; Zone file for {{ base_domain }}
; Managed by Ansible — do not edit manually.
; Serial: {{ dns_zone_serial }} (YYYYMMDDHH — bump dns_zone_serial in the
; inventory whenever the rendered zone changes; any secondary server only
; transfers a new copy when the serial increases)
$ORIGIN {{ base_domain }}.
$TTL {{ dns_ttl | default(3600) }}

; ---------------------------------------------------------------------------
; SOA record
; MNAME defaults to ns1.<base_domain>; RNAME is hostmaster@<base_domain>
; (the first dot stands for "@"), so that mailbox should be deliverable.
; ---------------------------------------------------------------------------
@ IN SOA {{ dns_ns_hostname | default('ns1.' + base_domain) }}. hostmaster.{{ base_domain }}. (
    {{ dns_zone_serial }} ; Serial
    3600                  ; Refresh (1 hour)
    900                   ; Retry (15 min)
    604800                ; Expire (7 days)
    300                   ; Negative TTL (5 min)
)

; ---------------------------------------------------------------------------
; Name servers
; NOTE(review): a single NS is a single point of failure for the whole zone,
; and some registrars refuse a delegation with fewer than two.
; The ns1 A record below is the in-zone glue for the *default* NS name only;
; if dns_ns_hostname is overridden to another in-zone name, add a matching A
; record for it, otherwise the NS target will not resolve.
; ---------------------------------------------------------------------------
@ IN NS {{ dns_ns_hostname | default('ns1.' + base_domain) }}.
ns1 IN A {{ dns_server_ip }}

; ---------------------------------------------------------------------------
; Root domain
; ---------------------------------------------------------------------------
@ IN A {{ dns_server_ip }}

; ---------------------------------------------------------------------------
; Service A records — every name points at the same host (dns_server_ip).
; NOTE(review): if this zone is served publicly, these names advertise the
; internal service inventory (vault, wazuh, headscale, git, ...); make sure
; each endpoint enforces its own authentication, or serve the management
; names from an internal-only view.
; ---------------------------------------------------------------------------
traefik IN A {{ dns_server_ip }}
logs IN A {{ dns_server_ip }}
auth IN A {{ dns_server_ip }}
s3 IN A {{ dns_server_ip }}
minio IN A {{ dns_server_ip }}
cloud IN A {{ dns_server_ip }}
mail IN A {{ dns_server_ip }}
webmail IN A {{ dns_server_ip }}
matrix IN A {{ dns_server_ip }}
chat IN A {{ dns_server_ip }}
meet IN A {{ dns_server_ip }}
headscale IN A {{ dns_server_ip }}
wazuh IN A {{ dns_server_ip }}
vault IN A {{ dns_server_ip }}
git IN A {{ dns_server_ip }}

; ---------------------------------------------------------------------------
; Mail exchange
; mail.<base_domain> resolves to dns_server_ip above; the matching PTR record
; for that address must be set at the address owner, it cannot live here.
; ---------------------------------------------------------------------------
@ IN MX 10 mail.{{ base_domain }}.

; ---------------------------------------------------------------------------
; SPF — only hosts named in this domain's MX (mail.<base_domain>) may send.
; ~all is a softfail: DMARC counts anything other than "pass" as an SPF
; failure, so with the DMARC policy below it is effective, but switch to -all
; once no legitimate sender is outside the MX. Any third-party sender (SaaS,
; relays) must be added here or its mail will fail SPF.
; ---------------------------------------------------------------------------
@ IN TXT "v=spf1 mx ~all"

; ---------------------------------------------------------------------------
; DMARC — policy: {{ dmarc_policy | default('quarantine') }}
; rua/ruf default to mailboxes on this domain; they must exist on the mail
; server or reports bounce. ruf (failure/forensic) reports may carry message
; samples and are sent by few receivers — drop ruf if that exposure is
; unwanted. fo=1 requests a report when either SPF or DKIM fails alignment;
; adkim=r/aspf=r accept relaxed (subdomain) alignment. There is no sp= tag,
; so p= also applies to subdomains.
; ---------------------------------------------------------------------------
_dmarc IN TXT "v=DMARC1; p={{ dmarc_policy | default('quarantine') }}; rua={{ dmarc_rua | default('mailto:dmarc-reports@' + base_domain) }}; ruf={{ dmarc_ruf | default('mailto:dmarc-forensics@' + base_domain) }}; fo=1; adkim=r; aspf=r"

; ---------------------------------------------------------------------------
; DKIM — public key from the Stalwart mail server
; Set stalwart_dkim_public_key in group_vars/all.yml (retrieve from the
; Stalwart admin UI at mail.{{ base_domain }} → Settings → DKIM keys).
; Only the public key belongs here; the private key stays on the mail server.
; RSA-2048 keys exceed the 255-byte TXT string limit so they are split into
; multiple quoted strings, which DKIM verifiers concatenate.
; The regex_findall split presumably uses Python `.`, which does not match a
; newline, so line breaks in a pasted key are silently dropped while other
; whitespace is kept (tolerated inside p= by RFC 6376).
; k=rsa is hard-coded: an Ed25519 key (RFC 8463) would need k=ed25519.
; ---------------------------------------------------------------------------
{% if stalwart_dkim_public_key | default('') != '' %}
{% set dkim_full = "v=DKIM1; k=rsa; p=" + stalwart_dkim_public_key %}
{% set dkim_chunks = dkim_full | regex_findall('.{1,255}') %}
{{ stalwart_dkim_selector | default('default') }}._domainkey IN TXT (
{% for chunk in dkim_chunks %}"{{ chunk }}" {% endfor %})
{% else %}
; DKIM record not configured — set stalwart_dkim_public_key to enable.
; Without DKIM, DMARC alignment rests on SPF alone (forwarded mail will fail).
{% endif %}