ungleich-public/cdist-contrib
ungleich-public/cdist-contrib
8
2
Fork 3
Code Issues 2 Pull requests 3 Projects Releases Wiki Activity

Compare commits

base: ungleich-public:422b97bc1b310c8f3515f3911794d2d674eb964a
Branches Tags
ungleich-public:master
ungleich-public:opendkim-debian
ungleich-public:kjg_passwordconfig
ungleich-public:synapse-upstream-apt-repository
ungleich-public:haproxy-dualstack
ungleich-public:synapse-upstream-repository
ungleich-public:root-mail-dma
...
compare: ungleich-public:ac03f05766f2ef12b893918b6d206b281d32e263
Branches Tags
ungleich-public:master
ungleich-public:opendkim-debian
ungleich-public:kjg_passwordconfig
ungleich-public:synapse-upstream-apt-repository
ungleich-public:haproxy-dualstack
ungleich-public:synapse-upstream-repository
ungleich-public:root-mail-dma

2 commits
422b97bc1b ... ac03f05766

Author SHA1 Message Date
Evilham
ac03f05766 [__jitsi_meet] Fix bug with secured domains 
This is a leftover from when we were using __line instead of __block.

Closes #15

Reported by:  @pedro
 2022-03-10 21:20:52 +01:00
Evilham
ecd10de2d3
[__opendkim*] FreeBSD support and minor fixes 
While adding FreeBSD support to the type I noticed various issues:

- We were making sure that the KeyTable and SigningTable were created in
  __opendkim_genkey, but that was being done with the default cdist permissions
  (0400) which could result in issues when reloading the service after privilege
  drop.
  This is addressed by checking that it exists/creating it in __opendkim (just
  once, not once per __opendkim_genkey call) with laxer permissions (0444).
- In __opendkim, the service was being started after the config file was
  installed. This is insufficient as OpenDKIM will refuse to start with the
  generated config if either SigningTable or KeyTable do not exist yet.
- __opendkim_genkey had the implicit assumption that the --directory parameter
  always ended in a slash. This was not documented and error-prone; we are now
  a bit laxer and add the trailing slash if it is missing.
- __opendkim_genkey was not changing permissions for the resulting .txt file.
  This was not critical for it to function, but it was inconsistent.
- As documented in #17, __opendkim allows for a --userid parameter that might
  cause issues with keys generated by __opendkim_genkey.
  This issue has not been addressed yet, but I recommend deprecating the
  --userid parameter.
 2022-03-10 20:08:51 +01:00
7 changed files with 80 additions and 31 deletions
Show stats Expand all files Collapse all files

2
type/__jitsi_meet/manifest
View file

@ -153,7 +153,7 @@ EOF
if [ -f "${__object}/parameter/secured-domains" ]; then if [ -f "${__object}/parameter/secured-domains" ]; then
SECURED_DOMAINS_STATE='present' SECURED_DOMAINS_STATE='present'
SECURED_DOMAINS_STATE_JICOFO='replace' SECURED_DOMAINS_STATE_JICOFO='present'
else else
SECURED_DOMAINS_STATE='absent' SECURED_DOMAINS_STATE='absent'
SECURED_DOMAINS_STATE_JICOFO='absent' SECURED_DOMAINS_STATE_JICOFO='absent'

5
type/__opendkim/files/opendkim.conf.sh
View file

@ -1,6 +1,7 @@
#!/bin/sh -e #!/bin/sh -e
# Generate an opendkim.conf(5) file for opendkim(8). # Generate an opendkim.conf(5) file for opendkim(8).
echo "# Managed remotely, manual changes will be lost."
# Optional chdir(2) # Optional chdir(2)
if [ "$BASEDIR" ]; if [ "$BASEDIR" ];
@ -33,8 +34,8 @@ then
fi fi
# Key and Domain tables # Key and Domain tables
echo 'KeyTable /etc/opendkim/KeyTable' echo "KeyTable ${CFG_DIR}/KeyTable"
echo 'SigningTable /etc/opendkim/SigningTable' echo "SigningTable ${CFG_DIR}/SigningTable"
# Required socket to listen on # Required socket to listen on
printf "Socket %s\n" "${SOCKET:?}" printf "Socket %s\n" "${SOCKET:?}"

