C0: split gandi-operations docs; add dns-acme-cleanup mise task

Splits the nebulous gandi-operations how-to into two single-topic cards
(manage-eblu-me-dns, rotate-gandi-pat) and adds a mise task for the
recurring _acme-challenge TXT cleanup needed due to a value-comparison
bug in libdns/gandi v1.1.0 that prevents certmagic's cleanup phase from
removing presented TXT values.

The gandi reference card is updated to drop the false "different
credential from Pulumi PAT" claim — verified during the 2026-04-27
incident that Caddy and Pulumi share a single PAT.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Erich Blume 2026-04-27 09:48:46 -07:00
commit 005e2a03ed
10 changed files with 315 additions and 159 deletions

@ -27,50 +27,19 @@ pulumi stack select eblu-me # or: pulumi stack init eblu-me
## Authentication
This project requires a Gandi Personal Access Token (PAT) with LiveDNS permissions.
This project uses a Gandi Personal Access Token (PAT) shared with Caddy. See the [Gandi reference card](../../docs/reference/infrastructure/gandi.md) and [Rotate the Gandi PAT](../../docs/how-to/configuration/rotate-gandi-pat.md).
**The PAT expires every 30 days and must be cycled manually.**
### Cycling the PAT
1. Go to [Gandi PAT Management](https://admin.gandi.net/organizations/1db8d76a-f729-11ed-b8d1-00163e94b645/account/pat)
2. Create a new PAT:
- Name: `blumeops-pulumi` (or similar)
- Expiration: 30 days (maximum is 90; shorter is fine if used rarely)
- Permissions required:
- **Manage domain name technical configurations** (required for DNS records)
- See and renew domain names
- Optional permissions (enabled but not strictly required):
- See & download SSL certificates
- Manage Cloud resources
- See Cloud resources
- View Organization
- Deploy Web Hosting instances
- Manage Web Hosting instances
- See and renew Web Hosting instances
3. Update 1Password:
```bash
# Update the existing item with the new PAT value
op item edit mco6ka3dc3rmw7zkg2dhia5d2m pat="<NEW_PAT_VALUE>" --vault vg6xf6vvfmoh5hqjjhlhbeoaie
```
4. Delete the old PAT from Gandi admin console
### Running with Authentication
The mise task handles fetching the PAT from 1Password:
The mise tasks handle fetching the PAT from 1Password:
```bash
mise run dns-up # Preview and apply changes
mise run dns-preview # Preview only
mise run dns-up # Preview and apply
```
Or manually:
```bash
export GANDI_PERSONAL_ACCESS_TOKEN=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat")
export GANDI_PERSONAL_ACCESS_TOKEN=$(op read "op://blumeops/gandi - blumeops/pat")
pulumi up
```
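Review bot: the removed lines carried two operational facts that the replacement does not restate: the PAT expires every 30 days and must be cycled manually, and the old PAT must be deleted from the Gandi console after rotation. If the linked rotate-gandi-pat card carries both, a one-line pointer in the README such as `**The PAT expires every 30 days; see the rotation card.**` keeps the expiry cadence visible where the mise tasks are documented; otherwise the cadence is lost here. Also, the new `op://blumeops/gandi - blumeops/pat` reference resolves by vault and item name rather than by the previous IDs, so renaming either in 1Password silently breaks both this manual command and the mise tasks that fetch the same secret; keep the reference in one place so the two cannot drift.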

@ -8,7 +8,7 @@ This program manages DNS records for blumeops infrastructure:
Authentication:
Set GANDI_PERSONAL_ACCESS_TOKEN environment variable.
See docs/how-to/gandi-operations.md for PAT management instructions.
See docs/how-to/configuration/rotate-gandi-pat.md for PAT management.
"""
import os
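Review bot: since the README hunk now states that the PAT is shared with Caddy, the docstring here should say the same next to the GANDI_PERSONAL_ACCESS_TOKEN line, e.g. `This PAT is shared with Caddy; rotating it affects both.`, so someone reading the program alone knows a rotation has a second consumer. The path docs/how-to/configuration/rotate-gandi-pat.md matches the README's relative link, so the two references are consistent with the split described in the commit message.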