diff --git a/bundles/rspamd/files/dkim.conf b/bundles/rspamd/files/dkim.conf
index 3ca59d9..29f19eb 100644
--- a/bundles/rspamd/files/dkim.conf
+++ b/bundles/rspamd/files/dkim.conf
@@ -1,4 +1,4 @@
-# TODO
 path = "/var/lib/rspamd/dkim/$selector.key";
+# selector = "${node.metadata['rspamd']['dkim']}";
 selector = "2019";
 allow_username_mismatch = true;
diff --git a/bundles/rspamd/items.py b/bundles/rspamd/items.py
index cb24f3b..5347c73 100644
--- a/bundles/rspamd/items.py
+++ b/bundles/rspamd/items.py
@@ -20,6 +20,11 @@ directories = {
 'svc_systemd:rspamd:restart',
 },
 },
+ '/var/lib/rspamd/dkim': {
+ 'owner': '_rspamd',
+ 'group': '_rspamd',
+ 'mode': '0750',
+ },
 }
 svc_systemd = {
@@ -51,8 +56,17 @@ files = {
 },
 }
+actions = {
+ 'rspamd_assure_dkim_key_permissions': {
+ 'command': 'chown _rspamd:_rspamd /var/lib/rspamd/dkim/*.key',
+ 'needs': {
+ 'directory:/var/lib/rspamd/dkim',
+ },
+ },
+}
 # TODO manage this using bundlewrap
-if node.metadata.get('rspamd', {}).get('dkim', False):
+if 'dkim' in node.metadata.get('rspamd', {}):
 for i in {'arc', 'dkim_signing'}:
 files[f'/etc/rspamd/local.d/{i}.conf'] = {
 'source': 'dkim.conf',
@@ -65,10 +79,14 @@ if node.metadata.get('rspamd', {}).get('dkim', False):
 },
 }
- actions = {
- 'rspamd_generate_dkim_key': {
- 'command': node.metadata['rspamd']['dkim'].format_into('cd /var/lib/rspamd/dkim && /usr/bin/rspamadm dkim_keygen -s "{fault}" -b 2048 -k "{fault}.key" > "{fault}.txt"'),
- 'unless': node.metadata['rspamd']['dkim'].format_into('test -f "/var/lib/rspamd/dkim/{fault}.key"'),
+ actions['rspamd_generate_dkim_key'] = {
+ 'command': node.metadata['rspamd']['dkim'].format_into('cd /var/lib/rspamd/dkim && /usr/bin/rspamadm dkim_keygen -s "{fault}" -b 2048 -k "{fault}.key" > "{fault}.txt"'),
+ 'unless': node.metadata['rspamd']['dkim'].format_into('test -f "/var/lib/rspamd/dkim/{fault}.key"'),
+ 'needs': {
+ 'directory:/var/lib/rspamd/dkim',
+ },
+ 'needed_by': {
+ 'action:rspamd_assure_dkim_key_permissions',
 },
 }
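Review bot: The selector in dkim.conf stays hard-coded as `selector = "2019";` while the key file is generated under the name taken from `node.metadata['rspamd']['dkim']` (the `-k "{fault}.key"` in the last items.py hunk), so `path = "/var/lib/rspamd/dkim/$selector.key"` only points at the generated key when that metadata value happens to be "2019"; on any other node rspamd is configured with a key path this bundle never creates. The added `# selector = "${node.metadata['rspamd']['dkim']}";` line records the intent but is commented out, and whether this file is rendered as a template is not visible here (the `files` entry for dkim.conf lies mostly outside the hunks); since the metadata value is used through `.format_into`, it is presumably a Fault, which may be why a plain template substitution was not used. Until the selector is actually templated, a comment stating the coupling would at least make the mismatch visible to the next editor: `# selector MUST equal node.metadata['rspamd']['dkim']: rspamd_generate_dkim_key names the key file after that value`.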
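Review bot: `chown _rspamd:_rspamd /var/lib/rspamd/dkim/*.key` is declared at module level for every node and has no `unless`, so it runs on every apply, and on a node without `dkim` metadata — where the directory hunk now creates `/var/lib/rspamd/dkim` but no key is ever generated — the glob matches nothing, the shell passes the literal `*.key` to chown, and the non-zero exit fails the apply. It also only corrects ownership: the key written by `rspamadm dkim_keygen -k` in the last hunk is created with whatever mode the invoking user's umask yields (presumably root, which is why the chown exists), so a DKIM private key can remain group- or world-readable inside a directory that is only 0750. A `find` handles the no-key case and fixes the mode in one go, `'command': 'find /var/lib/rspamd/dkim -name "*.key" -exec chown _rspamd:_rspamd {} + -exec chmod 0640 {} +',` paired with a guard that succeeds when nothing needs changing, `'unless': r'test -z "$(find /var/lib/rspamd/dkim -name "*.key" \( ! -user _rspamd -o ! -group _rspamd -o -perm /027 \))"',`. The ordering after key generation through `needed_by` in the last hunk is fine as it stands.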