
fix exim4 opendkim

python3
Andrea Cimbalo 7 years ago
parent
commit
d13656954d
3 changed files with 142 additions and 23 deletions
  1. +1
    -0
      roles/exim4/defaults/main.yaml
  2. +134
    -14
      roles/exim4/tasks/main.yaml
  3. +7
    -9
      roles/postfix/tasks/dkim.yaml

+ 1
- 0
roles/exim4/defaults/main.yaml View File

@ -1,2 +1,3 @@
---
sympa_transport: false
fqdn_domain: "{{ ansible_hostname }}.lilik.it"

+ 134
- 14
roles/exim4/tasks/main.yaml View File

@ -61,12 +61,121 @@
service_packages:
- exim4
- name: generate the TLS key
shell: "/usr/share/doc/exim4-base/examples/exim-gencert"
- name: generate the RSA key
# TODO: reenable openssl_privatekey when moving to ansible 2.3
# openssl_privatekey:
# path: "/etc/exim4/exim.key"
# size: 2048
# state: present
# type: RSA
shell: "openssl genrsa -out /etc/exim4/exim.key 2048"
args:
creates: /etc/exim4/exim.key
notify: restart exim4
- name: generate CSR
# TODO: reenable openssl_csr when moving to ansible 2.3
# openssl_csr:
# commonName: "{{ fqdn_domain }}"
# countryName: "IT"
# digest: sha256
# localityName: "TUSCANY"
# organizationName: "IT"
# path: "/etc/exim4/exim.csr"
# privatekey_path: "/etc/exim4/exim.key"
# state: present
# stateOrProvinceName: "ITALY"
shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ fqdn_domain }}" -key /etc/exim4/exim.key -out /etc/exim4/exim.csr'
args:
creates: /etc/exim4/exim.csr
notify: restart exim4
- name: lookup ssl ca key
set_fact:
ssl_ca_key: "{{ lookup('file', 'test_ssl_ca.crt') }}"
- name: Update ssl CA key
copy:
content: "{{ ssl_ca_key }}"
dest: "/etc/exim4/ssl_ca.crt"
- name: check if exim4 cert is valid
command: 'openssl verify -CAfile /etc/exim4/ssl_ca.crt /etc/exim4/exim.crt'
register: exim4_cert_is_valid
changed_when: false
failed_when: false
- block:
- name: get pub key
slurp:
src: "/etc/exim4/exim.csr"
register: pub_key
- debug:
var: pub_key
verbosity: 2
- name: generate host request
set_fact:
ca_request:
type: 'sign_request'
request:
keyType: 'ssl_host'
hostName: '{{ inventory_hostname }}.lilik.it'
keyData: "{{ pub_key.content| b64decode}}"
- debug:
var: ca_request
verbosity: 2
- name: start sign request
include: ca-dialog.yaml
- debug:
var: request_result
verbosity: 2
- set_fact:
request_output: "{{ request_result.stdout|string|from_json }}"
- debug:
var: request_result
- name: generate get request
set_fact:
ca_request:
type: 'get_certificate'
requestID: '{{ request_output.requestID }}'
- debug:
var: ca_request
verbosity: 2
- debug:
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
- name: wait for cert
include: ca-dialog.yaml
- debug:
var: request_result
verbosity: 2
- set_fact:
cert_key: "{{ request_result.stdout|string|from_json }}"
- debug:
var: request_result
verbosity: 2
- name: set pub key
copy:
content: "{{ cert_key.result }}"
dest: "/etc/exim4/exim.crt"
register: set_pub_key
when: 'exim4_cert_is_valid.rc != 0'
- include_role:
name: service
vars:
@ -84,29 +193,39 @@
group: Debian-exim
- name: create opendkim key for lilik.it
command: opendkim-genkey -D /etc/opendkim/ -d lists.lilik.it -s lists
command: "opendkim-genkey -D /etc/opendkim/ -d {{ fqdn_domain }} -s {{ ansible_hostname }}"
args:
creates:
- /etc/opendkim/mail.private
- /etc/opendkim/mail.txt
creates: '/etc/opendkim/{{ ansible_hostname }}.private'
- name: check /etc/opendkim/mail.private permissions
- name: check /etc/opendkim/{{ ansible_hostname }}.private permissions
file:
path: /etc/opendkim/mail.private
path: '/etc/opendkim/{{ ansible_hostname }}.private'
owner: root
group: Debian-exim
mode: 0640
- name: exim4 macro for TLS, DKIM and sympa aliases
- name: exim4 macro for TLS, DKIM
blockinfile:
dest: /etc/exim4/exim4.conf.localmacros
block: |
MAIN_TLS_ENABLE = yes
DKIM_CANON = relaxed
DKIM_SELECTOR = {{ ansible_hostname}}
DKIM_DOMAIN = {{ fqdn_domain }}
DKIM_PRIVATE_KEY = /etc/opendkim/{{ ansible_hostname }}.private
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK 1"
notify:
- update exim4 configuration
- restart exim4
- block:
- name: exim4 macro for sympa aliases
blockinfile:
dest: /etc/exim4/exim4.conf.localmacros
block: |
MAIN_TLS_ENABLE = yes
DKIM_CANON = relaxed
DKIM_SELECTOR = lists
DKIM_DOMAIN = lists.lilik.it
DKIM_PRIVATE_KEY = /etc/opendkim/lists.private
#--------------
# Activating pipe transport in system_aliases router (pipes in /etc/aliases)
@ -121,6 +240,7 @@
.endif
#--------------
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK 2"
notify:
- update exim4 configuration
- restart exim4
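Review bot: The `generate the RSA key` task leaves `/etc/exim4/exim.key` with whatever mode `openssl genrsa` and the caller's umask produce, and nothing in the hunk pins its owner, group or mode, unlike the DKIM key a few tasks later which gets `owner: root`, `group: Debian-exim`, `mode: 0640`; a `file` task right after it keeps the TLS private key from being readable by every local account. Both `blockinfile` blocks write `MAIN_TLS_ENABLE`, `DKIM_CANON`, `DKIM_SELECTOR`, `DKIM_DOMAIN` and `DKIM_PRIVATE_KEY` into the same `exim4.conf.localmacros`, so whenever the sympa block is rendered as well (its `when` condition lies outside the hunk) each macro is defined twice with `=`, which Exim reports as a redefinition error unless `==` is used; keep the shared macros in block 1 only, or switch the sympa block to `==`. The sympa block also still points at `/etc/opendkim/lists.private`, which this hunk no longer generates (the genkey task now uses `{{ fqdn_domain }}` and `{{ ansible_hostname }}`), so confirm that key is produced elsewhere. Minor: `DKIM_SELECTOR = {{ ansible_hostname}}` lacks the space before `}}`, and `mode: 0640` is safer quoted as `"0640"`.
```yaml
- name: generate the RSA key
  # … unchanged: shell openssl genrsa / args.creates / notify …
- name: restrict exim4 TLS key permissions
  file:
    path: /etc/exim4/exim.key
    owner: root
    group: Debian-exim
    mode: "0640"
```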


+ 7
- 9
roles/postfix/tasks/dkim.yaml View File

@ -28,22 +28,20 @@
notify: restart opendkim
- name: create opendkim key for lilik.it
command: opendkim-genkey -D /etc/opendkim/ -d lilik.it -s mail
command: opendkim-genkey -D /etc/opendkim/ -d lilik.it -s {{ ansible_hostname }}
args:
creates:
- /etc/opendkim/mail.private
- /etc/opendkim/mail.txt
creates: '/etc/opendkim/{{ ansible_hostname }}.private'
- name: check /etc/opendkim/mail.private permissions
- name: check /etc/opendkim/{{ ansible_hostname }}.private permissions
file:
path: /etc/opendkim/mail.private
path: '/etc/opendkim/{{ ansible_hostname }}.private'
owner: opendkim
group: opendkim
mode: 0600
- name: check /etc/opendkim/mail.txt permissions
- name: check /etc/opendkim/{{ ansible_hostname }}.txt permissions
file:
path: /etc/opendkim/mail.txt
path: '/etc/opendkim/{{ ansible_hostname }}.txt'
owner: opendkim
group: opendkim
mode: 0660
@ -53,7 +51,7 @@
dest: '/etc/opendkim.conf'
block: |
Domain lilik.it
KeyFile /etc/opendkim/mail.private
KeyFile /etc/opendkim/{{ ansible_hostname }}.private
Selector mail
notify: restart opendkim
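Review bot: The `Selector mail` line in the opendkim.conf block is left unchanged while the key is now generated with `-s {{ ansible_hostname }}` and `KeyFile` points at `{{ ansible_hostname }}.private`, so outgoing signatures will carry `s=mail` but the DNS record written by `opendkim-genkey` into `{{ ansible_hostname }}.txt` belongs to `{{ ansible_hostname }}._domainkey`; unless the `mail` record is republished with the new public key, verifiers will reject the signatures. Change the block line to `Selector {{ ansible_hostname }}` so the selector, key file and generated TXT record agree. The `check ... permissions` tasks keep `mode: 0600` / `mode: 0660` as unquoted octals; quoting them as `"0600"` / `"0660"` avoids the YAML 1.1 integer trap.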

