debops.rspamd default variables

Packages and installation

rspamd__packages

List of additional APT packages that should be installed with rspamd.

rspamd__packages: []
rspamd__base_packages

APT packages required for the rspamd installation.

rspamd__base_packages:
  - 'rspamd'
  - '{{ "bind9-dnsutils" if rspamd__dkim_update_method is search("nsupdate") else [] }}'
  - '{{ "krb5-user" if rspamd__dkim_update_method == "nsupdate_gsstsig" else [] }}'

DKIM configuration

rspamd__dkim_enabled

Whether to enable DKIM signing of messages. Note that this defaults to false because DKIM requires some manual configuration, see DKIM for more details.

rspamd__dkim_enabled: False
rspamd__dkim_domains

DKIM domains to generate, manage and use signing keys for.

rspamd__dkim_domains: [ '{{ ansible_domain }}' ]
rspamd__dkim_log_dir

Absolute path to the directory which contains DKIM logs.

rspamd__dkim_log_dir: '/var/log/rspamd'
rspamd__dkim_keygen_default_configuration

The default configuration for the rspamd-dkim-keygen script.

rspamd__dkim_keygen_default_configuration:
  - name: 'key_directory'
    value: '/var/lib/rspamd/dkim/'

  - name: 'key_archive'
    value: '/var/lib/rspamd/dkim-archive/'

  - name: 'update_script'
    value: '/usr/local/sbin/rspamd-dkim-update'

  - name: 'future_config'
    value: 'dkim-future.conf'

  - name: 'active_config'
    value: 'dkim-active.conf'

  - name: 'expired_config'
    value: 'dkim-expired.conf'

  - name: 'future_period'
    value: 1

  - name: 'active_period'
    value: 3

  - name: 'expired_period'
    value: 1

  - name: 'domains'
    value: '{{ rspamd__dkim_domains }}'

  - name: 'key_types'
    value:
      - { type: 'ed25519' }
      - { type: 'rsa', extra_args: [ '--bits', '2048' ] }
rspamd__dkim_keygen_configuration

The rspamd configuration options defined for all hosts in the Ansible inventory.

rspamd__dkim_keygen_configuration: []
rspamd__dkim_keygen_group_configuration

The rspamd configuration options defined for all hosts in a specific Ansible inventory group.

rspamd__dkim_keygen_group_configuration: []
rspamd__dkim_keygen_host_configuration

The rspamd configuration options defined for a specific host in the Ansible inventory.

rspamd__dkim_keygen_host_configuration: []
rspamd__dkim_keygen_combined_configuration

This variable combines other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/local.d.

rspamd__dkim_keygen_combined_configuration: '{{
  rspamd__dkim_keygen_default_configuration
   + rspamd__dkim_keygen_configuration
   + rspamd__dkim_keygen_group_configuration
   + rspamd__dkim_keygen_host_configuration }}'
rspamd__dkim_update_method

The method to use to publish/remove DKIM keys as DNS RRs.

Supported values are:

log

Key updates will simply be logged to a file.

email

Emails will be sent to the admin email address for manual handling.

nsupdate

The nsupdate tool will be used to update DNS RRs as necessary.

nsupdate_tsig

Same as nsupdate, but a TSIG or SIG(0) key will be used to authenticate the update requests.

nsupdate_gsstsig

Same as nsupdate, but GSS-TSIG (Kerberos credentials) will be used to authenticate the update requests.

Note that the various nsupdate methods most likely require some manual configuration of the DNS server to trust this host to make the required updates and/or to create suitable key material/keytabs on the Ansible controller. See rspamd__configuration for more details.

rspamd__dkim_update_method: 'email'
rspamd__dkim_update_default_configuration

The default configuration for the rspamd-dkim-update script.

rspamd__dkim_update_default_configuration:
  - name: 'method'
    value: '{{ rspamd__dkim_update_method }}'

  - name: 'log_file'
    value: '{{ rspamd__dkim_log_dir + "/rspamd-dkim-update.log" }}'

  - name: 'email_to'
    value: '{{ ansible_local.core.admin_public_email[0]
               | d("root@" + ansible_domain) }}'

  - name: 'email_from'
    value: '{{ "noreply@" + ansible_domain }}'

