Fix variable definition test to detect set_fact and ansible.builtin.set_fact (both block and inline forms)

- Support fully qualified ansible.builtin.set_fact - Parse inline set_fact mappings (e.g. set_fact: { a: 1, b: 2 }) - Continue scanning inside vars/set_fact blocks for Jinja {% set %}, {% for %}, and {% macro %} - Ensures variables defined by set_fact are correctly recognized as defined
refactor(dns): unify Cloudflare + Hetzner handling across roles
2025-09-08 03:07:14 +02:00 · 2025-08-16 23:51:27 +02:00 · 2025-08-16 21:43:01 +02:00 · 2025-08-16 18:38:22 +02:00 · 2025-08-16 18:17:09 +02:00 · 2025-08-16 18:03:44 +02:00
40 changed files with 531 additions and 215 deletions
--- a/Todo.md
+++ b/Todo.md
@@ -1,4 +1,5 @@
 # Todos
 - Implement multi language
 - Implement rbac administration interface
- Implement ``MASK_CREDENTIALS_IN_LOGS`` for all sensible tasks
+- Implement ``MASK_CREDENTIALS_IN_LOGS`` for all sensible tasks
+- [Enable IP6 for docker](https://chatgpt.com/share/68a0acb8-db20-800f-9d2c-b34e38b5cdee). 
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@@ -43,11 +43,12 @@ ACTIVATE_ALL_TIMERS:                      false   # Activates all timers, indepe

 DNS_PROVIDER:                             cloudflare              # The DNS Provider\Registrar for the domain

+HOSTING_PROVIDER:                         hetzner                 # Provider which hosts the server
+
 # Which ACME method to use: webroot, cloudflare, or hetzner
 CERTBOT_ACME_CHALLENGE_METHOD:            "cloudflare"
 CERTBOT_CREDENTIALS_DIR:                  /etc/certbot
 CERTBOT_CREDENTIALS_FILE:                 "{{ CERTBOT_CREDENTIALS_DIR }}/{{ CERTBOT_ACME_CHALLENGE_METHOD }}.ini"
-CERTBOT_DNS_API_TOKEN:                    ""                      # Define in inventory file: More information here: group_vars/all/docs/CLOUDFLARE_API_TOKEN.md
 CERTBOT_DNS_PROPAGATION_WAIT_SECONDS:     300                     # How long should the script wait for DNS propagation before continuing
 CERTBOT_FLAVOR:                           san                     # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated

--- a/group_vars/all/12_oidc.yml
+++ b/group_vars/all/12_oidc.yml
@@ -8,14 +8,14 @@
 # @see https://en.wikipedia.org/wiki/OpenID_Connect

 ## Helper Variables:
-_oidc_client_realm:         "{{ OIDC.CLIENT.ISSUER_URL if OIDC.CLIENT is defined and OIDC.CLIENT.ISSUER_URL is defined else SOFTWARE_NAME | lower }}"
+_oidc_client_realm:         "{{ OIDC.CLIENT.REALM if OIDC.CLIENT is defined and OIDC.CLIENT.REALM is defined else SOFTWARE_NAME | lower }}"
 _oidc_url:                  "{{ 
                                (OIDC.URL 
                                  if (oidc is defined and OIDC.URL is defined) 
                                  else WEB_PROTOCOL ~ '://' ~ (domains | get_domain('web-app-keycloak'))
                                ) 
                            }}"
-_oidc_client_issuer_url:    "{{ _oidc_url }}/realms/{{_oidc_client_realm}}"
+_oidc_client_issuer_url:    "{{ _oidc_url }}/realms/{{_oidc_client_realm}}/"
 _oidc_client_id:            "{{ OIDC.CLIENT.ID if OIDC.CLIENT is defined and OIDC.CLIENT.ID is defined else SOFTWARE_NAME | lower }}"

 defaults_oidc:
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,5 +1,6 @@
 collections:
  - name: kewlfft.aur
  - name: community.general
+  - name: hetzner.hcloud
 yay:
  - python-simpleaudio
--- a/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml
@@ -16,13 +16,14 @@
    url: "{{ cf_api_url }}?name={{ domain | to_primary_domain }}"
    method: GET
    headers:
-      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
      Content-Type: "application/json"
    return_content: yes
  register: cf_zone_lookup_dev
  changed_when: false
  when:
    - not cf_zone_id
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

 - name: "Set fact cf_zone_id and update cache dict"
  set_fact:
--- a/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/cloudflare/01_cleanup.yml
@@ -3,7 +3,7 @@
    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/purge_cache"
    method: POST
    headers:
-      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
      Content-Type: "application/json"
    body:
      purge_everything: true
--- a/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/cloudflare/02_enable_cf_dev_mode.yml
@@ -1,7 +1,7 @@
 # roles/srv-proxy-6-6-domain/tasks/02_enable_cf_dev_mode.yml
 ---
 # Enables Cloudflare Development Mode (bypasses cache for ~3 hours).
-# Uses the same auth token as in 01_cleanup.yml: CERTBOT_DNS_API_TOKEN
+# Uses the same auth token as in 01_cleanup.yml: CLOUDFLARE_API_TOKEN
 # Assumes `domain` and (optionally) `cf_zone_id` are available.
 # Safe to run repeatedly; only changes when the mode is not already "on".

@@ -10,7 +10,7 @@
    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
    method: GET
    headers:
-      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
      Content-Type: "application/json"
    return_content: yes
  register: cf_dev_mode_current
@@ -21,7 +21,7 @@
    url: "https://api.cloudflare.com/client/v4/zones/{{ cf_zone_id }}/settings/development_mode"
    method: PATCH
    headers:
-      Authorization: "Bearer {{ CERTBOT_DNS_API_TOKEN }}"
+      Authorization: "Bearer {{ CLOUDFLARE_API_TOKEN }}"
      Content-Type: "application/json"
    body:
      value: "on"
--- a/roles/srv-web-7-7-dns-records/tasks/main.yml
+++ b/roles/srv-web-7-7-dns-records/tasks/main.yml
@@ -2,7 +2,7 @@

 - name: Create or update Cloudflare A-record for {{ item }}
  community.general.cloudflare_dns:
-    api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
+    api_token: "{{ CLOUDFLARE_API_TOKEN }}"
    zone: "{{ item.split('.')[-2:] | join('.') }}"
    state: present
    type: A
--- a/roles/srv-web-7-7-letsencrypt/tasks/01_set-caa-records.yml
+++ b/roles/srv-web-7-7-letsencrypt/tasks/01_set-caa-records.yml
@@ -1,14 +1,14 @@
 ---

- name: "Validate CERTBOT_DNS_API_TOKEN"
+- name: "Validate CLOUDFLARE_API_TOKEN"
  fail:
    msg: >
-      The variable "CERTBOT_DNS_API_TOKEN" must be defined and cannot be empty!
-  when: (CERTBOT_DNS_API_TOKEN | default('') | trim) == ''
+      The variable "CLOUDFLARE_API_TOKEN" must be defined and cannot be empty!
+  when: (CLOUDFLARE_API_TOKEN | default('') | trim) == ''

