From d9305b275096db83180f4306a0f962fd0785b823 Mon Sep 17 00:00:00 2001
From: Matthew Fennell <matthew@fennell.dev>
Date: Fri, 2 Jan 2026 13:38:09 +0000
Subject: Store stdout as DANE hash instead of full command

I only want to store the actual hash in dane_hash and not a full python object
corresponding to the execution of the command.
---
 playbook.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/playbook.yaml b/playbook.yaml
index 2a85ba1..9cc207d 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -82,10 +82,14 @@
        ~/.lego/certificates/{{ virtual_host }}.crt -noout -pubkey | openssl
        pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve
        '/1 "%02x"'
-     register: dane_hash
+     register: dane_result
      changed_when: false
      delegate_to: localhost
 
+   - name: Take note of DANE hash
+     ansible.builtin.set_fact:
+      dane_hash: "{{ dane_result.stdout }}"
+
    # We allow status code 400 here as this is returned by deSEC if the domain
    # already exists. Ideally, we should filter out genuinely good/bad requests
    # here using the response.
-- 
cgit v1.2.3