prepare DNS migration

2023-11-04 21:33:51 +01:00 · 2023-11-04 21:33:51 +01:00 · 4e9155e0db
commit 4e9155e0db
parent b54420c0d9
30 changed files with 510 additions and 104 deletions
--- a/ansible/group_vars/database/database
+++ b/ansible/group_vars/database/database
@ -18,6 +18,10 @@ postgresql_databases:
    owner: vikunja
  - name: ghostfolio
    owner: ghostfolio
  - name: pdns-auth
    owner: pdns-auth
  - name: pdns-admin
    owner: pdns-admin
 postgres_consul_service: true
 postgres_consul_service_name: db
--- a/ansible/group_vars/database/vault_database
+++ b/ansible/group_vars/database/vault_database
@ -1,38 +1,45 @@
 $ANSIBLE_VAULT;1.1;AES256
-31336239306162353439323635633133393530396161656139303031323330366431653665623032
+64656332666561346439636331396439333566646361333031613764376634363061623635356630
-3133326132353635336331353236396334623736383461310a633931616636396665363931393432
+3832326235316435316264653637396130383465323234630a653138393161316232323236323366
-34663535363362363030323439646134653163656538306230323739653739316464363232623264
+32363661633631623132323864663366633766396266623630636135396165663062353434613231
-3638643737316132640a316461316335336432383066356134356231323964383861313465373765
+6363646665626439610a313233313639333232393035633139326561316431393837616231313933
-39393536636531663136346461383530343233346233613562336633353934353861313135643239
+38646532613665666136316635376533653161616630313532333330393364636662653331336637
-36303930363663633936626361623835633932633863653230313532336239653931303530623536
+39353462336130333933383033656634633461333461393730633333343330306432623466623062
-36626631363662346661313664303866343165303337376131656663373266383261643331386263
+32353962623338356630393935646537313335313335323464666265303732653633396332363965
-64333137653134613365383538646463653336663637623163666365646439383636376238643131
+36356338386330653863646134623234623230356232643535643763303162626132333530626639
-35373965326561666238656363333266633262373431653837623562633436386132376239363461
+39316166613862356264336362303833343236616635613136356433663766383861333832656261
-37376631336265326137626138653063353766346264663632366266636635313364303432363731
+35613662653266396461383162303230613865373232353437646131633063633634346633383563
-32323938386430653238303834636465333865383962623066356430396531353463393133653730
+31323736303537643433633235613464376230373332613331623439643462313362356437623463
-33383364373130366437393938616431646536623635356464356438323664383635363665323561
+65326335653938626461353332356434303962376630626666666631386334316261653639623633
-65613463636633643033396232386437373532663338346437656562333536333863306538386563
+34326633393330313064326562363838316366316361626662393435363262333264626333396136
-34326138646331663165323061336139323963666632626635643931363330316136353262306637
+66353936623763323865656632373763303365316131663064343830663330323566346535316436
-65343432643136383136636335313038343963383937663865303430623466383465623332373764
+63623931383461363364613632363661613734306535373536643236656161393634633435653862
-66366232646132653632366530643362323131616333333534616264326136636363386138623463
+34316666353234646633633635653934373335396635343035663238323636323662346632303865
-61323562303261363331653363326137313966323563373331356362373431313735613937313239
+35326333366439646661303437626238326435313032373031636535353963666263636635366234
