[opendkim] Pepcransification

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

group_vars/opendkim.yml

@@ -0,0 +1,21 @@
+---
+glob_opendkim:
+  domain: "crans.org"
+  selector: "mail"
+  signing:
+    - "*@crans.org"
+    - "*@crans.fr"
+    - "*@crans.eu"
+  trust:
+    - "185.230.79.0/26"
+    - "172.16.3.0/24"
+    - "172.16.10.0/24"
+    - "2a0c:700:0:2::/64"
+    - "2a0c:700:0:3::/64"
+    - "2a0c:700:0:10::/64"
+    - "*@crans.org"
+    - "*@crans.fr"
+    - "*@crans.eu"
+  txt_record: |
+    mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtwkNVd9Mmz8S4WcfuPk0X2drG39gS8+uxAv8igRILgzWeN8j2hjeZesl8pm/1UTVU87bYcdfUgXiGfQy9nR5p/Vmt2kS7sXk9nsJ/VYENgb3IJQ6paWupSTFMyeKycJ4ZHCEZB/bVvifoG6vLKqW5jpsfCiOcfdcgXATn0UPuVx9t93yRrhoEMntMv9TSodjqd3FKCtJUoh5cNQHo0T6dWKtxoIgNi/mvZ92D/IACwu/XOU+Rq9fnoEI8GukBQUR5AkP0B/JrvwWXWX/3EjY8X37ljEX0XUdq/ShzTl5iK+CM83stgkFUQh/rpww5mnxYEW3X4uirJ7VJHmY4KPoIU+2DPjLQj9Hz63CMWY3Ks2pXWzxD3V+GI1aJTMFOv2LeHnI3ScqFaKj9FR4ZKMb0OW2BEFBIY3J3aeo/paRwdbVCMM7twDtZY9uInR/NhVa1v9hlOxwp4/2pGSKQYoN2CkAZ1Alzwf8M3EONLKeiC43JLYwKH1uBB1oikSVhMnLjG0219XvfG/tphyoOqJR/bCc2rdv5pLwKUl4wVuygfpvOw12bcvnTfYuk/BXzVHg9t4H8k/DJR6GAoeNAapXIS8AfAScF8QdKfplhKLJyQGJ6lQ75YD9IwRAN0oV+8NTjl46lI/C+b7mpfXCew+p6YPwfNvV2shiR0Ez8ZGUQIcCAwEAAQ==" ; ----- DKIM key mail for crans.org
+  private_key: "{{ vault.opendkim_private_key }}"

hosts

@@ -79,13 +79,6 @@ jitsi.adm.crans.org
 [keepalived:children]
 routeurs_vm
 
-[slapd]
-tealc.adm.crans.org
-sam.adm.crans.org
-daniel.adm.crans.org
-jack.adm.crans.org
-sputnik.adm.crans.org
-
 [linx]
 linx.adm.crans.org
 
@@ -111,6 +104,10 @@ wiki
 charybde.adm.crans.org
 # silice.adm.crans.org
 
+[opendkim:children]
+mailman
+postfix
+
 [postfix]
 redisdead.adm.crans.org
 zamok.adm.crans.org
@@ -143,6 +140,13 @@ routeur-daniel.adm.crans.org
 routeur-jack.adm.crans.org
 routeur-sam.adm.crans.org
 
+[slapd]
+tealc.adm.crans.org
+sam.adm.crans.org
+daniel.adm.crans.org
+jack.adm.crans.org
+sputnik.adm.crans.org
+
 [thelounge]
 irc.adm.crans.org
 zamok.adm.crans.org

plays/mailman.yml

@@ -6,8 +6,10 @@
     certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
     mailman3: '{{ glob_mailman3 | default({}) | combine(loc_mailman3 | default({})) }}'
     nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
+    opendkim: '{{ loc_opendkim | default(glob_opendkim | default([])) }}'
   roles:
     - certbot
     - nginx
     - mailman3
     - postfix-mailman3
+    - opendkim

plays/postfix.yml

@@ -12,8 +12,7 @@
         domains: "*.crans.org"
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
-    opendkim:
-        private_key: "{{ vault.opendkim_private_key }}"
+    opendkim: "{{ glob_opendkim | default({}) | combine(loc_opendkim | default({})) }}"
     policyd:
       mail: root@crans.org
       exemptions: "{{ lookup('re2oapi', 'get_role', 'user-server')[0] }}"

roles/opendkim/tasks/main.yml

@@ -11,7 +11,7 @@
 
 - name: Ensure opendkim directories are here
   file:
-    path: /etc/opendkim/keys/crans.org
+    path: "/etc/opendkim/keys/{{ opendkim.domain }}"
     state: directory
     mode: 0750
     owner: opendkim
@@ -40,11 +40,11 @@
 
