diff --git a/bundles/rspamd/files/dkim.conf b/bundles/rspamd/files/dkim.conf
index 3ca59d9..29f19eb 100644
--- a/bundles/rspamd/files/dkim.conf
+++ b/bundles/rspamd/files/dkim.conf
@@ -1,4 +1,4 @@
-# TODO path = "/var/lib/rspamd/dkim/$selector.key";
+# selector = "${node.metadata['rspamd']['dkim']}";
 selector = "2019";
 allow_username_mismatch = true;
diff --git a/bundles/rspamd/items.py b/bundles/rspamd/items.py
index b8ceaeb..b743afa 100644
--- a/bundles/rspamd/items.py
+++ b/bundles/rspamd/items.py
@@ -20,6 +20,11 @@ directories = {
 'svc_systemd:rspamd:restart',
 },
 },
+ '/var/lib/rspamd/dkim': {
+ 'owner': '_rspamd',
+ 'group': '_rspamd',
+ 'mode': '0750',
+ },
 }
 svc_systemd = {
@@ -51,16 +56,40 @@ files = {
 },
 }
+actions = {
+ 'rspamd_assure_dkim_key_permissions': {
+ 'command': 'chown _rspamd:_rspamd /var/lib/rspamd/dkim/*.key',
+ 'needs': {
+ 'directory:/var/lib/rspamd/dkim',
+ },
+ },
+}
+
 # TODO manage this using bundlewrap
-if node.metadata.get('rspamd', {}).get('dkim', False):
+if 'dkim' in node.metadata.get('rspamd', {}):
 for i in {'arc', 'dkim_signing'}:
 files[f'/etc/rspamd/local.d/{i}.conf'] = {
 'source': 'dkim.conf',
+ 'content_type': 'mako',
+ 'needs': {
+ 'action:rspamd_generate_dkim_key',
+ },
 'triggers': {
 'svc_systemd:rspamd:restart',
 },
 }
+ actions['rspamd_generate_dkim_key'] = {
+ 'command': node.metadata['rspamd']['dkim'].format_into('cd /var/lib/rspamd/dkim && /usr/bin/rspamadm dkim_keygen -s "{0}" -b 2048 -k "{0}.key" > "{0}.txt"'),
+ 'unless': node.metadata['rspamd']['dkim'].format_into('test -f "/var/lib/rspamd/dkim/{0}.key"'),
+ 'needs': {
+ 'directory:/var/lib/rspamd/dkim',
+ },
+ 'needed_by': {
+ 'action:rspamd_assure_dkim_key_permissions',
+ },
+ }
+
 if 'password' in node.metadata.get('rspamd', {}):
 files['/etc/rspamd/local.d/worker-controller.inc'] = {
 'content_type': 'mako',
diff --git a/bundles/rspamd/metadata.py b/bundles/rspamd/metadata.py
index b2ce5cf..10206f8 100644
--- a/bundles/rspamd/metadata.py
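Review bot: The added comment line in dkim.conf is not inert once the file is rendered as a Mako template, which items.py in this commit enables with `'content_type': 'mako'`. A single `#` is a comment only for rspamd, so `${node.metadata['rspamd']['dkim']}` is still evaluated and written to the node; a Mako comment (`##`) would stay out of the rendered file. The active `selector = "2019";` is unchanged, so signing presumably continues with the old key while the new one is generated and published. A line such as `# switch selector to the metadata value once the new _domainkey record is live` would record that intent.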
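Review bot: The private key written by `rspamd_generate_dkim_key` in the second items.py hunk never gets an explicit mode. `rspamd_assure_dkim_key_permissions` changes ownership only, so unless rspamadm restricts the file itself, confidentiality rests on the umask of the process running the action and on the 0750 directory added in the first hunk. Starting the command with `umask 077 && cd /var/lib/rspamd/dkim && ...` and extending the follow-up to `chown _rspamd:_rspamd /var/lib/rspamd/dkim/*.key && chmod 0600 /var/lib/rspamd/dkim/*.key` would make the intended permissions explicit. The chown action has no `unless`, so it appears to run on every apply. The selector is also formatted straight into a shell string, which is fine for a vault-generated alphanumeric value but deserves a comment such as `# selector comes from the vault (alphanumeric); do not feed free-form metadata into this command`.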
+++ b/bundles/rspamd/metadata.py
@@ -31,6 +31,9 @@ defaults = {
 },
 },
 },
+ 'rspamd': {
+ 'dkim': repo.vault.password_for(node.name + ' rspamd dkim key'),
+ },
 }
diff --git a/data/powerdns/files/bind-zones/franzi.business b/data/powerdns/files/bind-zones/franzi.business
index a5c2a3b..8303089 100644
--- a/data/powerdns/files/bind-zones/franzi.business
+++ b/data/powerdns/files/bind-zones/franzi.business
@@ -39,3 +39,4 @@ _mta-sts IN TXT "v=STSv1;id=20201111;"
 _smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl IN TXT "gg3mbwjx9bbuo5osvh7oz6bc881wcmc"
 2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
+uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net
index 40de748..58d57d9 100644
--- a/data/powerdns/files/bind-zones/kunbox.net
+++ b/data/powerdns/files/bind-zones/kunbox.net
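Review bot: The value stored under `rspamd.dkim` in metadata.py is used as the DKIM selector, and it appears to be the label published in the zone files of this commit. It is nevertheless derived with `repo.vault.password_for(...)` under the identifier `' rspamd dkim key'`, which reads as if it were key material. A comment such as `# public DKIM selector, not a secret; taken from the vault only to get a stable per-node name` would keep it from being handled as a secret or changed without updating DNS. Because this is a bundle default, the `'dkim' in node.metadata.get('rspamd', {})` guard in items.py is presumably true for every node using the bundle and no longer selects anything. The `defaults` dict begins outside this hunk.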
@@ -32,6 +32,9 @@ _mta-sts IN TXT "v=STSv1;id=20201111;"
 _smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl IN TXT "6akc10htbgmg56e072w0w2n0wql4oezu"
 2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
+uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
+_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
+
 f2k1.de._report._dmarc IN TXT "v=DMARC1"
 franzi.business._report._dmarc IN TXT "v=DMARC1"
 kunsmann.eu._report._dmarc IN TXT "v=DMARC1"
diff --git a/data/powerdns/files/bind-zones/kunsmann.eu b/data/powerdns/files/bind-zones/kunsmann.eu
index 74866bb..9b89f8f 100644
--- a/data/powerdns/files/bind-zones/kunsmann.eu
+++ b/data/powerdns/files/bind-zones/kunsmann.eu
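Review bot: The added `_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"` line in the kunbox.net zone repeats a record that is already present as context at the top of this hunk, and it is unrelated to publishing the new DKIM selector. Identical duplicates are normally collapsed into one RRset entry, but TLSRPT senders are expected to treat a name with more than one policy record as having none. Dropping the added line is safer than relying on the server to deduplicate it. The other zone files in this commit add only the `_domainkey` record.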
@@ -35,3 +35,4 @@ _mta-sts IN TXT "v=STSv1;id=20201111;"
 _smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
 2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
+uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
diff --git a/data/powerdns/files/bind-zones/trans-agenda.eu b/data/powerdns/files/bind-zones/trans-agenda.eu
index b47e135..75eff4e 100644
--- a/data/powerdns/files/bind-zones/trans-agenda.eu
+++ b/data/powerdns/files/bind-zones/trans-agenda.eu
@@ -16,3 +16,4 @@ _mta-sts IN TXT "v=STSv1;id=20201111;"
 _smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
 2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
+uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py
index 39cddbc..e986ca8 100644
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@@ -58,11 +58,6 @@ nodes['htz.ex42-1048908'] = {
 'deb http://deb.debian.org/debian {os_release}-backports main',
 ],
 },
- 'rspamd': {
- 'items': {
- 'deb [arch=amd64] http://rspamd.com/apt-stable/ {os_release} main',
- },
- },
 'weechat': {
 'items': {
 'deb https://weechat.org/debian {os_release} main',
@@ -304,7 +299,6 @@ nodes['htz.ex42-1048908'] = {
 },
 },
 'rspamd': {
- 'dkim': True,
 'ignore_spam_check_for_ips': {
 # entropia
 '188.40.158.213',