Update mariadb Docker tag to v11

.yamllint.yml

@@ -5,6 +5,7 @@ ignore: |
   ansible/galaxy_collections
   ansible/group_vars/all/vps-hosts.yml
   ansible/roles/traefik/files/traefik.yml
+  ansible/roles/nebula/files/nebula.yml
   env
 
 rules:

ansible/.ansible-lint

@@ -12,4 +12,5 @@ exclude_paths:
   - galaxy_roles/
   - galaxy_collections/
   - ~/.ansible
+  - roles/nebula/files/nebula.yml
   - roles/traefik/files/traefik.yml

ansible/group_vars/all/nebula.yml

@@ -0,0 +1,9 @@
+nebula:
+  cidr: 10.23.2.0/24
+  clients:
+    casey:
+      ip: 10.23.2.1
+    walker:
+      ip: 10.23.2.4
+    ingress:
+      ip: 10.23.2.5

ansible/group_vars/all/network.yml

@@ -1 +1,2 @@
+private_ip: "{{ nebula.clients[hostname_slug].ip }}"
 ssh_port: 7743

ansible/group_vars/all/tailscale.yml

@@ -5,7 +5,3 @@ tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
 tailscale_cidr_ipv6: fd7a:115c:a1e0::/120  # It's really /48, but I don't use that many IPs
 
 tailscale_port: 41641
-
-tailscale_nodes:
-  casey:
-    ip: 100.64.0.1

ansible/host_vars/casey/main.yml

@@ -1,3 +1,6 @@
+nebula_is_lighthouse: true
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
+
 nginx_https_redirect: true
 
 certbot_certs:

ansible/host_vars/ingress.yml

@@ -1 +1,4 @@
+# Listen on a static port so it can be opened in the firewall
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
+
 nginx_https_redirect: true

ansible/host_vars/walker/main.yml

@@ -1,5 +1,3 @@
-private_ip: "{{ ansible_tailscale0.ipv4.address }}"
-
 restic_backup_locations:
   - /opt
 
@@ -8,6 +6,8 @@ nginx_https_redirect: true
 certbot_certs:
   - domains:
       - theorangeone.net
+  - domains:
+      - commento.theorangeone.net
   - domains:
       - plausible.theorangeone.net
       - elbisualp.theorangeone.net

ansible/main.yml

@@ -12,6 +12,7 @@
     - role: geerlingguy.certbot
       become: true
     - gateway
+    - nebula
     - headscale
     - restic
     - artis3n.tailscale
@@ -57,11 +58,12 @@
   roles:
     - pve_docker
     - yourls
+    - pve_nebula_route
     - privatebin
     - vaultwarden
     - tandoor
     - mastodon
-    - forgejo
+    - gitea
     - vikunja
     - authentik
     - minio
@@ -71,6 +73,7 @@
   roles:
     - nginx
     - ingress
+    - nebula
     - artis3n.tailscale
 
 - hosts: pve
@@ -78,6 +81,7 @@
     - role: ironicbadger.proxmox_nag_removal
       become: true
     - zfs
+    - pve_nebula_route
     - role: ironicbadger.snapraid
       become: true
     - role: prometheus.prometheus.node_exporter
@@ -87,6 +91,7 @@
   roles:
     - prometheus
     - uptime_kuma
+    - pve_nebula_route
     - pve_tailscale_route
 
 - hosts: qbittorrent
@@ -100,9 +105,11 @@
     - nginx
     - role: geerlingguy.certbot
       become: true
+    - nebula
     - coredns_docker_proxy
     - plausible
     - restic
+    - commento
     - website
     - artis3n.tailscale
     - slides
@@ -119,7 +126,7 @@
 
 - hosts: gitea-runner
   roles:
-    - forgejo_runner
+    - gitea_runner
 
 - hosts: renovate
   roles:

ansible/roles/base/files/ssh-jail.conf

@@ -4,4 +4,4 @@ bantime  = 600
 findtime = 30
 maxretry = 5
 port     = {{ ssh_port }},ssh
-ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}

ansible/roles/base/files/sshd_config

@@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
 
-AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
+AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
 
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0

ansible/roles/commento/files/docker-compose.yml

@@ -0,0 +1,36 @@
+services:
+  commento:
+    image: ghcr.io/souramoo/commentoplusplus:latest
+    restart: unless-stopped
+    depends_on:
+      - db
+    networks:
+      - default
+      - coredns
+    environment:
+      - COMMENTO_POSTGRES=postgres://commento:commento@db:5432/commento?sslmode=disable
+      - COMMENTO_ORIGIN=https://commento.theorangeone.net
+      - COMMENTO_GZIP_STATIC=true
+      - COMMENTO_FORBID_NEW_OWNERS=true
+      - COMMENTO_GITHUB_KEY={{ vault_commento_github_client_id }}
+      - COMMENTO_GITHUB_SECRET={{ vault_commento_github_client_secret }}
+      - COMMENTO_SMTP_HOST=smtp.eu.mailgun.org
+      - COMMENTO_SMTP_PORT=587
+      - COMMENTO_SMTP_USERNAME={{ vault_commento_smtp_username }}
+      - COMMENTO_SMTP_PASSWORD={{ vault_commento_smtp_password }}
+      - COMMENTO_SMTP_FROM_ADDRESS={{ vault_commento_from_email }}
+      - COMMENTO_GITLAB_KEY={{ vault_commento_gitlab_application_id }}
+      - COMMENTO_GITLAB_SECRET={{ vault_commento_gitlab_application_secret }}
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    volumes:
+      - ./postgres:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=commento
+      - POSTGRES_USER=commento
+
+networks:
+  coredns:
+    external: true

ansible/roles/commento/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart commento
+  shell:
+    chdir: /opt/commento
+    cmd: "{{ docker_update_command }}"

ansible/roles/commento/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/commento
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/commento/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart commento
+  become: true
+
+- name: Install nginx config
+  template:
+    src: files/nginx-docker.conf
+    dest: /etc/nginx/http.d/commento.conf
+    mode: "0644"
+  notify: reload nginx
+  become: true
+  vars:
+    server_name: commento.theorangeone.net
+    upstream: commento-commento-1.docker:8080
+    ssl_cert_path: /etc/letsencrypt/live/commento.theorangeone.net

