Optimized DKIM and DNS for mailu

roles/docker-mailu/tasks/TODO.md

@@ -0,0 +1,2 @@
+# Todos
+- Check if DKIM generation works on new setups

roles/docker-mailu/tasks/generate-and-read-dkim.yml

@@ -0,0 +1,13 @@
+- name: Generate DKIM key
+  command: >
+    docker compose exec -T antispam
+    rspamadm dkim_keygen -s dkim -d {{ applications[application_id].domain }} -k {{ applications[application_id].domain }}.dkim.key
+  register: dkim_keygen_output
+  chdir: "{{ docker_compose.directories.instance }}"
+
+- name: Extract DKIM record from parentheses
+  set_fact:
+    mailu_dkim_public_key: >-
+      {{ dkim_keygen_output.stdout
+         | regex_search('(?s)\((.*?)\)', '\\1')
+         | default('') }}

roles/docker-mailu/tasks/main.yml

@@ -42,7 +42,26 @@
     loop_var: item
   when: run_once_docker_mailu is not defined
 
-- name: Run the docker_mailu tasks once
+- name: "Load Mailu DNS variables"
+  include_vars: vars/mailu-dns.yml
+  when: dns_provider == 'cloudflare'
+
+- name: Generate DKIM public key
+  include_tasks: generate-and-read-dkim.yml
+  when:
+    - not applications[application_id].credentials.dkim_public_key is defined
+
+- name: Set DKIM public key
+  set_fact:
+    mailu_dkim_public_key: >-
+      {{ applications[application_id].credentials.dkim_public_key }}
+  when: applications[application_id].credentials.dkim_public_key is defined
+
+- name: Set Mailu DNS records
+  include_tasks: set-mailu-dns-records.yml
+  when: dns_provider == 'cloudflare'
+
+- name: Run the docker_mailu roles once
   set_fact:
     run_once_docker_mailu: true
   when: run_once_docker_mailu is not defined

roles/docker-mailu/tasks/set-mailu-dns-records.yml

@@ -0,0 +1,80 @@
+- name: "Set A record for mail server"
+  community.general.cloudflare_dns:
+    api_token: "{{ cloudflare_record_api_token }}"
+    zone: "{{ mailu_dns_zone }}"
+    type: A
+    name: "{{ domain }}"
+    content: "{{ mailu_dns_ip }}"
+    proxied: false
+    ttl: 3600
+    state: present
+
+- name: "Set CNAME record for autoconfig"
+  community.general.cloudflare_dns:
+    api_token: "{{ cloudflare_record_api_token }}"
+    zone: "{{ mailu_dns_zone }}"
+    type: CNAME
+    name: "autoconfig.{{ mailu_dns_zone }}"
+    value: "{{ domain }}"
+    proxied: false
+    ttl: 3600
+    state: present
+
+- name: "Set MX record"
+  community.general.cloudflare_dns:
+    api_token: "{{ cloudflare_record_api_token }}"
+    zone: "{{ mailu_dns_zone }}"
+    type: MX
+    name: "{{ mailu_dns_zone }}"
+    value: "{{ domain }}"
+    priority: 10
+    ttl: 3600
+    state: present
+
+- name: "Set SRV records"
+  community.general.cloudflare_dns:
+    api_token: "{{ cloudflare_record_api_token }}"
+    zone: "{{ mailu_dns_zone }}"
+    type: SRV
+    name: "_{{ item.key }}._tcp"
+    data:
+      service: "_{{ item.key }}"
+      proto: "_tcp"
+      name: "{{ mailu_dns_zone }}"
+      priority: "{{ item.value.priority }}"
+      weight: "{{ item.value.weight }}"
+      port: "{{ item.value.port }}"
+      target: "{{ domain }}"
+    ttl: 3600
+    state: present
+  loop: "{{ mailu_dns_srv_records | dict2items }}"
+
+- name: "Set SPF TXT record"
+  community.general.cloudflare_dns:
+    api_token: "{{ cloudflare_record_api_token }}"
+    zone: "{{ mailu_dns_zone }}"
+    type: TXT
+    name: "{{ mailu_dns_zone }}"
+    value: "v=spf1 mx a:{{ domain }} ~all"
+    ttl: 3600
+    state: present
+
+- name: "Set DMARC TXT record"
+  community.general.cloudflare_dns:
+    api_token: "{{ cloudflare_record_api_token }}"
+    zone: "{{ mailu_dns_zone }}"
+    type: TXT
+    name: "_dmarc.{{ mailu_dns_zone }}"
+    value: "v=DMARC1; p=reject; ruf=mailto:{{ mailu_dmarc_ruf }}; adkim=s; aspf=s"
+    ttl: 3600
+    state: present
+
+- name: "Set DKIM TXT record"
+  community.general.cloudflare_dns:
+    api_token: "{{ cloudflare_record_api_token }}"
+    zone: "{{ mailu_dns_zone }}"
+    type: TXT
+    name: "dkim._domainkey.{{ mailu_dns_zone }}"
+    value: "{{ mailu_dkim_public_key }}"
+    ttl: 3600
+    state: present