romain-dartigues/cdist-contrib
1
0
Fork 0
forked from ungleich-public/cdist-contrib
Code Pull requests Activity

Compare commits

base: romain-dartigues:opendkim-improvements
Branches Tags
romain-dartigues:master
romain-dartigues:package-xbps
romain-dartigues:opendkim-debian
romain-dartigues:opendkim-improvements
romain-dartigues:php
romain-dartigues:kjg_passwordconfig
romain-dartigues:synapse-upstream-apt-repository
romain-dartigues:haproxy-dualstack
romain-dartigues:synapse-upstream-repository
romain-dartigues:root-mail-dma
ungleich-public:master
ungleich-public:opendkim-debian
ungleich-public:kjg_passwordconfig
ungleich-public:synapse-upstream-apt-repository
ungleich-public:haproxy-dualstack
ungleich-public:synapse-upstream-repository
ungleich-public:root-mail-dma
..
compare: romain-dartigues:master
Branches Tags
romain-dartigues:package-xbps
romain-dartigues:opendkim-debian
romain-dartigues:master
romain-dartigues:opendkim-improvements
romain-dartigues:php
romain-dartigues:kjg_passwordconfig
romain-dartigues:synapse-upstream-apt-repository
romain-dartigues:haproxy-dualstack
romain-dartigues:synapse-upstream-repository
romain-dartigues:root-mail-dma
ungleich-public:master
ungleich-public:opendkim-debian
ungleich-public:kjg_passwordconfig
ungleich-public:synapse-upstream-apt-repository
ungleich-public:haproxy-dualstack
ungleich-public:synapse-upstream-repository
ungleich-public:root-mail-dma

2 commits
opendkim-i ... master

Author SHA1 Message Date
Timothée Floure
f01f110463
[__bird_radv] add --default-lifetime parameter 2024-02-21 13:38:08 +01:00
Timothée Floure
f101ea4afa
[__bird_radv] fix MTU setting, link routing tables to __object_id, add preference parameters 2024-02-19 12:41:05 +01:00
10 changed files with 87 additions and 188 deletions
Show stats Expand all files Collapse all files

12
type/__bird_radv/man.rst
View file

@ -26,6 +26,18 @@ OPTIONAL PARAMETERS
mtu mtu
An optional MTU setting to include in the router advertisements. An optional MTU setting to include in the router advertisements.
default-preference
This option specifies the Default Router Preference value to advertise to
hosts. Default: medium.
route-preference
This option specifies the default value of advertised route preference for
specific routes. Default: medium.
default-lifetime
This option specifies the time (in seconds) how long (since the receipt of RA)
hosts may use the router as a default router. 0 means do not use as a default
router. Default: 3.
OPTIONAL MULTIPLE PARAMETERS OPTIONAL MULTIPLE PARAMETERS
---------------------------- ----------------------------

29
type/__bird_radv/manifest
View file

@ -58,27 +58,48 @@ fi
MTU= MTU=
if [ -f "${__object:?}/parameter/mtu" ]; if [ -f "${__object:?}/parameter/mtu" ];
then then
MTU="link mtu $(cat "${__object:?}/parameter/mtu")" MTU="link mtu $(cat "${__object:?}/parameter/mtu");"
fi
DEFAULT_PREFERENCE=
if [ -f "${__object:?}/parameter/default-preference" ];
then
DEFAULT_PREFERENCE="default preference $(cat "${__object:?}/parameter/default-preference");"
fi
ROUTE_PREFERENCE=
if [ -f "${__object:?}/parameter/route-preference" ];
then
ROUTE_PREFERENCE="route preference $(cat "${__object:?}/parameter/route-preference");"
fi
DEFAULT_LIFETIME=
if [ -f "${__object:?}/parameter/default-lifetime" ];
then
DEFAULT_LIFETIME="default lifetime $(cat "${__object:?}/parameter/default-lifetime");"
fi fi
__file "${confdir:?}/radv-${__object_id:?}.conf" \ __file "${confdir:?}/radv-${__object_id:?}.conf" \
--mode 0640 --owner root --group bird \ --mode 0640 --owner root --group bird \
--source - << EOF --source - << EOF
ipv6 table radv_routes; ipv6 table radv_routes_${__object_id};
protocol static { protocol static {
description "Routes advertised via RAs"; description "Routes advertised via RAs";
ipv6 { table radv_routes; }; ipv6 { table radv_routes_${__object_id}; };
$(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route") $(sed -e 's/^/\troute /' -e 's/$/ unreachable;/' "${__object:?}/parameter/route")
} }
protocol radv ${__object_id:?} { protocol radv ${__object_id:?} {
propagate routes ${have_routes:?}; propagate routes ${have_routes:?};
ipv6 { table radv_routes; export all; }; ipv6 { table radv_routes_${__object_id}; export all; };
interface "$(cat "${__object:?}/parameter/interface")" { interface "$(cat "${__object:?}/parameter/interface")" {
$MTU $MTU
$DEFAULT_LIFETIME
$DEFAULT_PREFERENCE
$ROUTE_PREFERENCE
}; };
$RDNS $RDNS

