Erich Blume
005e2a03ed
Splits the nebulous gandi-operations how-to into two single-topic cards (manage-eblu-me-dns, rotate-gandi-pat) and adds a mise task for the recurring _acme-challenge TXT cleanup needed due to a value-comparison bug in libdns/gandi v1.1.0 that prevents certmagic's cleanup phase from removing presented TXT values. The gandi reference card is updated to drop the false "different credential from Pulumi PAT" claim — verified during the 2026-04-27 incident that Caddy and Pulumi share a single PAT. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1.4 KiB
1.4 KiB
| title | modified | last-reviewed | tags | |||
|---|---|---|---|---|---|---|
| Manage eblu.me DNS Records | 2026-04-27 | 2026-04-27 |
|
Manage eblu.me DNS Records
How to add, change, and apply DNS records for eblu.me via pulumi.
Prerequisites
- Pulumi CLI installed (
brew install pulumi) - 1Password access (
blumeopsvault) — Pulumi reads the Gandi PAT from there - On the tailnet — Pulumi resolves indri's IP via MagicDNS at apply time
Preview and apply
mise run dns-preview # always do this first
mise run dns-up # apply
Both fetch the PAT from 1Password automatically. The Pulumi program is in pulumi/gandi/; stack is eblu-me.
Adding a record
Edit pulumi/gandi/__main__.py and add a gandi.livedns.Record(...). The stack config (Pulumi.eblu-me.yaml) only holds domain and subdomain; everything else is in the program.
After editing, preview, then apply.
Break-glass: override the indri target IP
The wildcard *.ops.eblu.me is computed from indri.tail8d86e.ts.net via MagicDNS at apply time. If MagicDNS is unavailable:
export BLUMEOPS_REVERSE_PROXY_IP=<indri-tailscale-ip>
mise run dns-up
Find the IP via tailscale status or the Tailscale admin console.
Related
- gandi — Gandi reference card
- rotate-gandi-pat — Rotate the PAT shared with caddy
- pulumi — Pulumi tooling reference
- routing — Service URLs and routing architecture