refactor(dns): unify Cloudflare + Hetzner handling across roles

- replaced CERTBOT_DNS_API_TOKEN with CLOUDFLARE_API_TOKEN everywhere - introduced generic sys-dns-cloudflare-records role for managing DNS records - added sys-dns-hetzner-rdns role with both Cloud (hcloud) and Robot API flavors - updated Mailu role to: - generate DKIM before DNS setup - delegate DNS + rDNS records to the new generic roles - removed legacy per-role Cloudflare vars (MAILU_CLOUDFLARE_API_TOKEN) - extended group vars with HOSTING_PROVIDER for rDNS flavor decision - added hetzner.hcloud collection to requirements This consolidates DNS management into reusable roles, supports both Cloudflare and Hetzner providers, and standardizes variable naming across the project.
2025-08-29 15:06:26 +02:00 · 2025-08-16 21:43:01 +02:00
parent 838a55ea94
commit 2620ee088e
28 changed files with 437 additions and 159 deletions
--- a/roles/sys-dns-hetzner-rdns/README.md
+++ b/roles/sys-dns-hetzner-rdns/README.md
--- a/roles/sys-dns-hetzner-rdns/defaults/main.yml
+++ b/roles/sys-dns-hetzner-rdns/defaults/main.yml
@@ -0,0 +1,20 @@
+# Cloud (hcloud) token
+# @see https://docs.hetzner.com/cloud/api/getting-started/generating-api-token/
+HETZNER_API_TOKEN:      ""
+
+# Robot (dedicated) credentials
+# You can create an user here: https://robot.hetzner.com/preferences/index
+HETZNER_ROBOT_USER:     ""
+HETZNER_ROBOT_PASSWORD: ""
+
+HETZNER_ROBOT_BASE_URL: "https://robot-ws.your-server.de"
+
+hetzner_async_enabled:  "{{ ASYNC_ENABLED | bool }}"
+hetzner_async_time:     "{{ ASYNC_TIME }}"
+hetzner_async_poll:     "{{ ASYNC_POLL }}"
+hetzner_no_log:         "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+rdns_records:           []
+# Example:
+# rdns_records:
+#   - { resource: "server", ip_address: "1.2.3.4", dns_ptr: "mail.example.com" }
+#   - { resource: "primary_ip", identifier: "12345", ip_address: "2001:db8::1", dns_ptr: "mail.example.com" }
--- a/roles/sys-dns-hetzner-rdns/meta/main.yml
+++ b/roles/sys-dns-hetzner-rdns/meta/main.yml
@@ -0,0 +1,24 @@
+
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Generic role to manage reverse DNS (PTR) for Hetzner Cloud resources (server, primary_ip, floating_ip, load_balancer)."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  galaxy_tags:
+    - hetzner
+    - dns
+    - rdns
+    - ptr
+    - mail
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://docs.infinito.nexus"
+  logo:
+    class: "fa-solid fa-server"
+  run_after: []
+dependencies: []
--- a/roles/sys-dns-hetzner-rdns/tasks/flavors/cloud.yml
+++ b/roles/sys-dns-hetzner-rdns/tasks/flavors/cloud.yml
@@ -0,0 +1,93 @@
+---
+# Cloud flavor (hcloud API)
+- name: Resolve effective hcloud token
+  set_fact:
+    _hz_token: >-
+      {{ HETZNER_API_TOKEN
+         | default(lookup('env','HETZNER_API_TOKEN'), true)
+         | default('', true)
+      }}
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Assert hcloud token present
+  ansible.builtin.assert:
+    that: [ "_hz_token | length > 0" ]
+    fail_msg: "HETZNER_API_TOKEN is required for the Cloud flavor."
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Collect hcloud servers if needed (server records without identifier)
+  hetzner.hcloud.server_info:
+    api_token: "{{ _hz_token }}"
+  register: _servers_info
+  when: rdns_records | selectattr('resource','equalto','server') | selectattr('identifier','undefined') | list | length > 0
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Init normalized records list
+  set_fact:
+    _rdns_records: []
+
+- name: Normalize records (autofill server.identifier by IPv4)
+  vars:
+    _match_name: >-
+      {{
+        (_servers_info.servers | default([]))
+        | selectattr('public_net.ipv4.ip','equalto', rec.ip_address | default(''))
+        | map(attribute='name') | list | first | default('')
+      }}
+    _needs_autofill: >-
+      {{
+        rec.resource == 'server'
+        and (rec.identifier is not defined)
+        and (rec.ip_address | default('') | length > 0)
+      }}
+    _normalized: >-
+      {{
+        rec if (not _needs_autofill or _match_name == '')
+        else (rec | combine({'identifier': _match_name}))
+      }}
+  set_fact:
+    _rdns_records: "{{ _rdns_records + [ _normalized ] }}"
+  loop: "{{ rdns_records }}"
+  loop_control: { loop_var: rec }
+
+- name: Ensure server identifiers are resolved when required
+  assert:
+    that:
+      - >
+        (
+          (_rdns_records | selectattr('resource','equalto','server') | selectattr('identifier','defined') | list | length)
+          ==
+          (_rdns_records | selectattr('resource','equalto','server') | list | length)
+        )
+    fail_msg: "Could not resolve hcloud server by IPv4 for one or more records."
