debops.opendkim default variables

APT packages, application version

opendkim__base_packages

List of APT packages to install for OpenDKIM support.

opendkim__base_packages: [ 'opendkim', 'opendkim-tools' ]

opendkim__packages

List of additional APT packages to install with OpenDKIM.

opendkim__packages: []

opendkim__version

The version of the installed OpenDKIM service, gathered automatically by Ansible local facts.

opendkim__version: '{{ ansible_local.opendkim.version | d("0.0.0") }}'

Application environment, Postfix support

opendkim__user

The UNIX system account used by the OpenDKIM service.

opendkim__user: 'opendkim'

opendkim__group

The UNIX system group used by the OpenDKIM service.

opendkim__group: 'opendkim'

opendkim__postfix_integration

Enable or disable integration with the Postfix SMTP server. See Postfix integration for more details.

opendkim__postfix_integration: '{{ ansible_local.postfix.installed
                                   if (ansible_local | d() and ansible_local.postfix | d() and
                                       ansible_local.postfix.installed is defined)
                                   else False }}'

opendkim__postfix_group

Name of the UNIX system group used by the Postfix SMTP server. This variable is used to create the OpenDKIM socket directory with correct access permissions for Postfix.

opendkim__postfix_group: '{{ ansible_local.postfix.system_group | d("postfix") }}'

opendkim__pidfile

Path to the PID file used by OpenDKIM.

opendkim__pidfile: '/var/run/opendkim/opendkim.pid'

opendkim__socket

Path to the UNIX socket used by OpenDKIM.

opendkim__socket: '{{ "/var/spool/postfix/opendkim/opendkim.sock"
                      if opendkim__postfix_integration | bool
                      else "/var/run/opendkim/opendkim.sock" }}'

opendkim__domain

The main DNS domain used in the OpenDKIM configuration.

opendkim__domain: '{{ ansible_domain }}'

opendkim__fqdn

The Fully Qualified Domain Name of the current host used in the OpenDKIM configuration.

opendkim__fqdn: '{{ ansible_fqdn }}'

opendkim__dkimkeys_path

Directory where DomainKeys are stored on the remote host.

opendkim__dkimkeys_path: '/etc/dkimkeys'

opendkim__default_key_size

The default size of the RSA DomainKeys generated by the role.

opendkim__default_key_size: '2048'

DomainKeys configuration

These variables configure the DomainKeys used by OpenDKIM. See opendkim__keys for more details.

opendkim__default_keys

The list of default DomainKeys configured by the role.

opendkim__default_keys:

  - name: 'mail'

opendkim__keys

List of DomainKeys which should be present on all hosts in the Ansible inventory.

opendkim__keys: []

opendkim__group_keys

List of DomainKeys which should be present on hosts in a specific Ansible inventory group.

opendkim__group_keys: []

opendkim__host_keys

List of DomainKeys which should be present on specific hosts in the Ansible inventory.

opendkim__host_keys: []

opendkim__combined_keys

This list combines the other DomainKey lists and is used in the Ansible tasks.

opendkim__combined_keys: '{{ opendkim__default_keys
                             + opendkim__keys
                             + opendkim__group_keys
                             + opendkim__host_keys }}'

DKIM Signing Table

These variables configure the OpenDKIM Signing Table, which specifies what messages should be signed by which DomainKeys. See opendkim__signing_table for more details.

opendkim__default_signing_table

List of default signing table entries defined by the role.

opendkim__default_signing_table:

  - name: 'mail'
    from: '{{ opendkim__domain }}'
    domain: '{{ opendkim__domain }}'
    subdomains: True

opendkim__signing_table

List of signing table entries which should be present on all hosts in the Ansible inventory.

opendkim__signing_table: []

opendkim__group_signing_table

List of signing table entries which should be present on hosts in a specific Ansible inventory group.

opendkim__group_signing_table: []

opendkim__host_signing_table

List of signing table entries which should be present on specific hosts in the Ansible inventory.

opendkim__host_signing_table: []

opendkim__combined_signing_table

The variable that combines all of the signing table list variables and is used in the configuration template.

opendkim__combined_signing_table: '{{ opendkim__default_signing_table
                                      + opendkim__signing_table
                                      + opendkim__group_signing_table
                                      + opendkim__host_signing_table }}'

Trusted hosts

These variables define lists of "trusted hosts" which will be used in the InternalHosts and ExternalIgnoreList configuration options. See opendkim__trusted_hosts for more details.

opendkim__default_trusted_hosts

The default list of trusted hosts defined by the role.

opendkim__default_trusted_hosts:
  - '127.0.0.1'
  - '::1'
  - 'localhost'
  - '{{ opendkim__fqdn }}'

opendkim__trusted_hosts

The list of trusted hosts which should be defined on all hosts in the Ansible inventory.

opendkim__trusted_hosts: []

opendkim__group_trusted_hosts

The list of trusted hosts which should be defined on hosts in a specific Ansible inventory group.

opendkim__group_trusted_hosts: []

opendkim__host_trusted_hosts

The list of trusted hosts which should be defined on specific hosts in the Ansible inventory.

opendkim__host_trusted_hosts: []

opendkim__combined_trusted_hosts

The variable that combines all of the trusted host lists and passes them to the configuration template.

opendkim__combined_trusted_hosts: '{{ opendkim__default_trusted_hosts
                                      + opendkim__trusted_hosts
                                      + opendkim__group_trusted_hosts
                                      + opendkim__host_trusted_hosts }}'
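
An added example, not part of the debops.opendkim role: the combined list feeds InternalHosts, so mail arriving from any listed host is signed rather than verified, and it is worth auditing what the four lists add up to. The host name, addresses and prefix thresholds below are constructed assumptions.

```python
import ipaddress

# Role default from this page, with opendkim__fqdn already expanded to a
# constructed host name.
DEFAULT_TRUSTED = ["127.0.0.1", "::1", "localhost", "mail.example.org"]

# Assumed policy thresholds (not role settings): the shortest network prefix
# accepted without review, per IP version.
MIN_PREFIX = {4: 24, 6: 64}


def combine(default, all_hosts=(), group=(), host=()):
    """Concatenate in the same order as opendkim__combined_trusted_hosts."""
    return list(default) + list(all_hosts) + list(group) + list(host)


def audit_trusted_hosts(entries):
    """Return (entry, reason) pairs for entries that deserve a review."""
    findings = []
    seen = set()
    for entry in entries:
        if entry in seen:
            findings.append((entry, "duplicate entry"))
            continue
        seen.add(entry)
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an IP address or CIDR block: a host or domain name.
            if entry.startswith("."):
                findings.append((entry, "whole domain trusted by name"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            limit = MIN_PREFIX[net.version]
            findings.append((entry, f"network wider than /{limit}"))
    return findings


# Constructed inventory values for the all/group/host level variables.
combined = combine(
    DEFAULT_TRUSTED,
    all_hosts=["192.0.2.10"],
    group=["10.0.0.0/8", ".example.org"],
    host=["192.0.2.10", "2001:db8::/32"],
)

if __name__ == "__main__":
    for entry, reason in audit_trusted_hosts(combined):
        print(f"{entry}: {reason}")
```
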

OpenDKIM main configuration

These variables define the contents of the /etc/opendkim.conf configuration file. See Default variable details: opendkim__config for more details.

opendkim__original_config

The configuration set by default by the Debian package after installation.

opendkim__original_config:

  - name: 'config-header'
    comment: |
      This is a basic configuration that can easily be adapted to suit a standard
      installation. For more advanced options, see opendkim.conf(5) and/or
      /usr/share/doc/opendkim/examples/opendkim.conf.sample.
    state: 'hidden'

  - name: 'Syslog'
    comment: 'Log to syslog'
    value: True

  - name: 'UMask'
    comment: |
      Required to use local socket with MTAs that access the socket as a non-
      privileged user (e. g. Postfix)
    value: '002'

  - name: 'Domain'
    comment: |
      Sign for example.com with key in /etc/mail/dkim.key using
      selector '2007' (e. g. 2007._domainkey.example.com)
    value: 'example.com'
    state: 'comment'

  - name: 'KeyFile'
    value: '/etc/mail/dkim.key'
    state: 'comment'

  - name: 'Selector'
    value: '2007'
    state: 'comment'

  - name: 'Canonicalization'
    comment: 'Commonly-used options; the commented-out versions show the defaults.'
    value: 'simple'
    state: 'comment'

  - name: 'Mode'
    value: 'sv'
    state: 'comment'

  - name: 'Subdomains'
    value: False
    state: 'comment'

  - name: 'OversignHeaders'
    comment: |
      Always oversign From (sign using actual From and a null From to prevent
      malicious signatures header fields (From and/or others) between the signer
      and the verifier.  From is oversigned by default in the Debian package
      because it is often the identity key used by reputation systems and thus
      somewhat security sensitive.
    value: [ 'From' ]

  - name: 'ResolverConfiguration'
    comment: |
      ResolverConfiguration filename
          default (none)

      Specifies a configuration file to be passed to the Unbound library that
      performs DNS queries applying the DNSSEC protocol.  See the Unbound
      documentation at https://unbound.net/ for the expected content of this file.
      The results of using this and the TrustAnchorFile setting at the same
      time are undefined.
      In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
      unbound package
    value: '/etc/unbound/unbound.conf'
    state: 'comment'

  - name: 'TrustAnchorFile'
    comment: |
      TrustAnchorFile filename
          default (none)

      Specifies a file from which trust anchor data should be read when doing
      DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
      at https://unbound.net/ for the expected format of this file.
    value: '/usr/share/dns/root.key'

opendkim__default_config

The OpenDKIM configuration defined by the debops.opendkim Ansible role.

opendkim__default_config:

  - name: 'ResolverConfiguration'
    state: '{{ "present"
               if (ansible_local | d() and ansible_local.unbound | d() and
                   (ansible_local.unbound.installed | d()) | bool)
               else "ignore" }}'

  - name: 'TrustAnchorFile'
    state: '{{ "absent"
               if (ansible_local | d() and ansible_local.unbound | d() and
                   (ansible_local.unbound.installed | d()) | bool)
               else "ignore" }}'

  - name: 'Socket'
    comment: 'Listen for connections in the Postfix chroot'
    value: 'local:{{ opendkim__socket }}'
    state: '{{ "present" if opendkim__postfix_integration | bool else "ignore" }}'

  - name: 'UserID'
    comment: 'Required by the systemd opendkim.service unit'
    value: '{{ opendkim__user + ":" + opendkim__group }}'

  - name: 'PidFile'
    comment: 'Required by the systemd opendkim.service unit'
    value: '/run/opendkim/opendkim.pid'

  - name: 'KeyTable'
    value: '{{ opendkim__dkimkeys_path + "/KeyTable" }}'
    copy_id_from: 'Selector'
    weight: 1

  - name: 'SigningTable'
    value: '{{ opendkim__dkimkeys_path + "/SigningTable" }}'
    copy_id_from: 'KeyTable'
    weight: 2

  - name: 'InternalHosts'
    value: '{{ opendkim__dkimkeys_path + "/TrustedHosts" }}'
    copy_id_from: 'KeyTable'
    weight: 3

  - name: 'ExternalIgnoreList'
    value: '{{ opendkim__dkimkeys_path + "/TrustedHosts" }}'
    copy_id_from: 'KeyTable'
    weight: 4

opendkim__config

The configuration which should be set on all hosts in the Ansible inventory.

opendkim__config: []

opendkim__group_config

The configuration which should be set on hosts in a specific Ansible inventory group.

opendkim__group_config: []

opendkim__host_config

The configuration which should be set on specific hosts in the Ansible inventory.

opendkim__host_config: []

opendkim__combined_config

The combined OpenDKIM configuration passed to the config file template.

opendkim__combined_config: '{{ opendkim__original_config
                               + opendkim__default_config
                               + opendkim__config
                               + opendkim__group_config
                               + opendkim__host_config }}'

Configuration for other Ansible roles

opendkim__postfix__dependent_maincf

The main.cf configuration for the debops.postfix Ansible role.

opendkim__postfix__dependent_maincf:

  - name: 'smtpd_milters'
    value:
      - name: 'unix:/opendkim/opendkim.sock'
        weight: -300
    state: 'present'

  - name: 'non_smtpd_milters'
    value:
      - name: 'unix:/opendkim/opendkim.sock'
        weight: -300
    state: 'present'