Berwn
48bf7fb250
web01 terminates TLS for grafana.cnx.network and proxies to Grafana on control over the mesh. Caddy serves a *.cnx.network wildcard cert obtained via ACME DNS-01, using a dedicated acme_web01 TSIG key scoped on ns1 to _acme-challenge on the cnx.network zone only. Ports 80/443 are the only public exposure (80 just redirects); admin and the backend ride ZeroTier. Also reload Caddy on cert renewal for both web01 and mx1, since both reference the cert via explicit tls file paths and would otherwise keep serving a stale cert after a silent renewal.
35 lines
1.2 KiB
Dns
35 lines
1.2 KiB
Dns
$ORIGIN cnx.network.
|
|
$TTL 3600
|
|
|
|
@ IN SOA ns1.cnx.network. hostmaster.cnx.network. (
|
|
2026061402 ; serial (ignored: Knot auto-assigns a dateserial on signing)
|
|
3600 ; refresh
|
|
900 ; retry
|
|
604800 ; expire
|
|
300 ) ; negative-cache TTL
|
|
|
|
; ---- Nameservers (used by every zone we serve) ----
|
|
@ IN NS ns1.cnx.network.
|
|
@ IN NS ns2.cnx.network.
|
|
|
|
; ---- Glue for the nameservers ----
|
|
ns1 IN A 46.224.170.206
|
|
ns1 IN AAAA 2a01:4f8:c014:b5c5::1
|
|
ns2 IN A 157.180.70.82
|
|
ns2 IN AAAA 2a01:4f9:c014:6d87::1
|
|
|
|
; ---- control (ZeroTier controller) ----
|
|
control IN AAAA fd06:1bad:ece2:92ad:ba99:9306:1bad:ece2
|
|
|
|
; ---- Web / apex (fill in once you have a web host) ----
|
|
;@ IN A <web-ipv4>
|
|
;www IN CNAME cnx.network.
|
|
monitor IN A 5.223.66.36
|
|
|
|
; ---- web01 (public reverse proxy / TLS termination) ----
|
|
; Serves a wildcard *.cnx.network TLS cert (ACME DNS-01) and forwards to internal
|
|
; services over the mesh. Add a vhost in modules/web-proxy.nix and a CNAME here.
|
|
web01 IN A 5.223.55.246
|
|
web01 IN AAAA 2a01:4ff:2f0:2d8f::1
|
|
grafana IN CNAME web01.cnx.network.
|