cdist-contrib/type/__opendkim/manifest
evilham ecd10de2d3
[__opendkim*] FreeBSD support and minor fixes
While adding FreeBSD support to the type I noticed various issues:

- We were making sure that the KeyTable and SigningTable were created in
  __opendkim_genkey, but that was being done with the default cdist permissions
  (0400) which could result in issues when reloading the service after privilege
  drop.
  This is addressed by checking that it exists/creating it in __opendkim (just
  once, not once per __opendkim_genkey call) with laxer permissions (0444).
- In __opendkim, the service was being started after the config file was
  installed. This is insufficient as OpenDKIM will refuse to start with the
  generated config if either SigningTable or KeyTable do not exist yet.
- __opendkim_genkey had the implicit assumption that the --directory parameter
  always ended in a slash. This was not documented and error-prone; we are now
  a bit laxer and add the trailing slash if it is missing.
- __opendkim_genkey was not changing permissions for the resulting .txt file.
  This was not critical for it to function, but it was inconsistent.
- As documented in #17, __opendkim allows for a --userid parameter that might
  cause issues with keys generated by __opendkim_genkey.
  This issue has not been addressed yet, but I recommend deprecating the
  --userid parameter.
2022-03-10 20:08:51 +01:00

112 lines
2.9 KiB
Bash
Executable file

#!/bin/sh -e
#
# 2021 Joachim Desroches (joachim.desroches@epfl.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
CFG_DIR="/etc/opendkim"
service="opendkim"
case "$os" in
'alpine')
:
;;
'freebsd')
CFG_DIR="/usr/local/etc/mail"
service="milter-opendkim"
;;
*)
printf "__opendkim does not yet support %s.\n" "$os" >&2
printf "Please contribute an implementation if you can.\n" >&2
exit 1
;;
esac
export CFG_DIR
__package opendkim
# Required parameters
SOCKET="$(cat "${__object:?}/parameter/socket")"
export SOCKET
# Optional parameters
if [ -f "${__object:?}/parameter/basedir" ]; then
BASEDIR="$(cat "${__object:?}/parameter/basedir")"
export BASEDIR
fi
if [ -f "${__object:?}/parameter/canonicalization" ]; then
CANON="$(cat "${__object:?}/parameter/canonicalization")"
export CANON
fi
if [ -f "${__object:?}/parameter/subdomains" ]; then
SUBDOMAINS="$(cat "${__object:?}/parameter/subdomains")"
export SUBDOMAINS
fi
if [ -f "${__object:?}/parameter/umask" ]; then
UMASK="$(cat "${__object:?}/parameter/umask")"
export UMASK
fi
if [ -f "${__object:?}/parameter/userid" ]; then
USERID="$(cat "${__object:?}/parameter/userid")"
export USERID
fi
# Boolean parameters
[ -f "${__object:?}/parameter/syslog" ] && export SYSLOG=yes
# Generate and deploy configuration file.
source_file="${__object:?}/files/opendkim.conf"
target_file="${CFG_DIR}/opendkim.conf"
mkdir -p "${__object:?}/files"
"${__type:?}/files/opendkim.conf.sh" >"$source_file"
# Add user custom config
if [ -f "${__object:?}/parameter/custom-config" ]; then
echo "# Custom user config" >>"$source_file"
cat "${__object:?}/parameter/custom-config" >>"$source_file"
fi
require="__package/opendkim" __file "$target_file" \
--source "$source_file" --mode 0644
require="__package/opendkim" __start_on_boot "${service}"
# Ensure Key and Signing tables exist and have proper permissions
key_table="${CFG_DIR}/KeyTable"
signing_table="${CFG_DIR}/SigningTable"
require="__package/opendkim" \
__file "${key_table}" \
--mode 444
require="__package/opendkim" \
__file "${signing_table}" \
--mode 444
require="__file${target_file} __file${key_table}
__file${signing_table} __start_on_boot/${service}" \
__check_messages opendkim \
--pattern "^__file${target_file}" \
--execute "service ${service} restart"