blumeops/docs/how-to/configuration/manage-eblu-me-dns.md

---
title: Manage eblu.me DNS Records
modified: 2026-04-27
last-reviewed: 2026-04-27
tags:
  - how-to
  - dns
  - pulumi
---

# Manage eblu.me DNS Records

How to add, change, and apply DNS records for `eblu.me` via [[pulumi]].

## Prerequisites

- Pulumi CLI installed (`brew install pulumi`)
- 1Password access (`blumeops` vault) — Pulumi reads the Gandi PAT from there
- On the tailnet — Pulumi resolves [[indri]]'s IP via MagicDNS at apply time

## Preview and apply

```bash
mise run dns-preview     # always do this first
mise run dns-up          # apply
```

Both fetch the PAT from 1Password automatically. The Pulumi program is in `pulumi/gandi/`; stack is `eblu-me`.

## Adding a record

Edit `pulumi/gandi/__main__.py` and add a `gandi.livedns.Record(...)`. The stack config (`Pulumi.eblu-me.yaml`) only holds `domain` and `subdomain`; everything else is in the program.

After editing, preview, then apply.

## Break-glass: override the indri target IP

The wildcard `*.ops.eblu.me` is computed from `indri.tail8d86e.ts.net` via MagicDNS at apply time. If MagicDNS is unavailable:

```bash
export BLUMEOPS_REVERSE_PROXY_IP=<indri-tailscale-ip>
mise run dns-up
```

Find the IP via `tailscale status` or the Tailscale admin console.

## Related

- [[gandi]] — Gandi reference card
- [[rotate-gandi-pat]] — Rotate the PAT shared with [[caddy]]
- [[pulumi]] — Pulumi tooling reference
- [[routing]] — Service URLs and routing architecture
C0: split gandi-operations docs; add dns-acme-cleanup mise task Splits the nebulous gandi-operations how-to into two single-topic cards (manage-eblu-me-dns, rotate-gandi-pat) and adds a mise task for the recurring _acme-challenge TXT cleanup needed due to a value-comparison bug in libdns/gandi v1.1.0 that prevents certmagic's cleanup phase from removing presented TXT values. The gandi reference card is updated to drop the false "different credential from Pulumi PAT" claim — verified during the 2026-04-27 incident that Caddy and Pulumi share a single PAT. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-27 09:48:46 -07:00			`---`
			`title: Manage eblu.me DNS Records`
			`modified: 2026-04-27`
			`last-reviewed: 2026-04-27`
			`tags:`
			`- how-to`
			`- dns`
			`- pulumi`
			`---`

			`# Manage eblu.me DNS Records`

			How to add, change, and apply DNS records for `eblu.me` via [[pulumi]].

			`## Prerequisites`

			- Pulumi CLI installed (`brew install pulumi`)
			- 1Password access (`blumeops` vault) — Pulumi reads the Gandi PAT from there
			`- On the tailnet — Pulumi resolves [[indri]]'s IP via MagicDNS at apply time`

			`## Preview and apply`

			```bash
			`mise run dns-preview # always do this first`
			`mise run dns-up # apply`
			```

			Both fetch the PAT from 1Password automatically. The Pulumi program is in `pulumi/gandi/`; stack is `eblu-me`.

			`## Adding a record`

			Edit `pulumi/gandi/__main__.py` and add a `gandi.livedns.Record(...)`. The stack config (`Pulumi.eblu-me.yaml`) only holds `domain` and `subdomain`; everything else is in the program.

			`After editing, preview, then apply.`

			`## Break-glass: override the indri target IP`

			The wildcard `*.ops.eblu.me` is computed from `indri.tail8d86e.ts.net` via MagicDNS at apply time. If MagicDNS is unavailable:

			```bash
			`export BLUMEOPS_REVERSE_PROXY_IP=<indri-tailscale-ip>`
			`mise run dns-up`
			```

			Find the IP via `tailscale status` or the Tailscale admin console.

			`## Related`

			`- [[gandi]] — Gandi reference card`
			`- [[rotate-gandi-pat]] — Rotate the PAT shared with [[caddy]]`
			`- [[pulumi]] — Pulumi tooling reference`
			`- [[routing]] — Service URLs and routing architecture`