 - name: "Ensure all CAA records are present"
  community.general.cloudflare_dns:
-    api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
+    api_token: "{{ CLOUDFLARE_API_TOKEN }}"
    zone:     "{{ item.0 }}"
    record:   "@"
    type:     CAA
--- a/roles/sys-dns-cloudflare-records/README.md
+++ b/roles/sys-dns-cloudflare-records/README.md
@@ -0,0 +1,24 @@
+# 🌐 Cloudflare DNS Records
+
+## Description
+
+Generic, data-driven role to manage DNS records on Cloudflare (A/AAAA, CNAME, MX, TXT, SRV).  
+Designed for reuse across apps (e.g., Mailu) and environments.
+
+## Overview
+
+This role wraps `community.general.cloudflare_dns` and applies records from a single
+structured variable (`cloudflare_records`). It supports async operations and
+can be used to provision all required records for a service in one task.
+
+## Features
+
+- Data-driven input for multiple record types
+- Supports A/AAAA, CNAME, MX, TXT, SRV
+- Optional async execution
+- Minimal logging of secrets
+
+## Further Resources
+
+- [Cloudflare Dashboard → API Tokens](https://dash.cloudflare.com/profile/api-tokens)
+- [Ansible Collection: community.general.cloudflare_dns](https://docs.ansible.com/ansible/latest/collections/community/general/cloudflare_dns_module.html)
--- a/roles/sys-dns-cloudflare-records/defaults/main.yml
+++ b/roles/sys-dns-cloudflare-records/defaults/main.yml
@@ -0,0 +1,12 @@
+# Cloudflare API Token
+# More information here: group_vars/all/docs/CLOUDFLARE_API_TOKEN.md
+CLOUDFLARE_API_TOKEN:     ""
+
+cloudflare_async_enabled: "{{ ASYNC_ENABLED | bool }}"
+cloudflare_async_time:    "{{ ASYNC_TIME }}"
+cloudflare_async_poll:    "{{ ASYNC_POLL }}"
+cloudflare_no_log:        "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+# Supported types:
+#  A/AAAA (content), CNAME/MX/TXT (value, MX hat priority), SRV (service/proto/…)
+cloudflare_records: []
--- a/roles/sys-dns-cloudflare-records/docs/CLOUDFLARE_API_TOKEN.md
+++ b/roles/sys-dns-cloudflare-records/docs/CLOUDFLARE_API_TOKEN.md
@@ -1,10 +1,10 @@
-# Cloudflare API Token for Ansible (`CERTBOT_DNS_API_TOKEN`)
+# Cloudflare API Token for Ansible (`CLOUDFLARE_API_TOKEN`)

 This document explains how to generate and use a Cloudflare API Token for DNS automation and certificate operations in Ansible (e.g., with Certbot).

 ## Purpose

-The `CERTBOT_DNS_API_TOKEN` variable must contain a valid Cloudflare API Token.  
+The `CLOUDFLARE_API_TOKEN` variable must contain a valid Cloudflare API Token.  
 This token is used for all DNS operations and ACME (SSL/TLS certificate) challenges that require access to your Cloudflare-managed domains.

