debops.opendkim default variables
APT packages, application version
- opendkim__base_packages
List of APT packages to install for OpenDKIM support.
opendkim__base_packages: [ 'opendkim', 'opendkim-tools' ]
- opendkim__packages
List of additional APT packages to install with OpenDKIM.
opendkim__packages: []
- opendkim__version
The version of the installed OpenDKIM service, gathered automatically by Ansible local facts.
opendkim__version: '{{ ansible_local.opendkim.version | d("0.0.0") }}'
Application environment, Postfix support
- opendkim__user
The UNIX system account used by the OpenDKIM service.
opendkim__user: 'opendkim'
- opendkim__group
The UNIX system group used by the OpenDKIM service.
opendkim__group: 'opendkim'
- opendkim__postfix_integration
Enable or disable integration with the Postfix SMTP server. See Postfix integration for more details.
opendkim__postfix_integration: '{{ ansible_local.postfix.installed
                                   if (ansible_local | d() and ansible_local.postfix | d() and
                                       ansible_local.postfix.installed is defined)
                                   else False }}'
- opendkim__postfix_group
Name of the UNIX system group used by the Postfix SMTP server. This variable is used to create the OpenDKIM socket directory with correct access permissions for Postfix.
opendkim__postfix_group: '{{ ansible_local.postfix.system_group | d("postfix") }}'
- opendkim__pidfile
Path to the PID file used by OpenDKIM.
opendkim__pidfile: '/var/run/opendkim/opendkim.pid'
- opendkim__socket
Path to the UNIX socket used by OpenDKIM.
opendkim__socket: '{{ "/var/spool/postfix/opendkim/opendkim.sock"
                      if opendkim__postfix_integration | bool
                      else "/var/run/opendkim/opendkim.sock" }}'
- opendkim__domain
The main DNS domain used in the OpenDKIM configuration.
opendkim__domain: '{{ ansible_domain }}'
- opendkim__fqdn
The Fully Qualified Domain Name of the current host used in the OpenDKIM configuration.
opendkim__fqdn: '{{ ansible_fqdn }}'
- opendkim__dkimkeys_path
Directory where DomainKeys are stored on the remote host.
opendkim__dkimkeys_path: '/etc/dkimkeys'
- opendkim__default_key_size
The default size of the RSA DomainKeys generated by the role.
opendkim__default_key_size: '2048'
DomainKeys configuration
These variables configure the DomainKeys used by OpenDKIM. See opendkim__keys for more details.
- opendkim__default_keys
The list of default DomainKeys configured by the role.
opendkim__default_keys:
- name: 'mail'
- opendkim__keys
List of DomainKeys which should be present on all hosts in the Ansible inventory.
opendkim__keys: []
- opendkim__group_keys
List of DomainKeys which should be present on hosts in a specific Ansible inventory group.
opendkim__group_keys: []
- opendkim__host_keys
List of DomainKeys which should be present on specific hosts in the Ansible inventory.
opendkim__host_keys: []
- opendkim__combined_keys
This list combines the other DomainKey lists and is used in the Ansible tasks.
opendkim__combined_keys: '{{ opendkim__default_keys
                             + opendkim__keys
                             + opendkim__group_keys
                             + opendkim__host_keys }}'
DKIM Signing Table
These variables configure the OpenDKIM Signing Table, which specifies what messages should be signed by which DomainKeys. See opendkim__signing_table for more details.
- opendkim__default_signing_table
List of default signing table entries defined by the role.
opendkim__default_signing_table:
  - name: 'mail'
    from: '{{ opendkim__domain }}'
    domain: '{{ opendkim__domain }}'
    subdomains: True
- opendkim__signing_table
List of signing table entries which should be present on all hosts in the Ansible inventory.
opendkim__signing_table: []
- opendkim__group_signing_table
List of signing table entries which should be present on hosts in a specific Ansible inventory group.
opendkim__group_signing_table: []
- opendkim__host_signing_table
List of signing table entries which should be present on specific hosts in the Ansible inventory.
opendkim__host_signing_table: []
- opendkim__combined_signing_table
The variable that combines all of the signing table list variables and is used in the configuration template.
opendkim__combined_signing_table: '{{ opendkim__default_signing_table
                                      + opendkim__signing_table
                                      + opendkim__group_signing_table
                                      + opendkim__host_signing_table }}'
Trusted hosts
These variables define lists of "trusted hosts" which will be used in the InternalHosts and ExternalIgnoreList configuration options. See opendkim__trusted_hosts for more details.
- opendkim__default_trusted_hosts
The default list of trusted hosts defined by the role.
opendkim__default_trusted_hosts:
- '127.0.0.1'
- '::1'
- 'localhost'
- '{{ opendkim__fqdn }}'
- opendkim__trusted_hosts
The list of trusted hosts which should be defined on all hosts in the Ansible inventory.
opendkim__trusted_hosts: []
- opendkim__group_trusted_hosts
The list of trusted hosts which should be defined on hosts in a specific Ansible inventory group.
opendkim__group_trusted_hosts: []
- opendkim__host_trusted_hosts
The list of trusted hosts which should be defined on specific hosts in the Ansible inventory.
opendkim__host_trusted_hosts: []
- opendkim__combined_trusted_hosts
The variable that combines all of the trusted host lists and passes them to the configuration template.
opendkim__combined_trusted_hosts: '{{ opendkim__default_trusted_hosts
                                      + opendkim__trusted_hosts
                                      + opendkim__group_trusted_hosts
                                      + opendkim__host_trusted_hosts }}'
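The combined list feeds both InternalHosts and ExternalIgnoreList, and OpenDKIM signs mail from InternalHosts clients instead of verifying it, so each entry widens who can get mail signed. The following added example (not part of the debops.opendkim role) audits such a list for broad entries. The function name, prefix thresholds and sample entries are assumptions; the entry syntax (CIDR blocks, a leading "." for domains, a leading "!" for negation) follows opendkim.conf(5).

```python
import ipaddress

# Assumed review thresholds (not from the role): flag prefixes shorter than these.
MIN_PREFIX = {4: 24, 6: 64}


def audit_trusted_hosts(entries):
    """Return (entry, reason) pairs for entries that trust more than one host or LAN."""
    findings = []
    for raw in entries:
        entry = str(raw).strip()
        if not entry or entry.startswith(("#", "!")):
            continue  # comments, and negated entries that only narrow the set
        if entry.startswith("."):
            findings.append((entry, "domain suffix trusts every host under it"))
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a single hostname such as 'localhost'
        limit = MIN_PREFIX[net.version]
        if net.prefixlen < limit:
            findings.append((entry, f"/{net.prefixlen} is broader than /{limit}"))
    return findings


# The role's defaults, with a constructed FQDN standing in for opendkim__fqdn.
ROLE_DEFAULTS = ["127.0.0.1", "::1", "localhost", "mail.example.org"]

# Constructed inventory additions (documentation and private ranges only).
SAMPLE_EXTRA = ["192.0.2.0/24", "10.0.0.0/8", ".example.org",
                "!10.0.0.5", "2001:db8::/32"]

if __name__ == "__main__":
    for entry, reason in audit_trusted_hosts(ROLE_DEFAULTS + SAMPLE_EXTRA):
        print(f"{entry}: {reason}")
```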
OpenDKIM main configuration
These variables define the contents of the /etc/opendkim.conf configuration file. See Default variable details: opendkim__config for more details.
- opendkim__original_config
The configuration set by default by the Debian package after installation.
opendkim__original_config:
  - name: 'config-header'
    comment: |
      This is a basic configuration that can easily be adapted to suit a standard
      installation. For more advanced options, see opendkim.conf(5) and/or
      /usr/share/doc/opendkim/examples/opendkim.conf.sample.
    state: 'hidden'
  - name: 'Syslog'
    comment: 'Log to syslog'
    value: True
  - name: 'UMask'
    comment: |
      Required to use local socket with MTAs that access the socket as a non-
      privileged user (e. g. Postfix)
    value: '002'
  - name: 'Domain'
    comment: |
      Sign for example.com with key in /etc/mail/dkim.key using
      selector '2007' (e. g. 2007._domainkey.example.com)
    value: 'example.com'
    state: 'comment'
  - name: 'KeyFile'
    value: '/etc/mail/dkim.key'
    state: 'comment'
  - name: 'Selector'
    value: '2007'
    state: 'comment'
  - name: 'Canonicalization'
    comment: 'Commonly-used options; the commented-out versions show the defaults.'
    value: 'simple'
    state: 'comment'
  - name: 'Mode'
    value: 'sv'
    state: 'comment'
  - name: 'Subdomains'
    value: False
    state: 'comment'
  - name: 'OversignHeaders'
    comment: |
      Always oversign From (sign using actual From and a null From to prevent
      malicious signatures header fields (From and/or others) between the signer
      and the verifier. From is oversigned by default in the Debian package
      because it is often the identity key used by reputation systems and thus
      somewhat security sensitive.
    value: [ 'From' ]
  - name: 'ResolverConfiguration'
    comment: |
      ResolverConfiguration filename
      default (none)
      Specifies a configuration file to be passed to the Unbound library that
      performs DNS queries applying the DNSSEC protocol. See the Unbound
      documentation at https://unbound.net/ for the expected content of this file.
      The results of using this and the TrustAnchorFile setting at the same
      time are undefined.
      In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
      unbound package
    value: '/etc/unbound/unbound.conf'
    state: 'comment'
  - name: 'TrustAnchorFile'
    comment: |
      TrustAnchorFile filename
      default (none)
      Specifies a file from which trust anchor data should be read when doing
      DNS queries and applying the DNSSEC protocol. See the Unbound documentation
      at https://unbound.net/ for the expected format of this file.
    value: '/usr/share/dns/root.key'
- opendkim__default_config
The OpenDKIM configuration defined by the debops.opendkim Ansible role.
opendkim__default_config:
  - name: 'ResolverConfiguration'
    state: '{{ "present"
               if (ansible_local | d() and ansible_local.unbound | d() and
                   (ansible_local.unbound.installed | d()) | bool)
               else "ignore" }}'
  - name: 'TrustAnchorFile'
    state: '{{ "absent"
               if (ansible_local | d() and ansible_local.unbound | d() and
                   (ansible_local.unbound.installed | d()) | bool)
               else "ignore" }}'
  - name: 'Socket'
    comment: 'Listen for connections in the Postfix chroot'
    value: 'local:{{ opendkim__socket }}'
    state: '{{ "present" if opendkim__postfix_integration | bool else "ignore" }}'
  - name: 'UserID'
    comment: 'Required by the systemd opendkim.service unit'
    value: '{{ opendkim__user + ":" + opendkim__group }}'
  - name: 'PidFile'
    comment: 'Required by the systemd opendkim.service unit'
    value: '/run/opendkim/opendkim.pid'
  - name: 'KeyTable'
    value: '{{ opendkim__dkimkeys_path + "/KeyTable" }}'
    copy_id_from: 'Selector'
    weight: 1
  - name: 'SigningTable'
    value: '{{ opendkim__dkimkeys_path + "/SigningTable" }}'
    copy_id_from: 'KeyTable'
    weight: 2
  - name: 'InternalHosts'
    value: '{{ opendkim__dkimkeys_path + "/TrustedHosts" }}'
    copy_id_from: 'KeyTable'
    weight: 3
  - name: 'ExternalIgnoreList'
    value: '{{ opendkim__dkimkeys_path + "/TrustedHosts" }}'
    copy_id_from: 'KeyTable'
    weight: 4
- opendkim__config
The configuration which should be set on all hosts in the Ansible inventory.
opendkim__config: []
- opendkim__group_config
The configuration which should be set on hosts in a specific Ansible inventory group.
opendkim__group_config: []
- opendkim__host_config
The configuration which should be set on specific hosts in the Ansible inventory.
opendkim__host_config: []
- opendkim__combined_config
The combined OpenDKIM configuration passed to the config file template.
opendkim__combined_config: '{{ opendkim__original_config
                               + opendkim__default_config
                               + opendkim__config
                               + opendkim__group_config
                               + opendkim__host_config }}'
Configuration for other Ansible roles
- opendkim__postfix__dependent_maincf
The main.cf configuration for the debops.postfix Ansible role.
opendkim__postfix__dependent_maincf:
- name: 'smtpd_milters'
value:
- name: 'unix:/opendkim/opendkim.sock'
weight: -300
state: 'present'
- name: 'non_smtpd_milters'
value:
- name: 'unix:/opendkim/opendkim.sock'
weight: -300
state: 'present'