From: Ralf Jung
Date: Sun, 20 May 2018 20:16:35 +0000 (+0200)
Subject: opendkim: properly create tmpdir; use DNSSEC
X-Git-Url: https://git.ralfj.de/ansible.git/commitdiff_plain/9a7ab50f8b155bf34e3819e208cade8517e9e2ae

opendkim: properly create tmpdir; use DNSSEC
---

diff --git a/roles/email/tasks/opendkim.yml b/roles/email/tasks/opendkim.yml
index 1ac9e5a..c56d6f5 100644
--- a/roles/email/tasks/opendkim.yml
+++ b/roles/email/tasks/opendkim.yml
@@ -10,11 +10,14 @@
     src: templates/opendkim.env
 - name: regenerate opendkim service
   when: opendkim_env.changed
-  shell: /lib/opendkim/opendkim.service.generate && systemctl daemon-reload
+  shell: /lib/opendkim/opendkim.service.generate && systemctl daemon-reload && systemd-tmpfiles /etc/tmpfiles.d/opendkim.conf --create
   notify: opendkim
 # tables
+- name: create opendkim dir
+  file: name=/etc/opendkim state=directory owner=opendkim
 - name: generate opendkim keys
   shell: mkdir /etc/opendkim/{{ item }}/ && opendkim-genkey --bits=2048 -s mail -d {{ item }} -D /etc/opendkim/{{ item }}/
+  become_user: opendkim
   args:
     creates: /etc/opendkim/{{ item }}/mail.private
     warn: False
diff --git a/roles/email/templates/opendkim.conf b/roles/email/templates/opendkim.conf
index 6e4d812..6fccfc2 100644
--- a/roles/email/templates/opendkim.conf
+++ b/roles/email/templates/opendkim.conf
@@ -28,3 +28,11 @@ SenderHeaders Sender,From
 # because it is often the identity key used by reputation systems and thus
 # somewhat security sensitive.
 OversignHeaders From
+
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile /usr/share/dns/root.key
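Review bot: `become_user: opendkim` on the `generate opendkim keys` task only takes effect when `become` is enabled as well; if the play does not set `become: true` (not visible in this hunk), the task silently runs as the connecting user and `mail.private` ends up owned by root instead of opendkim, so the signer cannot read its own key. I would put `become: true` right next to `become_user: opendkim` so the task does not depend on play-level defaults. The new `create opendkim dir` task also leaves the mode of /etc/opendkim to the default umask even though the per-domain subdirectories under it will hold private signing keys; I would tighten it, `file: path=/etc/opendkim state=directory owner=opendkim mode=0750`, and as a matter of style write the `file` arguments in block YAML to match the `args:` mapping just below. Finally, the `systemd-tmpfiles --create` call is gated on `opendkim_env.changed`, so a host whose env file is already current but whose tmpfiles config is new will never get the directory created; an unconditional task for that step (with `creates:` or `changed_when:`) would be more robust.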
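Review bot: `TrustAnchorFile /usr/share/dns/root.key` assumes that file exists on the host, but nothing in this commit installs it; on Debian/Ubuntu it is shipped by the dns-root-data package, so the role should ensure that package is present (or the template should guard the directive), otherwise opendkim starts with a missing trust anchor and, depending on how it was built, either skips DNSSEC silently or fails to start — I have not checked which. Pointing at the packaged file rather than a vendored copy is the right choice, since the root KSK rotates and a stale anchor would make every key lookup fail validation. Note that this directive only makes the resolver validate; whether a key that is unsigned or fails validation is still accepted is governed by separate opendkim.conf(5) options (InsecureKey/UnprotectedKey, if I recall the names correctly), which this change leaves at their defaults, so it is worth adding a line such as `## NOTE: enables DNSSEC validation only; unsigned/bogus keys are still handled per InsecureKey/UnprotectedKey` so a reader does not assume DNSSEC is enforced.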