ansible/roles/commento/vars/vault.yml

@@ -0,0 +1,32 @@
+$ANSIBLE_VAULT;1.1;AES256
+35343736363532306236303339356634316461383639333836393761356165633662326332613666
+3830323961313939316336393566363163646538623532310a363165666238653535353236383839
+35363730353939656330346639323331393562393339393562383034663231396164333261646438
+6564336362306636300a613634336337326534626263386466626238343130633864623862336563
+66326262613330373035663863663532626437303435333432383839303331333538363139643633
+64633465383135653265393033656135356166323238356130353633363030396366613164303033
+63303832376462616464333031366337626564633135386230313538353166343532643035336636
+31336531643766346438653333376364316162313765656330666330643261653433363339323665
+30623164373931336238303265316665373361336338346336646439356538333266393934343139
+34643433326330386564653461626264626231353863333935313665663462323234666463306266
+38626538666262333934393733626562313432393566643435376163653432613363663035333165
+36616431363563663235646433343564346164393034613436666362383233646636373163616666
+36376133346634653738376137393265303261626562366666303137313338633237313834386432
+66643264643532306364366562333837366636616237653033306538663435316163613266343565
+31633437353963313733326339666331323061363963303132363262343966653433303835323337
+31313363366631313930633061346265633261643238313762353932623230353938656264323437
+39346634383135306135326338616664336435343235383863393830386662393036383161303465
+33353261613537666464313437613335643830343336343535646665356333616266666233353065
+64313131306663313064633631663536386531343733643534336631666266613165313330653962
+35346262373437623333333234383531633238343463653862663236666337363738303463373664
+62343363323465313561376232633630303965306238316161383139316133343233343033376262
+63303264366536346234383063653838353638313561626433616462383339326631643533356639
+39653762633733363237383762356134366264356437346430343830616233373732616261613231
+62646639353132653038303536613738373137623236616631643738323737383637313633396135
+37613037313437613836336332346162383832613938356638333564346237373032356438363464
+31343464306131393362343433316666366632633036653262633361333165643735393231623932
+31643261326266323232383630353534326662303965393161343938663131343263363461303430
+31376161393038376262616333333362323033313436396164313438613532663564623633303365
+32656630663834633039316561663231656131383535653766316138313138346363633537373164
+62333532316135303366386261613131333364383031346364303938356631393865396133386633
+636462653562653538636531356537353133

ansible/roles/forgejo_runner/files/config.yml

@@ -1,82 +0,0 @@
-# based on https://gitea.com/gitea/act_runner/src/tag/v0.2.6/internal/pkg/config/config.example.yaml
-
-log:
-  # The level of logging, can be trace, debug, info, warn, error, fatal
-  level: info
-
-runner:
-  # Where to store the registration result.
-  file: /data/.runner
-  # Execute how many tasks concurrently at the same time.
-  capacity: "{{ ansible_processor_nproc }}"
-  # Extra environment variables to run jobs.
-  envs: {}
-  # Extra environment variables to run jobs from a file.
-  # It will be ignored if it's empty or the file doesn't exist.
-  env_file: /data/.env
-  # The timeout for a job to be finished.
-  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
-  timeout: 3h
-  # Whether skip verifying the TLS certificate of the Gitea instance.
-  insecure: false
-  # The timeout for fetching the job from the Gitea instance.
-  fetch_timeout: 5s
-  # The interval for fetching the job from the Gitea instance.
-  fetch_interval: 5s
-  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
-  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `daemon`, will use labels in `.runner` file.
-  # labels: []
-
-cache:
-  # Enable cache server to use actions/cache.
-  enabled: true
-  # The directory to store the cache data.
-  # If it's empty, the cache data will be stored in /data/.cache/actcache.
-  dir: /data/cache/server
-  # The host of the cache server.
-  # It's not for the address to listen, but the address to connect from job containers.
-  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
-  host: ""
-  # The port of the cache server.
-  # 0 means to use a random available port.
-  port: 0
-  # The external cache server URL. Valid only when enable is true.
-  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
-  # The URL should generally end with "/".
-  external_server: ""
-
-container:
-  # Specifies the network to which the container will connect.
-  # Could be host, bridge or the name of a custom network.
-  # If it's empty, act_runner will create a network automatically.
-  network: bridge
-  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options: ""
-  # The parent directory of a job's working directory.
-  # If it's empty, /workspace will be used.
-  workdir_parent: /workspace
-  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
-  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
-  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
-  # valid_volumes:
-  #   - data
-  #   - /src/*.json
-  # If you want to allow any volume, please use the following configuration:
-  # valid_volumes:
-  #   - '**'
-  # overrides the docker client host with the specified one.
-  # If it's empty, act_runner will find an available docker host automatically.
-  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
-  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
-  docker_host: ""
-  force_pull: false
-
-host:
-  # The parent directory of a job's working directory.
-  # If it's empty, /data/.cache/act/ will be used.
-  workdir_parent: /data/cache/actions

ansible/roles/forgejo_runner/files/docker-compose.yml

@@ -1,20 +0,0 @@
-services:
-  forgejo-runner:
-    image: code.forgejo.org/forgejo/runner:3.5.1
-    user: "{{ docker_user.id }}"
-    volumes:
-      - /mnt/data:/data
-    environment:
-      - TZ={{ timezone }}
-      - DOCKER_HOST=tcp://dind:2375
-    restart: unless-stopped
-    command: forgejo-runner daemon
-    depends_on:
-      dind:
-        condition: service_started
-
-  dind:
-    image: docker:dind
-    privileged: true
-    command: [dockerd, -H, tcp://0.0.0.0:2375, --tls=false]
-    restart: unless-stopped

ansible/roles/forgejo_runner/handlers/main.yml

@@ -1,4 +0,0 @@
-- name: restart forgejo-runner
-  shell:
-    chdir: /opt/forgejo-runner
-    cmd: "{{ docker_update_command }}"

