Start adding dns

roles/email/defaults/dns.yml

@@ -0,0 +1,18 @@
+dns_zones:
+  - "famedly.{{ famedly_tld }}"
+  - "famedly.{{ famedly_dnssec_tld }}"
+dns_host_name_short: "{{ famedly_subdomain }}"
+dns_host_ipv4: "{{ famedly_server_host_ipv4 }}"
+dns_host_ipv6: "{{ famedly_server_host_ipv6 }}"
+dns_text_records:
+  - records:
+      - name: "dkim._domainkey.ratzupaltuff-test"
+        content: "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9T9xfbZRkfZIhmUHgMU5GBUerx2pdy9VGVmvPcyjoso7o3TCcStNFXSQifKRPAhj5RusYbd5JgPcg5lf6gdBWGyqp1TENrB9lE8yuYokfIowEH4x0WlCjr9yqxZBUfS3a7MGO8uQOiyZhsSvcQmuP0My3F1jOZneb9DZWoVirKQIDAQAB"      - name: "_dmarc.ratzupaltuff-test"
+        content: "v=DMARC1; p=reject; fo=1; rua=mailto:dmarc-rua@ratzupaltuff-test.famedly.de; ruf=mailto:dmarc-ruf@ratzupaltuff-test.famedly.de"
+      - name: "ratzupaltuff-test"
+        content: "v=spf1 mx ip4:116.203.43.126 +all"
+ssh_ecdsa_sha256_fingerprint:
+  fingerprint: 
+
+dns_cloudflare_api_key: "{{ cloudflare_dns_api_token }}"
+dnssec_zone: "famedly.{{ famedly_dnssec_tld }}"

roles/email/defaults/main.yml

@@ -73,6 +73,10 @@ rspamd_docker_volumes:
   - "{{ rspamd_host_base_path }}/control_socket/:/run/rspamd:rw"
   - "{{ rspamd_dkim_location_host }}/:{{ rspamd_dkim_location_container }}/:ro"
 rspamd_install_redis: true
+  #rspamd_dkim_key_file_was_missing: not dkim_file_check.stat.exists
+  #rspamd_dkim_key_file_was_empty: key_already_generated.changed
+  #rspamd_dkim_key_was_present: key_already_generated.msg == ""
+rspamd_dkim_override_key: false
 
 #DKIM
 #dkim_selector_name: ratzupaltuff-test #dkim #hostname or month/year

roles/email/tasks/dns.yml

@@ -0,0 +1,9 @@
+---  
+#  - name: set reverse dns records
+#    import_tasks: reverse-dns.yml
+#    become: true
+
+  - include_role:
+      name: dns
+      apply:
+        delegate_to: localhost

roles/email/tasks/main.yml

@@ -11,20 +11,24 @@
       state: directory
       group: "{{ email_group_name }}"
     become: true
+    when: false
+
+  - name: prepare dns records
+    import_tasks: dns.yml
+    become: true
+    when: true
 
   - name: install postfix
     import_tasks: postfix.yml
     become: true
-    #when: false
+    when: false
     
   - name: install rspamd
     import_tasks: rspamd/rspamd.yml
     become: true
-    when: true
+    when: false
+
 
-    #  - name: set reverse dns records
-    #    import_tasks: reverse-dns.yml
-    #    become: true
 
     #- name: install dovecot
     #import_tasks: dovecot.yml

roles/email/tasks/old_opendkim.yml

@@ -0,0 +1,58 @@
+---
+  - name: Add opendkim group
+    ansible.builtin.group:
+      name: "{{ opendkim_group_name }}"
+      state: present
+ 
+  - name: Add opendkim user
+    ansible.builtin.user:
+      name: "{{ opendkim_user_name }}"
+      group: "{{ opendkim_group_name }}"
+    register: opendkim_user
+
+  - name: create directory for opendkim config and dkim-certs
+    file:
+      path: '{{ opendkim_base_path }}/{{ item }}'
+      state: directory
+      owner: root
+      #owner: "{{ opendkim_user.name }}"
+      #group: "{{ opendkim_user.group }}"
+      mode: '0700'
+    with_items:
+      - 
+      - certs
+      - config
+      - certs/opendkim
+
+  - name: configure opendkim
+    template:
+      src: "opendkim/opendkim.conf"
+      dest: "{{ opendkim_base_path }}/config/opendkim.conf"
+      owner: root
+      #owner: "{{ opendkim_user.name }}"
+      #group: "{{ opendkim_user.group }}"
+      mode: '0700'
+
+  - name: opendkim cert-gen
+    import_tasks: opendkim_cert_gen.yml
+
+  - name: install opendkim container
+    docker_container:
+      name: "{{ opendkim_docker_name }}"
+      hostname: "{{ opendkim_docker_name }}"
+      image: "{{ opendkim_docker_image }}"
+      ports: "{{ opendkim_docker_ports }}"
+      labels: "{{ opendkim_docker_labels }}"
+      restart_policy: unless-stopped
+      recreate: true
+      #user: "{{ opendkim_user.uid }}" #:{{ opendkim_user.group }}"
+      pull: true
+      command: "/usr/sbin/opendkim -x {{ opendkim_conf_path }}"
+      #command: "/usr/sbin/opendkim -f -l -p {{ opendkim_listening_socket }} -d {{ email_domain }} -k {{ opendkim_cert_path }}/{{ opendkim_cert_filename }} -s {{ opendkim_selector_name }}"
+      volumes:
+        - "{{ opendkim_base_path }}/certs/{{ opendkim_cert_filename }}:{{ opendkim_cert_filepath }}"
+        - "{{ opendkim_base_path }}/config/opendkim.conf:{{ opendkim_conf_path }}"
+
+  - name: debug
+    debug:
+      msg: "{{ opendkim_base_path }}/config/opendkim.conf:{{ opendkim_conf_path }}"

