B4L/cnx-network-clan
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add web01 public reverse proxy with DNS-01 wildcard TLS

Browse Source 
web01 terminates TLS for grafana.cnx.network and proxies to Grafana on
control over the mesh. Caddy serves a *.cnx.network wildcard cert obtained
via ACME DNS-01, using a dedicated acme_web01 TSIG key scoped on ns1 to
_acme-challenge on the cnx.network zone only. Ports 80/443 are the only
public exposure (80 just redirects); admin and the backend ride ZeroTier.

Also reload Caddy on cert renewal for both web01 and mx1, since both
reference the cert via explicit tls file paths and would otherwise keep
serving a stale cert after a silent renewal.
This commit is contained in:
Berwn
2026-06-21 03:05:54 +07:00
parent 86a2928825
commit 48bf7fb250
10 changed files with 182 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/dns/zones/cnx.network.zone
+7
View File
@@ -25,3 +25,10 @@ control IN AAAA fd06:1bad:ece2:92ad:ba99:9306:1bad:ece2
;@ IN A <web-ipv4>
;www IN CNAME cnx.network.
monitor IN A 5.223.66.36
; ---- web01 (public reverse proxy / TLS termination) ----
; Serves a wildcard *.cnx.network TLS cert (ACME DNS-01) and forwards to internal
; services over the mesh. Add a vhost in modules/web-proxy.nix and a CNAME here.
web01 IN A 5.223.55.246
web01 IN AAAA 2a01:4ff:2f0:2d8f::1
grafana IN CNAME web01.cnx.network.