kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-18 09:45:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

refactor(dns): unify Cloudflare + Hetzner handling across roles

Browse Source 
- replaced CERTBOT_DNS_API_TOKEN with CLOUDFLARE_API_TOKEN everywhere
- introduced generic sys-dns-cloudflare-records role for managing DNS records
- added sys-dns-hetzner-rdns role with both Cloud (hcloud) and Robot API flavors
- updated Mailu role to:
  - generate DKIM before DNS setup
  - delegate DNS + rDNS records to the new generic roles
- removed legacy per-role Cloudflare vars (MAILU_CLOUDFLARE_API_TOKEN)
- extended group vars with HOSTING_PROVIDER for rDNS flavor decision
- added hetzner.hcloud collection to requirements

This consolidates DNS management into reusable roles,
supports both Cloudflare and Hetzner providers,
and standardizes variable naming across the project.
This commit is contained in:
Kevin Veen-Birkenbach 2025-08-16 21:43:01 +02:00
parent 838a55ea94
commit 2620ee088e
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
28 changed files with 437 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
group_vars/all/00_general.yml
View File

@ -43,11 +43,12 @@ ACTIVATE_ALL_TIMERS: false # Activates all timers, indepe
DNS_PROVIDER: cloudflare # The DNS Provider\Registrar for the domain
HOSTING_PROVIDER: hetzner # Provider which hosts the server
# Which ACME method to use: webroot, cloudflare, or hetzner
CERTBOT_ACME_CHALLENGE_METHOD: "cloudflare"
CERTBOT_CREDENTIALS_DIR: /etc/certbot
CERTBOT_CREDENTIALS_FILE: "{{ CERTBOT_CREDENTIALS_DIR }}/{{ CERTBOT_ACME_CHALLENGE_METHOD }}.ini"
CERTBOT_DNS_API_TOKEN: "" # Define in inventory file: More information here: group_vars/all/docs/CLOUDFLARE_API_TOKEN.md
CERTBOT_DNS_PROPAGATION_WAIT_SECONDS: 300 # How long should the script wait for DNS propagation before continuing
CERTBOT_FLAVOR: san # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated

1
requirements.yml
View File

@ -1,5 +1,6 @@
collections:
- name: kewlfft.aur
- name: community.general
- name: hetzner.hcloud
yay:
- python-simpleaudio

2
roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml
View File

@ -16,7 +16,7 @@
url: "{{ cf_api_url }}?name={{ domain | to_primary_domain }}"
method: GET
headers:
Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
Content-Type: "application/json"
return_content: yes
register: cf_zone_lookup_dev

2
roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml
View File

@ -3,7 +3,7 @@
url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/purge_cache"
method: POST
headers:
Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
Content-Type: "application/json"
body:
purge_everything: true

6
roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml
View File

@ -1,7 +1,7 @@
# roles/srv-proxy-6-6-domain/tasks/02_enable_cf_dev_mode.yml
---
# Enables Cloudflare Development Mode (bypasses cache for ~3 hours).
# Uses the same auth token as in 01_cleanup.yml: CERTBOT_DNS_API_TOKEN
# Uses the same auth token as in 01_cleanup.yml: CLOUDFLARE_API_TOKEN
# Assumes `domain` and (optionally) `cf_zone_id` are available.
# Safe to run repeatedly; only changes when the mode is not already "on".
@ -10,7 +10,7 @@
url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
method: GET
headers:
Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
Content-Type: "application/json"
return_content: yes
register: cf_dev_mode_current
@ -21,7 +21,7 @@
url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
method: PATCH
headers:
Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
Content-Type: "application/json"
body:
value: "on"

2
roles/srv-web-7-7-dns-records/tasks/main.yml
View File

@ -2,7 +2,7 @@
- name: Create or update Cloudflare A-record for {{ item }}
community.general.cloudflare_dns:
api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
api_token: "{{ CLOUDFLARE_API_TOKEN }}"
zone: "{{ item.split('.')[-2:] | join('.') }}"
state: present
type: A