ansible/roles/forgejo_runner/tasks/main.yml

@@ -1,34 +0,0 @@
-- name: Create install directory
-  file:
-    path: /opt/forgejo-runner
-    state: directory
-    owner: "{{ docker_user.name }}"
-    mode: "{{ docker_compose_directory_mask }}"
-  become: true
-
-- name: Create data directory
-  file:
-    path: /opt/forgejo-runner/data
-    state: directory
-    mode: "700"
-    owner: "{{ docker_user.name }}"
-  become: true
-
-- name: Install config file
-  template:
-    src: files/config.yml
-    dest: /opt/forgejo-runner/data/config.yml
-    mode: "600"
-    owner: "{{ docker_user.name }}"
-  notify: restart forgejo-runner
-  become: true
-
-- name: Install compose file
-  template:
-    src: files/docker-compose.yml
-    dest: /opt/forgejo-runner/docker-compose.yml
-    mode: "{{ docker_compose_file_mask }}"
-    owner: "{{ docker_user.name }}"
-    validate: docker-compose -f %s config
-  notify: restart forgejo-runner
-  become: true

ansible/roles/gateway/files/nginx-fail2ban-jail.conf

@@ -6,9 +6,9 @@ maxretry = 100
 filter   = nginx-tcp
 logpath  = /var/log/nginx/ips.log
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 
 [traefik]
 enabled = true
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}

ansible/roles/gitea/files/app.ini

@@ -1,4 +1,4 @@
-APP_NAME = Forgejo
+APP_NAME = Gitea: Git with a cup of orange juice
 
 [repository]
 ROOT = /mnt/repositories
@@ -32,7 +32,7 @@ PASSWD   = gitea
 
 [session]
 PROVIDER        = db
-COOKIE_NAME     = forgejo_session
+COOKIE_NAME     = gitea_session
 
 [log]
 LEVEL = warn
@@ -42,8 +42,8 @@ INSTALL_LOCK                  = true
 SECRET_KEY                    = {{ vault_secret_key }}
 INTERNAL_TOKEN                = {{ vault_internal_token }}
 PASSWORD_HASH_ALGO            = pbkdf2
-COOKIE_USERNAME               = forgejo_username
+COOKIE_USERNAME               = gitea_username
-COOKIE_REMEMBER_NAME          = forgejo_remember
+COOKIE_REMEMBER_NAME          = gitea_remember
 LOGIN_REMEMBER_DAYS           = 30
 REVERSE_PROXY_TRUSTED_PROXIES = *
 
@@ -64,8 +64,9 @@ REPO_PAGING_NUM = 100
 [ui]
 SITEMAP_PAGING_NUM   = 100
 FEED_PAGING_NUM      = 100
-DEFAULT_THEME        = forgejo-auto
+DEFAULT_THEME        = gitea-auto
 ISSUE_PAGING_NUM     = 100
+THEME_COLOR_META_TAG = "#ff7f00"
 FEED_MAX_COMMIT_NUM  = 30
 SHOW_USER_EMAIL      = false
 EXPLORE_PAGING_NUM   = 100

ansible/roles/gitea/files/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
-  forgejo:
+  gitea:
-    image: code.forgejo.org/forgejo/forgejo:8-rootless
+    image: gitea/gitea:1.22-rootless
     user: "{{ docker_user.id }}:{{ docker_user.id }}"
     environment:
       - TZ={{ timezone }}
@@ -22,8 +22,8 @@ services:
       - redis
     labels:
       - traefik.enable=true
-      - traefik.http.routers.forgejo.rule=Host(`git.theorangeone.net`)
+      - traefik.http.routers.gitea.rule=Host(`git.theorangeone.net`)
-      - traefik.http.services.forgejo-forgejo.loadbalancer.server.port=3000
+      - traefik.http.services.gitea-gitea.loadbalancer.server.port=3000
     networks:
       - default
       - traefik

ansible/roles/gitea/files/footer.html

@@ -1,3 +1,3 @@
-{{ if not .IsSigned }}
+{{ if not .SignedUserName}}
   <script defer data-domain="git.theorangeone.net" src="https://elbisualp.theorangeone.net/js/script.js"></script>
 {{ end }}

ansible/roles/gitea/tasks/main.yml

@@ -28,6 +28,14 @@
   notify: restart gitea
   become: true
 
+- name: Create public images directory
+  file:
+    path: "{{ app_data_dir }}/gitea/data/custom/public/assets/img"
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
 - name: Create custom templates directory
   file:
     path: "{{ app_data_dir }}/gitea/data/custom/templates/custom"
@@ -37,6 +45,14 @@
     recurse: true
   become: true
 
+- name: Install custom branding
+  unarchive:
+    src: https://git.theorangeone.net/api/packages/sys/generic/gitea-branding/latest/branding.zip
+    dest: "{{ app_data_dir }}/gitea/data/custom/public/assets/img"
+    remote_src: true
+    owner: "{{ docker_user.name }}"
+  become: true
+
 - name: Install custom footer
   copy:
     src: files/footer.html

ansible/roles/gitea_runner/files/docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  act-runner:
+    image: vegardit/gitea-act-runner:latest
+    network_mode: host
+    volumes:
+      - /mnt/data:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - TZ={{ timezone }}
+      - GITEA_INSTANCE_URL=https://git.theorangeone.net
+      - GITEA_RUNNER_REGISTRATION_TOKEN={{ vault_gitea_runner_registration_token }}
+      - GITEA_RUNNER_NAME={{ ansible_hostname }}
+      - GITEA_RUNNER_FETCH_INTERVAL=5s
+      - GITEA_RUNNER_MAX_PARALLEL_JOBS={{ ansible_processor_nproc }}
+      - GITEA_RUNNER_UID={{ docker_user.id }}
+      - GITEA_RUNNER_GID={{ docker_user.id }}
+    restart: unless-stopped

ansible/roles/gitea_runner/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart act-runner
+  shell:
+    chdir: /opt/act-runner
+    cmd: "{{ docker_update_command }}"

ansible/roles/gitea_runner/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Create install directory
+  file:
+    path: /opt/act-runner
+    state: directory
+    owner: "{{ docker_user.name }}"
+    mode: "{{ docker_compose_directory_mask }}"
+  become: true
+
+- name: Install compose file
+  template:
+    src: files/docker-compose.yml
+    dest: /opt/act-runner/docker-compose.yml
+    mode: "{{ docker_compose_file_mask }}"
+    owner: "{{ docker_user.name }}"
+    validate: docker-compose -f %s config
+  notify: restart act-runner
+  become: true