 **Never commit your API token to a public repository. Always keep it secure!**
@@ -58,4 +58,4 @@ Add the following permissions:
 Set the token in your Ansible inventory or secrets file:

 ```yaml
-CERTBOT_DNS_API_TOKEN: "cf_your_generated_token_here"
+CLOUDFLARE_API_TOKEN: "cf_your_generated_token_here"
--- a/roles/sys-dns-cloudflare-records/meta/main.yml
+++ b/roles/sys-dns-cloudflare-records/meta/main.yml
@@ -0,0 +1,23 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Generic role to manage Cloudflare DNS records (A/AAAA, CNAME, MX, TXT, SRV) in a data-driven way."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  galaxy_tags:
+    - cloudflare
+    - dns
+    - records
+    - mail
+    - automation
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://docs.infinito.nexus"
+  logo:
+    class: "fa-solid fa-cloud"
+  run_after: []
+dependencies: []
--- a/roles/sys-dns-cloudflare-records/tasks/main.yml
+++ b/roles/sys-dns-cloudflare-records/tasks/main.yml
@@ -0,0 +1,105 @@
+---
+# run_once_sys_dns_cloudflare_records: deactivated
+
+- name: Assert token
+  ansible.builtin.assert:
+    that: [ "CLOUDFLARE_API_TOKEN | length > 0" ]
+  no_log: "{{ cloudflare_no_log | bool }}"
+
+- name: Apply A/AAAA
+  community.general.cloudflare_dns:
+    api_token: "{{ CLOUDFLARE_API_TOKEN }}"
+    zone: "{{ item.zone }}"
+    type: "{{ item.type }}"
+    name: "{{ item.name }}"
+    content: "{{ item.content }}"
+    proxied: "{{ item.proxied | default(false) }}"
+    ttl: "{{ item.ttl | default(1) }}"
+    state: "{{ item.state | default('present') }}"
+  loop: "{{ cloudflare_records | selectattr('type','in',['A','AAAA']) | list }}"
+  loop_control: { label: "{{ item.type }} {{ item.name }} -> {{ item.content }}" }
+  async: "{{ cloudflare_async_enabled | ternary(cloudflare_async_time, omit) }}"
+  poll: "{{ cloudflare_async_enabled | ternary(cloudflare_async_poll, omit) }}"
+  no_log: "{{ cloudflare_no_log | bool }}"
+  register: _cf_call
+  failed_when: >
+    _cf_call is failed and
+    (
+      ('An identical record already exists' not in (_cf_call.msg | default('') | string))
+      and
+      ('81058' not in (_cf_call.msg | default('') | string))
+    )
+  changed_when: >
+    (_cf_call.changed | default(false)) and
+    (
+      ('An identical record already exists' not in (_cf_call.msg | default('') | string))
+      and
+      ('81058' not in (_cf_call.msg | default('') | string))
+    )
+
+- name: Apply CNAME/MX/TXT
+  community.general.cloudflare_dns:
+    api_token: "{{ CLOUDFLARE_API_TOKEN }}"
+    zone: "{{ item.zone }}"
+    type: "{{ item.type }}"
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    ttl: "{{ item.ttl | default(1) }}"
+    priority: "{{ (item.type == 'MX') | ternary(item.priority | default(10), omit) }}"
+    state: "{{ item.state | default('present') }}"
+  loop: "{{ cloudflare_records | selectattr('type','in',['CNAME','MX','TXT']) | list }}"
+  loop_control: { label: "{{ item.type }} {{ item.name }} -> {{ item.value }}" }
+  async: "{{ cloudflare_async_enabled | ternary(cloudflare_async_time, omit) }}"
+  poll: "{{ cloudflare_async_enabled | ternary(cloudflare_async_poll, omit) }}"
+  no_log: "{{ cloudflare_no_log | bool }}"
+  register: _cf_call
+  failed_when: >
+    _cf_call is failed and
+    (
+      ('An identical record already exists' not in (_cf_call.msg | default('') | string))
+      and
+      ('81058' not in (_cf_call.msg | default('') | string))
+    )
+  changed_when: >
+    (_cf_call.changed | default(false)) and
+    (
+      ('An identical record already exists' not in (_cf_call.msg | default('') | string))
+      and
+      ('81058' not in (_cf_call.msg | default('') | string))
+    )
+
+- name: Apply SRV
+  community.general.cloudflare_dns:
+    api_token: "{{ CLOUDFLARE_API_TOKEN }}"
+    zone: "{{ item.zone }}"
+    type: SRV
+    service: "{{ item.service }}"
+    proto: "{{ item.proto }}"
+    name: "{{ item.name }}"
+    priority: "{{ item.priority }}"
+    weight: "{{ item.weight }}"
+    port: "{{ item.port }}"
+    value: "{{ item.value }}"
+    ttl: "{{ item.ttl | default(1) }}"
+    state: "{{ item.state | default('present') }}"
+  loop: "{{ cloudflare_records | selectattr('type','equalto','SRV') | list }}"
+  loop_control: { label: "SRV {{ item.service }}.{{ item.proto }} {{ item.name }} -> {{ item.value }}:{{ item.port }}" }
+  ignore_errors: "{{ item.ignore_errors | default(true) }}"
+  async: "{{ cloudflare_async_enabled | ternary(cloudflare_async_time, omit) }}"
+  poll: "{{ cloudflare_async_enabled | ternary(cloudflare_async_poll, omit) }}"
+  no_log: "{{ cloudflare_no_log | bool }}"
+  register: _cf_call
+  failed_when: >
+    _cf_call is failed and
+    (
+      ('An identical record already exists' not in (_cf_call.msg | default('') | string))
+      and
+      ('81058' not in (_cf_call.msg | default('') | string))
+    )
+  changed_when: >
+    (_cf_call.changed | default(false)) and
+    (
+      ('An identical record already exists' not in (_cf_call.msg | default('') | string))
+      and
+      ('81058' not in (_cf_call.msg | default('') | string))
+    )
--- a/roles/sys-dns-hetzner-rdns/README.md
+++ b/roles/sys-dns-hetzner-rdns/README.md
--- a/roles/sys-dns-hetzner-rdns/defaults/main.yml
+++ b/roles/sys-dns-hetzner-rdns/defaults/main.yml
@@ -0,0 +1,20 @@
+# Cloud (hcloud) token
+# @see https://docs.hetzner.com/cloud/api/getting-started/generating-api-token/
+HETZNER_API_TOKEN:      ""
+
+# Robot (dedicated) credentials
+# You can create an user here: https://robot.hetzner.com/preferences/index
+HETZNER_ROBOT_USER:     ""
+HETZNER_ROBOT_PASSWORD: ""
+
+HETZNER_ROBOT_BASE_URL: "https://robot-ws.your-server.de"
+
+hetzner_async_enabled:  "{{ ASYNC_ENABLED | bool }}"
+hetzner_async_time:     "{{ ASYNC_TIME }}"
+hetzner_async_poll:     "{{ ASYNC_POLL }}"
+hetzner_no_log:         "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+rdns_records:           []
+# Example:
+# rdns_records:
+#   - { resource: "server", ip_address: "1.2.3.4", dns_ptr: "mail.example.com" }
+#   - { resource: "primary_ip", identifier: "12345", ip_address: "2001:db8::1", dns_ptr: "mail.example.com" }
--- a/roles/sys-dns-hetzner-rdns/meta/main.yml
+++ b/roles/sys-dns-hetzner-rdns/meta/main.yml
@@ -0,0 +1,24 @@
+
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Generic role to manage reverse DNS (PTR) for Hetzner Cloud resources (server, primary_ip, floating_ip, load_balancer)."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  galaxy_tags:
+    - hetzner
+    - dns
+    - rdns
+    - ptr
+    - mail
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://docs.infinito.nexus"
+  logo:
+    class: "fa-solid fa-server"
+  run_after: []
+dependencies: []
--- a/roles/sys-dns-hetzner-rdns/tasks/flavors/cloud.yml
+++ b/roles/sys-dns-hetzner-rdns/tasks/flavors/cloud.yml
@@ -0,0 +1,93 @@
+---
+# Cloud flavor (hcloud API)
+- name: Resolve effective hcloud token
+  set_fact:
+    _hz_token: >-
+      {{ HETZNER_API_TOKEN
+         | default(lookup('env','HETZNER_API_TOKEN'), true)
+         | default('', true)
+      }}
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Assert hcloud token present