8
roles/srv-web-7-7-letsencrypt/tasks/01_set-caa-records.yml
View File

@ -1,14 +1,14 @@
---
- name: "Validate CERTBOT_DNS_API_TOKEN"
- name: "Validate CLOUDFLARE_API_TOKEN"
fail:
msg: >
The variable "CERTBOT_DNS_API_TOKEN" must be defined and cannot be empty!
when: (CERTBOT_DNS_API_TOKEN|default('')|trim) == ''
The variable "CLOUDFLARE_API_TOKEN" must be defined and cannot be empty!
when: (CLOUDFLARE_API_TOKEN|default('')|trim) == ''
- name: "Ensure all CAA records are present"
community.general.cloudflare_dns:
api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
api_token: "{{ CLOUDFLARE_API_TOKEN }}"
zone: "{{ item.0 }}"
record: "@"
type: CAA

24
roles/sys-dns-cloudflare-records/README.md Normal file
View File

@ -0,0 +1,24 @@
# 🌐 Cloudflare DNS Records
## Description
Generic, data-driven role to manage DNS records on Cloudflare (A/AAAA, CNAME, MX, TXT, SRV).
Designed for reuse across apps (e.g., Mailu) and environments.
## Overview
This role wraps `community.general.cloudflare_dns` and applies records from a single
structured variable (`cloudflare_records`). It supports async operations and
can be used to provision all required records for a service in one task.
## Features
- Data-driven input for multiple record types
- Supports A/AAAA, CNAME, MX, TXT, SRV
- Optional async execution
- Minimal logging of secrets
## Further Resources
- [Cloudflare Dashboard → API Tokens](https://dash.cloudflare.com/profile/api-tokens)
- [Ansible Collection: community.general.cloudflare_dns](https://docs.ansible.com/ansible/latest/collections/community/general/cloudflare_dns_module.html)

12
roles/sys-dns-cloudflare-records/defaults/main.yml Normal file
View File

@ -0,0 +1,12 @@
# Cloudflare API Token
# More information here: group_vars/all/docs/CLOUDFLARE_API_TOKEN.md
CLOUDFLARE_API_TOKEN: ""
cloudflare_async_enabled: "{{ ASYNC_ENABLED | bool }}"
cloudflare_async_time: "{{ ASYNC_TIME }}"
cloudflare_async_poll: "{{ ASYNC_POLL }}"
cloudflare_no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
# Supported types:
# A/AAAA (content), CNAME/MX/TXT (value, MX hat priority), SRV (service/proto/…)
cloudflare_records: []

6
group_vars/all/docs/CLOUDFLARE_API_TOKEN.md → roles/sys-dns-cloudflare-records/docs/CLOUDFLARE_API_TOKEN.md
View File

