Initial commit

tasks/main.yml

@@ -0,0 +1,33 @@
+- name: Generate OpenDKIM keys
+  command:
+        argv: ["opendkim-genkey", "-D", "/etc/opendkim-data/", "-d", "redxen.eu", "-s", "mail"]
+  tags:
+        - opendkim
+        - keygen
+  when: generate|default(false)
+  notify: Run service actions
+- name: Copy OpenDKIM config
+  loop:
+  template:
+        src: 'opendkim.conf'
+        dest: '/etc/opendkim.conf'
+        follow: yes
+        owner: opendkim
+        mode: 700
+  tags:
+        - opendkim
+  notify: Run service actions
+- name: Copy OpenDKIM files
+  loop:
+        - 'keytable'
+        - 'signingtable'
+        - 'trustedhosts'
+  template:
+        src: '{{ item }}'
+        dest: '/etc/opendkim-data/{{ item }}'
+        follow: yes
+        owner: opendkim
+        mode: 700
+  tags:
+        - opendkim
+  notify: Run service actions

templates/keytable

@@ -0,0 +1 @@
+mail._domainkey.redxen.eu redxen.eu:mail:/etc/opendkim-data/mail.private

templates/opendkim.conf

@@ -0,0 +1,87 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog			yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask			007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain			example.com
+#KeyFile		/etc/dkimkeys/dkim.key
+#Selector		2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization	relaxed/simple
+#Mode			sv
+#SubDomains		no
+AutoRestart		yes
+Background		yes
+SignatureAlgorithm	rsa-sha256
+OversignHeaders		From
+
+# Socket smtp://localhost
+#
+# ##  Socket socketspec
+# ##
+# ##  Names the socket where this filter should listen for milter connections
+# ##  from the MTA.  Required.  Should be in one of these forms:
+# ##
+# ##  inet:port@address           to listen on a specific interface
+# ##  inet:port                   to listen on all interfaces
+# ##  local:/path/to/socket       to listen on a UNIX domain socket
+#
+Socket			local:/var/spool/postfix/opendkim/opendkim.sock
+
+##  PidFile filename
+###      default (none)
+###
+###  Name of the file where the filter should write its pid before beginning
+###  normal operations.
+#
+PidFile               /run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders		From
+
+##  ResolverConfiguration filename
+##      default (none)
+##
+##  Specifies a configuration file to be passed to the Unbound library that
+##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
+##  documentation at http://unbound.net for the expected content of this file.
+##  The results of using this and the TrustAnchorFile setting at the same
+##  time are undefined.
+##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+##  unbound package
+
+# ResolverConfiguration     /etc/unbound/unbound.conf
+
+##  TrustAnchorFile filename
+##      default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile       /usr/share/dns/root.key
+
+##  Userid userid
+###      default (none)
+###
+###  Change to user "userid" before starting normal operation?  May include
+###  a group ID as well, separated from the userid by a colon.
+#
+UserID                opendkim
+
+KeyTable file:/etc/opendkim-data/keytable
+SigningTable refile:/etc/opendkim-data/signingtable
+InternalHosts refile:/etc/opendkim-data/trustedhosts

templates/signingtable

@@ -0,0 +1 @@
+*@redxen.eu mail._domainkey.redxen.eu

templates/trustedhosts

@@ -0,0 +1,3 @@
+127.0.0.1
+{{ ansible_ens10.ipv4.address }}/16
+redxen.eu