updated opendkim state

states/haproxy/defaults.yaml

@@ -45,7 +45,7 @@ haproxy:
       port: 7000
     api:
       enable: true
-      filesocket: /var/run/haproxy.sock
+      filesocket: /var/run/haproxy-admin.sock
       tcpsocket: ipv4@127.0.0.1:9990
     acme_dir: /etc/acme
     acme_fullchains_dir: /etc/acme/fullchains

states/haproxy/install.sls

@@ -25,6 +25,13 @@ haproxy-config-script-dir:
     - group: {{ haproxy.config.group }}
     - mode: "0700"
 
+haproxy-config-mods-dir:
+  file.directory:
+    - name: {{ haproxy.config.dir }}/mods
+    - user: {{ haproxy.config.user }}
+    - group: {{ haproxy.config.group }}
+    - mode: "0700"
+
 {% for file in haproxy.scripts %}
 haproxy-script-{{ file.name }}:
   file.managed:

states/haproxy/maps/redirects.j2

@@ -2,6 +2,6 @@
 {%- from "haproxy/map.jinja" import haproxy with context %}
 {%- for name, values in haproxy.config.vhosts.items() %}
 {%- if values.redirect|default(false) %}
-{{ values.host }} {{ values.redirect }}
+{{ name }} {{ values.redirect }}
 {%- endif %}
 {%- endfor %}

states/haproxy/maps/vhosts.j2

@@ -2,6 +2,6 @@
 {%- from "haproxy/map.jinja" import haproxy with context %}
 {%- for name, values in haproxy.config.vhosts.items() %}
 {%- if not values.redirect|default(false) %}
-{{ values.host }} {{ name }}
+{{ name }} {{ name }}
 {%- endif %}
 {%- endfor %}

states/haproxy/templates/haproxy.cfg.j2

@@ -1,9 +1,14 @@
 ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
 {%- from "haproxy/map.jinja" import haproxy,certs with context %}
 
+{%- set fqdn = salt["grains.get"]("fqdn") %}
+{%- set default_backend = "test" %}
+{% set ns = namespace(default_backend='notdefined') %}
+{%- for name, values in haproxy.config.vhosts.items() %}{% if values.default_backend|default(false) %}{% set ns.default_backend = name %}{% endif %}{% endfor %}
+
 {%- macro internal() -%}
   acl internal src -f {{ haproxy.config.dir }}/maps/access
-  http-response return status 403 default-errorfiles if ! internal
+  http-response return status 403 content-type text/html string "403 forbidden" if ! internal
 {%- endmacro -%}
 
 {%- macro head() -%}
@@ -11,7 +16,7 @@
 {%- endmacro -%}
 
 {%- macro statusresponses() -%}
-  http-response return content-type text/html string "404 not found" if { status 404 }
+  http-response return status 404 content-type text/html string "404 not found" if { status 404 }
 {%- endmacro -%}
 
 {%- macro httpcheckrules(layer="layer7",inter="2s",fall=5,rise=5) -%}check observe {{ layer }} inter {{ inter }} fall {{ fall }} rise {{ rise }}{%- endmacro -%}
@@ -60,6 +65,7 @@ backend admin from {{ haproxy.config.namespace }}
 
 # Global config
 global
+  lua-prepend-path {{ haproxy.config.dir }}/mods/?.so cpath
   lua-prepend-path {{ haproxy.config.dir }}/scripts/?.lua
 {%- for file in haproxy.scripts %}
   {%- if not file.lib %}
@@ -97,11 +103,21 @@ backend per_ip_rates from {{ haproxy.config.namespace }}
 frontend http from {{ haproxy.config.namespace }}
   bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
   mode http
+
+  ## ACLs
   acl http ssl_fc,not
-  acl path_host path /host
+  acl self_host req.hdr(Host) {{ fqdn }}
-  acl path_date path /date
+  acl path_root path -m dir /
-  http-request return status 200 content-type text/html lf-string "%H\n" if path_host
+  acl path_host path -m dir /host
-  http-request return status 200 content-type text/html lf-string "%T\n" if path_date
+  acl path_date path -m dir /date
+  acl path_srchash path -m dir /srchash
+
+  ## Basic rules
+  http-request set-var(txn.srchash) src,crc32,mod(100)
+  http-request set-var(txn.httpdate) date,http_date()
+  http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
+  http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
+  http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
   http-request redirect scheme https if http
 
 # Default HTTPS frontend
@@ -110,12 +126,21 @@ frontend https from {{ haproxy.config.namespace }}
   #bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
   mode http
   option httplog
+
+  ## ACLs
   acl internal src -f {{ haproxy.config.dir }}/maps/access
   acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found req.hdr(host) -m str %H
   acl robots_txt path /robots.txt
+  acl self_host req.hdr(Host) {{ fqdn }}
+  acl path_root path /
   acl path_host path /host
   acl path_date path /date
-  acl admin req.hdr(Host) {{ salt["grains.get"]("fqdn") }}
+  acl path_srchash path /srchash
+
+  ## Basic rules
+  http-request set-var(txn.random) rand,mul(5)
+  http-request set-var(txn.httpdate) date,http_date()
+  http-request set-var(txn.srchash) src,crc32,mod(100)
   http-request set-var(req.src) src
   http-request set-var(req.host) req.hdr(Host)
   http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
@@ -131,26 +156,27 @@ frontend https from {{ haproxy.config.namespace }}
 
