authorAaron LI <aly@aaronly.me>2018-03-03 00:20:58 +0800
committerAaron LI <aly@aaronly.me>2018-03-14 11:35:07 +0800
commit815ca6c58cf9c1e7469ff1bc9659aca426ac293e (patch)
tree80e08030b30fdac3d1031679e08d2c4f78a9a4a7
parente3e2ee76b6df3f16f8aac92914c07a38170953e8 (diff)
downloadansible-dfly-vps-815ca6c58cf9c1e7469ff1bc9659aca426ac293e.tar.bz2
dns/zones: add zone aaronly.me; update zone liwt.net with mail records
-rw-r--r--host_vars/vultr24
-rw-r--r--roles/dns/templates/zones/aaronly.me.zone.j242
-rw-r--r--roles/dns/templates/zones/liwt.net.zone.j218
3 files changed, 80 insertions, 4 deletions
diff --git a/host_vars/vultr b/host_vars/vultr
index 154ffac..0407938 100644
--- a/host_vars/vultr
+++ b/host_vars/vultr
@@ -1,3 +1,4 @@
+# -*- mode: yaml; -*-
---
ansible_ssh_host: vultr.liwt.net
ansible_ssh_port: 8864
@@ -42,6 +43,29 @@ nameservers:
- ns1.1984.is
- ns2.1984.is
+mail:
+ domains:
+ - liwt.net
+ - aaronly.me
+ dkim:
+ selector: mail
+ bits: 2048
+ port: 8901
+ dmarc:
+ p: none # policy for the domain
+ sp: none # policy for subdomains of this domain
+ aspf: r # alignment mode for SPF (r: relaxed; s: strict)
+ pct: 100 # percent of messages subjected to filtering
+ # reporting URI of aggregate reports
+ # Free DMARC weekly digests by https://dmarc.postmarkapp.com/
+ rua:
+ liwt.net: ???
+ aaronly.me: re+f6lpmirefcg@dmarc.postmarkapp.com
+ # To avoid trashing by GMail
+ google-site-verification:
+ liwt.net: ???
+ aaronly.me: rSh99lenrfS-HnzvEahEDYTj9UvoKeX4NdWmDzD-pxo
+
shadowsocks:
port: 8989
password: "???"
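Review bot: `p: none` and `sp: none` keep DMARC in monitor-only mode, so receivers take no action on mail that fails SPF/DKIM alignment for either domain. If this is the initial rollout phase, record that next to the setting, e.g. `p: none  # monitoring only; raise to quarantine/reject once aggregate reports are clean`, so it is not left in place indefinitely. The `liwt.net: ???` entries under `rua` and `google-site-verification` are interpolated verbatim by the zone templates, which would publish `rua=mailto:???`. Presumably these are pending or redacted values; omitting the key and guarding the record in the template would fail more safely than publishing a placeholder.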
diff --git a/roles/dns/templates/zones/aaronly.me.zone.j2 b/roles/dns/templates/zones/aaronly.me.zone.j2
new file mode 100644
index 0000000..02b5e9b
--- /dev/null
+++ b/roles/dns/templates/zones/aaronly.me.zone.j2
@@ -0,0 +1,42 @@
+; -*- mode: dns; -*-
+; {{ ansible_managed }}
+{% set domain = "aaronly.me" %}
+{% set hostmaster = "hostmaster." + network.domain %}
+$ORIGIN {{ domain }}.
+$TTL 1h
+
+@ IN SOA {{ nameservers[0].ns[0] }}. {{ hostmaster }}. (
+ {{ domain | next_serial }} ; serial number
+ 1d ; refresh
+ 2h ; retry
+ 4w ; expire
+ 1h ; minimum
+ )
+
+; Name servers
+{% for server in nameservers %}
+{% for ns in server.ns %}
+@ IN NS {{ ns }}. ; {{ server.name }}
+{% endfor %}
+{% endfor %}
+
+@ IN A {{ network.ipv4.address }}
+@ IN AAAA {{ network.ipv6.address }}
+dorm-x42 IN A 58.196.142.84
+office IN A 202.120.52.45
+cluster IN A 202.120.52.63
+liteserver IN A 5.2.70.218
+
+www IN CNAME @
+* IN CNAME @
+
+; Mail server
+{% if domain != network.domain %}
+@ IN MX 10 mail.{{ network.domain }}.
+{% endif %}
+@ IN TXT "v=spf1 mx -all"
+@ IN TXT "google-site-verification={{ mail['google-site-verification'][domain] }}"
+_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; aspf={{ mail.dmarc.aspf }}; rua=mailto:{{ mail.dmarc.rua[domain] }};"
+{{ mail.dkim.selector }}._domainkey IN TXT "v=DKIM1; k=rsa; s={{ mail.dkim.selector }}; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu7LZbXj5HBjT5yoMCnCd5eBLBZ1s/WP0hPQSignjEu4pCtOsPf7f/knhDDD7eMOSlOAa91Dq6e8B0aNKfV2m7e88SvHLnWVhH+kUNIdSQRTrTL6Pt1WAH0XjgDcd0f2MB+ho5GIeRJnLWHoRtrSUoBKgMxnvW8aco/Z/z0/qn5Tcsrz7wP/W7c/eX38SRuanrKUVnE8FqvvshZzaPfqe46WrqKDI6mfeYa0up/1ikUWgAHKVZEXTUCPVBUXxHbyK7a6MgZW+BYkYEeypMnYViq9k+TIHNNjlGbOLXqujn2j/L0r7ORjZX16C1qNf54qvMeklDK1+8KW872F6s+kVKwIDAQAB"
+
+; vim: set ft=bindzone:
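Review bot: The `_domainkey` TXT record at the end of this file sets `s={{ mail.dkim.selector }}`, but in a DKIM key record `s=` is the service-type tag (RFC 6376 §3.6.1, values `*` or `email`), not the selector. With the selector `mail` it renders `s=mail`, which verifiers are told to treat as not applicable to email, so signatures for this domain would fail to verify; drop the tag or write `s=email`. The same tag appears on the DKIM line added in the liwt.net zone hunk. The record is also one quoted string of roughly 400 characters, while a TXT character-string is limited to 255 octets, so it should be split into adjacent quoted strings, e.g. `"v=DKIM1; k=rsa; " "p=<first part of key>" "<rest of key>"`. Moving the public key into a per-domain variable, as is done for `rua`, would keep key rotation out of the template.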
diff --git a/roles/dns/templates/zones/liwt.net.zone.j2 b/roles/dns/templates/zones/liwt.net.zone.j2
index fc44279..02e649c 100644
--- a/roles/dns/templates/zones/liwt.net.zone.j2
+++ b/roles/dns/templates/zones/liwt.net.zone.j2
@@ -1,6 +1,7 @@
+; -*- mode: dns; -*-
+; {{ ansible_managed }}
{% set domain = "liwt.net" %}
{% set hostmaster = "hostmaster." + network.domain %}
-; {{ ansible_managed }}
$ORIGIN {{ domain }}.
$TTL 1h
@@ -24,6 +25,7 @@ $TTL 1h
1h ; minimum
)
+; Name servers
{% for server in nameservers %}
{% for ns in server.ns %}
@ IN NS {{ ns }}. ; {{ server.name }}
@@ -32,15 +34,23 @@ $TTL 1h
@ IN A {{ network.ipv4.address }}
@ IN AAAA {{ network.ipv6.address }}
-mail IN A {{ network.ipv4.address }}
-mail IN AAAA {{ network.ipv6.address }}
+vultr IN CNAME @
www IN CNAME @
git IN CNAME @
-vultr IN CNAME @
+carddav IN CNAME @
+caldav IN CNAME @
* IN CNAME @
+; Mail server
+{% if domain == network.domain %}
+mail IN A {{ network.ipv4.address }}
+mail IN AAAA {{ network.ipv6.address }}
@ IN MX 10 mail
+{% endif %}
@ IN TXT "v=spf1 mx -all"
+@ IN TXT "google-site-verification={{ mail['google-site-verification'][domain] }}"
+_dmarc IN TXT "v=DMARC1; p={{ mail.dmarc.p }}; sp={{ mail.dmarc.sp }}; pct={{ mail.dmarc.pct }}; aspf={{ mail.dmarc.aspf }}; rua=mailto:{{ mail.dmarc.rua[domain] }};"
+{{ mail.dkim.selector }}._domainkey IN TXT "v=DKIM1; k=rsa; s={{ mail.dkim.selector }}; p=???"
; vim: set ft=bindzone:
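Review bot: The DKIM record added at the end of this hunk publishes `p=???`, which is not valid base64, so a verifier that fetches the key for this selector cannot parse it and signatures for liwt.net would fail. Presumably the key is pending or redacted here. Until a real key exists, emit the record only when one is configured, for example by wrapping it in `{% if mail.dkim.pubkey[domain] is defined %}` … `{% endif %}` (the variable name is constructed for illustration) and reading the key from that per-domain variable.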