From 9668b6f84e4332b8a1e8a60955a13ac59559849b Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Fri, 6 Mar 2026 10:32:08 -0500
Subject: [PATCH] chore(infra): add Postmark DNS records and update example secrets

- Add DKIM, return-path (CNAME), and DMARC DNS records to Terraform
- Add example variables for Postmark integration to vault.example.yml
- Update .gitignore patterns
---
 .gitignore | 7 ++++++-
 playbooks/web.yml | 2 --
 secrets/vault.example.yml | 24 +++++++++++++++++++-----
 terraform/main.tf | 30 ++++++++++++++++++++++++++++++
 terraform/variables.tf | 25 +++++++++++++++++++++++++
 5 files changed, 80 insertions(+), 8 deletions(-)

diff --git a/.gitignore b/.gitignore
index f69bfa3..7474fcc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,10 +13,15 @@ terraform/tfplan
 .DS_Store
 **/.DS_Store
+__pycache__/
+*.pyc
+
 .vault_pass
 secrets/.vault_pass
 inventory/hosts.yml
 inventory/host_vars/web.yml
 secrets/*
-!secrets/vault.example.yml
\ No newline at end of file
+!secrets/vault.example.yml
+
+.windsurf/
\ No newline at end of file
diff --git a/playbooks/web.yml b/playbooks/web.yml
index 050825c..5e1d9f1 100644
--- a/playbooks/web.yml
+++ b/playbooks/web.yml
@@ -14,5 +14,3 @@
 tags: [app_deployer]
 - role: app_core
 tags: [app_core]
- - role: forgejo_runner
- tags: [forgejo_runner]
diff --git a/secrets/vault.example.yml b/secrets/vault.example.yml
index 285c886..1310185 100644
--- a/secrets/vault.example.yml
+++ b/secrets/vault.example.yml
@@ -25,23 +25,37 @@ AUTHELIA_SMTP_PASSWORD:
 AUTHELIA_SMTP_SENDER:
 AUTHELIA_SMTP_IDENTIFIER:
 AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS:
-# POSTFIX_RELAYHOST:
-# POSTFIX_RELAYHOST_USERNAME:
-# POSTFIX_RELAYHOST_PASSWORD:
+POSTFIX_RELAYHOST: "smtp.postmarkapp.com"
+# POSTFIX_RELAYHOST_PORT: "2525"
+# POSTFIX_RELAYHOST_USERNAME: "your-postmark-server-token"
+# POSTFIX_RELAYHOST_PASSWORD: "your-postmark-server-token"
 FORGEJO_RUNNER_REGISTRATION_TOKEN:
 FORGEJO_API_TOKEN:
 FORGEJO_BASE_URL:
-FORGEJO_RUNNER_REGISTRATION_TOKEN:
+
 SERVICE_SSH_REGISTER_PUBLIC_KEY:
 SERVICE_SSH_DEREGISTER_PUBLIC_KEY:
 RESTIC_PASSWORD:
 RESTIC_AWS_ACCESS_KEY_ID:
 RESTIC_AWS_SECRET_ACCESS_KEY:
-RESTIC_AWS_DEFAULT_REGION:
+# RESTIC_REPOSITORY: "s3:https://us-east-1.linodeobjects.com/bucket-name/infra"
 ALERTMANAGER_SLACK_WEBHOOK_URL:
 ALERTMANAGER_DISCORD_WEBHOOK_URL:
+# Alertmanager Email Settings (uses Postfix on localhost:25 by default)
+# ALERTMANAGER_SMTP_HOST: "localhost:25"
+# ALERTMANAGER_SMTP_FROM: "no-reply@yourdomain.com"
+# ALERTMANAGER_EMAIL_TO: "admin@yourdomain.com"
+
+# Authelia SMTP Settings (uses Postfix container on proxy network)
+# AUTHELIA_SMTP_ADDRESS: "postfix:25"
+# AUTHELIA_SMTP_SENDER: "no-reply@yourdomain.com"
+# AUTHELIA_SMTP_IDENTIFIER: "yourdomain.com"
+# AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS: "test@yourdomain.com"
+# AUTHELIA_SMTP_USERNAME: "" # Leave empty for no auth (Postfix on local network)
+# AUTHELIA_SMTP_PASSWORD: "" # Leave empty for no auth
+
 # Deployment token for webhook authentication (must match DEPLOY_TOKEN secret in app repos)
 VAULT_DEPLOY_TOKEN:
diff --git a/terraform/main.tf b/terraform/main.tf
index 63ef69e..599c2ae 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
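Review bot: The commented Authelia block added at the bottom of the hunk repeats keys that already exist uncommented at the top of the same hunk (`AUTHELIA_SMTP_PASSWORD`, `AUTHELIA_SMTP_SENDER`, `AUTHELIA_SMTP_IDENTIFIER`, `AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS`), so uncommenting the examples as written yields duplicate YAML keys and which value wins depends on the loader. Either drop the earlier bare keys or keep the new lines purely descriptive, e.g. `# Example values for the AUTHELIA_SMTP_* keys above:`. The `AUTHELIA_SMTP_USERNAME: ""  # Leave empty for no auth` example documents an unauthenticated relay through the Postfix container; that is only sound if Postfix restricts relaying to the proxy network, which this change does not show, so a line such as `# Unauthenticated relay depends on Postfix mynetworks/relay restrictions limiting it to the proxy network` next to the example would make the assumption explicit. Separately, `RESTIC_AWS_DEFAULT_REGION` is removed while the new `RESTIC_REPOSITORY` example embeds `us-east-1` in the endpoint; if the restic role still reads the region variable, the example now omits a required key.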
@@ -333,3 +333,33 @@ resource "cloudflare_record" "blizzard_cname" {
 ttl = var.cloudflare_ttl
 proxied = false
 }
+
+resource "cloudflare_record" "dkim" {
+ count = (var.enable_cloudflare_dns && length(var.dkim_hostname) > 0 && length(var.dkim_value) > 0) ? 1 : 0
+ zone_id = var.cloudflare_zone_id
+ name = var.dkim_hostname
+ type = "TXT"
+ content = "v=DKIM1; ${var.dkim_value}"
+ ttl = var.cloudflare_ttl
+ proxied = false
+}
+
+resource "cloudflare_record" "return_path" {
+ count = (var.enable_cloudflare_dns && length(var.return_path_target) > 0) ? 1 : 0
+ zone_id = var.cloudflare_zone_id
+ name = "pm-bounces"
+ type = "CNAME"
+ content = var.return_path_target
+ ttl = var.cloudflare_ttl
+ proxied = false
+}
+
+resource "cloudflare_record" "dmarc" {
+ count = var.enable_cloudflare_dns ? 1 : 0
+ zone_id = var.cloudflare_zone_id
+ name = "_dmarc"
+ type = "TXT"
+ content = "v=DMARC1; p=reject; rua=mailto:dmarc@jfraeys.com; adkim=s; aspf=r"
+ ttl = var.cloudflare_ttl
+ proxied = false
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index d7a7143..734673e 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -107,3 +107,28 @@ variable "object_storage_region" {
 type = string
 default = "us-east-1"
 }
+
+variable "dkim_hostname" {
+ description = "DKIM record hostname including _domainkey suffix (e.g., 'default._domainkey')"
+ type = string
+ default = ""
+}
+
+variable "dkim_value" {
+ description = "DKIM public key base64 value (without v=DKIM1; k=rsa; p= prefix)"
+ type = string
+ default = ""
+ sensitive = true
+}
+
+variable "return_path_target" {
+ description = "Return path CNAME target for bounce handling"
+ type = string
+ default = ""
+}
+
+variable "dmarc_rua_email" {
+ description = "Email address for DMARC aggregate reports"
+ type = string
+ default = ""
+}
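Review bot: The `dmarc` record hardcodes `rua=mailto:dmarc@jfraeys.com` while the same commit declares `dmarc_rua_email` in terraform/variables.tf and never references it, so the variable is dead and the reporting address cannot be changed per deployment; suggest `count = (var.enable_cloudflare_dns && length(var.dmarc_rua_email) > 0) ? 1 : 0` and `content = "v=DMARC1; p=reject; rua=mailto:${var.dmarc_rua_email}; adkim=s; aspf=r"`. The `dkim` record builds `content = "v=DKIM1; ${var.dkim_value}"`, but the variable description in variables.tf says the value is supplied without the `k=rsa; p=` prefix; a value entered as described would publish a TXT record with no `p=` tag and DKIM verification would fail, so either change it to `content = "v=DKIM1; k=rsa; p=${var.dkim_value}"` or fix the description to say the full `k=rsa; p=...` string is expected. Note also that `p=reject` is published as soon as `enable_cloudflare_dns` is true, whereas the DKIM and return-path records are gated on non-empty inputs, so a zone can carry a reject policy with no DKIM record yet; gating the DMARC record on the same inputs, or starting with `p=none` until aggregate reports confirm alignment, would avoid rejecting legitimate mail during rollout.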
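Review bot: `dkim_value` is marked `sensitive = true`, but a DKIM record carries the public key that is published in DNS, so hiding it from plan output does not protect anything and makes the resulting TXT record harder to review; if the flag is kept for another reason, say so in a comment such as `# sensitive only to keep the long key out of plan output`. The description of `dkim_value` and its use in terraform/main.tf disagree on whether the `k=rsa; p=` prefix is included (see the note on the main.tf hunk), and `dmarc_rua_email` is declared here but unused there. A `validation` block on `dkim_hostname` with `condition = var.dkim_hostname == "" || endswith(var.dkim_hostname, "_domainkey")` and an `error_message` would catch the mistake the description warns about at plan time rather than after the record is published.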