From 7c5ec1e0df52d63a8c1104de782a62ff16840382 Mon Sep 17 00:00:00 2001 From: link2xt Date: Tue, 24 Oct 2023 21:21:31 +0000 Subject: [PATCH] Add scripts/generate-dns-zone.sh --- .gitignore | 2 + README.md | 7 ++- .../src/deploy_chatmail/__init__.py | 47 +++++++++++++------ deploy-chatmail/src/deploy_chatmail/deploy.py | 2 +- .../src/deploy_chatmail/opendkim/KeyTable | 1 + .../src/deploy_chatmail/opendkim/SigningTable | 1 + .../deploy_chatmail/opendkim/opendkim.conf | 9 ++-- scripts/generate-dns-zone.sh | 20 ++++++++ 8 files changed, 66 insertions(+), 23 deletions(-) create mode 100644 deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable create mode 100644 deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable create mode 100755 scripts/generate-dns-zone.sh diff --git a/.gitignore b/.gitignore index 594ea4b0..25db0487 100644 --- a/.gitignore +++ b/.gitignore @@ -159,3 +159,5 @@ cython_debug/ # and can be added to the global gitignore or merged into this file. For a more nuclear # option (not recommended) you can uncomment the following to ignore the entire idea folder. #.idea/ + +chatmail.zone diff --git a/README.md b/README.md index baeea45a..073cd37e 100644 --- a/README.md +++ b/README.md @@ -10,14 +10,17 @@ comprised of a minimal setup of the battle-tested scripts/init.sh -2. set environment variable to the chatmail domain you want to setup: +2. setup a domain with `A` and `AAAA` records for your chatmail server + +3. set environment variable to the chatmail domain you want to setup: export CHATMAIL_DOMAIN=c1.testrun.org # replace with your host -3. run the deploy of the chat mail instance: +4. run the deploy of the chat mail instance: scripts/deploy.sh +5. run `scripts/generate-dns-zone.sh` and create the generated DNS records at your DNS provider ## Running tests and benchmarks (offline and online) diff --git a/deploy-chatmail/src/deploy_chatmail/__init__.py b/deploy-chatmail/src/deploy_chatmail/__init__.py index ed18bcdf..5a229798 100644 
--- a/deploy-chatmail/src/deploy_chatmail/__init__.py +++ b/deploy-chatmail/src/deploy_chatmail/__init__.py @@ -4,8 +4,8 @@ Chat Mail pyinfra deploy. import importlib.resources from pathlib import Path -from pyinfra import host, logger -from pyinfra.operations import apt, files, server, systemd, python +from pyinfra import host +from pyinfra.operations import apt, files, server, systemd from pyinfra.facts.files import File from .acmetool import deploy_acmetool @@ -70,6 +70,36 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool: mode="644", config={"domain_name": domain, "opendkim_selector": dkim_selector}, ) + need_restart |= main_config.changed + + files.directory( + name="Add opendkim directory to /etc", + path="/etc/opendkim", + user="opendkim", + group="opendkim", + mode="750", + present=True, + ) + + keytable = files.template( + src=importlib.resources.files(__package__).joinpath("opendkim/KeyTable"), + dest="/etc/dkimkeys/KeyTable", + user="opendkim", + group="opendkim", + mode="644", + config={"domain_name": domain, "opendkim_selector": dkim_selector}, + ) + need_restart |= keytable.changed + + signing_table = files.template( + src=importlib.resources.files(__package__).joinpath("opendkim/SigningTable"), + dest="/etc/dkimkeys/SigningTable", + user="opendkim", + group="opendkim", + mode="644", + config={"domain_name": domain, "opendkim_selector": dkim_selector}, + ) + need_restart |= signing_table.changed files.directory( name="Add opendkim socket directory to /var/spool/postfix", @@ -90,8 +120,6 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool: _sudo_user="opendkim", ) - need_restart |= main_config.changed - return need_restart 
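Review bot: In the `@@ -70,6 +70,36 @@` hunk the new `files.directory` creates `/etc/opendkim` (opendkim:opendkim, 750), but nothing in the hunk writes there: both new templates have `dest="/etc/dkimkeys/KeyTable"` and `dest="/etc/dkimkeys/SigningTable"`, so unless something outside this diff uses that directory it is dead configuration that leaves a second, empty config root on the host. Either drop that operation or point the two `dest` paths at `/etc/opendkim/...` and update the `KeyTable`/`SigningTable` lines in opendkim.conf to match. The `config={"domain_name": domain, "opendkim_selector": dkim_selector}` dict is now repeated three times; hoisting it into one local (`template_config = {...}`) before the first `files.template` keeps the three renders from drifting. `_configure_opendkim` begins and ends outside this hunk.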
@@ -292,14 +320,3 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N enabled=True, restarted=journald_conf, ) - - def callback(): - result = server.shell( - commands=[ - f"""sed 's/\tIN/ 600 IN/;s/\t(//;s/\"$//;s/^\t \"//g; s/ ).*//' """ - f"""/etc/dkimkeys/{dkim_selector}.txt | tr --delete '\n'""" - ] - ) - logger.info(f"Add this TXT entry into DNS zone: {result.stdout}") - - python.call(name="Print TXT entry for DKIM", function=callback) diff --git a/deploy-chatmail/src/deploy_chatmail/deploy.py b/deploy-chatmail/src/deploy_chatmail/deploy.py index ab8d4ed9..b2a461ae 100644 --- a/deploy-chatmail/src/deploy_chatmail/deploy.py +++ b/deploy-chatmail/src/deploy_chatmail/deploy.py @@ -6,7 +6,7 @@ from deploy_chatmail import deploy_chatmail def main(): mail_domain = os.getenv("CHATMAIL_DOMAIN") mail_server = os.getenv("CHATMAIL_SERVER", mail_domain) - dkim_selector = os.getenv("CHATMAIL_DKIM_SELECTOR", "2023") + dkim_selector = os.getenv("CHATMAIL_DKIM_SELECTOR", "dkim") assert mail_domain assert mail_server diff --git a/deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable b/deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable new file mode 100644 index 00000000..63758eed --- /dev/null +++ b/deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable @@ -0,0 +1 @@ +dkim._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/dkim.private diff --git a/deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable b/deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable new file mode 100644 index 00000000..b41f3c7d --- /dev/null +++ b/deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable @@ -0,0 +1 @@ +*@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }} diff --git a/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf b/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf index 1668ea44..4aafa35d 100644 
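Review bot: The new KeyTable line hard-codes the selector as `dkim` twice (`dkim._domainkey.{{ config.domain_name }}` and `/etc/dkimkeys/dkim.private`), while the new SigningTable maps senders to `{{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}` and deploy.py still reads `CHATMAIL_DKIM_SELECTOR`; with any selector other than the new default `dkim`, the SigningTable target has no KeyTable row and signing for the domain cannot succeed. The opendkim.conf hunk has the same split, since its `KeyFile` path is still derived from the selector. Either render the KeyTable from the same variable, `{{ config.opendkim_selector }}._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/{{ config.opendkim_selector }}.private`, or remove the environment override in deploy.py so the value cannot diverge. Which filename the private key is generated under is not visible in this diff, so whichever form is kept must match the key-generation step.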
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf +++ b/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf @@ -1,7 +1,4 @@ -# This is a basic configuration for signing and verifying. It can easily be -# adapted to suit a basic installation. See opendkim.conf(5) and -# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete -# documentation of available configuration parameters. +# OpenDKIM configuration. Syslog yes SyslogSuccess yes @@ -21,7 +18,9 @@ OversignHeaders From # setup options can be found in /usr/share/doc/opendkim/README.opendkim. Domain {{ config.domain_name }} Selector {{ config.opendkim_selector }} -KeyFile /etc/dkimkeys/{{ config.opendkim_selector }}.private +KeyFile /etc/dkimkeys/{{ config.opendkim_selector }}.private +KeyTable /etc/dkimkeys/KeyTable +SigningTable /etc/dkimkeys/SigningTable # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when # using a local socket with MTAs that access the socket as a non-privileged diff --git a/scripts/generate-dns-zone.sh b/scripts/generate-dns-zone.sh new file mode 100755 index 00000000..b236ad8c --- /dev/null +++ b/scripts/generate-dns-zone.sh @@ -0,0 +1,20 @@ +#!/bin/sh +: ${CHATMAIL_DOMAIN:=c1.testrun.org} +: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN} + +set -e +SSH="ssh root@$CHATMAIL_SSH" +EMAIL="root@$CHATMAIL_DOMAIN" +ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)" + +cat <
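Review bot: In the `@@ -21,7 +18,9 @@` hunk, `SigningTable /etc/dkimkeys/SigningTable` is declared as a plain file dataset, but the SigningTable added in this commit uses the wildcard pattern `*@{{ config.domain_name }}`; OpenDKIM only treats SigningTable keys as patterns when the dataset is declared with the `refile:` prefix, so with a plain file the lookup is keyed on the literal string and is unlikely to match a real sender — verify against opendkim.conf(5) for the installed version. The line should read `SigningTable refile:/etc/dkimkeys/SigningTable`. The retained `Domain`/`Selector`/`KeyFile` lines are, as far as I recall, superseded once `KeyTable` and `SigningTable` are set; a comment such as `# KeyTable/SigningTable take precedence over Domain/Selector/KeyFile for signing` above them would stop a reader from editing the wrong setting.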