blumeops/pulumi/gandi/__main__.py

"""Pulumi program to manage eblu.me DNS via Gandi LiveDNS.

This program manages DNS records for blumeops infrastructure:
- Wildcard record for *.ops.eblu.me pointing to indri's Tailscale IP
- indri hosts Caddy as the reverse proxy for all services
- This allows services to be accessed via real DNS names while remaining
  tailnet-only (Tailscale IPs are not publicly routable)

Authentication:
  Set GANDI_PERSONAL_ACCESS_TOKEN environment variable.
  See docs/how-to/gandi-operations.md for PAT management instructions.
"""

import os
import socket

import pulumi
import pulumiverse_gandi as gandi

# Get configuration
config = pulumi.Config()
domain = config.require("domain")  # eblu.me
subdomain = config.require("subdomain")  # ops

# Resolve indri's Tailscale IP dynamically via MagicDNS
# This script runs on the tailnet, so we can resolve the hostname directly.
# indri hosts Caddy, which reverse-proxies all services.
# Break-glass: set BLUMEOPS_REVERSE_PROXY_IP env var to override DNS resolution
REVERSE_PROXY_HOST = "indri.tail8d86e.ts.net"
tailscale_ip = os.environ.get("BLUMEOPS_REVERSE_PROXY_IP") or socket.gethostbyname(
    REVERSE_PROXY_HOST
)

# Wildcard A record for *.ops.eblu.me
# Points to indri's Tailscale IP, which is only routable within the tailnet.
# This allows containers and other systems to resolve real DNS names
# while keeping services private to the tailnet.
wildcard_record = gandi.livedns.Record(
    "ops-wildcard",
    zone=domain,
    name=f"*.{subdomain}",
    type="A",
    ttl=300,
    values=[tailscale_ip],
)

# Base subdomain record (ops.eblu.me) - same IP
base_record = gandi.livedns.Record(
    "ops-base",
    zone=domain,
    name=subdomain,
    type="A",
    ttl=300,
    values=[tailscale_ip],
)

# ============== Public Services (Fly.io proxy) ==============
# CNAME records pointing public subdomains to Fly.io for reverse proxying
# back to the tailnet. See docs/how-to/expose-service-publicly.md

docs_public = gandi.livedns.Record(
    "docs-public",
    zone=domain,
    name="docs",
    type="CNAME",
    ttl=300,
    values=["blumeops-proxy.fly.dev."],
)

cv_public = gandi.livedns.Record(
    "cv-public",
    zone=domain,
    name="cv",
    type="CNAME",
    ttl=300,
    values=["blumeops-proxy.fly.dev."],
)

forge_public = gandi.livedns.Record(
    "forge-public",
    zone=domain,
    name="forge",
    type="CNAME",
    ttl=300,
    values=["blumeops-proxy.fly.dev."],
)

# ============== Exports ==============
pulumi.export("domain", domain)
pulumi.export("wildcard_fqdn", f"*.{subdomain}.{domain}")
pulumi.export("base_fqdn", f"{subdomain}.{domain}")
pulumi.export("target_ip", tailscale_ip)
pulumi.export("docs_public_fqdn", f"docs.{domain}")
pulumi.export("cv_public_fqdn", f"cv.{domain}")
pulumi.export("forge_public_fqdn", f"forge.{domain}")
Add Gandi DNS management via Pulumi (#54) ## Summary - Restructure Pulumi into separate projects: `pulumi/tailscale/` and `pulumi/gandi/` - Add Gandi LiveDNS management for `eblu.me` domain - Create wildcard DNS record `.ops.eblu.me` → indri's Tailscale IP (100.98.163.89) - Add mise tasks: `dns-up`, `dns-preview` - Update `tailnet-up` to pass `--yes` by default - Document PAT cycling process (expires every 30 days) ## Background This enables using real DNS names (`.ops.eblu.me`) that resolve to Tailscale IPs, which allows containers and other systems to resolve services without depending on MagicDNS. Since Tailscale IPs (100.x.x.x) are not publicly routable, services remain tailnet-only while using standard DNS. ## Deployment and Testing - [ ] Run `cd pulumi/gandi && uv sync` to install dependencies - [ ] Run `cd pulumi/gandi && pulumi stack init eblu-me` to create stack - [ ] Run `mise run dns-preview` to verify configuration - [ ] Run `mise run dns-up` to apply DNS records - [ ] Verify with `dig +short test.ops.eblu.me` returns `100.98.163.89` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/54 2026-01-25 08:15:46 -08:00			`"""Pulumi program to manage eblu.me DNS via Gandi LiveDNS.`

