Deploy: Auto-DNS über offizielle Hetzner Cloud DNS API (ein Token)

Hetzner hat DNS in die Cloud-API integriert → der hcloud-Provider (>=1.64) bringt
hcloud_zone/hcloud_zone_rrset mit. germanbrew/hetznerdns (separate API + eigener
Token) entfernt. dns.tf legt mit manage_dns=true Apex (@) + Wildcard (*) als
A-Records auf die caddy_ip; Zone wird per Name nachgeschlagen. Plan verifiziert
(12 to add). Kein separater DNS-Token mehr nötig.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

deploy/terraform/cloud-init-app.yaml.tftpl

@@ -59,6 +59,8 @@ write_files:
       sleep 20
       if [ "$RUN_MIGRATIONS" = "true" ]; then
         $COMPOSE exec -T php php bin/console doctrine:migrations:migrate --no-interaction || true
+        # Erst-Befüllung (idempotent: überspringt, wenn admin@vcard4reseller.de existiert)
+        $COMPOSE exec -T php php bin/console app:seed || true
       fi
       $COMPOSE exec -T php php bin/console cache:clear || true
 runcmd:

deploy/terraform/dns.tf

@@ -1,32 +1,28 @@
-# Optional: DNS-Records über die Hetzner DNS API anlegen (manage_dns = true).
+# DNS über die Hetzner Cloud DNS API (manage_dns = true) — gleicher Cloud-Token,
-# Voraussetzung: Zone liegt bei Hetzner DNS, separater DNS-API-Token.
+# DNS ist inzwischen in die Cloud-API integriert. Die Zone muss bereits in
+# Hetzner DNS existieren (Lookup per Name).
 
-data "hetznerdns_zone" "zone" {
+data "hcloud_zone" "zone" {
   count = var.manage_dns ? 1 : 0
   name  = var.dns_zone_name
 }
 
-locals {
+# Portal-Domain (Apex "@" wenn domain == zone, sonst Subdomain-Teil) → Caddy
-  # Relativer Record-Name: "@" wenn Portal == Zone, sonst der Subdomain-Teil
+resource "hcloud_zone_rrset" "portal" {
-  portal_record_name = var.domain == var.dns_zone_name ? "@" : replace(var.domain, ".${var.dns_zone_name}", "")
-}
-
-# Portal-Domain → Caddy
-resource "hetznerdns_record" "portal" {
   count   = var.manage_dns ? 1 : 0
-  zone_id = data.hetznerdns_zone.zone[0].id
+  zone    = data.hcloud_zone.zone[0].id
-  name    = local.portal_record_name
+  name    = var.domain == var.dns_zone_name ? "@" : replace(var.domain, ".${var.dns_zone_name}", "")
   type    = "A"
-  value   = hcloud_server.caddy.ipv4_address
   ttl     = 300
+  records = [{ value = hcloud_server.caddy.ipv4_address }]
 }
 
 # Wildcard für Firmen-Subdomains (KONZEPT §11) → Caddy (On-Demand-TLS)
-resource "hetznerdns_record" "wildcard" {
+resource "hcloud_zone_rrset" "wildcard" {
   count   = var.manage_dns ? 1 : 0
-  zone_id = data.hetznerdns_zone.zone[0].id
+  zone    = data.hcloud_zone.zone[0].id
   name    = "*"
   type    = "A"
-  value   = hcloud_server.caddy.ipv4_address
   ttl     = 300
+  records = [{ value = hcloud_server.caddy.ipv4_address }]
 }

deploy/terraform/versions.tf

@@ -3,11 +3,7 @@ terraform {
   required_providers {
     hcloud = {
       source  = "hetznercloud/hcloud"
-      version = "~> 1.48"
+      version = "~> 1.64" # >= 1.64 für integriertes DNS (hcloud_zone_rrset)
-    }
-    hetznerdns = {
-      source  = "germanbrew/hetznerdns"
-      version = "~> 3.0"
     }
   }
 }
@@ -15,7 +11,3 @@ terraform {
 provider "hcloud" {
   token = var.hcloud_token
 }
-
-provider "hetznerdns" {
-  api_token = var.hetzner_dns_token
-}