linderhof/inventory/group_vars/all/dns.yml.setup

---
# ============================================================
# Linderhof DNS Zones
# ============================================================
# Generated by setup.sh — edit to match your DNS needs.
# This file is loaded automatically by Ansible as part of group_vars.
#
# After first mail deployment, retrieve DKIM keys with:
#   docker exec mailserver cat /tmp/docker-mailserver/rspamd/dkim/$domain/mail.pub
# Then add them to vault.yml under dkim_keys:
#   dkim_keys:
#     $domain: "v=DKIM1; k=rsa; p=..."
# The mail._domainkey record will be created automatically on next dns.yml run.
# ============================================================

dns_zones:
  - zone: $domain
    records:
      # Root domain
      - name: "@"
        type: A
        records:
          - value: "{{ server_ip }}"

      - name: "@"
        type: MX
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: "10 {{ mail_hostname }}."

      - name: "@"
        type: TXT
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: "{{ 'v=spf1 mx -all' | hetzner.hcloud.txt_record }}"

      # Server A record
      - name: $server_name
        type: A
        records:
          - value: "{{ server_ip }}"

      - name: www
        type: A
        records:
          - value: "{{ server_ip }}"

      # Mail subdomain A record
      - name: "{{ mail_hostname.split('.')[0] }}"
        type: A
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: "{{ server_ip }}"

      # Service CNAMEs
      - name: webmail
        type: CNAME
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: $server_name.$domain.

      - name: code
        type: CNAME
        when: "{{ enable_forgejo | default(false) }}"
        records:
          - value: $server_name.$domain.

      - name: watch
        type: CNAME
        when: "{{ enable_monitoring | default(false) }}"
        records:
          - value: $server_name.$domain.

      - name: rspamd
        type: CNAME
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: $server_name.$domain.

      - name: stats
        type: CNAME
        when: "{{ enable_goaccess | default(false) }}"
        records:
          - value: $server_name.$domain.

      - name: chat
        type: CNAME
        when: "{{ enable_tuwunel | default(false) }}"
        records:
          - value: $server_name.$domain.

      - name: cal
        type: CNAME
        when: "{{ enable_radicale | default(false) }}"
        records:
          - value: $server_name.$domain.

      # DMARC
      - name: _dmarc
        type: TXT
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: "{{ 'v=DMARC1; p=none; rua=mailto:dmarc@$domain' | hetzner.hcloud.txt_record }}"
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`---`
			`# ============================================================`
			`# Linderhof DNS Zones`
			`# ============================================================`
			`# Generated by setup.sh — edit to match your DNS needs.`
			`# This file is loaded automatically by Ansible as part of group_vars.`
			`#`
			`# After first mail deployment, retrieve DKIM keys with:`
			`# docker exec mailserver cat /tmp/docker-mailserver/rspamd/dkim/$domain/mail.pub`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`# Then add them to vault.yml under dkim_keys:`
			`# dkim_keys:`
			`# $domain: "v=DKIM1; k=rsa; p=..."`
			`# The mail._domainkey record will be created automatically on next dns.yml run.`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`# ============================================================`

			`dns_zones:`
			`- zone: $domain`
			`records:`
			`# Root domain`
			`- name: "@"`
			`type: A`
			`records:`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`- value: "{{ server_ip }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00
			`- name: "@"`
			`type: MX`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_mail \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: "10 {{ mail_hostname }}."`

			`- name: "@"`
			`type: TXT`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_mail \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: "{{ 'v=spf1 mx -all' \| hetzner.hcloud.txt_record }}"`

			`# Server A record`
			`- name: $server_name`
			`type: A`
			`records:`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`- value: "{{ server_ip }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00
			`- name: www`
			`type: A`
			`records:`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`- value: "{{ server_ip }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`# Mail subdomain A record`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`- name: "{{ mail_hostname.split('.')[0] }}"`
			`type: A`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_mail \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`- value: "{{ server_ip }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00
			`# Service CNAMEs`
			`- name: webmail`
			`type: CNAME`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_mail \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: $server_name.$domain.`

			`- name: code`
			`type: CNAME`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_forgejo \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: $server_name.$domain.`

			`- name: watch`
			`type: CNAME`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_monitoring \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: $server_name.$domain.`

			`- name: rspamd`
			`type: CNAME`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_mail \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: $server_name.$domain.`

			`- name: stats`
			`type: CNAME`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_goaccess \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: $server_name.$domain.`

			`- name: chat`
			`type: CNAME`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_tuwunel \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: $server_name.$domain.`

			`- name: cal`
			`type: CNAME`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_radicale \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: $server_name.$domain.`

			`# DMARC`
			`- name: _dmarc`
			`type: TXT`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`when: "{{ enable_mail \| default(false) }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`records:`
			`- value: "{{ 'v=DMARC1; p=none; rua=mailto:dmarc@$domain' \| hetzner.hcloud.txt_record }}"`