2020-11-13 12:13:00 +00:00
8 changed files with 40 additions and 8 deletions
--- a/bundles/rspamd/files/dkim.conf
+++ b/bundles/rspamd/files/dkim.conf
@ -1,4 +1,4 @@
-# TODO
 path = "/var/lib/rspamd/dkim/$selector.key";
+# selector = "${node.metadata['rspamd']['dkim']}";
 selector = "2019";
 allow_username_mismatch = true;
--- a/bundles/rspamd/items.py
+++ b/bundles/rspamd/items.py
@ -20,6 +20,11 @@ directories = {
            'svc_systemd:rspamd:restart',
        },
    },
+    '/var/lib/rspamd/dkim': {
+        'owner': '_rspamd',
+        'group': '_rspamd',
+        'mode': '0750',
+    },
 }

 svc_systemd = {
@ -51,16 +56,40 @@ files = {
    },
 }

+actions = {
+    'rspamd_assure_dkim_key_permissions': {
+        'command': 'chown _rspamd:_rspamd /var/lib/rspamd/dkim/*.key',
+        'needs': {
+            'directory:/var/lib/rspamd/dkim',
+        },
+    },
+}
+
 # TODO manage this using bundlewrap
-if node.metadata.get('rspamd', {}).get('dkim', False):
+if 'dkim' in node.metadata.get('rspamd', {}):
    for i in {'arc', 'dkim_signing'}:
        files[f'/etc/rspamd/local.d/{i}.conf'] = {
            'source': 'dkim.conf',
+            'content_type': 'mako',
+            'needs': {
+                'action:rspamd_generate_dkim_key',
+            },
            'triggers': {
                'svc_systemd:rspamd:restart',
            },
        }

+    actions['rspamd_generate_dkim_key'] = {
+        'command': node.metadata['rspamd']['dkim'].format_into('cd /var/lib/rspamd/dkim && /usr/bin/rspamadm dkim_keygen -s "{0}" -b 2048 -k "{0}.key" > "{0}.txt"'),
+        'unless': node.metadata['rspamd']['dkim'].format_into('test -f "/var/lib/rspamd/dkim/{0}.key"'),
+        'needs': {
+            'directory:/var/lib/rspamd/dkim',
+        },
+        'needed_by': {
+            'action:rspamd_assure_dkim_key_permissions',
+        },
+    }
+
 if 'password' in node.metadata.get('rspamd', {}):
    files['/etc/rspamd/local.d/worker-controller.inc'] = {
        'content_type': 'mako',
--- a/bundles/rspamd/metadata.py
+++ b/bundles/rspamd/metadata.py
@ -31,6 +31,9 @@ defaults = {
            },
        },
    },
+    'rspamd': {
+        'dkim': repo.vault.password_for(node.name + ' rspamd dkim key'),
+    },
 }


--- a/data/powerdns/files/bind-zones/franzi.business
+++ b/data/powerdns/files/bind-zones/franzi.business
@ -39,3 +39,4 @@ _mta-sts        IN  TXT     "v=STSv1;id=20201111;"
 _smtp._tls      IN  TXT     "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl   IN  TXT     "gg3mbwjx9bbuo5osvh7oz6bc881wcmc"
 2019._domainkey IN  TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
+uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
--- a/data/powerdns/files/bind-zones/kunbox.net
+++ b/data/powerdns/files/bind-zones/kunbox.net
@ -32,6 +32,9 @@ _mta-sts            IN  TXT     "v=STSv1;id=20201111;"
 _smtp._tls          IN  TXT     "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl       IN  TXT     "6akc10htbgmg56e072w0w2n0wql4oezu"
 2019._domainkey     IN  TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
+uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
+_smtp._tls          IN  TXT     "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
+
 f2k1.de._report._dmarc  IN  TXT "v=DMARC1"
 franzi.business._report._dmarc  IN  TXT "v=DMARC1"
 kunsmann.eu._report._dmarc  IN  TXT "v=DMARC1"
--- a/data/powerdns/files/bind-zones/kunsmann.eu
+++ b/data/powerdns/files/bind-zones/kunsmann.eu
@ -35,3 +35,4 @@ _mta-sts        IN  TXT     "v=STSv1;id=20201111;"
 _smtp._tls      IN  TXT     "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl   IN  TXT     "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
 2019._domainkey IN  TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
+uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
--- a/data/powerdns/files/bind-zones/trans-agenda.eu
+++ b/data/powerdns/files/bind-zones/trans-agenda.eu
@ -16,3 +16,4 @@ _mta-sts        IN  TXT     "v=STSv1;id=20201111;"
 _smtp._tls      IN  TXT     "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl   IN  TXT     "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
 2019._domainkey IN  TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
+uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@ -58,11 +58,6 @@ nodes['htz.ex42-1048908'] = {
                        'deb http://deb.debian.org/debian {os_release}-backports main',
                    ],
                },
-                'rspamd': {
-                    'items': {
-                        'deb [arch=amd64] http://rspamd.com/apt-stable/ {os_release} main',
-                    },
-                },
                'weechat': {
                    'items': {
                        'deb https://weechat.org/debian {os_release} main',
@ -304,7 +299,6 @@ nodes['htz.ex42-1048908'] = {
            },
        },
        'rspamd': {
-            'dkim': True,
            'ignore_spam_check_for_ips': {
                # entropia
                '188.40.158.213',