Adding DNS role

This commit is contained in:
Ian Roddis
2026-04-21 10:07:06 -04:00
parent 3a873051e7
commit 043d315b80
14 changed files with 464 additions and 1 deletions
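--- /dev/null
+++ b/ZONE_TEMPLATE_PATH_PLACEHOLDER
@@ -0,0 +1,77 @@
+; Zone file for {{ base_domain }}
+; Managed by Ansible — do not edit manually.
+; Serial: {{ dns_zone_serial }} (YYYYMMDDHH — increment on manual edits)
+$ORIGIN {{ base_domain }}.
+$TTL {{ dns_ttl | default(3600) }}
+; ---------------------------------------------------------------------------
+; SOA record
+; ---------------------------------------------------------------------------
+@ IN SOA {{ dns_ns_hostname | default('ns1.' + base_domain) }}. hostmaster.{{ base_domain }}. (
+{{ dns_zone_serial }} ; Serial
+3600 ; Refresh (1 hour)
+900 ; Retry (15 min)
+604800 ; Expire (7 days)
+300 ; Negative TTL (5 min)
+)
+; ---------------------------------------------------------------------------
+; Name servers
+; ---------------------------------------------------------------------------
+@ IN NS {{ dns_ns_hostname | default('ns1.' + base_domain) }}.
+ns1 IN A {{ dns_server_ip }}
+; ---------------------------------------------------------------------------
+; Root domain
+; ---------------------------------------------------------------------------
+@ IN A {{ dns_server_ip }}
+; ---------------------------------------------------------------------------
+; Service A records
+; ---------------------------------------------------------------------------
+traefik IN A {{ dns_server_ip }}
+logs IN A {{ dns_server_ip }}
+auth IN A {{ dns_server_ip }}
+s3 IN A {{ dns_server_ip }}
+minio IN A {{ dns_server_ip }}
+cloud IN A {{ dns_server_ip }}
+mail IN A {{ dns_server_ip }}
+webmail IN A {{ dns_server_ip }}
+matrix IN A {{ dns_server_ip }}
+chat IN A {{ dns_server_ip }}
+meet IN A {{ dns_server_ip }}
+headscale IN A {{ dns_server_ip }}
+wazuh IN A {{ dns_server_ip }}
+vault IN A {{ dns_server_ip }}
+git IN A {{ dns_server_ip }}
+; ---------------------------------------------------------------------------
+; Mail exchange
+; ---------------------------------------------------------------------------
+@ IN MX 10 mail.{{ base_domain }}.
+; ---------------------------------------------------------------------------
+; SPF — authorise the mail server to send on behalf of the domain
+; ---------------------------------------------------------------------------
+@ IN TXT "v=spf1 mx ~all"
+; ---------------------------------------------------------------------------
+; DMARC — policy: {{ dmarc_policy | default('quarantine') }}
+; ---------------------------------------------------------------------------
+_dmarc IN TXT "v=DMARC1; p={{ dmarc_policy | default('quarantine') }}; rua={{ dmarc_rua | default('mailto:dmarc-reports@' + base_domain) }}; ruf={{ dmarc_ruf | default('mailto:dmarc-forensics@' + base_domain) }}; fo=1; adkim=r; aspf=r"
+; ---------------------------------------------------------------------------
+; DKIM — public key from the Stalwart mail server
+; Set stalwart_dkim_public_key in group_vars/all.yml (retrieve from the
+; Stalwart admin UI at mail.{{ base_domain }} → Settings → DKIM keys).
+; RSA-2048 keys exceed the 255-byte TXT string limit so they are split into
+; multiple quoted strings, which compliant resolvers concatenate.
+; ---------------------------------------------------------------------------
+{% if stalwart_dkim_public_key | default('') != '' %}
+{% set dkim_full = "v=DKIM1; k=rsa; p=" + stalwart_dkim_public_key %}
+{% set dkim_chunks = dkim_full | regex_findall('.{1,255}') %}
+{{ stalwart_dkim_selector | default('default') }}._domainkey IN TXT ( {% for chunk in dkim_chunks %}"{{ chunk }}" {% endfor %})
+{% else %}
+; DKIM record not configured — set stalwart_dkim_public_key to enable.
+{% endif %}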
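Review bot: The DKIM guard `{% if stalwart_dkim_public_key | default('') != '' %}` accepts a whitespace-only value (an empty or botched paste) as configured, and because the chunking regex `.{1,255}` never matches a newline, such a value renders as a record whose `p=` is empty — which DKIM verifiers interpret as a revoked key, not an absent one, so signed mail from `mail.{{ base_domain }}` would fail verification. Normalise before both the test and the split: `{% set dkim_key = stalwart_dkim_public_key | default('') | regex_replace('\\s', '') %}`, then `{% if dkim_key != '' %}` and `{% set dkim_full = "v=DKIM1; k=rsa; p=" + dkim_key %}`; this also removes embedded line breaks from a multi-line paste cleanly instead of relying on the regex to skip them. Separately, the zone publishes SPF and DMARC but no CAA record, so any public CA may issue certificates for these names; if the issuer behind traefik is fixed, a `@ IN CAA 0 issue "<issuer-domain-placeholder>"` line next to the SPF block narrows that. The hunk header announces 77 lines while 68 are visible, which looks like blank separator lines dropped in rendering rather than a truncated file, but that is inferred.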