Fix fresh-deploy blockers and clean up architecture

- Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-28 00:51:16 -07:00 · 2026-02-28 00:51:16 -07:00 · b38cd94fc8
commit b38cd94fc8
parent 75891c3271
23 changed files with 400 additions and 307 deletions
--- a/roles/dns/tasks/extra_mail_domain.yml
+++ b/roles/dns/tasks/extra_mail_domain.yml
@ -0,0 +1,56 @@
+---
+- name: "{{ extra_domain }} A record"
+  hetzner.hcloud.zone_rrset:
+    zone: "{{ extra_domain }}"
+    name: "@"
+    type: A
+    ttl: 300
+    records:
+      - value: "{{ server_ip }}"
+    api_token: "{{ hcloud_token }}"
+    state: present
+
+- name: "{{ extra_domain }} MX record"
+  hetzner.hcloud.zone_rrset:
+    zone: "{{ extra_domain }}"
+    name: "@"
+    type: MX
+    ttl: 300
+    records:
+      - value: "10 {{ mail_hostname }}."
+    api_token: "{{ hcloud_token }}"
+    state: present
+
+- name: "{{ extra_domain }} SPF record"
+  hetzner.hcloud.zone_rrset:
+    zone: "{{ extra_domain }}"
+    name: "@"
+    type: TXT
+    ttl: 300
+    records:
+      - value: "{{ 'v=spf1 mx -all' | hetzner.hcloud.txt_record }}"
+    api_token: "{{ hcloud_token }}"
+    state: present
+
+- name: "{{ extra_domain }} DMARC record"
+  hetzner.hcloud.zone_rrset:
+    zone: "{{ extra_domain }}"
+    name: _dmarc
+    type: TXT
+    ttl: 300
+    records:
+      - value: "{{ ('v=DMARC1; p=none; rua=mailto:dmarc@' + extra_domain) | hetzner.hcloud.txt_record }}"
+    api_token: "{{ hcloud_token }}"
+    state: present
+
+- name: "{{ extra_domain }} DKIM record"
+  hetzner.hcloud.zone_rrset:
+    zone: "{{ extra_domain }}"
+    name: mail._domainkey
+    type: TXT
+    ttl: 300
+    records:
+      - value: "{{ dkim_keys[extra_domain] | hetzner.hcloud.txt_record }}"
+    api_token: "{{ hcloud_token }}"
+    state: present
+  when: dkim_keys is defined and extra_domain in dkim_keys
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@ -22,4 +22,39 @@
  loop: "{{ dns_zones | subelements('records') }}"
  loop_control:
    label: "{{ item.0.zone }} {{ item.1.name }} {{ item.1.type }}"
+  when: item.1.when | default(true) | bool
+  tags: dns
+
+- name: Ensure extra mail domain zones exist
+  hetzner.hcloud.zone:
+    name: "{{ item }}"
+    mode: primary
+    api_token: "{{ hcloud_token }}"
+    state: present
+  loop: "{{ mail_domains | difference([domain]) }}"
+  when: enable_mail
+  tags: dns
+
+- name: Configure extra mail domain DNS records
+  ansible.builtin.include_tasks: extra_mail_domain.yml
+  vars:
+    extra_domain: "{{ item }}"
+  loop: "{{ mail_domains | difference([domain]) }}"
+  when: enable_mail
+  tags: dns
+
+- name: Manage DKIM records
+  hetzner.hcloud.zone_rrset:
+    zone: "{{ item.key }}"
+    name: mail._domainkey
+    type: TXT
+    ttl: 300
+    records:
+      - value: "{{ item.value | hetzner.hcloud.txt_record }}"
+    api_token: "{{ hcloud_token }}"
+    state: present
+  loop: "{{ dkim_keys | default({}) | dict2items }}"
+  loop_control:
+    label: "{{ item.key }} mail._domainkey TXT"
+  when: enable_mail | default(false) and item.value | length > 0
  tags: dns