			`This program manages DNS records for blumeops infrastructure:`
			`- Wildcard record for *.ops.eblu.me pointing to indri's Tailscale IP`
			`- indri hosts Caddy as the reverse proxy for all services`
			`- This allows services to be accessed via real DNS names while remaining`
			`tailnet-only (Tailscale IPs are not publicly routable)`

			`Authentication:`
			`Set GANDI_PERSONAL_ACCESS_TOKEN environment variable.`
Review gandi-operations doc and reorganize how-to guides (#200) ## Summary - Doc review: Reviewed `gandi-operations.md` — added `last-reviewed` frontmatter, verified all wiki-links, confirmed Pulumi state has no drift - Gandi reference fix: Added missing `cv.eblu.me` CNAME row to `gandi.md` DNS records table (was present in Pulumi but undocumented) - Pulumi comment fix: Updated stale `README.md` reference in `__main__.py` to point to `docs/how-to/gandi-operations.md` - How-to reorg: Moved 14 how-to guides into 3 subdirectories (`deployment/`, `configuration/`, `operations/`), collapsed the Documentation and Database index sections into Configuration and Operations respectively ## Verification - `docs-check-links` — all 180 wiki-links valid - `docs-check-filenames` — all 90 filenames unique - `dns-preview` — 5 resources unchanged, no drift - All pre-commit hooks pass ## Test plan - [ ] Verify docs site builds correctly with new paths - [ ] Spot-check a few wiki-links from other pages to moved how-to guides Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/200 2026-02-17 07:29:33 -08:00			`See docs/how-to/gandi-operations.md for PAT management instructions.`
Add Gandi DNS management via Pulumi (#54) ## Summary - Restructure Pulumi into separate projects: `pulumi/tailscale/` and `pulumi/gandi/` - Add Gandi LiveDNS management for `eblu.me` domain - Create wildcard DNS record `.ops.eblu.me` → indri's Tailscale IP (100.98.163.89) - Add mise tasks: `dns-up`, `dns-preview` - Update `tailnet-up` to pass `--yes` by default - Document PAT cycling process (expires every 30 days) ## Background This enables using real DNS names (`.ops.eblu.me`) that resolve to Tailscale IPs, which allows containers and other systems to resolve services without depending on MagicDNS. Since Tailscale IPs (100.x.x.x) are not publicly routable, services remain tailnet-only while using standard DNS. ## Deployment and Testing - [ ] Run `cd pulumi/gandi && uv sync` to install dependencies - [ ] Run `cd pulumi/gandi && pulumi stack init eblu-me` to create stack - [ ] Run `mise run dns-preview` to verify configuration - [ ] Run `mise run dns-up` to apply DNS records - [ ] Verify with `dig +short test.ops.eblu.me` returns `100.98.163.89` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/54 2026-01-25 08:15:46 -08:00			`"""`

			`import os`
			`import socket`

			`import pulumi`
			`import pulumiverse_gandi as gandi`

			`# Get configuration`
			`config = pulumi.Config()`
			`domain = config.require("domain") # eblu.me`
			`subdomain = config.require("subdomain") # ops`

