Sanitized mirror from private repository - 2026-04-05 10:50:43 UTC

docs/infrastructure/cloudflare-dns.md

@@ -0,0 +1,123 @@
+# Cloudflare DNS Configuration
+
+DNS management for vish.gg and thevish.io domains.
+
+## Overview
+
+All public-facing services use Cloudflare for:
+- DNS management
+- DDoS protection (orange cloud proxy)
+- SSL/TLS termination
+- Caching
+
+## DNS Records - vish.gg
+
+### 🟠 Proxied (Orange Cloud) - Protected
+
+These domains route through Cloudflare's network, hiding your real IP:
+
+| Domain | Service | Host |
+|--------|---------|------|
+| `vish.gg` | Main website | Atlantis |
+| `www.vish.gg` | Main website | Atlantis |
+| `sso.vish.gg` | Authentik SSO | Calypso |
+| `gf.vish.gg` | Grafana | homelab-vm |
+| `git.vish.gg` | Gitea | Calypso |
+| `pw.vish.gg` | Vaultwarden | Atlantis |
+| `ntfy.vish.gg` | Ntfy notifications | homelab-vm |
+| `cal.vish.gg` | Calendar | Atlantis |
+| `mastodon.vish.gg` | Mastodon | Atlantis |
+| `vp.vish.gg` | Piped (YouTube) | Concord NUC |
+| `mx.vish.gg` | Mail proxy | Atlantis |
+
+### ⚪ DNS Only (Grey Cloud) - Direct Connection
+
+These domains expose your real IP (use only when necessary):
+
+| Domain | Reason for DNS-only |
+|--------|---------------------|
+| `*.vish.gg` | Wildcard fallback |
+| `api.vish.gg` | API endpoints (Concord NUC) |
+| `api.vp.vish.gg` | Piped API |
+| `spotify.vish.gg` | Spotify API |
+| `client.spotify.vish.gg` | Spotify client |
+| `in.vish.gg` | Invidious |
+
+## DDNS Updaters
+
+Dynamic DNS is managed by `favonia/cloudflare-ddns` containers:
+
+### Atlantis NAS
+- **Stack**: `dynamicdnsupdater.yaml`
+- **Proxied**: Most vish.gg and thevish.io domains
+- Updates when Atlantis's public IP changes
+
+### Calypso NAS
+- **Stack**: `dynamic_dns.yaml`
+- **Proxied**: `sso.vish.gg`, `git.vish.gg`, `gf.vish.gg`
+- Updates when Calypso's public IP changes
+
+### Concord NUC
+- **Stack**: `dyndns_updater.yaml`
+- **DNS Only**: API endpoints (require direct connection)
+
+## Cloudflare API
+
+API token for DDNS: `REDACTED_CLOUDFLARE_TOKEN`
+
+### Query DNS Records
+```bash
+curl -s "https://api.cloudflare.com/client/v4/zones/4dbd15d096d71101b7c0c6362b307a66/dns_records" \
+  -H "Authorization: Bearer $TOKEN" | jq '.result[] | {name, proxied}'
+```
+
+### Enable/Disable Proxy
+```bash
+# Get record ID
+RECORD_ID=$(curl -s "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records?name=example.vish.gg" \
+  -H "Authorization: Bearer $TOKEN" | jq -r '.result[0].id')
+
+# Enable proxy (orange cloud)
+curl -X PATCH "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records/$RECORD_ID" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  --data '{"proxied":true}'
+```
+
+## SSL/TLS Configuration
+
+- **Mode**: Full (Strict)
+- **Origin Certificate**: Cloudflare-issued for `*.vish.gg`
+- **Certificate ID**: `lONWNn` (Synology reverse proxy)
+
+## Adding New Subdomains
+
+1. **Create DNS record** via Cloudflare dashboard or API
+2. **Set proxy status**: Orange cloud for public services
+3. **Update DDNS config** on appropriate host
+4. **Configure reverse proxy** on Synology
+5. **Test connectivity** and SSL
+
+## IP Addresses
+
+| IP | Location | Services |
+|----|----------|----------|
+| `YOUR_WAN_IP` | Home (Atlantis/Calypso) | Most services |
+| `YOUR_WAN_IP` | Concord NUC | API endpoints |
+| `YOUR_WAN_IP` | VPS | nx, obs, pp, wb |
+
+## Troubleshooting
+
+### DNS not resolving
+- Check Cloudflare dashboard for propagation
+- Verify DDNS container is running
+- Check API token permissions
+
+### SSL errors
+- Ensure Cloudflare SSL mode is "Full (Strict)"
+- Verify origin certificate is valid
+- Check reverse proxy SSL settings
+
+### Proxy issues
+- Some services (SSH, non-HTTP) can't use orange cloud
+- APIs may need direct connection for webhooks