Erich Blume
b08faa50cc
## Summary - Restructure Pulumi into separate projects: `pulumi/tailscale/` and `pulumi/gandi/` - Add Gandi LiveDNS management for `eblu.me` domain - Create wildcard DNS record `*.ops.eblu.me` → indri's Tailscale IP (100.98.163.89) - Add mise tasks: `dns-up`, `dns-preview` - Update `tailnet-up` to pass `--yes` by default - Document PAT cycling process (expires every 30 days) ## Background This enables using real DNS names (`*.ops.eblu.me`) that resolve to Tailscale IPs, which allows containers and other systems to resolve services without depending on MagicDNS. Since Tailscale IPs (100.x.x.x) are not publicly routable, services remain tailnet-only while using standard DNS. ## Deployment and Testing - [ ] Run `cd pulumi/gandi && uv sync` to install dependencies - [ ] Run `cd pulumi/gandi && pulumi stack init eblu-me` to create stack - [ ] Run `mise run dns-preview` to verify configuration - [ ] Run `mise run dns-up` to apply DNS records - [ ] Verify with `dig +short test.ops.eblu.me` returns `100.98.163.89` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/54 |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| __main__.py | ||
| Pulumi.eblu-me.yaml | ||
| Pulumi.yaml | ||
| pyproject.toml | ||
| README.md | ||
| uv.lock | ||
Gandi DNS Management
This Pulumi project manages DNS records for eblu.me via Gandi LiveDNS.
What It Does
Creates DNS records that point *.ops.eblu.me to indri's Tailscale IP.
Why indri? indri hosts Caddy, the reverse proxy for all blumeops services.
All *.ops.eblu.me requests route through Caddy, which proxies to the appropriate
backend service (either on indri itself or in the k8s cluster).
Since Tailscale IPs (100.x.x.x) are not routable on the public internet, these DNS records effectively make services accessible only from within the tailnet, while still using real, resolvable DNS names.
The target IP is resolved dynamically from indri.tail8d86e.ts.net at deploy time,
so if indri's Tailscale IP changes, just re-run the deployment.
Setup
cd pulumi/gandi
uv sync
pulumi stack select eblu-me # or: pulumi stack init eblu-me
Authentication
This project requires a Gandi Personal Access Token (PAT) with LiveDNS permissions.
The PAT expires every 30 days and must be cycled manually.
Cycling the PAT
-
Go to Gandi PAT Management
-
Create a new PAT:
- Name:
blumeops-pulumi(or similar) - Expiration: 30 days (maximum)
- Permissions required:
- Manage domain name technical configurations (required for DNS records)
- See and renew domain names
- Optional permissions (enabled but not strictly required):
- See & download SSL certificates
- Manage Cloud resources
- See Cloud resources
- View Organization
- Deploy Web Hosting instances
- Manage Web Hosting instances
- See and renew Web Hosting instances
- Name:
-
Update 1Password:
# Update the existing item with the new PAT value op item edit mco6ka3dc3rmw7zkg2dhia5d2m pat="<NEW_PAT_VALUE>" --vault vg6xf6vvfmoh5hqjjhlhbeoaie -
Delete the old PAT from Gandi admin console
Running with Authentication
The mise task handles fetching the PAT from 1Password:
mise run dns-up # Preview and apply changes
mise run dns-preview # Preview only
Or manually:
export GANDI_PERSONAL_ACCESS_TOKEN=$(op item get mco6ka3dc3rmw7zkg2dhia5d2m --field pat --reveal --vault vg6xf6vvfmoh5hqjjhlhbeoaie)
pulumi up
DNS Records Created
| Record | Type | Value | Purpose |
|---|---|---|---|
*.ops.eblu.me |
A | (indri's Tailscale IP) | Wildcard for all services |
ops.eblu.me |
A | (indri's Tailscale IP) | Base subdomain |
Service Hostnames
Once Caddy is configured on indri, services will be accessible at:
forge.ops.eblu.me- Forgejo git serverregistry.ops.eblu.me- Zot container registrygrafana.ops.eblu.me- Grafana dashboardsargocd.ops.eblu.me- ArgoCDfeed.ops.eblu.me- Miniflux RSS readerpypi.ops.eblu.me- DevPI Python indexkiwix.ops.eblu.me- Kiwix offline contenttesla.ops.eblu.me- TeslaMatetorrent.ops.eblu.me- Transmissionprometheus.ops.eblu.me- Prometheus metricsloki.ops.eblu.me- Loki logs