			`# Resolve indri's Tailscale IP dynamically via MagicDNS`
			`# This script runs on the tailnet, so we can resolve the hostname directly.`
			`# indri hosts Caddy, which reverse-proxies all services.`
			`# Break-glass: set BLUMEOPS_REVERSE_PROXY_IP env var to override DNS resolution`
			`REVERSE_PROXY_HOST = "indri.tail8d86e.ts.net"`
			`tailscale_ip = os.environ.get("BLUMEOPS_REVERSE_PROXY_IP") or socket.gethostbyname(`
			`REVERSE_PROXY_HOST`
			`)`

			`# Wildcard A record for *.ops.eblu.me`
			`# Points to indri's Tailscale IP, which is only routable within the tailnet.`
			`# This allows containers and other systems to resolve real DNS names`
			`# while keeping services private to the tailnet.`
			`wildcard_record = gandi.livedns.Record(`
			`"ops-wildcard",`
			`zone=domain,`
			`name=f"*.{subdomain}",`
			`type="A",`
			`ttl=300,`
			`values=[tailscale_ip],`
			`)`

			`# Base subdomain record (ops.eblu.me) - same IP`
			`base_record = gandi.livedns.Record(`
			`"ops-base",`
			`zone=domain,`
			`name=subdomain,`
			`type="A",`
			`ttl=300,`
			`values=[tailscale_ip],`
			`)`

Add Fly.io public reverse proxy for docs.eblu.me (#120) ## Summary - Adds a Fly.io reverse proxy (`blumeops-proxy`) that tunnels public traffic to homelab services over Tailscale - First service exposed: `docs.eblu.me` — the Quartz static docs site - Includes Pulumi IaC for Tailscale auth key/ACLs and Gandi DNS CNAME - Adds mise tasks (`fly-deploy`, `fly-setup`, `fly-shutoff`) and Forgejo CI workflow ## Key details - Fly.io Firecracker VMs support TUN devices natively — no userspace networking needed - Tailscale auth key is `preauthorized=True` to avoid device approval hangs on container restarts - nginx caches aggressively for the static site; health check is on the default_server block - ACLs restrict `tag:flyio-proxy` to `tag:k8s` on port 443 only - DNS CNAME deployed and verified: `docs.eblu.me` → `blumeops-proxy.fly.dev` ## Test plan - [x] `curl -sf https://blumeops-proxy.fly.dev/healthz` returns `ok` - [x] `curl -I -H "Host: docs.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 with `X-Cache-Status` - [x] `curl -I https://docs.eblu.me/` returns 200 with valid Let's Encrypt cert - [x] `dig forge.ops.eblu.me` still resolves to 100.98.163.89 (private services unaffected) - [x] Set `FLY_DEPLOY_TOKEN` Forgejo Actions secret for CI auto-deploy 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/120 2026-02-08 02:36:19 -08:00			`# ============== Public Services (Fly.io proxy) ==============`
			`# CNAME records pointing public subdomains to Fly.io for reverse proxying`
			`# back to the tailnet. See docs/how-to/expose-service-publicly.md`

			`docs_public = gandi.livedns.Record(`
			`"docs-public",`
			`zone=domain,`
			`name="docs",`
			`type="CNAME",`
			`ttl=300,`
			`values=["blumeops-proxy.fly.dev."],`
			`)`

Expose CV publicly at cv.eblu.me (#173) ## Summary - Add nginx server block for `cv.eblu.me` (static site, same pattern as docs) - Add DNS CNAME record in Pulumi (`cv.eblu.me` → `blumeops-proxy.fly.dev`) - Add `cv.eblu.me` cert to `fly-setup` mise task - Tag CV Tailscale ingress with `tag:flyio-target` for ACL access - Remove `/_error` test endpoint from docs proxy ## Deployment and Testing - [ ] `argocd app set cv --revision cv/public-cv-eblu-me && argocd app sync cv` - [ ] `fly certs add cv.eblu.me -a blumeops-proxy` - [ ] `mise run fly-deploy` - [ ] Verify proxy: `curl -I -H "Host: cv.eblu.me" https://blumeops-proxy.fly.dev/` - [ ] `mise run dns-preview` then `mise run dns-up` - [ ] Verify live: `curl -I https://cv.eblu.me` - [ ] Merge, then `argocd app set cv --revision main && argocd app sync cv` Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/173 2026-02-12 14:05:00 -08:00			`cv_public = gandi.livedns.Record(`
			`"cv-public",`
			`zone=domain,`
			`name="cv",`
			`type="CNAME",`
			`ttl=300,`
			`values=["blumeops-proxy.fly.dev."],`
			`)`