ansible/roles/gitea_runner/vars/vault.yml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+39356636363738343339633132326666373534646563366335363336356362343438313030353466
+6564373739333030393666333438386533316332626136350a626439316537343030323761383863
+33666632636132386335393833636232373662626562326531666330373438613738613634643061
+3864336432626338320a373866356363613166366239356630663534646566636131353530623266
+66326334636361386338663739333134333761376239373133396534376139633364336433663362
+30313736303539663839313830336164346536383066393635323366363433616264373165356431
+35663832323132356538666333653135383332653232336336646265356665313165623035363561
+65306666393331383661353961306531636266393765626363616265326566316163396531373638
+3735

ansible/roles/headscale/files/headscale.yml

@@ -262,12 +262,12 @@ unix_socket_permission: "0770"
 # headscale supports experimental OpenID connect support,
 # it is still being tested and might have some bugs, please
 # help us test it.
-# oidc:
+oidc:
-#   only_start_if_oidc_is_available: true
+  only_start_if_oidc_is_available: true
-#   issuer: "{{ vault_oidc_issuer }}"
+  issuer: "{{ vault_oidc_issuer }}"
-#   client_id: "{{ vault_oidc_client_id }}"
+  client_id: "{{ vault_oidc_client_id }}"
-#   client_secret: "{{ vault_oidc_client_secret }}"
+  client_secret: "{{ vault_oidc_client_secret }}"
-#   expiry: 0
+  expiry: 0
 
 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel

ansible/roles/http_proxy/files/squid.conf

@@ -2,7 +2,7 @@
 # Recommended minimum configuration:
 #
 
-acl hide_internal dst {{ wireguard.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
+acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
 
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing

ansible/roles/ingress/files/nftables.conf

@@ -17,6 +17,9 @@ table inet filter {
 
         tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
 
+        # Allow nebula
+        udp dport {{ nebula_listen_port }} accept;
+
         # Allow Tailscale
         udp dport {{ tailscale_port }} accept;
     }
@@ -26,6 +29,7 @@ table inet filter {
         policy accept
 
         # NAT - because the proxmox machines may not have routes back
+        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
         ip saddr {{ tailscale_cidr }} counter masquerade
     }
 
@@ -33,8 +37,12 @@ table inet filter {
         type filter hook forward priority mangle
         policy drop
 
-        # Allow monitoring of Tailscale network
+        # Allow traffic from nebula to proxmox network
-        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ tailscale_cidr }} accept
+        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
+        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
+
+        # Allow monitoring of nebula network
+        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
 
         # Allow Tailscale exit node
         ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop

ansible/roles/mastodon/files/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   mastodon:
-    image: lscr.io/linuxserver/mastodon:4.2.12
+    image: lscr.io/linuxserver/mastodon:4.2.10
     environment:
       - TZ={{ timezone }}
       - PUID={{ docker_user.id }}

ansible/roles/nebula/defaults/main.yml

@@ -0,0 +1,2 @@
+nebula_is_lighthouse: false
+nebula_listen_port: 0

ansible/roles/nebula/files/ca.crt

@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+35346565636566303064316339396339363831623963306131303331366338643338326261626137
+3031333365383139383466323931353339346534366136350a353034373561653238643039373766
+37316638363166303162373739393934653936373639323038663639656138313035666132646136
+6339386166383137320a363536336166343539633238336364663633306562313965636536303663
+35376234336566626232383231326362393664386464346363643262393932316130623936383366
+63313539653035383665373962376165336533396565643263666634333434663432386635663434
+31613064653739363637643433653639343930623038626539353534393861646165366166616638
+38313036303261336635666161383135353637633966646462376439313539383962343564626336
+37343566306638626337316135663763343961653065616531396332303966643638646163393461
+63353630393364666336633630653765613331386233386130366636393965323231373561333163
+38613165623533396531383031316631346434333239616335373162333637363830636263613338
+38316165343632313361633362383934653832306332663732303061333135393234306232636464
+36346465633166303335363365336336383333636165633230626263633663356336366662313263
+36353231623930653361313466643064356234656639616332326534306133396338363538366136
+30643633626230613364353434323262333335363132303865646130653733623032346166653031
+63653761393935333430636230353966353765626235336439383331333436623061373835616462
+3661

ansible/roles/nebula/files/certs/casey.crt

@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+63636434323163343761373034626236333037376261336634366531393035356435653037326238
+3839323731623165633234613132376534646266373466310a356635313261333263366632336664
+39326533333462373831663132633733666136623938313164313265326637333332616463386363
+6634333536313132310a613766363630313933343365333633333663613035313362343437383534
+32636433613365643633643536633862376231316135376437333835353164613839323562333430
+39323331353639333539356165616661663262386363386239346664643364653137633332626661
+35393332653530373162666365326135663633663265313634643135373562663763376530623038
+63343231333933616237666465306461663634363261656237383236383663336235363161623265
+30343366643637326135356636626564343436396635613566393636643264333933656265346333
+61363335303737666238393665633265393835633838636561393534343437366639636361373761
+34366334366236373633613037346463373632323265343034343335333436373733613465663464
+65643863303037643338366537336562613232313331323366663835316437376535623635383463
+38386539353834383236663766393563393063333233623661303335396534353166316230396566
+34393034333864346534383665616666633836376439646632303566613633376138313961636637
+37313635393739656161313466633231396539393666663635623034613765393438633735636666
+33326635373966353633356166313138656462373962663666653961366438383936626338663439
+36643039613061646531366462623064623837666633326532663232616139623737343732346130
+64646337356266353261363438326237313833323765663336346635353236396638376530663033
+306365363634643665646230366332653632

ansible/roles/nebula/files/certs/casey.key

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+31646561316237653338613966616162363239323863393862376136623639613730633339396230
+3830343834383934333236633462663734366432666331620a393739313230656636653432646532
+65386466633832623663386131393866666664303439613738303933656239393761653263386466
+3561656162343632350a383737343661663037306461636264353239373865613861393034626237
+37633134636638633539346534346365346332643939653737626136393961343864386438323731
+39353663353362623563326230643961623231646361396561623431376139626236313362343938
+38336138376133656130633161363766393861656466363565646264653963396539386266616631
+66333965383862633061623961316334326134326630623064323562373937323338313838353066
+38343830316665326663313331613561393238373161326637396630383030666137623633616365
+6461333239666365363339613533323536613839356332373530

