debops.opendkim default variables
APT packages, application version

opendkim__base_packages
List of APT packages to install for OpenDKIM support.
opendkim__base_packages: [ 'opendkim', 'opendkim-tools' ]

opendkim__packages
List of additional APT packages to install with OpenDKIM.
opendkim__packages: []

opendkim__version
The version of the installed OpenDKIM service, gathered automatically by Ansible local facts.
opendkim__version: '{{ ansible_local.opendkim.version|d("0.0.0") }}'
Application environment, Postfix support

opendkim__user
The UNIX system account used by the OpenDKIM service.
opendkim__user: 'opendkim'

opendkim__group
The UNIX system group used by the OpenDKIM service.
opendkim__group: 'opendkim'

opendkim__postfix_integration
Enable or disable integration with the Postfix SMTP server. See Postfix integration for more details.
opendkim__postfix_integration: '{{ ansible_local.postfix.installed
                                   if (ansible_local|d() and ansible_local.postfix|d() and
                                       ansible_local.postfix.installed is defined)
                                   else False }}'

opendkim__postfix_group
Name of the UNIX system group used by the Postfix SMTP server. This variable is used to create the OpenDKIM socket directory with correct access permissions for Postfix.
opendkim__postfix_group: '{{ ansible_local.postfix.system_group|d("postfix") }}'

opendkim__pidfile
Path to the PID file used by OpenDKIM.
opendkim__pidfile: '/var/run/opendkim/opendkim.pid'

opendkim__socket
Path to the UNIX socket used by OpenDKIM.
opendkim__socket: '{{ "/var/spool/postfix/opendkim/opendkim.sock"
                      if opendkim__postfix_integration|bool
                      else "/var/run/opendkim/opendkim.sock" }}'

opendkim__domain
The main DNS domain used in the OpenDKIM configuration.
opendkim__domain: '{{ ansible_domain }}'

opendkim__fqdn
The Fully Qualified Domain Name of the current host used in the OpenDKIM configuration.
opendkim__fqdn: '{{ ansible_fqdn }}'

opendkim__dkimkeys_path
Directory where DomainKeys are stored on the remote host.
opendkim__dkimkeys_path: '/etc/dkimkeys'

opendkim__default_key_size
The default size of the RSA DomainKeys generated by the role.
opendkim__default_key_size: '2048'
DomainKeys configuration

These variables configure the DomainKeys used by OpenDKIM. See opendkim__keys for more details.

opendkim__default_keys
The list of default DomainKeys configured by the role.
opendkim__default_keys:
  - name: 'mail'

opendkim__keys
List of DomainKeys which should be present on all hosts in the Ansible inventory.
opendkim__keys: []

opendkim__group_keys
List of DomainKeys which should be present on hosts in specific Ansible inventory group.
opendkim__group_keys: []

opendkim__host_keys
List of DomainKeys which should be present on specific hosts in the Ansible inventory.
opendkim__host_keys: []

opendkim__combined_keys
This list combines the other DomainKey lists and is used in the Ansible tasks.
opendkim__combined_keys: '{{ opendkim__default_keys
                             + opendkim__keys
                             + opendkim__group_keys
                             + opendkim__host_keys }}'
DKIM Signing Table

These variables configure the OpenDKIM Signing Table, which specifies what messages should be signed by which DomainKeys. See opendkim__signing_table for more details.

opendkim__default_signing_table
List of default signing table entries defined by the role.
opendkim__default_signing_table:
  - name: 'mail'
    from: '{{ opendkim__domain }}'
    domain: '{{ opendkim__domain }}'
    subdomains: True

opendkim__signing_table
List of signing table entries which should be present on all hosts in the Ansible inventory.
opendkim__signing_table: []

opendkim__group_signing_table
List of signing table entries which should be present on hosts in specific Ansible inventory group.
opendkim__group_signing_table: []

opendkim__host_signing_table
List of signing table entries which should be present on specific hosts in the Ansible inventory.
opendkim__host_signing_table: []

opendkim__combined_signing_table
The variable that combines all of the signing table list variables and is used in the configuration template.
opendkim__combined_signing_table: '{{ opendkim__default_signing_table
                                      + opendkim__signing_table
                                      + opendkim__group_signing_table
                                      + opendkim__host_signing_table }}'
Trusted hosts

These variables define lists of "trusted hosts" which will be used in the InternalHosts and ExternalIgnoreList configuration options. See opendkim__trusted_hosts for more details.

opendkim__default_trusted_hosts
The default list of trusted hosts defined by the role.
opendkim__default_trusted_hosts:
  - '127.0.0.1'
  - '::1'
  - 'localhost'
  - '{{ opendkim__fqdn }}'

opendkim__trusted_hosts
The list of trusted hosts which should be defined on all hosts in the Ansible inventory.
opendkim__trusted_hosts: []

opendkim__group_trusted_hosts
The list of trusted hosts which should be defined on hosts in specific Ansible inventory group.
opendkim__group_trusted_hosts: []

opendkim__host_trusted_hosts
The list of trusted hosts which should be defined on specific hosts in the Ansible inventory.
opendkim__host_trusted_hosts: []

opendkim__combined_trusted_hosts
The variable that combines all of the trusted host lists and passes them to the configuration template.
opendkim__combined_trusted_hosts: '{{ opendkim__default_trusted_hosts
                                      + opendkim__trusted_hosts
                                      + opendkim__group_trusted_hosts
                                      + opendkim__host_trusted_hosts }}'
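
OpenDKIM signs mail from clients matched by InternalHosts instead of verifying it, so every entry in the combined trusted hosts list extends signing to the hosts it matches. The audit below is an added example, not part of the debops.opendkim role; the prefix thresholds, the function name and the sample entries beyond the role defaults are assumptions.

```python
import ipaddress

# Assumed review thresholds (not from the role): prefixes shorter than these
# are reported as broad.
MIN_V4_PREFIX = 24
MIN_V6_PREFIX = 64


def audit_trusted_hosts(entries):
    """Return (entry, finding) pairs for entries that deserve a second look."""
    findings = []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith('!'):
            # OpenDKIM reads a leading '!' as "not"; exclusions only narrow trust.
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an address or CIDR block: a host name or ".domain" suffix.
            if entry.startswith('.'):
                findings.append((entry, 'domain suffix: every host under it is trusted'))
            continue
        limit = MIN_V4_PREFIX if net.version == 4 else MIN_V6_PREFIX
        if net.prefixlen == 0:
            findings.append((entry, 'matches every address'))
        elif net.prefixlen < limit:
            findings.append((entry, 'broad network: /%d covers %d addresses'
                             % (net.prefixlen, net.num_addresses)))
    return findings


# Role defaults from this page (with a constructed FQDN), followed by
# constructed inventory additions.
combined = [
    '127.0.0.1', '::1', 'localhost', 'mail.example.org',
    '192.0.2.25',      # single relay host
    '10.0.0.0/8',      # whole private range
    '.example.org',    # any host in the domain
    '!10.9.0.0/16',    # exclusion
    '0.0.0.0/0',       # everything
]

if __name__ == '__main__':
    for entry, finding in audit_trusted_hosts(combined):
        print('%-16s %s' % (entry, finding))
```

Because the role writes the same TrustedHosts file for both InternalHosts and ExternalIgnoreList, a finding here applies to both options.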
OpenDKIM main configuration

These variables define the contents of the /etc/opendkim.conf configuration file. See Default variable details: opendkim__config for more details.

opendkim__original_config
The configuration set by default by the Debian package after installation.
opendkim__original_config:

  - name: 'config-header'
    comment: |
      This is a basic configuration that can easily be adapted to suit a standard
      installation. For more advanced options, see opendkim.conf(5) and/or
      /usr/share/doc/opendkim/examples/opendkim.conf.sample.
    state: 'hidden'

  - name: 'Syslog'
    comment: 'Log to syslog'
    value: True

  - name: 'UMask'
    comment: |
      Required to use local socket with MTAs that access the socket as a non-
      privileged user (e. g. Postfix)
    value: '002'

  - name: 'Domain'
    comment: |
      Sign for example.com with key in /etc/mail/dkim.key using
      selector '2007' (e. g. 2007._domainkey.example.com)
    value: 'example.com'
    state: 'comment'

  - name: 'KeyFile'
    value: '/etc/mail/dkim.key'
    state: 'comment'

  - name: 'Selector'
    value: '2007'
    state: 'comment'

  - name: 'Canonicalization'
    comment: 'Commonly-used options; the commented-out versions show the defaults.'
    value: 'simple'
    state: 'comment'

  - name: 'Mode'
    value: 'sv'
    state: 'comment'

  - name: 'Subdomains'
    value: False
    state: 'comment'

  - name: 'ADSPAction'
    value: 'continue'
    state: '{{ "comment"
               if (ansible_distribution_release in [ "wheezy", "jessie" ])
               else "absent" }}'

  - name: 'OversignHeaders'
    comment: |
      Always oversign From (sign using actual From and a null From to prevent
      malicious signatures header fields (From and/or others) between the signer
      and the verifier. From is oversigned by default in the Debian package
      because it is often the identity key used by reputation systems and thus
      somewhat security sensitive.
    value: [ 'From' ]

  - name: 'ResolverConfiguration'
    comment: |
      ResolverConfiguration filename
      default (none)
      Specifies a configuration file to be passed to the Unbound library that
      performs DNS queries applying the DNSSEC protocol. See the Unbound
      documentation at https://unbound.net/ for the expected content of this file.
      The results of using this and the TrustAnchorFile setting at the same
      time are undefined.
      In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
      unbound package
    value: '/etc/unbound/unbound.conf'
    state: '{{ "absent"
               if (ansible_distribution_release in [ "wheezy", "jessie" ])
               else "comment" }}'

  - name: 'TrustAnchorFile'
    comment: |
      TrustAnchorFile filename
      default (none)
      Specifies a file from which trust anchor data should be read when doing
      DNS queries and applying the DNSSEC protocol. See the Unbound documentation
      at https://unbound.net/ for the expected format of this file.
    value: '/usr/share/dns/root.key'
    state: '{{ "absent"
               if (ansible_distribution_release in [ "wheezy", "jessie" ])
               else "present" }}'

  - name: 'ATPSDomains'
    comment: |
      List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
      (ATPS) (experimental)
    value: [ 'example.com' ]
    state: '{{ "comment"
               if (ansible_distribution_release in [ "wheezy", "jessie" ])
               else "absent" }}'

opendkim__default_config
The OpenDKIM configuration defined by the debops.opendkim Ansible role.
opendkim__default_config:

  - name: 'ResolverConfiguration'
    state: '{{ "present"
               if (ansible_local|d() and ansible_local.unbound|d() and
                   (ansible_local.unbound.installed|d()) | bool)
               else "ignore" }}'

  - name: 'TrustAnchorFile'
    state: '{{ "absent"
               if (ansible_local|d() and ansible_local.unbound|d() and
                   (ansible_local.unbound.installed|d()) | bool)
               else "ignore" }}'

  - name: 'Socket'
    comment: 'Listen for connections in the Postfix chroot'
    value: 'local:{{ opendkim__socket }}'
    state: '{{ "present" if opendkim__postfix_integration|bool else "ignore" }}'

  - name: 'UserID'
    comment: 'Required by the systemd opendkim.service unit'
    value: '{{ opendkim__user + ":" + opendkim__group }}'
    state: '{{ "comment"
               if (ansible_distribution_release in [ "wheezy", "jessie" ])
               else "present" }}'

  - name: 'PidFile'
    comment: 'Required by the systemd opendkim.service unit'
    value: '/run/opendkim/opendkim.pid'
    state: '{{ "comment"
               if (ansible_distribution_release in [ "wheezy", "jessie" ])
               else "present" }}'

  - name: 'KeyTable'
    value: '{{ opendkim__dkimkeys_path + "/KeyTable" }}'
    copy_id_from: 'Selector'
    weight: 1

  - name: 'SigningTable'
    value: '{{ opendkim__dkimkeys_path + "/SigningTable" }}'
    copy_id_from: 'KeyTable'
    weight: 2

  - name: 'InternalHosts'
    value: '{{ opendkim__dkimkeys_path + "/TrustedHosts" }}'
    copy_id_from: 'KeyTable'
    weight: 3

  - name: 'ExternalIgnoreList'
    value: '{{ opendkim__dkimkeys_path + "/TrustedHosts" }}'
    copy_id_from: 'KeyTable'
    weight: 4

opendkim__config
The configuration which should be set on all hosts in the Ansible inventory.
opendkim__config: []

opendkim__group_config
The configuration which should be set on hosts in specific Ansible inventory group.
opendkim__group_config: []

opendkim__host_config
The configuration which should be set on specific hosts in the Ansible inventory.
opendkim__host_config: []

opendkim__combined_config
The combined OpenDKIM configuration passed to the config file template.
opendkim__combined_config: '{{ opendkim__original_config
                               + opendkim__default_config
                               + opendkim__config
                               + opendkim__group_config
                               + opendkim__host_config }}'
Configuration for other Ansible roles

opendkim__postfix__dependent_maincf
The main.cf configuration for the debops.postfix Ansible role.
opendkim__postfix__dependent_maincf:

  - name: 'smtpd_milters'
    value:
      - name: 'unix:/opendkim/opendkim.sock'
        weight: -300
    state: 'present'

  - name: 'non_smtpd_milters'
    value:
      - name: 'unix:/opendkim/opendkim.sock'
        weight: -300
    state: 'present'