From 817f75bb49ad868b1f9337a2c874decbc01340e5 Mon Sep 17 00:00:00 2001
From: Felix Nehrke
Date: Tue, 4 Mar 2025 23:15:42 +0100
Subject: [PATCH] Refactor DNS-config to make it easier to maintain
---
 main.tf => _provider.tf | 0
 dns.tf | 97 ++++++++++++++++++++++-------------
 dns/main.tf | 4 +-
 dns/variables.tf | 2 +-
 variables.tf | 12 ++--
 5 files changed, 62 insertions(+), 53 deletions(-)
 rename main.tf => _provider.tf (100%)
diff --git a/main.tf b/_provider.tf
similarity index 100%
rename from main.tf
rename to _provider.tf
diff --git a/dns.tf b/dns.tf
index 24b4522..8974193 100644
--- a/dns.tf
+++ b/dns.tf
@@ -1,79 +1,88 @@ -locals { - // gmail had a different dns-setting in the past, - // but they claim it's still totally valid for old installations - // they even guarantee to keep it valid in future - // see: https://support.google.com/a/answer/174125?hl=en#zippy=%2Cgoogle-workspace-legacy-version-before - dns_gmail_until_april_2023 = [ - { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "1 aspmx.l.google.com." }, - { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "5 alt1.aspmx.l.google.com." }, - { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "5 alt2.aspmx.l.google.com." }, - { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "10 alt3.aspmx.l.google.com." }, - { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "10 alt1.aspmx.l.google.com." }, - { name = "@", ttl = var.gmail_dns_default_ttl, type = "TXT", value = "v=spf1 include:_spf.google.com a mx ~all" }, - ] - dns_gmail_starting_april_2023 = [ - { name = "@", ttl = var.gmail_dns_default_ttl, type = "MX", value = "1 smtp.google.com." 
}, - { name = "@", ttl = var.gmail_dns_default_ttl, type = "TXT", value = "v=spf1 include:_spf.google.com a mx ~all" }, - ] - dns_website_default = [ - { name = "@", ttl = 900, type = "A", value = "62.138.6.205" }, - { name = "*", ttl = 900, type = "A", value = "62.138.6.205" }, - ] -} - module "dns_goperte_de" { source = "./dns" zone = "goperte.de" - records = local.dns_website_default + zone_ttl = 900 + records = [ + { name = "@", type = "A", value = "62.138.6.205" }, + { name = "*", type = "A", value = "62.138.6.205" }, + ] } module "dns_nehrke_info" { source = "./dns" zone = "nehrke.info" - records = concat( - local.dns_website_default, - [ - { name = "_dmarc", ttl = var.gmail_dns_default_ttl, type = "TXT", value = "v=DMARC1; p=none;" }, - { name = "google._domainkey", ttl = var.gmail_dns_default_ttl, type = "TXT", value = var.google_dkim["nehrke.info"] } - ], - local.dns_gmail_until_april_2023, - ) + zone_ttl = 3600 + records = [ + { name = "@", ttl = 900, type = "A", value = "62.138.6.205" }, + { name = "*", ttl = 900, type = "A", value = "62.138.6.205" }, + # TODO: update smtp-config, see https://support.google.com/a/answer/174125?hl=en#zippy=%2Cgoogle-workspace-legacy-version-before + { name = "@", type = "MX", value = "1 aspmx.l.google.com." }, + { name = "@", type = "MX", value = "5 alt1.aspmx.l.google.com." }, + { name = "@", type = "MX", value = "5 alt2.aspmx.l.google.com." }, + { name = "@", type = "MX", value = "10 alt3.aspmx.l.google.com." }, + { name = "@", type = "MX", value = "10 alt1.aspmx.l.google.com." 
}, + { name = "@", type = "TXT", value = "v=spf1 include:_spf.google.com a mx ~all" }, + { name = "_dmarc", type = "TXT", value = "v=DMARC1; p=none;" }, + { name = "google._domainkey", type = "TXT", value = var.nehrke_info_dkim }, + ] } module "dns_sozpaedil_net" { source = "./dns" zone = "sozpaedil.net" - records = concat( - local.dns_website_default, - [ - { name = "_dmarc", ttl = var.gmail_dns_default_ttl, type = "TXT", value = "v=DMARC1; p=none;" }, - { name = "google._domainkey", ttl = var.gmail_dns_default_ttl, type = "TXT", value = var.google_dkim["sozpaedil.net"] } - ], - local.dns_gmail_until_april_2023, - ) + zone_ttl = 3600 + records = [ + { name = "@", ttl = 900, type = "A", value = "62.138.6.205" }, + { name = "*", ttl = 900, type = "A", value = "62.138.6.205" }, + # TODO: update smtp-config, see https://support.google.com/a/answer/174125?hl=en#zippy=%2Cgoogle-workspace-legacy-version-before + { name = "@", type = "MX", value = "1 aspmx.l.google.com." }, + { name = "@", type = "MX", value = "5 alt1.aspmx.l.google.com." }, + { name = "@", type = "MX", value = "5 alt2.aspmx.l.google.com." }, + { name = "@", type = "MX", value = "10 alt3.aspmx.l.google.com." }, + { name = "@", type = "MX", value = "10 alt1.aspmx.l.google.com." 
}, + { name = "@", type = "TXT", value = "v=spf1 include:_spf.google.com a mx ~all" }, + { name = "_dmarc", type = "TXT", value = "v=DMARC1; p=none;" }, + { name = "google._domainkey", type = "TXT", value = var.sozpaedil_net_dkim }, + ] } module "dns_tovot_de" { source = "./dns" zone = "tovot.de" - records = local.dns_website_default + zone_ttl = 900 + records = [ + { name = "@", type = "A", value = "62.138.6.205" }, + { name = "*", type = "A", value = "62.138.6.205" }, + ] } module "dns_tovot_net" { source = "./dns" zone = "tovot.net" - records = local.dns_website_default + zone_ttl = 900 + records = [ + { name = "@", type = "A", value = "62.138.6.205" }, + { name = "*", type = "A", value = "62.138.6.205" }, + ] } module "dns_tovot_org" { source = "./dns" zone = "tovot.org" - records = local.dns_website_default + zone_ttl = 900 + records = [ + { name = "@", type = "A", value = "62.138.6.205" }, + { name = "*", type = "A", value = "62.138.6.205" }, + ] } module "dns_xn--alleingnger-r8a_de" { source = "./dns" zone = "xn--alleingnger-r8a.de" - records = local.dns_website_default + zone_ttl = 900 + records = [ + { name = "@", type = "A", value = "62.138.6.205" }, + { name = "*", type = "A", value = "62.138.6.205" }, + ] } diff --git a/dns/main.tf b/dns/main.tf index 6c49849..565f6c8 100644 --- a/dns/main.tf +++ b/dns/main.tf @@ -4,11 +4,11 @@ resource "hetznerdns_zone" "this" { } locals { - records = { + records = nonsensitive({ for record in var.records : "${record.type}#${record.name}#${md5(record.value)}" => { for key, value in record : key => value } - } + }) } resource "hetznerdns_record" "this" { diff --git a/dns/variables.tf b/dns/variables.tf index 2397198..4d3fffb 100644 --- a/dns/variables.tf +++ b/dns/variables.tf @@ -12,7 +12,7 @@ variable "records" { name = string value = string type = string - ttl = optional(number, 3600) + ttl = optional(number, null) })) default = [] } diff --git a/variables.tf b/variables.tf index 0c35df8..a6f2900 100644 
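Review bot: The DMARC records added for nehrke.info and sozpaedil.net, `{ name = "_dmarc", type = "TXT", value = "v=DMARC1; p=none;" }`, carry no `rua=` tag, so the monitoring-only policy yields no aggregate reports and there is nothing to base a later move to `p=quarantine` on; `v=DMARC1; p=none; rua=mailto:<REPORT-ADDRESS>` (placeholder address) would make the monitoring phase actually useful. The MX set copied into both zones lists `alt1.aspmx.l.google.com.` twice (priority 5 and 10) and never `alt4`; this looks like a typo carried over from the removed `dns_gmail_until_april_2023` local rather than something the commit introduced, but it is worth checking against the Google page the TODO links to. Inlining the identical A-record pair into all seven module blocks also means a web-host IP change now touches seven places, which runs against the commit's stated maintainability goal; a module-level default for the A records would keep the per-zone blocks flat without the repetition.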
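Review bot: `nonsensitive({ for record in var.records : ... })` unwraps every record value, so the `sensitive = true` placed on the DKIM variables in variables.tf is lifted again here and the values appear in plan output and state exactly as before. That is acceptable because a DKIM public key is public DNS data, but the reason for the blanket unwrap should be stated, e.g. `# for_each keys are derived from record.value, so the map cannot remain sensitive; every record here is public DNS data`. The flip side is that any genuinely secret value ever routed through `records` (a domain-verification token, for instance) would be printed by this wrap, so passing the DKIM inputs as plain strings and keeping `nonsensitive()` out of the module would be the cleaner shape. The `hetznerdns_record.this` resource that consumes this map starts at the end of the hunk and is not visible.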
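Review bot: `ttl = optional(number, null)` changes the default for records without a TTL from 3600 to `null`, and the dns.tf callers rely on the new `zone_ttl` input to fill that gap; the resource that reads `ttl` is not part of this patch, so confirm it coalesces, e.g. `ttl = coalesce(each.value.ttl, var.zone_ttl)`, otherwise the provider receives a null TTL and applies whatever default it chooses. A `validation` block on `records` restricting `type` to the RR types the zones actually use (A, MX, TXT here) would catch typos before they reach the provider. The `variable "records"` block starts before the hunk.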
--- a/variables.tf +++ b/variables.tf @@ -2,12 +2,12 @@ variable "hetzner_apitoken" { type = string } -variable "google_dkim" { - type = map(string) +variable "nehrke_info_dkim" { + type = string + sensitive = true } -variable "gmail_dns_default_ttl" { - type = number - default = 3600 +variable "sozpaedil_net_dkim" { + type = string + sensitive = true } -
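Review bot: `hetzner_apitoken`, the one genuinely secret input in this file, stays an unmarked `type = string` (its body is the hunk's leading context; the `variable` line itself is just above the hunk), while the two new DKIM variables receive `sensitive = true` although a DKIM public key is by construction published in public DNS. Adding `sensitive = true` to `variable "hetzner_apitoken"` keeps the token out of plan and error output; it is still written to state in plain text, so the state backend needs its own access controls regardless. For the DKIM values the flag mainly hides the TXT record from plan diffs and forces the `nonsensitive()` unwrap in dns/main.tf, so either dropping it or adding a one-line comment explaining why the public key is treated as sensitive would make the intent clearer to the next maintainer.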