Expose Forgejo publicly at forge.eblu.me (#278) ## Summary Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service. - Forgejo hardening: Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO) - Tailscale Ingress: ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint - Fly.io proxy: nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit - Authentik: OAuth callback updated to forge.eblu.me - DNS/TLS: CNAME record in Pulumi, cert in fly-setup - Rename: ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is) ## Deployment Order 1. `mise run provision-indri -- --tags forgejo` (config changes) 2. Verify forge.ops.eblu.me still works 3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator` 4. Verify `curl https://forge.tail8d86e.ts.net` 5. `cd fly && fly deploy` 6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/` 7. `fly certs add forge.eblu.me -a blumeops-proxy` 8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik` 9. `mise run dns-preview && mise run dns-up` 10. Full verification (see below) 11. Rehearse `mise run fly-shutoff` 12. After merge: reset ArgoCD revisions to main, re-sync ## Verification Checklist - [ ] forge.eblu.me loads, shows public repos - [ ] forge.ops.eblu.me still works from tailnet - [ ] SSH clone via forge.ops.eblu.me:2222 works - [ ] HTTPS clone via forge.eblu.me works - [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH - [ ] /swagger returns 403 - [ ] Rapid login attempts trigger 429 rate limit - [ ] fail2ban bans after 5 failed logins in 10 minutes - [ ] ArgoCD can still sync (SSH unaffected) - [ ] `mise run fly-shutoff` stops all public traffic - [ ] `mise run services-check` passes Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278 2026-03-03 08:40:41 -08:00			`forge_public = gandi.livedns.Record(`
			`"forge-public",`
			`zone=domain,`
			`name="forge",`
			`type="CNAME",`
			`ttl=300,`
			`values=["blumeops-proxy.fly.dev."],`
			`)`

