debops.rspamd default variables
Packages and installation
- rspamd__packages
List of additional APT packages that should be installed with rspamd.
rspamd__packages: []
- rspamd__base_packages
APT packages required for the rspamd installation.
rspamd__base_packages:
  - 'rspamd'
  - '{{ "bind9-dnsutils" if rspamd__dkim_update_method is search("nsupdate") else [] }}'
  - '{{ "krb5-user" if rspamd__dkim_update_method == "nsupdate_gsstsig" else [] }}'
DKIM configuration
- rspamd__dkim_enabled
Whether to enable DKIM signing of messages. Note that this defaults to False because DKIM requires some manual configuration; see DKIM for more details.
rspamd__dkim_enabled: False
- rspamd__dkim_domains
DKIM domains to generate, manage and use signing keys for.
rspamd__dkim_domains: [ '{{ ansible_domain }}' ]
- rspamd__dkim_log_dir
Absolute path to the directory which contains DKIM logs.
rspamd__dkim_log_dir: '/var/log/rspamd'
- rspamd__dkim_keygen_default_configuration
The default configuration for the rspamd-dkim-keygen script.
rspamd__dkim_keygen_default_configuration:
  - name: 'key_directory'
    value: '/var/lib/rspamd/dkim/'
  - name: 'key_archive'
    value: '/var/lib/rspamd/dkim-archive/'
  - name: 'update_script'
    value: '/usr/local/sbin/rspamd-dkim-update'
  - name: 'future_config'
    value: 'dkim-future.conf'
  - name: 'active_config'
    value: 'dkim-active.conf'
  - name: 'expired_config'
    value: 'dkim-expired.conf'
  - name: 'future_period'
    value: 1
  - name: 'active_period'
    value: 3
  - name: 'expired_period'
    value: 1
  - name: 'domains'
    value: '{{ rspamd__dkim_domains }}'
  - name: 'key_types'
    value:
      - { type: 'ed25519' }
      - { type: 'rsa', extra_args: [ '--bits', '2048' ] }
- rspamd__dkim_keygen_configuration
The rspamd configuration options defined for all hosts in the Ansible inventory.
rspamd__dkim_keygen_configuration: []
- rspamd__dkim_keygen_group_configuration
The rspamd configuration options defined for all hosts in a specific Ansible inventory group.
rspamd__dkim_keygen_group_configuration: []
- rspamd__dkim_keygen_host_configuration
The rspamd configuration options defined for a specific host in the Ansible inventory.
rspamd__dkim_keygen_host_configuration: []
- rspamd__dkim_keygen_combined_configuration
This variable combines other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/local.d.
rspamd__dkim_keygen_combined_configuration: '{{
    rspamd__dkim_keygen_default_configuration
    + rspamd__dkim_keygen_configuration
    + rspamd__dkim_keygen_group_configuration
    + rspamd__dkim_keygen_host_configuration }}'
- rspamd__dkim_update_method
The method to use to publish/remove DKIM keys as DNS RRs.
Supported values are:
- log
Key updates will simply be logged to a file. Emails will be sent to the admin email address for manual handling.
- nsupdate
The nsupdate tool will be used to update DNS RRs as necessary.
- nsupdate_tsig
Same as nsupdate, but a TSIG or SIG(0) key will be used to authenticate the update requests.
- nsupdate_gsstsig
Same as nsupdate, but GSS-TSIG (Kerberos credentials) will be used to authenticate the update requests.
Note that the various nsupdate methods most likely require some manual configuration of the DNS server to trust this host to make the required updates and/or to create suitable key material/keytabs on the Ansible controller. See rspamd__configuration for more details.
rspamd__dkim_update_method: 'email'
- rspamd__dkim_update_default_configuration
The default configuration for the rspamd-dkim-update script.
rspamd__dkim_update_default_configuration:
  - name: 'method'
    value: '{{ rspamd__dkim_update_method }}'
  - name: 'log_file'
    value: '{{ rspamd__dkim_log_dir + "/rspamd-dkim-update.log" }}'
  - name: 'email_to'
    value: '{{ ansible_local.core.admin_public_email[0]
               | d("root@" + ansible_domain) }}'
  - name: 'email_from'
    value: '{{ "noreply@" + ansible_domain }}'
  - name: 'email_host'
    value: 'localhost'
  - name: 'email_port'
    value: 25
  - name: 'email_subject'
    value: 'Rspamd DKIM DNS updates'
  - name: 'nsupdate_keyfile'
    value: '{{ "" if rspamd__dkim_update_method in ["email", "nsupdate"]
               else "/etc/rspamd/dkim_dns_key" }}'
  - name: 'nsupdate_gsstsig_princ'
    value: '{{ "" if rspamd__dkim_update_method != "nsupdate_gsstsig"
               else "rspamd@" + ansible_domain|upper }}'
  - name: 'nsupdate_ttl'
    value: 3600
  - name: 'nsupdate_server'
    value: '{{ ansible_dns.nameservers[0] | d("") }}'
- rspamd__dkim_update_configuration
The rspamd configuration options defined for all hosts in the Ansible inventory.
rspamd__dkim_update_configuration: []
- rspamd__dkim_update_group_configuration
The rspamd configuration options defined for all hosts in a specific Ansible inventory group.
rspamd__dkim_update_group_configuration: []
- rspamd__dkim_update_host_configuration
The rspamd configuration options defined for a specific host in the Ansible inventory.
rspamd__dkim_update_host_configuration: []
- rspamd__dkim_update_combined_configuration
This variable combines other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/local.d.
rspamd__dkim_update_combined_configuration: '{{
    rspamd__dkim_update_default_configuration
    + rspamd__dkim_update_configuration
    + rspamd__dkim_update_group_configuration
    + rspamd__dkim_update_host_configuration }}'
Redis configuration
- rspamd__redis_host
The hostname of the Redis server.
rspamd__redis_host: '{{ ansible_local.redis_server.host|d("127.0.0.1") }}'
- rspamd__redis_port
The port which the Redis server is listening to.
rspamd__redis_port: '{{ ansible_local.redis_server.port|d("6379") }}'
- rspamd__redis_password
The Redis authentication password.
rspamd__redis_password: '{{ ansible_local.redis_server.password|d("") }}'
- rspamd__redis_db
The Redis db to use.
rspamd__redis_db: '0'
Service configuration
These variables define the contents of the /etc/rspamd/local.d and /etc/rspamd/override.d configuration directories. See rspamd__configuration and the Rspamd configuration documentation for further details.
- rspamd__default_local_configuration
The default rspamd local.d configuration.
rspamd__default_local_configuration:
  - file: 'worker-proxy.inc'
    comment: |
      Proxy worker configuration
      https://rspamd.com/doc/workers/rspamd_proxy.html
    options:
      - name: 'bind_socket'
        value: 'localhost:11332'
      - name: 'milter'
        value: True
      - name: 'timeout'
        value: 120
      - name: 'upstream "local"'
        options:
          - name: 'default'
            value: True
          - name: 'self_scan'
            value: True
  - file: 'worker-controller.inc'
    comment: |
      Controller worker configuration
      https://rspamd.com/doc/workers/controller.html
    options:
      - name: 'password'
        value: '{{ rspamd__controller_password_hash }}'
  - file: 'redis.conf'
    comment: |
      Redis configuration
      https://rspamd.com/doc/configuration/redis.html
    options:
      - name: 'servers'
        value: '{{ rspamd__redis_host }}:{{ rspamd__redis_port }}'
      - name: 'db'
        value: '{{ rspamd__redis_db }}'
      - name: 'password'
        value: '{{ rspamd__redis_password }}'
  - file: 'milter_headers.conf'
    comment: |
      Milter headers configuration
      https://rspamd.com/doc/modules/milter_headers.html
    options:
      - name: 'use'
        value: [ 'x-spamd-bar', 'x-spam-level', 'authentication-results' ]
      - name: 'authenticated_headers'
        value: [ 'authentication-results' ]
  - file: 'dkim_signing.conf'
    comment: |
      DKIM signing configuration
      https://rspamd.com/doc/modules/dkim_signing.html
    state: '{{ "present" if rspamd__dkim_enabled|d(False) else "absent" }}'
    options:
      - name: 'allow_username_mismatch'
        value: True
      - name: 'include_dkim_keys'
        raw: '.include(try=true,priority=1,duplicate=merge) "/var/lib/rspamd/dkim/dkim-active.conf"'
  - file: 'arc.conf'
    comment: |
      ARC signature check configuration
      https://rspamd.com/doc/modules/arc.html
    state: '{{ "present" if rspamd__dkim_enabled|d(False) else "absent" }}'
    options:
      - name: 'allow_username_mismatch'
        value: True
      - name: 'include_dkim_keys'
        raw: '.include(try=true,priority=1,duplicate=merge) "/var/lib/rspamd/dkim/dkim-active.conf"'
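To see how the file/options/name/value/raw structure above turns into rspamd configuration snippets, here is an added Python renderer; it is not the role's own template, and its mapping (name = value; lines, nested options as blocks, raw lines emitted verbatim, state "absent" entries dropped) is an assumption about the template's behaviour, applied to a constructed sample with the Jinja expressions already resolved.

```python
# Added example (assumed mapping, not the role's own template): render the
# file/options/name/value/raw structure above into rspamd UCL snippets.
# SAMPLE_CONFIG is constructed, shaped like rspamd__default_local_configuration.
SAMPLE_CONFIG = [
    {"file": "worker-proxy.inc",
     "comment": "Proxy worker configuration\nhttps://rspamd.com/doc/workers/rspamd_proxy.html",
     "options": [
         {"name": "bind_socket", "value": "localhost:11332"},
         {"name": "milter", "value": True},
         {"name": 'upstream "local"', "options": [
             {"name": "default", "value": True},
             {"name": "self_scan", "value": True}]}]},
    {"file": "dkim_signing.conf",
     "state": "absent",  # rspamd__dkim_enabled is False by default
     "options": [
         {"name": "include_dkim_keys",
          "raw": '.include(try=true,priority=1,duplicate=merge) "/var/lib/rspamd/dkim/dkim-active.conf"'}]},
]

def ucl_value(value):  # format a Python value as a UCL scalar or array
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, list):
        return "[" + ", ".join(ucl_value(v) for v in value) + "]"
    return '"%s"' % str(value).replace('"', '\\"')

def render_options(options, indent=0):
    """Render option dicts; nested 'options' become blocks, 'raw' is verbatim."""
    pad, lines = "  " * indent, []
    for opt in options:
        if "raw" in opt:
            lines.append(pad + opt["raw"])
        elif "options" in opt:
            lines.append(pad + opt["name"] + " {")
            lines.extend(render_options(opt["options"], indent + 1))
            lines.append(pad + "}")
        else:
            lines.append("%s%s = %s;" % (pad, opt["name"], ucl_value(opt["value"])))
    return lines

def render_files(config):
    """Map filename -> contents; entries with state 'absent' are skipped."""
    out = {}
    for entry in config:
        if entry.get("state", "present") == "absent":
            continue
        header = ["# " + c for c in entry.get("comment", "").strip().splitlines()]
        out[entry["file"]] = "\n".join(header + render_options(entry["options"])) + "\n"
    return out
```

With the defaults, only worker-proxy.inc is produced; switching the dkim_signing.conf entry to state "present" yields just the .include line that pulls in the active DKIM keys.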
- rspamd__local_configuration
The default rspamd local.d configuration defined for all hosts in the Ansible inventory.
rspamd__local_configuration: []
- rspamd__group_local_configuration
The default rspamd local.d configuration defined for all hosts in a specific Ansible inventory group.
rspamd__group_local_configuration: []
- rspamd__host_local_configuration
The default rspamd local.d configuration defined for a specific host in the Ansible inventory.
rspamd__host_local_configuration: []
- rspamd__combined_local_configuration
This variable combines other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/local.d.
rspamd__combined_local_configuration: '{{ rspamd__default_local_configuration
    + rspamd__local_configuration
    + rspamd__group_local_configuration
    + rspamd__host_local_configuration }}'
- rspamd__default_override_configuration
The default rspamd override.d configuration.
rspamd__default_override_configuration: []
- rspamd__override_configuration
The default rspamd override.d configuration defined for all hosts in the Ansible inventory.
rspamd__override_configuration: []
- rspamd__group_override_configuration
The default rspamd override.d configuration defined for all hosts in a specific Ansible inventory group.
rspamd__group_override_configuration: []
- rspamd__host_override_configuration
The default rspamd override.d configuration defined for a specific host in the Ansible inventory.
rspamd__host_override_configuration: []
- rspamd__combined_override_configuration
This variable combines other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/override.d.
rspamd__combined_override_configuration: '{{ rspamd__default_override_configuration
    + rspamd__override_configuration
    + rspamd__group_override_configuration
    + rspamd__host_override_configuration }}'
- rspamd__controller_password
This variable controls the password necessary to access e.g. the web-based user interface of rspamd. Note that the WebUI is only accessible via http://localhost:11334/, so for remote access an SSH tunnel or local proxy server is necessary. The latter can be configured automatically by this role (see rspamd__nginx_enabled below).
rspamd__controller_password: '{{ lookup("password",
    secret
    + "/credentials/"
    + inventory_hostname
    + "/rspamd/controller_password"
    + " chars=ascii_letters,digits"
    + " length=32") }}'
- rspamd__controller_password_salt
The salt used to hash the rspamd__controller_password. The default might look complicated, but it's a workaround for Ansible issue #36129.
rspamd__controller_password_salt: '{{ (lookup("password",
    secret
    + "/credentials/"
    + inventory_hostname
    + "/rspamd/salt"
    + " chars=ascii_letters,digits"
    + " length=21"))[:21]
    + ("Oeu"
    | shuffle(seed=inventory_hostname)
    | join)[1] }}'
- rspamd__controller_password_hash
The hashed version of rspamd__controller_password. If you want to set a password manually, you probably want to change that variable instead.
rspamd__controller_password_hash: '{{ rspamd__controller_password
    | password_hash("bcrypt",
    salt=rspamd__controller_password_salt) }}'
- rspamd__nginx_enabled
If enabled, nginx will be setup to provide remote access to the WebUI of rspamd.
rspamd__nginx_enabled: False
- rspamd__nginx_fqdns
List of FQDNs which nginx should use to make the WebUI available.
rspamd__nginx_fqdns:
  - 'rspamd.{{ ansible_domain }}'
  - '{{ ansible_hostname }}-rspamd.{{ ansible_domain }}'
- rspamd__nginx_access_policy
The nginx access policy, by default none.
rspamd__nginx_access_policy: ''
- rspamd__proxy_allow
List of IP addresses or CIDR subnets which are allowed to connect to rspamd's proxy worker remotely. If the list is empty, remote connections are denied. Note that this only influences the firewall settings; further configuration is still necessary to make rspamd actually listen for remote connections (see the bind_socket and secure_ip options in the workers documentation).
rspamd__proxy_allow: []
- rspamd__normal_allow
Same as rspamd__proxy_allow, but for the normal worker.
rspamd__normal_allow: []
- rspamd__controller_allow
Same as rspamd__proxy_allow, but for the controller worker.
rspamd__controller_allow: []
- rspamd__fuzzy_allow
Same as rspamd__proxy_allow, but for the fuzzy worker.
rspamd__fuzzy_allow: []
Configuration for other Ansible roles
- rspamd__logrotate__dependent_config
Configuration for the debops.logrotate role.
rspamd__logrotate__dependent_config:
  - filename: 'rspamd-dkim'
    logs: '{{ rspamd__dkim_log_dir + "/rspamd-dkim-update.log" }}'
    options: |
      notifempty
      missingok
      yearly
      maxsize 16M
      rotate 10
      compress
    comment: 'Rspamd DKIM key rotation logs'
- rspamd__etc_services__dependent_list
Configuration for the debops.etc_services role.
rspamd__etc_services__dependent_list:
  - name: 'rspamd-proxy'
    port: '11332'
    protocols: [ 'tcp' ]
    comment: 'Added by debops.rspamd Ansible role.'
  - name: 'rspamd-normal'
    port: '11333'
    protocols: [ 'tcp' ]
    comment: 'Added by debops.rspamd Ansible role.'
  - name: 'rspamd-controller'
    port: '11334'
    protocols: [ 'tcp' ]
    comment: 'Added by debops.rspamd Ansible role.'
  - name: 'rspamd-fuzzy'
    port: '11335'
    protocols: [ 'udp' ]
    comment: 'Added by debops.rspamd Ansible role.'
- rspamd__nginx__dependent_servers
Configuration for the debops.nginx role.
rspamd__nginx__dependent_servers:
  - name: '{{ rspamd__nginx_fqdns }}'
    filename: 'debops.rspamd'
    by_role: 'debops.rspamd'
    access_policy: '{{ rspamd__nginx_access_policy }}'
    webroot_create: False
    type: 'proxy'
    proxy_pass: 'http://localhost:11334'
- rspamd__ferm__dependent_rules
Configuration for the debops.ferm role.
rspamd__ferm__dependent_rules:
  - type: 'accept'
    dport: [ 'rspamd-proxy' ]
    protocol: [ 'tcp' ]
    saddr: '{{ rspamd__proxy_allow }}'
    accept_any: False
    weight: '50'
    role: 'rspamd'
  - type: 'accept'
    dport: [ 'rspamd-normal' ]
    protocol: [ 'tcp' ]
    saddr: '{{ rspamd__normal_allow }}'
    accept_any: False
    weight: '50'
    role: 'rspamd'
  - type: 'accept'
    dport: [ 'rspamd-controller' ]
    protocol: [ 'tcp' ]
    saddr: '{{ rspamd__controller_allow }}'
    accept_any: False
    weight: '50'
    role: 'rspamd'
  - type: 'accept'
    dport: [ 'rspamd-fuzzy' ]
    protocol: [ 'udp' ]
    saddr: '{{ rspamd__fuzzy_allow }}'
    accept_any: False
    weight: '50'
    role: 'rspamd'
- rspamd__postfix__dependent_maincf
The main.cf configuration for the debops.postfix role.
rspamd__postfix__dependent_maincf:
  - name: 'smtpd_milters'
    comment: 'Added by the rspamd role'
    value:
      - name: 'inet:localhost:11332'
        weight: -400
    state: 'present'
  - name: 'non_smtpd_milters'
    comment: 'Added by the rspamd role'
    value:
      - name: 'inet:localhost:11332'
        weight: -400
    state: 'present'
  - name: 'milter_mail_macros'
    comment: 'Added by the rspamd role'
    value: '{{ "i {auth_type} {auth_authen} {auth_author} "
               + "{client_addr} {client_name} {mail_addr} "
               + "{mail_host} {mail_mailer}" }}'
    state: 'present'
  - name: 'milter_default_action'
    comment: 'Added by the rspamd role'
    value: 'accept'
    state: 'comment'
  - name: 'milter_protocol'
    comment: 'Added by the rspamd role'
    value: 6
    state: 'comment'