boma/roles/public_dns
sjat 078d1ad9d9 fix(public_dns): drop null-MX (Gandi rejects '0 .'); remove MX instead
Gandi LiveDNS rejects the RFC-7505 null-MX value '0 .' ('invalid format for MX
record'), which failed the live apply. No MX + no apex A = no mail delivery, and
SPF -all + DMARC reject still prevent spoofing — so remove Gandi's seeded MX (add
@/MX to absent) rather than declare a null-MX present. Assert now requires an SPF
@/TXT record; tests + Molecule sample updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 10:53:54 +02:00
defaults feat(public_dns): role tasks, defaults, meta, README 2026-06-14 10:34:42 +02:00
handlers scaffold(public_dns): empty role structure 2026-06-14 10:30:02 +02:00
meta feat(public_dns): role tasks, defaults, meta, README 2026-06-14 10:34:42 +02:00
molecule/default fix(public_dns): drop null-MX (Gandi rejects '0 .'); remove MX instead 2026-06-14 10:53:54 +02:00
tasks fix(public_dns): drop null-MX (Gandi rejects '0 .'); remove MX instead 2026-06-14 10:53:54 +02:00
README.md feat(public_dns): role tasks, defaults, meta, README 2026-06-14 10:34:42 +02:00

public_dns

Manages boma's public DNS zone (wingu.me) at Gandi LiveDNS as code, via community.general.gandi_livedns (PAT auth from vault.gandi.pat). Provider-agnostic name on purpose. Run from the control node: make check/deploy PLAYBOOK=dns.

Mesh/LAN-only by default — only deliberate public records live in the zone (the anti-spoof baseline now; askari in M4). Everything else is reached over LAN/mesh and never appears here.

Data (in group_vars/all/public_dns.yml)

| Var | Meaning |
|---|---|
| public_dns__domain | the zone (wingu.me) |
| public_dns__records | records to ensure present (record, type, values, optional ttl) |
| public_dns__absent | records to ensure absent (Gandi's auto-seeded defaults) |

Behaviour knobs (defaults/main.yml)

| Var | Default | Meaning |
|---|---|---|
| public_dns__apply | true | set false to validate without calling the Gandi API (Molecule) |
| public_dns__default_ttl | 1800 | TTL when a record omits one |

Notes

The zone is reconciled additively plus an explicit absent list (Gandi seeds 13 default records on a new .me; we purge the unwanted 11 and overwrite MX/SPF with the anti-spoof baseline). Full-zone authoritative pruning is a future enhancement (TODO 8.3).
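The data model and the pre-apply assertion described above (SPF @/TXT required, null-MX `0 .` refused by Gandi, apex MX handled via the absent list) can be checked offline before any API call. The following is an added, hypothetical example and not the role's own code: it assumes the record shape from the table above (`record`, `type`, `values`, optional `ttl`), fills in `public_dns__default_ttl`, and goes slightly beyond the role's stated assert by also checking that the DMARC policy is `p=reject` and that `@/MX` is listed under `public_dns__absent`. The zone name and records below are constructed sample data, not the project's.

```python
"""Offline sanity check for public_dns zone data (hypothetical example, not the
role's code). Mirrors what a public_dns__apply=false validation pass could do."""
import re

DEFAULT_TTL = 1800  # same default as public_dns__default_ttl in defaults/main.yml

# Constructed sample of group_vars/all/public_dns.yml as Python literals.
# The zone name is a placeholder, not the project's zone.
SAMPLE_VARS = {
    "public_dns__domain": "zone.example",
    "public_dns__records": [
        {"record": "@", "type": "TXT", "values": ['"v=spf1 -all"']},
        {"record": "_dmarc", "type": "TXT",
         "values": ['"v=DMARC1; p=reject; adkim=s; aspf=s"'], "ttl": 3600},
    ],
    "public_dns__absent": [
        {"record": "@", "type": "MX"},          # provider-seeded MX is purged
        {"record": "webmail", "type": "CNAME"},  # constructed example of a seeded default
    ],
}

VALID_TYPES = {"A", "AAAA", "CNAME", "MX", "TXT", "SRV", "CAA", "NS"}


class DnsDataError(ValueError):
    """Raised when the zone data would fail the pre-apply assertions."""


def normalise_records(records, default_ttl=DEFAULT_TTL):
    """Validate each record's shape and fill in the default TTL where omitted."""
    out = []
    for rec in records:
        missing = {"record", "type", "values"} - set(rec)
        if missing:
            raise DnsDataError(f"{rec}: missing {sorted(missing)}")
        if rec["type"] not in VALID_TYPES:
            raise DnsDataError(f"{rec['record']}: unsupported type {rec['type']!r}")
        if not rec["values"]:
            raise DnsDataError(f"{rec['record']}/{rec['type']}: empty values")
        # Gandi LiveDNS rejects the RFC 7505 null-MX value '0 .' at apply time;
        # catching it here keeps the failure in 'make check' rather than 'deploy'.
        if rec["type"] == "MX" and any(v.strip() == "0 ." for v in rec["values"]):
            raise DnsDataError(
                f"{rec['record']}/MX: null-MX '0 .' is rejected by Gandi; "
                "list @/MX under public_dns__absent instead")
        out.append({**rec, "ttl": int(rec.get("ttl", default_ttl))})
    return out


def _txt_values(records, name):
    """All TXT values at a given name, with surrounding quotes stripped."""
    return [v.strip().strip('"')
            for r in records if r["record"] == name and r["type"] == "TXT"
            for v in r["values"]]


def check_anti_spoof_baseline(records, absent):
    """Apex SPF with -all, DMARC reject, and no apex MX left present."""
    spf = [v for v in _txt_values(records, "@") if v.startswith("v=spf1")]
    if not spf:  # the assertion the fix commit introduced
        raise DnsDataError("no SPF @/TXT record")
    if not any(re.search(r"\s-all$", v) for v in spf):
        raise DnsDataError("SPF record must end in '-all'")
    dmarc = [v for v in _txt_values(records, "_dmarc") if v.startswith("v=DMARC1")]
    if not any(re.search(r";\s*p=reject\b", v) for v in dmarc):
        raise DnsDataError("_dmarc TXT must carry p=reject")
    if any(r["record"] == "@" and r["type"] == "MX" for r in records):
        raise DnsDataError("apex MX present contradicts the no-mail baseline")
    if not any(a["record"] == "@" and a["type"] == "MX" for a in absent):
        raise DnsDataError("@/MX must be listed in public_dns__absent")


def validate(zone_vars):
    """Run both checks; returns the normalised list of present records."""
    records = normalise_records(zone_vars["public_dns__records"],
                                zone_vars.get("public_dns__default_ttl", DEFAULT_TTL))
    check_anti_spoof_baseline(records, zone_vars.get("public_dns__absent", []))
    return records


if __name__ == "__main__":
    for r in validate(SAMPLE_VARS):
        print(f"{r['record']:8} {r['type']:5} ttl={r['ttl']} {r['values']}")
```

Running it prints the normalised records (the SPF record picks up the 1800 s default, the DMARC record keeps its explicit 3600 s). Adding an `@/MX` record with value `0 .` or dropping the apex SPF makes `validate` raise `DnsDataError`, which is the point at which `make check` should stop before anything is sent to the provider.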