boma/roles/public_dns/README.md
sjat 13ae674cc9 chore(kaizen): first /kaizen run — curate 12 friction signals
Dogfood of the new /kaizen command. 11 consumed, 1 kept open.
- SYSTEMATIZE → docs/testing/gotchas.md (apply:{tags} propagation, Molecule
  tag-isolation testing, API/templating render-only gap); CLAUDE.md
  (item['key'] loop convention, TF module required_providers); public_dns
  README (Gandi null-MX workaround).
- CHANGE → extend the Stop hook to also guard the brainstorming spec-review gate
  (verified: blocks the gate, passes meta-discussion).
- SYSTEMATIZE → make new-role scaffolds the access__/backup__ noqa reminder;
  ADR-004 documents the cross-role-naming convention.
- ALREADY-BUILT/ACCEPTED → exec-menu guard verified firing; ADR-023; ADR-024;
  subagent-faithfulness now embodied in the two-stage subagent review.
- KEEP-OPEN → a repo-scan.py check for ADRs that over-claim reconciliation.

Nudge: OVERDUE (13 signals) → ok (1). make lint + 16 friction-scan tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 21:46:23 +02:00


# public_dns

Manages boma's public DNS zone (wingu.me) at Gandi LiveDNS as code, via `community.general.gandi_livedns` (personal-access-token auth, read from `vault.gandi.pat`). The role name is provider-agnostic on purpose. Run from the control node: `make check/deploy PLAYBOOK=dns`.

Mesh/LAN-only by default: only deliberately public records live in the zone (the anti-spoof baseline, plus `askari.wingu.me` and the `*.askari` wildcard, applied in M4a). Everything else is reached over LAN/mesh and never appears here.

## Data (in `group_vars/all/public_dns.yml`)

| Var | Meaning |
|---|---|
| `public_dns__domain` | the zone (wingu.me) |
| `public_dns__records` | records to ensure present (`record`, `type`, `values`, optional `ttl`) |
| `public_dns__absent` | records to ensure absent (Gandi's auto-seeded defaults) |

## Behaviour knobs (`defaults/main.yml`)

| Var | Default | Meaning |
|---|---|---|
| `public_dns__apply` | `true` | set `false` to validate without calling the Gandi API (Molecule) |
| `public_dns__default_ttl` | `1800` | TTL when a record omits one |

## Notes

The zone is reconciled additively (everything in `public_dns__records` is ensured present) plus an explicit absent list: Gandi seeds 13 default records on a new .me zone; we purge the 11 we don't want and overwrite MX/SPF with the anti-spoof baseline. Anything listed in neither variable is left untouched; full-zone authoritative pruning is a future enhancement (TODO 8.3).

Gandi rejects an RFC 7505 null MX (`0 .`) with "invalid format for MX record", so a no-mail domain can't use the standard null-MX here. Instead we remove the MX entirely (no MX + no apex A = no mail) and rely on SPF `-all` plus DMARC `p=reject` to prevent spoofing.
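As an added check (example code, not part of the role), a Python audit of the no-mail baseline described above, run over records in the `public_dns__records` / `public_dns__absent` shape; it also flags the RFC 7505 null MX that Gandi rejects and, going one step beyond the README, an apex AAAA, since the RFC 5321 implicit-MX fallback uses any apex address record. The sample data is constructed, not the real zone.

```python
# Added example, not the role's own code: audit a public_dns__records-style
# zone for the README's no-mail baseline. Sample data below is constructed.
DEFAULT_TTL = 1800  # public_dns__default_ttl

def normalise(records, default_ttl=DEFAULT_TTL):
    """Fill in the default TTL, as the role does for records that omit one."""
    return [dict(r, ttl=r.get("ttl", default_ttl)) for r in records]

def parse_dmarc(txt):
    """'v=DMARC1; p=reject; aspf=s' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 's'}"""
    parts = (p.strip() for p in txt.split(";"))
    return dict(p.split("=", 1) for p in parts if "=" in p)

def audit_no_mail_baseline(records, absent):
    """Return findings (empty = baseline met): no MX, no apex A/AAAA (RFC 5321
    implicit-MX fallback), apex SPF ending -all, _dmarc p=reject, and nothing
    listed both present and absent."""
    findings = []
    by_key = {(r["record"], r["type"]): r for r in records}
    for (name, rtype), r in by_key.items():
        if rtype != "MX":
            continue
        if all(v.strip() == "0 ." for v in r["values"]):
            findings.append(f"{name}/MX is an RFC 7505 null-MX, which Gandi rejects")
        else:
            findings.append(f"{name}/MX present: zone would accept mail")
    for rtype in ("A", "AAAA"):
        if ("@", rtype) in by_key:
            findings.append(f"apex {rtype} present: implicit-MX fallback target")
    spf = by_key.get(("@", "TXT"), {}).get("values", [])
    if not any(v.startswith("v=spf1") and v.split()[-1:] == ["-all"] for v in spf):
        findings.append("no apex SPF record ending in -all")
    dmarc = by_key.get(("_dmarc", "TXT"), {}).get("values", [])
    if not any(parse_dmarc(v).get("p") == "reject" for v in dmarc if v.startswith("v=DMARC1")):
        findings.append("no _dmarc TXT with p=reject")
    for name, rtype in sorted(set(by_key) & {(a["record"], a["type"]) for a in absent}):
        findings.append(f"{name}/{rtype} is listed both present and absent")
    return findings

# Constructed sample in the README's record shape (not the real zone data).
SAMPLE_RECORDS = [
    {"record": "@", "type": "TXT", "values": ["v=spf1 -all"]},
    {"record": "_dmarc", "type": "TXT", "values": ["v=DMARC1; p=reject; aspf=s"], "ttl": 3600},
    {"record": "askari", "type": "A", "values": ["192.0.2.10"]},
    {"record": "*.askari", "type": "A", "values": ["192.0.2.10"]},
]
SAMPLE_ABSENT = [{"record": "@", "type": "MX"}, {"record": "webmail", "type": "CNAME"}]
```

Wire it into a Molecule verify step with `public_dns__apply: false` to catch a drifting baseline before anything reaches the Gandi API.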