-30373130336637623766393130646330366235373831336538376364376139396362326336396238
+36336562633666623932653465376237366232306262386565646631346432346631353566326535
-33353234323036333631343137323130303531616133363630633336633434363932386334333964
+32356337333762653161376439353035323633363833633862336134366132623963326231643461
-66396632616433643637306564656431663531353762356534663866613765376631356566626164
+35623863373730313935393631626266336465613261636364353533666233613831323031643035
-62646262616265313533666362653837373230303863313336656566623036396530346561313937
+32663630316264633932643132633061303438613339646264666334306630643038323632366330
-66376662353361653532616637666439653565383737636239396233613435373330653664323931
+31366365333039636434613537386436313539396632613766333136663638393462653263613165
-61333434346430623637653232363462336330386538646433303830373235333539326433333261
+33323937313031626233623237616464323939303131613465326362346632346538323161343362
-32306634396531626638366465646364393330653739393764623639396565653234376634366535
+65353839386133326233356561363864336261663135343865323861623330613736333835396261
-36303361613662353337333162343633313437316431336332646235636332653239366338623737
+64653361333530326630363633383836396565646463396239616261646635303535316135306537
-35643262316531623538626335343563636238363639373730333332393032396565643735383236
+64343830616566663633323531383464383834373539646637633465616533383238346565303337
-61383437336237363934626535343037353036343532646339393937316535623532633838373964
+34386561626266303833353665306335326264343533386263626562373633303135313735643733
-61633932626664353264653535373130346334626262373665666137663366663738656563393966
+37333766373465326133663663303166316134643732343938343930616631383137356137373564
-62313939643930353165356430363031613830383738333938386635333234636630313735613266
+31633831663264653762326534343635323364313632353661323330646638363062346137646337
-62373862306335383839656566386163333530626539353436623031303432643461623663303036
+61323334623434613333613038633637666131393338653839373835633062396661653537343138
-66313064323363623438316532386331313762343266323430303066643861653261363765623038
+61643961623366393735393438356461333731326265313937613066323038313163353835363135
-38613334356431323033653733363835616534316233383431303136623761333935343231626430
+33323932353264313536393865373232333930613636343661613033656165616237373439383531
-38353237333430633063303264653033316539353862336433366661303538653933373437346161
+38393932366633616639303964386333386462353935646432663330313137306465386634633931
-34313164346332336637653563336631313762333031333237326265663437666539306332396136
+33656533306665653836363830363164303039356463386130663536636330396138643363383838
-36323736313562636235353139663532333436363163383238643531336131386664636530336239
+35393966646630663535623836303262353739353063303763333530383630353838623939376535
-38336539363661333330643238326263333730663035313534643039376237313332363638663863
+34343239373831623232343530396561393730303066323236306539333263656133366363396534
-32643334343034333438383132666134386562643566643463346561313036363837
+30666662336435313561666536643231633562663037353837303936326164353366333032656431
 39303063343536336431336637323239356432616562656565306561666664663930303232313464
 34333236613239656562323037656137376135396636323361383565336636303338663138396238
 65396130303931393266636630656637333464346361303763653931383464326365333232623437
