Splits the nebulous gandi-operations how-to into two single-topic cards (manage-eblu-me-dns, rotate-gandi-pat) and adds a mise task for the recurring _acme-challenge TXT cleanup needed due to a value-comparison bug in libdns/gandi v1.1.0 that prevents certmagic's cleanup phase from removing presented TXT values. The gandi reference card is updated to drop the false "different credential from Pulumi PAT" claim — verified during the 2026-04-27 incident that Caddy and Pulumi share a single PAT. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| title | modified | last-reviewed | tags |
|---|---|---|---|
| Pulumi | 2026-04-02 | 2026-04-02 | |
Pulumi
Infrastructure-as-Code for DNS and Tailscale ACL management. Two independent projects, both written against the Pulumi Python SDK and driven with the uv toolchain.
Projects
| Project | Stack | Source | Manages |
|---|---|---|---|
| blumeops-dns | eblu-me | pulumi/gandi/ | DNS records for eblu.me via Gandi LiveDNS |
| blumeops-tailnet | tail8d86e | pulumi/tailscale/ | ACL policy, device tags, auth keys |
DNS (blumeops-dns)
Manages the *.ops.eblu.me wildcard and base records, both pointing at indri's Tailscale IP, plus the public CNAME records for services routed via flyio-proxy. Note that a wildcard does not match its own base name, which is why both records are needed, and that these records are public: the ops hostnames are enumerable by anyone, but their 100.64.0.0/10 targets are only reachable from inside the tailnet.
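The record set above, built as a plan with the checks a reviewer wants before `mise run dns-up`. This is an added example, not the blumeops-dns program itself; it assumes the base record is `ops.eblu.me`, uses a placeholder Tailscale IP and proxy hostname as constructed input, and the `to_pulumi` helper assumes the pulumiverse Gandi provider's `livedns.Record` resource shape (zone, name, type, ttl, values).

```python
"""Record plan for blumeops-dns (illustrative example, not the project's code).

Builds the eblu.me records described on this page: an `ops` base A record and a
`*.ops` wildcard A record at indri's Tailscale IP, plus public CNAMEs for the
services fronted by flyio-proxy. Checks: the target really is a Tailscale (CGNAT)
address, no CNAME at the apex, no CNAME sharing a name with another record type.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Tailscale assigns IPv4 addresses from the CGNAT block 100.64.0.0/10.
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")

ZONE = "eblu.me"


@dataclass(frozen=True)
class Record:
    name: str               # relative to ZONE; "@" is the apex
    type: str               # "A" or "CNAME"
    values: tuple[str, ...]
    ttl: int = 300


def validate_tailscale_ip(ip: str) -> str:
    """Reject anything that is not an IPv4 address inside 100.64.0.0/10."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or addr not in TAILSCALE_V4:
        raise ValueError(f"{ip} is not a Tailscale IPv4 address (100.64.0.0/10)")
    return str(addr)


def check_no_conflicts(records: list[Record]) -> None:
    """Duplicate (name, type) pairs and CNAMEs beside other types are both invalid."""
    seen: set[tuple[str, str]] = set()
    for r in records:
        key = (r.name, r.type)
        if key in seen:
            raise ValueError(f"duplicate {r.type} record for {r.name}")
        seen.add(key)
    cname_names = {r.name for r in records if r.type == "CNAME"}
    for r in records:
        if r.type != "CNAME" and r.name in cname_names:
            raise ValueError(f"{r.name} has both a CNAME and a {r.type} record")


def desired_records(ops_host_ip: str, proxied: dict[str, str]) -> list[Record]:
    """Return the full record set for ZONE.

    `ops_host_ip` is indri's Tailscale IP; `proxied` maps a public hostname
    (relative to ZONE) to the flyio-proxy target it should CNAME to.
    """
    ip = validate_tailscale_ip(ops_host_ip)
    records = [
        # A wildcard does not match its own base name, so both are needed.
        Record("ops", "A", (ip,)),
        Record("*.ops", "A", (ip,)),
    ]
    for host, target in sorted(proxied.items()):
        if host in ("@", ""):
            raise ValueError("a CNAME is not allowed at the zone apex")
        # Make the target absolute (trailing dot) so it is not read relative to ZONE.
        records.append(Record(host, "CNAME", (target.rstrip(".") + ".",)))
    check_no_conflicts(records)
    return records


def to_pulumi(records: list[Record]) -> list:
    """Turn the plan into LiveDNS resources (assumed pulumiverse_gandi API shape)."""
    import pulumiverse_gandi as gandi  # only available inside the Pulumi program

    return [
        gandi.livedns.Record(
            f"{r.name}-{r.type}".replace("*", "wildcard"),  # Pulumi resource name
            zone=ZONE, name=r.name, type=r.type, ttl=r.ttl, values=list(r.values),
        )
        for r in records
    ]


if __name__ == "__main__":
    # Constructed sample input: placeholder Tailscale IP and proxy hostname.
    for r in desired_records("100.101.102.103", {"blog": "example-proxy.fly.dev"}):
        print(f"{r.name}.{ZONE}\t{r.ttl}\tIN\t{r.type}\t{' '.join(r.values)}")
```

Running the module prints the plan in zone-file layout; in the real program only `to_pulumi` would be called, so the validation runs on every `pulumi preview` before any record is touched.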
Tailnet (blumeops-tailnet)
Manages the ACL policy (policy.hujson), device tags for indri and sifaka, and auth keys for the Fly.io proxy.
CLI Patterns
All operations use mise tasks that wrap pulumi with the correct stack and working directory:

```sh
# DNS
mise run dns-preview      # Preview DNS changes
mise run dns-up           # Apply DNS changes

# Tailscale
mise run tailnet-preview  # Preview ACL/tag changes
mise run tailnet-up       # Apply ACL/tag changes
```
Authentication
- Gandi: `GANDI_PERSONAL_ACCESS_TOKEN` (fetched from 1Password by the mise task)
- Tailscale: `TAILSCALE_OAUTH_CLIENT_ID` + `TAILSCALE_OAUTH_CLIENT_SECRET` (fetched from 1Password by the mise task)
- Pulumi state: local backend (no Pulumi Cloud). The stack state file lives on disk; values marked secret are encrypted with the passphrase secrets provider, everything else (record values, tag assignments) is plaintext, so treat the state directory and the passphrase as sensitive and back both up.
Related
- manage-eblu-me-dns — DNS records workflow
- rotate-gandi-pat — Rotate the Gandi PAT
- update-tailscale-acls — ACL editing and Pulumi workflow
- gandi — DNS hosting
- tailscale — Tailnet configuration
- routing — How DNS records map to services