3
type/__bird_radv/parameter/optional
View file

@ -1 +1,4 @@
mtu mtu
default-preference
route-preference
default-lifetime

32
type/__opendkim_genkey/explorer/key-state
View file

@ -1,32 +0,0 @@
#!/bin/sh -e
DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ];
then
# Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi
KEY_ID="$(echo "${__object_id:?)}" | tr '/' '_')"
DEFAULT_PATH="${DIRECTORY:?}${KEY_ID:?}.private"
if [ -s "${DEFAULT_PATH}" ]; then
# This is the main location for the key
FOUND_PATH="${DEFAULT_PATH}"
else
# This is a backwards-compatible location for the key
# Keys generated post March 2022 should not land here
if [ -f "${__object:?}/parameter/selector" ]; then
SELECTOR="$(cat "${__object:?}/parameter/selector")"
if [ -s "${DIRECTORY}${SELECTOR:?}.private" ]; then
FOUND_PATH="${DIRECTORY}${SELECTOR:?}.private"
fi
fi
fi
if [ -n "${FOUND_PATH}" ]; then
printf "present\t%s" "${FOUND_PATH}"
else
# We didn't find the key
# We pass the default path here, to easen logic in the rest of the type
printf "absent\t%s" "${DEFAULT_PATH}"
fi

33
type/__opendkim_genkey/gencode-remote
View file

@ -19,8 +19,8 @@
# #
# Required parameters # Required parameters
DOMAIN="$(cat "${__object:?}/domain")" DOMAIN="$(cat "${__object:?}/parameter/domain")"
SELECTOR="$(cat "${__object:?}/selector")" SELECTOR="$(cat "${__object:?}/parameter/selector")"
# Optional parameters # Optional parameters
BITS= BITS=
@ -28,6 +28,12 @@ if [ -f "${__object:?}/parameter/bits" ]; then
BITS="-b $(cat "${__object:?}/parameter/bits")" BITS="-b $(cat "${__object:?}/parameter/bits")"
fi fi
DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ]; then
# Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi
# Boolean parameters # Boolean parameters
SUBDOMAINS= SUBDOMAINS=
if [ -f "${__object:?}/parameter/no-subdomains" ]; then if [ -f "${__object:?}/parameter/no-subdomains" ]; then
@ -42,24 +48,9 @@ fi
user="$(cat "${__object:?}/user")" user="$(cat "${__object:?}/user")"
group="$(cat "${__object:?}/group")" group="$(cat "${__object:?}/group")"
KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")" if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")" echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private"
if [ "${KEY_STATE:?}" = "absent" ]; then
# opendkim-genkey(8) does not allow specifying the file name.
# To err on the safe side (and avoid potentially killing other keys)
# we operate on a temporary directory first, then move the resulting key
cat <<-EOF
tmp_dir="\$(mktemp -d cdist-dkim.XXXXXXXXXXX)"
opendkim-genkey $BITS --domain=${DOMAIN:?} --directory=\${tmp_dir:?} $RESTRICTED --selector=${SELECTOR:?} $SUBDOMAINS
# Relocate and ensure permissions
mv "\${tmp_dir:?}/${SELECTOR:?}.private" '${KEY_LOCATION:?}'
chown ${user}:${group} '${KEY_LOCATION}'
chmod 0600 '${KEY_LOCATION}'
# This is usually generated, if it weren't we do not want to fail # This is usually generated, if it weren't we do not want to fail
mv "\${tmp_dir:?}/${SELECTOR:?}.txt" '${KEY_LOCATION%.private}.txt' || true echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true"
chown ${user}:${group} '${KEY_LOCATION%.private}.txt' || true
# Cleanup after ourselves
rmdir "\${tmp_dir:?}" || true
EOF
fi fi

