From d2669ee230255857edcb3a73250c55e15bd9ff18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 26 Mar 2024 16:39:12 +0100 Subject: [PATCH 1/7] [__opendkim*] add debian support --- type/__opendkim/files/opendkim.conf.sh | 16 +++++++++++ type/__opendkim/man.rst | 4 +-- type/__opendkim/manifest | 9 +++++- type/__opendkim_genkey/gencode-remote | 38 +++++++++++++++++++------- type/__opendkim_genkey/man.rst | 2 +- type/__opendkim_genkey/manifest | 22 +++++++++------ 6 files changed, 69 insertions(+), 22 deletions(-) diff --git a/type/__opendkim/files/opendkim.conf.sh b/type/__opendkim/files/opendkim.conf.sh index 468b262..52e51a5 100755 --- a/type/__opendkim/files/opendkim.conf.sh +++ b/type/__opendkim/files/opendkim.conf.sh @@ -3,6 +3,9 @@ echo "# Managed remotely, manual changes will be lost." +# Used for OS-specific configuration. +os=$(cat "${__global:?}/explorer/os") + # Optional chdir(2) if [ "$BASEDIR" ]; then @@ -63,3 +66,16 @@ if [ "$USERID" ]; then printf "UserID %s\n" "$USERID" fi + +if [ "$os" = "debian" ]; then + cat <<- EOF + # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when + # using a local socket with MTAs that access the socket as a non-privileged + # user (for example, Postfix). You may need to add user "postfix" to group + # "opendkim" in that case. + UserID opendkim + UMask 007 + + PidFile /run/opendkim/opendkim.pid + EOF +fi diff --git a/type/__opendkim/man.rst b/type/__opendkim/man.rst index e3f3e7a..d800068 100644 --- a/type/__opendkim/man.rst +++ b/type/__opendkim/man.rst 
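Review bot: The Debian block appended at the end emits `UserID opendkim` and `UMask 007` unconditionally, but a few lines earlier the same script already emits `UserID %s` whenever `$USERID` is set (and the type's man page lists a `--umask` parameter), so a caller using either ends up with two conflicting directives in opendkim.conf and whichever one opendkim applies last wins silently. Guard the defaults on the parameter being absent, e.g. `[ -z "$USERID" ] && printf 'UserID opendkim\n'` and `[ -z "$UMASK" ] && printf 'UMask 007\n'`, or pre-seed those variables with the Debian defaults before the generic emission; the `$UMASK` name is an assumption, since the umask emission is outside this hunk. Worth a short comment as well that `UMask 007` deliberately makes the socket group-writable, so every member of group opendkim can talk to the milter, not only the MTA.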
@@ -14,8 +14,8 @@ installation and basic configuration of an instance of OpenDKIM. Note that this type does not generate or ensure that a key is present: use `cdist-type__opendkim-genkey(7)` for that. -Note that this type is currently only implemented for Alpine Linux and FreeBSD. -Please contribute an implementation if you can. +Note that this type is currently only implemented for Debian, Alpine Linux and +FreeBSD. Please contribute an implementation if you can. REQUIRED PARAMETERS diff --git a/type/__opendkim/manifest b/type/__opendkim/manifest index dbd9fc0..42bb96e 100755 --- a/type/__opendkim/manifest +++ b/type/__opendkim/manifest @@ -21,13 +21,20 @@ os=$(cat "${__global:?}/explorer/os") CFG_DIR="/etc/opendkim" +CFG_FILE="$CFG_DIR/opendkim.conf" service="opendkim" case "$os" in 'alpine') : ;; +'debian') + CFG_DIR="/etc/dkimkeys" + CFG_FILE="/etc/opendkim.conf" + ;; 'freebsd') CFG_DIR="/usr/local/etc/mail" + CFG_FILE="$CFG_DIR/opendkim.conf" + service="milter-opendkim" ;; *) @@ -75,7 +82,7 @@ fi # Generate and deploy configuration file. source_file="${__object:?}/files/opendkim.conf" -target_file="${CFG_DIR}/opendkim.conf" +target_file="${CFG_FILE}" mkdir -p "${__object:?}/files" diff --git a/type/__opendkim_genkey/gencode-remote b/type/__opendkim_genkey/gencode-remote index d8dfb4d..6cfbb3a 100755 --- a/type/__opendkim_genkey/gencode-remote +++ b/type/__opendkim_genkey/gencode-remote 
@@ -18,6 +18,30 @@ # along with cdist. If not, see . # +os=$(cat "${__global:?}/explorer/os") + + +case "$os" in +'debian') + KEYS_DIR="/etc/dkimkeys/" +;; +'freebsd'|'alpine') + KEYS_DIR="/var/db/dkim/" +;; +*) + cat <<- EOF >&2 + __opendkim_genkey does not support $os (yet). Exiting. + EOF + exit 1 +;; +esac + +if [ -f "${__object:?}/parameter/directory" ]; +then + # Be forgiving about a lack of trailing slash + KEYS_DIR="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" +fi + # Required parameters DOMAIN="$(cat "${__object:?}/parameter/domain")" SELECTOR="$(cat "${__object:?}/parameter/selector")" @@ -28,12 +52,6 @@ if [ -f "${__object:?}/parameter/bits" ]; then BITS="-b $(cat "${__object:?}/parameter/bits")" fi -DIRECTORY="/var/db/dkim/" -if [ -f "${__object:?}/parameter/directory" ]; then - # Be forgiving about a lack of trailing slash - DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" -fi - # Boolean parameters SUBDOMAINS= if [ -f "${__object:?}/parameter/no-subdomains" ]; then @@ -48,9 +66,9 @@ fi user="$(cat "${__object:?}/user")" group="$(cat "${__object:?}/group")" -if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then - echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS" - echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private" +if ! [ -f "${KEYS_DIR}${SELECTOR}.private" ]; then + echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$KEYS_DIR $RESTRICTED --selector=$SELECTOR $SUBDOMAINS" + echo "chown ${user}:${group} ${KEYS_DIR}${SELECTOR}.private" # This is usually generated, if it weren't we do not want to fail - echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true" + echo "chown ${user}:${group} ${KEYS_DIR}${SELECTOR}.txt || true" fi diff --git a/type/__opendkim_genkey/man.rst b/type/__opendkim_genkey/man.rst index b3fd013..3251ec1 100644 --- a/type/__opendkim_genkey/man.rst +++ b/type/__opendkim_genkey/man.rst 
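Review bot: The new `case "$os"` table and the trailing-slash `sed` in this script duplicate what the manifest computes, and the manifest already persists `user` and `group` into `${__object}/` for exactly this purpose, so the key directory should be handed over the same way instead of being kept in sync by hand across two files. Persist it with `printf '%s' "${KEYS_DIR}" > "${__object:?}/keys_dir"` in the manifest and read `KEYS_DIR="$(cat "${__object:?}/keys_dir")"` here; that also removes the second `*)` exit, which cannot be reached once the manifest has already rejected the OS. A smaller point: `$KEYS_DIR` may come from an operator-supplied `--directory` and is interpolated unquoted into the generated `opendkim-genkey ... --directory=$KEYS_DIR` line, so a path containing whitespace splits into extra arguments on the target; emit it as `--directory='$KEYS_DIR'`.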
@@ -17,7 +17,7 @@ will be added to the OpenDKIM signing table, using either the domain or the provided key for the `domain:selector:keyfile` value in the table. An existing key will not be overwritten. -Currently, this type is only implemented for Alpine Linux and FreeBSD. +Currently, this type is only implemented for Debian, Alpine Linux and FreeBSD. Please contribute an implementation if you can. REQUIRED PARAMETERS diff --git a/type/__opendkim_genkey/manifest b/type/__opendkim_genkey/manifest index 50dcee5..289e7fe 100755 --- a/type/__opendkim_genkey/manifest +++ b/type/__opendkim_genkey/manifest @@ -21,13 +21,18 @@ os=$(cat "${__global:?}/explorer/os") -CFG_DIR="/etc/opendkim" +CFG_DIR="/etc/opendkim/" +KEYS_DIR="/var/db/dkim/" user="opendkim" group="opendkim" case "$os" in 'alpine') : ;; +'debian') + CFG_DIR="/etc/dkimkeys/" + KEYS_DIR="/etc/dkimkeys/" +;; 'freebsd') CFG_DIR="/usr/local/etc/mail" user="mailnull" @@ -35,9 +40,9 @@ case "$os" in ;; *) cat <<- EOF >&2 - __opendkim_genkey currently only supports Alpine Linux. Please - contribute an implementation for $os if you can. + __opendkim_genkey does not support $os (yet). Exiting. EOF + exit 1 ;; esac # Persist user and group for gencode-remote @@ -47,11 +52,10 @@ printf '%s' "${group}" > "${__object:?}/group" SELECTOR="$(cat "${__object:?}/parameter/selector")" DOMAIN="$(cat "${__object:?}/parameter/domain")" -DIRECTORY="/var/db/dkim/" if [ -f "${__object:?}/parameter/directory" ]; then # Be forgiving about a lack of trailing slash - DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" + KEYS_DIR="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" fi SIGKEY="${DOMAIN:?}" 
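Review bot: `CFG_DIR` gains a trailing slash for the Alpine default and the new Debian branch (`/etc/opendkim/`, `/etc/dkimkeys/`) but not for FreeBSD, and it is later joined as `"${CFG_DIR}/KeyTable"`, which yields `/etc/opendkim//KeyTable` as the `__line --file` target on two of the three platforms. Only `KEYS_DIR` is concatenated directly with the selector and needs the slash; keep `CFG_DIR` slash-less (`CFG_DIR="/etc/opendkim"`, `CFG_DIR="/etc/dkimkeys"`) so the paths stay canonical and match the slash-less `/etc/dkimkeys` the sibling `__opendkim` manifest uses for Debian. On Debian this choice also parks KeyTable and SigningTable inside the private-key directory that this type later locks down to 0750 owned by opendkim; that matches Debian's default layout as far as I know, but a comment saying it is deliberate would stop someone relaxing that mode later to make the tables readable.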
@@ -61,16 +65,18 @@ then fi # Ensure the key-container directory exists with the proper permissions -__directory "${DIRECTORY}" \ +__directory "${KEYS_DIR}" \ --mode 0750 \ --owner "${user}" --group "${group}" # OS-specific code case "$os" in 'alpine') - # This is needed for opendkim-genkey __package opendkim-utils ;; +'debian') + __package opendkim-tools +;; esac key_table="${CFG_DIR}/KeyTable" @@ -78,7 +84,7 @@ signing_table="${CFG_DIR}/SigningTable" __line "line-key-${__object_id:?}" \ --file "${key_table}" \ - --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private" + --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${KEYS_DIR:?}${SELECTOR:?}.private" __line "line-sig-${__object_id:?}" \ --file "${signing_table}" \ -- 2.45.2 From 3bc9a9ff4a80a91d6ba6ee0eb6d4586ce1568ec9 Mon Sep 17 00:00:00 2001 
From: Joachim Desroches Date: Tue, 22 Mar 2022 16:24:00 +0100 Subject: [PATCH 2/7] __php_fpm{,_pool}: initial implementation. --- type/__php_fpm/files/php.ini.sh | 45 +++++++++++ type/__php_fpm/man.rst | 75 ++++++++++++++++++ type/__php_fpm/manifest | 47 +++++++++++ type/__php_fpm/parameter/boolean | 2 + type/__php_fpm/parameter/default/memory-limit | 1 + .../parameter/default/upload-max-filesize | 1 + type/__php_fpm/parameter/optional | 2 + type/__php_fpm/parameter/required | 1 + type/__php_fpm/singleton | 0 type/__php_fpm_pool/files/www.conf.sh | 34 ++++++++ type/__php_fpm_pool/man.rst | 79 +++++++++++++++++++ type/__php_fpm_pool/manifest | 37 +++++++++ type/__php_fpm_pool/parameter/optional | 2 + type/__php_fpm_pool/parameter/required | 5 ++ 14 files changed, 331 insertions(+) create mode 100755 type/__php_fpm/files/php.ini.sh create mode 100644 type/__php_fpm/man.rst create mode 100644 type/__php_fpm/manifest create mode 100644 type/__php_fpm/parameter/boolean create mode 100644 type/__php_fpm/parameter/default/memory-limit create mode 100644 type/__php_fpm/parameter/default/upload-max-filesize create mode 100644 type/__php_fpm/parameter/optional create mode 100644 type/__php_fpm/parameter/required create mode 100644 type/__php_fpm/singleton create mode 100755 type/__php_fpm_pool/files/www.conf.sh create mode 100644 type/__php_fpm_pool/man.rst create mode 100644 type/__php_fpm_pool/manifest create mode 100644 type/__php_fpm_pool/parameter/optional create mode 100644 type/__php_fpm_pool/parameter/required diff --git a/type/__php_fpm/files/php.ini.sh b/type/__php_fpm/files/php.ini.sh new file mode 100755 index 0000000..8fbc4ac --- /dev/null +++ b/type/__php_fpm/files/php.ini.sh 
@@ -0,0 +1,45 @@ +#!/bin/sh + +cat < + + +COPYING +------- +Copyright \(C) 2022 Joachim Desroches. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/type/__php_fpm/manifest b/type/__php_fpm/manifest new file mode 100644 index 0000000..84c4383 --- /dev/null +++ b/type/__php_fpm/manifest @@ -0,0 +1,47 @@ +#!/bin/sh + +os=$(cat "${__global:?}/explorer/os") + +PHPVER=$(cat "${__object:?}/parameter/php-version") +export PHPVER + +case "$os" in +'alpine') + package="php${PHPVER}-fpm" + service="php-fpm${PHPVER}" + opcache_package="php${PHPVER}-opcache" + apcu_package="php${PHPVER}-pecl-apcu" + ;; + +*) + printf "Your operating system is currently not supported by this type\n" >&2 + printf "Please contribute an implementation for it if you can.\n" >&2 + exit 1 + ;; +esac + +__package "$package" +require="__package/$package" __start_on_boot "$service" + +if [ -f "${__object:?}/parameter/enable-opcache" ]; then + __package "$opcache_package" +fi + +if [ -f "${__object:?}/parameter/enable-apcu" ]; then + __package "$apcu_package" +fi + +MEMORY_LIMIT=$(cat "${__object:?}/parameter/memory-limit") +export MEMORY_LIMIT + +UPLOAD_MAX_FILESIZE=$(cat "${__object:?}/parameter/upload-max-filesize") +export UPLOAD_MAX_FILESIZE + +mkdir -p "${__object:?}/files" +"${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini" + +require="__package/$package" __file "/etc/php${PHPVER}/php.ini" \ + --mode 644 --source "${__object:?}/files/php.ini" \ + --onchange "service $service restart" + +require="__file/etc/php${PHPVER}/php.ini" __service "$service" --action start diff --git a/type/__php_fpm/parameter/boolean b/type/__php_fpm/parameter/boolean new file mode 100644 index 0000000..9964486 --- /dev/null +++ b/type/__php_fpm/parameter/boolean @@ -0,0 +1,2 @@ +enable-opcache +enable-apcu 
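Review bot: `PHPVER` is read from the `php-version` parameter and spliced, unvalidated, into the package name, the service name, the `/etc/php${PHPVER}/php.ini` path and the `--onchange "service $service restart"` string that is executed as shell on the target, so a stray value such as `8.1 foo` or `../x` yields a mangled path or an extra remote command instead of a clear error. Reject anything but digits and dots right after the parameter is read: `printf '%s' "$PHPVER" | grep -qE '^[0-9]+(\.[0-9]+)*$' || { echo "invalid php-version: $PHPVER" >&2; exit 1; }`. The opcache/apcu `__package` objects also carry no `require` relative to the service and no `--onchange`, so when they are installed after FPM has already been started the extensions are presumably not loaded until the next restart; that ordering is decided by cdist outside this hunk, so treat it as something to confirm.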
diff --git a/type/__php_fpm/parameter/default/memory-limit b/type/__php_fpm/parameter/default/memory-limit new file mode 100644 index 0000000..d95fe12 --- /dev/null +++ b/type/__php_fpm/parameter/default/memory-limit @@ -0,0 +1 @@ +512M diff --git a/type/__php_fpm/parameter/default/upload-max-filesize b/type/__php_fpm/parameter/default/upload-max-filesize new file mode 100644 index 0000000..5fbcf1c --- /dev/null +++ b/type/__php_fpm/parameter/default/upload-max-filesize @@ -0,0 +1 @@ +2M diff --git a/type/__php_fpm/parameter/optional b/type/__php_fpm/parameter/optional new file mode 100644 index 0000000..a41a87c --- /dev/null +++ b/type/__php_fpm/parameter/optional @@ -0,0 +1,2 @@ +upload-max-filesize +memory-limit diff --git a/type/__php_fpm/parameter/required b/type/__php_fpm/parameter/required new file mode 100644 index 0000000..173609d --- /dev/null +++ b/type/__php_fpm/parameter/required @@ -0,0 +1 @@ +php-version diff --git a/type/__php_fpm/singleton b/type/__php_fpm/singleton new file mode 100644 index 0000000..e69de29 diff --git a/type/__php_fpm_pool/files/www.conf.sh b/type/__php_fpm_pool/files/www.conf.sh new file mode 100755 index 0000000..aa8fa7c --- /dev/null +++ b/type/__php_fpm_pool/files/www.conf.sh @@ -0,0 +1,34 @@ +#!/bin/sh + +cat < + + +COPYING +------- +Copyright \(C) 2022 Joachim Desroches. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/type/__php_fpm_pool/manifest b/type/__php_fpm_pool/manifest new file mode 100644 index 0000000..b090c9d --- /dev/null +++ b/type/__php_fpm_pool/manifest 
@@ -0,0 +1,37 @@ +#!/bin/sh + +# XXX: this type does not configure or install php-fpm: it expects the +# __recycledcloud_php_fpm type to be used first before pools are configured. + +os=$(cat "${__global:?}/explorer/os") +name=${__object_id:?} + +PHPVER=$(cat "${__object:?}/parameter/php-version") +export PHPVER + +case "$os" in +'alpine') + service="php-fpm${PHPVER}" + : + ;; + +*) + printf "Your operating system is currently not supported by this type\n" >&2 + printf "Please contribute an implementation for it if you can.\n" >&2 + exit 1 + ;; +esac + +POOL_NAME="$name" +POOL_USER=$(cat "${__object:?}/parameter/pool-user") +POOL_GROUP=$(cat "${__object:?}/parameter/pool-group") +POOL_LISTEN_ADDR=$(cat "${__object:?}/parameter/pool-listen-addr") +POOL_LISTEN_OWNER=$(cat "${__object:?}/parameter/pool-listen-owner") +export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME + +mkdir -p "${__object:?}/files" +"${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf" + +__file "/etc/php${PHPVER:?}/php-fpm.d/${name}.conf" \ + --mode 644 --source "${__object:?}/files/www.conf" \ + --onchange "service $service reload" diff --git a/type/__php_fpm_pool/parameter/optional b/type/__php_fpm_pool/parameter/optional new file mode 100644 index 0000000..7adc0a3 --- /dev/null +++ b/type/__php_fpm_pool/parameter/optional @@ -0,0 +1,2 @@ +memory-limit +open-basedir diff --git a/type/__php_fpm_pool/parameter/required b/type/__php_fpm_pool/parameter/required new file mode 100644 index 0000000..d247290 --- /dev/null +++ b/type/__php_fpm_pool/parameter/required @@ -0,0 +1,5 @@ +php-version +pool-user +pool-group +pool-listen-addr +pool-listen-owner -- 2.45.2 From f2850de5eba95c42e2d887b150f75ccdbb096d93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Wed, 15 May 2024 12:16:08 +0200 Subject: [PATCH 3/7] [__php_fpm_pool] remove mention to recycledcloud / e-Durable SA --- type/__php_fpm_pool/manifest | 3 --- 1 file changed, 3 deletions(-) 
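Review bot: `memory-limit` and `open-basedir` are declared in `parameter/optional` but the manifest never reads or exports them — only `POOL_USER`, `POOL_GROUP`, `POOL_LISTEN_ADDR`, `POOL_LISTEN_OWNER` and `POOL_NAME` reach `www.conf.sh` — so a caller who passes `--open-basedir` to confine a pool gets a pool with no confinement and no warning. Either wire them through (`OPEN_BASEDIR=$(cat "${__object:?}/parameter/open-basedir" 2>/dev/null)` plus `export`, with the template emitting `php_admin_value[open_basedir]`) or drop them from `parameter/optional` until supported; the template body is mangled in this rendering, so if it reads `${__object}/parameter` directly the first point is moot. Separately, `name=${__object_id:?}` lands unfiltered in `/etc/php${PHPVER:?}/php-fpm.d/${name}.conf`, so an object id containing `/` or `..` writes outside the pool directory; validate it with `printf '%s' "$name" | grep -qE '^[A-Za-z0-9_.-]+$' || exit 1` before use.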
diff --git a/type/__php_fpm_pool/manifest b/type/__php_fpm_pool/manifest index b090c9d..49579d7 100644 --- a/type/__php_fpm_pool/manifest +++ b/type/__php_fpm_pool/manifest @@ -1,8 +1,5 @@ #!/bin/sh -# XXX: this type does not configure or install php-fpm: it expects the -# __recycledcloud_php_fpm type to be used first before pools are configured. - os=$(cat "${__global:?}/explorer/os") name=${__object_id:?} -- 2.45.2 From cc2b1af65354a53d87a14c9a28200cd36ad9128c Mon Sep 17 00:00:00 2001 From: Evilham Date: Fri, 25 Mar 2022 10:56:53 +0100 Subject: [PATCH 4/7] [__opendkim_key] Overall improvements in key management While developing this, I noticed that the type was handling inconsistently the expectation that a cdist object with the same __object_id gets *modified*. Instead more and more lines were added to, e.g. SigningTable and KeyTable. In order to solve this, some backwards compatibility breaking is necessary. This is probably not too terrible since: - the `--selector` parameter was mandatory, therefore the fallback for the key location is triggered. - OpenDKIM uses the first match in `SigningTable` and `KeyTable` - __line and __block respectively append if they do not match Closes #19 and #20. --- type/__opendkim_genkey/explorer/key-state | 32 +++++++ type/__opendkim_genkey/gencode-remote | 33 +++++--- type/__opendkim_genkey/man.rst | 83 ++++++++++++++----- type/__opendkim_genkey/manifest | 74 ++++++++++++++--- type/__opendkim_genkey/parameter/optional | 4 +- .../parameter/optional_multiple | 1 + type/__opendkim_genkey/parameter/required | 2 - 7 files changed, 183 insertions(+), 46 deletions(-) create mode 100755 type/__opendkim_genkey/explorer/key-state create mode 100644 type/__opendkim_genkey/parameter/optional_multiple delete mode 100644 type/__opendkim_genkey/parameter/required diff --git a/type/__opendkim_genkey/explorer/key-state b/type/__opendkim_genkey/explorer/key-state new file mode 100755 index 0000000..75998f9 --- /dev/null 
+++ b/type/__opendkim_genkey/explorer/key-state @@ -0,0 +1,32 @@ +#!/bin/sh -e +DIRECTORY="/var/db/dkim/" +if [ -f "${__object:?}/parameter/directory" ]; +then + # Be forgiving about a lack of trailing slash + DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" +fi + + +KEY_ID="$(echo "${__object_id:?)}" | tr '/' '_')" +DEFAULT_PATH="${DIRECTORY:?}${KEY_ID:?}.private" +if [ -s "${DEFAULT_PATH}" ]; then + # This is the main location for the key + FOUND_PATH="${DEFAULT_PATH}" +else + # This is a backwards-compatible location for the key + # Keys generated post March 2022 should not land here + if [ -f "${__object:?}/parameter/selector" ]; then + SELECTOR="$(cat "${__object:?}/parameter/selector")" + if [ -s "${DIRECTORY}${SELECTOR:?}.private" ]; then + FOUND_PATH="${DIRECTORY}${SELECTOR:?}.private" + fi + fi +fi + +if [ -n "${FOUND_PATH}" ]; then + printf "present\t%s" "${FOUND_PATH}" +else + # We didn't find the key + # We pass the default path here, to easen logic in the rest of the type + printf "absent\t%s" "${DEFAULT_PATH}" +fi diff --git a/type/__opendkim_genkey/gencode-remote b/type/__opendkim_genkey/gencode-remote index d8dfb4d..d2bea50 100755 --- a/type/__opendkim_genkey/gencode-remote +++ b/type/__opendkim_genkey/gencode-remote @@ -19,8 +19,8 @@ # # Required parameters -DOMAIN="$(cat "${__object:?}/parameter/domain")" -SELECTOR="$(cat "${__object:?}/parameter/selector")" +DOMAIN="$(cat "${__object:?}/domain")" +SELECTOR="$(cat "${__object:?}/selector")" # Optional parameters BITS= @@ -28,12 +28,6 @@ if [ -f "${__object:?}/parameter/bits" ]; then BITS="-b $(cat "${__object:?}/parameter/bits")" fi -DIRECTORY="/var/db/dkim/" -if [ -f "${__object:?}/parameter/directory" ]; then - # Be forgiving about a lack of trailing slash - DIRECTORY="$(sed -E 's!([^/])$!\1/!' < "${__object:?}/parameter/directory")" -fi - # Boolean parameters SUBDOMAINS= if [ -f "${__object:?}/parameter/no-subdomains" ]; then 
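Review bot: The explorer hard-codes `DIRECTORY="/var/db/dkim/"` with no OS case, while the first patch of this series moves Debian keys to `/etc/dkimkeys/` in both the manifest and gencode-remote; if the two land together, the explorer reports every Debian key as `absent` and the type regenerates keys and rewrites the KeyTable path on each run. Explorers run before the manifest, so the OS default has to be resolved here as well — type explorers can run the global explorer via `os="$("${__explorer:?}/os")"` if I remember cdist's contract right — and then selected with the same `case` the manifest uses. Also, the stray `)` in `${__object_id:?)}` is harmless (it only becomes the error text) but should read `${__object_id:?}`.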
@@ -48,9 +42,24 @@ fi user="$(cat "${__object:?}/user")" group="$(cat "${__object:?}/group")" -if ! [ -f "${DIRECTORY}${SELECTOR}.private" ]; then - echo "opendkim-genkey $BITS --domain=$DOMAIN --directory=$DIRECTORY $RESTRICTED --selector=$SELECTOR $SUBDOMAINS" - echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.private" +KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")" +KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")" + +if [ "${KEY_STATE:?}" = "absent" ]; then + # opendkim-genkey(8) does not allow specifying the file name. + # To err on the safe side (and avoid potentially killing other keys) + # we operate on a temporary directory first, then move the resulting key + cat <<-EOF + tmp_dir="\$(mktemp -d cdist-dkim.XXXXXXXXXXX)" + opendkim-genkey $BITS --domain=${DOMAIN:?} --directory=\${tmp_dir:?} $RESTRICTED --selector=${SELECTOR:?} $SUBDOMAINS + # Relocate and ensure permissions + mv "\${tmp_dir:?}/${SELECTOR:?}.private" '${KEY_LOCATION:?}' + chown ${user}:${group} '${KEY_LOCATION}' + chmod 0600 '${KEY_LOCATION}' # This is usually generated, if it weren't we do not want to fail - echo "chown ${user}:${group} ${DIRECTORY}${SELECTOR}.txt || true" + mv "\${tmp_dir:?}/${SELECTOR:?}.txt" '${KEY_LOCATION%.private}.txt' || true + chown ${user}:${group} '${KEY_LOCATION%.private}.txt' || true + # Cleanup after ourselves + rmdir "\${tmp_dir:?}" || true + EOF fi diff --git a/type/__opendkim_genkey/man.rst b/type/__opendkim_genkey/man.rst index b3fd013..0d52ca3 100644 --- a/type/__opendkim_genkey/man.rst +++ b/type/__opendkim_genkey/man.rst 
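Review bot: `mktemp -d cdist-dkim.XXXXXXXXXXX` has no directory component, so the scratch directory — and the freshly generated private key — is created in whatever working directory the remote shell happens to have, not next to `KEY_LOCATION`; if the later `mv` fails (cross-filesystem, permissions), the only cleanup is `rmdir ... || true`, which leaves the key behind in that directory under whatever mode `opendkim-genkey` gave it. Create the scratch directory inside the key directory so the move is a same-filesystem rename and the 0750 parent already shields it, `tmp_dir="\$(mktemp -d '${KEY_LOCATION%/*}/cdist-dkim.XXXXXXXXXXX')"`, and register `trap 'rm -rf "\${tmp_dir:?}"' EXIT` right after it so nothing survives an early failure. The generated script also has no `set -e`, so a failed `opendkim-genkey` is followed by `mv`/`chown`/`chmod` on files that do not exist; unless cdist already runs code-remote with `-e` (I believe it does, but that is outside this hunk), add `set -e` as the first line of the heredoc.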
@@ -10,23 +10,27 @@ DESCRIPTION ----------- This type uses the `opendkim-genkey(8)` to generate signing keys suitable for -usage by `opendkim(8)` to sign outgoing emails. Then, a line with the domain, -selector and keyname in the `$selector._domainkey.$domain` format will be added -to the OpenDKIM key table located at `/etc/opendkim/KeyTable`. Finally, a line -will be added to the OpenDKIM signing table, using either the domain or the -provided key for the `domain:selector:keyfile` value in the table. An existing -key will not be overwritten. +usage by `opendkim(8)` to sign outgoing emails. + +It also manages the key, identified by its `$__object_id` in OpenDKIM's +KeyTable and sets its `s=` and `d=` parameters (see: `--selector` and +`--sigdomain` respectively). + +This type will also manage the entries in the OpenDKIM's SigningTable by +associating any given `sigkey` values to this key. + +Take into account that if you use this type without the `--domain` and +`--selector` parameters, the `$__object_id` must be in form `$domain/$selector`. Currently, this type is only implemented for Alpine Linux and FreeBSD. Please contribute an implementation if you can. -REQUIRED PARAMETERS -------------------- -domain - The domain to generate the key for. - -selector - The DKIM selector to generate the key for. +NOTE: the name of the key file under `--directory` will default to +`$__object_id.private`, but if that fails and `--selector` is used, +`SELECTOR.private` will be considered. +Take care when using unrelated keys that might collide this way. +For more information see: +https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20 OPTIONAL PARAMETERS 
@@ -38,10 +42,36 @@ bits directory The directory in which to generate the key, `/var/db/dkim/` by default. +domain + The domain to generate the key for. + If omitted, `--selector` must be omitted as well and `$__object_id` must be + in form: `$domain/$selector`. + +selector + The DKIM selector to generate the key for. + If omitted, `--domain` must be omitted as well and `$__object_id` must be + in form: `$domain/$selector`. + +sigdomain + Specified in the KeyTable, the domain to use in the signature's "d=" value. + Defaults to the specified domain. If `%`, it will be replaced by the apparent + domain of the sender when generating a signature. + Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`. + See `KeyTable` in `opendkim.conf(5)` for more information. + + +OPTIONAL MULTIPLE PARAMETERS +---------------------------- sigkey - The key used in the SigningTable for this signing key. Defaults to the + The key used in the `SigningTable` for this signing key. Defaults to the specified domain. If `%`, OpenDKIM will replace it with the domain found in the `From:` header. See `opendkim.conf(5)` for more options. + Note you probably don't want to set both `--sigdomain` and `--sigkey` to `%`. + This can be passed multiple times, resulting in multiple lines in the + SigningTable, which can be used to support signing of subdomains or multiple + domains with the same key; in that case, you probably want to set + `--sigdomain` to `%`, else the domains will not be aligned. + BOOLEAN PARAMETERS ------------------ @@ -57,6 +87,7 @@ EXAMPLES .. code-block:: sh + # Setup the OpenDKIM service __opendkim \ --socket inet:8891@localhost \ --basedir /var/lib/opendkim \ 
@@ -65,14 +96,24 @@ EXAMPLES --umask 002 \ --syslog - require='__opendkim' \ - __opendkim_genkey default \ - --domain example.com \ - --selector default + # Continue only after the service has been set up + export require="__opendkim" - __opendkim_genkey myfoo \ - --domain foo.com \ - --selector backup + # Generate a key for 'example.com' with selector 'default' + __opendkim_genkey default \ + --domain example.com \ + --selector default + + # Generate a key for 'foo.com' with selector 'backup' + __opendkim_genkey 'foo.com/backup' + + # Generate a key for 'example.org' with selector 'main' + # that can also sign 'cdi.st' and subdomains of 'example.org' + __opendkim_genkey 'example.org/main' \ + --sigdomain '%' \ + --sigkey 'example.org' \ + --sigkey '.example.org' \ + --sigkey 'cdi.st' SEE ALSO diff --git a/type/__opendkim_genkey/manifest b/type/__opendkim_genkey/manifest index 50dcee5..1fee0c1 100755 --- a/type/__opendkim_genkey/manifest +++ b/type/__opendkim_genkey/manifest 
@@ -38,14 +38,45 @@ case "$os" in __opendkim_genkey currently only supports Alpine Linux. Please contribute an implementation for $os if you can. EOF + exit 1 ;; esac -# Persist user and group for gencode-remote -printf '%s' "${user}" > "${__object:?}/user" -printf '%s' "${group}" > "${__object:?}/group" -SELECTOR="$(cat "${__object:?}/parameter/selector")" -DOMAIN="$(cat "${__object:?}/parameter/domain")" +# Logic to simplify the type as documented in +# https://code.ungleich.ch/ungleich-public/cdist-contrib/issues/20#issuecomment-14711 +DOMAIN="$(cat "${__object:?}/parameter/domain" 2>/dev/null || true)" +SELECTOR="$(cat "${__object:?}/parameter/selector" 2>/dev/null || true)" +if [ -z "${DOMAIN}${SELECTOR}" ]; then + # Neither SELECTOR nor DOMAIN were passed, try to use __object_id + if echo "${__object_id:?}" | \ + grep -qE '^[^/[:space:]]+/[^/[:space:]]+$'; then + # __object_id matches, let's get the data + DOMAIN="$(echo "${__object_id:?}" | cut -d '/' -f 1)" + SELECTOR="$(echo "${__object_id:?}" | cut -d '/' -f 2)" + else + # It doesn't match the pattern, this is sad + cat <<- EOF >&2 + The arguments --domain and --selector were not used. + So __object_id must match DOMAIN/SELECTOR. + But instead the type got: ${__object_id:?} + EOF + exit 1 + fi +elif [ -z "${DOMAIN}" ] || [ -z "${SELECTOR}" ]; then + # Only one was passed, this is sad :-( + cat <<- EOF >&2 + You must pass either both --selector and --domain or none of them. + If these arguments are absent, __object_id must match: DOMAIN/SELECTOR. + EOF + exit 1 +# else: both were passed +fi + +# Persist data for gencode-remote +printf '%s' "${user:?}" > "${__object:?}/user" +printf '%s' "${group:?}" > "${__object:?}/group" +printf '%s' "${DOMAIN:?}" > "${__object:?}/domain" +printf '%s' "${SELECTOR:?}" > "${__object:?}/selector" DIRECTORY="/var/db/dkim/" if [ -f "${__object:?}/parameter/directory" ]; 
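Review bot: When `--domain` and `--selector` are passed explicitly they bypass the `^[^/[:space:]]+/[^/[:space:]]+$` check that the `__object_id` path enforces, yet both values are persisted and later interpolated unquoted into the generated remote command (`--domain=${DOMAIN:?} ... --selector=${SELECTOR:?}`) and into KeyTable lines, so a value with whitespace or shell metacharacters either splits into extra arguments or injects into code-remote. Validate both after the branch has resolved them, regardless of source, e.g. `printf '%s' "${DOMAIN}" | grep -qE '^[A-Za-z0-9.-]+$' || { echo "invalid domain: ${DOMAIN}" >&2; exit 1; }` and the same check with `[A-Za-z0-9._-]` for `SELECTOR`. The `cut -d '/' -f 2` for the selector is correct only because the regex forbids a second `/`; a one-line comment saying so would save the next reader the reasoning.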
@@ -59,6 +90,11 @@ if [ -f "${__object:?}/parameter/sigkey" ]; then SIGKEY="$(cat "${__object:?}/parameter/sigkey")" fi +SIGDOMAIN="${DOMAIN:?}" +if [ -f "${__object:?}/parameter/sigdomain" ]; +then + SIGDOMAIN="$(cat "${__object:?}/parameter/sigdomain")" +fi # Ensure the key-container directory exists with the proper permissions __directory "${DIRECTORY}" \ @@ -76,10 +112,28 @@ esac key_table="${CFG_DIR}/KeyTable" signing_table="${CFG_DIR}/SigningTable" -__line "line-key-${__object_id:?}" \ - --file "${key_table}" \ - --line "${SELECTOR:?}._domainkey.${DOMAIN:?} ${DOMAIN:?}:${SELECTOR:?}:${DIRECTORY:?}${SELECTOR:?}.private" +KEY_STATE="$(cut -f 1 "${__object:?}/explorer/key-state")" +KEY_LOCATION="$(cut -f 2- "${__object:?}/explorer/key-state")" -__line "line-sig-${__object_id:?}" \ +__line "__opendkim_genkey/${__object_id:?}" \ + --file "${key_table}" \ + --line "${__object_id:?} ${SIGDOMAIN:?}:${SELECTOR:?}:${KEY_LOCATION:?}" \ + --regex "^${__object_id:?}[[:space:]]" \ + --state 'replace' + +sigtable_block() { + for sigkey in ${SIGKEY:?}; do + echo "${sigkey:?} ${__object_id:?}" + done +} +__block "__opendkim_genkey/${__object_id:?}" \ --file "${signing_table}" \ - --line "${SIGKEY:?} ${SELECTOR:?}._domainkey.${DOMAIN:?}" + --text "$(sigtable_block)" + +if [ "${KEY_STATE:?}" = "present" ]; then + # Ensure proper permissions for the key file + __file "${KEY_LOCATION}" \ + --owner "${user}" \ + --group "${group}" \ + --mode 0600 +fi diff --git a/type/__opendkim_genkey/parameter/optional b/type/__opendkim_genkey/parameter/optional index e44793f..9d9b6d1 100644 --- a/type/__opendkim_genkey/parameter/optional +++ b/type/__opendkim_genkey/parameter/optional @@ -1,4 +1,6 @@ bits directory +domain unrestricted -sigkey +selector +sigdomain diff --git a/type/__opendkim_genkey/parameter/optional_multiple b/type/__opendkim_genkey/parameter/optional_multiple new file mode 100644 index 0000000..35978a9 --- /dev/null +++ b/type/__opendkim_genkey/parameter/optional_multiple 
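Review bot: `for sigkey in ${SIGKEY:?}` relies on unquoted word-splitting to iterate the multi-valued parameter, which also subjects each value to pathname expansion; SigningTable keys commonly carry `*` wildcards (`*@example.com` with a `refile:` table), and such a value would be replaced by whatever matching file names exist in the manifest's working directory, silently rewriting the table. Iterate the parameter file line by line instead: `while IFS= read -r sigkey; do printf '%s %s\n' "${sigkey}" "${__object_id:?}"; done < "${__object:?}/parameter/sigkey"` (keeping the `${DOMAIN}` default for the absent-file case), or at the very least wrap the loop in `set -f` / `set +f`. The `--regex "^${__object_id:?}[[:space:]]"` handed to `__line` treats the id as a regex while it contains `.`, which is harmless for the documented `domain/selector` form but deserves a comment so nobody later allows ids with other metacharacters.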
@@ -0,0 +1 @@ +sigkey diff --git a/type/__opendkim_genkey/parameter/required b/type/__opendkim_genkey/parameter/required deleted file mode 100644 index 4dacb77..0000000 --- a/type/__opendkim_genkey/parameter/required +++ /dev/null @@ -1,2 +0,0 @@ -domain -selector -- 2.45.2 From 79baaf02b1ffd472679ecb6fb3ff0fd927f75c51 Mon Sep 17 00:00:00 2001 From: Evilham Date: Fri, 25 Mar 2022 11:08:39 +0100 Subject: [PATCH 5/7] [__opendkim_genkey] Improve error text for unsupported OS It was not listing FreeBSD, which is currently supported. --- type/__opendkim_genkey/manifest | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/type/__opendkim_genkey/manifest b/type/__opendkim_genkey/manifest index 1fee0c1..58e9b06 100755 --- a/type/__opendkim_genkey/manifest +++ b/type/__opendkim_genkey/manifest @@ -35,8 +35,8 @@ case "$os" in ;; *) cat <<- EOF >&2 - __opendkim_genkey currently only supports Alpine Linux. Please - contribute an implementation for $os if you can. + __opendkim_genkey currently only supports Alpine Linux and FreeBSD. + Please contribute an implementation for $os if you can. EOF exit 1 ;; -- 2.45.2 From 116acebd102986303921d24209084b2c28e6416a Mon Sep 17 00:00:00 2001 From: Evilham Date: Tue, 15 Mar 2022 21:39:26 +0100 Subject: [PATCH 6/7] [__opendkim] Deprecate --userid The parameter could produce inconsistencies permissions-wise. Users of the type that need this functionality can still use: --custom-config 'UserId $USERID' Closes #17 --- type/__opendkim/man.rst | 14 +++++++++----- type/__opendkim/parameter/deprecated/userid | 2 ++ 2 files changed, 11 insertions(+), 5 deletions(-) create mode 100644 type/__opendkim/parameter/deprecated/userid diff --git a/type/__opendkim/man.rst b/type/__opendkim/man.rst index e3f3e7a..996f16d 100644 --- a/type/__opendkim/man.rst +++ b/type/__opendkim/man.rst 
@@ -41,21 +41,25 @@ subdomains umask Set the umask for the socket and PID file. -userid - Change the user the opendkim program is to run as. - By default, Alpine Linux's OpenRC service will set this to `opendkim` on the - command-line and FreeBSD's rc will set it to `mailnull`. - custom-config The string following this parameter is appended as-is in the configuration, to enable more complex configurations. + BOOLEAN PARAMETERS ------------------ syslog Log to syslog. +DEPRECATED PARAMETERS +--------------------- +userid + Change the user the opendkim program is to run as. + By default, Alpine Linux's OpenRC service will set this to `opendkim` on the + command-line and FreeBSD's rc will set it to `mailnull`. + + EXAMPLES -------- diff --git a/type/__opendkim/parameter/deprecated/userid b/type/__opendkim/parameter/deprecated/userid new file mode 100644 index 0000000..1815a0a --- /dev/null +++ b/type/__opendkim/parameter/deprecated/userid @@ -0,0 +1,2 @@ +This can cause inconsistencies with permissions and will stop being supported. +If you still need this, you can use --custom-config 'UserId $USERID'. -- 2.45.2 From b7ba43553b5af90df2d18e83f4ad86b7820553dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Thu, 16 May 2024 17:05:45 +0200 Subject: [PATCH 7/7] [__php_fpm*] add support for Debian and Ubuntu --- type/__php_fpm/files/php.ini.sh | 2 +- type/__php_fpm/man.rst | 3 +-- type/__php_fpm/manifest | 45 ++++++++++++++++++++++++--------- type/__php_fpm_pool/man.rst | 2 +- type/__php_fpm_pool/manifest | 24 +++++++++++------- 5 files changed, 51 insertions(+), 25 deletions(-) diff --git a/type/__php_fpm/files/php.ini.sh b/type/__php_fpm/files/php.ini.sh index 8fbc4ac..ec7e446 100755 --- a/type/__php_fpm/files/php.ini.sh +++ b/type/__php_fpm/files/php.ini.sh 
@@ -20,7 +20,7 @@ variables_order = "GPCS"
 zend.assertions = -1
 ; Local custom variations
-include_path = ".:/usr/share/php${PHPVER:?}"
+include_path = ".:${PHP_INCLUDEDIR}"
 memory_limit = ${MEMORY_LIMIT:?}
 post_max_size = ${UPLOAD_MAX_FILESIZE:?}
 upload_max_filesize = ${UPLOAD_MAX_FILESIZE:?}
diff --git a/type/__php_fpm/man.rst b/type/__php_fpm/man.rst
index 08b479e..4306687 100644
--- a/type/__php_fpm/man.rst
+++ b/type/__php_fpm/man.rst
@@ -12,8 +12,7 @@ This type installs and configures PHP-FPM for a given version of PHP.
 It is expected to be used in combination with cdist-type__php_fpm_pool, which configures specific pools.
-Note that currently, this type is only implemented for Alpine Linux.
-
+This type supports Debian, Ubuntu and Alpine Linux.
 REQUIRED PARAMETERS
 -------------------
diff --git a/type/__php_fpm/manifest b/type/__php_fpm/manifest
index 84c4383..9c32716 100644
--- a/type/__php_fpm/manifest
+++ b/type/__php_fpm/manifest
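Review bot: The new `include_path = ".:${PHP_INCLUDEDIR}"` drops the `:?` guard that the replaced line and every neighbouring expansion in this hunk (`MEMORY_LIMIT`, `UPLOAD_MAX_FILESIZE`) carry. If a manifest branch ever fails to export PHP_INCLUDEDIR, the template silently emits `include_path = ".:"` and PHP-FPM starts with a wrong include path instead of the manifest failing loudly. Keep the guard, `include_path = ".:${PHP_INCLUDEDIR:?}"`, consistent with the rest of the file.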
@@ -6,18 +6,39 @@ PHPVER=$(cat "${__object:?}/parameter/php-version")
 export PHPVER
 case "$os" in
-'alpine')
- package="php${PHPVER}-fpm"
- service="php-fpm${PHPVER}"
- opcache_package="php${PHPVER}-opcache"
- apcu_package="php${PHPVER}-pecl-apcu"
- ;;
+ 'alpine')
+ # Alpine packages looks like php81-fpm - we make sure to remove dots from user
+ # input.
+ PHPVER=$(echo "$PHPVER" | tr -d '.')
-*)
- printf "Your operating system is currently not supported by this type\n" >&2
- printf "Please contribute an implementation for it if you can.\n" >&2
- exit 1
+ package="php${PHPVER}-fpm"
+ opcache_package="php${PHPVER}-opcache"
+ apcu_package="php${PHPVER}-pecl-apcu"
+
+ service="php-fpm${PHPVER}"
+ php_confdir="/etc/php${PHPVER}"
+ php_ini="${php_confdir:?}/php.ini"
+
+ PHP_INCLUDEDIR="/usr/share/php${PHPVER:?}"
+ export PHP_INCLUDEDIR
 ;;
+ 'debian'|'ubuntu')
+ package="php${PHPVER}-fpm"
+ opcache_package="php${PHPVER}-opcache"
+ apcu_package="php${PHPVER}-apcu"
+
+ service="php${PHPVER}-fpm"
+ php_confdir="/etc/php/${PHPVER}"
+ php_ini="${php_confdir:?}/fpm/php.ini"
+
+ PHP_INCLUDEDIR="/usr/share/php/${PHPVER:?}"
+ export PHP_INCLUDEDIR
+ ;;
+ *)
+ printf "Your operating system is currently not supported by this type\n" >&2
+ printf "Please contribute an implementation for it if you can.\n" >&2
+ exit 1
+ ;;
 esac
 __package "$package"
@@ -40,8 +61,8 @@ export UPLOAD_MAX_FILESIZE
 mkdir -p "${__object:?}/files"
 "${__type:?}/files/php.ini.sh" >"${__object:?}/files/php.ini"
-require="__package/$package" __file "/etc/php${PHPVER}/php.ini" \
+require="__package/$package" __file "${php_ini:?}" \
 --mode 644 --source "${__object:?}/files/php.ini" \
 --onchange "service $service restart"
-require="__file/etc/php${PHPVER}/php.ini" __service "$service" --action start
+require="__file/${php_ini:?}" __service "$service" --action start
diff --git a/type/__php_fpm_pool/man.rst b/type/__php_fpm_pool/man.rst
index cd96175..da6dd3a 100644
--- a/type/__php_fpm_pool/man.rst
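Review bot: PHPVER comes straight from the `php-version` parameter and is spliced unchecked into package names, config paths, the service name and, in the second hunk, the `service $service restart` string handed to `--onchange`; a malformed value only surfaces later as an odd package name or path. A format check before the `case "$os"`, e.g. `case "$PHPVER" in ''|*[!0-9.]*) printf 'php-version must look like 8.2\n' >&2; exit 1 ;; esac`, turns a typo into a clear error at manifest time. The `:?` on `php_confdir` immediately after assigning it in the same branch is redundant, and the comment should read `# Alpine packages look like php81-fpm - we make sure to remove dots from user input.`.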
+++ b/type/__php_fpm_pool/man.rst
@@ -13,7 +13,7 @@ This type configures a pool named after the `__object_id` for a specified PHP version. Note that this types expects a same-version cdist-type__php_fpm type to have been run first: the user is responsible for doing so.
-Note that currently, this type is only implemented for Alpine Linux.
+This type supports Debian, Ubuntu and Alpine Linux.
 REQUIRED PARAMETERS
diff --git a/type/__php_fpm_pool/manifest b/type/__php_fpm_pool/manifest
index 49579d7..3c8491a 100644
--- a/type/__php_fpm_pool/manifest
+++ b/type/__php_fpm_pool/manifest
@@ -7,16 +7,22 @@ PHPVER=$(cat "${__object:?}/parameter/php-version")
 export PHPVER
 case "$os" in
-'alpine')
- service="php-fpm${PHPVER}"
- :
+ 'alpine')
+ PHPVER=$(echo "$PHP_VERSION" | tr -d '.')
+ service="php-fpm${PHPVER}"
+ php_confdir="/etc/php${PHPVER}"
+ php_pooldir="${php_confdir:?}/php-fpm.d"
 ;;
-
-*)
- printf "Your operating system is currently not supported by this type\n" >&2
- printf "Please contribute an implementation for it if you can.\n" >&2
- exit 1
+ 'debian'|'ubuntu')
+ service="php${PHPVER}-fpm"
+ php_confdir="/etc/php/${PHPVER}"
+ php_pooldir="${php_confdir:?}/fpm/pool.d"
 ;;
+ *)
+ printf "Your operating system is currently not supported by this type\n" >&2
+ printf "Please contribute an implementation for it if you can.\n" >&2
+ exit 1
+ ;;
 esac
 POOL_NAME="$name"
@@ -29,6 +35,6 @@ export POOL_USER POOL_GROUP POOL_LISTEN_ADDR POOL_LISTEN_OWNER POOL_NAME
 mkdir -p "${__object:?}/files"
 "${__type:?}/files/www.conf.sh" >"${__object:?}/files/www.conf"
-__file "/etc/php${PHPVER:?}/php-fpm.d/${name}.conf" \
+__file "${php_pooldir:?}/${name}.conf" \
 --mode 644 --source "${__object:?}/files/www.conf" \
 --onchange "service $service reload"
-- 
2.45.2
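Review bot: The alpine branch's `PHPVER=$(echo "$PHP_VERSION" | tr -d '.')` reads `PHP_VERSION`, a name nothing in this hunk sets; the hunk context shows the parameter is read into `PHPVER`, and the sibling `__php_fpm` manifest in this same patch uses `$PHPVER` on the equivalent line. Under plain sh the unset name expands to empty, so PHPVER, `service` and `php_confdir` degrade to `php-fpm` and `/etc/php`, and the `:?` on `php_confdir` does not catch it because the string is non-empty; the pool file from the second hunk then lands in `/etc/php/php-fpm.d/` instead of the versioned directory and `service php-fpm reload` targets the wrong unit. The line should be `PHPVER=$(echo "$PHPVER" | tr -d '.')`.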