   ## Returns
   http-request return status 200 content-type text/plain string "User-agent: *\r\nDisallow: /" if robots_txt
-  http-request return status 200 content-type text/html lf-string "%H\n" if path_host
+  http-request return status 200 content-type text/html lf-string "%H\n" if self_host path_host
-  http-request return status 200 content-type text/html lf-string "%T\n" if path_date
+  http-request return status 200 content-type text/html lf-string "%[var(txn.httpdate)]\n" if self_host path_date
+  http-request return status 200 content-type text/html lf-string "%[var(txn.srchash)]\n" if self_host path_srchash
 
   ## Headers
   http-request set-header X-Proxy-Id "%H"
   http-request set-header X-Proto https if { ssl_fc }
 
-  http-response set-header Date "%[date,http_date()]"
+  http-response set-header Date "%[var(txn.httpdate)]"
   http-response set-header Server "{{ haproxy.config.servername }}"
-  http-response set-header X-Random "%[rand,mul(5)]"
+  http-response set-header X-Random "%[var(txn.random)]"
 
   log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
   http-request redirect location %[req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
   http-request deny deny_status 404 unless domains
 {%- if haproxy.config.admin.enable %}
-  use_backend admin if admin internal
+  use_backend admin if self_host internal path_root
 {%- endif %}
-  use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
+  use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts)]
   monitor-uri /dead_or_alive
-  default_backend nginx
+  default_backend {{ ns.default_backend }}
 
 # HTTP Backends
 {%- for name, values in haproxy.config.vhosts.items() %}

states/opendkim/config.sls

@@ -10,7 +10,7 @@ opendkim-config-dir:
 opendkim-configuration-key:
   file.managed:
     - name: {{ opendkim.config.dir }}/{{ opendkim.config.key.name }}
-    - source: salt://opendkim/key.j2
+    - source: salt://opendkim/templates/key.j2
     - user: {{ opendkim.config.user }}
     - group: {{ opendkim.config.group }}
     - mode: 600
@@ -21,7 +21,7 @@ opendkim-configuration-key:
 opendkim-trusted-hosts:
   file.managed:
     - name: {{ opendkim.config.dir }}/TrustedHosts
-    - source: salt://opendkim/TrustedHosts.j2
+    - source: salt://opendkim/templates/TrustedHosts.j2
     - user: {{ opendkim.config.user }}
     - group: {{ opendkim.config.group }}
     - mode: 644
@@ -32,7 +32,7 @@ opendkim-trusted-hosts:
 opendkim-service-defaults:
   file.managed:
     - name: {{ opendkim.config.default_file }}
-    - source: salt://opendkim/service_defaults.j2
+    - source: salt://opendkim/templates/service_defaults.j2
     - user: {{ opendkim.config.user }}
     - group: {{ opendkim.config.group }}
     - mode: 644
@@ -43,7 +43,7 @@ opendkim-service-defaults:
 opendkim-config-file:
   file.managed:
     - name: {{ opendkim.config.file }}
-    - source: salt://opendkim/opendkim.conf.j2
+    - source: salt://opendkim/templates/opendkim.conf.j2
     - user: {{ opendkim.config.user }}
     - group: {{ opendkim.config.group }}
     - mode: 644

states/opendkim/defaults.yaml

@@ -1,6 +1,9 @@
 ---
 opendkim:
   enabled: true
+  pkgs:
+    - opendkim
+    - opendkim-tools
   config:
     dir: '/etc/opendkim'
     file: '/etc/opendkim.conf'

states/opendkim/init.sls

@@ -1,5 +1,4 @@
 ---
-{%- from "opendkim/map.jinja" import opendkim with context %}
 include:
   - .install
   - .config

states/opendkim/install.sls

@@ -2,6 +2,4 @@
 {%- from "opendkim/map.jinja" import opendkim with context %}
 opendkim-pkg:
   pkg.installed:
-    - pkgs:
+    - pkgs: {{ opendkim.pkgs }}
-      - opendkim
-      - opendkim-tools

states/opendkim/templates/TrustedHosts.j2

@@ -6,4 +6,4 @@
 {%- endfor %}
 {%- for hostname in salt['pillar.get']('mail:hostnames') %}
 {{ hostname }}
-{%- endfor %}
+{%- endfor %}

states/opendkim/templates/key.j2

@@ -1,2 +1,2 @@
 {%- from "opendkim/map.jinja" import opendkim with context -%}
-{{ opendkim.config.key.content }}
+{{ opendkim.config.key.content }}

states/opendkim/templates/opendkim.conf.j2

@@ -20,4 +20,4 @@ PidFile             {{ opendkim.config.pid_file }}
 Socket              inet:{{ opendkim.config.port }}@{{ opendkim.config.host }}
 
 ReportAddress       {{ opendkim.config.notify_addr }}
-SendReports         {{ opendkim.config.notify_report }}
+SendReports         {{ opendkim.config.notify_report }}

states/opendkim/templates/service_defaults.j2

@@ -1,2 +1,2 @@
 {%- from "opendkim/map.jinja" import opendkim with context %}
-SOCKET="inet:{{ opendkim.config.port }}@{{ opendkim.config.host }}"
+SOCKET="inet:{{ opendkim.config.port }}@{{ opendkim.config.host }}"