Release v0.4.1: SRV/AAAA records, Pi-hole/dnsmasq providers, native labels, cache fixes

Author: maxfield-allison

.gitlab-ci.yml

@@ -24,9 +24,12 @@ workflow:
   - if: $CI_COMMIT_TAG
   - if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "develop"
     changes: &code-files ["{**/*.go,go.mod,go.sum}"]
+  - if: $CI_COMMIT_BRANCH =~ /^(feature|bugfix|hotfix)\//
+    changes: *code-files
   - if: $CI_PIPELINE_SOURCE == "merge_request_event"
     changes: *code-files
 
+# Feature branches: run validate/test/security/build but NOT docker (no image push)
 .rules-docker: &rules-docker
   - if: $CI_COMMIT_TAG
   - if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "develop"
@@ -75,7 +78,7 @@ lint:
   stage: test
   script:
     - go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
-    - golangci-lint run --timeout 5m
+    - golangci-lint run --config .golangci.yml --timeout 5m
   rules: *rules-code-changes
   allow_failure: true
 
@@ -110,6 +113,16 @@ security:govulncheck:
   rules: *rules-code-changes
   allow_failure: true
 
+security:gitleaks:
+  stage: security
+  image:
+    name: zricethezav/gitleaks:latest
+    entrypoint: [""]
+  script:
+    - gitleaks detect --source . --verbose --no-git
+  rules: *rules-code-changes
+  allow_failure: false  # Block on secrets detection
+
 # ─────────────────────────────────────────────────────────────────────────────
 # Build
 # ─────────────────────────────────────────────────────────────────────────────

.golangci.yml

@@ -0,0 +1,177 @@
+# ===================================
+# golangci-lint configuration
+# ===================================
+# This file ensures reproducible linting across local development and CI.
+# Docs: https://golangci-lint.run/usage/configuration/
+
+run:
+  timeout: 5m
+  issues-exit-code: 1
+  tests: true
+  modules-download-mode: readonly
+
+output:
+  formats:
+    - format: colored-line-number
+  print-issued-lines: true
+  print-linter-name: true
+
+linters:
+  enable:
+    # Default linters
+    - errcheck      # Check for unchecked errors
+    - gosimple      # Simplify code
+    - govet         # Suspicious constructs
+    - ineffassign   # Detect ineffectual assignments
+    - staticcheck   # Static analysis
+    - unused        # Unused code
+
+    # Additional recommended
+    - bodyclose     # HTTP response body close
+    - dogsled       # Too many blank identifiers
+    - dupl          # Code duplication (threshold below)
+    - errorlint     # Error wrapping issues
+    - exhaustive    # Enum switch completeness
+    - gochecknoinits  # No init functions
+    - goconst       # Repeated strings → const
+    - gocritic      # Opinionated linter
+    - gofmt         # Formatting check
+    - goimports     # Import formatting
+    - gosec         # Security issues
+    - misspell      # Spelling mistakes
+    - nakedret      # Naked returns in long functions
+    - nilerr        # Return nil after error check
+    - noctx         # HTTP requests without context
+    - prealloc      # Slice preallocation
+    - predeclared   # Shadowing predeclared identifiers
+    - revive        # Replacement for golint
+    - unconvert     # Unnecessary conversions
+    - unparam       # Unused function parameters
+    - whitespace    # Unnecessary whitespace
+
+  disable:
+    - depguard      # Requires configuration for allowed packages
+    - funlen        # Often too restrictive for table-driven tests
+    - gocognit      # Cognitive complexity - use judiciously
+    - gocyclo       # Cyclomatic complexity - use judiciously
+    - lll           # Line length - gofmt handles wrapping
+
+linters-settings:
+  dupl:
+    threshold: 150  # Tokens before flagging duplication
+
+  errcheck:
+    check-type-assertions: true
+    check-blank: true
+    exclude-functions:
+      - io.Copy
+      - io.ReadAll
+      - (io.ReadCloser).Close
+
+  errorlint:
+    errorf: true
+    asserts: true
+    comparison: true
+
+  exhaustive:
+    default-signifies-exhaustive: true
+
+  goconst:
+    min-len: 3
+    min-occurrences: 3
+
+  gocritic:
+    enabled-tags:
+      - diagnostic
+      - style
+      - performance
+    disabled-checks:
+      - whyNoLint  # Sometimes we need nolint without explanation
+
+  goimports:
+    local-prefixes: gitlab.bluewillows.net
+
+  gosec:
+    excludes:
+      - G104  # Errors unhandled - errcheck covers this
+      - G304  # File path from variable - often intentional
+
+  govet:
+    enable-all: true
+    disable:
+      - fieldalignment  # Too noisy, minor optimization
+
+  misspell:
+    locale: US
+
+  nakedret:
+    max-func-lines: 30
+
+  prealloc:
+    simple: true
+    for-loops: true
+
+  revive:
+    rules:
+      - name: blank-imports
+      - name: context-as-argument
+      - name: context-keys-type
+      - name: dot-imports
+      - name: error-return
+      - name: error-strings
+      - name: error-naming
+      - name: exported
+      - name: increment-decrement
+      - name: indent-error-flow
+      - name: package-comments
+      - name: range
+      - name: receiver-naming
+      - name: time-naming
+      - name: unexported-return
+      - name: var-declaration
+      - name: var-naming
+
+  unparam:
+    check-exported: false  # Can cause issues with interfaces
+
+issues:
+  exclude-use-default: false
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+  exclude-rules:
+    # Test files can have longer functions and more complexity
+    - path: _test\.go
+      linters:
+        - dupl
+        - gosec
+        - goconst
+
+    # Allow fmt.Print in main for CLI output
+    - path: cmd/
+      linters:
+        - forbidigo
+
+    # Generated code should be excluded
+    - path: ".*\\.gen\\.go$"
+      linters:
+        - dupl
+        - goconst
+        - gocritic
+
+    # Mock files often have unused parameters by design
+    - path: mock
+      linters:
+        - unparam
+
+    # Provider implementations may have similar patterns
+    - path: providers/
+      linters:
+        - dupl
+      text: "duplicate of"
+
+severity:
+  default-severity: warning
+  rules:
+    - linters: [gosec, errcheck]
+      severity: error

