diff --git a/README.md b/README.md
index 41c5985..3703c13 100644
--- a/README.md
+++ b/README.md
@@ -127,7 +127,7 @@ nixos-rebuild build --flake .#asusmini ### DNS Management -DNS is managed with dnscontrol (available in dev shell). +DNS is managed with dnscontrol (available in dev shell). See [dns/README.md](dns/README.md) for details. ## Architecture
diff --git a/dns/.gitignore b/dns/.gitignore
new file mode 100644
index 0000000..641df08
--- /dev/null
+++ b/dns/.gitignore
@@ -0,0 +1,3 @@
+# Don't commit decrypted credentials
+creds.json.local
+*.local
diff --git a/dns/README.md b/dns/README.md
new file mode 100644
index 0000000..6b8eff3
--- /dev/null
+++ b/dns/README.md
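Review bot: Neither `creds.json.local` nor `*.local` covers `dns/creds.json`, the file this same commit tracks as the template and the one the README tells you to format your credentials like, so a real token pasted into it in place would be committed; `creds.json.local` is also already matched by `*.local`, so the first pattern is redundant. Renaming the tracked template to `creds.json.example` and ignoring `creds.json` here closes that gap, keeping in mind that an ignore rule has no effect on a path that is already tracked, so the rename has to land first. Suggested contents: `# Don't commit decrypted credentials`, `creds.json`, `*.local`.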
@@ -0,0 +1,56 @@
+# DNS Configuration
+
+DNS records are managed with [dnscontrol](https://docs.dnscontrol.org/).
+
+## Setup
+
+1. Create/edit DNS credentials in agenix:
+ ```bash
+ cd secrets
+ agenix -e dns-creds.age
+ ```
+
+ Format the JSON like `creds.json` example:
+ ```json
+ {
+ "cloudflare": {
+ "TYPE": "CLOUDFLAREAPI",
+ "accountid": "your-account-id",
+ "apitoken": "your-api-token"
+ }
+ }
+ ```
+
+2. Update `dnscontrol.js` with your static IP address (replace `TODO_STATIC_IP`)
+
+3. If using a different DNS provider, update the provider in `dnscontrol.js`
+
+## Commands
+
+On the server, credentials are auto-decrypted to `/run/agenix/dns-creds`.
+
+**Preview changes:**
+```bash
+cd /etc/nixos/dns
+dnscontrol preview --config dnscontrol.js --creds /run/agenix/dns-creds
+```
+
+**Apply changes:**
+```bash
+dnscontrol push --config dnscontrol.js --creds /run/agenix/dns-creds
+```
+
+**Validate config:**
+```bash
+dnscontrol check --config dnscontrol.js
+```
+
+## DNS Records
+
+All subdomains point to the same static IP:
+
+- `pds.commonscomputer.com` → PDS (port 5556, proxied via Caddy)
+- `knot.commonscomputer.com` → Tangled Knot (port 5555, proxied via Caddy)
+- `spindle.commonscomputer.com` → Tangled Spindle (port 6555, proxied via Caddy)
+
+Caddy handles HTTPS termination and reverse proxying to the internal services.
diff --git a/dns/creds.json b/dns/creds.json
new file mode 100644
index 0000000..1ced1cc
--- /dev/null
+++ b/dns/creds.json
@@ -0,0 +1,7 @@
+{
+ "cloudflare": {
+ "TYPE": "CLOUDFLAREAPI",
+ "accountid": "TODO_CLOUDFLARE_ACCOUNT_ID",
+ "apitoken": "TODO_CLOUDFLARE_API_TOKEN"
+ }
+}
diff --git a/dns/dnscontrol.js b/dns/dnscontrol.js
new file mode 100644
index 0000000..8c6d87d
--- /dev/null
+++ b/dns/dnscontrol.js
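Review bot: The `apitoken` placeholder says nothing about privilege, and a Cloudflare credential that lives on a server for `dnscontrol push` should be an API token scoped to Zone → DNS → Edit on this one zone, never the account-wide Global API Key; strict JSON has no comment syntax, so the guidance belongs in dns/README.md next to the format example, e.g. `Use a Cloudflare API token restricted to DNS:Edit for the single zone, not the Global API Key.` Separately, `creds.json` is, as far as I recall, dnscontrol's default `--creds` path, so a run from `dns/` without the flag would silently pick up this placeholder file, and because the file is tracked a filled-in copy ends up in history. Naming the template `creds.json.example` avoids both.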
@@ -0,0 +1,21 @@
+var REG_NONE = NewRegistrar("none");
+var DNS_PROVIDER = NewDnsProvider("cloudflare"); // Change to your DNS provider
+
+// TODO: Replace with actual static IP address once configured
+var SERVER_IP = "TODO_STATIC_IP";
+
+D("commonscomputer.com", REG_NONE, DnsProvider(DNS_PROVIDER),
+ // PDS - Personal Data Server
+ A("pds", SERVER_IP),
+
+ // Knot - Git forge
+ A("knot", SERVER_IP),
+
+ // Spindle - CI runner
+ A("spindle", SERVER_IP),
+
+ // Optional: Wildcard for future services
+ // A("*", SERVER_IP),
+
+ END
+);
diff --git a/hosts/asusmini/default.nix b/hosts/asusmini/default.nix
index d79b294..74bb4f8 100644
--- a/hosts/asusmini/default.nix
+++ b/hosts/asusmini/default.nix
@@ -9,6 +9,7 @@ ./hardware-configuration.nix # ./atproto.nix ./auto-update.nix + ./dns.nix ]; # Bootloader.
diff --git a/hosts/asusmini/dns.nix b/hosts/asusmini/dns.nix
new file mode 100644
index 0000000..64f1132
--- /dev/null
+++ b/hosts/asusmini/dns.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ age.secrets.dns-creds = {
+ file = ../../secrets/dns-creds.age;
+ mode = "0400";
+ owner = "root";
+ };
+
+ # DNS credentials are available at: config.age.secrets.dns-creds.path
+ # which resolves to /run/agenix/dns-creds
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index eef9f81..e60fdbc 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,5 @@ let in { "pds-env.age".publicKeys = allKeys; + "dns-creds.age".publicKeys = allKeys; }
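Review bot: The commented-out `A("*", SERVER_IP)` needs a caveat before anyone uncomments it: a wildcard makes every undefined name under commonscomputer.com resolve to the Caddy host, so arbitrary hostnames reach the reverse proxy and, should Caddy ever run on-demand TLS or a permissive default site, certificates and responses get served for names nobody intended. Suggested comment in place of the current one: `// Wildcard: every undefined name resolves here — only enable with an explicit catch-all in Caddy that rejects unknown hosts.` Separately, `"TODO_STATIC_IP"` is not an IPv4 literal, so the `dnscontrol check` the README advertises will most likely reject these A records until it is replaced, which is worth stating in the TODO.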
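Review bot: With `mode = "0400"` and `owner = "root"`, root is the only principal that can read `/run/agenix/dns-creds`, so every `dnscontrol preview`/`push` described in the README has to run as root just to read a Cloudflare token. A dedicated account (e.g. `users.users.dnscontrol` with a matching group) plus `mode = "0440"; owner = "dnscontrol";` would let the DNS tooling run unprivileged. Minor: `config` is bound in `{ config, ... }:` but only referenced in a comment, so `{ ... }:` suffices.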
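Review bot: `"dns-creds.age".publicKeys = allKeys;` encrypts the Cloudflare token to every key in `allKeys`, whose definition sits in the `let` block above this hunk; if that list includes hosts other than asusmini (the only host whose dns.nix consumes this secret in this commit), each of them can decrypt a token able to rewrite the zone. Restricting recipients to the asusmini host key plus the admin key(s), along the lines of `"dns-creds.age".publicKeys = [ admin asusmini ];` (actual names depend on the `let` bindings), keeps the blast radius of a single host compromise to that host's own secrets.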