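; Zone file for {{ base_domain }}
; Managed by Ansible — do not edit manually.
; Serial: {{ dns_zone_serial }} (YYYYMMDDHH — increment on manual edits)

$ORIGIN {{ base_domain }}.
$TTL {{ dns_ttl | default(3600) }}

; Authoritative name server FQDN (no trailing dot). Defaults to ns1 inside
; this zone; set dns_ns_hostname to delegate to a different host. It is
; resolved once here so the SOA MNAME, the NS record and the glue A record
; below cannot drift apart.
{% set dns_ns_fqdn = dns_ns_hostname | default('ns1.' + base_domain) %}

; ---------------------------------------------------------------------------
; SOA record
; ---------------------------------------------------------------------------
@ IN SOA {{ dns_ns_fqdn }}. hostmaster.{{ base_domain }}. (
{{ dns_zone_serial }} ; Serial
3600 ; Refresh (1 hour)
900 ; Retry (15 min)
604800 ; Expire (7 days)
300 ; Negative TTL (5 min)
)

; ---------------------------------------------------------------------------
; Name servers
; ---------------------------------------------------------------------------
@ IN NS {{ dns_ns_fqdn }}.
{% if dns_ns_fqdn.endswith('.' + base_domain) %}
; Address (glue) record for the in-zone name server. Written as an FQDN so it
; always matches the NS target above, whatever dns_ns_hostname is set to
; (with the default it renders as ns1.{{ base_domain }}.).
{{ dns_ns_fqdn }}. IN A {{ dns_server_ip }}
{% else %}
; dns_ns_hostname lies outside this zone; its address record belongs to the
; zone that owns it, so none is emitted here.
{% endif %}

; ---------------------------------------------------------------------------
; Root domain
; ---------------------------------------------------------------------------
@ IN A {{ dns_server_ip }}

; ---------------------------------------------------------------------------
; Service A records — every service label points at the same host.
; Override dns_service_names to add or remove labels; keep 'mail' in the
; list, because the MX record and the DKIM instructions below rely on it.
; ---------------------------------------------------------------------------
{% set service_names = dns_service_names | default([
  'traefik', 'logs', 'auth', 's3', 'minio', 'cloud', 'mail', 'webmail',
  'matrix', 'chat', 'meet', 'headscale', 'wazuh', 'vault', 'git',
]) %}
{% for service_name in service_names %}
{{ service_name }} IN A {{ dns_server_ip }}
{% endfor %}

; ---------------------------------------------------------------------------
; Mail exchange
; ---------------------------------------------------------------------------
@ IN MX 10 mail.{{ base_domain }}.

; ---------------------------------------------------------------------------
; SPF — authorise the mail server to send on behalf of the domain
; "mx" permits the MX host above. "~all" is a softfail: mail from any other
; source is accepted but flagged rather than rejected.
; ---------------------------------------------------------------------------
@ IN TXT "v=spf1 mx ~all"

; ---------------------------------------------------------------------------
; DMARC — policy: {{ dmarc_policy | default('quarantine') }}
; rua/ruf default to mailboxes in this domain; they must be deliverable on
; the mail server or the reports bounce. fo=1 requests a failure report when
; either SPF or DKIM fails; adkim=r / aspf=r keep relaxed alignment.
; ---------------------------------------------------------------------------
_dmarc IN TXT "v=DMARC1; p={{ dmarc_policy | default('quarantine') }}; rua={{ dmarc_rua | default('mailto:dmarc-reports@' + base_domain) }}; ruf={{ dmarc_ruf | default('mailto:dmarc-forensics@' + base_domain) }}; fo=1; adkim=r; aspf=r"

; ---------------------------------------------------------------------------
; DKIM — public key from the Stalwart mail server
; Set stalwart_dkim_public_key in group_vars/all.yml (retrieve from the
; Stalwart admin UI at mail.{{ base_domain }} → Settings → DKIM keys).
; The value must be the bare base64 key on a single line — no PEM armour,
; headers or line breaks: the chunking regex below uses '.', which does not
; match a newline, so anything around a line break is dropped silently.
; RSA-2048 keys exceed the 255-byte TXT string limit so they are split into
; multiple quoted strings, which compliant resolvers concatenate.
; ---------------------------------------------------------------------------
{% if stalwart_dkim_public_key | default('') != '' %}
{% set dkim_full = "v=DKIM1; k=rsa; p=" + stalwart_dkim_public_key %}
{% set dkim_chunks = dkim_full | regex_findall('.{1,255}') %}
{{ stalwart_dkim_selector | default('default') }}._domainkey IN TXT ( {% for chunk in dkim_chunks %}"{{ chunk }}" {% endfor %})
{% else %}
; DKIM record not configured — set stalwart_dkim_public_key to enable.
{% endif %}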