Diffstat (limited to 'group_vars/all.yml')
-rw-r--r-- | group_vars/all.yml | 105 |
1 files changed, 100 insertions, 5 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 25356bf..f780262 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,10 +1,105 @@
 ---
+non_free_packages:
+ elefant:
+ - firmware-bnx2
+
+# Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted
+# in the absence of xfrm lookup (i.e., when there is no matching IPsec
+# Security Association) to avoid data leaks.
+ipsec_subnet: 172.16.0.0/24
+ipsec:
+ # Virtual (non-routable) addresses for IPsec. They all need to be
+ # distinct and belong to the above subnet 'ipsec_subnet'.
+ antilop: 172.16.0.1
+ levante: 172.16.0.2
+ civett: 172.16.0.3
+ elefant: 172.16.0.4
+ giraff: 172.16.0.5
+ mistral: 172.16.0.6
+ calima: 172.16.0.7
+
 postfix_instance:
 # The keys are the group names associated with a Postfix role, and the
 # values are the name and group (optional) of the instance dedicated
 # to that role.
- IMAP: { name: mda, port: 2526 }
- MX: { name: mx, group: mta }
- out: { name: out, group: mta, port: 2525 }
- MSA: { name: msa }
- lists: { name: lists, port: 2527 }
+ # For internal services, we also specify its (non-routable) IP address
+ # and port.
+ # XXX it's unfortunate that we can only specify a single address, and
+ # therefore have to limit the number of outgoing SMTP proxy and
+ # IMAP server to one. Since hosts(5) files cannot map and IP
+ # address to multiple hostnames, a workaround would be to use
+ # round-robin DNS, but we can't rely on DNS as long as our zone is
+ # unsigned.
+ IMAP: { name: mda
+ , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}"
+ , port: 2526 }
+ MX: { name: mx, group: mta }
+ out: { name: out, group: mta
+ , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}"
+ , port: 2525 }
+ MSA: { name: msa
+ , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.MSA[0]].inventory_hostname_short ], '127.0.0.1') }}"
+ , port: 2587 }
+ lists: { name: lists
+ , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.lists[0]].inventory_hostname_short ], '127.0.0.1') }}"
+ , port: 2527 }
+
+imapsvr_addr: "{{ postfix_instance.IMAP.addr | ansible.utils.ipaddr }}"
+
+dkim_keys:
+ giraff:
+ # match key
+ "fripost.org":
+ # domain of the entity signing the message (should be unique accross match keys)
+ d: fripost.org
+ # selector (randomly generated with `xxd -p -l16 </dev/urandom`)
+ s: 8f00fb94ec6c37aacb48bd43e073f9b7
+ "lists.fripost.org":
+ d: lists.fripost.org
+ s: d3df4ddda85e3c927621b1b02a9cbb85
+ "guilhem@debian.org":
+ d: debian.org
+ s: 5d30c523ff3622ed454230a16a11ddf6.guilhem.user
+ "guilhem.org":
+ d: guilhem.org
+ s: d32231afe345182ae1a9b376fa912dca
+ "guilhem.se":
+ d: guilhem.se
+ s: 138abf7e73c88d8dc67ca2d26881bc81
+ "hemdal.se":
+ d: hemdal.se
+ s: f032227401564da2cee5d5d0965969c4
+ "tevs.net":
+ d: tevs.net
+ s: 5fd8ba74ecb12069964e21a0ba90a516
+ "jakmedlem.se":
+ d: jakmedlem.se
+ s: 0ef2a7235861d65c872faf4e72b29a29
+ "gbg.cmsmarx.org":
+ d: gbg.cmsmarx.org
+ s: a4b2e822cfcf594acd24f44587590eb1
+ "r0x.se":
+ d: r0x.se
+ s: 79992d8659ce1c2d3f5a9ad20d167c15
+ "ljhms.se":
+ d: ljhms.se
+ s: 9552b222c0c258daf13bd410f6b5a159
+ "dubre.me":
+ d: dubre.me
+ s: aa813339234ce48d3b3bbfa334fbf48e
+ "himmelkanten.se":
+ d: himmelkanten.se
+ s: caf0355abffeda8264045c3730362147
+ "vimmelkanten.se":
+ d: vimmelkanten.se
+ s: ccb92aa8f79aa6d76b2a9d6ecf6b30e6
+ "hemskaklubben.se":
+ d: hemskaklubben.se
+ s: 564736f16aac6a05b50ea67fd6259e16
+ "kodafritt.se":
+ d: kodafritt.se
+ s: ce3283cc9129cb6692174bd2ec480b88
+ "~": # catch-all, for our virtual domains
+ d: x.fripost.org
+ s: 9df9cdc7e101629b5003b587945afa70 |