kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-29 15:06:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

refactor(dns): unify Cloudflare + Hetzner handling across roles

Browse Source 
- replaced CERTBOT_DNS_API_TOKEN with CLOUDFLARE_API_TOKEN everywhere
- introduced generic sys-dns-cloudflare-records role for managing DNS records
- added sys-dns-hetzner-rdns role with both Cloud (hcloud) and Robot API flavors
- updated Mailu role to:
  - generate DKIM before DNS setup
  - delegate DNS + rDNS records to the new generic roles
- removed legacy per-role Cloudflare vars (MAILU_CLOUDFLARE_API_TOKEN)
- extended group vars with HOSTING_PROVIDER for rDNS flavor decision
- added hetzner.hcloud collection to requirements

This consolidates DNS management into reusable roles,
supports both Cloudflare and Hetzner providers,
and standardizes variable naming across the project.
This commit is contained in:
Kevin Veen-Birkenbach
2025-08-16 21:43:01 +02:00
parent 838a55ea94
commit 2620ee088e
28 changed files with 437 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
roles/sys-dns-cloudflare-records/docs/CLOUDFLARE_API_TOKEN.md Normal file
View File

@@ -0,0 +1,61 @@
# Cloudflare API Token for Ansible (`CLOUDFLARE_API_TOKEN`)
This document explains how to generate and use a Cloudflare API Token for DNS automation and certificate operations in Ansible (e.g., with Certbot).
## Purpose
The `CLOUDFLARE_API_TOKEN` variable must contain a valid Cloudflare API Token.
This token is used for all DNS operations and ACME (SSL/TLS certificate) challenges that require access to your Cloudflare-managed domains.
**Never commit your API token to a public repository. Always keep it secure!**
---
## How to Create a Cloudflare API Token
### 1. Log In to Cloudflare
- Go to: [https://dash.cloudflare.com/](https://dash.cloudflare.com/) and log in.
### 2. Open the API Tokens Page
- Click your profile icon (top right) → **My Profile**
- In the sidebar, choose **API Tokens**
Or use this direct link: [https://dash.cloudflare.com/profile/api-tokens](https://dash.cloudflare.com/profile/api-tokens)
### 3. Click **Create Token**
### 4. Select **Custom Token**
- Give your token a descriptive name (e.g., `Ansible Certbot Automation`).
### 5. Set Permissions
Add the following permissions:
| Category | Permission | Access |
| -------- | ------------ | -------- |
| Zone | Zone | Read |
| Zone | DNS | Edit |
| Zone | Cache Purge | Purge |
- These permissions are required for DNS record management, CAA/SPF/DKIM handling, cache purging, and certificate provisioning.
### 6. Zone Resources
- **Zone Resources:** Set to `Include → All zones`
(Or restrict to specific zones as needed for your environment.)
### 7. Create and Save the Token
- Click **Continue to summary** and then **Create Token**.
- Copy the API Token. **It will only be shown once!**
---
## Using the Token in Ansible
Set the token in your Ansible inventory or secrets file:
```yaml
CLOUDFLARE_API_TOKEN: "cf_your_generated_token_here"