Configure DKIM.

2021-11-18 18:45:04 +01:00 · 2021-11-18 18:45:04 +01:00 · b9018a9171
parent 0ae5a0a169
commit b9018a9171
4 changed files with 73 additions and 0 deletions
--- a/discuss.yml
+++ b/discuss.yml
@ -7,4 +7,5 @@
      - julien@palard.fr
      - marc@debureaux.fr
  roles:
+    - common
    - discourse
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -2,3 +2,6 @@

 - name: reload nftables
  service: name=nftables state=reloaded
+
+- name: reload exim4
+  service: name=exim4 state=reloaded
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -5,6 +5,63 @@
    hostname:
      name: "{{ inventory_hostname_short }}"

+  - name: Configure FQDN
+    lineinfile:
+      path: /etc/hosts
+      regexp: '^127\.0\.0\.1'
+      line: "127.0.0.1 {{ inventory_hostname }} {{ inventory_hostname_short }} localhost"
+      owner: root
+      group: root
+      mode: 0644
+
+  - name: Choose a DKIM selector
+    set_fact:
+      dkim_selector: "{{ inventory_hostname | replace('.', '-') }}"
+
+  - name: Create /etc/exim4/dkim/ directory
+    file:
+      path: /etc/exim4/dkim/
+      state: directory
+      mode: 0750
+      owner: Debian-exim
+      group: Debian-exim
+
+  - name: Generate a private key for DKIM
+    command: openssl genrsa -out /etc/exim4/dkim/{{ dkim_selector }}-private.key 1024
+    args:
+      creates: /etc/exim4/dkim/{{ dkim_selector }}-private.key
+
+  - name: Allow exim to read the DKIM private key
+    file:
+      path: /etc/exim4/dkim/{{ dkim_selector }}-private.key
+      owner: root
+      group: Debian-exim
+      mode: 0640
+
+  - name: Derive the public key for DKIM
+    command: openssl rsa -in {{ dkim_selector }}-private.key -out {{ dkim_selector }}.pem -pubout -outform PEM
+    args:
+      chdir: /etc/exim4/dkim/
+      creates: /etc/exim4/dkim/{{ dkim_selector }}.pem
+
+  - name: Configure exim to use our DKIM key
+    copy:
+      dest: /etc/exim4/conf.d/main/00_local_macros
+      content: |
+        DKIM_CANON = relaxed
+        DKIM_SELECTOR = {{ dkim_selector }}
+        DKIM_DOMAIN = {{ inventory_hostname }}
+        DKIM_PRIVATE_KEY = /etc/exim4/dkim/{{ dkim_selector }}-private.key
+      owner: root
+      group: root
+      mode: 0644
+    notify: reload exim4
+    register: config_exim
+
+  - name: Reconfigure exim4
+    command: update-exim4.conf
+    when: config_exim is changed
+
  - package: name=nftables state=present

  - service: name=nftables enabled=yes state=started daemon_reload=yes
--- a/roles/discourse/tasks/main.yml
+++ b/roles/discourse/tasks/main.yml
@ -41,3 +41,15 @@
  template:
    src: app.yml
    dest: /var/discourse/containers/app.yml
+
+- name: Allow docker to send emails via exim
+  lineinfile:
+    path: /etc/exim4/update-exim4.conf.conf
+    regexp: ^dc_local_interfaces=
+    line: "dc_local_interfaces='127.0.0.1;172.17.0.1'"
+
+- name: Allow docker to send emails via exim
+  lineinfile:
+    path: /etc/exim4/update-exim4.conf.conf
+    regexp: ^dc_relay_nets=
+    line: "dc_relay_nets='172.16.0.0/12'"