 61623263316562643636386637303531626238333131656130306236636230626362653935353331
 34366663303235653431616135343963643935303336313231343562376430343564393832343335
 36363130313533373137383738346438666634303537633232636535303835636333653636303937
 39356339656234303432
--- a/docs/ADR/004-DNS.md
+++ b/docs/ADR/004-DNS.md
@ -68,7 +68,7 @@ we have curently three authority domain on NAS:
 we could migrate authority DNS in cluster
 ducamps.win and ducamps.eu are only use for application access so no dependence with cluster build
-need to study cluster build dependance for lan.ducamps.eu
+need to study cluster build dependance for lan.ducamps.eu-> in every case in case of build from scratch need to use IP
 need keepalive IP and check if no conflict if store on same machine than pihole->ok don't need to listen on 53 only request by recursor
 DNS authority will dependant to storage (less problematic than recursor)
--- a/nomad-job/pdns-auth.nomad
+++ b/nomad-job/pdns-auth.nomad
@ -0,0 +1,162 @@
 job "pdns-auth" {
  datacenters = ["homelab"]
  priority    = 100
  meta {
    force = 2
  }
  type = "service"
  constraint {
    attribute = "${attr.cpu.arch}"
    value     = "amd64"
  }
  group "pdns-auth" {
    network {
      port "dns" {
        static=5300
      }
      port "http" {
        static = 8081
      }
      port "pdnsadmin"{
        to = 80
      }
    }
  vault {
    policies = ["pdns"]
  }
  task "pdns-auth" {
    driver = "docker"
    service {
        name = "pdns-auth"
        port = "dns"
        check {
          name     = "service: dns tcp check"
          type     = "tcp"
          interval = "10s"
          timeout  = "2s"
          success_before_passing   = "3"
          failures_before_critical = "3"
        }
      }
      config {
        image = "powerdns/pdns-auth-48:latest"        
        network_mode = "host"
        volumes = [
          "/mnt/diskstation/nomad/pdns-auth/var:/var/lib/powerdns/",
          "local/dnsupdate.conf:/etc/powerdns/pdns.d/dnsupdate.conf",
          "local/pdns.conf:/etc/powerdns/pdns.conf"
        ]
      }
      template {
        destination = "secrets/env"
        data = <<EOH
 {{ with secret "secrets/data/nomad/pdns"}}
          PDNS_AUTH_API_KEY="{{.Data.data.API_KEY}}"
 {{ end }}
        EOH
        env = true
      }
      template{
        destination = "local/dnsupdate.conf"
        data = <<EOH
 dnsupdate=yes
 allow-dnsupdate-from=192.168.1.41/24
 local-address=0.0.0.0:5300
 local-port=5300
        EOH
      }
      template{
        destination = "local/pdns.conf"
        data = <<EOH
 launch=gpgsql
 gpgsql-host=active.db.service.consul
 gpgsql-port=5432
 gpgsql-user=pdns-auth
 {{ with secret "secrets/data/database/pdns"}}
 gpgsql-password={{ .Data.data.pdnsauth }}
 {{ end }}
 include-dir=/etc/powerdns/pdns.d
        EOH
      }
      resources {
        memory = 100
      }
    }
  task "pnds-admin" {
    service {
      name = "pdns-admin"
      tags = [
        "homer.enable=true",
        "homer.name=PDNS-ADMIN",
        "homer.service=Application",
        "homer.target=_blank",
        "homer.url=http://${NOMAD_ADDR_pdnsadmin}",
      ]
      port = "pdnsadmin"
    }
    driver = "docker"
    config {
     image = "powerdnsadmin/pda-legacy:latest"        
     ports= ["pdnsadmin"]  
      volumes = [
        "/mnt/diskstation/nomad/pdns-admin/:/data/node_module/",
      ]
      }
      template{
        destination = "secrets/pdns-admin.env"
        env = true
