Implement __opendkim and __opendkim_genkey type.

2021-05-31 11:25:29 +02:00 · 2021-05-31 11:25:29 +02:00 · bcf88606ea
commit bcf88606ea
parent 05f2bd394c
12 changed files with 476 additions and 0 deletions
--- a/type/__opendkim/files/opendkim.conf.sh
+++ b/type/__opendkim/files/opendkim.conf.sh
@ -0,0 +1,64 @@
 #!/bin/sh -e
 # Generate an opendkim.conf(5) file for opendkim(8).
 # Optional chdir(2)
 if [ "$BASEDIR" ];
 then
 	printf "BaseDirectory %s\n" "$BASEDIR"
 fi
 # Optional canonicalization settings
 if [ "$CANON" ];
 then
 	case "$CANON" in
 		"simple/simple")
 			:
 			;;
 		"simple/relaxed")
 			:
 			;;
 		"relaxed/simple")
 			:
 			;;
 		"relaxed/relaxed")
 			:
 			;;
 		*)
 			echo "Invalid Canonicalization setting!" >&2
 			exit 1
 			;;
 	esac
 	printf "Canonicalization %s\n" "$CANON"
 fi
 # Key and Domain tables
 echo 'KeyTable /etc/opendkim/KeyTable'
 echo 'SigningTable /etc/opendkim/SigningTable'
 # Required socket to listen on
 printf "Socket %s\n" "${SOCKET:?}"
 # Optional subdomain signing settings
 if [ "$SUBDOMAINS" ];
 then
 	printf "SubDomains %s\n" "$SUBDOMAINS"
 fi
 # Optional request logging to syslog
 if [ "$SYSLOG" ];
 then
 	echo "Syslog yes"
 fi
 # Optional UMask specification
 if [ "$UMASK" ];
 then
 	printf "UMask %s\n" "$UMASK"
 fi
 # Optional UserID to change to
 if [ "$USERID" ];
 then
 	printf "UserID %s\n" "$USERID"
 fi
--- a/type/__opendkim/man.rst
+++ b/type/__opendkim/man.rst
@ -0,0 +1,96 @@
 cdist-type__opendkim(7)
 =======================
 NAME
 ----
 cdist-type__opendkim - Configure an instance of OpenDKIM
 DESCRIPTION
 -----------
 OpenDKIM is a DKIM signing and verifying filter for MTAs. This type enables the
 installation and basic configuration of an instance of OpenDKIM.
 Note that this type does not generate or ensure that a key is present: use
 `cdist-type__opendkim-genkey(7)` for that.
 Note that this type is currently only implemented for Alpine Linux. Please
 contribute an implementation if you can.
 REQUIRED PARAMETERS
 -------------------
 socket
  A string specifying a socket to listen on for communication with the MTA. See
  `opendkim.conf(5)` for details on the syntax.
 OPTIONAL PARAMETERS
 -------------------
 basedir
  A directory to `chdir(2)` to before beginning operations.
 canonicalization
  Directives for message canonicalization. See `opendkim.conf(5)` for details
  on the syntax.
 subdomains
  Explicitely control whether subdomains should be signed as well. Expects a
  string containing 'Y', 'N', 'y', 'n', 'yes' or 'no'.
 umask
  Set the umask for the socket and PID file.
 userid
  Change the user the opendkim program is to run as. By default, Alpine Linux's
  OpenRC service will set this to `opendkim` on the command-line.
 custom-config
  The string following this parameter is appended as-is in the configuration, to
  enable more complex configurations.
 BOOLEAN PARAMETERS
 ------------------
 syslog
  Log to syslog.