12
type/__opendkim/man.rst
View file

@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM.
Note that this type does not generate or ensure that a key is present: use Note that this type does not generate or ensure that a key is present: use
`cdist-type__opendkim-genkey(7)` for that. `cdist-type__opendkim-genkey(7)` for that.
Note that this type is currently only implemented for Alpine Linux. Please Note that this type is currently only implemented for Alpine Linux and FreeBSD.
contribute an implementation if you can. Please contribute an implementation if you can.
REQUIRED PARAMETERS REQUIRED PARAMETERS
@ -42,8 +42,9 @@ umask
Set the umask for the socket and PID file. Set the umask for the socket and PID file.
userid userid
Change the user the opendkim program is to run as. By default, Alpine Linux's Change the user the opendkim program is to run as.
OpenRC service will set this to `opendkim` on the command-line. By default, Alpine Linux's OpenRC service will set this to `opendkim` on the
command-line and FreeBSD's rc will set it to `mailnull`.
custom-config custom-config
The string following this parameter is appended as-is in the configuration, to The string following this parameter is appended as-is in the configuration, to
@ -86,11 +87,12 @@ SEE ALSO
AUTHORS AUTHORS
------- -------
Joachim Desroches <joachim.desroches@epfl.ch> Joachim Desroches <joachim.desroches@epfl.ch>
Evilham <contact@evilham.com>
COPYING COPYING
------- -------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
and/or modify it under the terms of the GNU General Public License as and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version. License, or (at your option) any later version.

28
type/__opendkim/manifest
View file

@ -20,16 +20,23 @@
os=$(cat "${__global:?}/explorer/os") os=$(cat "${__global:?}/explorer/os")
CFG_DIR="/etc/opendkim"
service="opendkim"
case "$os" in case "$os" in
'alpine') 'alpine')
: :
;; ;;
'freebsd')
CFG_DIR="/usr/local/etc/mail"
service="milter-opendkim"
;;
*) *)
printf "__opendkim does not yet support %s.\n" "$os" >&2 printf "__opendkim does not yet support %s.\n" "$os" >&2
printf "Please contribute an implementation if you can.\n" >&2 printf "Please contribute an implementation if you can.\n" >&2
exit 1 exit 1
;; ;;
esac esac
export CFG_DIR
__package opendkim __package opendkim
@ -68,7 +75,7 @@ fi
# Generate and deploy configuration file. # Generate and deploy configuration file.
source_file="${__object:?}/files/opendkim.conf" source_file="${__object:?}/files/opendkim.conf"
target_file="/etc/opendkim/opendkim.conf" target_file="${CFG_DIR}/opendkim.conf"
mkdir -p "${__object:?}/files" mkdir -p "${__object:?}/files"
@ -83,9 +90,22 @@ fi
require="__package/opendkim" __file "$target_file" \ require="__package/opendkim" __file "$target_file" \
--source "$source_file" --mode 0644 --source "$source_file" --mode 0644
require="__package/opendkim" __start_on_boot opendkim require="__package/opendkim" __start_on_boot "${service}"
require="__file${target_file}" \ # Ensure Key and Signing tables exist and have proper permissions
key_table="${CFG_DIR}/KeyTable"
signing_table="${CFG_DIR}/SigningTable"
require="__package/opendkim" \
__file "${key_table}" \
--mode 444
require="__package/opendkim" \
__file "${signing_table}" \
--mode 444
require="__file${target_file} __file${key_table}
__file${signing_table} __start_on_boot/${service}" \
__check_messages opendkim \ __check_messages opendkim \
--pattern "^__file${target_file}" \ --pattern "^__file${target_file}" \
--execute "service opendkim restart" --execute "service ${service} restart"

10
type/__opendkim_genkey/gencode-remote
View file

@ -30,7 +30,8 @@ fi
DIRECTORY="/var/db/dkim/" DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ]; then if [ -f "${__object:?}/parameter/directory" ]; then
DIRECTORY="$(cat "${__object:?}/parameter/directory")" # Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi fi
# Boolean parameters # Boolean parameters
@ -44,7 +45,12 @@ if [ -f "${__object:?}/parameters/unrestricted" ]; then
RESTRICTED= RESTRICTED=
fi fi
user="$(cat "${__object:?}/user")"
group="$(cat "${__object:?}/group")"
if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then
echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS" echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS"
echo "chown opendkim:opendkim ${DIRECTORY}${SELECTOR}.private" echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private"
# This is usually generated, if it weren't we do not want to fail
echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true"
fi fi