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Validate records (cloud)
+  ansible.builtin.assert:
+    that:
+      - (_rdns_records | default(rdns_records)) | length > 0
+      - (_rdns_records | default(rdns_records)) | selectattr('dns_ptr','defined') | list | length == ((_rdns_records | default(rdns_records)) | length)
+      - (_rdns_records | default(rdns_records)) | selectattr('ip_address','defined') | list | length == ((_rdns_records | default(rdns_records)) | length)
+      - (_rdns_records | default(rdns_records)) | selectattr('resource','defined') | list | length == ((_rdns_records | default(rdns_records)) | length)
+      - (
+          (_rdns_records | default(rdns_records)) | selectattr('resource','equalto','server') | selectattr('identifier','defined') | list | length
+          + ((_rdns_records | default(rdns_records)) | rejectattr('resource','equalto','server') | list | length)
+        ) == ((_rdns_records | default(rdns_records)) | length)
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Apply rDNS via hcloud
+  hetzner.hcloud.hcloud_rdns:
+    api_token: "{{ _hz_token }}"
+    server: "{{ (item.resource == 'server') | ternary(item.identifier, omit) }}"
+    primary_ip: "{{ (item.resource == 'primary_ip') | ternary(item.identifier, omit) }}"
+    floating_ip: "{{ (item.resource == 'floating_ip') | ternary(item.identifier, omit) }}"
+    load_balancer: "{{ (item.resource == 'load_balancer') | ternary(item.identifier, omit) }}"
+    ip_address: "{{ item.ip_address }}"
+    dns_ptr: "{{ item.dns_ptr }}"
+    state: present
+  loop: "{{ _rdns_records | default(rdns_records) }}"
+  loop_control:
+    label: "{{ item.resource }}[{{ item.identifier | default('auto-by-ipv4') }}] {{ item.ip_address }} -> {{ item.dns_ptr }}"
+  async: "{{ hetzner_async_enabled | ternary(hetzner_async_time, omit) }}"
+  poll: "{{ hetzner_async_enabled | ternary(hetzner_async_poll, omit) }}"
+  no_log: "{{ hetzner_no_log | bool }}"
--- a/roles/sys-dns-hetzner-rdns/tasks/flavors/robot.yml
+++ b/roles/sys-dns-hetzner-rdns/tasks/flavors/robot.yml
@@ -0,0 +1,42 @@
+---
+# Robot flavor (Robot Webservice API)
+- name: Assert Robot credentials present
+  ansible.builtin.assert:
+    that:
+      - (HETZNER_ROBOT_USER | default('') | length) > 0
+      - (HETZNER_ROBOT_PASSWORD | default('') | length) > 0
+    fail_msg: "Robot credentials required: HETZNER_ROBOT_USER / HETZNER_ROBOT_PASSWORD."
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Validate records (robot)
+  ansible.builtin.assert:
+    that:
+      - rdns_records | length > 0
+      - (rdns_records | selectattr('ip_address','defined') | list | length) == (rdns_records | length)
+      - (rdns_records | selectattr('dns_ptr','defined') | list | length) == (rdns_records | length)
+    fail_msg: "Each record must have ip_address and dns_ptr for Robot rDNS."
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Apply rDNS via Hetzner Robot API
+  vars:
+    hetzner_robot_base_url: "{{ HETZNER_ROBOT_BASE_URL }}"
+    ip_path: "{{ item.ip_address | urlencode }}"
+  ansible.builtin.uri:
+    url: "{{ hetzner_robot_base_url }}/rdns/{{ ip_path }}"
+    method: POST
+    user: "{{ HETZNER_ROBOT_USER }}"
+    password: "{{ HETZNER_ROBOT_PASSWORD }}"
+    force_basic_auth: true
+    headers:
+      Accept: application/json
+    body_format: form-urlencoded
+    body:
+      ptr: "{{ item.dns_ptr }}"
+    status_code: [200, 201]
+  loop: "{{ rdns_records }}"
+  loop_control:
+    label: "{{ item.ip_address }} -> {{ item.dns_ptr }}"
+  async: "{{ hetzner_async_enabled | ternary(hetzner_async_time, omit) }}"
+  poll: "{{ hetzner_async_enabled | ternary(hetzner_async_poll, omit) }}"
+  no_log: "{{ hetzner_no_log | bool }}"
+
--- a/roles/sys-dns-hetzner-rdns/tasks/main.yml
+++ b/roles/sys-dns-hetzner-rdns/tasks/main.yml
@@ -0,0 +1,33 @@
+# run_once_sys_dns_hetzner_rdns
+
+# Decide flavor
+- name: Decide which Hetzner flavor to use
+  set_fact:
+    _use_cloud: "{{ (HETZNER_API_TOKEN | length) > 0 }}"
+    _use_robot: >-
+      {{
+        (HETZNER_ROBOT_USER | length) > 0
+        and (HETZNER_ROBOT_PASSWORD | length) > 0
+      }}
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: "Note: both Cloud token and Robot creds provided; using Cloud flavor"
+  debug:
+    msg: "Both HETZNER_API_TOKEN and Robot credentials present → proceeding with Cloud (hcloud) flavor."
+  when: _use_cloud and _use_robot
+
+- name: Include Cloud flavor (hcloud)
+  include_tasks: flavors/cloud.yml
+  when: _use_cloud
+
+- name: Include Robot flavor (Robot Webservice)
+  include_tasks: flavors/robot.yml
+  when: (not _use_cloud) and _use_robot
+
+- name: Fail if no credentials provided
+  fail:
+    msg: >-
+      Neither Cloud nor Robot credentials provided.
+      Set either HETZNER_API_TOKEN for Cloud (hcloud) or
+      HETZNER_ROBOT_USER/HETZNER_ROBOT_PASSWORD for Robot.
+  when: (not _use_cloud) and (not _use_robot)