 EXAMPLES
 --------
 .. code-block:: sh
    __opendkim \
        --socket inet:8891@localhost \
        --basedir /var/lib/opendkim \
        --canonicalization relaxed/simple \
        --subdomains no \
        --umask 002 \
        --syslog \
        --custom-config "Mode v"
    require='__opendkim' \
        __opendkim_genkey mykey \
                --domain example.com \
                --selector default \
                --sigkey example.com
 SEE ALSO
 --------
 `cdist-type__opendkim-genkey(7)`
 `opendkim(8)`
 `opendkim.conf(5)`
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 COPYING
 -------
 Copyright \(C) 2021 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__opendkim/manifest
+++ b/type/__opendkim/manifest
@ -0,0 +1,91 @@
 #!/bin/sh -e
 #
 # 2021 Joachim Desroches (joachim.desroches@epfl.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 os=$(cat "${__global:?}/explorer/os")
 case "$os" in
 'alpine')
 	:
 	;;
 *)
 	printf "__opendkim does not yet support %s.\n" "$os" >&2
 	printf "Please contribute an implementation if you can.\n" >&2
 	exit 1
 	;;
 esac
 __package opendkim
 # Required parameters
 SOCKET="$(cat "${__object:?}/parameter/socket")"
 export SOCKET
 # Optional parameters
 if [ -f "${__object:?}/parameter/basedir" ]; then
 	BASEDIR="$(cat "${__object:?}/parameter/basedir")"
 	export BASEDIR
 fi
 if [ -f "${__object:?}/parameter/canonicalization" ]; then
 	CANON="$(cat "${__object:?}/parameter/canonicalization")"
 	export CANON
 fi
 if [ -f "${__object:?}/parameter/subdomains" ]; then
 	SUBDOMAINS="$(cat "${__object:?}/parameter/subdomains")"
 	export SUBDOMAINS
 fi
 if [ -f "${__object:?}/parameter/umask" ]; then
 	UMASK="$(cat "${__object:?}/parameter/umask")"
 	export UMASK
 fi
 if [ -f "${__object:?}/parameter/userid" ]; then
 	USERID="$(cat "${__object:?}/parameter/userid")"
 	export USERID
 fi
 # Boolean parameters
 [ -f "${__object:?}/parameter/syslog" ] && export SYSLOG=yes
 # Generate and deploy configuration file.
 source_file="${__object:?}/files/opendkim.conf"
 target_file="/etc/opendkim/opendkim.conf"
 mkdir -p "${__object:?}/files"
 "${__type:?}/files/opendkim.conf.sh" >"$source_file"
 # Add user custom config
 if [ -f "${__object:?}/parameter/custom-config" ]; then
 	echo "# Custom user config" >>"$source_file"
 	cat "${__object:?}/parameter/custom-config" >>"$source_file"
 fi
 require="__package/opendkim" __file "$target_file" \
 	--source "$source_file" --mode 0644
 require="__package/opendkim" __start_on_boot opendkim
 require="__file${target_file}" \
 	__check_messages opendkim \
 		--pattern "^__file${target_file}" \
 		--execute "service opendkim restart"
--- a/type/__opendkim/parameter/boolean
+++ b/type/__opendkim/parameter/boolean
@ -0,0 +1 @@
 syslog
--- a/type/__opendkim/parameter/optional
+++ b/type/__opendkim/parameter/optional
@ -0,0 +1,6 @@
 basedir
 canonicalization
 subdomains
 umask
 userid
 custom-config
--- a/type/__opendkim/parameter/required
+++ b/type/__opendkim/parameter/required
@ -0,0 +1 @@
 socket
--- a/type/__opendkim/singleton
+++ b/type/__opendkim/singleton
--- a/type/__opendkim_genkey/gencode-remote
+++ b/type/__opendkim_genkey/gencode-remote
@ -0,0 +1,50 @@
 #!/bin/sh -e
 #
 # 2021 Joachim Desroches (joachim.desroches@epfl.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 # Required parameters
 DOMAIN="$(cat "${__object:?}/parameter/domain")"
 SELECTOR="$(cat "${__object:?}/parameter/selector")"
 # Optional parameters
 BITS=
 if [ -f "${__object:?}/parameter/bits" ]; then
 	BITS="-b $(cat "${__object:?}/parameter/bits")"
 fi
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ]; then
 	DIRECTORY="$(cat "${__object:?}/parameter/directory")"
 fi
 # Boolean parameters
 SUBDOMAINS=
 if [ -f "${__object:?}/parameter/no-subdomains" ]; then
 	SUBDOMAINS='--nosubdomains'
 fi
 RESTRICTED='--restrict'
 if [ -f "${__object:?}/parameters/unrestricted" ]; then
 	RESTRICTED=
 fi
 if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
 	echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
 	echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private"
 fi
--- a/type/__opendkim_genkey/man.rst
+++ b/type/__opendkim_genkey/man.rst
@ -0,0 +1,95 @@
 cdist-type__opendkim_genkey(7)
 ==============================
 NAME
 ----
 cdist-type__opendkim_genkey - Generate DKIM keys suitable for OpenDKIM
 DESCRIPTION
 -----------
 This type uses the `opendkim-genkey(8)` to generate signing keys suitable for
 usage by `opendkim(8)` to sign outgoing emails. Then, a line with the domain,
 selector and keyname in the `$selector._domainkey.$domain` format will be added
 to the OpenDKIM key table located at `/etc/opendkim/KeyTable`. Finally, a line
 will be added to the OpenDKIM signing table, using either the domain or the
 provided key for the `domain:selector:keyfile` value in the table. An existing
 key will not be overwritten.