+  ansible.builtin.assert:
+    that: [ "_hz_token | length > 0" ]
+    fail_msg: "HETZNER_API_TOKEN is required for the Cloud flavor."
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Collect hcloud servers if needed (server records without identifier)
+  hetzner.hcloud.server_info:
+    api_token: "{{ _hz_token }}"
+  register: _servers_info
+  when: rdns_records | selectattr('resource','equalto','server') | selectattr('identifier','undefined') | list | length > 0
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Init normalized records list
+  set_fact:
+    _rdns_records: []
+
+- name: Normalize records (autofill server.identifier by IPv4)
+  vars:
+    _match_name: >-
+      {{
+        (_servers_info.servers | default([]))
+        | selectattr('public_net.ipv4.ip','equalto', rec.ip_address | default(''))
+        | map(attribute='name') | list | first | default('')
+      }}
+    _needs_autofill: >-
+      {{
+        rec.resource == 'server'
+        and (rec.identifier is not defined)
+        and (rec.ip_address | default('') | length > 0)
+      }}
+    _normalized: >-
+      {{
+        rec if (not _needs_autofill or _match_name == '')
+        else (rec | combine({'identifier': _match_name}))
+      }}
+  set_fact:
+    _rdns_records: "{{ _rdns_records + [ _normalized ] }}"
+  loop: "{{ rdns_records }}"
+  loop_control: { loop_var: rec }
+
+- name: Ensure server identifiers are resolved when required
+  assert:
+    that:
+      - >
+        (
+          (_rdns_records | selectattr('resource','equalto','server') | selectattr('identifier','defined') | list | length)
+          ==
+          (_rdns_records | selectattr('resource','equalto','server') | list | length)
+        )
+    fail_msg: "Could not resolve hcloud server by IPv4 for one or more records."
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Validate records (cloud)
+  ansible.builtin.assert:
+    that:
+      - (_rdns_records | default(rdns_records)) | length > 0
+      - (_rdns_records | default(rdns_records)) | selectattr('dns_ptr','defined') | list | length == ((_rdns_records | default(rdns_records)) | length)
+      - (_rdns_records | default(rdns_records)) | selectattr('ip_address','defined') | list | length == ((_rdns_records | default(rdns_records)) | length)
+      - (_rdns_records | default(rdns_records)) | selectattr('resource','defined') | list | length == ((_rdns_records | default(rdns_records)) | length)
+      - (
+          (_rdns_records | default(rdns_records)) | selectattr('resource','equalto','server') | selectattr('identifier','defined') | list | length
+          + ((_rdns_records | default(rdns_records)) | rejectattr('resource','equalto','server') | list | length)
+        ) == ((_rdns_records | default(rdns_records)) | length)
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Apply rDNS via hcloud
+  hetzner.hcloud.hcloud_rdns:
+    api_token: "{{ _hz_token }}"
+    server: "{{ (item.resource == 'server') | ternary(item.identifier, omit) }}"
+    primary_ip: "{{ (item.resource == 'primary_ip') | ternary(item.identifier, omit) }}"
+    floating_ip: "{{ (item.resource == 'floating_ip') | ternary(item.identifier, omit) }}"
+    load_balancer: "{{ (item.resource == 'load_balancer') | ternary(item.identifier, omit) }}"
+    ip_address: "{{ item.ip_address }}"
+    dns_ptr: "{{ item.dns_ptr }}"
+    state: present
+  loop: "{{ _rdns_records | default(rdns_records) }}"
+  loop_control:
+    label: "{{ item.resource }}[{{ item.identifier | default('auto-by-ipv4') }}] {{ item.ip_address }} -> {{ item.dns_ptr }}"
+  async: "{{ hetzner_async_enabled | ternary(hetzner_async_time, omit) }}"
+  poll: "{{ hetzner_async_enabled | ternary(hetzner_async_poll, omit) }}"
+  no_log: "{{ hetzner_no_log | bool }}"
--- a/roles/sys-dns-hetzner-rdns/tasks/flavors/robot.yml
+++ b/roles/sys-dns-hetzner-rdns/tasks/flavors/robot.yml
@@ -0,0 +1,42 @@
+---
+# Robot flavor (Robot Webservice API)
+- name: Assert Robot credentials present
+  ansible.builtin.assert:
+    that:
+      - (HETZNER_ROBOT_USER | default('') | length) > 0
+      - (HETZNER_ROBOT_PASSWORD | default('') | length) > 0
+    fail_msg: "Robot credentials required: HETZNER_ROBOT_USER / HETZNER_ROBOT_PASSWORD."
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Validate records (robot)
+  ansible.builtin.assert:
+    that:
+      - rdns_records | length > 0
+      - (rdns_records | selectattr('ip_address','defined') | list | length) == (rdns_records | length)
+      - (rdns_records | selectattr('dns_ptr','defined') | list | length) == (rdns_records | length)
+    fail_msg: "Each record must have ip_address and dns_ptr for Robot rDNS."
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: Apply rDNS via Hetzner Robot API
+  vars:
+    hetzner_robot_base_url: "{{ HETZNER_ROBOT_BASE_URL }}"
+    ip_path: "{{ item.ip_address | urlencode }}"
+  ansible.builtin.uri:
+    url: "{{ hetzner_robot_base_url }}/rdns/{{ ip_path }}"
+    method: POST
+    user: "{{ HETZNER_ROBOT_USER }}"
+    password: "{{ HETZNER_ROBOT_PASSWORD }}"
+    force_basic_auth: true
+    headers:
+      Accept: application/json
+    body_format: form-urlencoded
+    body:
+      ptr: "{{ item.dns_ptr }}"
+    status_code: [200, 201]
+  loop: "{{ rdns_records }}"
+  loop_control:
+    label: "{{ item.ip_address }} -> {{ item.dns_ptr }}"
+  async: "{{ hetzner_async_enabled | ternary(hetzner_async_time, omit) }}"
+  poll: "{{ hetzner_async_enabled | ternary(hetzner_async_poll, omit) }}"
+  no_log: "{{ hetzner_no_log | bool }}"
+
--- a/roles/sys-dns-hetzner-rdns/tasks/main.yml
+++ b/roles/sys-dns-hetzner-rdns/tasks/main.yml
@@ -0,0 +1,33 @@
+# run_once_sys_dns_hetzner_rdns
+
+# Decide flavor
+- name: Decide which Hetzner flavor to use
+  set_fact:
+    _use_cloud: "{{ (HETZNER_API_TOKEN | length) > 0 }}"
+    _use_robot: >-
+      {{
+        (HETZNER_ROBOT_USER | length) > 0
+        and (HETZNER_ROBOT_PASSWORD | length) > 0
+      }}
+  no_log: "{{ hetzner_no_log | bool }}"
+
+- name: "Note: both Cloud token and Robot creds provided; using Cloud flavor"
+  debug:
+    msg: "Both HETZNER_API_TOKEN and Robot credentials present → proceeding with Cloud (hcloud) flavor."
+  when: _use_cloud and _use_robot
+
+- name: Include Cloud flavor (hcloud)
+  include_tasks: flavors/cloud.yml
+  when: _use_cloud
+
+- name: Include Robot flavor (Robot Webservice)
+  include_tasks: flavors/robot.yml
+  when: (not _use_cloud) and _use_robot
+
+- name: Fail if no credentials provided
+  fail:
+    msg: >-
+      Neither Cloud nor Robot credentials provided.
+      Set either HETZNER_API_TOKEN for Cloud (hcloud) or
+      HETZNER_ROBOT_USER/HETZNER_ROBOT_PASSWORD for Robot.
+  when: (not _use_cloud) and (not _use_robot)
--- a/roles/sys-hlth-csp/handlers/main.yml
+++ b/roles/sys-hlth-csp/handlers/main.yml
@@ -3,3 +3,10 @@
    name: sys-hlth-csp{{ SYS_SERVICE_SUFFIX }}
    enabled: yes
    daemon_reload: yes
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+
+- name: rebuild checkcsp docker image
+  shell: checkcsp build
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
--- a/roles/sys-hlth-csp/tasks/01_core.yml