        data = <<EOH
 {{ with secret "secrets/data/nomad/pdns"}}
 SECRET_KEY="{{ .Data.data.SECRET_KEY }}"
 GUNICORN_WORKERS=2
 {{ end }}
 {{ with secret "secrets/data/database/pdns"}}
 SQLALCHEMY_DATABASE_URI=postgresql://pdns-admin:{{ .Data.data.pdnsadmin }}@active.db.service.consul/pdns-admin
 {{end}}
        EOH
      }
  }
  task "keepalived" {
    driver = "docker"
      lifecycle {
        hook    = "poststart"
        sidecar = true
      }
      env {
        KEEPALIVED_ROUTER_ID     = "52"
        KEEPALIVED_STATE         = "MASTER"
        KEEPALIVED_VIRTUAL_IPS   = "192.168.1.5"
      }
      template{
        destination = "local/env.yaml"
        change_mode = "restart"
        env= true
        data = <<EOH
        KEEPALIVED_INTERFACE= {{ sockaddr "GetPrivateInterfaces | include \"network\" \"192.168.1.0/24\" | attr \"name\"" }}
        EOH
      }
      config {
        image        = "osixia/keepalived:2.0.20"
        network_mode = "host"
        cap_add = [
          "NET_ADMIN",
          "NET_BROADCAST",
          "NET_RAW"
        ]
      }
      resources {
        cpu    = 20
        memory = 20
      }
    }
  }
 }
--- a/terraform/cloud/.terraform.lock.hcl
+++ b/terraform/cloud/.terraform.lock.hcl
--- a/terraform/cloud/dns.tf
+++ b/terraform/cloud/dns.tf
@ -7,71 +7,7 @@ resource "hetznerdns_zone" "externalZone" {
  ttl  = 1700
 }
 resource "hetznerdns_zone" "externalZoneEU" {
    name = "ducamps.eu"
    ttl  = 1700
 }
 resource "hetznerdns_record" "MX1Eu" {
    zone_id = hetznerdns_zone.externalZoneEU.id
    name    = "@"
    value   = "20 mail"
    type    = "MX"
 }
 resource "hetznerdns_record" "mailEu" {
      zone_id = hetznerdns_zone.externalZoneEU.id
      name    = "mail"
      value    = local.defaultCname
      type= "CNAME"
 }
 resource "hetznerdns_record" "serverEU" {
  zone_id = hetznerdns_zone.externalZoneEU.id
  name    = local.defaultCname
  value   = hcloud_server.HomeLab2[0].ipv4_address
  type    = "A"
 }
 resource "hetznerdns_record" "spfEu" {
  zone_id = hetznerdns_zone.externalZoneEU.id
  name    = "@"
  value   = "\"v=spf1 ip4:${hcloud_server.HomeLab2[0].ipv4_address} ~all\""
  type    = "TXT"
 }
 resource "hetznerdns_record" "dkimRecordEu" {
  zone_id = hetznerdns_zone.externalZoneEU.id
  name    = "mail._domainkey"
  value   = "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0GadPljh+zM+Hf8MAf2wyj+h9p72aBFeFaiDhnswxO68fM9Uk6XhN4s1BkHLY5AWQh0SP1JDBaFWDfJiOV/27E3qJIa4KDHPZcgxgvo+SbfgNZq5qGIhKyqAAtyg/dI8IMKVOZ5Cevdv9VFrSF84xnTmDBCrWydPyV8D5+xA/bVna/AVCAVUeXVppyMPpC0s1HpRNJ0YaY23RH1KwChxvZY+BkanELSzTA8K0ATbIzwgQaK10/lc1S6EFvaSNG8sy6EIoondl6t+uiqU3bHgAW68r8snzl2gclG+uMkjXkH7YGPJzL9Co1o1MlKOHIONz89CCe0puIH4qaCo1G6EDwIDAQAB\""
  type    = "TXT"
 }
 resource "hetznerdns_record" "dmarcEU" {
  zone_id = hetznerdns_zone.externalZoneEU.id
  name = "_dmarc"
  value = "\"v=DMARC1; p=none; rua=mailto:vincent@ducamps.eu; ruf=mailto:vincent@ducamps.eu; sp=none; ri=86400\""
  type  = "TXT"
 }
 resource "hetznerdns_record" "imapsAutodiscoverEU" {
  zone_id = hetznerdns_zone.externalZoneEU.id
  name = "_imaps._tcp"
  value = "0 0 993 mail.ducamps.eu"
  type  = "SRV"
 }
 resource "hetznerdns_record" "submissionAutodiscoverEU" {
  zone_id = hetznerdns_zone.externalZoneEU.id
  name = "_submission._tcp"
  value = "0 0 465 mail.ducamps.eu"
  type  = "SRV"
 }
 resource "hetznerdns_record" "NSEU" {
    zone_id = hetznerdns_zone.externalZoneEU.id
    name    = "@"
    value   = "hydrogen.ns.hetzner.com."