 Currently, this type is only implemented for Alpine Linux. Please contribute an
 implementation if you can.
 REQUIRED PARAMETERS
 -------------------
 domain
  The domain to generate the key for.
 selector
  The DKIM selector to generate the key for.
 OPTIONAL PARAMETERS
 -------------------
 bits
  The size of the generated key, in bits. The default is 1024, the recommended
  by the DKIM standard.
 directory
  The directory in which to generate the key, `/var/db/dkim/` by default.
 sigkey
  The key used in the SigningTable for this signing key. Defaults to the
  specified domain. If `%`, OpenDKIM will replace it with the domain found
  in the `From:` header. See `opendkim.conf(5)` for more options.
 BOOLEAN PARAMETERS
 ------------------
 no-subdomains
  Disallows subdomain signing by this key.
 unrestricted
  Do not restrict this key to email signing usage.
 EXAMPLES
 --------
 .. code-block:: sh
    __opendkim \
        --socket inet:8891@localhost \
        --basedir /var/lib/opendkim \
        --canonicalization relaxed/simple \
        --subdomains no \
        --umask 002 \
        --syslog
    require='__opendkim' \
        __opendkim_genkey default \
                --domain example.com \
                --selector default
        __opendkim_genkey myfoo \
                --domain foo.com \
                --selector backup
 SEE ALSO
 --------
 `opendkim(8)`
 `opendkim-genkey(8)`
 `cdist-type__opendkim(7)`
 AUTHORS
 -------
 Joachim Desroches <joachim.desroches@epfl.ch>
 COPYING
 -------
 Copyright \(C) 2021 Joachim Desroches. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the
 License, or (at your option) any later version.
--- a/type/__opendkim_genkey/manifest
+++ b/type/__opendkim_genkey/manifest
@ -0,0 +1,66 @@
 #!/bin/sh -e
 #
 # 2021 Joachim Desroches (joachim.desroches@epfl.ch)
 #
 # This file is part of cdist.
 #
 # cdist is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # cdist is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 os=$(cat "${__global:?}/explorer/os")
 case "$os" in
 'alpine')
 	:
 ;;
 *)
 	cat <<- EOF >&2
 	__opendkim_genkey currently only supports Alpine Linux. Please
 	contribute an implementation for $os if you can.
 	EOF
 ;;
 esac
 SELECTOR="$(cat "${__object:?}/parameter/selector")"
 DOMAIN="$(cat "${__object:?}/parameter/domain")"
 DIRECTORY="/var/db/dkim/"
 if [ -f "${__object:?}/parameter/directory" ];
 then
 	DIRECTORY="$(cat "${__object:?}/parameter/directory")"
 fi
 SIGKEY="${DOMAIN:?}"
 if [ -f "${__object:?}/parameter/sigkey" ];
 then
 	SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
 fi
 __package opendkim-utils
 require='__package/opendkim-utils' \
 	__file /etc/opendkim/KeyTable
 require='__package/opendkim-utils' \
 	__file /etc/opendkim/SigningTable
 require='__file/etc/opendkim/KeyTable' \
 	__line "line-key-${__object_id:?}" \
 		--file /etc/opendkim/KeyTable \
 		--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
 require='__file/etc/opendkim/SigningTable' \
 	__line "line-sig-${__object_id:?}" \
 		--file /etc/opendkim/SigningTable \
 		--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
--- a/type/__opendkim_genkey/parameter/optional
+++ b/type/__opendkim_genkey/parameter/optional
@ -0,0 +1,4 @@
 bits
 directory
 unrestricted
 sigkey
--- a/type/__opendkim_genkey/parameter/required
+++ b/type/__opendkim_genkey/parameter/required
@ -0,0 +1,2 @@
 domain
 selector