77
type/__opendkim_genkey/man.rst
View file

@ -10,27 +10,23 @@ DESCRIPTION
----------- -----------
This type uses the `opendkim-genkey(8)` to generate signing keys suitable for This type uses the `opendkim-genkey(8)` to generate signing keys suitable for
usage by `opendkim(8)` to sign outgoing emails. usage by `opendkim(8)` to sign outgoing emails. Then, a line with the domain,
selector and keyname in the `$selector._domainkey.$domain` format will be added
It also manages the key, identified by its `$__object_id` in OpenDKIM's to the OpenDKIM key table located at `/etc/opendkim/KeyTable`. Finally, a line
KeyTable and sets its `s=` and `d=` parameters (see: `--selector` and will be added to the OpenDKIM signing table, using either the domain or the
`--sigdomain` respectively). provided key for the `domain:selector:keyfile` value in the table. An existing
key will not be overwritten.
This type will also manage the entries in the OpenDKIM's SigningTable by
associating any given `sigkey` values to this key.
Take into account that if you use this type without the `--domain` and
`--selector` parameters, the `$__object_id` must be in form `$domain/$selector`.
Currently, this type is only implemented for Alpine Linux and FreeBSD. Currently, this type is only implemented for Alpine Linux and FreeBSD.
Please contribute an implementation if you can. Please contribute an implementation if you can.
NOTE: the name of the key file under `--directory` will default to REQUIRED PARAMETERS
`$__object_id.private`, but if that fails and `--selector` is used, -------------------
`SELECTOR.private` will be considered. domain
Take care when using unrelated keys that might collide this way. The domain to generate the key for.
For more information see:
https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20 selector
The DKIM selector to generate the key for.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
@ -42,36 +38,10 @@ bits
directory directory
The directory in which to generate the key, `/var/db/dkim/` by default. The directory in which to generate the key, `/var/db/dkim/` by default.
domain
The domain to generate the key for.
If omitted, `--selector` must be omitted as well and `$__object_id` must be
in form: `$domain/$selector`.
selector
The DKIM selector to generate the key for.
If omitted, `--domain` must be omitted as well and `$__object_id` must be
in form: `$domain/$selector`.
sigdomain
Specified in the KeyTable, the domain to use in the signature's "d=" value.
Defaults to the specified domain. If `%`, it will be replaced by the apparent
domain of the sender when generating a signature.
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
See `KeyTable` in `opendkim.conf(5)` for more information.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
sigkey sigkey
The key used in the `SigningTable` for this signing key. Defaults to the The key used in the SigningTable for this signing key. Defaults to the
specified domain. If `%`, OpenDKIM will replace it with the domain found specified domain. If `%`, OpenDKIM will replace it with the domain found
in the `From:` header. See `opendkim.conf(5)` for more options. in the `From:` header. See `opendkim.conf(5)` for more options.
Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`.
This can be passed multiple times, resulting in multiple lines in the
SigningTable, which can be used to support signing of subdomains or multiple
domains with the same key; in that case, you probably want to set
`--sigdomain` to `%`, else the domains will not be aligned.
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
@ -87,7 +57,6 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
# Setup the OpenDKIM service
__opendkim \ __opendkim \
--socket inet:8891@localhost \ --socket inet:8891@localhost \
--basedir /var/lib/opendkim \ --basedir /var/lib/opendkim \
@ -96,24 +65,14 @@ EXAMPLES
--umask 002 \ --umask 002 \
--syslog --syslog
# Continue only after the service has been set up require='__opendkim' \
export require="__opendkim"
# Generate a key for 'example.com' with selector 'default'
__opendkim_genkey default \ __opendkim_genkey default \
--domain example.com \ --domain example.com \
--selector default --selector default
# Generate a key for 'foo.com' with selector 'backup' __opendkim_genkey myfoo \
__opendkim_genkey 'foo.com/backup' --domain foo.com \
--selector backup
# Generate a key for 'example.org' with selector 'main'
# that can also sign 'cdi.st' and subdomains of 'example.org'
__opendkim_genkey 'example.org/main' \
--sigdomain '%' \
--sigkey 'example.org' \
--sigkey '.example.org' \
--sigkey 'cdi.st'
SEE ALSO SEE ALSO

