# DNS Configuration

Required DNS records for the cryodev infrastructure.

## Primary Domain (cryodev.xyz)

### A/AAAA Records

| Hostname | Type | Value | Purpose |
|----------|------|-------|---------|
| `@` | A | `` | Main server |
| `@` | AAAA | `` | Main server (IPv6) |
| `www` | A | `` | www redirect |
| `www` | AAAA | `` | www redirect (IPv6) |
| `mail` | A | `` | Mail server |
| `mail` | AAAA | `` | Mail server (IPv6) |

### CNAME Records

| Hostname | Type | Value | Purpose |
|----------|------|-------|---------|
| `git` | CNAME | `@` | Forgejo |
| `headscale` | CNAME | `@` | Headscale |
| `headplane` | CNAME | `@` | Headplane |
| `netdata` | CNAME | `@` | Netdata Monitoring |

### Mail Records

| Hostname | Type | Value | Purpose |
|----------|------|-------|---------|
| `@` | MX | `10 mail.cryodev.xyz.` | Mail delivery |
| `@` | TXT | `"v=spf1 mx ~all"` | SPF |
| `_dmarc` | TXT | `"v=DMARC1; p=none"` | DMARC |
| `mail._domainkey` | TXT | *(see below)* | DKIM |

### Reverse DNS (PTR)

For reliable mail delivery, a **PTR record** must be configured at the hosting provider (not in the domain's DNS panel):

| IP | PTR Value |
|----|-----------|
| `` | `mail.cryodev.xyz` |
| `` | `mail.cryodev.xyz` |

#### Hetzner Robot (Dedicated Server)

1. [robot.hetzner.com](https://robot.hetzner.com) > **Server** > select the server
2. **IPs** tab
3. Click the **pencil icon** next to the IPv4 address
4. Enter `mail.cryodev.xyz` and save
5. For IPv6: under **Subnets**, do the same for the primary IPv6 address

#### Hetzner Cloud

1. [cloud.hetzner.com](https://cloud.hetzner.com) > select the server
2. **Networking** tab
3. Under "Primary IP", click the IP > **Reverse DNS**
4. Enter `mail.cryodev.xyz` (for both IPv4 and IPv6)

## Getting the DKIM Key

After deploying the mailserver, retrieve the DKIM public key:

```bash
sudo cat /var/dkim/cryodev.xyz.mail.txt
```

Add this as a TXT record for `mail._domainkey.cryodev.xyz`.
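The SPF, DMARC and PTR records above can be sanity-checked offline before they go live. The following is an added example script, not part of the cryodev repository: it takes DNS answers as plain Python values (the way `dig` prints them) and reports what a receiving mail server would object to. The IP address and the report mailbox in the sample calls are placeholders.

```python
# Offline sanity checks for the mail records listed above (added example).
# Each check returns a list of findings; an empty list means the record looks sound.

def _unquote(txt):
    # dig prints TXT data in double quotes; strip them before parsing
    return txt.strip().strip('"')

def check_spf(txt_records):
    spf = [_unquote(r) for r in txt_records if _unquote(r).startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    if not terms or not terms[-1].endswith("all"):
        return ["SPF should end with an 'all' mechanism (~all or -all)"]
    if terms[-1] in ("all", "+all"):
        return ["'+all' lets any host send mail as the domain"]
    return []

def check_dmarc(txt_records):
    dmarc = [_unquote(r) for r in txt_records if _unquote(r).startswith("v=DMARC1")]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    tags = {}
    for kv in dmarc[0].split(";"):          # "v=DMARC1; p=none; rua=..."
        if "=" in kv:
            key, value = kv.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("DMARC record needs a valid p= policy")
    elif tags["p"] == "none":
        findings.append("p=none only monitors; tighten once SPF and DKIM verify")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never delivered")
    return findings

def check_ptr(mx_host, mx_addresses, ptr_answers):
    # Forward-confirmed reverse DNS: each address of the MX host must reverse-
    # resolve to that hostname, or receiving servers may reject the mail.
    findings = []
    for ip in mx_addresses:
        ptr = ptr_answers.get(ip)
        if ptr != mx_host:
            findings.append(f"{ip}: PTR is {ptr!r}, expected {mx_host!r}")
    return findings

if __name__ == "__main__":
    # Constructed answers modelled on the records above; the IP is a placeholder.
    print(check_spf(['"v=spf1 mx ~all"']), check_dmarc(['"v=DMARC1; p=none"']))
    print(check_ptr("mail.cryodev.xyz", ["203.0.113.10"], {"203.0.113.10": "mail.cryodev.xyz"}))
```

Feed it the answer sections of the `dig` queries from the verification section once the records have propagated.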
## Complete Checklist

- [ ] A/AAAA for `@` (root domain)
- [ ] A/AAAA for `www`
- [ ] A/AAAA for `mail`
- [ ] CNAME for `git`, `headscale`, `headplane`, `netdata`
- [ ] MX record
- [ ] TXT for SPF (`v=spf1 mx ~all`)
- [ ] TXT for DMARC (`v=DMARC1; p=none`)
- [ ] TXT for DKIM (`mail._domainkey` -- after the first deploy)
- [ ] PTR record at the hosting provider (reverse DNS)

## Verification

### Check DNS Propagation

```bash
# A record
dig A cryodev.xyz

# MX record
dig MX cryodev.xyz

# SPF
dig TXT cryodev.xyz

# DKIM
dig TXT mail._domainkey.cryodev.xyz

# DMARC
dig TXT _dmarc.cryodev.xyz

# Reverse DNS
dig -x 
```

### Online Tools

- [MXToolbox](https://mxtoolbox.com/) - Comprehensive DNS/mail testing
- [Mail-tester](https://www.mail-tester.com/) - Email deliverability testing
- [DMARC Analyzer](https://dmarcanalyzer.com/) - DMARC record validation

## TTL Recommendations

For initial setup, use low TTLs (300 seconds) to allow quick changes. After verification, increase to:

- A/AAAA records: 3600 (1 hour)
- CNAME records: 3600 (1 hour)
- MX records: 3600 (1 hour)
- TXT records: 3600 (1 hour)

## Firewall Requirements

Ensure these ports are open on `cryodev-main`:

| Port | Protocol | Service |
|------|----------|---------|
| 2299 | TCP | SSH |
| 80 | TCP | HTTP (ACME/redirect) |
| 443 | TCP | HTTPS |
| 25 | TCP | SMTP |
| 465 | TCP | SMTPS |
| 587 | TCP | SMTP Submission |
| 993 | TCP | IMAPS |