@ -1,10 +1,10 @@
# Cloudflare API Token for Ansible (`CERTBOT_DNS_API_TOKEN`)
# Cloudflare API Token for Ansible (`CLOUDFLARE_API_TOKEN`)
This document explains how to generate and use a Cloudflare API Token for DNS automation and certificate operations in Ansible (e.g., with Certbot).
## Purpose
The `CERTBOT_DNS_API_TOKEN` variable must contain a valid Cloudflare API Token.
The `CLOUDFLARE_API_TOKEN` variable must contain a valid Cloudflare API Token.
This token is used for all DNS operations and ACME (SSL/TLS certificate) challenges that require access to your Cloudflare-managed domains.
**Never commit your API token to a public repository. Always keep it secure!**
@ -58,4 +58,4 @@ Add the following permissions:
Set the token in your Ansible inventory or secrets file:
```yaml
CERTBOT_DNS_API_TOKEN: "cf_your_generated_token_here"
CLOUDFLARE_API_TOKEN: "cf_your_generated_token_here"

23
roles/sys-dns-cloudflare-records/meta/main.yml Normal file
View File

@ -0,0 +1,23 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Generic role to manage Cloudflare DNS records (A/AAAA, CNAME, MX, TXT, SRV) in a data-driven way."
license: "Infinito.Nexus NonCommercial License"
license_url: "https://s.infinito.nexus/license"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
galaxy_tags:
- cloudflare
- dns
- records
- mail
- automation
repository: "https://s.infinito.nexus/code"
issue_tracker_url: "https://s.infinito.nexus/issues"
documentation: "https://docs.infinito.nexus"
logo:
class: "fa-solid fa-cloud"
run_after: []
dependencies: []

105
roles/sys-dns-cloudflare-records/tasks/main.yml Normal file
View File

@ -0,0 +1,105 @@
---
# run_once_sys_dns_cloudflare_records: deactivated
- name: Assert token
ansible.builtin.assert:
that: [ "CLOUDFLARE_API_TOKEN | length > 0" ]
no_log: "{{ cloudflare_no_log | bool }}"
- name: Apply A/AAAA
community.general.cloudflare_dns:
api_token: "{{ CLOUDFLARE_API_TOKEN }}"
zone: "{{ item.zone }}"
type: "{{ item.type }}"
name: "{{ item.name }}"
content: "{{ item.content }}"
proxied: "{{ item.proxied | default(false) }}"
ttl: "{{ item.ttl | default(1) }}"
state: "{{ item.state | default('present') }}"
loop: "{{ cloudflare_records | selectattr('type','in',['A','AAAA']) | list }}"
loop_control: { label: "{{ item.type }} {{ item.name }} -> {{ item.content }}" }
async: "{{ cloudflare_async_enabled | ternary(cloudflare_async_time, omit) }}"
poll: "{{ cloudflare_async_enabled | ternary(cloudflare_async_poll, omit) }}"
no_log: "{{ cloudflare_no_log | bool }}"
register: _cf_call
failed_when: >
_cf_call is failed and
(
('An identical record already exists' not in (_cf_call.msg | default('') | string))
and
('81058' not in (_cf_call.msg | default('') | string))
)
changed_when: >
(_cf_call.changed | default(false)) and
(
('An identical record already exists' not in (_cf_call.msg | default('') | string))
and
('81058' not in (_cf_call.msg | default('') | string))
)
- name: Apply CNAME/MX/TXT
community.general.cloudflare_dns:
api_token: "{{ CLOUDFLARE_API_TOKEN }}"
zone: "{{ item.zone }}"
type: "{{ item.type }}"
name: "{{ item.name }}"
value: "{{ item.value }}"
ttl: "{{ item.ttl | default(1) }}"
priority: "{{ (item.type == 'MX') | ternary(item.priority | default(10), omit) }}"
state: "{{ item.state | default('present') }}"
loop: "{{ cloudflare_records | selectattr('type','in',['CNAME','MX','TXT']) | list }}"
loop_control: { label: "{{ item.type }} {{ item.name }} -> {{ item.value }}" }
async: "{{ cloudflare_async_enabled | ternary(cloudflare_async_time, omit) }}"
poll: "{{ cloudflare_async_enabled | ternary(cloudflare_async_poll, omit) }}"
no_log: "{{ cloudflare_no_log | bool }}"
register: _cf_call
failed_when: >
_cf_call is failed and
(
('An identical record already exists' not in (_cf_call.msg | default('') | string))
and
('81058' not in (_cf_call.msg | default('') | string))
)
changed_when: >
(_cf_call.changed | default(false)) and