CHANGELOG.md

@@ -7,6 +7,60 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.1] - 2026-01-11
+
+### Added
+- **CLEANUP_ON_STOP Option**: New `DNSWEAVER_CLEANUP_ON_STOP` configuration option (default: `true`)
+  - When `true` (default): DNS records are deleted when containers stop or are removed
+  - When `false`: DNS records are only deleted when containers are removed, not when stopped
+  - Useful for containers that frequently stop/start and don't need DNS cleanup on stop
+- **Native dnsweaver Labels** (#27): Use dnsweaver without Traefik dependency
+  - New label format: `dnsweaver.hostname`, `dnsweaver.type`, `dnsweaver.target`
+  - Works alongside existing Traefik label parsing
+  - Enables DNS management for services that don't use Traefik
+- **Pi-hole Provider** (#15): Native Pi-hole DNS integration with two operation modes
+  - **API mode**: Uses Pi-hole's Admin API (recommended for Pi-hole v5)
+    - Manages Local DNS Records (A/AAAA) and Local CNAME Records
+    - Authentication via admin password (supports `_FILE` suffix for secrets)
+  - **File mode**: Direct file manipulation for containerized Pi-hole setups
+    - Uses dnsmasq config format internally
+    - Configurable config directory, filename, and reload command
+  - Supports A, AAAA, and CNAME record types
+  - Zone filtering for multi-zone environments
+  - **Note**: Pi-hole v6+ uses a different API; see #74 for v6 support
+- **dnsmasq Provider** (#28): File-based DNS provider for dnsmasq DNS server
+  - Manages records by writing to dnsmasq configuration files
+  - Supports `address=` directive for A/AAAA records
+  - Supports `cname=` directive for CNAME records
+  - Automatic dnsmasq reload after changes (configurable)
+  - Serves as foundation for Pi-hole integration
+  - Configurable config directory, filename, and reload command
+  - **Note**: Orphan cleanup limited due to lack of TXT ownership support; see #73
+- **SRV Record Support** (#62): Service discovery DNS records
+  - Added `SRV` record type for service discovery (Minecraft, SIP, LDAP, XMPP)
+  - SRV records include priority, weight, port, and target fields
+  - SRV naming convention: `_service._proto.name` (e.g., `_minecraft._tcp.example.com`)
+  - Full support across all providers: Technitium, Cloudflare, Webhook
+  - Updated README with SRV record type in reference table
+- **AAAA Record Support** (#63): IPv6 DNS record support
+  - Added `AAAA` record type for IPv6 addresses alongside existing `A` (IPv4) and `CNAME` types
+  - Strict validation: A records require IPv4, AAAA records require IPv6, CNAME requires hostname
+  - Full support across all providers: Technitium, Cloudflare, Webhook
+  - Updated README with IPv6 configuration examples
+
+### Fixed
+- **Cache includes all record types** (#63, #62): Record cache now properly includes AAAA and SRV records
+  - Previously, `getExistingRecords()` only cached A and CNAME records
+  - SRV and AAAA records were being missed during orphan cleanup
+- **Orphan cleanup uses correct record type** (#63, #62): Delete operations now use the actual record type
+  - Previously, orphan cleanup always used `A` record type for deletion regardless of actual type
+  - Now correctly deletes AAAA records as AAAA and SRV records as SRV
+- **SRV record data updates**: Fixed multiple issues with SRV record lifecycle
+  - Proper detection of SRV record data changes (priority, weight, port, target)
+  - Correct API parameter names for Technitium SRV records
+  - SRV data properly passed through reconciler to providers
+  - RFC 2782 validation for SRV record hostnames
+
 ## [0.3.3] - 2026-01-09
 
 ### Added