From cc4f831357d48c4c73206cdd7b8cc4aa97ae5812 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Mon, 12 Jan 2026 12:07:07 -0700
Subject: [PATCH] Add opendkim-genkey to the './inst CA' command.
---
 README.org | 29 ++++++++++++++++++++---------
 inst | 24 ++++++++++++++++++------
 2 files changed, 38 insertions(+), 15 deletions(-)
diff --git a/README.org b/README.org
index b0c55ee..c6cc5ce 100644
--- a/README.org
+++ b/README.org
@@ -6175,9 +6175,8 @@ the appropriate names (or just to set ~EASYRSA_DN~ to ~cn_only~).
 Running ~./inst CA~ creates the new CA and keys. The command prompts for the Common Name (or several levels of Organizational names) of the certificate authority. The ~full_name~ is given: ~Small Institute
-LLC~. The CA is used to issue certificates for ~front~, ~gate~ and
-~core~, which are installed on the servers during the next ~./inst
-config~.
+LLC~. The CA is used to issue certificates for ~front~ and ~core~
+that will be installed on their servers by the next ~./inst config~.
 #+CAPTION: [[file:inst][=inst=]]
 #+BEGIN_SRC perl :tangle inst
@@ -6187,6 +6186,8 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 die "Secret/CA/easyrsa: not an executable\n" if ! -x "Secret/CA/easyrsa";
 die "Secret/CA/pki/: already exists\n" if -e "Secret/CA/pki";
+ die "gpg: command not found" if system "which -s gpg";
+ die "ssh-keygen: command not found" if system "which -s ssh-keygen";
 umask 077;
 mysystem "cd Secret/CA; ./easyrsa init-pki";
@@ -6195,9 +6196,11 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 my $dom = $domain_name;
 my $pvt = $domain_priv;
- mysystem "cd Secret/CA; ./easyrsa build-server-full $dom nopass";
- mysystem "cd Secret/CA; ./easyrsa build-server-full core.$pvt nopass";
- umask 077;
+
+ mysystem ("cd Secret/CA;", "./easyrsa build-server-full $dom nopass");
+ mysystem ("cd Secret/CA;", "./easyrsa build-server-full core.$pvt nopass");
 mysystem "mkdir --mode=700 Secret/root.gnupg";
 mysystem ("gpg --homedir Secret/root.gnupg",
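Review bot: The two new preflight checks in the @@ -6187,6 +6186,8 hunk depend on `which -s`, and `-s` is a BSD/macOS extension: neither Debian's debianutils `which` nor GNU `which` documents it, so on those systems `system "which -s gpg"` may return non-zero even when gpg is installed and the script dies with a misleading "command not found". The POSIX-portable test is `command -v`, e.g. `die "gpg: command not found\n" if system "command -v gpg >/dev/null";` and the same for ssh-keygen; the trailing `\n` also keeps these messages consistent with the two neighbouring `die` lines, which suppress Perl's "at ./inst line N" suffix. The identical two lines appear in the inst hunk at @@ -74,6 +74,8. The enclosing `if (defined $ARGV[0] && $ARGV[0] eq "CA")` block starts before this hunk and ends after it.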
@@ -6208,7 +6211,8 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 "root\@core.$pvt");
 chmod 0440, "root-pub.pem";
 mysystem ("gpg --homedir Secret/root.gnupg",
- "--export-secret-key --armor --output Secret/root-sec.pem",
+ "--export-secret-key --armor",
+ "--output Secret/root-sec.pem",
 "root\@core.$pvt");
 chmod 0400, "root-sec.pem";
@@ -6221,9 +6225,16 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 mysystem "mkdir Secret/ssh_monkey";
 chmod 0700, "Secret/ssh_monkey";
 mysystem "echo 'HashKnownHosts no' >Secret/ssh_monkey/config";
- mysystem ("ssh-keygen -q -t ed25519",
- "-C monkey\@core.$domain_priv",
+ mysystem ("ssh-keygen -q -t ed25519 -C monkey\@core.$pvt",
 "-N '' -f Secret/ssh_monkey/id_ed25519");
+
+ mysystem "mkdir --mode=700 Secret/opendkim";
+ if (system "which opendkim-genkey") {
+ warn "opendkim-genkey: command not found, skipped"
+ } else {
+ mysystem ("opendkim-genkey -D Secret/opendkim",
+ "-b 2048 -d $dom -s default -S");
+ }
 exit;
 }
 #+END_SRC
diff --git a/inst b/inst
index fc08806..7d7975e 100755
--- a/inst
+++ b/inst
@@ -74,6 +74,8 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 die "Secret/CA/easyrsa: not an executable\n" if ! -x "Secret/CA/easyrsa";
 die "Secret/CA/pki/: already exists\n" if -e "Secret/CA/pki";
+ die "gpg: command not found" if system "which -s gpg";
+ die "ssh-keygen: command not found" if system "which -s ssh-keygen";
 umask 077;
 mysystem "cd Secret/CA; ./easyrsa init-pki";
@@ -82,9 +84,11 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 my $dom = $domain_name;
 my $pvt = $domain_priv;
- mysystem "cd Secret/CA; ./easyrsa build-server-full $dom nopass";
- mysystem "cd Secret/CA; ./easyrsa build-server-full core.$pvt nopass";
- umask 077;
+
+ mysystem ("cd Secret/CA;", "./easyrsa build-server-full $dom nopass");
+ mysystem ("cd Secret/CA;", "./easyrsa build-server-full core.$pvt nopass");
 mysystem "mkdir --mode=700 Secret/root.gnupg";
 mysystem ("gpg --homedir Secret/root.gnupg",
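Review bot: In the @@ -6208,7 +6211,8 hunk, `chmod 0400, "root-sec.pem";` on the context line right after the reformatted `--output Secret/root-sec.pem` argument names a file in the current directory, not the one gpg just wrote under `Secret/`, and because Perl's `chmod` only returns a count and nothing checks it, the mismatch fails silently (the same presumably applies to `chmod 0440, "root-pub.pem"` two lines up, if that export also writes into `Secret/`; the hunk does not show a `chdir` between them). With `umask 077` in effect the exported secret key is presumably created 0600 anyway, but the intended 0400 is never applied. Since the commit already touches this statement's argument list, it is worth fixing alongside: `chmod 0400, "Secret/root-sec.pem" or die "chmod Secret/root-sec.pem: $!\n";`. The inst hunk at @@ -95,7 +99,8 has the same lines. The enclosing CA block starts and ends outside this hunk.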
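Review bot: The opendkim-genkey availability test in the @@ -6221,9 +6225,16 hunk is inconsistent with the preflight checks this commit adds earlier: `which` runs here without `-s`, so the resolved path is printed to the terminal, and the test happens after `mkdir --mode=700 Secret/opendkim` rather than up front, so a system without opendkim-genkey is left with an empty `Secret/opendkim` and, because the earlier `die "Secret/CA/pki/: already exists\n" if -e "Secret/CA/pki"` refuses a rerun, no way to add the DKIM key later short of running the command by hand. Consider the portable `if (system "command -v opendkim-genkey >/dev/null")`, performing the test before the mkdir (or with the gpg/ssh-keygen checks as a `die`), and either giving the `warn` a trailing `\n` or saying in the message how to generate the key afterwards. A one-line comment such as `# DKIM signing key for $dom, selector "default"` would also help, since the README paragraph changed at the top of this commit still describes `./inst CA` as only creating the CA and server certificates. The inst hunk at @@ -108,9 +113,16 is identical.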
@@ -95,7 +99,8 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 "root\@core.$pvt");
 chmod 0440, "root-pub.pem";
 mysystem ("gpg --homedir Secret/root.gnupg",
- "--export-secret-key --armor --output Secret/root-sec.pem",
+ "--export-secret-key --armor",
+ "--output Secret/root-sec.pem",
 "root\@core.$pvt");
 chmod 0400, "root-sec.pem";
@@ -108,9 +113,16 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 mysystem "mkdir Secret/ssh_monkey";
 chmod 0700, "Secret/ssh_monkey";
 mysystem "echo 'HashKnownHosts no' >Secret/ssh_monkey/config";
- mysystem ("ssh-keygen -q -t ed25519",
- "-C monkey\@core.$domain_priv",
+ mysystem ("ssh-keygen -q -t ed25519 -C monkey\@core.$pvt",
 "-N '' -f Secret/ssh_monkey/id_ed25519");
+
+ mysystem "mkdir --mode=700 Secret/opendkim";
+ if (system "which opendkim-genkey") {
+ warn "opendkim-genkey: command not found, skipped"
+ } else {
+ mysystem ("opendkim-genkey -D Secret/opendkim",
+ "-b 2048 -d $dom -s default -S");
+ }
 exit;
 }
-- 
2.47.3