  - name: 'email_host'
    value: 'localhost'

  - name: 'email_port'
    value: 25

  - name: 'email_subject'
    value: 'Rspamd DKIM DNS updates'

  - name: 'nsupdate_keyfile'
    value: '{{ "" if rspamd__dkim_update_method in ["email", "nsupdate"]
               else "/etc/rspamd/dkim_dns_key" }}'

  - name: 'nsupdate_gsstsig_princ'
    value: '{{ "" if rspamd__dkim_update_method != "nsupdate_gsstsig"
               else "rspamd@" + ansible_domain|upper }}'

  - name: 'nsupdate_ttl'
    value: 3600

  - name: 'nsupdate_server'
    value: '{{ ansible_dns.nameservers[0] | d("") }}'
rspamd__dkim_update_configuration

The rspamd configuration options defined for all hosts in the Ansible inventory.

rspamd__dkim_update_configuration: []
rspamd__dkim_update_group_configuration

The rspamd configuration options defined for all hosts in a specific Ansible inventory group.

rspamd__dkim_update_group_configuration: []
rspamd__dkim_update_host_configuration

The rspamd configuration options defined for a specific host in the Ansible inventory.

rspamd__dkim_update_host_configuration: []
rspamd__dkim_update_combined_configuration

This variable combines other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/local.d.

rspamd__dkim_update_combined_configuration: '{{
  rspamd__dkim_update_default_configuration
   + rspamd__dkim_update_configuration
   + rspamd__dkim_update_group_configuration
   + rspamd__dkim_update_host_configuration }}'

Redis configuration

rspamd__redis_host

The hostname of the Redis server.

rspamd__redis_host: '{{ ansible_local.redis_server.host|d("127.0.0.1") }}'
rspamd__redis_port

The port which the Redis server is listening to.

rspamd__redis_port: '{{ ansible_local.redis_server.port|d("6379") }}'
rspamd__redis_password

The Redis authentication password.

rspamd__redis_password: '{{ ansible_local.redis_server.password|d("") }}'
rspamd__redis_db

The Redis db to use.

rspamd__redis_db: '0'

Service configuration

These variables define the contents of the /etc/rspamd/local.d and /etc/rspamd/override.d configuration directories. See rspamd__configuration and the Rspamd configuration documentation for further details.

rspamd__default_local_configuration

The default rspamd local.d configuration.

rspamd__default_local_configuration:

  - file: 'worker-proxy.inc'
    comment: |
      Proxy worker configuration
      https://rspamd.com/doc/workers/rspamd_proxy.html
    options:

      - name: 'bind_socket'
        value: 'localhost:11332'

      - name: 'milter'
        value: True

      - name: 'timeout'
        value: 120

      - name: 'upstream "local"'
        options:

          - name: 'default'
            value: True

          - name: 'self_scan'
            value: True

  - file: 'worker-controller.inc'
    comment: |
      Controller worker configuration
      https://rspamd.com/doc/workers/controller.html
    options:

      - name: 'password'
        value: '{{ rspamd__controller_password_hash }}'

  - file: 'redis.conf'
    comment: |
      Redis configuration
      https://rspamd.com/doc/configuration/redis.html
    options:

      - name: 'servers'
        value: '{{ rspamd__redis_host }}:{{ rspamd__redis_port }}'

      - name: 'db'
        value: '{{ rspamd__redis_db }}'

      - name: 'password'
        value: '{{ rspamd__redis_password }}'

  - file: 'milter_headers.conf'
    comment: |
      Milter headers configuration
      https://rspamd.com/doc/modules/milter_headers.html
    options:

      - name: 'use'
        value: [ 'x-spamd-bar', 'x-spam-level', 'authentication-results' ]

      - name: 'authenticated_headers'
        value: [ 'authentication-results' ]

  - file: 'dkim_signing.conf'
    comment: |
      DKIM signing configuration
      https://rspamd.com/doc/modules/dkim_signing.html
    state: '{{ "present" if rspamd__dkim_enabled|d(False) else "absent" }}'
    options:

      - name: 'allow_username_mismatch'
        value: True

      - name: 'include_dkim_keys'
        raw: '.include(try=true,priority=1,duplicate=merge) "/var/lib/rspamd/dkim/dkim-active.conf"'