    type    = "NS"
 }
 resource "hetznerdns_record" "rootalias" {
  zone_id = hetznerdns_zone.externalZone.id
  name    = "@"
--- a/terraform/cloud/firewall.tf
+++ b/terraform/cloud/firewall.tf
--- a/terraform/cloud/output.tf
+++ b/terraform/cloud/output.tf
--- a/terraform/cloud/providers.tf
+++ b/terraform/cloud/providers.tf
--- a/terraform/cloud/server.tf
+++ b/terraform/cloud/server.tf
--- a/terraform/cloud/ssh.tf
+++ b/terraform/cloud/ssh.tf
--- a/terraform/cloud/variable.tf
+++ b/terraform/cloud/variable.tf
@ -16,7 +16,7 @@ variable "instances" {
 variable "server_type" {
  type=string
-  default = "cpx21"
+  default = "CPX21"
 }
 variable "os_type" {
--- a/terraform/dns/.terraform.lock.hcl
+++ b/terraform/dns/.terraform.lock.hcl
@ -0,0 +1,56 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/vault" {
  version = "3.22.0"
  hashes = [
    "h1:AyHIjPpd3CMimsJiwRCpi3Jo9SF8MhWkWHj7TjmUyvc=",
    "zh:2ebe83a6d3c03c69610899408c3b9fcc6eb7a47e62a5c50126a20244fe2e0e2e",
    "zh:46985c7bc1070f4cbb7241063046c165112aed47b0ef3d323197d11525a7c3e1",
    "zh:4f3b1cc0eb4990b02a30d366e4c0b77e56e70610f283fb223f60171ab8ba4ee1",
    "zh:6b445c90130201f6babb83b3d68969c7fc8936ddb29bd62597782b973a204a67",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
    "zh:9097ca5bc78c701126c610b34127f58aeeba446ae2e03e94d8a42b4fb7ed6e4c",
    "zh:98a81d03a45ada9a10a4d3cfdf4a7c223e5da3251aa0aaa6e24a48cea475903f",
    "zh:b878afb67d3aa57413071321cc293cd67ab064fc1d6b3747b8702aef2351327d",
    "zh:c546747894fd1ca8108c00bfed8888d0f2cbd60e4bdc2122b1652fb4f0f8b9d4",
    "zh:cd6cc39872ed1439897e3f63d4251f31e5758b303ff8f471aac3dff32fb53e54",
    "zh:d149c68271db77344b278e7e6c40db5dcf35a83642a60d588fbe72822bb40977",
    "zh:fe29e024658c6ae9306c0847469508e835f86c961c998efc298aa1a5b928f72c",
  ]
 }
 provider "registry.terraform.io/pan-net/powerdns" {
  version = "1.5.0"
  hashes = [
    "h1:bsz18KLloevlTZkXwZr8u0sFCZKcOYyts2RaWkV6YNc=",
    "zh:02d1a87c28635779f66d1dcf165b5f16530f809deb6c71c35c3e58d715a88bf4",
    "zh:1285a419c7fd2947f891771bd77d2f6e7dd0cb00621c547b6993947085616009",
    "zh:340faecd0a0036e721480564acbad2ba0da6a9c0c0cd633957dcde76a4ba3798",
    "zh:5646f78d9980038c4ae70e09828da01c7cc6ba2b3b1e9ea8a1988efafaba1b75",
    "zh:66fef65aede775d9972be163a2bd25d8fda5a8ad2235ceef30d515bf35e2e5d4",
    "zh:7130faa5dd892b1d41b9b3ebd1b2d7854bf780193073de58806e088311bb554c",
    "zh:9f47b66ce7f4b23d25c4a726ffc5e504f797f247912cfa5dff23b3da0ba18982",