+++ b/roles/sys-hlth-csp/tasks/01_core.yml
@@ -8,10 +8,7 @@
    name: pkgmgr-install
  vars:
    package_name: checkcsp
-
- name: rebuild checkcsp docker image
-  shell: checkcsp build
-  # Todo this could be optimized in the future
+    package_notify: rebuild checkcsp docker image

 - name: "create {{ health_csp_crawler_folder }}"
  file:
--- a/roles/sys-svc-cert-sync-docker/files/sys-svc-cert-sync-docker.sh
+++ b/roles/sys-svc-cert-sync-docker/files/sys-svc-cert-sync-docker.sh
@@ -2,7 +2,7 @@

 # Check if the necessary parameters are provided
 if [ "$#" -ne 3 ]; then
-    echo "Usage: $0 <ssl_cert_folder> <docker_compose_instance_directory>"
+    echo "Usage: $0 <ssl_cert_folder> <docker_compose_instance_directory> <letsencrypt_live_path>"
    exit 1
 fi

--- a/roles/sys-svc-cert-sync-docker/handlers/main.yml
+++ b/roles/sys-svc-cert-sync-docker/handlers/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: "restart tls deploy to docker service"
  systemd:
-    name:           "{{ CERT_SYNC_DOCKER_SERVICE_NAME }}"
+    name:           "{{ CERT_SYNC_DOCKER_SERVICE_NAME_FULL }}"
    state:          restarted
    enabled:        yes
    daemon_reload:  yes
--- a/roles/sys-svc-cert-sync-docker/tasks/main.yml
+++ b/roles/sys-svc-cert-sync-docker/tasks/main.yml
@@ -11,17 +11,17 @@
    mode: "0755"
  notify: restart tls deploy to docker service

- name: configure sys-svc-cert-sync-docker service
+- name: Copy {{ CERT_SYNC_DOCKER_SERVICE_NAME_FULL }}
  template:
-    src: "sys-svc-cert-sync-docker.service.j2"
-    dest: "/etc/systemd/system/{{ CERT_SYNC_DOCKER_SERVICE_NAME }}"
+    src: "{{ CERT_SYNC_DOCKER_BASE }}.service.j2"
+    dest: "/etc/systemd/system/{{ CERT_SYNC_DOCKER_SERVICE_NAME_FULL }}"
  notify: restart tls deploy to docker service

- name: "include role for sys-timer for {{ service_name }}"
+- name: "include role for sys-timer for {{ CERT_SYNC_DOCKER_SERVICE_NAME_FULL }}"
  include_role:
    name: sys-timer
  vars:
    on_calendar: "{{ on_calendar_deploy_certificates }}"
-    service_name: "{{ CERT_SYNC_DOCKER_SERVICE_NAME }}"
+    service_name: "{{ CERT_SYNC_DOCKER_SERVICE_NAME_BASE }}"
    persistent: "true"

--- a/roles/sys-svc-cert-sync-docker/vars/main.yml
+++ b/roles/sys-svc-cert-sync-docker/vars/main.yml
@@ -1,3 +1,6 @@
-CERT_SYNC_DOCKER_SCRIPT_FILE:   "sys-svc-cert-sync-docker.sh"
-CERT_SYNC_DOCKER_SCRIPT_PATH:   "{{ PATH_ADMINISTRATOR_SCRIPTS }}{{ CERT_SYNC_DOCKER_SCRIPT_FILE }}"
-CERT_SYNC_DOCKER_SERVICE_NAME:  "sys-svc-cert-sync-docker.{{ application_id }}{{ SYS_SERVICE_SUFFIX }}"
+
+CERT_SYNC_DOCKER_BASE:               "sys-svc-cert-sync-docker"
+CERT_SYNC_DOCKER_SCRIPT_FILE:        "{{ CERT_SYNC_DOCKER_BASE }}.sh"
+CERT_SYNC_DOCKER_SCRIPT_PATH:        "{{ PATH_ADMINISTRATOR_SCRIPTS }}{{ CERT_SYNC_DOCKER_SCRIPT_FILE }}"
+CERT_SYNC_DOCKER_SERVICE_NAME_BASE:  "{{ application_id | get_entity_name }}.{{ CERT_SYNC_DOCKER_BASE }}"
+CERT_SYNC_DOCKER_SERVICE_NAME_FULL:  "{{ CERT_SYNC_DOCKER_SERVICE_NAME_BASE }}{{ SYS_SERVICE_SUFFIX }}"
--- a/roles/sys-svc-certbot/tasks/02_no_webroot.yml
+++ b/roles/sys-svc-certbot/tasks/02_no_webroot.yml
@@ -15,7 +15,7 @@
  copy:
    dest: "{{ CERTBOT_CREDENTIALS_FILE }}"
    content: |
-      dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token = {{ CERTBOT_DNS_API_TOKEN }}
+      dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token = {{ CLOUDFLARE_API_TOKEN }}
    owner: root
    group: root
    mode: '0600'
--- a/roles/sys-timer/tasks/main.yml
+++ b/roles/sys-timer/tasks/main.yml
@@ -19,4 +19,6 @@
    state: restarted
    enabled: yes
  when: dummy_timer.changed or ACTIVATE_ALL_TIMERS | bool
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"

--- a/roles/web-app-gitea/tasks/main.yml
+++ b/roles/web-app-gitea/tasks/main.yml
@@ -60,7 +60,7 @@
  include_role:
    name: srv-web-7-7-dns-records
  vars:
-    cloudflare_api_token:   "{{ CERTBOT_DNS_API_TOKEN }}"
+    CLOUDFLARE_API_TOKEN:   "{{ CLOUDFLARE_API_TOKEN }}"
    cloudflare_domains:     "{{ [ domains | get_domain(application_id) ] }}"
    cloudflare_target_ip:   "{{ networks.internet.ip4 }}"
    cloudflare_proxied:     false
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@@ -5,7 +5,7 @@ database_type:                    "postgres"
 # Keycloak
 keycloak_container:                 "{{ applications | get_app_conf(application_id, 'docker.services.keycloak.name') }}"      # Name of the keycloak docker container
 keycloak_docker_import_directory:   "/opt/keycloak/data/import/"                                                              # Directory in which keycloak import files are placed in the running docker container
-keycloak_realm:                     "{{ OIDC.CLIENT.ISSUER_URL }}"                                                                     # This is the name of the default realm which is used by the applications
+keycloak_realm:                     "{{ OIDC.CLIENT.REALM }}"                                                                     # This is the name of the default realm which is used by the applications
 keycloak_master_api_user:           "{{ applications | get_app_conf(application_id, 'users.administrator') }}"                # Master Administrator
 keycloak_master_api_user_name:      "{{ keycloak_master_api_user.username }}"                                                 # Master Administrator Username
 keycloak_master_api_user_password:  "{{ keycloak_master_api_user.password }}"                                                 # Master Administrator Password
--- a/roles/web-app-mailu/Todo.md
+++ b/roles/web-app-mailu/Todo.md
@@ -1,8 +1,5 @@
 # Todos
 - Implement hard restart into Backup for mailu
-<<<<<<< HEAD
 - Check if DKIM generation works on new setups
 - Implement auto reverse DNS
-=======
- Implement auto reverse DNS
->>>>>>> 0b19d115 (Added todos)
+- Activate IP6
--- a/roles/web-app-mailu/tasks/01_core.yml
+++ b/roles/web-app-mailu/tasks/01_core.yml
@@ -12,8 +12,10 @@
  - name: "load docker, db and proxy for {{ application_id }}"
    include_role: 
      name: cmp-db-docker-proxy
+    vars:
+      docker_compose_flush_handlers: true

-  - name: "Include the sys-svc-cert-sync-docker role"
+  - name: "Include Cert deploy service for '{{ role_name }}'"
    include_role:
      name: sys-svc-cert-sync-docker
  vars:
@@ -23,7 +25,7 @@
  meta: flush_handlers

 - name: "Create Mailu accounts"
-  include_tasks: 02_create-mailu-user.yml
+  include_tasks: 02_create-user.yml
  vars:
    MAILU_DOCKER_DIR:        "{{ docker_compose.directories.instance }}"
    mailu_api_base_url:       "http://127.0.0.1:8080/api/v1"
@@ -41,7 +43,10 @@
  loop:                       "{{ users | dict2items }}"
  loop_control:
    loop_var: item
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+
+- name: Generate DKIM public key
+  include_tasks: 04_generate-and-read-dkim.yml

 - name: Set Mailu DNS records
-  include_tasks: 04_set-mailu-dns-records.yml
-  when: DNS_PROVIDER == 'cloudflare'
+  include_tasks: 05_dns-records.yml
--- a/roles/web-app-mailu/tasks/02_create-mailu-user.yml
+++ b/roles/web-app-mailu/tasks/02_create-mailu-user.yml
@@ -25,5 +25,5 @@
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

