From fed57b48c33487f7e2ac294b9aa0cc42f8220994 Mon Sep 17 00:00:00 2001
From: Johannes Christ
Date: Sun, 20 Apr 2025 19:32:22 +0200
Subject: [PATCH] Set up new dkim milter
The existing `opendkim` milter is no longer maintained. This commit introduces a role which deploys `dkim-milter`. As-is, it is not a complete replacement, since the role does not (yet) migrate keys of the old `opendkim` setup.
---
ansible/playbook.yml | 2 +-
ansible/roles/dkim-milter/handlers/main.yml | 14 ++
ansible/roles/dkim-milter/tasks/main.yml | 148 ++++++++++++++++++
.../dkim-milter/templates/dkim-milter.conf.j2 | 2 +
.../templates/dkim-milter.service.j2 | 21 +++
ansible/roles/dkim-milter/vars/main.yml | 10 ++
6 files changed, 196 insertions(+), 1 deletion(-)
create mode 100644 ansible/roles/dkim-milter/handlers/main.yml
create mode 100644 ansible/roles/dkim-milter/tasks/main.yml
create mode 100644 ansible/roles/dkim-milter/templates/dkim-milter.conf.j2
create mode 100644 ansible/roles/dkim-milter/templates/dkim-milter.service.j2
create mode 100644 ansible/roles/dkim-milter/vars/main.yml
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 976752e2..375e2d5c 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -21,7 +21,7 @@
 - name: Deploy mailservers
 hosts: mail
 roles:
- - opendkim
+ - dkim-milter
 - opendmarc
 - opendmarc-inbox
 - sasl
diff --git a/ansible/roles/dkim-milter/handlers/main.yml b/ansible/roles/dkim-milter/handlers/main.yml
new file mode 100644
index 00000000..680b6a6f
--- /dev/null
+++ b/ansible/roles/dkim-milter/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Reload dkim-milter
+ ansible.builtin.service:
+ name: dkim-milter.service
+ state: restarted
+ tags:
+ - role::dkim-milter
+
+- name: Restart dkim-milter
+ ansible.builtin.service:
+ name: dkim-milter.service
+ state: restarted
+ tags:
+ - role::dkim-milter
diff --git a/ansible/roles/dkim-milter/tasks/main.yml b/ansible/roles/dkim-milter/tasks/main.yml
new file mode 100644
index 00000000..071e0189
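Review bot: The `Reload dkim-milter` handler in handlers/main.yml is byte-for-byte the same as `Restart dkim-milter` (`state: restarted` in both), so every config, signing-keys or signing-senders change in the role performs a full restart even though the tasks deliberately notify the reload handler. If the unit (dkim-milter.service.j2 is not in this hunk) defines an `ExecReload=`, change the first handler to `state: reloaded`; if the daemon has no reload path, drop the duplicate and notify `Restart dkim-milter` everywhere so the handler name does not promise a reload it does not do.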
--- /dev/null
+++ b/ansible/roles/dkim-milter/tasks/main.yml
@@ -0,0 +1,148 @@
+---
+- name: Install opendkim-tools
+ # Used currently to generate keys. Could theoretically replace this with dkimdo
+ # https://codeberg.org/glts/dkimdo
+ ansible.builtin.package:
+ name: opendkim-tools
+ state: present
+ tags:
+ - role::dkim-milter
+
+- name: Pull dkim-milter AppImage from Uncle Christ
+ ansible.builtin.get_url:
+ checksum: sha256:{{ dkim_milter_package_root }}/sha256sums.txt
+ url: "{{ dkim_milter_package_root }}/dkim-milter"
+ dest: /usr/local/sbin/dkim-milter
+ owner: root
+ group: root
+ mode: 0o755
+ vars:
+ dkim_milter_version: 0.2.0-alpha.1
+ uncle_christ_package_root: https://git.jchri.st/api/packages/jc/generic
+ dkim_milter_package_root: "{{ uncle_christ_package_root }}/dkim-milter/{{ dkim_milter_version }}"
+ tags:
+ - role::dkim-milter
+ # https://codeberg.org/forgejo/forgejo/issues/6871
+ when:
+ - not ansible_check_mode
+
+- name: Create dkim-milter user
+ ansible.builtin.user:
+ name: dkim-milter
+ home: /var/lib/dkim-milter
+ group: dkim-milter
+ create_home: false
+ system: true
+ shell: /usr/sbin/nologin
+ tags:
+ - role::dkim-milter
+
+- name: Create dkim-milter directory
+ ansible.builtin.file:
+ path: /etc/dkim-milter
+ state: directory
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o700
+ tags:
+ - role::dkim-milter
+
+- name: Create dkim-milter keys directory
+ ansible.builtin.file:
+ path: /etc/dkim-milter/keys
+ state: directory
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o700
+ tags:
+ - role::dkim-milter
+
+- name: Template dkim-milter configuration file
+ ansible.builtin.template:
+ src: dkim-milter.conf.j2
+ dest: /etc/dkim-milter/dkim-milter.conf
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o400
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Template signing-keys file
+ ansible.builtin.copy:
+ content: |
+ {% for domain in dkim_milter_domains %}
+ {% set keyname = (domain | replace(".", "_")) %}
+ {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem
+ {% endfor %}
+ {% for item in dkim_milter_extra_signings %}
+ {% set keyname = (item['domain'] | replace(".", "_")) %}
+ {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem
+ {% endfor %}
+ dest: /etc/dkim-milter/signing-keys
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o400
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Template signing-senders file
+ ansible.builtin.copy:
+ content: |
+ # Sender expression Domain Selector Key name
+ {% for domain in dkim_milter_domains %}
+ {% set keyname = (domain | replace(".", "_")) %}
+ .{{ domain }} {{ domain }} {{ dkim_milter_selector }} {{ keyname }}
+ {% endfor %}
+ {% for item in dkim_milter_extra_signings %}
+ {% set keyname = (item['use_key'] | replace(".", "_")) %}
+ {% set domain = item['domain'] %}
+ .{{ domain }} {{ domain }} {{ dkim_milter_selector }} {{ keyname }}
+ {% endfor %}
+ dest: /etc/dkim-milter/signing-senders
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o400
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Generate dkim keys
+ become: true
+ become_user: dkim-milter
+ ansible.builtin.command: |
+ opendkim-genkey -D /etc/dkim-milter/keys/{{ item }} -d {{ item }} -s {{ dkim_milter_selector }}
+ with_items:
+ - "{{ dkim_milter_domains }}"
+ args:
+ creates: /etc/dkim-milter/keys/{{ item }}/{{ dkim_milter_selector }}.private
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Template systemd service
+ ansible.builtin.template:
+ src: dkim-milter.service.j2
+ dest: /etc/systemd/system/dkim-milter.service
+ owner: root
+ group: root
+ mode: 0o444
+ register: dkim_milter_service
+ notify:
+ - Restart dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Start and enable dkim-milter
+ ansible.builtin.service:
+ name: dkim-milter.service
+ state: started
+ enabled: true
+ daemon_reload: "{{ dkim_milter_service is changed }}"
+ tags:
+ - role::dkim-milter
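Review bot: The `checksum: sha256:{{ dkim_milter_package_root }}/sha256sums.txt` on the AppImage download task takes the digest from the same registry path as the binary, so it only catches a corrupted transfer and is no authenticity check: whoever can write to that package endpoint can replace both files and the role installs the result as root-owned `/usr/local/sbin/dkim-milter`; pin the digest per version instead, e.g. `checksum: "sha256:{{ dkim_milter_sha256 }}"` with the value kept beside `dkim_milter_version` in the role vars. Separately, the generated and the referenced key paths do not match: `opendkim-genkey -D /etc/dkim-milter/keys/{{ item }} -d {{ item }} -s {{ dkim_milter_selector }}` writes `keys/<domain>/<selector>.private` (and presumably needs that per-domain directory to exist, which no task creates), while the signing-keys file points each key at `keys/<domain_with_underscores>.pem`, so the keys the role creates are never the ones it configures; making the signing-keys line `{{ keyname }} < /etc/dkim-milter/keys/{{ domain }}/{{ dkim_milter_selector }}.private` and adding an `ansible.builtin.file` `state: directory` task looped over `dkim_milter_domains` before the genkey task lines them up. The genkey call also leaves the RSA size to the tool default (1024 bits on the opendkim-tools builds I am aware of); pass `-b 2048` explicitly. Finally, the `dkim_milter_extra_signings` loop in signing-keys derives its key name from `item['domain']` while signing-senders derives it from `item['use_key']`, and no key is generated for the extra domains, so that signing-keys loop looks like it should either be dropped or use `use_key` as well.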
diff --git a/ansible/roles/dkim-milter/templates/dkim-milter.conf.j2 b/ansible/roles/dkim-milter/templates/dkim-milter.conf.j2
new file mode 100644
index 00000000..69b3230b
--- /dev/null
+++ b/ansible/roles/dkim-milter/templates/dkim-milter.conf.j2
@@ -0,0 +1,2 @@
+signing_keys =