---
# ============================================================
# Linderhof DNS Zones
# ============================================================
# Generated by setup.sh — edit to match your DNS needs.
# This file is loaded automatically by Ansible as part of group_vars.
#
# $domain and $server_name are literal placeholders in this template;
# presumably setup.sh substitutes them before Ansible reads the file
# (confirm against setup.sh). The "{{ ... }}" expressions are Jinja and
# are resolved later by Ansible.
#
# After first mail deployment, retrieve DKIM keys with:
#   docker exec mailserver cat /tmp/docker-mailserver/rspamd/dkim/$domain/mail.pub
# Then add them to vault.yml under dkim_keys:
#   dkim_keys:
#     $domain: "v=DKIM1; k=rsa; p=..."
# The mail._domainkey record will be created automatically on next dns.yml run.
#
# Only the public key (the p= value from mail.pub) belongs in dkim_keys and
# in DNS; the private signing key must never be copied into this repository.
# ============================================================

dns_zones:
  - zone: $domain
    records:
      # The "when" key on a record is data inside this variable, not an
      # Ansible task-level condition. Each expression evaluates to false
      # when its enable_* flag is undefined (default(false)); presumably the
      # dns.yml play skips such records — confirm against the play.

      # Root domain
      - name: "@"
        type: A
        records:
          - value: "{{ server_ip }}"
      # MX for the apex: priority 10, target is mail_hostname as an FQDN
      # (trailing dot).
      - name: "@"
        type: MX
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: "10 {{ mail_hostname }}."
      # SPF: "mx -all" authorises only the domain's MX hosts and hard-fails
      # every other sender. Any additional sending system (relay, third-party
      # mailer) has to be added here before it sends as this domain.
      # The txt_record filter formats the string as TXT record content.
      - name: "@"
        type: TXT
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: "{{ 'v=spf1 mx -all' | hetzner.hcloud.txt_record }}"

      # Server A record
      - name: $server_name
        type: A
        records:
          - value: "{{ server_ip }}"
      - name: www
        type: A
        records:
          - value: "{{ server_ip }}"

      # Mail subdomain A record
      # Uses only the first label of mail_hostname as the record name.
      # NOTE(review): assumes mail_hostname sits directly under this zone
      # (e.g. <label>.$domain) — a deeper name would yield the wrong record.
      - name: "{{ mail_hostname.split('.')[0] }}"
        type: A
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: "{{ server_ip }}"

      # Service CNAMEs
      # Every service name aliases the server's FQDN (trailing dot), so all
      # of them resolve to the same host as the server A record.
      # NOTE(review): each enabled flag publishes a public hostname. DNS does
      # not restrict access, so whatever is served under these names
      # (rspamd, stats and watch in particular) should require
      # authentication at the service or reverse proxy — verify there.
      - name: webmail
        type: CNAME
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: $server_name.$domain.
      - name: code
        type: CNAME
        when: "{{ enable_forgejo | default(false) }}"
        records:
          - value: $server_name.$domain.
      - name: watch
        type: CNAME
        when: "{{ enable_monitoring | default(false) }}"
        records:
          - value: $server_name.$domain.
      - name: rspamd
        type: CNAME
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: $server_name.$domain.
      - name: stats
        type: CNAME
        when: "{{ enable_goaccess | default(false) }}"
        records:
          - value: $server_name.$domain.
      - name: chat
        type: CNAME
        when: "{{ enable_tuwunel | default(false) }}"
        records:
          - value: $server_name.$domain.
      - name: cal
        type: CNAME
        when: "{{ enable_radicale | default(false) }}"
        records:
          - value: $server_name.$domain.

      # DMARC
      # p=none is monitor-only: receivers send aggregate reports to the rua
      # address but take no action on mail that fails DMARC, so this policy
      # alone does not stop spoofing of the domain. Once the reports show
      # that legitimate mail passes SPF/DKIM, tighten to p=quarantine and
      # then p=reject.
      # The rua mailbox (dmarc@$domain) must exist and be read, otherwise
      # the reports are lost.
      - name: _dmarc
        type: TXT
        when: "{{ enable_mail | default(false) }}"
        records:
          - value: "{{ 'v=DMARC1; p=none; rua=mailto:dmarc@$domain' | hetzner.hcloud.txt_record }}"