(
('An identical record already exists' not in (_cf_call.msg | default('') | string))
and
('81058' not in (_cf_call.msg | default('') | string))
)
- name: Apply SRV
community.general.cloudflare_dns:
api_token: "{{ CLOUDFLARE_API_TOKEN }}"
zone: "{{ item.zone }}"
type: SRV
service: "{{ item.service }}"
proto: "{{ item.proto }}"
name: "{{ item.name }}"
priority: "{{ item.priority }}"
weight: "{{ item.weight }}"
port: "{{ item.port }}"
value: "{{ item.value }}"
ttl: "{{ item.ttl | default(1) }}"
state: "{{ item.state | default('present') }}"
loop: "{{ cloudflare_records | selectattr('type','equalto','SRV') | list }}"
loop_control: { label: "SRV {{ item.service }}.{{ item.proto }} {{ item.name }} -> {{ item.value }}:{{ item.port }}" }
ignore_errors: "{{ item.ignore_errors | default(true) }}"
async: "{{ cloudflare_async_enabled | ternary(cloudflare_async_time, omit) }}"
poll: "{{ cloudflare_async_enabled | ternary(cloudflare_async_poll, omit) }}"
no_log: "{{ cloudflare_no_log | bool }}"
register: _cf_call
failed_when: >
_cf_call is failed and
(
('An identical record already exists' not in (_cf_call.msg | default('') | string))
and
('81058' not in (_cf_call.msg | default('') | string))
)
changed_when: >
(_cf_call.changed | default(false)) and
(
('An identical record already exists' not in (_cf_call.msg | default('') | string))
and
('81058' not in (_cf_call.msg | default('') | string))
)

0
roles/sys-dns-hetzner-rdns/README.md Normal file
View File

20
roles/sys-dns-hetzner-rdns/defaults/main.yml Normal file
View File

@ -0,0 +1,20 @@
# Cloud (hcloud) token
# @see https://docs.hetzner.com/cloud/api/getting-started/generating-api-token/
HETZNER_API_TOKEN: ""
# Robot (dedicated) credentials
# You can create an user here: https://robot.hetzner.com/preferences/index
HETZNER_ROBOT_USER: ""
HETZNER_ROBOT_PASSWORD: ""
HETZNER_ROBOT_BASE_URL: "https://robot-ws.your-server.de"
hetzner_async_enabled: "{{ ASYNC_ENABLED | bool }}"
hetzner_async_time: "{{ ASYNC_TIME }}"
hetzner_async_poll: "{{ ASYNC_POLL }}"
hetzner_no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
rdns_records: []
# Example:
# rdns_records:
# - { resource: "server", ip_address: "1.2.3.4", dns_ptr: "mail.example.com" }
# - { resource: "primary_ip", identifier: "12345", ip_address: "2001:db8::1", dns_ptr: "mail.example.com" }

24
roles/sys-dns-hetzner-rdns/meta/main.yml Normal file
View File

@ -0,0 +1,24 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Generic role to manage reverse DNS (PTR) for Hetzner Cloud resources (server, primary_ip, floating_ip, load_balancer)."
license: "Infinito.Nexus NonCommercial License"
license_url: "https://s.infinito.nexus/license"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
galaxy_tags:
- hetzner
- dns
- rdns
- ptr
- mail
repository: "https://s.infinito.nexus/code"
issue_tracker_url: "https://s.infinito.nexus/issues"
documentation: "https://docs.infinito.nexus"
logo:
class: "fa-solid fa-server"
run_after: []
dependencies: []

93
roles/sys-dns-hetzner-rdns/tasks/flavors/cloud.yml Normal file
View File

@ -0,0 +1,93 @@
---
# Cloud flavor (hcloud API)
- name: Resolve effective hcloud token
set_fact:
_hz_token: >-
{{ HETZNER_API_TOKEN
| default(lookup('env','HETZNER_API_TOKEN'), true)
| default('', true)
}}
no_log: "{{ hetzner_no_log | bool }}"
- name: Assert hcloud token present
ansible.builtin.assert:
that: [ "_hz_token | length > 0" ]
fail_msg: "HETZNER_API_TOKEN is required for the Cloud flavor."
no_log: "{{ hetzner_no_log | bool }}"
- name: Collect hcloud servers if needed (server records without identifier)
hetzner.hcloud.server_info:
api_token: "{{ _hz_token }}"
register: _servers_info
when: rdns_records | selectattr('resource','equalto','server') | selectattr('identifier','undefined') | list | length > 0
no_log: "{{ hetzner_no_log | bool }}"
- name: Init normalized records list
set_fact:
_rdns_records: []
