refactor(dns): unify Cloudflare + Hetzner handling across roles

- replaced CERTBOT_DNS_API_TOKEN with CLOUDFLARE_API_TOKEN everywhere - introduced generic sys-dns-cloudflare-records role for managing DNS records - added sys-dns-hetzner-rdns role with both Cloud (hcloud) and Robot API flavors - updated Mailu role to: - generate DKIM before DNS setup - delegate DNS + rDNS records to the new generic roles - removed legacy per-role Cloudflare vars (MAILU_CLOUDFLARE_API_TOKEN) - extended group vars with HOSTING_PROVIDER for rDNS flavor decision - added hetzner.hcloud collection to requirements This consolidates DNS management into reusable roles, supports both Cloudflare and Hetzner providers, and standardizes variable naming across the project.
2025-10-31 18:29:21 +00:00 · 2025-08-16 21:43:01 +02:00
parent 838a55ea94
commit 2620ee088e
28 changed files with 437 additions and 159 deletions
--- a/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml
@@ -16,7 +16,7 @@
    url: "{{ cf_api_url }}?name={{ domain | to_primary_domain }}"
    method: GET
    headers:
-      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
      Content-Type: "application/json"
    return_content: yes
  register: cf_zone_lookup_dev
--- a/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml
@@ -3,7 +3,7 @@
    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/purge_cache"
    method: POST
    headers:
-      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
      Content-Type: "application/json"
    body:
      purge_everything: true
--- a/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml
@@ -1,7 +1,7 @@
 # roles/srv-proxy-6-6-domain/tasks/02_enable_cf_dev_mode.yml
 ---
 # Enables Cloudflare Development Mode (bypasses cache for ~3 hours).
-# Uses the same auth token as in 01_cleanup.yml: CERTBOT_DNS_API_TOKEN
+# Uses the same auth token as in 01_cleanup.yml: CLOUDFLARE_API_TOKEN
 # Assumes `domain` and (optionally) `cf_zone_id` are available.
 # Safe to run repeatedly; only changes when the mode is not already "on".

@@ -10,7 +10,7 @@
    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
    method: GET
    headers:
-      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
      Content-Type: "application/json"
    return_content: yes
  register: cf_dev_mode_current
@@ -21,7 +21,7 @@
    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
    method: PATCH
    headers:
-      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
      Content-Type: "application/json"
    body:
      value: "on"