- dev_env .zshrc: drop the rclone alias (not installed) and guard the direnv
hook with `command -v direnv` so a missing direnv doesn't error every shell (O16)
- dev_env oh-my-posh: tag the zen.toml theme deploy `config` (it renders config to
disk like the per_user dotfiles); the include now carries packages+config so a
`--tags config` run re-renders the theme while the binary install stays packages
only (O17). Verified via `molecule converge -- --tags config`.
- drop the non-vocabulary `tags: [verify]` from molecule verify playbooks across
base/docker_host/public_dns/reverse_proxy (check-tags exempts molecule anyway) (O25)
- reverse_proxy templates: add the `{{ ansible_managed }}` header (ADR-024 §1.2) (O26)
make lint green; dev_env + reverse_proxy molecule green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
public_dns
Manages boma's public DNS zone (wingu.me) at Gandi LiveDNS as code, via
`community.general.gandi_livedns` (PAT auth from `vault.gandi.pat`). Provider-agnostic
name on purpose. Run from the control node: `make check/deploy PLAYBOOK=dns`.
Mesh/LAN-only by default — only deliberate public records live in the zone (the
anti-spoof baseline plus askari.wingu.me + the `*.askari` wildcard, applied in M4a).
Everything else is reached over LAN/mesh and never appears here.
Data (in group_vars/all/public_dns.yml)
| Var | Meaning |
|---|---|
| `public_dns__domain` | the zone (wingu.me) |
| `public_dns__records` | records to ensure present (`record`, `type`, `values`, optional `ttl`) |
| `public_dns__absent` | records to ensure absent (Gandi's auto-seeded defaults) |
Behaviour knobs (defaults/main.yml)
| Var | Default | Meaning |
|---|---|---|
| `public_dns__apply` | `true` | set `false` to validate without calling the Gandi API (Molecule) |
| `public_dns__default_ttl` | `1800` | TTL when a record omits one |
Notes
The zone is reconciled additively plus an explicit absent list (Gandi seeds 13
default records on a new .me; we purge the unwanted 11 and overwrite MX/SPF with the
anti-spoof baseline). Full-zone authoritative pruning is a future enhancement (TODO 8.3).
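The reconcile semantics described above (additive present list, explicit absent list, the `public_dns__default_ttl` fallback and the `public_dns__apply` dry-run knob), modelled as an added Python example that is not the role's own code. The record shape follows the Data table; the `Record` class, the `provider` hook and the sample zone with its seeded defaults are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    record: str
    type: str
    values: tuple
    ttl: int

def normalise(records, default_ttl):
    """Apply public_dns__default_ttl where a record omits ttl; reject duplicates."""
    out = {}
    for r in records:
        key = (r["record"], r["type"].upper())
        if key in out:
            raise ValueError(f"duplicate desired record {key}")
        out[key] = Record(key[0], key[1], tuple(r["values"]), int(r.get("ttl", default_ttl)))
    return out

def plan(present, absent, zone, default_ttl):
    """Additive reconcile: upsert listed records, delete only the explicit absent list."""
    desired = normalise(present, default_ttl)
    absent_keys = {(a["record"], a["type"].upper()) for a in absent}
    clash = sorted(absent_keys & desired.keys())
    if clash:  # a record listed as both present and absent is a data error, not a no-op
        raise ValueError(f"listed both present and absent: {clash}")
    upserts = [r for k, r in desired.items() if zone.get(k) != r]
    deletes = sorted(k for k in absent_keys if k in zone)
    return upserts, deletes  # anything else already in the zone is left untouched

def reconcile(present, absent, zone, default_ttl=1800, apply=False, provider=None):
    """apply=False mirrors public_dns__apply: return the plan without calling any API."""
    upserts, deletes = plan(present, absent, zone, default_ttl)
    if apply:
        for r in upserts:
            provider.upsert(r)  # hypothetical hook; the role itself uses gandi_livedns
        for k in deletes:
            provider.delete(*k)
    return upserts, deletes

# Constructed sample: provider-seeded defaults, and a mesh-only policy that publishes
# only an anti-spoof baseline (null MX, SPF -all) plus one host and its wildcard.
SEEDED_ZONE = {
    ("@", "MX"): Record("@", "MX", ("10 mail.example.net.",), 10800),
    ("webmail", "CNAME"): Record("webmail", "CNAME", ("webmail.example.net.",), 10800),
}
PRESENT = [
    {"record": "@", "type": "MX", "values": ["0 ."]},
    {"record": "@", "type": "TXT", "values": ["v=spf1 -all"]},
    {"record": "askari", "type": "A", "values": ["192.0.2.10"], "ttl": 300},
    {"record": "*.askari", "type": "A", "values": ["192.0.2.10"], "ttl": 300},
]
ABSENT = [{"record": "webmail", "type": "CNAME"}]
```

Running `reconcile(PRESENT, ABSENT, SEEDED_ZONE)` yields four upserts (the seeded MX is overwritten, the apex records inherit the 1800 s default) and one delete; applying that plan and running it again yields an empty plan.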