    "zh:ada63a886bc5d7980eeb22b59b166713617847626627007d2e8429eeb4346327",
    "zh:c853237b7831942d3d0f0f7a7a334e8f9df8a12f217c5680a76db256e368230d",
    "zh:d2e8827d9d8662a892dbd1df6155823c8167db6f6762f38885037c7da87612b1",
    "zh:d6e1069bb9d9f368e5d55a8bdf55de23636a586d698515f0075733499d6b9ccc",
    "zh:dd224d521af2f72bfdc3498c5ccd54b09844cfaa347b3008f61faad465cc9769",
    "zh:e02960d79ccfeeaea64c07aa1ad88cdd3688f49b670c9b607ea188283cd519d6",
  ]
 }
 provider "registry.terraform.io/timohirt/hetznerdns" {
  version = "2.2.0"
  hashes = [
    "h1:HyskQAglrOueur79gSCBgx9MNDOs0tz39aNYQiFgxz8=",
    "zh:5bb0ab9f62be3ed92070235e507f3c290491d51391ef4edcc70df53b65a83019",
    "zh:5ccdfac7284f5515ac3cff748336b77f21c64760e429e811a1eeefa8ebb86e12",
    "zh:687c35665139ae37c291e99085be2e38071f6b355c4e1e8957c5a6a3bcdf9caf",
    "zh:6de27f0d0d1513b3a4b7e81923b4a8506c52759bd466e2b4f8156997b0478931",
    "zh:85770a9199a4c2d16ca41538d7a0f7a7bfc060678104a1faac19213e6f0a800c",
    "zh:a5ff723774a9ccfb27d5766c5e6713537f74dd94496048c89c5d64dba597e59e",
    "zh:bf9ab76fd37cb8aebb6868d73cbe8c08cee36fc25224cc1ef5949efa3c34b06c",
    "zh:db998fe3bdcd4902e99fa470bb3f355883170cf4c711c8da0b5f1f4510f1be41",
  ]
 }
--- a/terraform/dns/CnameReverse.tf
+++ b/terraform/dns/CnameReverse.tf
@ -0,0 +1,17 @@
 resource "powerdns_record" "Cname" {
  for_each = toset(var.cnameList)
    zone    = powerdns_zone.ducampseu.name
    name    = "${each.key}.${powerdns_zone.ducampseu.name}"
    type    = "CNAME"
    ttl     = 1700
    records = [var.localEndpoint]
 }
 resource "hetznerdns_record" "Cname" {
  for_each = var.enableHetzner ? toset(var.cnameList) : []
  zone_id = hetznerdns_zone.externalZoneEU[0].id
  name    = each.key
  value   = var.cloudEndpoint
  type    = "A"
 }
--- a/terraform/dns/main.tf
+++ b/terraform/dns/main.tf
@ -0,0 +1,25 @@
 terraform {
  backend "consul" {
    path  = "terraform/dns"
  }
  required_providers {
    powerdns = {
      source = "pan-net/powerdns"
    }   
    hetznerdns = {
      source="timohirt/hetznerdns"
    }
  }
 }
 provider vault {
 }
 provider "powerdns" {
  api_key    = var.powerDnsApiKey
  server_url = var.powerDnsURL
 }
 provider "hetznerdns" {
    apitoken = var.hetznerApiKey
 }
--- a/terraform/dns/makefile
+++ b/terraform/dns/makefile
@ -0,0 +1,12 @@
 setenv:
 	export TF_VAR_hetznerApiKey=`vault kv get -field=hdns_token secrets/hetzner`
 	export TF_VAR_powerDnsApiKey=`vault kv get -field=API_KEY secrets/nomad/pdns`
 apply: setenv
 	terraform apply
