# public_dns

Manages boma's public DNS zone (**wingu.me**) at **Gandi LiveDNS** as code, via `community.general.gandi_livedns` (PAT auth from `vault.gandi.pat`). The role name is provider-agnostic on purpose.

Run from the control node: `make check PLAYBOOK=dns` (validate) or `make deploy PLAYBOOK=dns` (apply).

Mesh/LAN-only by default: only deliberate public records live in the zone (the anti-spoof baseline plus `askari.wingu.me` and the `*.askari` wildcard, applied in M4a). Everything else is reached over LAN/mesh and never appears here.

## Data (in `group_vars/all/public_dns.yml`)

| Var | Meaning |
|---|---|
| `public_dns__domain` | the zone (`wingu.me`) |
| `public_dns__records` | records to ensure **present** (`record`, `type`, `values`, optional `ttl`) |
| `public_dns__absent` | records to ensure **absent** (Gandi's auto-seeded defaults) |

## Behaviour knobs (`defaults/main.yml`)

| Var | Default | Meaning |
|---|---|---|
| `public_dns__apply` | `true` | set `false` to validate without calling the Gandi API (Molecule) |
| `public_dns__default_ttl` | `1800` | TTL when a record omits one |

## Notes

The zone is reconciled **additively** plus an explicit `absent` list: Gandi seeds 13 default records on a new `.me`; we purge the unwanted 11 and overwrite MX/SPF with the anti-spoof baseline. Records that exist in the zone but appear in neither list are left untouched, so a stray record added by hand in the Gandi UI survives a deploy until it is listed under `public_dns__absent`. Full-zone authoritative pruning is a future enhancement (TODO 8.3).
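The data shape and the present/absent reconciliation described above, as an added, self-contained example playbook that is not one of the role's own files. It inlines under `vars:` what would normally live in `group_vars/all/public_dns.yml`, and it assumes: the concrete anti-spoof values (null MX per RFC 7505, `v=spf1 -all`, DMARC `p=reject`), the placeholder address `192.0.2.10` (RFC 5737 documentation space) for the askari hosts, the names of the Gandi-seeded defaults, and a Gandi minimum TTL of 300. None of those specifics are taken from the repo.

```yaml
# Added example, not the role's own playbook or data file.
# Assumptions: record values, 192.0.2.10, the Gandi default names and the
# 300 s minimum TTL are illustrative, not copied from the repo.
- name: Reconcile the public DNS zone (present + explicit absent list)
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    public_dns__domain: wingu.me
    public_dns__apply: true          # -e public_dns__apply=false -> validate only
    public_dns__default_ttl: 1800
    public_dns__records:
      # anti-spoof baseline (assumed values): null MX, SPF hard fail, DMARC reject
      - { record: "@",      type: MX,  values: ["0 ."] }
      - { record: "@",      type: TXT, values: ["v=spf1 -all"] }
      - { record: "_dmarc", type: TXT, values: ["v=DMARC1; p=reject; adkim=s; aspf=s"] }
      # the only deliberate public hosts; 192.0.2.10 is a placeholder address
      - { record: askari,     type: A, values: ["192.0.2.10"], ttl: 300 }
      - { record: "*.askari", type: A, values: ["192.0.2.10"], ttl: 300 }
    public_dns__absent:
      # Gandi-seeded defaults to purge (names assumed for illustration)
      - { record: webmail, type: CNAME }
      - { record: imap,    type: CNAME }
      - { record: pop,     type: CNAME }
      - { record: smtp,    type: CNAME }
      - { record: blog,    type: CNAME }

  tasks:
    # Runs regardless of public_dns__apply, so Molecule can check the data
    # without a Gandi token. TTL floor of 300 is an assumed Gandi limit.
    - name: Validate record shape before touching the API
      ansible.builtin.assert:
        that:
          - item.record is string
          - item.type in ['A', 'AAAA', 'CNAME', 'MX', 'TXT', 'CAA', 'SRV']
          - item.values is sequence
          - (item.values | length) > 0
          - (item.ttl | default(public_dns__default_ttl) | int) >= 300
        quiet: true
      loop: "{{ public_dns__records }}"
      loop_control:
        label: "{{ item.type }} {{ item.record }}"

    # Additive: only the listed records are (re)written; MX/SPF collide with
    # Gandi's seeded ones by name+type and are therefore overwritten.
    - name: Ensure deliberate records are present
      community.general.gandi_livedns:
        personal_access_token: "{{ vault.gandi.pat }}"
        domain: "{{ public_dns__domain }}"
        record: "{{ item.record }}"
        type: "{{ item.type }}"
        values: "{{ item.values }}"
        ttl: "{{ item.ttl | default(public_dns__default_ttl) }}"
        state: present
      loop: "{{ public_dns__records }}"
      loop_control:
        label: "{{ item.type }} {{ item.record }}"
      when: public_dns__apply | bool

    # Explicit absent list: anything Gandi seeded that is not on it survives.
    - name: Ensure Gandi's auto-seeded defaults are absent
      community.general.gandi_livedns:
        personal_access_token: "{{ vault.gandi.pat }}"
        domain: "{{ public_dns__domain }}"
        record: "{{ item.record }}"
        type: "{{ item.type }}"
        state: absent
      loop: "{{ public_dns__absent }}"
      loop_control:
        label: "{{ item.type }} {{ item.record }}"
      when: public_dns__apply | bool
```

Running it with `-e public_dns__apply=false` exercises only the `assert` task: the two Gandi tasks are skipped before their arguments are templated, so `vault.gandi.pat` need not be defined, which is what lets the same data be linted under Molecule with no token present. The `loop_control.label` keeps the PAT-bearing argument dict out of the per-item output line.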