  - file: 'arc.conf'
    comment: |
      ARC signature check configuration
      https://rspamd.com/doc/modules/arc.html
    state: '{{ "present" if rspamd__dkim_enabled|d(False) else "absent" }}'
    options:

      - name: 'allow_username_mismatch'
        value: True

      - name: 'include_dkim_keys'
        raw: '.include(try=true,priority=1,duplicate=merge) "/var/lib/rspamd/dkim/dkim-active.conf"'
rspamd__local_configuration

The default rspamd local.d configuration defined for all hosts in the Ansible inventory.

rspamd__local_configuration: []
rspamd__group_local_configuration

The default rspamd local.d configuration defined for all hosts in a specific Ansible inventory group.

rspamd__group_local_configuration: []
rspamd__host_local_configuration

The default rspamd local.d configuration defined for a specific host in the Ansible inventory.

rspamd__host_local_configuration: []
rspamd__combined_local_configuration

This variable combines other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/local.d.

rspamd__combined_local_configuration: '{{ rspamd__default_local_configuration
                                           + rspamd__local_configuration
                                           + rspamd__group_local_configuration
                                           + rspamd__host_local_configuration }}'
rspamd__default_override_configuration

The default rspamd override.d configuration.

rspamd__default_override_configuration: []
rspamd__override_configuration

The default rspamd override.d configuration defined for all hosts in the Ansible inventory.

rspamd__override_configuration: []
rspamd__group_override_configuration

The default rspamd override.d configuration defined for all hosts in a specific Ansible inventory group.

rspamd__group_override_configuration: []
rspamd__host_override_configuration

The default rspamd override.d configuration defined for a specific host in the Ansible inventory.

rspamd__host_override_configuration: []
rspamd__combined_override_configuration

This variable combines other rspamd configuration options and is used by the role template to generate the configuration snippets in /etc/rspamd/override.d.

rspamd__combined_override_configuration: '{{ rspamd__default_override_configuration
                                              + rspamd__override_configuration
                                              + rspamd__group_override_configuration
                                              + rspamd__host_override_configuration }}'
rspamd__controller_password

This variable controls the password necessary to access e.g. the web-based user interface of rspamd. Note that the WebUI is only accessible via http://localhost:11334/, so for remote access, a ssh tunnel or local proxy server is necessary. The latter can be configured automatically by this role (see rspamd__nginx_enabled below).

rspamd__controller_password: '{{ lookup("password",
                                        secret
                                         + "/credentials/"
                                         + inventory_hostname
                                         + "/rspamd/controller_password"
                                         + " chars=ascii_letters,digits"
                                         + " length=32") }}'
rspamd__controller_password_salt

The salt used to hash the rspamd__controller_password. The default might look complicated, but it's a workaround for Ansible issue #36129.

rspamd__controller_password_salt: '{{ (lookup("password",
                                              secret
                                               + "/credentials/"
                                               + inventory_hostname
                                               + "/rspamd/salt"
                                               + " chars=ascii_letters,digits"
                                               + " length=21"))[:21]
                                      + ("Oeu"
                                          | shuffle(seed=inventory_hostname)
                                          | join)[1] }}'
rspamd__controller_password_hash

The hashed version of rspamd__controller_password. If you want to set a password manually, you probably want to change that variable instead.

rspamd__controller_password_hash: '{{ rspamd__controller_password
                                      | password_hash("bcrypt",
                                                      salt=rspamd__controller_password_salt) }}'
rspamd__nginx_enabled

If enabled, nginx will be setup to provide remote access to the WebUI of rspamd.

rspamd__nginx_enabled: False
rspamd__nginx_fqdns

List of FQDNs which nginx should use to make the WebUI available.

rspamd__nginx_fqdns:
  - 'rspamd.{{ ansible_domain }}'
  - '{{ ansible_hostname }}-rspamd.{{ ansible_domain }}'
rspamd__nginx_access_policy

The nginx access policy, by default none.

rspamd__nginx_access_policy: ''
rspamd__proxy_allow

List of IP addresses or CIDR subnets which are allowed to connect to rspamd's proxy worker remotely. If the list is empty, remote connections are denied. Note that this only influences the firewall settings, further configuration is still necessary to make rspamd actually listen for remote connections (see the bind_socket and secure_ip options in the workers documentation).

