dns.tf
# -----------------------------------------------------------------------------
# Zone lookup and cross-workspace inputs
# -----------------------------------------------------------------------------

# Resolve the zone id from the zone name instead of hard-coding it.
data "cloudflare_zones" "mulatta_io" {
  name = "mulatta.io"
}

# Outputs of the Vultr workspace, read from its state file in R2 (S3-compatible).
# Reading remote state exposes *every* output of that workspace to this one, so
# keep the Vultr outputs free of secrets that this workspace does not need.
# The R2 credentials come from locals declared elsewhere — presumably fed from
# sensitive variables; verify they are not committed in plain text.
data "terraform_remote_state" "vultr" {
  backend = "s3"

  config = {
    bucket     = "dots-tfstate"
    key        = "vultr/terraform.tfstate"
    region     = "auto"
    access_key = local.r2_access_key_id
    secret_key = local.r2_secret_access_key

    # R2 is not AWS: these skips turn off the AWS-specific validation and
    # the checksum/STS calls the backend would otherwise perform.
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
    use_path_style              = true

    endpoints = {
      s3 = "https://${local.account_id}.r2.cloudflarestorage.com"
    }
  }
}

locals {
  base_domain = "mulatta.io"
  mail_domain = "mail.mulatta.io"

  # First (and only expected) zone matching the name above.
  zone_id = data.cloudflare_zones.mulatta_io.result[0].id

  # Public IPv4 of the Vultr host; every DNS-only A record below points here.
  taps_ip = data.terraform_remote_state.vultr.outputs.network_info.main_ip
}

# -----------------------------------------------------------------------------
# Service A records (DNS-only)
#
# All of these are `proxied = false`, so the origin IP is published in DNS and
# Cloudflare adds no WAF/rate limiting in front of them. Exposure control for
# these hosts therefore lives entirely on the host itself.
# -----------------------------------------------------------------------------

resource "cloudflare_dns_record" "atuin_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "atuin"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

# cache.mulatta.io - managed by cloudflare_r2_custom_domain in r2.tf

resource "cloudflare_dns_record" "cloud_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "cloud"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

resource "cloudflare_dns_record" "idm_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "idm"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

resource "cloudflare_dns_record" "immich_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "immich"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

resource "cloudflare_dns_record" "links_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "links"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

resource "cloudflare_dns_record" "n8n_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "n8n"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

resource "cloudflare_dns_record" "n8n_api_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "n8n-api"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

resource "cloudflare_dns_record" "niks3_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "niks3"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

resource "cloudflare_dns_record" "rad_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "rad"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

resource "cloudflare_dns_record" "vaultwarden_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "vaultwarden"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

# =============================================================================
# Mail DNS Records (migrated from cloudflare-dns.nix)
# =============================================================================

# Host behind the MX and the SPF `mx` mechanism. Must stay DNS-only: SMTP is
# not proxied by Cloudflare.
resource "cloudflare_dns_record" "mail_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "mail"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

# Host that serves the MTA-STS policy file over HTTPS.
resource "cloudflare_dns_record" "mta_sts_a" {
  type    = "A"
  zone_id = local.zone_id
  name    = "mta-sts"
  content = local.taps_ip
  proxied = false
  ttl     = 300
}

# MX record — all inbound mail for the apex goes to the mail host.
resource "cloudflare_dns_record" "mx" {
  type     = "MX"
  zone_id  = local.zone_id
  name     = "@"
  content  = local.mail_domain
  priority = 10
  ttl      = 300
}

# SPF record - allows mail server and AWS SES.
# `~all` is a softfail; receivers may still deliver mail from other sources
# and rely on DMARC below to act on it.
resource "cloudflare_dns_record" "spf" {
  type    = "TXT"
  zone_id = local.zone_id
  name    = "@"
  content = "v=spf1 include:amazonses.com mx ~all"
  ttl     = 300
}

# DMARC record — quarantine on failure, aggregate reports to dmarc@ the apex.
# NOTE(review): no DKIM records are declared in this file; confirm they are
# managed elsewhere, since DMARC alignment otherwise rests on SPF alone.
resource "cloudflare_dns_record" "dmarc" {
  type    = "TXT"
  zone_id = local.zone_id
  name    = "_dmarc"
  content = "v=DMARC1; p=quarantine; rua=mailto:dmarc@${local.base_domain}"
  ttl     = 300
}

# MTA-STS record. The `id` is what tells senders the policy changed: bump it
# whenever the policy file served from the mta-sts host is edited, otherwise
# senders keep using their cached copy.
resource "cloudflare_dns_record" "mta_sts_txt" {
  type    = "TXT"
  zone_id = local.zone_id
  name    = "_mta-sts"
  content = "v=STSv1; id=20250106"
  ttl     = 300
}

# TLS-RPT record — where senders report TLS/MTA-STS failures.
resource "cloudflare_dns_record" "tlsrpt" {
  type    = "TXT"
  zone_id = local.zone_id
  name    = "_smtp._tls"
  content = "v=TLSRPTv1; rua=mailto:tls-reports@${local.base_domain}"
  ttl     = 300
}

# Autodiscover (Outlook)
resource "cloudflare_dns_record" "autodiscover" {
  type    = "CNAME"
  zone_id = local.zone_id
  name    = "autodiscover"
  content = local.mail_domain
  proxied = false
  ttl     = 300
}

# Autoconfig (Thunderbird)
resource "cloudflare_dns_record" "autoconfig" {
  type    = "CNAME"
  zone_id = local.zone_id
  name    = "autoconfig"
  content = local.mail_domain
  proxied = false
  ttl     = 300
}

# CalDAV SRV record.
# `priority` is ignored after creation — presumably because the provider
# reflects data.priority into the top-level attribute and reports drift;
# a manual change to it will not be reverted by this config.
resource "cloudflare_dns_record" "caldav_srv" {
  type    = "SRV"
  zone_id = local.zone_id
  name    = "_caldavs._tcp"
  ttl     = 300

  data = {
    priority = 0
    weight   = 1
    port     = 443
    target   = local.mail_domain
  }

  lifecycle {
    ignore_changes = [priority]
  }
}

# CardDAV SRV record — same shape and same ignore_changes caveat as CalDAV.
resource "cloudflare_dns_record" "carddav_srv" {
  type    = "SRV"
  zone_id = local.zone_id
  name    = "_carddavs._tcp"
  ttl     = 300

  data = {
    priority = 0
    weight   = 1
    port     = 443
    target   = local.mail_domain
  }

  lifecycle {
    ignore_changes = [priority]
  }
}

# Non-sensitive summary for other workspaces (both values are already public
# in DNS).
output "mail_dns" {
  value = {
    mail_server = local.mail_domain
    ip          = local.taps_ip
  }
}