chore(infra): add Postmark DNS records and update example secrets

- Add DKIM, return-path (CNAME), and DMARC DNS records to Terraform
- Add example variables for Postmark integration to vault.example.yml
- Update .gitignore patterns

.gitignore

@@ -13,6 +13,9 @@ terraform/tfplan
 .DS_Store
 **/.DS_Store
 
+__pycache__/
+*.pyc
+
 .vault_pass
 secrets/.vault_pass
 inventory/hosts.yml
@@ -20,3 +23,5 @@ inventory/host_vars/web.yml
 
 secrets/*
 !secrets/vault.example.yml
+
+.windsurf/

playbooks/web.yml

@@ -14,5 +14,3 @@
       tags: [app_deployer]
     - role: app_core
       tags: [app_core]
-    - role: forgejo_runner
-      tags: [forgejo_runner]

secrets/vault.example.yml

@@ -25,23 +25,37 @@ AUTHELIA_SMTP_PASSWORD:
 AUTHELIA_SMTP_SENDER:
 AUTHELIA_SMTP_IDENTIFIER:
 AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS:
-# POSTFIX_RELAYHOST:
-# POSTFIX_RELAYHOST_USERNAME:
-# POSTFIX_RELAYHOST_PASSWORD:
+POSTFIX_RELAYHOST: "smtp.postmarkapp.com"
+# POSTFIX_RELAYHOST_PORT: "2525"
+# POSTFIX_RELAYHOST_USERNAME: "your-postmark-server-token"
+# POSTFIX_RELAYHOST_PASSWORD: "your-postmark-server-token"
 FORGEJO_RUNNER_REGISTRATION_TOKEN:
 FORGEJO_API_TOKEN:
 FORGEJO_BASE_URL:
-FORGEJO_RUNNER_REGISTRATION_TOKEN:
+
 SERVICE_SSH_REGISTER_PUBLIC_KEY:
 SERVICE_SSH_DEREGISTER_PUBLIC_KEY:
 
 RESTIC_PASSWORD:
 RESTIC_AWS_ACCESS_KEY_ID:
 RESTIC_AWS_SECRET_ACCESS_KEY:
-RESTIC_AWS_DEFAULT_REGION:
+# RESTIC_REPOSITORY: "s3:https://us-east-1.linodeobjects.com/bucket-name/infra"
 
 ALERTMANAGER_SLACK_WEBHOOK_URL:
 ALERTMANAGER_DISCORD_WEBHOOK_URL:
 
+# Alertmanager Email Settings (uses Postfix on localhost:25 by default)
+# ALERTMANAGER_SMTP_HOST: "localhost:25"
+# ALERTMANAGER_SMTP_FROM: "no-reply@yourdomain.com"
+# ALERTMANAGER_EMAIL_TO: "admin@yourdomain.com"
+
+# Authelia SMTP Settings (uses Postfix container on proxy network)
+# AUTHELIA_SMTP_ADDRESS: "postfix:25"
+# AUTHELIA_SMTP_SENDER: "no-reply@yourdomain.com"
+# AUTHELIA_SMTP_IDENTIFIER: "yourdomain.com"
+# AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS: "test@yourdomain.com"
+# AUTHELIA_SMTP_USERNAME: ""  # Leave empty for no auth (Postfix on local network)
+# AUTHELIA_SMTP_PASSWORD: ""  # Leave empty for no auth
+
 # Deployment token for webhook authentication (must match DEPLOY_TOKEN secret in app repos)
 VAULT_DEPLOY_TOKEN:

terraform/main.tf

@@ -333,3 +333,33 @@ resource "cloudflare_record" "blizzard_cname" {
   ttl     = var.cloudflare_ttl
   proxied = false
 }
+
+resource "cloudflare_record" "dkim" {
+  count   = (var.enable_cloudflare_dns && length(var.dkim_hostname) > 0 && length(var.dkim_value) > 0) ? 1 : 0
+  zone_id = var.cloudflare_zone_id
+  name    = var.dkim_hostname
+  type    = "TXT"
+  content = "v=DKIM1; ${var.dkim_value}"
+  ttl     = var.cloudflare_ttl
+  proxied = false
+}
+
+resource "cloudflare_record" "return_path" {
+  count   = (var.enable_cloudflare_dns && length(var.return_path_target) > 0) ? 1 : 0
+  zone_id = var.cloudflare_zone_id
+  name    = "pm-bounces"
+  type    = "CNAME"
+  content = var.return_path_target
+  ttl     = var.cloudflare_ttl
+  proxied = false
+}
+
+resource "cloudflare_record" "dmarc" {
+  count   = var.enable_cloudflare_dns ? 1 : 0
+  zone_id = var.cloudflare_zone_id
+  name    = "_dmarc"
+  type    = "TXT"
+  content = "v=DMARC1; p=reject; rua=mailto:dmarc@jfraeys.com; adkim=s; aspf=r"
+  ttl     = var.cloudflare_ttl
+  proxied = false
+}

terraform/variables.tf

@@ -107,3 +107,28 @@ variable "object_storage_region" {
   type    = string
   default = "us-east-1"
 }
+
+variable "dkim_hostname" {
+  description = "DKIM record hostname including _domainkey suffix (e.g., 'default._domainkey')"
+  type        = string
+  default     = ""
+}
+
+variable "dkim_value" {
+  description = "DKIM public key base64 value (without v=DKIM1; k=rsa; p= prefix)"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "return_path_target" {
+  description = "Return path CNAME target for bounce handling"
+  type        = string
+  default     = ""
+}
+
+variable "dmarc_rua_email" {
+  description = "Email address for DMARC aggregate reports"
+  type        = string
+  default     = ""
+}