 - name: Deploy opendkim key
   template:
-    src: opendkim/keys/crans.org/{{ item }}.j2
-    dest: /etc/opendkim/keys/crans.org/{{ item }}
+    src: "opendkim/keys/key.{{ item }}.j2"
+    dest: "/etc/opendkim/keys/{{ opendkim.domain }}/{{ opendkim.selector }}.{{ item }}"
     mode: 0600
     owner: opendkim
     group: opendkim
   loop:
-    - mail.private
-    - mail.txt
+    - "private"
+    - "txt"

roles/opendkim/templates/opendkim/KeyTable.j2

@@ -1 +1 @@
-mail._domainkey.crans.org crans.org:mail:/etc/opendkim/keys/crans.org/mail.private
+{{ opendkim.selector }}._domainkey.{{ opendkim.domain }} {{ opendkim.domain }}:{{ opendkim.selector }}:/etc/opendkim/keys/{{ opendkim.domain }}/{{ opendkim.selector }}.private

roles/opendkim/templates/opendkim/SigningTable.j2

@@ -1,2 +1,3 @@
-*@crans.org mail._domainkey.crans.org
-*@crans.eu  mail._domainkey.crans.org
+{% for pattern in opendkim.signing %}
+{{ pattern }} {{ opendkim.selector }}._domainkey.{{ opendkim.domain }}
+{% endfor %}

roles/opendkim/templates/opendkim/keys/crans.org/mail.txt.j2

@@ -1 +0,0 @@
-mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtwkNVd9Mmz8S4WcfuPk0X2drG39gS8+uxAv8igRILgzWeN8j2hjeZesl8pm/1UTVU87bYcdfUgXiGfQy9nR5p/Vmt2kS7sXk9nsJ/VYENgb3IJQ6paWupSTFMyeKycJ4ZHCEZB/bVvifoG6vLKqW5jpsfCiOcfdcgXATn0UPuVx9t93yRrhoEMntMv9TSodjqd3FKCtJUoh5cNQHo0T6dWKtxoIgNi/mvZ92D/IACwu/XOU+Rq9fnoEI8GukBQUR5AkP0B/JrvwWXWX/3EjY8X37ljEX0XUdq/ShzTl5iK+CM83stgkFUQh/rpww5mnxYEW3X4uirJ7VJHmY4KPoIU+2DPjLQj9Hz63CMWY3Ks2pXWzxD3V+GI1aJTMFOv2LeHnI3ScqFaKj9FR4ZKMb0OW2BEFBIY3J3aeo/paRwdbVCMM7twDtZY9uInR/NhVa1v9hlOxwp4/2pGSKQYoN2CkAZ1Alzwf8M3EONLKeiC43JLYwKH1uBB1oikSVhMnLjG0219XvfG/tphyoOqJR/bCc2rdv5pLwKUl4wVuygfpvOw12bcvnTfYuk/BXzVHg9t4H8k/DJR6GAoeNAapXIS8AfAScF8QdKfplhKLJyQGJ6lQ75YD9IwRAN0oV+8NTjl46lI/C+b7mpfXCew+p6YPwfNvV2shiR0Ez8ZGUQIcCAwEAAQ==" ; ----- DKIM key mail for crans.org

roles/opendkim/templates/opendkim/keys/key.txt.j2

@@ -0,0 +1 @@
+{{ opendkim.txt_record }}

roles/postfix-mailman3/templates/postfix/main.cf.j2

@@ -22,6 +22,10 @@ smtpd_use_tls=yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
+# OpenDKIM
+smtpd_milters = inet:localhost:12301
+non_smtpd_milters = inet:localhost:12301
+
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.