wip: dns stub

README.md

@@ -127,7 +127,7 @@ nixos-rebuild build --flake .#asusmini
 
 ### DNS Management
 
-DNS is managed with dnscontrol (available in dev shell).
+DNS is managed with dnscontrol (available in dev shell). See [dns/README.md](dns/README.md) for details.
 
 ## Architecture
 

dns/.gitignore

@@ -0,0 +1,3 @@
+# Don't commit decrypted credentials
+creds.json.local
+*.local

dns/README.md

@@ -0,0 +1,56 @@
+# DNS Configuration
+
+DNS records are managed with [dnscontrol](https://docs.dnscontrol.org/).
+
+## Setup
+
+1. Create/edit DNS credentials in agenix:
+   ```bash
+   cd secrets
+   agenix -e dns-creds.age
+   ```
+   
+   Format the JSON like `creds.json` example:
+   ```json
+   {
+     "cloudflare": {
+       "TYPE": "CLOUDFLAREAPI",
+       "accountid": "your-account-id",
+       "apitoken": "your-api-token"
+     }
+   }
+   ```
+
+2. Update `dnscontrol.js` with your static IP address (replace `TODO_STATIC_IP`)
+
+3. If using a different DNS provider, update the provider in `dnscontrol.js`
+
+## Commands
+
+On the server, credentials are auto-decrypted to `/run/agenix/dns-creds`.
+
+**Preview changes:**
+```bash
+cd /etc/nixos/dns
+dnscontrol preview --config dnscontrol.js --creds /run/agenix/dns-creds
+```
+
+**Apply changes:**
+```bash
+dnscontrol push --config dnscontrol.js --creds /run/agenix/dns-creds
+```
+
+**Validate config:**
+```bash
+dnscontrol check --config dnscontrol.js
+```
+
+## DNS Records
+
+All subdomains point to the same static IP:
+
+- `pds.commonscomputer.com` → PDS (port 5556, proxied via Caddy)
+- `knot.commonscomputer.com` → Tangled Knot (port 5555, proxied via Caddy)
+- `spindle.commonscomputer.com` → Tangled Spindle (port 6555, proxied via Caddy)
+
+Caddy handles HTTPS termination and reverse proxying to the internal services.

dns/creds.json

@@ -0,0 +1,7 @@
+{
+  "cloudflare": {
+    "TYPE": "CLOUDFLAREAPI",
+    "accountid": "TODO_CLOUDFLARE_ACCOUNT_ID",
+    "apitoken": "TODO_CLOUDFLARE_API_TOKEN"
+  }
+}

dns/dnscontrol.js

@@ -0,0 +1,21 @@
+var REG_NONE = NewRegistrar("none");
+var DNS_PROVIDER = NewDnsProvider("cloudflare"); // Change to your DNS provider
+
+// TODO: Replace with actual static IP address once configured
+var SERVER_IP = "TODO_STATIC_IP";
+
+D("commonscomputer.com", REG_NONE, DnsProvider(DNS_PROVIDER),
+  // PDS - Personal Data Server
+  A("pds", SERVER_IP),
+  
+  // Knot - Git forge
+  A("knot", SERVER_IP),
+  
+  // Spindle - CI runner
+  A("spindle", SERVER_IP),
+  
+  // Optional: Wildcard for future services
+  // A("*", SERVER_IP),
+  
+  END
+);

hosts/asusmini/default.nix

@@ -9,6 +9,7 @@
       ./hardware-configuration.nix
       # ./atproto.nix
       ./auto-update.nix
+      ./dns.nix
     ];
 
   # Bootloader.

hosts/asusmini/dns.nix

@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  age.secrets.dns-creds = {
+    file = ../../secrets/dns-creds.age;
+    mode = "0400";
+    owner = "root";
+  };
+  
+  # DNS credentials are available at: config.age.secrets.dns-creds.path
+  # which resolves to /run/agenix/dns-creds
+}

secrets/secrets.nix

@@ -10,4 +10,5 @@ let
 in
 {
   "pds-env.age".publicKeys = allKeys;
+  "dns-creds.age".publicKeys = allKeys;
 }