Optimized DKIM and DNS for mailu

roles/letsencrypt/tasks/main.yml

@@ -5,6 +5,12 @@
   notify: restart nginx
   when: run_once_letsencrypt is not defined
 
+- name: "Set CAA records for all base domains"
+  include_tasks: set-caa-records.yml
+  when:
+    - dns_provider == 'cloudflare'
+    - run_once_letsencrypt is not defined
+
 - name: flush nginx service
   meta: flush_handlers
   when: run_once_letsencrypt is not defined

roles/letsencrypt/tasks/set-caa-records.yml

@@ -0,0 +1,28 @@
+---
+# tasks/main.yml
+# Creates and sets CAA records (issue, issuewild, iodef) for all base domains
+
+- name: "Define CAA entries"
+  set_fact:
+    caa_entries:
+      - tag: issue
+        value: "letsencrypt.org"
+      - tag: issuewild
+        value: "letsencrypt.org"
+      - tag: iodef
+        value: "mailto:{{ users.administrator.email }}"
+
+- name: "Ensure all CAA records are present"
+  community.general.cloudflare_dns:
+    api_token: "{{ certbot_dns_api_token }}"
+    zone:     "{{ item.0 }}"
+    record:   "@"
+    type:     CAA
+    flag:     0
+    tag:      "{{ item.1.tag }}"
+    value:    "{{ item.1.value }}"
+    ttl:      1
+    state:    present
+  loop: "{{ base_sld_domains | product(caa_entries) | list }}"
+  loop_control:
+    label: "{{ item.0 }} → {{ item.1.tag }}"