From 931196836352cd7b3b4c286e6fd4e96bd8cac9c8 Mon Sep 17 00:00:00 2001 From: sjat Date: Sun, 14 Jun 2026 10:33:07 +0200 Subject: [PATCH] feat(public_dns): wingu.me record data + validation test Co-Authored-By: Claude Opus 4.8 (1M context) --- .../production/group_vars/all/public_dns.yml | 27 ++++++++++ tests/test_public_dns.py | 53 +++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 inventories/production/group_vars/all/public_dns.yml create mode 100644 tests/test_public_dns.py diff --git a/inventories/production/group_vars/all/public_dns.yml b/inventories/production/group_vars/all/public_dns.yml new file mode 100644 index 0000000..e03ea43 --- /dev/null +++ b/inventories/production/group_vars/all/public_dns.yml @@ -0,0 +1,27 @@ +--- +# Public DNS — wingu.me at Gandi LiveDNS, managed by the public_dns role (M1). +# Mesh/LAN-only by default: only deliberate public records live here. PAT in +# vault.gandi.pat. See docs/decisions/007-network.md and the M1 spec. +public_dns__domain: wingu.me + +# Present — anti-spoof baseline for a no-mail domain (overwrites Gandi's seeded mail set). +public_dns__records: + - {record: "@", type: MX, values: ["0 ."], ttl: 3600} + - {record: "@", type: TXT, values: ['"v=spf1 -all"'], ttl: 3600} + - {record: _dmarc, type: TXT, values: ['"v=DMARC1; p=reject;"'], ttl: 3600} + # Service records appear as public-tier needs arise (askari A in M4). + # Mesh/LAN-only services never appear here. + +# Absent — Gandi's auto-seeded defaults we don't want (purged once, idempotent thereafter). +public_dns__absent: + - {record: "@", type: A} # Gandi parking IP + - {record: www, type: CNAME} # Gandi web-redirect + - {record: webmail, type: CNAME} # Gandi webmail + - {record: gm1._domainkey, type: CNAME} # Gandi DKIM + - {record: gm2._domainkey, type: CNAME} + - {record: gm3._domainkey, type: CNAME} + - {record: _imap._tcp, type: SRV} # Gandi mail autodiscovery + - {record: _imaps._tcp, type: SRV} + - {record: _pop3._tcp, type: SRV} + - {record: _pop3s._tcp, type: SRV} + - {record: _submission._tcp, type: SRV} diff --git a/tests/test_public_dns.py b/tests/test_public_dns.py new file mode 100644 index 0000000..0d498af --- /dev/null +++ b/tests/test_public_dns.py @@ -0,0 +1,53 @@ +import pathlib + +import yaml + +_DATA = ( + pathlib.Path(__file__).resolve().parent.parent + / "inventories" / "production" / "group_vars" / "all" / "public_dns.yml" +) + +# Gandi auto-seeds these on a fresh .me zone; boma purges them (verified 2026-06-14). +GANDI_DEFAULTS_ABSENT = { + ("@", "A"), ("www", "CNAME"), ("webmail", "CNAME"), + ("gm1._domainkey", "CNAME"), ("gm2._domainkey", "CNAME"), ("gm3._domainkey", "CNAME"), + ("_imap._tcp", "SRV"), ("_imaps._tcp", "SRV"), ("_pop3._tcp", "SRV"), + ("_pop3s._tcp", "SRV"), ("_submission._tcp", "SRV"), +} + + +def _load(): + return yaml.safe_load(_DATA.read_text()) + + +def test_domain_is_wingu(): + assert _load()["public_dns__domain"] == "wingu.me" + + +def test_present_records_well_formed(): + for r in _load()["public_dns__records"]: + assert r["record"] and r["type"] + assert isinstance(r["values"], list) and r["values"] + + +def test_anti_spoof_baseline_present(): + recs = {(r["record"], r["type"]): r["values"] for r in _load()["public_dns__records"]} + assert recs[("@", "MX")] == ["0 ."] # null MX + assert recs[("@", "TXT")] == ['"v=spf1 -all"'] # SPF deny-all + assert recs[("_dmarc", "TXT")] == ['"v=DMARC1; p=reject;"'] + + +def test_gandi_defaults_marked_absent(): + absent = {(r["record"], r["type"]) for r in _load()["public_dns__absent"]} + assert GANDI_DEFAULTS_ABSENT <= absent + + +def test_no_record_both_present_and_absent(): + present = {(r["record"], r["type"]) for r in _load()["public_dns__records"]} + absent = {(r["record"], r["type"]) for r in _load()["public_dns__absent"]} + assert present.isdisjoint(absent) + + +def test_no_duplicate_present_records(): + keys = [(r["record"], r["type"]) for r in _load()["public_dns__records"]] + assert len(keys) == len(set(keys))