ansible/roles/nebula/files/certs/ingress.crt

@@ -0,0 +1,21 @@
+$ANSIBLE_VAULT;1.1;AES256
+62613762323836666136313634353965643132326439656165623938326130633631623939336434
+3931613737633935363439316362613663363335626134340a306631376131363635326337333234
+34373262383861626564383834306462306633376332353630666265303766333731613839333231
+6666343965353866320a313930383762646431656433393433336436623064643864343639393465
+37613062336430646130653833363130343266303833353739393839376235646433663236636532
+31303439663030353934383862396234663633343932646234353566313833613038366262373862
+62646262393431343638373936333339373230346134313661303138656563613463613836643634
+33343236633235316364336438613932316431383839393136343662333365396639313931663461
+33363336323532376566316532373832306662373538343361336239346163626330333736636566
+33306435306136643563643465373964383336376566383539613530313830353961623861323936
+64633336323438353238616663323338396536386161326132633466643135636162363536656665
+39653734653839366362383034366437613734373830386533363138373036323231363764633335
+34633163353237656266663035616463383165623634353062636464373361376438653230343661
+35343434656335623533623836313335616162666665313064653730356537633666336163616132
+31663432396564613538303662396538643131656137343434646333666634653938353363316363
+38623730623532663133343937643663633961353034316234663931646331656636303739383464
+37623264663038656632343262336165343635633566393535343663393163313234396463373766
+35313337353833306262363532616265656461356536633430383234633464613839303562356565
+39643738616262383734656535636566323831373035306166343039666334633264303435663865
+39623533653333323766

ansible/roles/nebula/files/certs/ingress.key

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+37626435646463663062363233393732353239386231366436653663623035656339633136346138
+3963626465363538653430343733663965373865376263330a373638663731656435646438646134
+38663334363137666530653934356337326264356664343633623432613265643139353464666136
+6236383631366130310a386265373334663831333137303538303737663062656239663839326338
+35613739313935373362333933653636383033343164363964353935633061636635353464643831
+64626363646136663166373632343830333634356565336138393436313864646333386561396663
+65636436663830633661396531643838333938366236633762323231363966643035643539383438
+30396136633264396561353034653161343536313461623532303265663531323937363737353566
+32363564333536306166346165393662353234363131383733396338633839333439373538623362
+3738616565663331353362633939343832323238383930643263

ansible/roles/nebula/files/certs/walker.crt

@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+32636232306462356330643137616236306261373438653332326239343662363234313765356563
+6361383264626665636130373539613936373036343061350a316438383266306538303836636138
+39643434323831303337336230623463633138633436386539363531626633633364663031376131
+3162363530393734380a303162386436396338383864333439313365383665666361313666373538
+35666262616466663061383463653361303230653036643033376434303236656638343134316262
+31303663396231623065316261353938613934303934613331393836663061653731316163663230
+39653337373230386337383665303638346136353031373931616166663437313431353832633239
+62343063323765636466353031353930636132373263306631616365623332646639333265653235
+61636237326561613364303538323861393061303839383532323136306134633437363731616464
+32633538376130613164646264666332303762386436383566663563346536663935323165323939
+65666333363163373165316633383430653066663938303562613739303835316661623437613863
+32383330336261356364353163666432353130343564366333626336306332643936623166386261
+35656431366431663830336631346164333362376262663365623635376161373864303831306462
+61326462343039376363663139636638663239306362353232366166623030376464336634643130
+65373532393034623730663431373763636261393035346639653137383235633265386365613063
+37303435363136613365633139316133386332373665626566346161343665626365656639346661
+30396133366566306238303564633662306561303830613937666264303731666230356633373662
+33656133323364313461353562373337356232666536643633336663326334353231613336646461
+376435366338383534623436353434623334

ansible/roles/nebula/files/certs/walker.key

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+65626437643961386636343536313832353663373863313963383430363465333965363031653635
+3038636237383665653135313962643434386135346630360a666239663139353063623436633038
+38613062393337373232343338626334353033633738306138373464313739323334373637366334
+3335623465633164310a646162376139373838643731326361373366623765323263643934616432
+66626333653335343234393936653931306132333933616138616665626139396164386437633338
+36653637346532376564306537643330343135313331343163326331363664663761616533353563
+66643964313736653263666466643134656532643536343464356464663465313438643466643130
+35643738313337663663343466353232396264356163343234653032333032336134666437306139
+63653239363132396465376565306666363131366131376466356530386438653433613063646365
+6432616539316163376162613630623066626539666135366664

ansible/roles/nebula/files/nebula.yml

@@ -0,0 +1,59 @@
+pki:
+  ca: /etc/nebula/ca.crt
+  cert: /etc/nebula/{{ ansible_hostname }}.crt
+  key: /etc/nebula/{{ ansible_hostname }}.key
+
+static_host_map:
+  "{{ nebula_lighthouse_ip }}": ["{{ nebula_lighthouse_public_ip }}:{{ nebula_lighthouse_port }}"]
+
+
+lighthouse:
+  am_lighthouse: "{{ nebula_is_lighthouse | lower }}"
+  interval: 60
+  hosts:
+{% if not nebula_is_lighthouse %}
+    - "{{ nebula_lighthouse_ip }}"
+{% endif %}
+
+listen:
+  host: 0.0.0.0
+  port: "{{ nebula_listen_port }}"
+
+punchy:
+  punch: true
+
+tun:
+  disabled: false
+  dev: nebula1
+  drop_local_broadcast: false
+  drop_multicast: false
+  tx_queue: 500
+  mtu: 1300
+  routes:
+  unsafe_routes:
+{% if ansible_hostname != "ingress" %}
+    - route: "{{ pve_hosts.internal_cidr }}"
+      via: "{{ nebula.clients.ingress.ip }}"
+{% endif %}
+
+
+logging:
+  level: info
+  format: text
+
+firewall:
+  conntrack:
+    tcp_timeout: 12m
+    udp_timeout: 3m
+    default_timeout: 10m
+    max_connections: 100000
+
+  outbound:
+    - port: any
+      proto: any
+      host: any
+
+  inbound:
+    - port: any
+      proto: any
+      host: any

ansible/roles/nebula/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart nebula
+  service:
+    name: nebula
+    state: restarted
+  become: true

