summaryrefslogtreecommitdiffstats
path: root/group_vars/all.yml
blob: f3593fe8982ea72d8c7f7a5a59d9e7ed4741be9f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
---
non_free_packages:
  elefant:
    - firmware-bnx2

# Virtual (non-routable) IPv4 subnet for IPsec.  It is always nullrouted
# in the absence of xfrm lookup (i.e., when there is no matching IPsec
# Security Association) to avoid data leaks.
ipsec_subnet: 172.16.0.0/24
ipsec:
  # Virtual (non-routable) addresses for IPsec.  They all need to be
  # distinct and belong to the above subnet 'ipsec_subnet'.
  antilop:  172.16.0.1
  benjamin: 172.16.0.2
  civett:   172.16.0.3
  elefant:  172.16.0.4
  giraff:   172.16.0.5
  mistral:  172.16.0.6
  calima:   172.16.0.7


postfix_instance:
  # The keys are the group names associated with a Postfix role, and the
  # values are the name and group (optional) of the instance dedicated
  # to that role.
  # For internal services, we also specify its (non-routable) IP address
  # and port.
  # XXX it's unfortunate that we can only specify a single address, and
  #     therefore have to limit the number of outgoing SMTP proxy and
  #     IMAP server to one. Since hosts(5) files cannot map and IP
  #     address to multiple hostnames, a workaround would be to use
  #     round-robin DNS, but we can't rely on DNS as long as our zone is
  #     unsigned.
  IMAP:    { name: mda
           , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.IMAP[0]].inventory_hostname_short ], '127.0.0.1') }}"
           , port: 2526 }
  MX:      { name: mx,  group: mta }
  out:     { name: out, group: mta
           , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.out[0]].inventory_hostname_short ], '127.0.0.1') }}"
           , port: 2525 }
  MSA:     { name: msa
           , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.MSA[0]].inventory_hostname_short ], '127.0.0.1') }}"
           , port: 2587 }
  lists:   { name: lists
           , addr: "{{ (groups.all | length > 1) | ternary( ipsec[ hostvars[groups.lists[0]].inventory_hostname_short ], '127.0.0.1') }}"
           , port: 2527 }

imapsvr_addr: "{{ postfix_instance.IMAP.addr | ipaddr }}"

dkim_keys:
  giraff:
    # match key
    "fripost.org":
      # domain of the entity signing the message (should be unique accross match keys)
      d: fripost.org
      # selector (randomly generated with `xxd -p -l16 </dev/urandom`)
      s: 8f00fb94ec6c37aacb48bd43e073f9b7
    "lists.fripost.org":
      d: lists.fripost.org
      s: d3df4ddda85e3c927621b1b02a9cbb85
    "guilhem@debian.org":
      d: debian.org
      s: 5d30c523ff3622ed454230a16a11ddf6.guilhem.user
    "guilhem.org":
      d: guilhem.org
      s: d32231afe345182ae1a9b376fa912dca
    "~": # catch-all, for our virtual domains
      d: x.fripost.org
      s: 9df9cdc7e101629b5003b587945afa70