feat(public_dns): wingu.me record data + validation test
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
91ad629c02
commit
9311968363
2 changed files with 80 additions and 0 deletions
27
inventories/production/group_vars/all/public_dns.yml
Normal file
27
inventories/production/group_vars/all/public_dns.yml
Normal file
|
|
@ -0,0 +1,27 @@
|
||||||
|
---
|
||||||
|
# Public DNS — wingu.me at Gandi LiveDNS, managed by the public_dns role (M1).
|
||||||
|
# Mesh/LAN-only by default: only deliberate public records live here. PAT in
|
||||||
|
# vault.gandi.pat. See docs/decisions/007-network.md and the M1 spec.
|
||||||
|
public_dns__domain: wingu.me
|
||||||
|
|
||||||
|
# Present — anti-spoof baseline for a no-mail domain (overwrites Gandi's seeded mail set).
|
||||||
|
public_dns__records:
|
||||||
|
- {record: "@", type: MX, values: ["0 ."], ttl: 3600}
|
||||||
|
- {record: "@", type: TXT, values: ['"v=spf1 -all"'], ttl: 3600}
|
||||||
|
- {record: _dmarc, type: TXT, values: ['"v=DMARC1; p=reject;"'], ttl: 3600}
|
||||||
|
# Service records appear as public-tier needs arise (askari A in M4).
|
||||||
|
# Mesh/LAN-only services never appear here.
|
||||||
|
|
||||||
|
# Absent — Gandi's auto-seeded defaults we don't want (purged once, idempotent thereafter).
|
||||||
|
public_dns__absent:
|
||||||
|
- {record: "@", type: A} # Gandi parking IP
|
||||||
|
- {record: www, type: CNAME} # Gandi web-redirect
|
||||||
|
- {record: webmail, type: CNAME} # Gandi webmail
|
||||||
|
- {record: gm1._domainkey, type: CNAME} # Gandi DKIM
|
||||||
|
- {record: gm2._domainkey, type: CNAME}
|
||||||
|
- {record: gm3._domainkey, type: CNAME}
|
||||||
|
- {record: _imap._tcp, type: SRV} # Gandi mail autodiscovery
|
||||||
|
- {record: _imaps._tcp, type: SRV}
|
||||||
|
- {record: _pop3._tcp, type: SRV}
|
||||||
|
- {record: _pop3s._tcp, type: SRV}
|
||||||
|
- {record: _submission._tcp, type: SRV}
|
||||||
53
tests/test_public_dns.py
Normal file
53
tests/test_public_dns.py
Normal file
|
|
@ -0,0 +1,53 @@
|
||||||
|
import pathlib
|
||||||
|
|
||||||
|
import yaml
|
||||||
|
|
||||||
|
_DATA = (
|
||||||
|
pathlib.Path(__file__).resolve().parent.parent
|
||||||
|
/ "inventories" / "production" / "group_vars" / "all" / "public_dns.yml"
|
||||||
|
)
|
||||||
|
|
||||||
|
# Gandi auto-seeds these on a fresh .me zone; boma purges them (verified 2026-06-14).
|
||||||
|
GANDI_DEFAULTS_ABSENT = {
|
||||||
|
("@", "A"), ("www", "CNAME"), ("webmail", "CNAME"),
|
||||||
|
("gm1._domainkey", "CNAME"), ("gm2._domainkey", "CNAME"), ("gm3._domainkey", "CNAME"),
|
||||||
|
("_imap._tcp", "SRV"), ("_imaps._tcp", "SRV"), ("_pop3._tcp", "SRV"),
|
||||||
|
("_pop3s._tcp", "SRV"), ("_submission._tcp", "SRV"),
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
def _load():
|
||||||
|
return yaml.safe_load(_DATA.read_text())
|
||||||
|
|
||||||
|
|
||||||
|
def test_domain_is_wingu():
|
||||||
|
assert _load()["public_dns__domain"] == "wingu.me"
|
||||||
|
|
||||||
|
|
||||||
|
def test_present_records_well_formed():
|
||||||
|
for r in _load()["public_dns__records"]:
|
||||||
|
assert r["record"] and r["type"]
|
||||||
|
assert isinstance(r["values"], list) and r["values"]
|
||||||
|
|
||||||
|
|
||||||
|
def test_anti_spoof_baseline_present():
|
||||||
|
recs = {(r["record"], r["type"]): r["values"] for r in _load()["public_dns__records"]}
|
||||||
|
assert recs[("@", "MX")] == ["0 ."] # null MX
|
||||||
|
assert recs[("@", "TXT")] == ['"v=spf1 -all"'] # SPF deny-all
|
||||||
|
assert recs[("_dmarc", "TXT")] == ['"v=DMARC1; p=reject;"']
|
||||||
|
|
||||||
|
|
||||||
|
def test_gandi_defaults_marked_absent():
|
||||||
|
absent = {(r["record"], r["type"]) for r in _load()["public_dns__absent"]}
|
||||||
|
assert GANDI_DEFAULTS_ABSENT <= absent
|
||||||
|
|
||||||
|
|
||||||
|
def test_no_record_both_present_and_absent():
|
||||||
|
present = {(r["record"], r["type"]) for r in _load()["public_dns__records"]}
|
||||||
|
absent = {(r["record"], r["type"]) for r in _load()["public_dns__absent"]}
|
||||||
|
assert present.isdisjoint(absent)
|
||||||
|
|
||||||
|
|
||||||
|
def test_no_duplicate_present_records():
|
||||||
|
keys = [(r["record"], r["type"]) for r in _load()["public_dns__records"]]
|
||||||
|
assert len(keys) == len(set(keys))
|
||||||
Loading…
Add table
Reference in a new issue