debops.rspamd default variables

Packages and installation

rspamd__packages

List of additional APT packages that should be installed with rspamd.

    rspamd__packages: []

rspamd__base_packages

APT packages required for the rspamd installation.

    rspamd__base_packages:
      - 'rspamd'
      - '{{ "bind9-dnsutils" if rspamd__dkim_update_method is search("nsupdate") else [] }}'
      - '{{ "krb5-user" if rspamd__dkim_update_method == "nsupdate_gsstsig" else [] }}'
DKIM configuration

rspamd__dkim_enabled

Whether to enable DKIM signing of messages. Note that this defaults to false because DKIM requires some manual configuration; see DKIM for more details.

    rspamd__dkim_enabled: False

rspamd__dkim_domains

DKIM domains to generate, manage and use signing keys for.

    rspamd__dkim_domains: [ '{{ ansible_domain }}' ]

rspamd__dkim_log_dir

Absolute path to the directory which contains DKIM logs.

    rspamd__dkim_log_dir: '/var/log/rspamd'
rspamd__dkim_keygen_default_configuration

The default configuration for the rspamd-dkim-keygen script.

    rspamd__dkim_keygen_default_configuration:
      - name: 'key_directory'
        value: '/var/lib/rspamd/dkim/'
      - name: 'key_archive'
        value: '/var/lib/rspamd/dkim-archive/'
      - name: 'update_script'
        value: '/usr/local/sbin/rspamd-dkim-update'
      - name: 'future_config'
        value: 'dkim-future.conf'
      - name: 'active_config'
        value: 'dkim-active.conf'
      - name: 'expired_config'
        value: 'dkim-expired.conf'
      - name: 'future_period'
        value: 1
      - name: 'active_period'
        value: 3
      - name: 'expired_period'
        value: 1
      - name: 'domains'
        value: '{{ rspamd__dkim_domains }}'
      - name: 'key_types'
        value:
          - { type: 'ed25519' }
          - { type: 'rsa', extra_args: [ '--bits', '2048' ] }
rspamd__dkim_keygen_configuration

The rspamd configuration options defined for all hosts in the Ansible inventory.

    rspamd__dkim_keygen_configuration: []

rspamd__dkim_keygen_group_configuration

The rspamd configuration options defined for all hosts in a specific Ansible inventory group.

    rspamd__dkim_keygen_group_configuration: []

rspamd__dkim_keygen_host_configuration

The rspamd configuration options defined for a specific host in the Ansible inventory.

    rspamd__dkim_keygen_host_configuration: []

rspamd__dkim_keygen_combined_configuration

This variable combines the other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/local.d.

    rspamd__dkim_keygen_combined_configuration: '{{
      rspamd__dkim_keygen_default_configuration
      + rspamd__dkim_keygen_configuration
      + rspamd__dkim_keygen_group_configuration
      + rspamd__dkim_keygen_host_configuration }}'
rspamd__dkim_update_method

The method to use to publish/remove DKIM keys as DNS RRs. Supported values are:

- log: Key updates will simply be logged to a file. Emails will be sent to the admin email address for manual handling.
- nsupdate: The nsupdate tool will be used to update DNS RRs as necessary.
- nsupdate_tsig: Same as nsupdate, but a TSIG or SIG(0) key will be used to authenticate the update requests.
- nsupdate_gsstsig: Same as nsupdate, but GSS-TSIG (Kerberos credentials) will be used to authenticate the update requests.

Note that the various nsupdate methods most likely require some manual configuration of the DNS server to trust this host to make the required updates and/or to create suitable key material/keytabs on the Ansible controller. See rspamd__configuration for more details.

    rspamd__dkim_update_method: 'email'
rspamd__dkim_update_default_configuration

The default configuration for the rspamd-dkim-update script.

    rspamd__dkim_update_default_configuration:
      - name: 'method'
        value: '{{ rspamd__dkim_update_method }}'
      - name: 'log_file'
        value: '{{ rspamd__dkim_log_dir + "/rspamd-dkim-update.log" }}'
      - name: 'email_to'
        value: '{{ ansible_local.core.admin_public_email[0]
                   | d("root@" + ansible_domain) }}'
      - name: 'email_from'
        value: '{{ "noreply@" + ansible_domain }}'
      - name: 'email_host'
        value: 'localhost'
      - name: 'email_port'
        value: 25
      - name: 'email_subject'
        value: 'Rspamd DKIM DNS updates'
      - name: 'nsupdate_keyfile'
        value: '{{ "" if rspamd__dkim_update_method in ["email", "nsupdate"]
                   else "/etc/rspamd/dkim_dns_key" }}'
      - name: 'nsupdate_gsstsig_princ'
        value: '{{ "" if rspamd__dkim_update_method != "nsupdate_gsstsig"
                   else "rspamd@" + ansible_domain|upper }}'
      - name: 'nsupdate_ttl'
        value: 3600
      - name: 'nsupdate_server'
        value: '{{ ansible_dns.nameservers[0] | d("") }}'
rspamd__dkim_update_configuration

The rspamd configuration options defined for all hosts in the Ansible inventory.

    rspamd__dkim_update_configuration: []

rspamd__dkim_update_group_configuration

The rspamd configuration options defined for all hosts in a specific Ansible inventory group.

    rspamd__dkim_update_group_configuration: []

rspamd__dkim_update_host_configuration

The rspamd configuration options defined for a specific host in the Ansible inventory.

    rspamd__dkim_update_host_configuration: []

rspamd__dkim_update_combined_configuration

This variable combines the other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/local.d.

    rspamd__dkim_update_combined_configuration: '{{
      rspamd__dkim_update_default_configuration
      + rspamd__dkim_update_configuration
      + rspamd__dkim_update_group_configuration
      + rspamd__dkim_update_host_configuration }}'
Redis configuration

rspamd__redis_host

The hostname of the Redis server.

    rspamd__redis_host: '{{ ansible_local.redis_server.host|d("127.0.0.1") }}'

rspamd__redis_port

The port which the Redis server is listening on.

    rspamd__redis_port: '{{ ansible_local.redis_server.port|d("6379") }}'

rspamd__redis_password

The Redis authentication password.

    rspamd__redis_password: '{{ ansible_local.redis_server.password|d("") }}'

rspamd__redis_db

The Redis database to use.

    rspamd__redis_db: '0'
Service configuration

These variables define the contents of the /etc/rspamd/local.d and /etc/rspamd/override.d configuration directories. See rspamd__configuration and the Rspamd configuration documentation for further details.

rspamd__default_local_configuration

The default rspamd local.d configuration.
    rspamd__default_local_configuration:

      - file: 'worker-proxy.inc'
        comment: |
          Proxy worker configuration
          https://rspamd.com/doc/workers/rspamd_proxy.html
        options:
          - name: 'bind_socket'
            value: 'localhost:11332'
          - name: 'milter'
            value: True
          - name: 'timeout'
            value: 120
          - name: 'upstream "local"'
            options:
              - name: 'default'
                value: True
              - name: 'self_scan'
                value: True

      - file: 'worker-controller.inc'
        comment: |
          Controller worker configuration
          https://rspamd.com/doc/workers/controller.html
        options:
          - name: 'password'
            value: '{{ rspamd__controller_password_hash }}'

      - file: 'redis.conf'
        comment: |
          Redis configuration
          https://rspamd.com/doc/configuration/redis.html
        options:
          - name: 'servers'
            value: '{{ rspamd__redis_host }}:{{ rspamd__redis_port }}'
          - name: 'db'
            value: '{{ rspamd__redis_db }}'
          - name: 'password'
            value: '{{ rspamd__redis_password }}'

      - file: 'milter_headers.conf'
        comment: |
          Milter headers configuration
          https://rspamd.com/doc/modules/milter_headers.html
        options:
          - name: 'use'
            value: [ 'x-spamd-bar', 'x-spam-level', 'authentication-results' ]
          - name: 'authenticated_headers'
            value: [ 'authentication-results' ]

      - file: 'dkim_signing.conf'
        comment: |
          DKIM signing configuration
          https://rspamd.com/doc/modules/dkim_signing.html
        state: '{{ "present" if rspamd__dkim_enabled|d(False) else "absent" }}'
        options:
          - name: 'allow_username_mismatch'
            value: True
          - name: 'include_dkim_keys'
            raw: '.include(try=true,priority=1,duplicate=merge) "/var/lib/rspamd/dkim/dkim-active.conf"'

      - file: 'arc.conf'
        comment: |
          ARC signature check configuration
          https://rspamd.com/doc/modules/arc.html
        state: '{{ "present" if rspamd__dkim_enabled|d(False) else "absent" }}'
        options:
          - name: 'allow_username_mismatch'
            value: True
          - name: 'include_dkim_keys'
            raw: '.include(try=true,priority=1,duplicate=merge) "/var/lib/rspamd/dkim/dkim-active.conf"'
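To make the shape of these entries concrete, the following added example renders one entry of the list above into an rspamd local.d snippet. It is not the role's own template: how 'name'/'value', 'raw' and nested 'options' map onto rspamd's UCL syntax is an assumption made here for illustration.

```python
# Added illustrative renderer for the local.d entry format above. It is NOT the
# role's own template: how 'name'/'value', 'raw' and nested 'options' map onto
# rspamd's UCL syntax is an assumption made here for demonstration.

def ucl_value(value):
    """Format a Python value the way an rspamd UCL config expects it."""
    if isinstance(value, bool):          # must precede the int check
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, (list, tuple)):
        return "[" + ", ".join(ucl_value(v) for v in value) + "]"
    return '"' + str(value).replace('"', '\\"') + '"'

def render_options(options, indent=0):
    """Render option dicts: 'raw' is emitted verbatim, 'options' opens a nested section."""
    pad = "    " * indent
    lines = []
    for opt in options:
        if "raw" in opt:
            lines.append(pad + opt["raw"])
        elif "options" in opt:
            lines.append(pad + opt["name"] + " {")
            lines.extend(render_options(opt["options"], indent + 1))
            lines.append(pad + "}")
        else:
            lines.append(pad + opt["name"] + " = " + ucl_value(opt["value"]) + ";")
    return lines

def render_entry(entry):
    """Return (filename, content) for one entry, or None when its state is 'absent'."""
    if entry.get("state", "present") == "absent":
        return None
    header = ["# " + line for line in entry.get("comment", "").strip().splitlines()]
    return entry["file"], "\n".join(header + render_options(entry["options"])) + "\n"

# Constructed sample mirroring the worker-proxy.inc entry from the defaults above.
SAMPLE_ENTRY = {
    "file": "worker-proxy.inc",
    "comment": "Proxy worker configuration\nhttps://rspamd.com/doc/workers/rspamd_proxy.html\n",
    "options": [
        {"name": "bind_socket", "value": "localhost:11332"},
        {"name": "milter", "value": True},
        {"name": "timeout", "value": 120},
        {"name": 'upstream "local"',
         "options": [{"name": "default", "value": True},
                     {"name": "self_scan", "value": True}]},
    ],
}

if __name__ == "__main__":
    print(render_entry(SAMPLE_ENTRY)[1])
```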
rspamd__local_configuration

The default rspamd local.d configuration defined for all hosts in the Ansible inventory.

    rspamd__local_configuration: []

rspamd__group_local_configuration

The default rspamd local.d configuration defined for all hosts in a specific Ansible inventory group.

    rspamd__group_local_configuration: []

rspamd__host_local_configuration

The default rspamd local.d configuration defined for a specific host in the Ansible inventory.

    rspamd__host_local_configuration: []

rspamd__combined_local_configuration

This variable combines the other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/local.d.

    rspamd__combined_local_configuration: '{{ rspamd__default_local_configuration
                                              + rspamd__local_configuration
                                              + rspamd__group_local_configuration
                                              + rspamd__host_local_configuration }}'
rspamd__default_override_configuration

The default rspamd override.d configuration.

    rspamd__default_override_configuration: []

rspamd__override_configuration

The default rspamd override.d configuration defined for all hosts in the Ansible inventory.

    rspamd__override_configuration: []

rspamd__group_override_configuration

The default rspamd override.d configuration defined for all hosts in a specific Ansible inventory group.

    rspamd__group_override_configuration: []

rspamd__host_override_configuration

The default rspamd override.d configuration defined for a specific host in the Ansible inventory.

    rspamd__host_override_configuration: []

rspamd__combined_override_configuration

This variable combines the other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/override.d.

    rspamd__combined_override_configuration: '{{ rspamd__default_override_configuration
                                                 + rspamd__override_configuration
                                                 + rspamd__group_override_configuration
                                                 + rspamd__host_override_configuration }}'
rspamd__controller_password

This variable controls the password necessary to access e.g. the web-based user interface of rspamd. Note that the WebUI is only accessible via http://localhost:11334/, so for remote access an SSH tunnel or a local proxy server is necessary. The latter can be configured automatically by this role (see rspamd__nginx_enabled below).

    rspamd__controller_password: '{{ lookup("password",
                                     secret
                                     + "/credentials/"
                                     + inventory_hostname
                                     + "/rspamd/controller_password"
                                     + " chars=ascii_letters,digits"
                                     + " length=32") }}'
rspamd__controller_password_salt

The salt used to hash the rspamd__controller_password. The default might look complicated, but it's a workaround for Ansible issue #36129.

    rspamd__controller_password_salt: '{{ (lookup("password",
                                           secret
                                           + "/credentials/"
                                           + inventory_hostname
                                           + "/rspamd/salt"
                                           + " chars=ascii_letters,digits"
                                           + " length=21"))[:21]
                                          + ("Oeu"
                                             | shuffle(seed=inventory_hostname)
                                             | join)[1] }}'
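The odd-looking default above follows from bcrypt's salt encoding: a salt is 22 characters of bcrypt's own base64 alphabet carrying 128 bits, so the 22nd character can only take four values ('.', 'O', 'e', 'u'), which is why the role appends one character drawn from "Oeu" to 21 random letters and digits. The following added example (not part of the role) checks that rule and rebuilds a salt the same way; the 21-character random part is a constructed stand-in for the lookup("password", ...) result, and the exact shuffle algorithm of Ansible's filter is not reproduced.

```python
import random
import string

# bcrypt's own base64 alphabet is "./A-Za-z0-9". A bcrypt salt is 22 such
# characters carrying 128 bits (22 * 6 = 132 bits of capacity), so the 22nd
# character may only encode 2 bits: it must decode to a multiple of 16,
# i.e. be one of '.', 'O', 'e' or 'u'. Other final characters make the salt
# invalid for bcrypt implementations that validate their input.
BCRYPT_ALPHABET = "./" + string.ascii_uppercase + string.ascii_lowercase + string.digits
VALID_LAST_CHARS = "".join(BCRYPT_ALPHABET[i] for i in (0, 16, 32, 48))  # ".Oeu"


def is_valid_bcrypt_salt(salt: str) -> bool:
    """True if 'salt' is a well-formed 22-character bcrypt salt string."""
    return (
        len(salt) == 22
        and all(c in BCRYPT_ALPHABET for c in salt)
        and salt[-1] in VALID_LAST_CHARS
    )


def make_role_style_salt(random_part: str, inventory_hostname: str) -> str:
    """Rebuild a salt the way rspamd__controller_password_salt does.

    'random_part' stands in for the 21-character lookup("password", ...)
    result (letters and digits only, a subset of the bcrypt alphabet). The
    final character is chosen deterministically from "Oeu", seeded with the
    hostname like the role's shuffle(seed=inventory_hostname) filter; the
    filter's exact shuffle algorithm is not reproduced here.
    """
    rng = random.Random(inventory_hostname)
    tail = list("Oeu")
    rng.shuffle(tail)
    return random_part[:21] + tail[1]


if __name__ == "__main__":
    # Constructed stand-in for the generated 21-character secret.
    sample = "Ab3dEf6hIj9kLm2nOp5qR"
    salt = make_role_style_salt(sample, "mail.example.org")
    print(salt, is_valid_bcrypt_salt(salt))
```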
rspamd__controller_password_hash

The hashed version of rspamd__controller_password. If you want to set a password manually, you probably want to change that variable instead.

    rspamd__controller_password_hash: '{{ rspamd__controller_password
                                          | password_hash("bcrypt",
                                                          salt=rspamd__controller_password_salt) }}'
rspamd__nginx_enabled

If enabled, nginx will be set up to provide remote access to the WebUI of rspamd.

    rspamd__nginx_enabled: False

rspamd__nginx_fqdns

List of FQDNs which nginx should use to make the WebUI available.

    rspamd__nginx_fqdns:
      - 'rspamd.{{ ansible_domain }}'
      - '{{ ansible_hostname }}-rspamd.{{ ansible_domain }}'

rspamd__nginx_access_policy

The nginx access policy, by default none.

    rspamd__nginx_access_policy: ''
rspamd__proxy_allow

List of IP addresses or CIDR subnets which are allowed to connect to rspamd's proxy worker remotely. If the list is empty, remote connections are denied. Note that this only influences the firewall settings; further configuration is still necessary to make rspamd actually listen for remote connections (see the bind_socket and secure_ip options in the workers documentation).

    rspamd__proxy_allow: []

rspamd__normal_allow

Same as rspamd__proxy_allow, but for the normal worker.

    rspamd__normal_allow: []

rspamd__controller_allow

Same as rspamd__proxy_allow, but for the controller worker.

    rspamd__controller_allow: []

rspamd__fuzzy_allow

Same as rspamd__proxy_allow, but for the fuzzy worker.

    rspamd__fuzzy_allow: []
Configuration for other Ansible roles

rspamd__logrotate__dependent_config

Configuration for the debops.logrotate role.

    rspamd__logrotate__dependent_config:
      - filename: 'rspamd-dkim'
        logs: '{{ rspamd__dkim_log_dir + "/rspamd-dkim-update.log" }}'
        options: |
          notifempty
          missingok
          yearly
          maxsize 16M
          rotate 10
          compress
        comment: 'Rspamd DKIM key rotation logs'

rspamd__etc_services__dependent_list

Configuration for the debops.etc_services role.

    rspamd__etc_services__dependent_list:
      - name: 'rspamd-proxy'
        port: '11332'
        protocols: [ 'tcp' ]
        comment: 'Added by debops.rspamd Ansible role.'
      - name: 'rspamd-normal'
        port: '11333'
        protocols: [ 'tcp' ]
        comment: 'Added by debops.rspamd Ansible role.'
      - name: 'rspamd-controller'
        port: '11334'
        protocols: [ 'tcp' ]
        comment: 'Added by debops.rspamd Ansible role.'
      - name: 'rspamd-fuzzy'
        port: '11335'
        protocols: [ 'udp' ]
        comment: 'Added by debops.rspamd Ansible role.'
rspamd__nginx__dependent_servers

Configuration for the debops.nginx role.

    rspamd__nginx__dependent_servers:
      - name: '{{ rspamd__nginx_fqdns }}'
        filename: 'debops.rspamd'
        by_role: 'debops.rspamd'
        access_policy: '{{ rspamd__nginx_access_policy }}'
        webroot_create: False
        type: 'proxy'
        proxy_pass: 'http://localhost:11334'
rspamd__ferm__dependent_rules

Configuration for the debops.ferm role.

    rspamd__ferm__dependent_rules:
      - type: 'accept'
        dport: [ 'rspamd-proxy' ]
        protocol: [ 'tcp' ]
        saddr: '{{ rspamd__proxy_allow }}'
        accept_any: False
        weight: '50'
        role: 'rspamd'
      - type: 'accept'
        dport: [ 'rspamd-normal' ]
        protocol: [ 'tcp' ]
        saddr: '{{ rspamd__normal_allow }}'
        accept_any: False
        weight: '50'
        role: 'rspamd'
      - type: 'accept'
        dport: [ 'rspamd-controller' ]
        protocol: [ 'tcp' ]
        saddr: '{{ rspamd__controller_allow }}'
        accept_any: False
        weight: '50'
        role: 'rspamd'
      - type: 'accept'
        dport: [ 'rspamd-fuzzy' ]
        protocol: [ 'udp' ]
        saddr: '{{ rspamd__fuzzy_allow }}'
        accept_any: False
        weight: '50'
        role: 'rspamd'
rspamd__postfix__dependent_maincf

The main.cf configuration for the debops.postfix role.

    rspamd__postfix__dependent_maincf:
      - name: 'smtpd_milters'
        comment: 'Added by the rspamd role'
        value:
          - name: 'inet:localhost:11332'
            weight: -400
        state: 'present'
      - name: 'non_smtpd_milters'
        comment: 'Added by the rspamd role'
        value:
          - name: 'inet:localhost:11332'
            weight: -400
        state: 'present'
      - name: 'milter_mail_macros'
        comment: 'Added by the rspamd role'
        value: '{{ "i {auth_type} {auth_authen} {auth_author} "
                   + "{client_addr} {client_name} {mail_addr} "
                   + "{mail_host} {mail_mailer}" }}'
        state: 'present'
      - name: 'milter_default_action'
        comment: 'Added by the rspamd role'
        value: 'accept'
        state: 'comment'
      - name: 'milter_protocol'
        comment: 'Added by the rspamd role'
        value: 6
        state: 'comment'