Automate DKIM sync and add Hetzner resource labels

- Add dkim_sync.yml: generates DKIM keys for all mail_domains, writes keys to stack config (group_vars/all/dkim.yml), and publishes mail._domainkey TXT records via dns.yml — replaces manual vault editing - Remove dkim_keys from vault.yml.setup (public keys don't need encryption) - Add hcloud_labels to config.yml.setup and apply to server + SSH key in provision role, enabling project-level tagging of Hetzner resources - Fix setup.sh next steps: add missing bootstrap step, replace manual DKIM instructions with dkim_sync.yml - Update CLAUDE.md and README.md accordingly Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-28 19:06:24 -07:00 · 2026-02-28 19:06:24 -07:00 · bd90a7e16f
commit bd90a7e16f
parent b38cd94fc8
8 changed files with 89 additions and 30 deletions
--- a/README.md
+++ b/README.md
@ -213,24 +213,13 @@ ansible-vault edit $LINDERHOF_DIR/group_vars/all/vault.yml

 ## after first mail deployment — DKIM

-retrieve the generated DKIM public key and add it to the vault:
+run `dkim_sync.yml` once after the first mail deployment — it generates DKIM keys for all mail domains, writes them to your stack config, and publishes the `mail._domainkey` DNS records automatically:

 ```bash
-docker exec mailserver cat /tmp/docker-mailserver/rspamd/dkim/<domain>/mail.pub
-ansible-vault edit $LINDERHOF_DIR/group_vars/all/vault.yml
+ansible-playbook playbooks/dkim_sync.yml
 ```

-add under `dkim_keys`:
-```yaml
-dkim_keys:
-  example.com: "v=DKIM1; k=rsa; p=..."
-```
-
-then re-run DNS — the `mail._domainkey` record is created automatically:
-
-```bash
-ansible-playbook playbooks/dns.yml
-```
+keys are stored in `$LINDERHOF_DIR/group_vars/all/dkim.yml` (plain file — DKIM public keys are not secret). safe to re-run; only generates keys for domains that don't have one yet.


 ## common operations