author | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-03-24 13:59:27 +0000 |
---|---|---|
committer | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-03-24 13:59:27 +0000 |
commit | 9731e3032a44e1cf91ba7a12769f7c0ce88403af (patch) | |
tree | be11418fd423af093ddb6eaf839d0550dc7cbe1f /roles | |
parent | 4e722e18f0014aed51fb51c130fb17ceb6f15200 (diff) | |
Add opendkim role
Diffstat (limited to 'roles')
-rw-r--r-- | roles/opendkim/files/mail.private | 50 | ||||
-rw-r--r-- | roles/opendkim/files/mail.txt | 2 | ||||
-rw-r--r-- | roles/opendkim/files/opendkim.conf | 100 | ||||
-rw-r--r-- | roles/opendkim/handlers/main.yml | 4 | ||||
-rw-r--r-- | roles/opendkim/tasks/main.yml | 28 |
5 files changed, 184 insertions, 0 deletions
diff --git a/roles/opendkim/files/mail.private b/roles/opendkim/files/mail.private new file mode 100644 index 0000000..ed1d799 --- /dev/null +++ b/roles/opendkim/files/mail.private @@ -0,0 +1,50 @@ +$ANSIBLE_VAULT;1.1;AES256 +38303738386236636234393166646635616134323636313163613064633261383135613739336131 +3961343961383131333166313364326466626661353832380a376135343532653438326130313366 +66323335353938346333646231653639393738343934616465333066346365333933373730366630 +6566373064666638650a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diff --git a/roles/opendkim/files/mail.txt b/roles/opendkim/files/mail.txt new file mode 100644 index 0000000..9f805a6 --- /dev/null +++ b/roles/opendkim/files/mail.txt @@ -0,0 +1,2 @@ +mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; " + "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfLCoTGJhay1bw8B78F559UcPdUXxYjBR51Y3zQNYVG6wIOZv9dB+HpAPdkgbxIgBC74HzOMTO4nr6EyFkfQ4srXzJyd/Wpc4fxwT6GrFFGLZmn+8thkVXqvxnjrLqKrwMXq48rDuFinT8mXa8ljTSW9yaxBoTlTajpgFk6LXPUQIDAQAB" ) ; ----- DKIM key mail for ilvokhin.com diff --git a/roles/opendkim/files/opendkim.conf b/roles/opendkim/files/opendkim.conf new file mode 100644 index 0000000..6e35ed8 --- /dev/null +++ b/roles/opendkim/files/opendkim.conf 
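Review bot: The `p=` value in the mail.txt record starts with `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ`, the encoding prefix of a 1024-bit RSA public key, so the `mail` selector would sign with the smallest key size DKIM still accepts. RFC 8301 requires at least 1024 bits and says signers should use at least 2048. Regenerating the pair at 2048 bits (`opendkim-genkey -b 2048`) before the record is published avoids a key rotation later. The longer `p=` value then has to be split across several quoted strings inside the TXT record, since each string is limited to 255 bytes.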
@@ -0,0 +1,100 @@
+## CONFIGURATION OPTIONS
+
+## BaseDirectory path
+## default (none)
+##
+## Causes the filter to change to the named directory before beginning
+## operation. Thus, cores will be dumped here and configuration files
+## are read relative to this location.
+
+BaseDirectory /run/opendkim
+
+## Canonicalization hdrcanon[/bodycanon]
+## default "simple/simple"
+##
+## Select canonicalizations to use when signing. If the "bodycanon" is
+## omitted, "simple" is used. Valid values for each are "simple" and
+## "relaxed".
+
+Canonicalization relaxed/relaxed
+
+## Domain dataset
+## default (none)
+##
+## Specify for which domain(s) signing should be done. No default; must
+## be specified for signing.
+
+Domain ilvokhin.com
+
+## KeyFile filename
+## default (none)
+##
+## Specifies the path to the private key to use when signing. Ignored if
+## SigningTable and KeyTable are used. No default; must be specified for
+## signing if SigningTable/KeyTable are not in use.
+
+KeyFile /etc/opendkim/mail.private
+
+## LogWhy { yes | no }
+## default "no"
+##
+## If logging is enabled (see Syslog below), issues very detailed logging
+## about the logic behind the filter's decision to either sign a message
+## or verify it. The logic behind the decision is non-trivial and can be
+## confusing to administrators not familiar with its operation. A
+## description of how the decision is made can be found in the OPERATIONS
+## section of the opendkim(8) man page. This causes a large increase
+## in the amount of log data generated for each message, so it should be
+## limited to debugging use and not enabled for general operation.
+
+LogWhy yes
+
+## PidFile filename
+## default (none)
+##
+## Name of the file where the filter should write its pid before beginning
+## normal operations.
+
+PidFile /var/run/opendkim.pid
+
+## Selector name
+##
+## The name of the selector to use when signing. No default; must be
+## specified for signing. 
+
+Selector mail
+
+## Socket socketspec
+##
+## Names the socket where this filter should listen for milter connections
+## from the MTA. Required. Should be in one of these forms:
+##
+## inet:port@address to listen on a specific interface
+## inet:port to listen on all interfaces
+## local:/path/to/socket to listen on a UNIX domain socket
+
+Socket local:/run/opendkim/opendkim.sock
+
+## SyslogSuccess { yes | no }
+## default "no"
+##
+## Log success activity to syslog?
+
+SyslogSuccess yes
+
+## TemporaryDirectory path
+## default /tmp
+##
+## Specifies which directory will be used for creating temporary files
+## during message processing.
+
+TemporaryDirectory /run/opendkim
+
+## UMask mask
+## default (none)
+##
+## Change the process umask for file creation to the specified value.
+## The system has its own default which will be used (usually 022).
+## See the umask(2) man page for more information.
+
+UMask 002
diff --git a/roles/opendkim/handlers/main.yml b/roles/opendkim/handlers/main.yml
new file mode 100644
index 0000000..3cf093d
--- /dev/null
+++ b/roles/opendkim/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Restart opendkim
+ ansible.builtin.service:
+ name: opendkim
+ state: restarted
diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml
new file mode 100644
index 0000000..e38df64
--- /dev/null
+++ b/roles/opendkim/tasks/main.yml 
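Review bot: The new opendkim.conf sets no `UserID`, so the account the filter runs under is left to the packaged service unit; if that unit starts it as root, the milter handles untrusted mail with full privileges. Adding `UserID opendkim:opendkim` (the owner the tasks file already uses for /etc/opendkim) makes the privilege drop explicit. `PidFile /var/run/opendkim.pid` would then probably need to move under `/run/opendkim`, assuming that is the only runtime path the account can write. `LogWhy yes` is also left on although the comment directly above it says it should be limited to debugging use; `LogWhy no` is the setting for normal operation.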
@@ -0,0 +1,28 @@
+- name: Install opendkim
+ ansible.builtin.package:
+ name:
+ - opendkim
+ state: present
+
+- name: Configure opendkim
+ ansible.builtin.copy:
+ src: '{{ item }}'
+ dest: /etc/opendkim/
+ owner: opendkim
+ group: opendkim
+ # It doesn't have much sense to set a more granular permissions for each
+ # specific file here, because /etc/opendkim directory itself has pretty
+ # strict permissions and non-privilege users can't read them anyway.
+ mode: u+rw,g-rwx,o-rwx
+ loop:
+ - files/opendkim.conf
+ - files/mail.private
+ - files/mail.txt
+ notify:
+ - Restart opendkim
+
+- name: Enable opendkim systemd service
+ ansible.builtin.service:
+ name: opendkim
+ enabled: yes
+ state: started |
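Review bot: In the `Configure opendkim` task the private key's confidentiality rests on the mode of /etc/opendkim, which the comment cites but no task in this role sets or checks, and on the relative mode `u+rw,g-rwx,o-rwx`. Giving `files/mail.private` its own copy task with an absolute `mode: '0600'` and `no_log: true` makes its permissions independent of the package's directory defaults. It also keeps the decrypted key out of task output, which can otherwise show file content when the play runs with `--diff`. `files/mail.txt` is only the DNS record to publish and probably does not need to be copied to the server at all.

```yaml
# … unchanged: Install opendkim …

- name: Install opendkim private key
  ansible.builtin.copy:
    src: files/mail.private
    dest: /etc/opendkim/mail.private
    owner: opendkim
    group: opendkim
    mode: '0600'
  no_log: true
  notify:
    - Restart opendkim

# … unchanged: Configure opendkim, with files/mail.private dropped from its loop …
```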