foxyroles / ansible-dkim Goto Github PK

Hi - I just ran into the following error:

ERROR! The 'pause' module bypasses the host loop, which is currently not supported in the free strategy and would instead execute for every host in the inventory list.

The error appears to be in '.../roles/FoxyRoles.ansible-dkim/tasks/dns_records.yml': line 9, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

- name: display DKIM public key DNS record
  ^ here

Code:

Host running Ansible:

• Ubuntu 20.04
• Ansible 20.10.4
• Python 3.8.6

After a quick search, I've found others having similar problems:

• sensu/sensu-ansible#227

Any ideas?

Edit: small improvement suggestion on the following line:

Replace /etc/opendkim with {{ dkim_opendkim_config_dir }}

Hi there!
I was trying your role and seems like that the release url is not picked up by ansible-galaxy:

$ ansible-galaxy install sunfoxcz.dkim -p .
- downloading role 'dkim', owned by sunfoxcz
- downloading role from https://github.com/FoxyRoles/ansible-dkim/archive/v1.0.0.tar.gz
 [ERROR]: failed to download the file: HTTP Error 404: Not Found
[WARNING]: - sunfoxcz.dkim was NOT installed successfully.
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

Dunno if something changed on your galaxy account or it's just a naming issue of github release

Hi,
The script works nicely for generating keys and putting them into postfix. Super, thanks!

But we wonder about the order of things: should the keys keys not be added to dns first, wait for dns propagation, and once that is complete: configure postfix to start signing.

The way I look at ansible-dkim now, the order is reversed: you run the script, keys are generated, postfix is configured & restarted: off you go. But nothing in DNS yet.

Is there logic or a way to upload keys to dns FIRST, and LATER start using them on postfix?
(question is both for initial setup, but also for keys rotation: rotated keys need to published first, and THEN start using them)

Any feedback? Or are we missing something?

Hi again,

After running the role (on Ubuntu 20.04 LTS with some specific security configuration), I get:

Jan  1 22:44:43 s89499 opendkim[179674]: can't load key from /etc/opendkim/keys/mail.private: Permission denied

The problem is that dkim_group (opendkim) doesn't have read permissions on all the directories in path.

It might be a good idea if the role ensures:

• Read permission on dkim_opendkim_config_dir (ie /etc/opendkim) for dkim_group (ie opendkim): either set o+r or, maybe better, set group ownership for this folder to dkim_group (ie opendkim) ensuring that dir has g+r but g-w (group should not have write permissions).
• Same for the keys/ subdir.

Locally I used:

    - file:
        path: "{{ item }}"
        group: "{{ dkim_group }}"
        mode: g-w,g+r
      with_items:
        - "{{ dkim_opendkim_config_dir }}"
        - "{{ dkim_opendkim_config_dir }}/keys"

Hi,

maybe you should include the admin_email in the example, because its mandatory.

Hi, I have noticed that opendkim-keygen runs with the default parameter for the RSA key length, which is 1024 bits:

The suggestion is to include a variable that allows the user to set for example -b {{ dkim_opendkim_rsa_keylen }} to 2048/4096 bits. Also, it may be worth considering the possibility of going for EdDSA instead of RSA in the future.

I added role to Galaxy: https://galaxy.ansible.com/sunfoxcz/dkim

@ulvida Can you please check if it works? I don't use Galaxy yet.

Hi.

you have tested your playbook in 2018?