 - name: "Create Mailu API Token for {{ mailu_user_name }}"
-  include_tasks: 03_create-mailu-token.yml
+  include_tasks: 03_create-token.yml
  when: "{{ 'mail-bot' in item.value.roles }}"
--- a/roles/web-app-mailu/tasks/03_create-mailu-token.yml
+++ b/roles/web-app-mailu/tasks/03_create-mailu-token.yml
--- a/roles/web-app-mailu/tasks/04_generate-and-read-dkim.yml
+++ b/roles/web-app-mailu/tasks/04_generate-and-read-dkim.yml
--- a/roles/web-app-mailu/tasks/04_set-mailu-dns-records.yml
+++ b/roles/web-app-mailu/tasks/04_set-mailu-dns-records.yml
@@ -1,125 +0,0 @@
- name: Generate DKIM public key
-  include_tasks: 05_generate-and-read-dkim.yml
-
-# A/AAAA record for the mail host in the **Hostname Zone**
- name: "Set A record for Mailu host"
-  community.general.cloudflare_dns:
-    api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
-    zone: "{{ MAILU_HOSTNAME_DNS_ZONE }}"
-    type: A
-    name: "{{ MAILU_HOSTNAME }}"        # Fully Qualified Domain Name of the mail host
-    content: "{{ MAILU_IP4_PUBLIC }}"
-    proxied: false
-    ttl: 1
-    state: present
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
- name: "Set AAAA record for Mailu host"
-  community.general.cloudflare_dns:
-    api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
-    zone: "{{ MAILU_HOSTNAME_DNS_ZONE }}"
-    type: AAAA
-    name: "{{ MAILU_HOSTNAME }}"
-    content: "{{ MAILU_IP6_PUBLIC }}"
-    proxied: false
-    ttl: 1
-    state: present
-  when: MAILU_IP6_PUBLIC is defined and MAILU_IP6_PUBLIC | length > 0
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
-# Autoconfig CNAME record in the **Mail Domain Zone**
- name: "Set CNAME record for autoconfig"
-  community.general.cloudflare_dns:
-    api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
-    zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
-    type: CNAME
-    name: "autoconfig.{{ MAILU_DOMAIN_DNS_ZONE }}"
-    value: "{{ MAILU_HOSTNAME }}"       # Points to the Mailu host FQDN
-    proxied: false
-    ttl: 1
-    state: present
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
-# MX record in the **Mail Domain Zone**
- name: "Set MX record"
-  community.general.cloudflare_dns:
-    api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
-    zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
-    type: MX
-    name: "{{ MAILU_DOMAIN }}"          # Root mail domain
-    value: "{{ MAILU_HOSTNAME }}"       # Points to the Mailu host
-    priority: 10
-    ttl: 1
-    state: present
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
-# SRV records in the **Mail Domain Zone**
- name: "Set SRV records"
-  community.general.cloudflare_dns:
-    api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
-    zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
-    type: SRV
-    service: "_{{ item.key }}"
-    proto: "_tcp"
-    priority: "{{ item.value.priority }}"
-    weight: "{{ item.value.weight }}"
-    port: "{{ item.value.port }}"
-    value: "{{ MAILU_HOSTNAME }}"       # Target = Mailu host FQDN
-    ttl: 1
-    state: present
-    name: "{{ MAILU_DOMAIN }}"
-  loop: "{{ MAILU_DNS_SRV_RECORDS | dict2items }}"
-  ignore_errors: true
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
-# SPF TXT record in the **Mail Domain Zone**
- name: "Set SPF TXT record"
-  community.general.cloudflare_dns:
-    api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
-    zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
-    type: TXT
-    name: "{{ MAILU_DOMAIN }}"
-    value: "v=spf1 mx a:{{ MAILU_HOSTNAME }} ~all"
-    ttl: 1
-    state: present
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
-# DMARC TXT record in the **Mail Domain Zone**
- name: "Set DMARC TXT record"
-  community.general.cloudflare_dns:
-    api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
-    zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
-    type: TXT
-    name: "_dmarc.{{ MAILU_DOMAIN_DNS_ZONE }}"
-    value: "v=DMARC1; p=reject; ruf=mailto:{{ MAILU_DMARC_RUF }}; adkim=s; aspf=s"
-    ttl: 1
-    state: present
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
-
-# DKIM TXT record in the **Mail Domain Zone**
- name: "Set DKIM TXT record"
-  community.general.cloudflare_dns:
-    api_token: "{{ MAILU_CLOUDFLARE_API_TOKEN }}"
-    zone: "{{ MAILU_DOMAIN_DNS_ZONE }}"
-    type: TXT
-    name: "dkim._domainkey.{{ MAILU_DOMAIN_DNS_ZONE }}"
-    value: "{{ mailu_dkim_public_key }}"
-    ttl: 1
-    state: present
-  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
-  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
--- a/roles/web-app-mailu/tasks/05_dns-records.yml
+++ b/roles/web-app-mailu/tasks/05_dns-records.yml
@@ -0,0 +1,33 @@
+- name: "DNS (Cloudflare) for Mailu"
+  include_role:
+    name: sys-dns-cloudflare-records
+  when: DNS_PROVIDER | lower == 'cloudflare'
+  vars:
+    cloudflare_async_enabled: "{{ ASYNC_ENABLED | default(false) | bool }}"
+    cloudflare_async_time: "{{ ASYNC_TIME | default(45) }}"
+    cloudflare_async_poll: "{{ ASYNC_POLL | default(5) }}"
+    cloudflare_no_log: "{{ MASK_CREDENTIALS_IN_LOGS | default(true) | bool }}"
+    cloudflare_records:
+      - { type: A,     zone: "{{ MAILU_HOSTNAME_DNS_ZONE }}", name: "{{ MAILU_HOSTNAME }}", content: "{{ MAILU_IP4_PUBLIC }}", proxied: false }
+#      - { type: AAAA,  zone: "{{ MAILU_HOSTNAME_DNS_ZONE }}", name: "{{ MAILU_HOSTNAME }}", content: "{{ MAILU_IP6_PUBLIC }}", proxied: false }
+      - { type: CNAME, zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "autoconfig.{{ MAILU_DOMAIN_DNS_ZONE }}", value: "{{ MAILU_HOSTNAME }}" }
+      - { type: MX,    zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "{{ MAILU_DOMAIN }}", value: "{{ MAILU_HOSTNAME }}", priority: 10 }
+      - { type: TXT,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "{{ MAILU_DOMAIN }}", value: "v=spf1 mx a:{{ MAILU_HOSTNAME }} ~all" }
+      - { type: TXT,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "_dmarc.{{ MAILU_DOMAIN_DNS_ZONE }}", value: "v=DMARC1; p=reject; ruf=mailto:{{ MAILU_DMARC_RUF }}; adkim=s; aspf=s" }
+      - { type: TXT,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", name: "dkim._domainkey.{{ MAILU_DOMAIN_DNS_ZONE }}", value: "{{ mailu_dkim_public_key }}" }
+      - { type: SRV,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_submission",  proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 587, value: "{{ MAILU_HOSTNAME }}" }
+      - { type: SRV,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_submissions", proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 465, value: "{{ MAILU_HOSTNAME }}" }
+      - { type: SRV,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_imaps",      proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 993, value: "{{ MAILU_HOSTNAME }}" }
+      - { type: SRV,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_imap",       proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 143, value: "{{ MAILU_HOSTNAME }}" }
+      - { type: SRV,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_pop3s",      proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 995, value: "{{ MAILU_HOSTNAME }}" }
