From 88661808abe13a93969fe43727bc61d737597ba0 Mon Sep 17 00:00:00 2001
From: Matthew Fennell <matthew@fennell.dev>
Date: Mon, 11 Aug 2025 08:10:37 +0100
Subject: Document domain_with_ds and ds_subname

I found these variables a bit confusing after having to interact with
them again. It is useful to have some context now I have forgotten all
about the DS record setup!
---
 playbook.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/playbook.yaml b/playbook.yaml
index 39e6e82..55d8851 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -460,12 +460,22 @@
 
    parent_host: "{{ virtual_host.split('.')[1:] | join('.') }}"
 
+   # When the virtual host is on a subdomain, we want a DS record on the parent
+   # domain. This is so we can manage the subdomain as a separate domain on
+   # deSEC, and enforce some separation between nonprod and prod.
+   #
+   # If virtual_host is "continuous.nonprod.example.org", then domain_with_ds
+   # is "example.org".
    domain_with_ds: >-
     {{- parent_domain.json
     | map(attribute='name')
     | first
     | default("") -}}
 
+   # To register the DS record, we need the subname to point to.
+   #
+   # If virtual_host is "continuous.nonprod.example.org", then ds_subname is
+   # "continuous.nonprod".
    ds_subname: "{{ virtual_host | regex_replace('.' + domain_with_ds, '') }}"
 
    delegate_host: >-
-- 
cgit v1.2.3