1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
---
non_free_packages:
elefant:
- firmware-bnx2
# Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted
# in the absence of xfrm lookup (i.e., when there is no matching IPsec
# Security Association) to avoid data leaks.
ipsec_subnet: 172.16.0.0/24
ipsec:
# Virtual (non-routable) addresses for IPsec. They all need to be
# distinct and belong to the above subnet 'ipsec_subnet'.
antilop: 172.16.0.1
benjamin: 172.16.0.2
civett: 172.16.0.3
elefant: 172.16.0.4
giraff: 172.16.0.5
mistral: 172.16.0.6
calima: 172.16.0.7
postfix_instance:
# The keys are the group names associated with a Postfix role, and the
# values are the name and group (optional) of the instance dedicated
# to that role.
# For internal services, we also specify its (non-routable) IP address
# and port.
# XXX it's unfortunate that we can only specify a single address, and
# therefore have to limit the number of outgoing SMTP proxy and
# IMAP server to one. Since hosts(5) files cannot map and IP
# address to multiple hostnames, a workaround would be to use
# round-robin DNS, but we can't rely on DNS as long as our zone is
# unsigned.
IMAP: { name: mda
, addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}"
, port: 2526 }
MX: { name: mx, group: mta }
out: { name: out, group: mta
, addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}"
, port: 2525 }
MSA: { name: msa
, addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.MSA[0]].inventory_hostname_short ], '127.0.0.1') }}"
, port: 2587 }
lists: { name: lists
, addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.lists[0]].inventory_hostname_short ], '127.0.0.1') }}"
, port: 2527 }
imapsvr_addr: "{{ postfix_instance.IMAP.addr | ipaddr }}"
dkim_keys:
giraff:
# match key
"fripost.org":
# domain of the entity signing the message (should be unique accross match keys)
d: fripost.org
# selector (randomly generated with `xxd -p -l16 </dev/urandom`)
s: 8f00fb94ec6c37aacb48bd43e073f9b7
"lists.fripost.org":
d: lists.fripost.org
s: d3df4ddda85e3c927621b1b02a9cbb85
"guilhem@debian.org":
d: debian.org
s: 5d30c523ff3622ed454230a16a11ddf6.guilhem.user
"guilhem.org":
d: guilhem.org
s: d32231afe345182ae1a9b376fa912dca
"~": # catch-all, for our virtual domains
d: x.fripost.org
s: 9df9cdc7e101629b5003b587945afa70
|