- name: Normalize records (autofill server.identifier by IPv4)
vars:
_match_name: >-
{{
(_servers_info.servers | default([]))
| selectattr('public_net.ipv4.ip','equalto', rec.ip_address | default(''))
| map(attribute='name') | list | first | default('')
}}
_needs_autofill: >-
{{
rec.resource == 'server'
and (rec.identifier is not defined)
and (rec.ip_address | default('') | length > 0)
}}
_normalized: >-
{{
rec if (not _needs_autofill or _match_name == '')
else (rec | combine({'identifier': _match_name}))
}}
set_fact:
_rdns_records: "{{ _rdns_records + [ _normalized ] }}"
loop: "{{ rdns_records }}"
loop_control: { loop_var: rec }
- name: Ensure server identifiers are resolved when required
assert:
that:
- >
(
(_rdns_records | selectattr('resource','equalto','server') | selectattr('identifier','defined') | list | length)
==
(_rdns_records | selectattr('resource','equalto','server') | list | length)
)
fail_msg: "Could not resolve hcloud server by IPv4 for one or more records."
no_log: "{{ hetzner_no_log | bool }}"
- name: Validate records (cloud)
ansible.builtin.assert:
that:
- (_rdns_records | default(rdns_records)) | length > 0
- (_rdns_records | default(rdns_records)) | selectattr('dns_ptr','defined') | list | length == ((_rdns_records | default(rdns_records)) | length)
- (_rdns_records | default(rdns_records)) | selectattr('ip_address','defined') | list | length == ((_rdns_records | default(rdns_records)) | length)
- (_rdns_records | default(rdns_records)) | selectattr('resource','defined') | list | length == ((_rdns_records | default(rdns_records)) | length)
- (
(_rdns_records | default(rdns_records)) | selectattr('resource','equalto','server') | selectattr('identifier','defined') | list | length
+ ((_rdns_records | default(rdns_records)) | rejectattr('resource','equalto','server') | list | length)
) == ((_rdns_records | default(rdns_records)) | length)
no_log: "{{ hetzner_no_log | bool }}"
- name: Apply rDNS via hcloud
hetzner.hcloud.hcloud_rdns:
api_token: "{{ _hz_token }}"
server: "{{ (item.resource == 'server') | ternary(item.identifier, omit) }}"
primary_ip: "{{ (item.resource == 'primary_ip') | ternary(item.identifier, omit) }}"
floating_ip: "{{ (item.resource == 'floating_ip') | ternary(item.identifier, omit) }}"
load_balancer: "{{ (item.resource == 'load_balancer') | ternary(item.identifier, omit) }}"
ip_address: "{{ item.ip_address }}"
dns_ptr: "{{ item.dns_ptr }}"
state: present
loop: "{{ _rdns_records | default(rdns_records) }}"
loop_control:
label: "{{ item.resource }}[{{ item.identifier | default('auto-by-ipv4') }}] {{ item.ip_address }} -> {{ item.dns_ptr }}"
async: "{{ hetzner_async_enabled | ternary(hetzner_async_time, omit) }}"
poll: "{{ hetzner_async_enabled | ternary(hetzner_async_poll, omit) }}"
no_log: "{{ hetzner_no_log | bool }}"

42
roles/sys-dns-hetzner-rdns/tasks/flavors/robot.yml Normal file
View File

@ -0,0 +1,42 @@
---
# Robot flavor (Robot Webservice API)
- name: Assert Robot credentials present
ansible.builtin.assert:
that:
- (HETZNER_ROBOT_USER | default('') | length) > 0
- (HETZNER_ROBOT_PASSWORD | default('') | length) > 0
fail_msg: "Robot credentials required: HETZNER_ROBOT_USER / HETZNER_ROBOT_PASSWORD."
no_log: "{{ hetzner_no_log | bool }}"
- name: Validate records (robot)
ansible.builtin.assert:
that:
- rdns_records | length > 0
- (rdns_records | selectattr('ip_address','defined') | list | length) == (rdns_records | length)
- (rdns_records | selectattr('dns_ptr','defined') | list | length) == (rdns_records | length)
fail_msg: "Each record must have ip_address and dns_ptr for Robot rDNS."
no_log: "{{ hetzner_no_log | bool }}"
- name: Apply rDNS via Hetzner Robot API
vars:
hetzner_robot_base_url: "{{ HETZNER_ROBOT_BASE_URL }}"
ip_path: "{{ item.ip_address | urlencode }}"
ansible.builtin.uri:
url: "{{ hetzner_robot_base_url }}/rdns/{{ ip_path }}"
method: POST
user: "{{ HETZNER_ROBOT_USER }}"
