#!/bin/bash

# Core defaults.
: "${OPENDKIM_USER:=opendkim}"
: "${OPENDKIM_GROUP:=opendkim}"
: "${OPENDKIM_USERID:=${OPENDKIM_USER}:${OPENDKIM_GROUP}}"
: "${OPENDKIM_SOCKET:=inet:8892@0.0.0.0}"

# Signing defaults.
: "${OPENDKIM_DOMAIN:=*}"
: "${OPENDKIM_SELECTOR:=dkim}"
: "${OPENDKIM_KEYFILE:=/opt/opendkim/keys/dkim.private}"
: "${OPENDKIM_CANONICALIZATION:=relaxed/simple}"
: "${OPENDKIM_MODE:=sv}"
: "${OPENDKIM_SUBDOMAINS:=true}"
: "${OPENDKIM_OVERSIGNHEADERS:=From}"

# DNS / trust defaults.
: "${OPENDKIM_TRUSTANCHORFILE:=}"
: "${OPENDKIM_INTERNALHOSTS:=127.0.0.1,localhost,127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8}"
: "${OPENDKIM_EXTERNALIGNORELIST:=}"

# Table files.
: "${OPENDKIM_KEYTABLE:=/etc/opendkim/KeyTable}"
: "${OPENDKIM_SIGNINGTABLE:=refile:/etc/opendkim/SigningTable}"
: "${OPENDKIM_PIDFILE:=/run/opendkim/opendkim.pid}"

# Behavior.
: "${OPENDKIM_UMASK:=002}"
: "${OPENDKIM_BACKGROUND:=no}"
: "${OPENDKIM_AUTO_RESTART:=no}"
: "${OPENDKIM_AUTO_RESTART_RATE:=10/1h}"
: "${OPENDKIM_DNS_TIMEOUT:=5}"
: "${OPENDKIM_SIGNATURE_ALGORITHM:=rsa-sha256}"

# Optional extras.
: "${OPENDKIM_REQUIRE_SAFE_KEYS:=yes}"
: "${OPENDKIM_REMOVE_OLD_SIGNATURES:=no}"
: "${OPENDKIM_LOGRESULTS:=yes}"
: "${OPENDKIM_MILTER_DEBUG:=6}"
: "${OPENDKIM_NAMESERVERS:=}"

mkdir -p \
  /etc/opendkim \
  /run/opendkim \
  /var/lib/opendkim \
  /var/opendkim

touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable

chown -R "${OPENDKIM_USER}:${OPENDKIM_GROUP}" /run/opendkim /var/lib/opendkim /var/opendkim
chmod 0755 /run/opendkim /var/lib/opendkim /var/opendkim

# Copy private key to runtime location with safe permissions.
if [ -f "${OPENDKIM_KEYFILE}" ]; then
  cp "${OPENDKIM_KEYFILE}" /var/opendkim/dkim.private
  chown "${OPENDKIM_USER}:${OPENDKIM_GROUP}" /var/opendkim/dkim.private
  chmod 0600 /var/opendkim/dkim.private
fi

# Generate KeyTable from env if file is empty.
if [ ! -s /etc/opendkim/KeyTable ]; then
  printf '%s._domainkey.%s %s:%s:/var/opendkim/dkim.private\n' \
    "${OPENDKIM_SELECTOR}" \
    "${OPENDKIM_DOMAIN}" \
    "${OPENDKIM_DOMAIN}" \
    "${OPENDKIM_SELECTOR}" \
    > /etc/opendkim/KeyTable
fi

# Generate SigningTable from env if file is empty.
if [ ! -s /etc/opendkim/SigningTable ]; then
  printf '*@%s %s._domainkey.%s\n' \
    "${OPENDKIM_DOMAIN}" \
    "${OPENDKIM_SELECTOR}" \
    "${OPENDKIM_DOMAIN}" \
    > /etc/opendkim/SigningTable
fi

chown "${OPENDKIM_USER}:${OPENDKIM_GROUP}" /etc/opendkim/TrustedHosts /etc/opendkim/KeyTable /etc/opendkim/SigningTable

cat > /etc/opendkim.conf <<EOF
Syslog                  yes
LogWhy                  yes
UMask                   ${OPENDKIM_UMASK}
Canonicalization        ${OPENDKIM_CANONICALIZATION}
Mode                    ${OPENDKIM_MODE}
SubDomains              ${OPENDKIM_SUBDOMAINS}
OversignHeaders         ${OPENDKIM_OVERSIGNHEADERS}
UserID                  ${OPENDKIM_USERID}
Socket                  ${OPENDKIM_SOCKET}
PidFile                 ${OPENDKIM_PIDFILE}
KeyTable                ${OPENDKIM_KEYTABLE}
SigningTable            ${OPENDKIM_SIGNINGTABLE}
InternalHosts           ${OPENDKIM_INTERNALHOSTS}
AutoRestart             ${OPENDKIM_AUTO_RESTART}
AutoRestartRate         ${OPENDKIM_AUTO_RESTART_RATE}
DNSTimeout              ${OPENDKIM_DNS_TIMEOUT}
SignatureAlgorithm      ${OPENDKIM_SIGNATURE_ALGORITHM}
RequireSafeKeys         ${OPENDKIM_REQUIRE_SAFE_KEYS}
RemoveOldSignatures     ${OPENDKIM_REMOVE_OLD_SIGNATURES}
MilterDebug             ${OPENDKIM_MILTER_DEBUG}
EOF

if [ -n "${OPENDKIM_TRUSTANCHORFILE}" ] && [ -f "${OPENDKIM_TRUSTANCHORFILE}" ]; then
  echo "TrustAnchorFile         ${OPENDKIM_TRUSTANCHORFILE}" >> /etc/opendkim.conf
fi

if [ -n "${OPENDKIM_EXTERNALIGNORELIST}" ] && [ -f "${OPENDKIM_EXTERNALIGNORELIST}" ]; then
  echo "ExternalIgnoreList      ${OPENDKIM_EXTERNALIGNORELIST}" >> /etc/opendkim.conf
fi

if [ "${OPENDKIM_LOGRESULTS}" = "yes" ]; then
  echo "SoftwareHeader          yes" >> /etc/opendkim.conf
fi

if [ -n "${OPENDKIM_NAMESERVERS}" ]; then
  echo "Nameservers             ${OPENDKIM_NAMESERVERS}" >> /etc/opendkim.conf
fi

./usr/sbin/opendkim -x /etc/opendkim.conf
syslogd -n -f /etc/rsyslog.d/stdout.conf