From: Ralf Jung <post@ralfj.de>
Date: Sun, 20 May 2018 20:16:35 +0000 (+0200)
Subject: opendkim: properly create tmpdir; use DNSSEC
X-Git-Url: https://git.ralfj.de/ansible.git/commitdiff_plain/9a7ab50f8b155bf34e3819e208cade8517e9e2ae

opendkim: properly create tmpdir; use DNSSEC
---

diff --git a/roles/email/tasks/opendkim.yml b/roles/email/tasks/opendkim.yml
index 1ac9e5a..c56d6f5 100644
--- a/roles/email/tasks/opendkim.yml
+++ b/roles/email/tasks/opendkim.yml
@@ -10,11 +10,14 @@
     src: templates/opendkim.env
 - name: regenerate opendkim service
   when: opendkim_env.changed
-  shell: /lib/opendkim/opendkim.service.generate && systemctl daemon-reload
+  shell: /lib/opendkim/opendkim.service.generate && systemctl daemon-reload && systemd-tmpfiles /etc/tmpfiles.d/opendkim.conf --create
   notify: opendkim
 # tables
+- name: create opendkim dir
+  file: name=/etc/opendkim state=directory owner=opendkim
 - name: generate opendkim keys
   shell: mkdir /etc/opendkim/{{ item }}/ && opendkim-genkey --bits=2048 -s mail -d {{ item }} -D /etc/opendkim/{{ item }}/
+  become_user: opendkim
   args:
     creates: /etc/opendkim/{{ item }}/mail.private
     warn: False
diff --git a/roles/email/templates/opendkim.conf b/roles/email/templates/opendkim.conf
index 6e4d812..6fccfc2 100644
--- a/roles/email/templates/opendkim.conf
+++ b/roles/email/templates/opendkim.conf
@@ -28,3 +28,11 @@ SenderHeaders		Sender,From
 # because it is often the identity key used by reputation systems and thus
 # somewhat security sensitive.
 OversignHeaders		From
+
+##      default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile       /usr/share/dns/root.key