homelab-optimized/docs/infrastructure/domain-migration-synology.md
Gitea Mirror Bot f2dd10ede0
Sanitized mirror from private repository - 2026-03-12 11:19:27 UTC

# Synology Domain Migration Guide
Migrating from `*.vishconcord.synology.me` to `*.vish.gg` domains.
## Why Migrate?
- **Consistency**: All services under your own domain
- **Control**: Full DNS control via Cloudflare
- **Security**: Can proxy through Cloudflare (orange cloud)
- **Professional**: Cleaner URLs for sharing
- **SSO**: Easier Authentik integration with a single domain
## Current → New Domain Mapping
### Calypso Services (Stay at Location A)
| Current | New | Service | Expose? |
|---------|-----|---------|---------|
| `sf.vishconcord.synology.me` | `sf.vish.gg` | Seafile | Yes - sharing |
| `dav.vishconcord.synology.me` | `dav.vish.gg` | Seafile WebDAV | Internal |
| `actual.vishconcord.synology.me` | `actual.vish.gg` | Actual Budget | Internal |
| `paperlessngx.vishconcord.synology.me` | `docs.vish.gg` | Paperless-NGX | Internal |
| `ost.vishconcord.synology.me` | `ost.vish.gg` | OST | Internal |
| `retro.vishconcord.synology.me` | `retro.vish.gg` | Retro site | Maybe |
| `rackula.vishconcord.synology.me` | - | Rackula (broken) | Remove |
### Atlantis Services (Move to Location B)
| Current | New | Service | Expose? |
|---------|-----|---------|---------|
| `ollama.vishconcord.synology.me` | `ollama.vish.gg` | Ollama AI | Internal |
| `ssh.vishconcord.synology.me` | - | Termix SSH | Internal/VPN |
| `rxv4access.vishconcord.synology.me` | - | RXV4 Access | Internal |
| `rxv4download.vishconcord.synology.me` | - | RXV4 Download | Internal |
## Migration Steps
### Step 1: Create DNS Records
For each new domain, create an A record in Cloudflare:
```bash
# Example: sf.vish.gg
# ZONE_ID, TOKEN and YOUR_WAN_IP are placeholders; "ttl": 1 means automatic TTL.
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records" \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "A",
    "name": "sf.vish.gg",
    "content": "YOUR_WAN_IP",
    "ttl": 1,
    "proxied": true
  }'
```
### Step 2: Update Synology Reverse Proxy
For each service, add a new reverse proxy entry with the new domain:
1. DSM → Control Panel → Login Portal → Advanced → Reverse Proxy
2. Create new entry with same backend, new domain
3. Assign SSL certificate (Cloudflare origin cert)
### Step 3: Update SSL Certificates
The existing `*.vish.gg` Cloudflare origin certificate should cover new subdomains.
If needed, generate a new certificate covering:
- `*.vish.gg`
- `vish.gg`
### Step 4: Test New Domains
Test each new domain before removing old ones.
### Step 5: Remove Old Entries
Once confirmed working, remove the `*.synology.me` reverse proxy entries.
## Authentik Protection
### Services to Protect with SSO
| Domain | Service | Auth Required? |
|--------|---------|----------------|
| `sf.vish.gg` | Seafile | Yes (has share links) |
| `docs.vish.gg` | Paperless | Yes |
| `actual.vish.gg` | Actual Budget | Yes |
| `gf.vish.gg` | Grafana | Yes (already configured) |
| `git.vish.gg` | Gitea | Yes (already configured) |
### Services to Keep Public (or with built-in auth)
| Domain | Service | Reason |
|--------|---------|--------|
| `sso.vish.gg` | Authentik | Is the auth provider |
| `pw.vish.gg` | Vaultwarden | Has own auth |
| `mastodon.vish.gg` | Mastodon | Public social |
| `ntfy.vish.gg` | Ntfy | Notification endpoint |
### Forward Auth Setup
Use Authentik as a forward auth proxy:
```nginx
# In reverse proxy config
location / {
    auth_request /outpost.goauthentik.io/auth/nginx;
    # ... rest of config
}
```
See [Authentik Proxy Provider docs](https://docs.goauthentik.io/docs/providers/proxy/) for full setup.
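Before removing the old entries, it is worth confirming that every domain in the "Services to Protect with SSO" table really is intercepted by Authentik. The script below is an added example, not part of the original guide: it sends one unauthenticated request per domain and classifies the first response. The function names, the `--live` flag, and the assumption that login redirects point at `/outpost.goauthentik.io/` or `sso.vish.gg` are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Usage: ./check-sso.sh --live

# Domains from the "Services to Protect with SSO" table.
PROTECTED_DOMAINS="sf.vish.gg docs.vish.gg actual.vish.gg gf.vish.gg git.vish.gg"

# classify_response STATUS REDIRECT_URL
# Classifies the first response to a request that carries no session cookie.
classify_response() {
  local rest="${2#https://}"          # only https redirects are accepted
  local host="${rest%%/*}" path="/${rest#*/}"
  case "$1" in
    30[12378])
      # Assumption: Authentik login redirects go to the outpost path on the
      # same domain or to the provider itself at sso.vish.gg.
      case "$host $path" in
        "sso.vish.gg "*|*" /outpost.goauthentik.io/"*) echo "sso-redirect" ;;
        *) echo "other-redirect" ;;
      esac ;;
    401|403) echo "denied" ;;        # blocked, but no login redirect
    2??)     echo "UNPROTECTED" ;;   # content served without authentication
    *)       echo "error" ;;         # 000 = connection failed, 5xx = backend
  esac
}

# check_domain DOMAIN: one request, redirects not followed (no -L).
check_domain() {
  local out
  out=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{redirect_url}' "https://$1/") || out="000 "
  classify_response "${out%% *}" "${out#* }"
}

# Live run: exits non-zero if any protected domain is not behind SSO.
if [ "${1:-}" = "--live" ]; then
  rc=0
  for d in $PROTECTED_DOMAINS; do
    verdict=$(check_domain "$d")
    printf '%-16s %s\n' "$d" "$verdict"
    [ "$verdict" = "sso-redirect" ] || rc=1
  done
  exit "$rc"
fi
```

A domain that authenticates inside the application rather than through forward auth will not report `sso-redirect`; review those results by hand.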
## Implementation Order
1. **Phase 1**: Create DNS records for new domains
2. **Phase 2**: Add reverse proxy entries (keep old ones working)
3. **Phase 3**: Test new domains thoroughly
4. **Phase 4**: Add Authentik protection where needed
5. **Phase 5**: Remove old `*.synology.me` entries
6. **Phase 6**: Update any apps/configs using old URLs