 plan: setenv
 	export
 	terraform plan
--- a/terraform/dns/records.tf
+++ b/terraform/dns/records.tf
@ -0,0 +1,115 @@
 resource "hetznerdns_record" "MX1Eu" {
    count = var.enableHetzner ? 1 : 0
    zone_id = hetznerdns_zone.externalZoneEU[0].id
    name    = "@"
    value   = "20 mail"
    type    = "MX"
 }
 resource "hetznerdns_record" "spfEu" {
  count = var.enableHetzner ? 1 : 0
  zone_id = hetznerdns_zone.externalZoneEU[0].id
  name    = "@"
  value   = "\"v=spf1 ip4:${var.cloudEndpoint} ~all\""
  type    = "TXT"
 }
 resource "hetznerdns_record" "dkimRecordEu" {
  count = var.enableHetzner ? 1 : 0
  zone_id = hetznerdns_zone.externalZoneEU[0].id
  name    = "mail._domainkey"
  value   = "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0GadPljh+zM+Hf8MAf2wyj+h9p72aBFeFaiDhnswxO68fM9Uk6XhN4s1BkHLY5AWQh0SP1JDBaFWDfJiOV/27E3qJIa4KDHPZcgxgvo+SbfgNZq5qGIhKyqAAtyg/dI8IMKVOZ5Cevdv9VFrSF84xnTmDBCrWydPyV8D5+xA/bVna/AVCAVUeXVppyMPpC0s1HpRNJ0YaY23RH1KwChxvZY+BkanELSzTA8K0ATbIzwgQaK10/lc1S6EFvaSNG8sy6EIoondl6t+uiqU3bHgAW68r8snzl2gclG+uMkjXkH7YGPJzL9Co1o1MlKOHIONz89CCe0puIH4qaCo1G6EDwIDAQAB\""
  type    = "TXT"
 }
 resource "hetznerdns_record" "dmarcEU" {
  count = var.enableHetzner ? 1 : 0
  zone_id = hetznerdns_zone.externalZoneEU[0].id
  name = "_dmarc"
  value = "\"v=DMARC1; p=none; rua=mailto:vincent@ducamps.eu; ruf=mailto:vincent@ducamps.eu; sp=none; ri=86400\""
  type  = "TXT"
 }
 resource "hetznerdns_record" "imapsAutodiscoverEU" {
  count = var.enableHetzner ? 1 : 0
  zone_id = hetznerdns_zone.externalZoneEU[0].id
  name = "_imaps._tcp"
  value = "0 0 993 mail.ducamps.eu"
  type  = "SRV"
 }
 resource "hetznerdns_record" "submissionAutodiscoverEU" {
  count = var.enableHetzner ? 1 : 0
  zone_id = hetznerdns_zone.externalZoneEU[0].id
  name = "_submission._tcp"
  value = "0 0 465 mail.ducamps.eu"
  type  = "SRV"
 }
 resource "hetznerdns_record" "caldavs" {
    count = var.enableHetzner ? 1 : 0
    zone_id = hetznerdns_zone.externalZoneEU[0].id
    name = "_caldavs_tcp"
    value = "10 20 443 www.ducamps.eu"
    type  = "SRV"
 }
 resource "hetznerdns_record" "carddavs" {
      count = var.enableHetzner ? 1 : 0
      zone_id = hetznerdns_zone.externalZoneEU[0].id
      name = "_carddavs_tcp"
      value = "10 20 443 www.ducamps.eu"
      type  = "SRV"
 }
 resource "hetznerdns_record" "NSEU" {
    count = var.enableHetzner ? 1 : 0
    zone_id = hetznerdns_zone.externalZoneEU[0].id
    name    = "@"
    value   = "hydrogen.ns.hetzner.com."