Add Gandi DNS management via Pulumi (#54) ## Summary - Restructure Pulumi into separate projects: `pulumi/tailscale/` and `pulumi/gandi/` - Add Gandi LiveDNS management for `eblu.me` domain - Create wildcard DNS record `.ops.eblu.me` → indri's Tailscale IP (100.98.163.89) - Add mise tasks: `dns-up`, `dns-preview` - Update `tailnet-up` to pass `--yes` by default - Document PAT cycling process (expires every 30 days) ## Background This enables using real DNS names (`.ops.eblu.me`) that resolve to Tailscale IPs, which allows containers and other systems to resolve services without depending on MagicDNS. Since Tailscale IPs (100.x.x.x) are not publicly routable, services remain tailnet-only while using standard DNS. ## Deployment and Testing - [ ] Run `cd pulumi/gandi && uv sync` to install dependencies - [ ] Run `cd pulumi/gandi && pulumi stack init eblu-me` to create stack - [ ] Run `mise run dns-preview` to verify configuration - [ ] Run `mise run dns-up` to apply DNS records - [ ] Verify with `dig +short test.ops.eblu.me` returns `100.98.163.89` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/54 2026-01-25 08:15:46 -08:00			`# ============== Exports ==============`
			`pulumi.export("domain", domain)`
			`pulumi.export("wildcard_fqdn", f"*.{subdomain}.{domain}")`
			`pulumi.export("base_fqdn", f"{subdomain}.{domain}")`
			`pulumi.export("target_ip", tailscale_ip)`
Add Fly.io public reverse proxy for docs.eblu.me (#120) ## Summary - Adds a Fly.io reverse proxy (`blumeops-proxy`) that tunnels public traffic to homelab services over Tailscale - First service exposed: `docs.eblu.me` — the Quartz static docs site - Includes Pulumi IaC for Tailscale auth key/ACLs and Gandi DNS CNAME - Adds mise tasks (`fly-deploy`, `fly-setup`, `fly-shutoff`) and Forgejo CI workflow ## Key details - Fly.io Firecracker VMs support TUN devices natively — no userspace networking needed - Tailscale auth key is `preauthorized=True` to avoid device approval hangs on container restarts - nginx caches aggressively for the static site; health check is on the default_server block - ACLs restrict `tag:flyio-proxy` to `tag:k8s` on port 443 only - DNS CNAME deployed and verified: `docs.eblu.me` → `blumeops-proxy.fly.dev` ## Test plan - [x] `curl -sf https://blumeops-proxy.fly.dev/healthz` returns `ok` - [x] `curl -I -H "Host: docs.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 with `X-Cache-Status` - [x] `curl -I https://docs.eblu.me/` returns 200 with valid Let's Encrypt cert - [x] `dig forge.ops.eblu.me` still resolves to 100.98.163.89 (private services unaffected) - [x] Set `FLY_DEPLOY_TOKEN` Forgejo Actions secret for CI auto-deploy 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/120 2026-02-08 02:36:19 -08:00			`pulumi.export("docs_public_fqdn", f"docs.{domain}")`
Expose CV publicly at cv.eblu.me (#173) ## Summary - Add nginx server block for `cv.eblu.me` (static site, same pattern as docs) - Add DNS CNAME record in Pulumi (`cv.eblu.me` → `blumeops-proxy.fly.dev`) - Add `cv.eblu.me` cert to `fly-setup` mise task - Tag CV Tailscale ingress with `tag:flyio-target` for ACL access - Remove `/_error` test endpoint from docs proxy ## Deployment and Testing - [ ] `argocd app set cv --revision cv/public-cv-eblu-me && argocd app sync cv` - [ ] `fly certs add cv.eblu.me -a blumeops-proxy` - [ ] `mise run fly-deploy` - [ ] Verify proxy: `curl -I -H "Host: cv.eblu.me" https://blumeops-proxy.fly.dev/` - [ ] `mise run dns-preview` then `mise run dns-up` - [ ] Verify live: `curl -I https://cv.eblu.me` - [ ] Merge, then `argocd app set cv --revision main && argocd app sync cv` Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/173 2026-02-12 14:05:00 -08:00			`pulumi.export("cv_public_fqdn", f"cv.{domain}")`
Expose Forgejo publicly at forge.eblu.me (#278) ## Summary Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service. - Forgejo hardening: Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO) - Tailscale Ingress: ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint - Fly.io proxy: nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit - Authentik: OAuth callback updated to forge.eblu.me - DNS/TLS: CNAME record in Pulumi, cert in fly-setup - Rename: ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is) ## Deployment Order 1. `mise run provision-indri -- --tags forgejo` (config changes) 2. Verify forge.ops.eblu.me still works 3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator` 4. Verify `curl https://forge.tail8d86e.ts.net` 5. `cd fly && fly deploy` 6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/` 7. `fly certs add forge.eblu.me -a blumeops-proxy` 8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik` 9. `mise run dns-preview && mise run dns-up` 10. Full verification (see below) 11. Rehearse `mise run fly-shutoff` 12. After merge: reset ArgoCD revisions to main, re-sync ## Verification Checklist - [ ] forge.eblu.me loads, shows public repos - [ ] forge.ops.eblu.me still works from tailnet - [ ] SSH clone via forge.ops.eblu.me:2222 works - [ ] HTTPS clone via forge.eblu.me works - [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH - [ ] /swagger returns 403 - [ ] Rapid login attempts trigger 429 rate limit - [ ] fail2ban bans after 5 failed logins in 10 minutes - [ ] ArgoCD can still sync (SSH unaffected) - [ ] `mise run fly-shutoff` stops all public traffic - [ ] `mise run services-check` passes Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/278 2026-03-03 08:40:41 -08:00			`pulumi.export("forge_public_fqdn", f"forge.{domain}")`