Cullum Smith 1 year ago
parent
commit
bf6013cd5f

+ 11
- 0
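--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,17 @@
 # Changelog
 Any breaking or significant changes will be documented in this file with a corresponding Git tag.
 
+# [0.2.1] - 2019-03-15
+  - Add davical
+  - DKIM keys moved from /etc/mail to /etc/dkim, intervention required to avoid generating new keys!
+    - ```
+mkdir /etc/dkim /etc/dkim/private
+chmod 700 /etc/dkim/private
+cp /etc/mail/dkim/private.key /etc/dkim/private/dkim.key
+cp /etc/mail/dkim/public.key  /etc/dkim/dkim.pub.key
+cp /etc/mail/dkim/dkim.txt    /etc/dkim/dkim.txt
+```
+
 # [0.2.0] - 2019-03-09
   - Switch authentication backend from /etc/passwd to LDAP.
   - ypldap is used to provide an NIS translation layer for ldapd.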

+ 1
- 1
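--- a/roles/davical/handlers/main.yml
+++ b/roles/davical/handlers/main.yml
@@ -11,5 +11,5 @@
 
 - name: restart php-fpm
   service:
-    name: php72_fpm
+    name: '{{ php_fpm_daemon }}'
     state: restarted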

+ 3
- 3
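--- a/roles/davical/tasks/main.yml
+++ b/roles/davical/tasks/main.yml
@@ -60,7 +60,7 @@
 
 - name: enable php-fpm
   service:
-    name: php72_fpm
+    name: '{{ php_fpm_daemon }}'
     enabled: yes
     state: started
 
@@ -97,9 +97,9 @@
     warn: False
   when: check_db.rc != 0
 
-- name: read cal dkim private key
+- name: read dkim private key
   slurp:
-    src: /etc/mail/dkim/cal.private.key
+    src: '{{ dkim_home }}/private/dkim.key'
   register: slurp_dkim_private_key
 
 - name: set cal dkim private key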
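Review bot: The `read dkim private key` slurp registers the base64-encoded private key in `slurp_dkim_private_key` without `no_log: true`, so the key material is printed in `-v` output and handed to every callback/result logger; add `no_log: true` to this task and to the following `set cal dkim private key` task that consumes the registered value. Separately, this hunk switches davical from the `cal` key to `{{ dkim_home }}/private/dkim.key` while the dkim role in this same commit still generates a distinct `cal` selector for the `dav` subdomain and the next task is still named `set cal dkim private key`; if davical's configuration signs with selector `cal`, the published `cal._domainkey.dav` record no longer matches the key actually used, so confirm which selector davical references. The `set cal dkim private key` task continues outside the hunk.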

+ 2
- 0
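--- a/roles/davical/vars/main.yml
+++ b/roles/davical/vars/main.yml
@@ -1,5 +1,7 @@
 ---
 php_version: 7.2
+php_fpm_daemon: 'php{{ php_version | replace(".", "") }}_fpm'
+dkim_home: /etc/dkim
 davical_home: /var/www/htdocs/davical
 awl_home: /var/www/htdocs/awl
 davical_fpm_sock: /var/www/run/davical.sock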
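Review bot: `php_fpm_daemon` and `dkim_home` are now copied here verbatim from the php and dkim roles' `vars/main.yml` (and `php_version: 7.2` was already a copy), so a future change to `php_version` in the php role is not seen by davical's copy and the two roles can end up managing different daemons or reading the key from different directories. Role `vars/` files are high-precedence, which makes such drift hard to notice. Declare the php and dkim roles as dependencies in `roles/davical/meta/main.yml`, or move the shared values to `group_vars`, and drop the duplicated lines here.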

+ 15
- 0
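--- /dev/null
+++ b/roles/dkim/tasks/dkim_key.yml
@@ -0,0 +1,15 @@
+---
+- name: generate dkim private key
+  command: openssl genrsa -out '{{ dkim_home }}/private/{{ selector }}.key' 2048
+  args:
+    creates: '{{ dkim_home }}/private/{{ selector}}.key'
+
+- name: generate dkim public key
+  command: openssl rsa -in '{{ dkim_home }}/private/{{ selector }}.key' -pubout -out '{{ dkim_home }}/{{ selector }}.pub.key'
+  args:
+    creates: '{{ dkim_home }}/{{ selector }}.pub.key'
+
+- name: generate dkim TXT record
+  shell: ( echo p= ; grep -Ev -- '-+(BEGIN|END) PUBLIC KEY-+' '{{ dkim_home }}/{{ selector }}.pub.key') | tr -d '\n' | fold -w255 | awk 'BEGIN { print "{{ selector }}._domainkey{{ "." + subdomain if subdomain is defined else "" }}     IN TXT ( \"v=DKIM1; k=rsa; \"" } { print "    " "\"" $0 "\"" } END { print ") ;" }' > '{{ dkim_home }}/{{ selector }}.txt'
+  args:
+    creates: '{{ dkim_home }}/{{ selector }}.txt'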
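Review bot: The private key written by `openssl genrsa -out '{{ dkim_home }}/private/{{ selector }}.key'` never has its owner, group or mode set by the playbook; unless openssl on this platform creates the file 0600, it gets umask permissions (typically 0644) and is shielded only by the 0750 parent directory, while a 0600 file would in turn be unreadable by the `_dkimproxy` group that directory grants. Add an explicit `file` task after generation so the key's permissions do not depend on openssl or the umask of whoever ran the play. A smaller nit: `{{ selector}}` in the first `creates` is missing the space before `}}`; it renders, but is inconsistent with every other reference in the file.
```yaml
# … unchanged: generate dkim private key …

- name: restrict dkim private key permissions
  file:
    path: '{{ dkim_home }}/private/{{ selector }}.key'
    owner: root
    group: _dkimproxy
    mode: '0640'

# … unchanged: generate dkim public key, generate dkim TXT record …
```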

+ 16
- 31
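--- a/roles/dkim/tasks/main.yml
+++ b/roles/dkim/tasks/main.yml
@@ -10,43 +10,28 @@
     dest: /etc/dkimproxy_out.conf
   notify: restart dkimproxy
 
-- name: create dkim key directory
+- name: create dkim directory
   file:
-    path: /etc/mail/dkim
+    path: '{{ dkim_home }}'
+    mode: 0755
+    state: directory
+
+- name: create dkim private directory
+  file:
+    path: '{{ dkim_home }}/private'
     owner: root
     group: _dkimproxy
     mode: 0750
     state: directory
 
-- name: generate dkim private key
-  command: openssl genrsa -out /etc/mail/dkim/private.key 2048
-  args:
-    creates: /etc/mail/dkim/private.key
-
-- name: generate dkim public key
-  command: openssl rsa -in /etc/mail/dkim/private.key -pubout -out /etc/mail/dkim/public.key
-  args:
-    creates: /etc/mail/dkim/public.key
-
-- name: generate dkim TXT record
-  shell: ( echo p= ; grep -Ev -- '-+(BEGIN|END) PUBLIC KEY-+' /etc/mail/dkim/public.key) | tr -d '\n' | fold -w255 | awk 'BEGIN { print "dkim._domainkey     IN TXT ( \"v=DKIM1; k=rsa; \"" } { print "    " "\"" $0 "\"" } END { print ") ;" }' > /etc/mail/dkim/dkim.txt
-  args:
-    creates: /etc/mail/dkim/dkim.txt
-
-- name: generate cal dkim private key
-  command: openssl genrsa -out /etc/mail/dkim/cal.private.key 2048
-  args:
-    creates: /etc/mail/dkim/cal.private.key
-
-- name: generate cal dkim public key
-  command: openssl rsa -in /etc/mail/dkim/cal.private.key -pubout -out /etc/mail/dkim/cal.public.key
-  args:
-    creates: /etc/mail/dkim/cal.public.key
-
-- name: generate cal dkim TXT record
-  shell: ( echo p= ; grep -Ev -- '-+(BEGIN|END) PUBLIC KEY-+' /etc/mail/dkim/cal.public.key) | tr -d '\n' | fold -w255 | awk 'BEGIN { print "cal._domainkey.dav     IN TXT ( \"v=DKIM1; k=rsa; \"" } { print "    " "\"" $0 "\"" } END { print ") ;" }' > /etc/mail/dkim/cal.txt
-  args:
-    creates: /etc/mail/dkim/cal.txt
+- name: generate dkim keys
+  include: dkim_key.yml
+  vars:
+    selector: '{{ item.selector }}'
+    subdomain: '{{ item.subdomain if item.subdomain is defined else omit }}'
+  with_items:
+    - { selector: dkim }
+    - { selector: cal, subdomain: dav }
 
 - name: enable and start daemon
   service: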
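Review bot: Passing `omit` through `vars:` on the `generate dkim keys` include does not leave the variable undefined: as far as I know the omit token is only stripped from module arguments, so for the `dkim` item `subdomain` arrives in dkim_key.yml as the `__omit_place_holder__…` string, the `subdomain is defined` test there is true, and the generated record name becomes `dkim._domainkey.__omit_place_holder__…`. The `creates` guard hides this on a host where `dkim.txt` was copied over per the CHANGELOG, so it would surface only on a fresh install. Use an empty-string default instead, `subdomain: '{{ item.subdomain | default("") }}'`, and change the test in dkim_key.yml to `if subdomain` rather than `if subdomain is defined`. Note also that the CHANGELOG migration copies only the `dkim` selector's files, so on upgrade the `cal` key and its TXT record are regenerated under the new path and the published `cal._domainkey.dav` key changes.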

+ 1
- 1
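--- a/roles/dkim/templates/dkimproxy_out.conf.j2
+++ b/roles/dkim/templates/dkimproxy_out.conf.j2
@@ -1,6 +1,6 @@
 listen 127.0.0.1:{{ dkim_listen_port }}
 relay 127.0.0.1:{{ dkim_relay_port }}
 domain {{ domain }}
-keyfile /etc/mail/dkim/private.key
+keyfile {{ dkim_home }}/private/dkim.key
 selector dkim
 signature dkim(c=relaxed/relaxed,a=rsa-sha256)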

+ 2
- 0
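--- /dev/null
+++ b/roles/dkim/vars/main.yml
@@ -0,0 +1,2 @@
+---
+dkim_home: /etc/dkim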

+ 1
- 0
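--- a/roles/ldapd/templates/ldapd.conf.j2
+++ b/roles/ldapd/templates/ldapd.conf.j2
@@ -10,6 +10,7 @@ schema "/etc/ldap/openssh-lpk.schema"
 
 namespace "{{ basedn }}" {
   rootdn "{{ ldap_rootdn }}"
+  # TODO: need logic to use old password hash unless rootpw was changed
   rootpw "{CRYPT}{{ lookup('pipe', 'encrypt -b a ' + ldap_rootpw|quote ) }}"
 
   {% for i in ldap_indexes %}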
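Review bot: The new TODO records the symptom, but the simpler fix is to stop hashing at template time: `encrypt` salts freshly on every run, so the rendered `rootpw` line changes and the config is reported changed (and presumably ldapd restarted) on every play, and `lookup('pipe', 'encrypt -b a ' + ldap_rootpw|quote)` also passes the clear-text root password as a command-line argument on the control host, where other local users can read it from the process list while it runs. Hash the password once, store the result alongside the secret (e.g. `ldap_rootpw_hash` in the same vault), and render `rootpw "{CRYPT}{{ ldap_rootpw_hash }}"`; the hash then changes only when someone deliberately rotates it, which is exactly the behaviour the TODO asks for. If the plaintext is still needed by another role, keep both variables rather than deriving one from the other at run time.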

+ 5
- 14
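--- a/roles/nsd/tasks/get_dkim.yml
+++ b/roles/nsd/tasks/get_dkim.yml
@@ -1,19 +1,10 @@
 # store DKIM records into dkim_records variable
 ---
-- name: read dkim records file
-  slurp:
-    src: /etc/mail/dkim/dkim.txt
-  register: dkim_records_b64
+- name: read dkim records
+  shell: cat {{ dkim_home }}/*.txt
+  register: cat_dkim_records
+  changed_when: False
 
 - name: set dkim records
   set_fact:
-    dkim_records: '{{ dkim_records_b64.content | b64decode }}'
-
-- name: read cal dkim records file
-  slurp:
-    src: /etc/mail/dkim/cal.txt
-  register: cal_dkim_records_b64
-
-- name: set cal dkim records
-  set_fact:
-    cal_dkim_records: '{{ cal_dkim_records_b64.content | b64decode }}'
+    dkim_records: '{{ cat_dkim_records.stdout }}'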
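Review bot: `shell: cat {{ dkim_home }}/*.txt` publishes every `.txt` file in `/etc/dkim` into the zone, so a leftover record from a renamed or rotated selector stays live in DNS and anything else dropped into that directory is served verbatim, whereas the removed slurp tasks read exactly the two files the dkim role produces. Read the known selector files explicitly instead, e.g. `slurp` looped over the same selector list the dkim role uses, so the zone carries only records this playbook generated; that also replaces the shell error you get when the glob matches nothing with a clear per-file failure. Note that `dkim_home` lives in the dkim role's `vars/main.yml`, so this task only resolves when that role has been loaded in the same play.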

+ 0
- 1
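--- a/roles/nsd/templates/domain.zone.j2
+++ b/roles/nsd/templates/domain.zone.j2
@@ -61,7 +61,6 @@ ns{{ loop.index }} IN AAAA {{ addr }}
 
 ; DKIM
 {{ dkim_records }}
-{{ cal_dkim_records }}
 
 ; SRV records
 {% for r in _srv_records  + (srv_records | default([])) %}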

+ 2
- 1
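--- a/roles/php/handlers/main.yml
+++ b/roles/php/handlers/main.yml
@@ -1,2 +1,3 @@
 ---
-# TODO: add restart hander iff there are pools defined
+- name: restart php-fpm
+  include: restart_php.yml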

+ 12
- 0
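--- /dev/null
+++ b/roles/php/handlers/restart_php.yml
@@ -0,0 +1,12 @@
+---
+- name: check if any pools are defined
+  find:
+    paths: /etc/php-fpm.d
+  register: php_pools
+
+- name: restart php_fpm
+  service:
+    name: '{{ php_fpm_daemon }}'
+    enabled: yes
+    state: restarted
+  when: php_pools.matched | int > 0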
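Review bot: The `find` task counts every entry under `/etc/php-fpm.d`, so a stray backup or editor swap file is enough to satisfy `php_pools.matched | int > 0` and restart php-fpm, while the task name says the intent is "any pools defined"; add `patterns: '*.conf'` (or whatever suffix the php role gives its pool files) to the `find` task. The restart handler also enables the service as a side effect via `enabled: yes`; enabling belongs with the task that installs a pool, and a handler should only do the restart it is named for. Minor: write the boolean as `true` rather than `yes` to avoid YAML 1.1 truthy ambiguity and lint noise.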

+ 1
- 0
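--- a/roles/php/vars/main.yml
+++ b/roles/php/vars/main.yml
@@ -1,3 +1,4 @@
 ---
 php_version: 7.2
 php_pkg_version: 7.2.10
+php_fpm_daemon: 'php{{ php_version | replace(".", "") }}_fpm'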
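Review bot: The new `php_fpm_daemon` line derives the daemon name from `php_version`, but `php_version: 7.2` is an unquoted YAML float: `replace(".", "")` on `7.2` happens to give `72`, while a two-digit minor such as `7.10` would load as `7.1` and silently yield `php71_fpm`. Quote it as `php_version: '7.2'` so the derived name is built from the literal text, and quote `php_pkg_version: '7.2.10'` alongside it for consistency. The same expression is duplicated in `roles/davical/vars/main.yml`, so any change to it has to be made in both places.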