ansible/roles/nebula/tasks/main.yml

@@ -0,0 +1,65 @@
+- name: Create config directory
+  file:
+    path: /etc/nebula
+    state: directory
+    mode: "0700"
+  become: true
+
+- name: Install nebula
+  package:
+    name: nebula
+  when: ansible_os_family == 'Archlinux'
+  become: true
+
+- name: Manually install nebula
+  block:
+    - name: Install binaries
+      unarchive:
+        src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
+        dest: /usr/bin
+        remote_src: true
+        mode: "0755"
+
+    - name: Install service
+      get_url:
+        url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service
+        dest: /usr/lib/systemd/system/nebula.service
+        mode: "0644"
+  when: ansible_os_family != 'Archlinux'
+  tags:
+    - skip_ansible_lint
+  notify: restart nebula
+  become: true
+
+- name: Install config
+  template:
+    src: files/nebula.yml
+    dest: /etc/nebula/config.yml
+    mode: "0600"
+  become: true
+  notify: restart nebula
+
+- name: Install CA certificate
+  template:
+    src: files/ca.crt
+    dest: /etc/nebula/ca.crt
+    mode: "0600"
+  become: true
+  notify: restart nebula
+
+- name: Install client certificates
+  template:
+    src: files/certs/{{ item }}
+    dest: /etc/nebula/{{ item }}
+    mode: "0600"
+  loop:
+    - "{{ ansible_hostname }}.key"
+    - "{{ ansible_hostname }}.crt"
+  become: true
+  notify: restart nebula
+
+- name: Enable service
+  service:
+    name: nebula
+    enabled: true
+  become: true

ansible/roles/nebula/vars/main.yml

@@ -0,0 +1,5 @@
+nebula_lighthouse_public_ip: "{{ vps_hosts.casey_ip }}"
+nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}"
+nebula_lighthouse_port: 6328
+
+nebula_version: 1.8.1

ansible/roles/prometheus/files/prometheus/prometheus.yml

@@ -120,7 +120,7 @@ scrape_configs:
     metrics_path: /metrics
     static_configs:
       - targets:
-          - "{{ tailscale_nodes.casey.ip }}:9090"
+          - "{{ nebula.clients.casey.ip }}:9090"
     metric_relabel_configs:
       - source_labels: [__name__]
         regex: go_.+

ansible/roles/pve_docker/files/nextcloud/docker-compose.yml

@@ -45,7 +45,7 @@ services:
       - /tmp
 
   mariadb:
-    image: mariadb:10.6
+    image: mariadb:11.5
     restart: unless-stopped
     volumes:
       - /mnt/speed/dbs/mariadb/nextcloud:/var/lib/mysql

ansible/roles/pve_docker/files/synapse/docker-compose.yml

@@ -1,4 +1,5 @@
 services:
+
   synapse:
     image: ghcr.io/element-hq/synapse:latest
     restart: unless-stopped
@@ -16,7 +17,7 @@ services:
       - db
     labels:
       - traefik.enable=true
-      - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) || Host(`matrix.theorangeone.net`)
+      - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`)
     networks:
       - default
       - traefik

ansible/roles/pve_nebula_route/tasks/main.yml

@@ -0,0 +1,22 @@
+- name: Get routes
+  command:
+    argv:
+      - ip
+      - route
+      - show
+      - "{{ nebula.cidr }}"
+  register: routes
+  changed_when: false
+  become: true
+
+- name: Add route to nebula hosts via ingress
+  command:
+    argv:
+      - ip
+      - route
+      - add
+      - "{{ nebula.cidr }}"
+      - via
+      - "{{ pve_hosts.ingress.ip }}"
+  become: true
+  when: nebula.cidr not in routes.stdout

ansible/roles/traefik/files/docker-compose.yml

@@ -3,7 +3,8 @@ services:
     image: traefik:v2.11
     user: "{{ docker_user.id }}"
     environment:
-      - GANDIV5_PERSONAL_ACCESS_TOKEN={{ vault_gandi_personal_access_token }}
+      - CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}
+      - GANDIV5_API_KEY={{ vault_gandi_api_key }}
     volumes:
       - ./traefik:/etc/traefik
     restart: unless-stopped

ansible/roles/traefik/files/file-provider-main.yml

@@ -22,5 +22,6 @@ http:
         sourceRange:
           - "{{ tailscale_cidr }}"
           - "{{ tailscale_cidr_ipv6 }}"
+          - "{{ nebula.cidr }}"
           - "{{ pve_hosts.internal_cidr }}"
           - "{{ pve_hosts.internal_cidr_ipv6 }}"

ansible/roles/traefik/files/traefik.yml

@@ -10,6 +10,7 @@ entryPoints:
       trustedIPs:
         - "{{ wireguard.cidr }}"
         - "{{ pve_hosts.internal_cidr }}"
+        - "{{ nebula.cidr }}"
         - "{{ tailscale_cidr }}"
   web-secure:
     address: :443
@@ -50,6 +51,17 @@ api:
 
 certificatesResolvers:
   le:
+    acme:
+      email: "{{ vault_letsencrypt_email }}"
+      storage: /etc/traefik/acme.json
+      dnsChallenge:
+        provider: cloudflare
+        delayBeforeCheck: 0
+        resolvers:
+          - 1.1.1.1:53
+          - 1.0.0.1:53
+
+  gandi:
     acme:
       email: "{{ vault_letsencrypt_email }}"
       storage: /etc/traefik/acme.json
@@ -57,8 +69,8 @@ certificatesResolvers:
         provider: gandiv5
         delayBeforeCheck: 0
         resolvers:
-          - 9.9.9.9:53
+          - 1.1.1.1:53
-          - 149.112.112.112:53
+          - 1.0.0.1:53
 
 serversTransport:
   insecureSkipVerify: true

ansible/roles/traefik/vars/vault.yml

@@ -1,11 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-30393461663462666434333462386264383831333936633961636237616338303335393861626336
+63373634636339343234383662613339643138346430336463613834363661376334303131656565
-3566306338633735613431393736653061636536353335620a366335623630643137343863636161
+6439633136396264356263663961383565636138333135660a366239313136663331386139386566
-37383436323439393965623436393465626362633134346239356463633936396236666164333762
+61653432613237656635316336313064396433393939306330353739343439336165653866343030
-3565623930353964620a303965626164396536646336313438346464663236633465353036303935
+6432366565396639640a636662356238636130326237613632643738643639313664393639323561
-30373230393432643330663434313637396234306563336137653861333839623530636465653532
+39633939353663386566396534366166646631353461643062373363393566306538653730306362
-37363239663939303834633332656365363437356236633933313339656563343130383262626539
+36306532343933643830643564313166366530363139623564633061623238303866633037383032
-61363762663630366430326635386163613936653938303366636363363334643035396233646430
+31313765393134326561626264323336356539376263333765366162613363313138633932396136
-32636431616335326264343931343064646363393736303263633038623562623965393763636562
+35663737366132613133376431643333663466363737386664663036623839616333653231366536
-35316264636264366161326463343730613232663539306532303838656338343535376439343834
+38356566653933316462333462616362623535643866636332356563326136356563616632323034
-3234663334333866376233336538343264623930653662303835
+39303437363535636433353961353964313733333164396538643563343338633432343232346235
+39626331376163356466313435616362613334346132666461633566393662363039393363613366
+63613333643039626161653962353636366364353730383534336662336138643231333864633536
+3232