7
type/__opendkim_genkey/man.rst
View file

@ -17,8 +17,8 @@ will be added to the OpenDKIM signing table, using either the domain or the
provided key for the `domain:selector:keyfile` value in the table. An existing provided key for the `domain:selector:keyfile` value in the table. An existing
key will not be overwritten. key will not be overwritten.
Currently, this type is only implemented for Alpine Linux. Please contribute an Currently, this type is only implemented for Alpine Linux and FreeBSD.
implementation if you can. Please contribute an implementation if you can.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------
@ -85,11 +85,12 @@ SEE ALSO
AUTHORS AUTHORS
------- -------
Joachim Desroches <joachim.desroches@epfl.ch> Joachim Desroches <joachim.desroches@epfl.ch>
Evilham <contact@evilham.com>
COPYING COPYING
------- -------
Copyright \(C) 2021 Joachim Desroches. You can redistribute it Copyright \(C) 2022 Joachim Desroches, Evilham. You can redistribute it
and/or modify it under the terms of the GNU General Public License as and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version. License, or (at your option) any later version.

47
type/__opendkim_genkey/manifest
View file

@ -21,10 +21,18 @@
os=$(cat "${__global:?}/explorer/os") os=$(cat "${__global:?}/explorer/os")
CFG_DIR="/etc/opendkim"
user="opendkim"
group="opendkim"
case "$os" in case "$os" in
'alpine') 'alpine')
: :
;; ;;
'freebsd')
CFG_DIR="/usr/local/etc/mail"
user="mailnull"
group="mailnull"
;;
*) *)
cat <<- EOF >&2 cat <<- EOF >&2
__opendkim_genkey currently only supports Alpine Linux. Please __opendkim_genkey currently only supports Alpine Linux. Please
@ -32,6 +40,9 @@ case "$os" in
EOF EOF
;; ;;
esac esac
# Persist user and group for gencode-remote
printf '%s' "${user}" > "${__object:?}/user"
printf '%s' "${group}" > "${__object:?}/group"
SELECTOR="$(cat "${__object:?}/parameter/selector")" SELECTOR="$(cat "${__object:?}/parameter/selector")"
DOMAIN="$(cat "${__object:?}/parameter/domain")" DOMAIN="$(cat "${__object:?}/parameter/domain")"
@ -39,7 +50,8 @@ DOMAIN="$(cat "${__object:?}/parameter/domain")"
DIRECTORY="/var/db/dkim/" DIRECTORY="/var/db/dkim/"
if [ -f "${__object:?}/parameter/directory" ]; if [ -f "${__object:?}/parameter/directory" ];
then then
DIRECTORY="$(cat "${__object:?}/parameter/directory")" # Be forgiving about a lack of trailing slash
DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")"
fi fi
SIGKEY="${DOMAIN:?}" SIGKEY="${DOMAIN:?}"
@ -48,19 +60,26 @@ then
SIGKEY="$(cat "${__object:?}/parameter/sigkey")" SIGKEY="$(cat "${__object:?}/parameter/sigkey")"
fi fi
__package opendkim-utils # Ensure the key-container directory exists with the proper permissions
__directory "${DIRECTORY}" \
--mode 0750 \
--owner "${user}" --group "${group}"
require='__package/opendkim-utils' \ # OS-specific code
__file /etc/opendkim/KeyTable case "$os" in
require='__package/opendkim-utils' \ 'alpine')
__file /etc/opendkim/SigningTable # This is needed for opendkim-genkey
__package opendkim-utils
;;
esac
require='__file/etc/opendkim/KeyTable' \ key_table="${CFG_DIR}/KeyTable"
__line "line-key-${__object_id:?}" \ signing_table="${CFG_DIR}/SigningTable"
--file /etc/opendkim/KeyTable \
--line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
require='__file/etc/opendkim/SigningTable' \ __line "line-key-${__object_id:?}" \
__line "line-sig-${__object_id:?}" \ --file "${key_table}" \
--file /etc/opendkim/SigningTable \ --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private"
--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"
__line "line-sig-${__object_id:?}" \
--file "${signing_table}" \
--line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}"