kunsi-feature-rspamd-rotating-keys #3

Merged
kunsi merged 4 commits from kunsi-feature-rspamd-rotating-keys into main 2020-11-13 12:13:00 +00:00
8 changed files with 40 additions and 8 deletions

View file

@ -1,4 +1,4 @@
# TODO
path = "/var/lib/rspamd/dkim/$selector.key";
# selector = "${node.metadata['rspamd']['dkim']}";
selector = "2019";
allow_username_mismatch = true;

View file

@ -20,6 +20,11 @@ directories = {
'svc_systemd:rspamd:restart',
},
},
'/var/lib/rspamd/dkim': {
'owner': '_rspamd',
'group': '_rspamd',
'mode': '0750',
},
}
svc_systemd = {
@ -51,16 +56,40 @@ files = {
},
}
actions = {
'rspamd_assure_dkim_key_permissions': {
'command': 'chown _rspamd:_rspamd /var/lib/rspamd/dkim/*.key',
'needs': {
'directory:/var/lib/rspamd/dkim',
},
},
}
# TODO manage this using bundlewrap
if node.metadata.get('rspamd', {}).get('dkim', False):
if 'dkim' in node.metadata.get('rspamd', {}):
for i in {'arc', 'dkim_signing'}:
files[f'/etc/rspamd/local.d/{i}.conf'] = {
'source': 'dkim.conf',
'content_type': 'mako',
'needs': {
'action:rspamd_generate_dkim_key',
},
'triggers': {
'svc_systemd:rspamd:restart',
},
}
actions['rspamd_generate_dkim_key'] = {
'command': node.metadata['rspamd']['dkim'].format_into('cd /var/lib/rspamd/dkim && /usr/bin/rspamadm dkim_keygen -s "{0}" -b 2048 -k "{0}.key" > "{0}.txt"'),
'unless': node.metadata['rspamd']['dkim'].format_into('test -f "/var/lib/rspamd/dkim/{0}.key"'),
'needs': {
'directory:/var/lib/rspamd/dkim',
},
'needed_by': {
'action:rspamd_assure_dkim_key_permissions',
},
}
if 'password' in node.metadata.get('rspamd', {}):
files['/etc/rspamd/local.d/worker-controller.inc'] = {
'content_type': 'mako',

View file

@ -31,6 +31,9 @@ defaults = {
},
},
},
'rspamd': {
'dkim': repo.vault.password_for(node.name + ' rspamd dkim key'),
},
}

View file

@ -39,3 +39,4 @@ _mta-sts IN TXT "v=STSv1;id=20201111;"
_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
_token._dnswl IN TXT "gg3mbwjx9bbuo5osvh7oz6bc881wcmc"
2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"

View file

@ -32,6 +32,9 @@ _mta-sts IN TXT "v=STSv1;id=20201111;"
_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
_token._dnswl IN TXT "6akc10htbgmg56e072w0w2n0wql4oezu"
2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
f2k1.de._report._dmarc IN TXT "v=DMARC1"
franzi.business._report._dmarc IN TXT "v=DMARC1"
kunsmann.eu._report._dmarc IN TXT "v=DMARC1"

View file

@ -35,3 +35,4 @@ _mta-sts IN TXT "v=STSv1;id=20201111;"
_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"

View file

@ -16,3 +16,4 @@ _mta-sts IN TXT "v=STSv1;id=20201111;"
_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"

View file

@ -58,11 +58,6 @@ nodes['htz.ex42-1048908'] = {
'deb http://deb.debian.org/debian {os_release}-backports main',
],
},
'rspamd': {
'items': {
'deb [arch=amd64] http://rspamd.com/apt-stable/ {os_release} main',
},
},
'weechat': {
'items': {
'deb https://weechat.org/debian {os_release} main',
@ -304,7 +299,6 @@ nodes['htz.ex42-1048908'] = {
},
},
'rspamd': {
'dkim': True,
'ignore_spam_check_for_ips': {
# entropia
'188.40.158.213',