ansible/roles/yourls/files/docker-compose.yml

@@ -16,12 +16,13 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.yourls.rule=Host(`0rng.one`)
+      - traefik.http.routers.yourls.tls.certresolver=gandi
     networks:
       - default
       - traefik
 
   mariadb:
-    image: mariadb:10.10
+    image: mariadb:11.5
     environment:
       - MYSQL_ROOT_PASSWORD=root
       - MYSQL_DATABASE=yourls

justfile

@@ -27,7 +27,6 @@ terraform +ARGS:
 
 # Download secrets
 update-secrets:
-    bw sync
     cd terraform/ && bw get attachment .env --itemid c4f8b44e-ae62-442d-a9e0-02d0621c2454
 
 ansible-deploy *ARGS:

terraform/0rng.one.tf

@@ -8,7 +8,7 @@ resource "gandi_livedns_record" "orngone_apex" {
   type = "ALIAS" # Gandi doesn't support CNAME-flattening
   ttl  = 3600
   values = [
-    gandi_livedns_record.sys_domain_pve.href
+    cloudflare_record.sys_domain_pve.hostname
   ]
 }
 

terraform/casey_vps.tf

@@ -66,6 +66,15 @@ resource "linode_firewall" "casey" {
     ipv6     = ["::/0"]
   }
 
+  inbound {
+    label    = "allow-inbound-nebula"
+    action   = "ACCEPT"
+    protocol = "UDP"
+    ports    = "6328"
+    ipv4     = ["0.0.0.0/0"]
+    ipv6     = ["::/0"]
+  }
+
   inbound {
     label    = "allow-inbound-matrix"
     action   = "ACCEPT"
@@ -96,10 +105,10 @@ resource "linode_firewall" "casey" {
 
 resource "linode_rdns" "casey_reverse_ipv4" {
   address = linode_instance.casey.ip_address
-  rdns    = gandi_livedns_record.sys_domain_casey.href
+  rdns    = cloudflare_record.sys_domain_casey.hostname
 }
 
 resource "linode_rdns" "casey_reverse_ipv6" {
   address = split("/", linode_instance.casey.ipv6)[0]
-  rdns    = gandi_livedns_record.sys_domain_casey.href
+  rdns    = cloudflare_record.sys_domain_casey.hostname
 }

terraform/jakehoward.tech.tf

@@ -1,335 +1,283 @@
-resource "gandi_livedns_domain" "jakehowardtech" {
+resource "cloudflare_zone" "jakehowardtech" {
-  name = "jakehoward.tech"
+  zone = "jakehoward.tech"
 }
 
