cryodev/docs/deployment/dns.md
steffen a0da5be8fc translate all docs to English
Translate 8 documentation files from German to English:
- docs/index.md (complete)
- docs/getting-started/first-install.md (complete)
- docs/getting-started/new-client.md (complete)
- docs/getting-started/reinstall.md (complete)
- docs/getting-started/sd-image.md (complete)
- docs/deployment/dns.md (PTR, Hetzner, checklist sections)
- docs/services/tailscale.md (code comments)
- docs/services/forgejo.md (placeholder names)
2026-03-14 15:31:50 +01:00


# DNS Configuration
Required DNS records for the cryodev infrastructure.
## Primary Domain (cryodev.xyz)
### A/AAAA Records
| Hostname | Type | Value | Purpose |
|----------|------|-------|---------|
| `@` | A | `<SERVER_IP>` | Main server |
| `@` | AAAA | `<SERVER_IPV6>` | Main server (IPv6) |
| `www` | A | `<SERVER_IP>` | www redirect |
| `www` | AAAA | `<SERVER_IPV6>` | www redirect (IPv6) |
| `mail` | A | `<SERVER_IP>` | Mail server |
| `mail` | AAAA | `<SERVER_IPV6>` | Mail server (IPv6) |
### CNAME Records
| Hostname | Type | Value | Purpose |
|----------|------|-------|---------|
| `git` | CNAME | `@` | Forgejo |
| `headscale` | CNAME | `@` | Headscale |
| `headplane` | CNAME | `@` | Headplane |
| `netdata` | CNAME | `@` | Netdata Monitoring |
### Mail Records
| Hostname | Type | Value | Purpose |
|----------|------|-------|---------|
| `@` | MX | `10 mail.cryodev.xyz.` | Mail delivery |
| `@` | TXT | `"v=spf1 mx ~all"` | SPF |
| `_dmarc` | TXT | `"v=DMARC1; p=none"` | DMARC |
| `mail._domainkey` | TXT | *(see below)* | DKIM |
### Reverse DNS (PTR)
For reliable mail delivery, a **PTR record** must be configured at the hosting
provider (not in the domain's DNS panel):
| IP | PTR Value |
|----|-----------|
| `<SERVER_IP>` | `mail.cryodev.xyz` |
| `<SERVER_IPV6>` | `mail.cryodev.xyz` |
#### Hetzner Robot (Dedicated Server)
1. [robot.hetzner.com](https://robot.hetzner.com) > **Server** > Select the server
2. **IPs** tab
3. Click the **pencil icon** next to the IPv4 address
4. Enter `mail.cryodev.xyz` and save
5. For IPv6: Under **Subnets**, repeat the same for the primary IPv6 address
#### Hetzner Cloud
1. [cloud.hetzner.com](https://cloud.hetzner.com) > Select the server
2. **Networking** tab
3. Under "Primary IP", click the IP > **Reverse DNS**
4. Enter `mail.cryodev.xyz` (for both IPv4 and IPv6)
## Getting the DKIM Key
After deploying the mailserver, retrieve the DKIM public key:
```bash
sudo cat /var/dkim/cryodev.xyz.mail.txt
```
Add this as a TXT record for `mail._domainkey.cryodev.xyz`.
## Complete Checklist
- [ ] A/AAAA for `@` (root domain)
- [ ] A/AAAA for `www`
- [ ] A/AAAA for `mail`
- [ ] CNAME for `git`, `headscale`, `headplane`, `netdata`
- [ ] MX record
- [ ] TXT for SPF (`v=spf1 mx ~all`)
- [ ] TXT for DMARC (`v=DMARC1; p=none`)
- [ ] TXT for DKIM (`mail._domainkey` -- after first deployment)
- [ ] PTR record at hosting provider (reverse DNS)
## Verification
### Check DNS Propagation
```bash
# A record
dig A cryodev.xyz
# MX record
dig MX cryodev.xyz
# SPF
dig TXT cryodev.xyz
# DKIM
dig TXT mail._domainkey.cryodev.xyz
# DMARC
dig TXT _dmarc.cryodev.xyz
# Reverse DNS
dig -x <SERVER_IP>
```
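The `dig` commands above show the raw answers. The script below, added here as an example and not part of the cryodev docs, checks those answers against the record tables in this document and also joins the key file from "Getting the DKIM Key" into the single TXT value a DNS panel expects. It assumes `dig` is installed and that `/var/dkim/cryodev.xyz.mail.txt` is in the BIND zone-file format written by opendkim-genkey; the DKIM sample embedded in it is constructed, and `RUN_DNS_CHECKS`, `run_checks` and the helper function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the cryodev docs): sanity-check the mail records
# from the tables above and turn the DKIM key file into a pasteable TXT value.
# Assumptions: dig is installed; /var/dkim/<domain>.<selector>.txt is in the
# BIND zone-file format written by opendkim-genkey (parenthesised, multi-line
# TXT record followed by a "; ----- DKIM key ..." comment).

DOMAIN="${DOMAIN:-cryodev.xyz}"
SELECTOR="${SELECTOR:-mail}"

# All TXT strings for a name, one record per line, with the quoting removed.
# Long records come back as "part1" "part2"; the fragments are joined first so
# no stray space is inserted into the record.
txt_lookup() {
  dig +short TXT "$1" | sed 's/" "//g' | tr -d '"'
}

# SPF must start with v=spf1 and end with ~all (soft fail) or -all (hard fail).
# "+all", or no "all" mechanism at all, lets any host send as the domain.
check_spf() {
  case "$1" in
    *"+all"*) return 1 ;;
    "v=spf1 "*"~all" | "v=spf1 "*"-all") return 0 ;;
    *) return 1 ;;
  esac
}

# Print the DMARC policy (none, quarantine or reject); print nothing when the
# input is not a DMARC1 record. p=none only monitors: mail that fails
# SPF/DKIM alignment is still delivered.
dmarc_policy() {
  case "$1" in
    "v=DMARC1"*) ;;
    *) return 0 ;;
  esac
  printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1
}

# A DKIM TXT record is only usable with a non-empty public key in its p= tag.
check_dkim() {
  case "$1" in
    *"p="[A-Za-z0-9+/]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Convert the opendkim-genkey file into the one-line TXT value for the DNS
# panel: drop the trailing comment, the "name IN TXT (" prefix, the closing
# parenthesis and the quotes, then join the string fragments.
dkim_txt_from_bind() {
  printf '%s\n' "$1" \
    | sed -e 's/;[ ]*-----.*$//' \
          -e 's/^[^"]*TXT[[:space:]]*//' \
          -e 's/^(//' \
          -e 's/)[[:space:]]*$//' \
    | tr -d '\n"' \
    | sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//'
}

# Constructed sample in the opendkim-genkey format (not a real key).
SAMPLE_DKIM_FILE='mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
   "p=MIGfCONSTRUCTEDKEYMATERIAL0123456789" )  ; ----- DKIM key mail for cryodev.xyz'

# Query the live records for DOMAIN and report each check.
run_checks() {
  spf=$(txt_lookup "$DOMAIN" | grep '^v=spf1' | head -n 1)
  check_spf "$spf" && echo "SPF ok: $spf" || echo "SPF FAIL: '$spf'"

  dmarc=$(txt_lookup "_dmarc.$DOMAIN" | head -n 1)
  policy=$(dmarc_policy "$dmarc")
  [ -n "$policy" ] && echo "DMARC ok, policy=$policy" || echo "DMARC FAIL: '$dmarc'"

  dkim=$(txt_lookup "$SELECTOR._domainkey.$DOMAIN" | head -n 1)
  check_dkim "$dkim" && echo "DKIM ok" || echo "DKIM FAIL: '$dkim'"

  # Forward-confirmed reverse DNS: the PTR of each MX address must name the
  # MX host itself (dig returns both names with a trailing dot).
  mx=$(dig +short MX "$DOMAIN" | sort -n | head -n 1 | awk '{print $2}')
  for ip in $(dig +short A "$mx"; dig +short AAAA "$mx"); do
    ptr=$(dig +short -x "$ip")
    [ "$ptr" = "$mx" ] && echo "PTR ok: $ip -> $ptr" \
      || echo "PTR FAIL: $ip -> '$ptr' (expected $mx)"
  done
}

# Only touch the network when asked, so the helpers can be sourced elsewhere.
if [ "${RUN_DNS_CHECKS:-0}" = 1 ]; then
  run_checks
fi
```

Source the file to reuse the helpers, or run it with `RUN_DNS_CHECKS=1` to query the live records. It accepts `p=none` because that is what the DMARC table configures, but the printed policy makes it visible that the record is still in monitoring mode rather than quarantining or rejecting spoofed mail.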
### Online Tools
- [MXToolbox](https://mxtoolbox.com/) - Comprehensive DNS/mail testing
- [Mail-tester](https://www.mail-tester.com/) - Email deliverability testing
- [DMARC Analyzer](https://dmarcanalyzer.com/) - DMARC record validation
## TTL Recommendations
For initial setup, use low TTLs (300 seconds) to allow quick changes.
After verification, increase to:
- A/AAAA records: 3600 (1 hour)
- CNAME records: 3600 (1 hour)
- MX records: 3600 (1 hour)
- TXT records: 3600 (1 hour)
## Firewall Requirements
Ensure these ports are open on `cryodev-main`:
| Port | Protocol | Service |
|------|----------|---------|
| 2299 | TCP | SSH |
| 80 | TCP | HTTP (ACME/redirect) |
| 443 | TCP | HTTPS |
| 25 | TCP | SMTP |
| 465 | TCP | SMTPS |
| 587 | TCP | SMTP Submission |
| 993 | TCP | IMAPS |