Adding DNS role

roles/dns/templates/docker-compose.yml.j2

@@ -0,0 +1,25 @@
+services:
+  bind9:
+    image: ubuntu/bind9:{{ bind_version }}
+    container_name: bind9
+    restart: unless-stopped
+    environment:
+      TZ: UTC
+    ports:
+      - "53:53/tcp"
+      - "53:53/udp"
+    volumes:
+      - {{ dns_data_dir }}/config/named.conf:/etc/bind/named.conf:ro
+      - {{ dns_data_dir }}/zones:/var/lib/bind:ro
+      - {{ dns_data_dir }}/cache:/var/cache/bind
+    networks:
+      - {{ sovereign_network_name }}
+    logging:
+      driver: gelf
+      options:
+        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
+        tag: "bind9"
+
+networks:
+  {{ sovereign_network_name }}:
+    external: true

roles/dns/templates/named.conf.j2

@@ -0,0 +1,29 @@
+// named.conf — authoritative-only configuration for {{ base_domain }}
+// Managed by Ansible — do not edit manually.
+
+options {
+    directory "/var/cache/bind";
+
+    // Authoritative only — no recursion to prevent DNS amplification attacks
+    recursion no;
+    allow-recursion { none; };
+
+    // Accept queries from any source
+    allow-query { any; };
+
+    // Only allow zone transfers to trusted hosts (none by default)
+    allow-transfer { none; };
+
+    // Listen on all interfaces
+    listen-on { any; };
+    listen-on-v6 { any; };
+
+    dnssec-validation no;
+};
+
+// Authoritative zone for the base domain
+zone "{{ base_domain }}" IN {
+    type master;
+    file "/var/lib/bind/{{ base_domain }}.zone";
+    allow-update { none; };
+};

roles/dns/templates/zone.j2

@@ -0,0 +1,77 @@
+; Zone file for {{ base_domain }}
+; Managed by Ansible — do not edit manually.
+; Serial: {{ dns_zone_serial }} (YYYYMMDDHH — increment on manual edits)
+
+$ORIGIN {{ base_domain }}.
+$TTL {{ dns_ttl | default(3600) }}
+
+; ---------------------------------------------------------------------------
+; SOA record
+; ---------------------------------------------------------------------------
+@       IN      SOA     {{ dns_ns_hostname | default('ns1.' + base_domain) }}. hostmaster.{{ base_domain }}. (
+                        {{ dns_zone_serial }} ; Serial
+                        3600                  ; Refresh (1 hour)
+                        900                   ; Retry (15 min)
+                        604800                ; Expire (7 days)
+                        300                   ; Negative TTL (5 min)
+                        )
+
+; ---------------------------------------------------------------------------
+; Name servers
+; ---------------------------------------------------------------------------
+@       IN      NS      {{ dns_ns_hostname | default('ns1.' + base_domain) }}.
+ns1     IN      A       {{ dns_server_ip }}
+
+; ---------------------------------------------------------------------------
+; Root domain
+; ---------------------------------------------------------------------------
+@       IN      A       {{ dns_server_ip }}
+
+; ---------------------------------------------------------------------------
+; Service A records
+; ---------------------------------------------------------------------------
+traefik         IN      A       {{ dns_server_ip }}
+logs            IN      A       {{ dns_server_ip }}
+auth            IN      A       {{ dns_server_ip }}
+s3              IN      A       {{ dns_server_ip }}
+minio           IN      A       {{ dns_server_ip }}
+cloud           IN      A       {{ dns_server_ip }}
+mail            IN      A       {{ dns_server_ip }}
+webmail         IN      A       {{ dns_server_ip }}
+matrix          IN      A       {{ dns_server_ip }}
+chat            IN      A       {{ dns_server_ip }}
+meet            IN      A       {{ dns_server_ip }}
+headscale       IN      A       {{ dns_server_ip }}
+wazuh           IN      A       {{ dns_server_ip }}
+vault           IN      A       {{ dns_server_ip }}
+git             IN      A       {{ dns_server_ip }}
+
+; ---------------------------------------------------------------------------
+; Mail exchange
+; ---------------------------------------------------------------------------
+@       IN      MX      10      mail.{{ base_domain }}.
+
+; ---------------------------------------------------------------------------
+; SPF — authorise the mail server to send on behalf of the domain
+; ---------------------------------------------------------------------------
+@       IN      TXT     "v=spf1 mx ~all"
+
+; ---------------------------------------------------------------------------
+; DMARC — policy: {{ dmarc_policy | default('quarantine') }}
+; ---------------------------------------------------------------------------
+_dmarc  IN      TXT     "v=DMARC1; p={{ dmarc_policy | default('quarantine') }}; rua={{ dmarc_rua | default('mailto:dmarc-reports@' + base_domain) }}; ruf={{ dmarc_ruf | default('mailto:dmarc-forensics@' + base_domain) }}; fo=1; adkim=r; aspf=r"
+
+; ---------------------------------------------------------------------------
+; DKIM — public key from the Stalwart mail server
+; Set stalwart_dkim_public_key in group_vars/all.yml (retrieve from the
+; Stalwart admin UI at mail.{{ base_domain }} → Settings → DKIM keys).
+; RSA-2048 keys exceed the 255-byte TXT string limit so they are split into
+; multiple quoted strings, which compliant resolvers concatenate.
+; ---------------------------------------------------------------------------
+{% if stalwart_dkim_public_key | default('') != '' %}
+{% set dkim_full = "v=DKIM1; k=rsa; p=" + stalwart_dkim_public_key %}
+{% set dkim_chunks = dkim_full | regex_findall('.{1,255}') %}
+{{ stalwart_dkim_selector | default('default') }}._domainkey  IN  TXT  ( {% for chunk in dkim_chunks %}"{{ chunk }}" {% endfor %})
+{% else %}
+; DKIM record not configured — set stalwart_dkim_public_key to enable.
+{% endif %}