Sanitized mirror from private repository - 2026-04-20 01:32:01 UTC

hosts/synology/atlantis/dynamicdnsupdater.yaml

@@ -0,0 +1,74 @@
+# Dynamic DNS Updater
+# Updates DNS records when public IP changes
+# Deployed on Atlantis - updates all homelab domains
+version: '3.8'
+
+services:
+  # vish.gg (proxied domains - all public services)
+  ddns-vish-proxied:
+    image: favonia/cloudflare-ddns:latest
+    network_mode: host
+    restart: unless-stopped
+    user: "1026:100"
+    read_only: true
+    cap_drop: [all]
+    security_opt: [no-new-privileges:true]
+    environment:
+      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
+      # Main domains + Calypso services (sf, dav, actual, docs, ost, retro)
+      # NOTE: mx.vish.gg intentionally excluded — MX/mail records must NOT be CF-proxied
+      # NOTE: reddit.vish.gg and vp.vish.gg removed — obsolete services
+      # NOTE: pt.vish.gg added 2026-04-18 — Portainer (behind Authentik SSO, CF-proxied)
+      - DOMAINS=vish.gg,www.vish.gg,cal.vish.gg,dash.vish.gg,gf.vish.gg,git.vish.gg,kuma.vish.gg,mastodon.vish.gg,nb.vish.gg,npm.vish.gg,ntfy.vish.gg,ollama.vish.gg,paperless.vish.gg,pw.vish.gg,pt.vish.gg,rackula.vish.gg,rx.vish.gg,rxdl.vish.gg,rxv4access.vish.gg,rxv4download.vish.gg,scrutiny.vish.gg,sso.vish.gg,sf.vish.gg,dav.vish.gg,actual.vish.gg,docs.vish.gg,ost.vish.gg,retro.vish.gg,wizarr.vish.gg
+      - PROXIED=true
+
+  # thevish.io (proxied domains)
+  ddns-thevish-proxied:
+    image: favonia/cloudflare-ddns:latest
+    network_mode: host
+    restart: unless-stopped
+    user: "1026:100"
+    read_only: true
+    cap_drop: [all]
+    security_opt: [no-new-privileges:true]
+    environment:
+      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
+      # Removed: documenso.thevish.io, *.vps.thevish.io (deleted)
+      # Added: binterest, hoarder (now proxied)
+      # meet.thevish.io moved here: CF proxy enabled Jan 2026 (NPM migration)
+      - DOMAINS=www.thevish.io,joplin.thevish.io,matrix.thevish.io,binterest.thevish.io,hoarder.thevish.io,meet.thevish.io
+      - PROXIED=true
+
+  # vish.gg (unproxied domains - special protocols requiring direct IP)
+  ddns-vish-unproxied:
+    image: favonia/cloudflare-ddns:latest
+    network_mode: host
+    restart: unless-stopped
+    user: "1026:100"
+    read_only: true
+    cap_drop: [all]
+    security_opt: [no-new-privileges:true]
+    environment:
+      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
+      # mx.vish.gg - Matrix homeserver; CF proxy breaks federation (port 8448)
+      # derp.vish.gg - Headscale built-in DERP relay; CF proxy breaks DERP protocol
+      # derp-atl.vish.gg - Atlantis DERP relay (region 902); CF proxy breaks DERP protocol
+      # headscale.vish.gg - Headscale VPN server; CF proxy breaks Tailscale client connections
+      # livekit.mx.vish.gg - Matrix LiveKit SFU; needs direct WebRTC (UDP 50000-50100), CF proxy breaks it
+      - DOMAINS=mx.vish.gg,derp.vish.gg,derp-atl.vish.gg,headscale.vish.gg,livekit.mx.vish.gg
+      - PROXIED=false
+
+  # thevish.io (unproxied domains - special protocols)
+  ddns-thevish-unproxied:
+    image: favonia/cloudflare-ddns:latest
+    network_mode: host
+    restart: unless-stopped
+    user: "1026:100"
+    read_only: true
+    cap_drop: [all]
+    security_opt: [no-new-privileges:true]
+    environment:
+      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
+      # turn.thevish.io - TURN/STUN protocol needs direct connection
+      - DOMAINS=turn.thevish.io
+      - PROXIED=false