rspamd__proxy_allow: []
rspamd__normal_allow

Same as rspamd__proxy_allow, but for the normal worker.

rspamd__normal_allow: []
rspamd__controller_allow

Same as rspamd__proxy_allow, but for the controller worker.

rspamd__controller_allow: []
rspamd__fuzzy_allow

Same as rspamd__proxy_allow, but for the fuzzy worker.

rspamd__fuzzy_allow: []

Configuration for other Ansible roles

rspamd__logrotate__dependent_config

Configuration for the debops.logrotate role.

rspamd__logrotate__dependent_config:

  - filename: 'rspamd-dkim'
    logs: '{{ rspamd__dkim_log_dir + "/rspamd-dkim-update.log" }}'
    options: |
      notifempty
      missingok
      yearly
      maxsize 16M
      rotate 10
      compress
    comment: 'Rspamd DKIM key rotation logs'
rspamd__etc_services__dependent_list

Configuration for the debops.etc_services role.

rspamd__etc_services__dependent_list:

  - name: 'rspamd-proxy'
    port: '11332'
    protocols: [ 'tcp' ]
    comment: 'Added by debops.rspamd Ansible role.'

  - name: 'rspamd-normal'
    port: '11333'
    protocols: [ 'tcp' ]
    comment: 'Added by debops.rspamd Ansible role.'

  - name: 'rspamd-controller'
    port: '11334'
    protocols: [ 'tcp' ]
    comment: 'Added by debops.rspamd Ansible role.'

  - name: 'rspamd-fuzzy'
    port: '11335'
    protocols: [ 'udp' ]
    comment: 'Added by debops.rspamd Ansible role.'
rspamd__nginx__dependent_servers

Configuration for the debops.nginx role.

rspamd__nginx__dependent_servers:

  - name: '{{ rspamd__nginx_fqdns }}'
    filename: 'debops.rspamd'
    by_role: 'debops.rspamd'
    access_policy: '{{ rspamd__nginx_access_policy }}'
    webroot_create: False
    type: 'proxy'
    proxy_pass: 'http://localhost:11334'
rspamd__ferm__dependent_rules

Configuration for the debops.ferm role.

rspamd__ferm__dependent_rules:

  - type: 'accept'
    dport: [ 'rspamd-proxy' ]
    protocol: [ 'tcp' ]
    saddr: '{{ rspamd__proxy_allow }}'
    accept_any: False
    weight: '50'
    role: 'rspamd'

  - type: 'accept'
    dport: [ 'rspamd-normal' ]
    protocol: [ 'tcp' ]
    saddr: '{{ rspamd__normal_allow }}'
    accept_any: False
    weight: '50'
    role: 'rspamd'

  - type: 'accept'
    dport: [ 'rspamd-controller' ]
    protocol: [ 'tcp' ]
    saddr: '{{ rspamd__controller_allow }}'
    accept_any: False
    weight: '50'
    role: 'rspamd'

  - type: 'accept'
    dport: [ 'rspamd-fuzzy' ]
    protocol: [ 'udp' ]
    saddr: '{{ rspamd__fuzzy_allow }}'
    accept_any: False
    weight: '50'
    role: 'rspamd'
rspamd__postfix__dependent_maincf

The main.cf configuration for the debops.postfix role.

rspamd__postfix__dependent_maincf:

  - name: 'smtpd_milters'
    comment: 'Added by the rspamd role'
    value:
      - name: 'inet:localhost:11332'
        weight: -400
    state: 'present'

  - name: 'non_smtpd_milters'
    comment: 'Added by the rspamd role'
    value:
      - name: 'inet:localhost:11332'
        weight: -400
    state: 'present'

  - name: 'milter_mail_macros'
    comment: 'Added by the rspamd role'
    value: '{{ "i {auth_type} {auth_authen} {auth_author} "
               + "{client_addr} {client_name} {mail_addr} "
               + "{mail_host} {mail_mailer}" }}'
    state: 'present'

  - name: 'milter_default_action'
    comment: 'Added by the rspamd role'
    value: 'accept'
    state: 'comment'

  - name: 'milter_protocol'
    comment: 'Added by the rspamd role'
    value: 6
    state: 'comment'