diff --git a/dns/cloudflare/main.tf b/dns/cloudflare/main.tf index 9fe4fa244..e2959c9af 100644 --- a/dns/cloudflare/main.tf +++ b/dns/cloudflare/main.tf @@ -10,6 +10,14 @@ data "cloudflare_zones" "domain" { } } + +module "dkim" { + source = "../dkim" + sudoer_username = var.sudoer_username + public_instances = var.public_instances + ssh_private_key = var.ssh_private_key +} + module "record_generator" { source = "../record_generator" name = lower(var.name) @@ -17,6 +25,7 @@ module "record_generator" { vhosts = var.vhosts domain_tag = var.domain_tag vhost_tag = var.vhost_tag + dkim_public_key = module.dkim.public_key } resource "cloudflare_record" "records" { diff --git a/dns/dkim/main.tf b/dns/dkim/main.tf new file mode 100644 index 000000000..239d87470 --- /dev/null +++ b/dns/dkim/main.tf @@ -0,0 +1,53 @@ + +variable "sudoer_username" {} + +variable "public_instances" {} + +variable "ssh_private_key" { + type = string +} + +resource "tls_private_key" "dkim" { + algorithm = "RSA" +} + +resource "null_resource" "deploy_certs" { + for_each = var.public_instances + + triggers = { + instance_id = each.value["id"] + certificate_id = tls_private_key.dkim.id + } + + connection { + type = "ssh" + user = var.sudoer_username + host = each.value["public_ip"] + host_key = each.value["hostkeys"]["rsa"] + private_key = var.ssh_private_key + } + + provisioner "file" { + content = tls_private_key.dkim.private_key_pem + destination = "default.private" + } + + provisioner "remote-exec" { + inline = [ + "sudo mkdir -p /etc/opendkim/keys", + "sudo install -m 600 -o root -g root default.private /etc/opendkim/keys/", + "rm default.private", + ] + } +} + +data "external" "rsa2der" { + program = ["python", "${path.module}/rsa2der.py"] + query = { + private_key = tls_private_key.dkim.private_key_pem + } +} + +output "public_key" { + value = data.external.rsa2der.result["public_key"] +} \ No newline at end of file 
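Review bot: `resource "tls_private_key" "dkim"` sets only `algorithm = "RSA"` and no `rsa_bits`, so the DKIM key size is whatever the tls provider defaults to; pin it, e.g. `rsa_bits = 2048`, since it also fixes the length of the `p=` TXT value downstream. The private key PEM is persisted in Terraform state twice in this hunk — as the `tls_private_key` resource and again inside the `query` of `data.external.rsa2der` — so the state backend holds the mail signing key in clear; a comment on the resource such as `# private_key_pem lands in state; the backend must be treated as secret storage` would make that explicit to the next maintainer. `program = ["python", ...]` runs the interpreter as `python` while `rsa2der.py` carries a `python3` shebang; use `python3` so the data source does not pick up a Python 2 or a missing `python` on the machine running terraform. The `install -m 600 -o root -g root` step leaves the key readable by root only; if opendkim runs under its own service account on these hosts it presumably cannot open the key — confirm against the opendkim configuration deployed on the instances. The `file` provisioner also stages the PEM in the login user's home before `install` tightens it, so the key briefly exists outside `/etc/opendkim/keys` with whatever mode the provisioner applied.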
diff --git a/dns/dkim/rsa2der.py b/dns/dkim/rsa2der.py new file mode 100644 index 000000000..7165d6764 --- /dev/null +++ b/dns/dkim/rsa2der.py @@ -0,0 +1,17 @@ +#!/usr/bin/env python3 + +import base64 +import json +import sys +from subprocess import Popen, PIPE + +inputs = json.load(sys.stdin) +private_key = inputs['private_key'] + +cmd = ["openssl", "rsa", "-pubout", "-outform", "DER"] +ssl_cmd = Popen(cmd, stdin=PIPE, stdout=PIPE) +ssl_out = ssl_cmd.communicate(private_key.encode())[0] +public_key = base64.b64encode(ssl_out).decode() + +output = {'public_key' : public_key} +print(json.dumps(output)) diff --git a/dns/gcloud/main.tf b/dns/gcloud/main.tf index 3d64559f7..6a0ce549d 100644 --- a/dns/gcloud/main.tf +++ b/dns/gcloud/main.tf @@ -7,6 +7,13 @@ data "google_dns_managed_zone" "domain" { project = var.project } +module "dkim" { + source = "../dkim" + sudoer_username = var.sudoer_username + public_instances = var.public_instances + ssh_private_key = var.ssh_private_key +} + module "record_generator" { source = "../record_generator" name = lower(var.name) @@ -14,6 +21,7 @@ module "record_generator" { vhosts = var.vhosts domain_tag = var.domain_tag vhost_tag = var.vhost_tag + dkim_public_key = module.dkim.public_key } resource "google_dns_record_set" "records" { diff --git a/dns/record_generator/main.tf b/dns/record_generator/main.tf index 884e721d0..3d86f0709 100644 --- a/dns/record_generator/main.tf +++ b/dns/record_generator/main.tf @@ -9,6 +9,8 @@ variable "public_instances" {} variable "domain_tag" {} variable "vhost_tag" {} +variable "dkim_public_key" {} + data "external" "key2fp" { for_each = var.public_instances program = ["bash", "${path.module}/key2fp.sh"] 
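Review bot: The `openssl` exit status is never checked — `Popen(...).communicate()` hands back whatever landed on stdout, so if `openssl rsa -pubout` fails on a bad PEM, `ssl_out` is `b""` and the script still prints `{"public_key": ""}`, which Terraform would write straight into a `p=` TXT record. Replace the `Popen` pair with `proc = subprocess.run(cmd, input=private_key.encode(), capture_output=True, check=True)` and `public_key = base64.b64encode(proc.stdout).decode()` (importing `subprocess` instead of `Popen, PIPE`), so a failure surfaces as a non-zero exit that the external data source reports instead of an empty key. Stderr from openssl is not captured today either; with `capture_output=True` it is available for the error. Feeding the key via stdin rather than the argument list is the right choice here and should stay that way.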
@@ -95,7 +97,19 @@ locals { type = 2 fingerprint = try(coalesce([for key, values in var.public_instances: data.external.key2fp[key].result["ed25519_sha256"] if contains(values["tags"], var.domain_tag)]...), 0) } - } + }, + { + type = "TXT" + name = var.name + value = "v=spf1 a -all" + data = null + }, + { + type = "TXT" + name = "default._domainkey.${var.name}" + value = "v=DKIM1; k=rsa; p=${var.dkim_public_key}" + data = null + }, ]) }
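Review bot: The DKIM TXT value `v=DKIM1; k=rsa; p=${var.dkim_public_key}` exceeds 255 characters for any RSA key of 2048 bits or more (the base64 SPKI alone is about 390 characters), while a single TXT character-string is limited to 255 bytes; whether the Cloudflare and Google record resources split a long `value` into multiple strings is not visible here — confirm, or chunk the value in this module before it reaches them. The selector `default` is hard-coded in this record name and separately in `dns/dkim/main.tf` (`default.private`); a shared variable, or at least a comment cross-referencing the two, would keep them from drifting apart. `v=spf1 a -all` authorises only hosts behind the zone apex A record and hard-fails everything else, which is strict; if mail is ever relayed through other hosts this causes rejections, so a one-line comment stating that intent is worth adding. The enclosing `locals` block starts before this hunk.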