homelab-optimized/docs/infrastructure/cloudflare-dns.md
Gitea Mirror Bot 5c4307231f
Sanitized mirror from private repository - 2026-04-18 12:21:34 UTC
2026-04-18 12:21:34 +00:00

# Cloudflare DNS Configuration
DNS management for the vish.gg and thevish.io domains.
## Overview
All public-facing services use Cloudflare for:
- DNS management
- DDoS protection (orange cloud proxy)
- SSL/TLS termination
- Caching
## DNS Records - vish.gg
### 🟠 Proxied (Orange Cloud) - Protected
These records route through Cloudflare's network, so the origin (home WAN) IP is not exposed:
| Domain | Service | Host |
|--------|---------|------|
| `vish.gg` | Main website | Atlantis |
| `www.vish.gg` | Main website | Atlantis |
| `sso.vish.gg` | Authentik SSO | Calypso |
| `gf.vish.gg` | Grafana | homelab-vm |
| `git.vish.gg` | Gitea | Calypso |
| `pw.vish.gg` | Vaultwarden | Atlantis |
| `ntfy.vish.gg` | Ntfy notifications | homelab-vm |
| `cal.vish.gg` | Calendar | Atlantis |
| `mastodon.vish.gg` | Mastodon | Atlantis |
| `vp.vish.gg` | Piped (YouTube) | Concord NUC |
| `mx.vish.gg` | Mail proxy | Atlantis |
### ⚪ DNS Only (Grey Cloud) - Direct Connection
These records resolve directly to the origin IP and therefore expose it (use only when necessary):
| Domain | Reason for DNS-only |
|--------|---------------------|
| `*.vish.gg` | Wildcard fallback |
| `api.vish.gg` | API endpoints (Concord NUC) |
| `api.vp.vish.gg` | Piped API |
| `spotify.vish.gg` | Spotify API |
| `client.spotify.vish.gg` | Spotify client |
| `in.vish.gg` | Invidious |
## DDNS Updaters
Dynamic DNS is managed by `favonia/cloudflare-ddns` containers:
### Atlantis NAS
- **Stack**: `dynamicdnsupdater.yaml`
- **Proxied**: Most vish.gg and thevish.io domains
- Updates when Atlantis's public IP changes
### Calypso NAS
- **Stack**: `dynamic_dns.yaml`
- **Proxied**: `sso.vish.gg`, `git.vish.gg`, `gf.vish.gg`
- Updates when Calypso's public IP changes
### Concord NUC
- **Stack**: `dyndns_updater.yaml`
- **DNS Only**: API endpoints (require direct connection)
## Cloudflare API
API token for DDNS: `REDACTED_CLOUDFLARE_TOKEN`
### Query DNS Records
```bash
# List every record in the vish.gg zone with its proxy status (true = orange cloud).
# TOKEN holds the DDNS API token from above.
curl -s "https://api.cloudflare.com/client/v4/zones/4dbd15d096d71101b7c0c6362b307a66/dns_records" \
  -H "Authorization: Bearer $TOKEN" | jq '.result[] | {name, proxied}'
```
### Enable/Disable Proxy
```bash
# ZONE_ID is the Cloudflare zone ID (see the query above); TOKEN is the API token.
# Get record ID
RECORD_ID=$(curl -s "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?name=example.vish.gg" \
  -H "Authorization: Bearer $TOKEN" | jq -r '.result[0].id')
# Enable proxy (orange cloud); send "proxied":false to switch the record back to DNS-only
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"proxied":true}'
```
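As an added example (not part of this repository's docs), the following Python script audits a zone's proxy flags against the DNS-only list above, so that a record silently flipped to grey cloud (exposing the origin IP) or a documented DNS-only API record accidentally orange-clouded is caught. It assumes the record shape returned by the `dns_records` endpoint used in the curl queries above; `fetch_records`, `audit_proxy_status` and the sample response are my own, and the sample uses placeholder IPs.

```python
import json
import urllib.request

# Names the page documents as intentionally DNS-only (grey cloud) for vish.gg.
EXPECTED_DNS_ONLY = {
    "*.vish.gg", "api.vish.gg", "api.vp.vish.gg",
    "spotify.vish.gg", "client.spotify.vish.gg", "in.vish.gg",
}

def fetch_records(zone_id, token):
    """Fetch the zone's DNS records from the Cloudflare v4 API (first page only)."""
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?per_page=100"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["result"]

def audit_proxy_status(records, expected_dns_only=EXPECTED_DNS_ONLY):
    """Compare proxy flags against the documented DNS-only list.

    'unexpected_exposed': grey-cloud records not on the list (origin IP leaks);
    'unexpected_proxied': documented DNS-only names that are now orange-clouded
    (their direct-connection clients will break).
    """
    exposed, proxied = [], []
    for rec in records:
        if rec["type"] not in ("A", "AAAA", "CNAME"):
            continue  # MX/TXT/etc. are never proxied, so they are not drift
        name = rec["name"]
        if not rec["proxied"] and name not in expected_dns_only:
            exposed.append(name)
        elif rec["proxied"] and name in expected_dns_only:
            proxied.append(name)
    return {"unexpected_exposed": sorted(exposed),
            "unexpected_proxied": sorted(proxied)}

# Constructed sample in the shape of a dns_records response (placeholder IPs, not real data).
SAMPLE_RESPONSE = {"result": [
    {"id": "r1", "type": "A", "name": "vish.gg", "content": "203.0.113.10", "proxied": True},
    {"id": "r2", "type": "A", "name": "api.vish.gg", "content": "203.0.113.20", "proxied": False},
    {"id": "r3", "type": "A", "name": "pw.vish.gg", "content": "203.0.113.10", "proxied": False},
    {"id": "r4", "type": "A", "name": "in.vish.gg", "content": "203.0.113.10", "proxied": True},
    {"id": "r5", "type": "MX", "name": "vish.gg", "content": "mx.vish.gg", "proxied": False},
]}

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE["result"] with fetch_records(ZONE_ID, TOKEN) for a live check.
    print(json.dumps(audit_proxy_status(SAMPLE_RESPONSE["result"]), indent=2))
```

Run it from the DDNS host on a schedule and alert on any non-empty list; in the sample, `pw.vish.gg` (Vaultwarden) shows up as exposed and `in.vish.gg` as wrongly proxied.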
## SSL/TLS Configuration
- **Mode**: Full (Strict)
- **Origin Certificate**: Cloudflare-issued for `*.vish.gg`
- **Certificate ID**: `lONWNn` (Synology reverse proxy)
## Adding New Subdomains
1. **Create DNS record** via Cloudflare dashboard or API
2. **Set proxy status**: Orange cloud for public services
3. **Update DDNS config** on appropriate host
4. **Configure reverse proxy** on Synology
5. **Test connectivity** and SSL
## IP Addresses
| IP | Location | Services |
|----|----------|----------|
| `YOUR_WAN_IP` | Home (Atlantis/Calypso) | Most services |
| `YOUR_WAN_IP` | Concord NUC | API endpoints |
| `YOUR_WAN_IP` | VPS | nx, obs, pp, wb |
## Troubleshooting
### DNS not resolving
- Check Cloudflare dashboard for propagation
- Verify DDNS container is running
- Check API token permissions
### SSL errors
- Ensure Cloudflare SSL mode is "Full (Strict)"
- Verify origin certificate is valid
- Check reverse proxy SSL settings
### Proxy issues
- Non-HTTP services (e.g. SSH) can't be served through the orange cloud proxy
- APIs may need a direct connection for webhooks