password: "{{ HETZNER_ROBOT_PASSWORD }}"
force_basic_auth: true
headers:
Accept: application/json
body_format: form-urlencoded
body:
ptr: "{{ item.dns_ptr }}"
status_code: [200, 201]
loop: "{{ rdns_records }}"
loop_control:
label: "{{ item.ip_address }} -> {{ item.dns_ptr }}"
async: "{{ hetzner_async_enabled | ternary(hetzner_async_time, omit) }}"
poll: "{{ hetzner_async_enabled | ternary(hetzner_async_poll, omit) }}"
no_log: "{{ hetzner_no_log | bool }}"

33
roles/sys-dns-hetzner-rdns/tasks/main.yml Normal file
View File

@ -0,0 +1,33 @@
# run_once_sys_dns_hetzner_rdns
# Decide flavor
- name: Decide which Hetzner flavor to use
set_fact:
_use_cloud: "{{ (HETZNER_API_TOKEN | length) > 0 }}"
_use_robot: >-
{{
(HETZNER_ROBOT_USER | length) > 0
and (HETZNER_ROBOT_PASSWORD | length) > 0
}}
no_log: "{{ hetzner_no_log | bool }}"
- name: "Note: both Cloud token and Robot creds provided; using Cloud flavor"
debug:
msg: "Both HETZNER_API_TOKEN and Robot credentials present → proceeding with Cloud (hcloud) flavor."
when: _use_cloud and _use_robot
- name: Include Cloud flavor (hcloud)
include_tasks: flavors/cloud.yml
when: _use_cloud
- name: Include Robot flavor (Robot Webservice)
include_tasks: flavors/robot.yml
when: (not _use_cloud) and _use_robot
- name: Fail if no credentials provided
fail:
msg: >-
Neither Cloud nor Robot credentials provided.
Set either HETZNER_API_TOKEN for Cloud (hcloud) or
HETZNER_ROBOT_USER/HETZNER_ROBOT_PASSWORD for Robot.
when: (not _use_cloud) and (not _use_robot)

2
roles/sys-svc-certbot/tasks/02_no_webroot.yml
View File

@ -15,7 +15,7 @@
copy:
dest: "{{ CERTBOT_CREDENTIALS_FILE }}"
content: |
dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token = {{ CERTBOT_DNS_API_TOKEN }}
dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token = {{ CLOUDFLARE_API_TOKEN }}
owner: root
group: root
mode: '0600'

2
roles/web-app-gitea/tasks/main.yml
View File

@ -60,7 +60,7 @@
include_role:
name: srv-web-7-7-dns-records
vars:
cloudflare_api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
CLOUDFLARE_API_TOKEN: "{{ CLOUDFLARE_API_TOKEN }}"
cloudflare_domains: "{{ [ domains | get_domain(application_id) ] }}"
cloudflare_target_ip: "{{ networks.internet.ip4 }}"
cloudflare_proxied: false

8
roles/web-app-mailu/tasks/01_core.yml
View File

@ -25,7 +25,7 @@
meta: flush_handlers
- name: "Create Mailu accounts"
include_tasks: 02_create-mailu-user.yml
include_tasks: 02_create-user.yml
vars:
MAILU_DOCKER_DIR: "{{ docker_compose.directories.instance }}"
mailu_api_base_url: "http://127.0.0.1:8080/api/v1"
@ -45,6 +45,8 @@
loop_var: item
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
- name: Generate DKIM public key
include_tasks: 04_generate-and-read-dkim.yml
- name: Set Mailu DNS records
include_tasks: 04_set-mailu-dns-records.yml
when: DNS_PROVIDER == 'cloudflare'
include_tasks: 05_dns-records.yml

2
roles/web-app-mailu/tasks/02_create-mailu-user.yml → roles/web-app-mailu/tasks/02_create-user.yml
View File

@ -25,5 +25,5 @@
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
- name: "Create Mailu API Token for {{ mailu_user_name }}"
include_tasks: 03_create-mailu-token.yml
include_tasks: 03_create-token.yml
when: "{{ 'mail-bot' in item.value.roles }}"

0
roles/web-app-mailu/tasks/03_create-mailu-token.yml → roles/web-app-mailu/tasks/03_create-token.yml
View File

0
roles/web-app-mailu/tasks/05_generate-and-read-dkim.yml → roles/web-app-mailu/tasks/04_generate-and-read-dkim.yml
View File

125
roles/web-app-mailu/tasks/04_set-mailu-dns-records.yml
View File

@ -1,125 +0,0 @@
- name: Generate DKIM public key
include_tasks: 05_generate-and-read-dkim.yml
# A/AAAA record for the mail host in the **Hostname Zone**
- name: "Set A record for Mailu host"
community.general.cloudflare_dns:
api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
zone: "{{ MAILU_HOSTNAME_DNS_ZONE }}"
type: A