+      - { type: SRV,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_pop3",       proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 110, value: "{{ MAILU_HOSTNAME }}" }
+      - { type: SRV,   zone: "{{ MAILU_DOMAIN_DNS_ZONE }}", service: "_autodiscover", proto: "_tcp", name: "{{ MAILU_DOMAIN }}", priority: 20, weight: 1, port: 443, value: "{{ MAILU_HOSTNAME }}" }
+
+- name: "rDNS (Hetzner Cloud) for Mailu"
+  include_role:
+    name: sys-dns-hetzner-rdns
+  when: HOSTING_PROVIDER | lower == 'hetzner'
+  vars:
+    rdns_records:
+      - { resource: "server", ip_address: "{{ MAILU_IP4_PUBLIC }}", dns_ptr: "{{ MAILU_HOSTNAME }}" }
+#      - { resource: "server", ip_address: "{{ MAILU_IP6_PUBLIC | default('') }}", dns_ptr: "{{ MAILU_HOSTNAME }}" }
--- a/roles/web-app-mailu/vars/main.yml
+++ b/roles/web-app-mailu/vars/main.yml
@@ -38,12 +38,11 @@ MAILU_DOVECOT_MAIL_VOLUME:            "mailu_dovecot_mail"
 ## Network
 MAILU_DNS_RESOLVER:                   "{{ networks.local['web-app-mailu'].dns_resolver }}"
 MAILU_IP4_PUBLIC:                     "{{ networks.internet.ip4 }}"
-MAILU_IP6_PUBLIC:                     false #Deactivated atm. but cloudflare logic present
+MAILU_IP6_PUBLIC:                     "" #Deactivated atm. but cloudflare logic present @todo activate it when it's configured for docker. See https://chatgpt.com/share/68a0acb8-db20-800f-9d2c-b34e38b5cdee
 MAILU_SUBNET:                         "{{ networks.local['web-app-mailu'].subnet }}"

 ## Credentials
 MAILU_SECRET_KEY:                     "{{ applications | get_app_conf(application_id,'credentials.secret_key') }}"
-MAILU_CLOUDFLARE_API_TOKEN:           "{{ CERTBOT_DNS_API_TOKEN }}"
 MAILU_API_TOKEN:                      "{{ applications | get_app_conf(application_id, 'credentials.api_token') }}"

 ## OIDC
@@ -55,16 +54,7 @@ MAILU_OIDC_ENABLE_USER_CREATION:      "{{ applications | get_app_conf(applicatio
 # @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
 MAILU_DOCKER_FLAVOR:                  "{{ 'ghcr.io/heviat' if MAILU_OIDC_ENABLED | bool else 'ghcr.io/mailu' }}"

-MAILU_DMARC_RUF:     "{{ applications | get_app_conf(application_id, 'users.administrator.email') }}"
+MAILU_DMARC_RUF:                      "{{ applications | get_app_conf(application_id, 'users.administrator.email') }}"

-MAILU_DKIM_KEY_FILE: "{{ MAILU_DOMAIN }}.dkim.key"
-MAILU_DKIM_KEY_PATH: "/dkim/{{ MAILU_DKIM_KEY_FILE }}"
-
-MAILU_DNS_SRV_RECORDS:
-  submission:   { port: 587, priority: 20, weight: 1 }
-  submissions:  { port: 465, priority: 20, weight: 1 }
-  imaps:        { port: 993, priority: 20, weight: 1 }
-  imap:         { port: 143, priority: 20, weight: 1 }
-  pop3s:        { port: 995, priority: 20, weight: 1 }
-  pop3:         { port: 110, priority: 20, weight: 1 }
-  autodiscover: { port: 443, priority: 20, weight: 1 }
+MAILU_DKIM_KEY_FILE:                  "{{ MAILU_DOMAIN }}.dkim.key"
+MAILU_DKIM_KEY_PATH:                  "/dkim/{{ MAILU_DKIM_KEY_FILE }}"
--- a/roles/web-opt-rdr-www/tasks/main.yml
+++ b/roles/web-opt-rdr-www/tasks/main.yml
@@ -20,7 +20,7 @@
  include_role:
    name: srv-web-7-7-dns-records
  vars:
-    cloudflare_api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
+    CLOUDFLARE_API_TOKEN: "{{ CLOUDFLARE_API_TOKEN }}"
    cloudflare_domains: "{{ www_domains }}"
    cloudflare_target_ip: "{{ networks.internet.ip4 }}"
    cloudflare_proxied: false
--- a/tests/integration/test_variable_definitions.py
+++ b/tests/integration/test_variable_definitions.py
@@ -41,24 +41,28 @@ class TestVariableDefinitions(unittest.TestCase):
        # Simple {{ var }} usage with optional Jinja filters after a pipe
        self.simple_var_pattern = re.compile(r"{{\s*([a-zA-Z_]\w*)\s*(?:\|[^}]*)?}}")

-        # {% set var = ... %}
+        # {% set var = ... %}   (allow trimmed variants)
        self.jinja_set_def = re.compile(r'{%\s*-?\s*set\s+([a-zA-Z_]\w*)\s*=')

-        # {% for x in ... %}  or  {% for k, v in ... %}
+        # {% for x in ... %}  or  {% for k, v in ... %}   (allow trimmed variants)
        self.jinja_for_def = re.compile(
            r'{%\s*-?\s*for\s+([a-zA-Z_]\w*)(?:\s*,\s*([a-zA-Z_]\w*))?\s+in'
        )

-        # {% macro name(param1, param2=..., *varargs, **kwargs) %}
+        # {% macro name(param1, param2=..., *varargs, **kwargs) %}   (allow trimmed variants)
        self.jinja_macro_def = re.compile(
            r'{%\s*-?\s*macro\s+[a-zA-Z_]\w*\s*\((.*?)\)\s*-?%}'
        )

        # Ansible YAML anchors for inline var declarations
-        self.ansible_set_fact = re.compile(r'^(?:\s*[-]\s*)?set_fact\s*:\s*$')
+        # Support short and FQCN forms, plus inline dict after colon
+        self.ansible_set_fact = re.compile(
+            r'^(?:\s*-\s*)?(?:ansible\.builtin\.)?set_fact\s*:\s*(\{[^}]*\})?\s*$'
+        )
        self.ansible_vars_block = re.compile(r'^(?:\s*[-]\s*)?vars\s*:\s*$')
        self.ansible_loop_var = re.compile(r'^\s*loop_var\s*:\s*([a-zA-Z_]\w*)')
        self.mapping_key = re.compile(r'^\s*([a-zA-Z_]\w*)\s*:\s*')
+        self.register_pat = re.compile(r'^\s*register\s*:\s*([a-zA-Z_]\w*)')

        # -----------------------
        # Collect "defined" names
@@ -85,6 +89,7 @@ class TestVariableDefinitions(unittest.TestCase):

                path = os.path.join(root, fn)

+                # Track when we're inside set_fact:/vars: blocks to also extract mapping keys.
                in_set_fact = False
                set_fact_indent = 0
                in_vars_block = False
@@ -96,63 +101,75 @@ class TestVariableDefinitions(unittest.TestCase):
                            stripped = line.lstrip()
                            indent = len(line) - len(stripped)

-                            # --- set_fact block keys
-                            if self.ansible_set_fact.match(stripped):
-                                in_set_fact = True
-                                set_fact_indent = indent
-                                continue
+                            # --- set_fact (short and FQCN), supports inline and block forms
+                            m_sf = self.ansible_set_fact.match(stripped)
+                            if m_sf:
+                                inline_map = m_sf.group(1)
+                                if inline_map:
+                                    # Inline mapping: set_fact: { a: 1, b: 2 }
+                                    try:
+                                        data = yaml.safe_load(inline_map)
+                                        if isinstance(data, dict):
+                                            self.defined.update(
+                                                k for k in data.keys() if isinstance(k, str)
+                                            )
+                                    except Exception:
+                                        pass
+                                    # do not enter block mode if inline present
+                                    in_set_fact = False
+                                else:
+                                    # Block mapping: keys on subsequent indented lines
