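---
# Per-domain OpenDKIM key provisioning. Expects `domain` to be set by the
# caller. A date-based selector is generated once per domain and persisted in
# /etc/opendkim/{{ domain }}_selector.txt so re-runs reuse the same key.

- name: "Directory for opendkim keys for {{ domain }} present"
  file:
    path: "/etc/opendkim/keys/{{ domain }}"
    state: directory
    owner: opendkim
    group: opendkim
    # Quoted so no YAML parser reinterprets the octal literal as a decimal int
    mode: "0700"
  tags:
    - email

- name: "OpenDKIM selector present for {{ domain }}"
  # `creates` makes this a one-shot: once the selector file exists the date is
  # never regenerated, which keeps the key pair stable across runs.
  # `domain` is interpolated into a shell command line, hence `quote`.
  shell: "date +%Y%m%d > /etc/opendkim/{{ domain | quote }}_selector.txt"
  args:
    executable: /bin/bash
    creates: "/etc/opendkim/{{ domain }}_selector.txt"
  tags:
    - email

- name: "OpenDKIM selector selector read for {{ domain }}"
  slurp:
    src: "/etc/opendkim/{{ domain }}_selector.txt"
  register: selector_b64encoded
  tags:
    - email

- name: "Set a fact for the selector for {{ domain }}"
  set_fact:
    # slurp returns base64; `trim` strips the newline that `date` wrote
    selector: "{{ selector_b64encoded['content'] | b64decode | trim }}"
  tags:
    - email

- name: "Keys for {{ domain }} present"
  # `command` (not `shell`): arguments are passed directly, no shell expansion.
  # `creates` guards the private key so an existing key is never overwritten.
  command: "opendkim-genkey -b 2048 -h sha256 -s {{ selector }} -d {{ domain }} -D /etc/opendkim/keys/{{ domain }}"
  args:
    creates: "/etc/opendkim/keys/{{ domain }}/{{ selector }}.private"
  tags:
    - email

- name: "SPF record added to /etc/opendkim/keys/{{ domain }}/{{ selector }}.txt"
  # Appends a suggested SPF record to the DNS hint file opendkim-genkey wrote.
  # NOTE(review): `include:{{ domain }}` references the record's own domain,
  # which `a mx` already covers and which makes the policy self-referential --
  # confirm this is intended before publishing.
  lineinfile:
    path: "/etc/opendkim/keys/{{ domain }}/{{ selector }}.txt"
    line: '{{ domain }}. IN TXT "v=spf1 a mx include:{{ domain }} ~all"'
    state: present
  tags:
    - email

- name: "OpenDKIM private key for {{ domain }} owned and only readable by opendkim user"
  file:
    path: "/etc/opendkim/keys/{{ domain }}/{{ selector }}.private"
    owner: opendkim
    group: opendkim
    mode: "0600"
  tags:
    - email

- name: "OpenDKIM key check for {{ domain }}"
  # Checks the published DNS record against the private key. The `|| echo`
  # fallback keeps the task from failing on a non-zero exit so the result can
  # drive the tasks below; the gate relies on opendkim-testkey printing
  # `key OK` to stdout -- confirm against the installed version.
  shell: "opendkim-testkey -d {{ domain | quote }} -s {{ selector | quote }} -k {{ selector | quote }}.private -vvv || echo 'key FAIL'"
  args:
    chdir: "/etc/opendkim/keys/{{ domain }}"
  # Run even in --check so the conditionals below have data; never reports changed
  check_mode: false
  register: opendkim_check
  changed_when: false
  tags:
    - email

- name: "DNS configuration needed for {{ domain }}"
  debug:
    msg: "Please add the DNS record from /etc/opendkim/keys/{{ domain }}/{{ selector }}.txt"
  when: '"key OK" not in opendkim_check.stdout'
  tags:
    - email

- name: "OpenDKIM key check passed so {{ domain }} added to new KeyTable and SigningTable files"
  # Only domains whose DKIM record resolves are written to the staged
  # KeyTable.new / SigningTable.new files; activating them is not done here.
  block:
    - name: "KeyTable for {{ domain }} {{ opendkim_check.stdout }}"
      lineinfile:
        path: /etc/opendkim/KeyTable.new
        line: "{{ selector }}._domainkey.{{ domain }} {{ domain }}:{{ selector }}:/etc/opendkim/keys/{{ domain }}/{{ selector }}.private"
        # `regex_escape` keeps the dots in the domain literal so the match
        # cannot hit a different domain; an existing entry for this
        # domain/selector is replaced rather than duplicated
        regexp: "\\._domainkey\\.{{ domain | regex_escape }} {{ domain | regex_escape }}:{{ selector }}:"
        state: present
        create: true
      tags:
        - email

    - name: "SigningTable for {{ domain }} {{ opendkim_check.stdout }}"
      lineinfile:
        path: /etc/opendkim/SigningTable.new
        line: "*@{{ domain }} {{ selector }}._domainkey.{{ domain }}"
        # Anchored on the domain so a rotated selector updates the existing line
        regexp: "^\\*@{{ domain | regex_escape }} "
        state: present
        create: true
      tags:
        - email
  when: '"key OK" in opendkim_check.stdout'
...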