bundles/rspamd: first draft for automatically-rotating dkim keys

bundles/rspamd/items.py

@@ -56,11 +56,22 @@ if node.metadata.get('rspamd', {}).get('dkim', False):
     for i in {'arc', 'dkim_signing'}:
         files[f'/etc/rspamd/local.d/{i}.conf'] = {
             'source': 'dkim.conf',
+            'content_type': 'mako',
+            'needs': {
+                'action:rspamd_generate_dkim_key',
+            },
             'triggers': {
                 'svc_systemd:rspamd:restart',
             },
         }
 
+    actions = {
+        'rspamd_generate_dkim_key': {
+            'command': node.metadata['rspamd']['dkim'].format_into('cd /var/lib/rspamd/dkim && /usr/bin/rspamadm dkim_keygen -s "{fault}" -b 2048 -k "{fault}.key" > "{fault}.txt"'),
+            'unless': node.metadata['rspamd']['dkim'].format_into('test -f "/var/lib/rspamd/dkim/{fault}.key"'),
+        },
+    }
+
 if 'password' in node.metadata.get('rspamd', {}):
     files['/etc/rspamd/local.d/worker-controller.inc'] = {
         'content_type': 'mako',

bundles/rspamd/metadata.py

@@ -31,6 +31,9 @@ defaults = {
             },
         },
     },
+    'rspamd': {
+        'dkim': repo.vault.password_for(node.name + ' rspamd dkim key'),
+    },
 }
 
 

nodes/htz/ex42-1048908.py

@@ -58,11 +58,6 @@ nodes['htz.ex42-1048908'] = {
                         'deb http://deb.debian.org/debian {os_release}-backports main',
                     ],
                 },
-                'rspamd': {
-                    'items': {
-                        'deb [arch=amd64] http://rspamd.com/apt-stable/ {os_release} main',
-                    },
-                },
                 'weechat': {
                     'items': {
                         'deb https://weechat.org/debian {os_release} main',
@@ -304,7 +299,6 @@ nodes['htz.ex42-1048908'] = {
             },
         },
         'rspamd': {
-            'dkim': True,
             'ignore_spam_check_for_ips': {
                 # entropia
                 '188.40.158.213',