+                                    in_set_fact = True
+                                    set_fact_indent = indent
+                                    # continue to next iteration to avoid double-processing this line
+                                    continue
+
                            if in_set_fact:
                                # Still inside set_fact child mapping?
                                if indent > set_fact_indent and stripped.strip():
                                    m = self.mapping_key.match(stripped)
                                    if m:
                                        self.defined.add(m.group(1))
-                                    continue
+                                    # do not continue; still scan for Jinja defs below
                                else:
-                                    in_set_fact = False
+                                    # Leaving the block when indentation decreases or a new key at same level appears
+                                    if indent <= set_fact_indent and stripped:
+                                        in_set_fact = False

-                            # --- vars: block keys
+                            # --- vars: block (collect mapping keys)
                            if self.ansible_vars_block.match(stripped):
                                in_vars_block = True
                                vars_block_indent = indent
+                                # continue to next line to avoid double-processing this line
                                continue
+
                            if in_vars_block:
-                                # Ignore blank lines inside vars block
-                                if not stripped.strip():
-                                    continue
-                                # Still inside vars child mapping?
-                                if indent > vars_block_indent:
+                                # Inside vars: collect top-level mapping keys
+                                if indent > vars_block_indent and stripped.strip():
                                    m = self.mapping_key.match(stripped)
                                    if m:
                                        self.defined.add(m.group(1))
-                                    continue
+                                    # do not continue; still scan for Jinja defs below
                                else:
-                                    in_vars_block = False
+                                    # Leaving vars block
+                                    if indent <= vars_block_indent and stripped:
+                                        in_vars_block = False

-                            # --- loop_var
-                            m_loop = self.ansible_loop_var.match(stripped)
-                            if m_loop:
-                                self.defined.add(m_loop.group(1))
+                            # --- Always scan every line (including inside blocks) for Jinja definitions

-                            # --- register: name
-                            m_reg = re.match(r'^\s*register\s*:\s*([a-zA-Z_]\w*)', stripped)
-                            if m_reg:
-                                self.defined.add(m_reg.group(1))
-
-                            # --- {% set var = ... %}
+                            # {% set var = ... %}
                            for m in self.jinja_set_def.finditer(line):
                                self.defined.add(m.group(1))

-                            # --- {% for x [ , y ] in ... %}
+                            # {% for x [, y] in ... %}
                            for m in self.jinja_for_def.finditer(line):
                                self.defined.add(m.group(1))
                                if m.group(2):
                                    self.defined.add(m.group(2))

-                            # --- {% macro name(params...) %}  -> collect parameter names
+                            # {% macro name(params...) %}
                            for m in self.jinja_macro_def.finditer(line):
                                params_blob = m.group(1)
-                                # Split by comma at top level (macros don't support nested tuples in params)
                                params = [p.strip() for p in params_blob.split(',')]
                                for p in params:
                                    if not p:
@@ -163,6 +180,16 @@ class TestVariableDefinitions(unittest.TestCase):
                                    name = p.split('=', 1)[0].strip()
                                    if re.match(r'^[a-zA-Z_]\w*$', name):
                                        self.defined.add(name)
+
+                            # --- loop_var and register names
+                            m_loop = self.ansible_loop_var.match(stripped)
+                            if m_loop:
+                                self.defined.add(m_loop.group(1))
+
+                            m_reg = self.register_pat.match(stripped)
+                            if m_reg:
+                                self.defined.add(m_reg.group(1))
+
                except Exception:
                    # Ignore unreadable files
                    pass
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	1126765da2	Fix variable definition test to detect set_fact and ansible.builtin.set_fact (both block and inline forms) - Support fully qualified ansible.builtin.set_fact - Parse inline set_fact mappings (e.g. set_fact: { a: 1, b: 2 }) - Continue scanning inside vars/set_fact blocks for Jinja {% set %}, {% for %}, and {% macro %} - Ensures variables defined by set_fact are correctly recognized as defined	2025-08-16 23:51:27 +02:00
Kevin Veen-Birkenbach	2620ee088e	refactor(dns): unify Cloudflare + Hetzner handling across roles - replaced CERTBOT_DNS_API_TOKEN with CLOUDFLARE_API_TOKEN everywhere - introduced generic sys-dns-cloudflare-records role for managing DNS records - added sys-dns-hetzner-rdns role with both Cloud (hcloud) and Robot API flavors - updated Mailu role to: - generate DKIM before DNS setup - delegate DNS + rDNS records to the new generic roles - removed legacy per-role Cloudflare vars (MAILU_CLOUDFLARE_API_TOKEN) - extended group vars with HOSTING_PROVIDER for rDNS flavor decision - added hetzner.hcloud collection to requirements This consolidates DNS management into reusable roles, supports both Cloudflare and Hetzner providers, and standardizes variable naming across the project.	2025-08-16 21:43:01 +02:00
Kevin Veen-Birkenbach	838a55ea94	Solved realm bug which appeared due to refactoring	2025-08-16 18:38:22 +02:00
Kevin Veen-Birkenbach	1b26f1da8d	Deactivated IP6 for Mailu	2025-08-16 18:17:09 +02:00
Kevin Veen-Birkenbach	43362e1694	Optimized sys-hlth-csp performance	2025-08-16 18:03:44 +02:00
Kevin Veen-Birkenbach	14d3f65a70	Included docker compose handler flush for mailu	2025-08-16 18:02:40 +02:00
Kevin Veen-Birkenbach	b8ccd50ab2	Added async und logs	2025-08-16 17:29:16 +02:00
Kevin Veen-Birkenbach	4a39cc90c0	Solved variable bugs in sys-svc-cert-sync-docker	2025-08-16 17:27:56 +02:00