name: "{{ MAILU_HOSTNAME }}" # Fully Qualified Domain Name of the mail host
content: "{{ MAILU_IP4_PUBLIC }}"
proxied: false
ttl: 1
state: present
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
- name: "Set AAAA record for Mailu host"
community.general.cloudflare_dns:
api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
zone: "{{ MAILU_HOSTNAME_DNS_ZONE }}"
type: AAAA
name: "{{ MAILU_HOSTNAME }}"
content: "{{ MAILU_IP6_PUBLIC }}"
proxied: false
ttl: 1
state: present
when: MAILU_IP6_PUBLIC is defined and MAILU_IP6_PUBLIC | length > 0
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
# Autoconfig CNAME record in the **Mail Domain Zone**
- name: "Set CNAME record for autoconfig"
community.general.cloudflare_dns:
api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
type: CNAME
name: "autoconfig.{{ MAILU_DOMAIN_DNS_ZONE }}"
value: "{{ MAILU_HOSTNAME }}" # Points to the Mailu host FQDN
proxied: false
ttl: 1
state: present
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
# MX record in the **Mail Domain Zone**
- name: "Set MX record"
community.general.cloudflare_dns:
api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
type: MX
name: "{{ MAILU_DOMAIN }}" # Root mail domain
value: "{{ MAILU_HOSTNAME }}" # Points to the Mailu host
priority: 10
ttl: 1
state: present
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
# SRV records in the **Mail Domain Zone**
- name: "Set SRV records"
community.general.cloudflare_dns:
api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
type: SRV
service: "_{{ item.key }}"
proto: "_tcp"
priority: "{{ item.value.priority }}"
weight: "{{ item.value.weight }}"
port: "{{ item.value.port }}"
value: "{{ MAILU_HOSTNAME }}" # Target = Mailu host FQDN
ttl: 1
state: present
name: "{{ MAILU_DOMAIN }}"
loop: "{{ MAILU_DNS_SRV_RECORDS | dict2items }}"
ignore_errors: true
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
# SPF TXT record in the **Mail Domain Zone**
- name: "Set SPF TXT record"
community.general.cloudflare_dns:
api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
type: TXT
name: "{{ MAILU_DOMAIN }}"
value: "v=spf1 mx a:{{ MAILU_HOSTNAME }} ~all"
ttl: 1
state: present
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
# DMARC TXT record in the **Mail Domain Zone**
- name: "Set DMARC TXT record"
community.general.cloudflare_dns:
api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
type: TXT
name: "_dmarc.{{ MAILU_DOMAIN_DNS_ZONE }}"
value: "v=DMARC1; p=reject; ruf=mailto:{{ MAILU_DMARC_RUF }}; adkim=s; aspf=s"
ttl: 1
state: present
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
# DKIM TXT record in the **Mail Domain Zone**
- name: "Set DKIM TXT record"
community.general.cloudflare_dns:
api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
type: TXT
name: "dkim._domainkey.{{ MAILU_DOMAIN_DNS_ZONE }}"
value: "{{ mailu_dkim_public_key }}"
ttl: 1
state: present
async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

33
roles/web-app-mailu/tasks/05_dns-records.yml Normal file
View File

@ -0,0 +1,33 @@
- name: "DNS (Cloudflare) for Mailu"
include_role:
name: sys-dns-cloudflare-records
when: DNS_PROVIDER | lower == 'cloudflare'
vars:
cloudflare_async_enabled: "{{ ASYNC_ENABLED | default(false) | bool }}"
cloudflare_async_time: "{{ ASYNC_TIME | default(45) }}"
cloudflare_async_poll: "{{ ASYNC_POLL | default(5) }}"
cloudflare_no_log: "{{ MASK_CREDENTIALS_IN_LOGS | default(true) | bool }}"
cloudflare_records:
- { type: A, zone: "{{ MAILU_HOSTNAME_DNS_ZONE }}", name: "{{ MAILU_HOSTNAME }}", content: "{{ MAILU_IP4_PUBLIC }}", proxied: false }
# - { type: AAAA, zone: "{{ MAILU_HOSTNAME_DNS_ZONE }}", name: "{{ MAILU_HOSTNAME }}", content: "{{ MAILU_IP6_PUBLIC }}", proxied: false }
- { type: CNAME, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "autoconfig.{{ MAILU_DOMAIN_DNS_ZONE }}", value: "{{ MAILU_HOSTNAME }}" }
