Optimized DKIM and DNS for mailu and Letsencrypt. Solved some bugs

2025-08-29 15:06:26 +02:00 · 2025-04-29 20:24:09 +02:00
parent f4db4ca6ea
commit fa9831ef08
9 changed files with 84 additions and 54 deletions
--- a/roles/docker-mailu/tasks/generate-and-read-dkim.yml
+++ b/roles/docker-mailu/tasks/generate-and-read-dkim.yml
@@ -1,13 +1,49 @@
+- name: Check if DKIM private key file exists in the antispam container
+  command: >
+    docker compose exec -T antispam
+    test -f {{mailu_dkim_key_path}}
+  register: dkim_key_file_stat
+  failed_when:  false
+  changed_when: false
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+
 - name: Generate DKIM key
  command: >
    docker compose exec -T antispam
-    rspamadm dkim_keygen -s dkim -d {{ applications[application_id].domain }} -k {{ applications[application_id].domain }}.dkim.key
+    rspamadm dkim_keygen -s dkim -d {{ applications[application_id].domain }} -k {{ mailu_dkim_key_path }}
  register: dkim_keygen_output
-  chdir: "{{ docker_compose.directories.instance }}"
+  when: dkim_key_file_stat.rc != 0
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"

- name: Extract DKIM record from parentheses
+- name: Fetch DKIM private key from antispam container
+  shell: >
+    docker compose exec -T antispam
+    cat {{ mailu_dkim_key_path }}
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: dkim_priv_content
+  failed_when: dkim_priv_content.rc != 0
+  changed_when: false
+
+- name: Generate DKIM public key on the host
+  command: openssl rsa -pubout
+  args:
+    stdin: "{{ dkim_priv_content.stdout }}"
+  register: dkim_pub_raw
+  changed_when: false
+
+- name: Normalize and build Mailu DKIM TXT record
  set_fact:
    mailu_dkim_public_key: >-
-      {{ dkim_keygen_output.stdout
-         | regex_search('(?s)\((.*?)\)', '\\1')
-         | default('') }}
+      v=DKIM1; k=rsa; p={{
+        dkim_pub_raw.stdout
+        | regex_replace('-----BEGIN PUBLIC KEY-----', '')
+        | regex_replace('-----END PUBLIC KEY-----', '')
+        | regex_replace('\s+', '')
+      }}
+
+- name: Debug Mailu DKIM public key
+  debug:
+    msg: "Mailu DKIM public key: {{ mailu_dkim_public_key }}"
--- a/roles/docker-mailu/tasks/main.yml
+++ b/roles/docker-mailu/tasks/main.yml
@@ -41,22 +41,7 @@
  loop_control:
    loop_var: item
  when: run_once_docker_mailu is not defined
-
- name: "Load Mailu DNS variables"
-  include_vars: vars/mailu-dns.yml
-  when: dns_provider == 'cloudflare'
-
- name: Generate DKIM public key
-  include_tasks: generate-and-read-dkim.yml
-  when:
-    - not applications[application_id].credentials.dkim_public_key is defined
-
- name: Set DKIM public key
-  set_fact:
-    mailu_dkim_public_key: >-
-      {{ applications[application_id].credentials.dkim_public_key }}
-  when: applications[application_id].credentials.dkim_public_key is defined
-
+  
 - name: Set Mailu DNS records
  include_tasks: set-mailu-dns-records.yml
  when: dns_provider == 'cloudflare'
--- a/roles/docker-mailu/tasks/set-mailu-dns-records.yml
+++ b/roles/docker-mailu/tasks/set-mailu-dns-records.yml
@@ -1,3 +1,9 @@
+- name: "Load Mailu DNS variables"
+  include_vars: vars/mailu-dns.yml
+
+- name: Generate DKIM public key
+  include_tasks: generate-and-read-dkim.yml
+
 - name: "Set A record for mail server"
  community.general.cloudflare_dns:
    api_token: "{{ cloudflare_record_api_token }}"
@@ -6,7 +12,7 @@
    name: "{{ domain }}"
    content: "{{ mailu_dns_ip }}"
    proxied: false
-    ttl: 3600
+    ttl: 1
    state: present

 - name: "Set CNAME record for autoconfig"
@@ -17,7 +23,7 @@
    name: "autoconfig.{{ mailu_dns_zone }}"
    value: "{{ domain }}"
    proxied: false
-    ttl: 3600
+    ttl: 1
    state: present

 - name: "Set MX record"
@@ -28,7 +34,7 @@
    name: "{{ mailu_dns_zone }}"
    value: "{{ domain }}"
    priority: 10
-    ttl: 3600
+    ttl: 1
    state: present

 - name: "Set SRV records"
@@ -36,18 +42,19 @@
    api_token: "{{ cloudflare_record_api_token }}"
    zone: "{{ mailu_dns_zone }}"
    type: SRV
-    name: "_{{ item.key }}._tcp"
-    data:
-      service: "_{{ item.key }}"
-      proto: "_tcp"
-      name: "{{ mailu_dns_zone }}"
-      priority: "{{ item.value.priority }}"
-      weight: "{{ item.value.weight }}"
-      port: "{{ item.value.port }}"
-      target: "{{ domain }}"
-    ttl: 3600
+    service: "_{{ item.key }}"
+    proto: "_tcp"
+    priority: "{{ item.value.priority }}"
+    weight: "{{ item.value.weight }}"
+    port: "{{ item.value.port }}"
+    value: "{{ domain }}"
+    ttl: 1
    state: present
  loop: "{{ mailu_dns_srv_records | dict2items }}"
+  ignore_errors: true
+  #register: srv_result
+  #failed_when: srv_result.rc != 0 and ("An identical record already exists" not in srv_result.stdout)
+  #changed_when: srv_result.rc == 0 and ("An identical record already exists" not in srv_result.stdout)

 - name: "Set SPF TXT record"
  community.general.cloudflare_dns:
@@ -56,7 +63,7 @@
    type: TXT
    name: "{{ mailu_dns_zone }}"
    value: "v=spf1 mx a:{{ domain }} ~all"
-    ttl: 3600
+    ttl: 1
    state: present

 - name: "Set DMARC TXT record"
@@ -66,7 +73,7 @@
    type: TXT
    name: "_dmarc.{{ mailu_dns_zone }}"
    value: "v=DMARC1; p=reject; ruf=mailto:{{ mailu_dmarc_ruf }}; adkim=s; aspf=s"
-    ttl: 3600
+    ttl: 1
    state: present

 - name: "Set DKIM TXT record"
@@ -76,5 +83,5 @@
    type: TXT
    name: "dkim._domainkey.{{ mailu_dns_zone }}"
    value: "{{ mailu_dkim_public_key }}"
-    ttl: 3600
+    ttl: 1
    state: present