76
type/__opendkim_genkey/manifest
View file

@ -35,48 +35,17 @@ case "$os" in
;; ;;
*) *)
cat <<- EOF >&2 cat <<- EOF >&2
__opendkim_genkey currently only supports Alpine Linux and FreeBSD. __opendkim_genkey currently only supports Alpine Linux. Please
Please contribute an implementation for $os if you can. contribute an implementation for $os if you can.
EOF EOF
exit 1
;; ;;
esac esac
# Persist user and group for gencode-remote
printf '%s' "${user}" > "${__object:?}/user"
printf '%s' "${group}" > "${__object:?}/group"
# Logic to simplify the type as documented in SELECTOR="$(cat "${__object:?}/parameter/selector")"
# https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20#issuecomment-14711 DOMAIN="$(cat "${__object:?}/parameter/domain")"
DOMAIN="$(cat "${__object:?}/parameter/domain" 2>/dev/null || true)"
SELECTOR="$(cat "${__object:?}/parameter/selector" 2>/dev/null || true)"
if [ -z "${DOMAIN}${SELECTOR}" ]; then
# Neither SELECTOR nor DOMAIN were passed, try to use __object_id
if echo "${__object_id:?}" | \
grep -qE '^[^/[:space:]]+/[^/[:space:]]+$'; then
# __object_id matches, let's get the data
DOMAIN="$(echo "${__object_id:?}" | cut -d '/' -f 1)"
SELECTOR="$(echo "${__object_id:?}" | cut -d '/' -f 2)"
else
# It doesn't match the pattern, this is sad
cat <<- EOF >&2
The arguments --domain and --selector were not used.
So __object_id must match DOMAIN/SELECTOR.
But instead the type got: ${__object_id:?}
EOF
exit 1
fi
elif [ -z "${DOMAIN}" ] || [ -z "${SELECTOR}" ]; then
# Only one was passed, this is sad :-(
cat <<- EOF >&2
You must pass either both --selector and --domain or none of them.
If these arguments are absent, __object_id must match: DOMAIN/SELECTOR.
EOF
exit 1
# else: both were passed
fi
# Persist data for gencode-remote
printf '%s' "${user:?}" > "${__object:?}/user"
printf '%s' "${group:?}" > "${__object:?}/group"
printf '%s' "${DOMAIN:?}" > "${__object:?}/domain"
printf '%s' "${SELECTOR:?}" > "${__object:?}/selector"
DIRECTORY="/var/db/dkim/" DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ]; if [ -f "${__object:?}/parameter/directory" ];
@ -90,11 +59,6 @@ if [ -f "${__object:?}/parameter/sigkey" ];
then then
SIGKEY="$(cat "${__object:?}/parameter/sigkey")" SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
fi fi
SIGDOMAIN="${DOMAIN:?}"
if [ -f "${__object:?}/parameter/sigdomain" ];
then
SIGDOMAIN="$(cat "${__object:?}/parameter/sigdomain")"
fi
# Ensure the key-container directory exists with the proper permissions # Ensure the key-container directory exists with the proper permissions
__directory "${DIRECTORY}" \ __directory "${DIRECTORY}" \
@ -112,28 +76,10 @@ esac
key_table="${CFG_DIR}/KeyTable" key_table="${CFG_DIR}/KeyTable"
signing_table="${CFG_DIR}/SigningTable" signing_table="${CFG_DIR}/SigningTable"
KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")" __line "line-key-${__object_id:?}" \
KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")"
__line "__opendkim_genkey/${__object_id:?}" \
--file "${key_table}" \ --file "${key_table}" \
--line "${__object_id:?} ${SIGDOMAIN:?}:${SELECTOR:?}:${KEY_LOCATION:?}" \ --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
--regex "^${__object_id:?}[[:space:]]" \
--state 'replace'
sigtable_block() { __line "line-sig-${__object_id:?}" \
for sigkey in ${SIGKEY:?}; do
echo "${sigkey:?} ${__object_id:?}"
done
}
__block "__opendkim_genkey/${__object_id:?}" \
--file "${signing_table}" \ --file "${signing_table}" \
--text "$(sigtable_block)" --line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
if [ "${KEY_STATE:?}" = "present" ]; then
# Ensure proper permissions for the key file
__file "${KEY_LOCATION}" \
--owner "${user}" \
--group "${group}" \
--mode 0600
fi

4
type/__opendkim_genkey/parameter/optional
View file

@ -1,6 +1,4 @@
bits bits
directory directory
domain
unrestricted unrestricted
selector sigkey
sigdomain

1
type/__opendkim_genkey/parameter/optional_multiple
View file

@ -1 +0,0 @@
sigkey

2
type/__opendkim_genkey/parameter/required Normal file
View file

@ -0,0 +1,2 @@
domain
selector