- { type: MX, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "{{ MAILU_DOMAIN }}", value: "{{ MAILU_HOSTNAME }}", priority: 10 }
- { type: TXT, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "{{ MAILU_DOMAIN }}", value: "v=spf1 mx a:{{ MAILU_HOSTNAME }} ~all" }
- { type: TXT, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "_dmarc.{{ MAILU_DOMAIN_DNS_ZONE }}", value: "v=DMARC1; p=reject; ruf=mailto:{{ MAILU_DMARC_RUF }}; adkim=s; aspf=s" }
- { type: TXT, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "dkim._domainkey.{{ MAILU_DOMAIN_DNS_ZONE }}", value: "{{ mailu_dkim_public_key }}" }
- { type: SRV, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_submission", proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 587, value: "{{ MAILU_HOSTNAME }}" }
- { type: SRV, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_submissions", proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 465, value: "{{ MAILU_HOSTNAME }}" }
- { type: SRV, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_imaps", proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 993, value: "{{ MAILU_HOSTNAME }}" }
- { type: SRV, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_imap", proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 143, value: "{{ MAILU_HOSTNAME }}" }
- { type: SRV, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_pop3s", proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 995, value: "{{ MAILU_HOSTNAME }}" }
- { type: SRV, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_pop3", proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 110, value: "{{ MAILU_HOSTNAME }}" }
- { type: SRV, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_autodiscover", proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 443, value: "{{ MAILU_HOSTNAME }}" }
- name: "rDNS (Hetzner Cloud) for Mailu"
include_role:
name: sys-dns-hetzner-rdns
when: HOSTING_PROVIDER | lower == 'hetzner'
vars:
rdns_records:
- { resource: "server", ip_address: "{{ MAILU_IP4_PUBLIC }}", dns_ptr: "{{ MAILU_HOSTNAME }}" }
# - { resource: "server", ip_address: "{{ MAILU_IP6_PUBLIC | default('') }}", dns_ptr: "{{ MAILU_HOSTNAME }}" }

16
roles/web-app-mailu/vars/main.yml
View File

@ -43,7 +43,6 @@ MAILU_SUBNET: "{{ networks.local['web-app-mailu'].subnet
## Credentials
MAILU_SECRET_KEY: "{{ applications | get_app_conf(application_id,'credentials.secret_key') }}"
MAILU_CLOUDFLARE_API_TOKEN: "{{ CERTBOT_DNS_API_TOKEN }}"
MAILU_API_TOKEN: "{{ applications | get_app_conf(application_id, 'credentials.api_token') }}"
## OIDC
@ -55,16 +54,7 @@ MAILU_OIDC_ENABLE_USER_CREATION: "{{ applications | get_app_conf(applicatio
# @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
MAILU_DOCKER_FLAVOR: "{{ 'ghcr.io/heviat' if MAILU_OIDC_ENABLED | bool else 'ghcr.io/mailu' }}"
MAILU_DMARC_RUF: "{{ applications | get_app_conf(application_id, 'users.administrator.email') }}"
MAILU_DMARC_RUF: "{{ applications | get_app_conf(application_id, 'users.administrator.email') }}"
MAILU_DKIM_KEY_FILE: "{{ MAILU_DOMAIN }}.dkim.key"
MAILU_DKIM_KEY_PATH: "/dkim/{{ MAILU_DKIM_KEY_FILE }}"
MAILU_DNS_SRV_RECORDS:
submission: { port: 587, priority: 20, weight: 1 }
submissions: { port: 465, priority: 20, weight: 1 }
imaps: { port: 993, priority: 20, weight: 1 }
imap: { port: 143, priority: 20, weight: 1 }
pop3s: { port: 995, priority: 20, weight: 1 }
pop3: { port: 110, priority: 20, weight: 1 }
autodiscover: { port: 443, priority: 20, weight: 1 }
MAILU_DKIM_KEY_FILE: "{{ MAILU_DOMAIN }}.dkim.key"
MAILU_DKIM_KEY_PATH: "/dkim/{{ MAILU_DKIM_KEY_FILE }}"

2
roles/web-opt-rdr-www/tasks/main.yml
View File

@ -20,7 +20,7 @@
include_role:
name: srv-web-7-7-dns-records
vars:
cloudflare_api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
CLOUDFLARE_API_TOKEN: "{{ CLOUDFLARE_API_TOKEN }}"
cloudflare_domains: "{{ www_domains }}"
cloudflare_target_ip: "{{ networks.internet.ip4 }}"
cloudflare_proxied: false