Dogfood of the new /kaizen command. 11 consumed, 1 kept open.
- SYSTEMATIZE → docs/testing/gotchas.md (apply:{tags} propagation, Molecule
tag-isolation testing, API/templating render-only gap); CLAUDE.md
(item['key'] loop convention, TF module required_providers); public_dns
README (Gandi null-MX workaround).
- CHANGE → extend the Stop hook to also guard the brainstorming spec-review gate
(verified: blocks the gate, passes meta-discussion).
- SYSTEMATIZE → make new-role scaffolds the access__/backup__ noqa reminder;
ADR-004 documents the cross-role-naming convention.
- ALREADY-BUILT/ACCEPTED → exec-menu guard verified firing; ADR-023; ADR-024;
subagent-faithfulness now embodied in the two-stage subagent review.
- KEEP-OPEN → a repo-scan.py check for ADRs that over-claim reconciliation.
Nudge: OVERDUE (13 signals) → ok (1). make lint + 16 friction-scan tests green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
34 lines
1.6 KiB
Markdown
# public_dns

Manages boma's public DNS zone (**wingu.me**) at **Gandi LiveDNS** as code, via
`community.general.gandi_livedns` (PAT auth from `vault.gandi.pat`). Provider-agnostic
name on purpose. Run from the control node: `make check/deploy PLAYBOOK=dns`.

Mesh/LAN-only by default — only deliberate public records live in the zone (the
anti-spoof baseline plus `askari.wingu.me` + the `*.askari` wildcard, applied in M4a).
Everything else is reached over LAN/mesh and never appears here.

## Data (in `group_vars/all/public_dns.yml`)

| Var | Meaning |
|---|---|
| `public_dns__domain` | the zone (`wingu.me`) |
| `public_dns__records` | records to ensure **present** (`record`, `type`, `values`, optional `ttl`) |
| `public_dns__absent` | records to ensure **absent** (Gandi's auto-seeded defaults) |

## Behaviour knobs (`defaults/main.yml`)

| Var | Default | Meaning |
|---|---|---|
| `public_dns__apply` | `true` | set `false` to validate without calling the Gandi API (Molecule) |
| `public_dns__default_ttl` | `1800` | TTL when a record omits one |

## Notes

The zone is reconciled **additively** plus an explicit `absent` list (Gandi seeds 13
default records on a new `.me`; we purge the unwanted 11 and overwrite MX/SPF with the
anti-spoof baseline). Full-zone authoritative pruning is a future enhancement (TODO 8.3).

**Gandi rejects RFC-7505 null-MX (`0 .`)** with "invalid format for MX record" — so a
no-mail domain can't use the standard null-MX. We instead **remove the MX entirely** (no
MX + no apex A = no mail) and rely on SPF `-all` + DMARC `reject` to prevent spoofing.
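As an added example (not the role's own code), a small Python pre-flight check that encodes the no-mail baseline from the Notes above over data in the `public_dns__records` / `public_dns__absent` shape: it fails on the Gandi-rejected `0 .` null-MX, on any apex MX or apex A, and on a missing SPF `-all` or DMARC `reject`. The sample zone is constructed; `@` for the apex and the 192.0.2.x addresses are assumptions, not the real zone data.

```python
from typing import Dict, List

# Constructed sample in the shape of group_vars/all/public_dns.yml; "@" for the apex
# and the 192.0.2.x address are assumptions/placeholders, not the real zone data.
SAMPLE_ZONE = {
    "public_dns__domain": "wingu.me",
    "public_dns__records": [
        {"record": "@", "type": "TXT", "values": ['"v=spf1 -all"']},
        {"record": "_dmarc", "type": "TXT", "values": ['"v=DMARC1; p=reject"'], "ttl": 3600},
        {"record": "askari", "type": "A", "values": ["192.0.2.10"]},
        {"record": "*.askari", "type": "A", "values": ["192.0.2.10"]},
    ],
    "public_dns__absent": [{"record": "@", "type": "MX"}],
}


def _find(records: List[Dict], name: str, rtype: str) -> List[Dict]:
    return [r for r in records if r["record"] == name and r["type"] == rtype]


def check_no_mail_baseline(zone: Dict) -> List[str]:
    """Return the list of baseline violations; an empty list means the zone data is OK."""
    problems: List[str] = []
    present = zone.get("public_dns__records", [])
    absent = zone.get("public_dns__absent", [])

    # Gandi rejects the RFC 7505 null-MX ("0 ."), and the no-mail stance is "no MX at all",
    # so any apex MX in the present list is a mistake either way.
    for mx in _find(present, "@", "MX"):
        if any(v.strip() == "0 ." for v in mx["values"]):
            problems.append("null-MX '0 .' is rejected by Gandi LiveDNS")
        else:
            problems.append("apex MX present; a no-mail zone should carry none")

    # The seeded apex MX only disappears if it is listed for removal explicitly.
    if not _find(absent, "@", "MX"):
        problems.append("apex MX is not in public_dns__absent")

    # "no MX + no apex A = no mail": an apex A would make the apex a fallback mail target.
    if _find(present, "@", "A"):
        problems.append("apex A record present")

    # Spoofing protection: SPF hard-fail and DMARC reject must both be published.
    spf = [v for r in _find(present, "@", "TXT") for v in r["values"] if "v=spf1" in v]
    if not any(v.strip().strip('"').endswith("-all") for v in spf):
        problems.append("SPF record missing or not ending in -all")
    dmarc = [v for r in _find(present, "_dmarc", "TXT") for v in r["values"] if "v=DMARC1" in v]
    if not any("p=reject" in v for v in dmarc):
        problems.append("DMARC record missing or policy not reject")
    return problems
```

Running it with `public_dns__apply: false` data in Molecule catches these mistakes before the role ever talks to the Gandi API.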