    type    = "NS"
 }
 resource "hetznerdns_record" "rootalias" {
  count = var.enableHetzner ? 1 : 0
  zone_id = hetznerdns_zone.externalZoneEU[0].id
  name    = "@"
  value   = var.cloudEndpoint
  type    = "A"
 }
 resource "powerdns_record" "mail" {
  zone= powerdns_zone.ducampseu.name
  type= "MX"
  name= "mail.${powerdns_zone.ducampseu.name}"
  ttl= 1700
  records = ["10 ${var.localEndpoint}"]
 }
 resource "powerdns_record" "merlin" {
    zone= powerdns_zone.ducampseu.name
    type= "A"
    name= "merlin.lan.${powerdns_zone.ducampseu.name}"
    ttl= 1700
    records = ["10.0.0.4"]
 }
 resource "powerdns_record" "corwin" {
    zone= powerdns_zone.ducampseu.name
    type= "A"
    name= "corwin.lan.${powerdns_zone.ducampseu.name}"
    ttl= 1700
    records = ["10.0.0.1"]
 }
 resource "powerdns_record" "gerard" {
    zone= powerdns_zone.ducampseu.name
    type= "A"
    name= "gerard.lan.${powerdns_zone.ducampseu.name}"
    ttl= 1700
    records = ["192.168.1.41"]
 }
 resource "powerdns_record" "diskstation" {
      zone= powerdns_zone.ducampseu.name
      type= "A"
      name= "diskstation.lan.${powerdns_zone.ducampseu.name}"
      ttl= 1700
      records = ["192.168.1.10"]
 }
--- a/terraform/dns/variable.tf
+++ b/terraform/dns/variable.tf
@ -0,0 +1,47 @@
 variable powerDnsApiKey {
  type= string
  sensitive= true
 }
 variable hetznerApiKey {
  type= string
  sensitive= true
 }
 variable enableHetzner {
 type= bool
 default = true
 }
 variable powerDnsURL {
  type=string
  default="http://192.168.1.5:8081"
 }
 variable cnameList{
  type=list
  default= [
    "arch",
    "dashboard",
    "drone",
    "file",
    "ghostfolio",
    "git",
    "grafana",
    "hass",
    "jellyfin",
    "jellyfin-vue",
    "paperless-ng",
    "supysonic",
    "syno",
    "torrent",
    "vault",
    "vikunja",
    "www"
  ]
 }
 variable localEndpoint{
  type= string
  default= "traefik-local.service.consul."
 }
 variable cloudEndpoint{
  type= string
  default= "135.181.150.203"
 }
--- a/terraform/dns/zone.tf
+++ b/terraform/dns/zone.tf
@ -0,0 +1,20 @@
 resource "powerdns_zone" "ducampseu" {
  name        = "ducamps.eu."
  kind        = "Native"
 }
 resource "powerdns_zone" "landucampseu" {
  name        = "lan.ducamps.eu."
  kind        = "Native"
 }
 resource "powerdns_zone" "reversezone" {
  name        = "1.168.192.in-addr.arpa."
  kind        = "Native"
 }
 resource "hetznerdns_zone" "externalZoneEU" {
    count = var.enableHetzner ? 1 : 0
    name = "ducamps.eu"
    ttl  = 1700
 }
--- a/terraform/exportTFsecret.sh
+++ b/terraform/exportTFsecret.sh
@ -0,0 +1,3 @@
 	export TF_VAR_hetznerApiKey=`vault kv get -field=hdns_token secrets/hetzner`
 	export TF_VAR_powerDnsApiKey=`vault kv get -field=API_KEY secrets/nomad/pdns`
  export TF_VAR_hcloud_token=`vault kv get -field=hcloud_token secrets/hetzner`
--- a/terraform/vault/.terraform.lock.hcl
+++ b/terraform/vault/.terraform.lock.hcl
--- a/terraform/vault/drone-vault.tf
+++ b/terraform/vault/drone-vault.tf
--- a/terraform/vault/ldap.tf
+++ b/terraform/vault/ldap.tf
--- a/terraform/vault/main.tf
+++ b/terraform/vault/main.tf
--- a/terraform/vault/migrateBackend.hcl
+++ b/terraform/vault/migrateBackend.hcl
--- a/terraform/vault/nomad.tf
+++ b/terraform/vault/nomad.tf
@ -22,7 +22,9 @@ locals {
    "vikunja",
    "ghostfolio",
    "alertmanager",
-    "vault-backup"
+    "vault-backup",
    "pdns",
    "torrent"
  ]
 }
--- a/terraform/vault/policy.tf
+++ b/terraform/vault/policy.tf
--- a/terraform/vault/standalone_vault.sh
+++ b/terraform/vault/standalone_vault.sh
--- a/terraform/vault/variable.tf
+++ b/terraform/vault/variable.tf
--- a/terraform/vault/vault-snapshot.tf
+++ b/terraform/vault/vault-snapshot.tf