boma/roles/public_dns/tasks/main.yml

---
- name: Assert public DNS data is sane
  ansible.builtin.assert:
    that:
      - public_dns__domain | length > 0
      - public_dns__records | selectattr('record', 'equalto', '@')
        | selectattr('type', 'equalto', 'TXT') | list | length > 0
    fail_msg: >-
      public_dns__domain must be set and an SPF record (@/TXT) declared in
      public_dns__records (group_vars/all/public_dns.yml).
  run_once: true

- name: Ensure desired records are present (Gandi LiveDNS)
  community.general.gandi_livedns:
    domain: "{{ public_dns__domain }}"
    record: "{{ item.record }}"
    type: "{{ item.type }}"
    values: "{{ item.values }}"
    ttl: "{{ item.ttl | default(public_dns__default_ttl) }}"
    state: present
    personal_access_token: "{{ vault.gandi.pat }}"
  loop: "{{ public_dns__records }}"
  loop_control:
    label: "{{ item.record }} {{ item.type }}"
  run_once: true
  when: public_dns__apply | bool

- name: Ensure unwanted records are absent (Gandi LiveDNS)
  community.general.gandi_livedns:
    domain: "{{ public_dns__domain }}"
    record: "{{ item.record }}"
    type: "{{ item.type }}"
    state: absent
    personal_access_token: "{{ vault.gandi.pat }}"
  loop: "{{ public_dns__absent }}"
  loop_control:
    label: "{{ item.record }} {{ item.type }}"
  run_once: true
  when: public_dns__apply | bool