rspamd: Don't hardcode the dkim signing domain

We want to use rspamd for lists.al.org at some point, so we can't hardcode the domain to archlinux.org.

rspamd: Don't hardcode the dkim signing domain
c6e740b8 · Kristian Klausen · c14c2c1a · c6e740b8 · c6e740b8 · c6e740b8
Commit c6e740b8 authored 3 years ago by Kristian Klausen
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -12,7 +12,7 @@
    - { role: mta_sts }
    - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
    - { role: dovecot }
-    - { role: rspamd, tags: ["mail"] }
+    - { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
    - { role: unbound, unbound_port: 5353, tags: ["mail"] }
    - { role: postfwd, tags: ['mail'] }
    - { role: archusers }

--- a/roles/rspamd/defaults/main.yml
+++ b/roles/rspamd/defaults/main.yml
+rspamd_dkim_use_esld: true
--- a/roles/rspamd/tasks/main.yml
+++ b/roles/rspamd/tasks/main.yml
@@ -7,6 +7,11 @@
  notify:
    - reload rspamd

+- name: install dkim_signing.conf
+  template: src=dkim_signing.conf.j2 dest=/etc/rspamd/local.d/dkim_signing.conf owner=root group=root mode=0644
+  notify:
+    - reload rspamd
+
 - name: create rspamd dkim directory
  file: path=/var/lib/rspamd/dkim state=directory owner=rspamd group=rspamd mode=0750

@@ -24,8 +29,8 @@
 - name: install DKIM keys
  copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
  loop:
-    - archlinux.org.dkim-ed25519.key
-    - archlinux.org.dkim-rsa.key
+    - "{{ rspamd_dkim_domain }}.dkim-ed25519.key"
+    - "{{ rspamd_dkim_domain }}.dkim-rsa.key"
  notify:
    - reload rspamd


--- a/roles/rspamd/files/local.d/dkim_signing.conf
+++ b/roles/rspamd/files/local.d/dkim_signing.conf
 domain {
-  archlinux.org {
+  {{ rspamd_dkim_domain }} {
    selectors [
      {
        selector = "dkim-ed25519";
-        path = "/var/lib/rspamd/dkim/archlinux.org.dkim-ed25519.key";
+        path = "/var/lib/rspamd/dkim/{{ rspamd_dkim_domain }}.dkim-ed25519.key";
      },
      {
        selector = "dkim-rsa";
-        path = "/var/lib/rspamd/dkim/archlinux.org.dkim-rsa.key";
+        path = "/var/lib/rspamd/dkim/{{ rspamd_dkim_domain }}.dkim-rsa.key";
      }
    ]
  }
@@ -20,4 +20,4 @@ allow_hdrfrom_mismatch_sign_networks = true;
 allow_username_mismatch = true;
 use_domain = "header";
 sign_authenticated = true;
-use_esld = true;
+use_esld = {{ 'true' if rspamd_dkim_use_esld else 'false' }};