ansible-playbooks/roles/rspamd/tasks/dkim.yml

- name: check key parameter
  fail:
    msg: some key parameters are not defined or set incorrectly
  when: (key is not mapping) or (key.type is not defined) or (key.path is not defined)


- name: generate dkim key
  shell:
    cmd: "{{ [
      'rspamadm dkim_keygen',
      '-s ' ~ (key.selector | d(key.type) | quote),
      '-d ' ~ (key.tld | d(tld) | quote),
      '-t ' ~ (key.type | quote),
      '-k ' ~ (key.path | quote),
      ('-b 2048' if key.type == 'rsa' else '')
    ] | select() | list | join(' ') }}"
    creates: "{{ key.path }}"
  register: result


- name: change dkim key owner and group
  file:
    path: "{{ key.path }}"
    state: file
    mode: 0400
    owner: "{{ rspamd_user }}"
    group: "{{ rspamd_group }}"


- name: ed25519 - build public key from stdout
  set_fact:
    rspamd_temp_pub_key: "{{ result.stdout | regex_search('p=([A-Za-z0-9+/=]+)', '\\1') | first }}"
  when: key.type == 'ed25519' and result is defined and result.changed


- block:
  - name: rsa - get public key from dkim key
    openssl_privatekey_info:
      path: "{{ key.path }}"
    register: pub_key

  - name: rsa - build public key
    set_fact:
      rspamd_temp_pub_key: "{{ (pub_key.public_key | replace('-----BEGIN PUBLIC KEY-----', '') |
                                replace('-----END PUBLIC KEY-----', '') | replace('\n', '') | trim ) }}"
  when: key.type == 'rsa'


- block:
  - name: build dns record for public dkim key
    set_fact:
      rspamd_dkim_dns_record: "{{ [
        'v=DKIM1',
        ('h=sha256' if key.type == 'rsa' else ''),
        'k=' ~ key.type,
        's=email:tlsrpt',
        'p=' ~ rspamd_temp_pub_key,
      ] | select() | list | join('; ') }}"

  - name: wait for user interaction if external ns is missing
    pause:
    when: services.external_ns is not defined


  - name: create dns record
    include_role:
      name: external_ns
    vars:
      nse_items:
        - {name: '{{ key.selector | d(key.type) }}._domainkey', type: 'TXT', value: '{{ rspamd_dkim_dns_record }}'}
      nse_function: add_records
      nse_instant: yes

  when: (rspamd_temp_pub_key is string) and (rspamd_temp_pub_key | length > 0)


- name: unset rspamd pub key
  set_fact:
    rspamd_temp_pub_key: "{{ None }}"
init 2 years ago			`- name: check key parameter`
			`fail:`
			`msg: some key parameters are not defined or set incorrectly`
			`when: (key is not mapping) or (key.type is not defined) or (key.path is not defined)`


			`- name: generate dkim key`
			`shell:`
			`cmd: "{{ [`
			`'rspamadm dkim_keygen',`
			`'-s ' ~ (key.selector \| d(key.type) \| quote),`
			`'-d ' ~ (key.tld \| d(tld) \| quote),`
			`'-t ' ~ (key.type \| quote),`
			`'-k ' ~ (key.path \| quote),`
			`('-b 2048' if key.type == 'rsa' else '')`
			`] \| select() \| list \| join(' ') }}"`
			`creates: "{{ key.path }}"`
			`register: result`


			`- name: change dkim key owner and group`
			`file:`
			`path: "{{ key.path }}"`
			`state: file`
			`mode: 0400`
			`owner: "{{ rspamd_user }}"`
			`group: "{{ rspamd_group }}"`


			`- name: ed25519 - build public key from stdout`
			`set_fact:`
			`rspamd_temp_pub_key: "{{ result.stdout \| regex_search('p=([A-Za-z0-9+/=]+)', '\\1') \| first }}"`
			`when: key.type == 'ed25519' and result is defined and result.changed`


			`- block:`
			`- name: rsa - get public key from dkim key`
			`openssl_privatekey_info:`
			`path: "{{ key.path }}"`
			`register: pub_key`

			`- name: rsa - build public key`
			`set_fact:`
			`rspamd_temp_pub_key: "{{ (pub_key.public_key \| replace('-----BEGIN PUBLIC KEY-----', '') \|`
			`replace('-----END PUBLIC KEY-----', '') \| replace('\n', '') \| trim ) }}"`
			`when: key.type == 'rsa'`


			`- block:`
			`- name: build dns record for public dkim key`
			`set_fact:`
			`rspamd_dkim_dns_record: "{{ [`
			`'v=DKIM1',`
			`('h=sha256' if key.type == 'rsa' else ''),`
			`'k=' ~ key.type,`
			`'s=email:tlsrpt',`
			`'p=' ~ rspamd_temp_pub_key,`
			`] \| select() \| list \| join('; ') }}"`

			`- name: wait for user interaction if external ns is missing`
			`pause:`
			`when: services.external_ns is not defined`


			`- name: create dns record`
			`include_role:`
			`name: external_ns`
			`vars:`
			`nse_items:`
			`- {name: '{{ key.selector \| d(key.type) }}._domainkey', type: 'TXT', value: '{{ rspamd_dkim_dns_record }}'}`
			`nse_function: add_records`
			`nse_instant: yes`

			`when: (rspamd_temp_pub_key is string) and (rspamd_temp_pub_key \| length > 0)`


			`- name: unset rspamd pub key`
			`set_fact:`
			`rspamd_temp_pub_key: "{{ None }}"`