roles/email/tasks/rspamd/gen_dkim_keys.yml

@@ -1,33 +1,56 @@
 ---
-  - name: create cert files with right permissions
-    copy:
-      content: ""
-      dest: "{{ rspamd_dkim_location_host }}/{{ item }}"
-      force: no
-      owner: "{{ rspamd_user.name }}"
-      group: "{{ rspamd_user.group }}"
-      mode: '0700'
-    with_items:
-      - "{{ dkim_selector_name }}_test.key"
-      - "{{ dkim_selector_name }}_dns_record.txt"
+  - name: Attempt to generate DKIM-Certs
+    block:
+      - name: create cert files with right permissions
+        copy:
+          content: ""
+          dest: "{{ rspamd_dkim_location_host }}/{{ item }}"
+          force: no
+          owner: "{{ rspamd_user.name }}"
+          group: "{{ rspamd_user.group }}"
+          mode: '0700'
+        with_items:
+          - "{{ dkim_selector_name }}_test.key"
+          - "{{ dkim_selector_name }}_dns_record.txt"
+        register: dkim_create_files
+      
+      - debug:
+          var: dkim_create_files.changed
 
-  - name: run rspamd cert-gen container
-    docker_container:
-      name: "rspamd_cert_gen"
-      image: "{{ rspamd_docker_image }}"
-      ports: []
-      labels: {}
-      restart_policy: "no"
-      recreate: true
-        #user: "{{ rspamd_user.uid }}:{{ rspamd_user.group }}"
-      user: "root"
-        #"/bin/sh: can't create /var/lib/rspamd/dkim/dkim_dns_record.txt: Permission denied\n", "status": 1
-      pull: true
-      entrypoint: "/bin/sh"
-      command: 
-        - "-c"
-        - "/usr/bin/rspamadm dkim_keygen -s {{ dkim_selector_name }} -b 2048 -d {{ email_hostname }} -k {{ rspamd_dkim_location_container }}/{{ dkim_selector_name }}_test.key > {{ rspamd_dkim_location_container }}/{{ dkim_selector_name }}_dns_record.txt"
-      volumes: 
-        - "{{ rspamd_dkim_location_host }}:{{ rspamd_dkim_location_container }}"
-      command_handling: "correct"
-      detach: "no"
+      - name: run rspamd cert-gen container
+        docker_container:
+          name: "rspamd_cert_gen"
+          image: "{{ rspamd_docker_image }}"
+          ports: []
+          labels: {}
+          restart_policy: "no"
+          recreate: true
+            #user: "{{ rspamd_user.uid }}:{{ rspamd_user.group }}"
+          user: "root"
+            #"/bin/sh: can't create /var/lib/rspamd/dkim/dkim_dns_record.txt: Permission denied\n", "status": 1
+          pull: true
+          entrypoint: "/bin/sh"
+          command: 
+            - "-c"
+            - "/usr/bin/rspamadm dkim_keygen -s {{ dkim_selector_name }} -b 2048 -d {{ email_hostname }} -k {{ rspamd_dkim_location_container }}/{{ dkim_selector_name }}_test.key > {{ rspamd_dkim_location_container }}/{{ dkim_selector_name }}_dns_record.txt"
+          volumes: 
+            - "{{ rspamd_dkim_location_host }}:{{ rspamd_dkim_location_container }}"
+          command_handling: "correct"
+          detach: "no"
+        when: dkim_create_files.changed or rspamd_dkim_override_key
+
+    rescue: 
+      - name: delete certs
+        file:
+          state: absent
+          path: "{{ rspamd_dkim_location_host }}/{{ item }}"
+        with_items: 
+          - "{{ dkim_selector_name }}_test.key"
+          - "{{ dkim_selector_name }}_dns_record.txt"
+
+#  - name: is dkim-key already populated?
+#    lineinfile: 
+#      dest: "{{ rspamd_dkim_location_host }}/{{ dkim_selector_name }}_test.key"
+#      line: "-----BEGIN PRIVATE KEY-----"
+#    check_mode: yes
+#    register: key_already_generated