fix(mail-gateway): wire Brevo verified sender and DNS role 409 idempotency (#18)

- Add BREVO_FROM_EMAIL / BREVO_FROM_NAME env vars so the gateway uses a
  verified Brevo sender address instead of the per-profile address (which
  is not registered in Brevo). Profile sender_email becomes Reply-To so
  replies still land in the correct mailbox.
- Default mail_platform_brevo_sender_email to server@lv3.org (verified).
- Inject BREVO_FROM_EMAIL and BREVO_FROM_NAME in both env templates
  (mail-gateway.env.j2 and mail-gateway.env.ctmpl.j2).
- hetzner_dns_records: treat HTTP 409 Conflict as "record already exists"
  (no change needed) rather than a hard failure. Prevents converge aborts
  when DNS records are already present in the zone.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: baditaflorin

collections/ansible_collections/lv3/platform/roles/hetzner_dns_records/tasks/record.yml

@@ -128,6 +128,7 @@
     status_code:
       - 200
       - 201
+      - 409
       - 429
       - 500
       - 502
@@ -140,9 +141,10 @@
     - dns_provider_boundary_matching_records | length == 0
   retries: 5
   delay: 2
-  until: hetzner_dns_record_create_response.status in [200, 201]
-  failed_when: hetzner_dns_record_create_response.status not in [200, 201]
-  changed_when: true
+  until: hetzner_dns_record_create_response.status in [200, 201, 409]
+  failed_when: hetzner_dns_record_create_response.status not in [200, 201, 409]
+  # 409 = record already exists at provider; treat as no change needed
+  changed_when: hetzner_dns_record_create_response.status in [200, 201]
   no_log: true
 
 # Update path on the new Hetzner Console API:

collections/ansible_collections/lv3/platform/roles/mail_platform_runtime/defaults/main.yml

@@ -59,8 +59,8 @@ mail_platform_metrics_password_local_file: "{{ repo_shared_local_root }}/mail-pl
 mail_platform_gateway_api_key_local_file: "{{ repo_shared_local_root }}/mail-platform/gateway-api-key.txt"
 mail_platform_brevo_api_key_local_file: "{{ repo_shared_local_root }}/mail-platform/brevo-api-key.txt"
 mail_platform_brevo_api_url: https://api.brevo.com/v3/smtp/email
-mail_platform_brevo_sender_email: operator@example.com
-mail_platform_brevo_sender_name: Florin Mail Bridge
+mail_platform_brevo_sender_email: server@lv3.org
+mail_platform_brevo_sender_name: LV3 Platform
 mail_platform_reply_to_email: "{{ mail_platform_mailbox_address }}"
 mail_platform_gateway_bind_port: "{{ mail_platform_gateway_port }}"
 mail_platform_gateway_force_brevo_fallback: false

collections/ansible_collections/lv3/platform/roles/mail_platform_runtime/files/mail-gateway/app.py

@@ -26,6 +26,10 @@ def env_bool(name: str, default: bool) -> bool:
 PROFILES_FILE = Path(os.getenv("NOTIFICATION_PROFILES_FILE", "/config/notification-profiles.json"))
 BREVO_API_KEY = os.environ["BREVO_API_KEY"]
 BREVO_API_URL = os.getenv("BREVO_API_URL", "https://api.brevo.com/v3/smtp/email")
+# BREVO_FROM_EMAIL overrides the per-profile sender for Brevo sends.
+# Set this to a verified Brevo sender address; falls back to DEFAULT_FROM_EMAIL.
+BREVO_FROM_EMAIL = os.getenv("BREVO_FROM_EMAIL")
+BREVO_FROM_NAME = os.getenv("BREVO_FROM_NAME")
 DEFAULT_FROM_EMAIL = os.environ["DEFAULT_FROM_EMAIL"]
 DEFAULT_FROM_NAME = os.getenv("DEFAULT_FROM_NAME", "LV3 Mail Gateway")
 DEFAULT_REPLY_TO_EMAIL = os.getenv("DEFAULT_REPLY_TO_EMAIL")
@@ -387,10 +391,15 @@ def send_via_local_smtp(payload: SendRequest, profile: dict[str, Any]) -> None:
 
 
 async def send_via_brevo(payload: SendRequest, profile: dict[str, Any]) -> dict[str, Any]:
+    # When BREVO_FROM_EMAIL is set, use it as the Brevo sender (it must be a
+    # verified Brevo sender address).  The profile's sender_email becomes the
+    # Reply-To so replies still land in the right mailbox.
+    brevo_from_email = BREVO_FROM_EMAIL or profile["sender_email"] or DEFAULT_FROM_EMAIL
+    brevo_from_name = BREVO_FROM_NAME or profile["sender_name"] or DEFAULT_FROM_NAME
     body: dict[str, Any] = {
         "sender": {
-            "name": profile["sender_name"] or DEFAULT_FROM_NAME,
-            "email": profile["sender_email"] or DEFAULT_FROM_EMAIL,
+            "name": brevo_from_name,
+            "email": brevo_from_email,
         },
         "to": [{"email": address} for address in payload.to],
         "subject": payload.subject,
@@ -399,7 +408,9 @@ async def send_via_brevo(payload: SendRequest, profile: dict[str, Any]) -> dict[
         body["textContent"] = payload.text
     if payload.html:
         body["htmlContent"] = payload.html
-    reply_to = profile["reply_to"] or DEFAULT_REPLY_TO_EMAIL
+    # Use profile reply_to, or fall back to profile sender_email so replies
+    # reach the intended mailbox even when the From is the Brevo relay address.
+    reply_to = profile["reply_to"] or profile["sender_email"] or DEFAULT_REPLY_TO_EMAIL
     if reply_to:
         body["replyTo"] = {"email": reply_to}
 

collections/ansible_collections/lv3/platform/roles/mail_platform_runtime/templates/mail-gateway.env.ctmpl.j2

@@ -1,5 +1,7 @@
 BREVO_API_KEY=[[ with secret "kv/data/{{ mail_platform_openbao_secret_path }}" ]][[ .Data.data.brevo_api_key ]][[ end ]]
 BREVO_API_URL={{ mail_platform_brevo_api_url }}
+BREVO_FROM_EMAIL={{ mail_platform_brevo_sender_email }}
+BREVO_FROM_NAME={{ mail_platform_brevo_sender_name }}
 DEFAULT_FROM_EMAIL={{ mail_platform_brevo_sender_email }}
 DEFAULT_FROM_NAME={{ mail_platform_brevo_sender_name }}
 DEFAULT_REPLY_TO_EMAIL={{ mail_platform_reply_to_email }}

collections/ansible_collections/lv3/platform/roles/mail_platform_runtime/templates/mail-gateway.env.j2

@@ -1,5 +1,7 @@
 BREVO_API_KEY={{ lookup('file', mail_platform_brevo_api_key_local_file) | trim }}
 BREVO_API_URL={{ mail_platform_brevo_api_url }}
+BREVO_FROM_EMAIL={{ mail_platform_brevo_sender_email }}
+BREVO_FROM_NAME={{ mail_platform_brevo_sender_name }}
 DEFAULT_FROM_EMAIL={{ mail_platform_brevo_sender_email }}
 DEFAULT_FROM_NAME={{ mail_platform_brevo_sender_name }}
 DEFAULT_REPLY_TO_EMAIL={{ mail_platform_reply_to_email }}