new cookbook: fb_opendkim (facebook#265)

Summary:
Note this isn't added to `test_services` cookbook because it would
require keys and a real domain and such.

Signed-off-by: Phil Dibowitz <phil@ipom.com>

Pull Request resolved: facebook#265

Differential Revision: D69666424

fbshipit-source-id: 46d5953c7d8e1d4a84068bcb7ebe62138c2e9632

Author: jaymzh

cookbooks/fb_opendkim/README.md

@@ -0,0 +1,43 @@
+fb_opendkim Cookbook
+====================
+
+Requirements
+------------
+
+Attributes
+----------
+* node['fb_opendkim']['config']
+* node['fb_opendkim']['manage_packages']
+* node['fb_opendkim']['sysconfig']
+
+Usage
+-----
+### Packages
+
+This cookbook will install the necessary packages. If you prefer to install
+them yourself, set `node['fb_opendkim']['manage_packages']` to `false`.
+
+### Configuration
+
+The configuration file is generated by the single-level hash in
+`node['fb_opendkim']['config']`. A default configuration is provided in this
+cookbook, but you'll certainly need to add more.
+
+### Keys
+
+This cookbook does not manage the keys for you. You should drop them off in an
+appropriate place for your distribution. For example, in Debian, this is
+`/etc/dkimkeys/<domain>/<service>.{private,txt}`.
+
+Once you've done that you can set either
+`node['fb_opendkim']['config']['KeyFile']`,
+`node['fb_opendkim']['config']['Selector']`, and
+`node['fb_opendkim']['config']['Domain']` for simple setups, or alternatively,
+setup signingtables.
+
+### Service Environment Variables
+
+You can customize some options that the Unit file will read in the
+`node['fb_opendkim']['sysconfig']` hash. Note that if you specify `socket`, it
+will override the socket in the config file, and for this reason we recommend
+not setting socket here.

cookbooks/fb_opendkim/attributes/default.rb

@@ -0,0 +1,45 @@
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2025-present, Meta Platforms, Inc.
+# Copyright (c) 2025-present, Phil Dibowitz
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+rundir = '/run/opendkim'
+
+default['fb_opendkim'] = {
+  'manage_packages' => true,
+  'config' => {
+    'Syslog' => 'yes',
+    'SyslogSuccess' => 'yes',
+    'Canonicalization' => 'relaxed/simple',
+    'OversignHeaders' => 'From',
+    'UserID' => 'opendkim',
+    'UMask' => '007',
+    'Socket' => "local:#{rundir}/opendkim.sock",
+    'PidFile' => '/run/opendkim/opendkim.pid',
+    'TrustAnchorFile' => '/usr/share/dns/root.key',
+  },
+  'sysconfig' => {
+    'rundir' => '/run/opendkim',
+    # if you specify a socket here, it'll override the config
+    # since it's _required_ in the config, put it only there and
+    # not here.
+    'user' => 'opendkim',
+    'group' => 'opendkim',
+    'pidfile' => '$RUNDIR/$NAME.pid',
+  },
+}

cookbooks/fb_opendkim/metadata.rb

@@ -0,0 +1,6 @@
+name 'fb_opendkim'
+maintainer 'Meta Platforms, Inc.'
+maintainer_email 'noreply@meta.com'
+license 'Apache-2.0'
+description 'Installs/Configures opendkim'
+version '0.1.0'

cookbooks/fb_opendkim/recipes/default.rb

@@ -0,0 +1,54 @@
+#
+# Cookbook:: fb_opendkim
+# Recipe:: default
+#
+# Copyright:: 2025-present, Meta Platforms, Inc.
+# Copyright:: 2025-present, Phil Dibowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+packages = %w{
+  opendkim
+  opendkim-tools
+}
+
+package 'opendkim packages' do
+  only_if { node['fb_opendkim']['manage_packages'] }
+  package_name packages
+  action :upgrade
+end
+
+template '/etc/opendkim.conf' do
+  owner node.root_user
+  group node.root_group
+  mode '0644'
+  notifies :restart, 'service[opendkim]'
+end
+
+sysconfig = value_for_platform_family(
+  ['rhel', 'fedora'] => '/etc/sysconfig/opendkim',
+  ['debian'] => '/etc/default/opendkim',
+)
+
+template sysconfig do
+  source 'sysconfig.erb'
+  owner node.root_user
+  group node.root_group
+  mode '0644'
+  notifies :restart, 'service[opendkim]'
+end
+
+service 'opendkim' do
+  action [:enable, :start]
+end

cookbooks/fb_opendkim/templates/opendkim.conf.erb

@@ -0,0 +1,4 @@
+# This file is controlled by Chef, do not modify!
+<% node['fb_opendkim']['config'].each do |key, val| %>
+<%=  key %> <%= val %>
+<% end %>

cookbooks/fb_opendkim/templates/sysconfig.erb

@@ -0,0 +1,4 @@
+# This file is controlled by Chef, do not modify!
+<% node['fb_opendkim']['sysconfig'].each do |key, val| %>
+<%=  key.upcase %>="<%= val %>"
+<% end %>