-resource "gandi_livedns_record" "jakehowardtech_mx" {
+resource "cloudflare_record" "jakehowardtech_mx1" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id  = cloudflare_zone.jakehowardtech.id
   name     = "@"
+  value    = "in1-smtp.messagingengine.com"
   type     = "MX"
-  ttl  = 3600
+  priority = 10
-  values = [
+  ttl      = 1
-    "10 in1-smtp.messagingengine.com.",
-    "20 in2-smtp.messagingengine.com.",
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_spf" {
+resource "cloudflare_record" "jakehowardtech_mx2" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id  = cloudflare_zone.jakehowardtech.id
   name     = "@"
-  type = "TXT"
+  value    = "in2-smtp.messagingengine.com"
-  ttl  = 3600
+  type     = "MX"
-  values = [
+  priority = 20
-    "\"v=spf1 include:spf.messagingengine.com -all\""
+  ttl      = 1
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_dkim_fm1" {
+resource "cloudflare_record" "jakehowardtech_txt" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
+  name    = "@"
+  value   = "v=spf1 include:spf.messagingengine.com -all"
+  type    = "TXT"
+  ttl     = 1
+}
+
+resource "cloudflare_record" "jakehowardtech_dkim_fm1" {
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "fm1._domainkey"
+  value   = "fm1.jakehoward.tech.dkim.fmhosted.com"
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "fm1.jakehoward.tech.dkim.fmhosted.com."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_dkim_fm2" {
+resource "cloudflare_record" "jakehowardtech_dkim_fm2" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "fm2._domainkey"
+  value   = "fm2.jakehoward.tech.dkim.fmhosted.com"
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "fm2.jakehoward.tech.dkim.fmhosted.com."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_dkim_fm3" {
+resource "cloudflare_record" "jakehowardtech_dkim_fm3" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "fm3._domainkey"
+  value   = "fm3.jakehoward.tech.dkim.fmhosted.com"
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "fm3.jakehoward.tech.dkim.fmhosted.com."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_dmarc" {
+resource "cloudflare_record" "jakehowardtech_dmarc" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "_dmarc"
+  value   = "v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "\"v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;\""
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_wallabag" {
+resource "cloudflare_record" "jakehowardtech_wallabag" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "wallabag"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_ttrss" {
+resource "cloudflare_record" "jakehowardtech_ttrss" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "tt-rss"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_speed" {
+resource "cloudflare_record" "jakehowardtech_speed" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "speed"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_quassel" {
+resource "cloudflare_record" "jakehowardtech_quassel" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "quassel"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_media" {
+resource "cloudflare_record" "jakehowardtech_media" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "media"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_matrix" {
+resource "cloudflare_record" "jakehowardtech_matrix" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "matrix"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_intersect" {
+resource "cloudflare_record" "jakehowardtech_intersect" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "intersect"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_calibre" {
+resource "cloudflare_record" "jakehowardtech_calibre" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "calibre"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_homeassistant" {
+resource "cloudflare_record" "jakehowardtech_homeassistant" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "homeassistant"
+  value   = cloudflare_record.sys_domain_pve_private.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve_private.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_grafana" {
+resource "cloudflare_record" "jakehowardtech_grafana" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "grafana"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_vaultwarden" {
+resource "cloudflare_record" "jakehowardtech_vaultwarden" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "vaultwarden"
+  value   = cloudflare_record.sys_domain_pve_private.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve_private.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_recipes" {
+resource "cloudflare_record" "jakehowardtech_tandoor" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "recipes"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_mailgun_spf" {
+resource "cloudflare_record" "jakehowardtech_mailgun_spf" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "mg"
+  value   = "v=spf1 include:mailgun.org -all"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "\"v=spf1 include:mailgun.org -all\""
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_mailgun_dkim" {
+resource "cloudflare_record" "jakehowardtech_mailgun_dkim" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "s1._domainkey.mg"
+  value   = "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4E4cv86U+sFUjgLys26ZLccTghzGfHiFpitWdFg68lGXG63aoG2/+9bgKVT0ZBG7bjPvj6Kyj4N3TIe4oCJo2saVvtsNK1pvZkOadaBPgjzKeRvBaw48ZatUGKoV7q1NCa0kXAfiJleF7bMvbt8rYDmBljr/BG6TtZYPt6XgoZyh8HHXjv/1L6WT3JBVQ8q5UtqVRVujXNHf57FmJTOJpvs0bKn/6TUaXYZmt5z3jpDhc/HfmkzVV22AwRf9jn7kgKkgaKpkvfSL8gtYNn5oyfS0Y9W9x9ntqb4g72RCbynMppQb1uwxbIuWRVOp0un0koQDm3C8ZzhOOYAwe58BYQIDAQAB"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "\"k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4E4cv86U+sFUjgLys26ZLccTghzGfHiFpitWdFg68lGXG63aoG2/+9bgKVT0ZBG7bjPvj6Kyj4N3TIe4oCJo2saVvtsNK1pvZkOadaBPgjzKeRvBaw48ZatUGKoV7q1NCa0kXAfiJleF7bMvbt8rYDmBljr/BG6TtZYPt6XgoZyh8HHXjv/1L6WT3JBVQ8q5UtqVRVujXNHf57FmJTOJpvs0bKn/6TUaXYZmt5z3jpDhc/HfmkzVV22AwRf9jn7kgKkgaKpkvfSL8gtYNn5oyfS0Y9W9x9ntqb4g72RCbynMppQb1uwxbIuWRVOp0un0koQDm3C8ZzhOOYAwe58BYQIDAQAB\""
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_mailgun_dmarc" {
+resource "cloudflare_record" "jakehowardtech_mailgun_dmarc" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "_dmarc.mg"
+  value   = "v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "\"v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;\""
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_synapse_admin" {
+resource "cloudflare_record" "jakehowardtech_matrix_admin" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "synapse-admin"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_apex" {
+# Cloudflare supports CNAME flattening - so this is ok
-  zone = gandi_livedns_domain.jakehowardtech.id
+resource "cloudflare_record" "jakehowardtech_apex" {
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "@"
-  type = "ALIAS"
+  value   = cloudflare_record.sys_domain_walker.hostname
-  ttl  = 3600
+  type    = "CNAME"
-  values = [
+  ttl     = 1
-    "${gandi_livedns_record.sys_domain_walker.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_collabora" {
+resource "cloudflare_record" "jakehowardtech_collabora" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "collabora"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_tasks" {
+resource "cloudflare_record" "jakehowardtech_tasks" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "tasks"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_auth" {
+resource "cloudflare_record" "jakehowardtech_auth" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "auth"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_minio" {
+resource "cloudflare_record" "jakehowardtech_minio" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "minio"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_s3" {
+resource "cloudflare_record" "jakehowardtech_s3" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "s3"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_ntfy" {
+resource "cloudflare_record" "jakehowardtech_ntfy" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "ntfy"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_headscale" {
+resource "cloudflare_record" "jakehowardtech_headscale" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "headscale"
+  value   = cloudflare_record.sys_domain_casey.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_casey.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_slides" {
+resource "cloudflare_record" "jakehowardtech_slides" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "slides"
+  value   = cloudflare_record.sys_domain_walker.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_walker.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_uptime" {
+resource "cloudflare_record" "jakehowardtech_uptime" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "uptime"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "jakehowardtech_caa" {
+resource "cloudflare_record" "jakehowardtech_caa" {
-  zone = gandi_livedns_domain.jakehowardtech.id
+  zone_id = cloudflare_zone.jakehowardtech.id
   name    = "@"
   type    = "CAA"
-  ttl  = 3600
+  ttl     = 1
-  values = [
+
-    "0 issue \"letsencrypt.org\"",
+  data = {
-    "0 wildissue \"letsencrypt.org\"",
+    tag   = "issue"
-  ]
+    flags = 0
+    value = "letsencrypt.org"
+  }
 }

terraform/providers.tf

@@ -12,7 +12,7 @@ provider "linode" {
 }
 
 provider "gandi" {
-  personal_access_token = var.gandi_personal_access_token
+  key = var.gandi_api_key
 }
 
 provider "b2" {

terraform/sys_domains.tf

@@ -1,59 +1,47 @@
-resource "gandi_livedns_record" "sys_domain_casey" {
+resource "cloudflare_record" "sys_domain_casey" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "casey.sys"
+  value   = linode_instance.casey.ip_address
   type    = "A"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    linode_instance.casey.ip_address
-  ]
 }
 
-resource "gandi_livedns_record" "sys_domain_casey_v6" {
+resource "cloudflare_record" "sys_domain_walker" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
+  name    = "walker.sys"
+  value   = hcloud_server.walker.ipv4_address
+  type    = "A"
+  ttl     = 1
+}
+
+resource "cloudflare_record" "sys_domain_casey_v6" {
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "casey.sys"
+  value   = split("/", linode_instance.casey.ipv6)[0]
   type    = "AAAA"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    split("/", linode_instance.casey.ipv6)[0]
-  ]
 }
 
-resource "gandi_livedns_record" "sys_domain_walker" {
+resource "cloudflare_record" "sys_domain_walker_v6" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
-  name = "walker.sys"
-  type = "A"
-  ttl  = 3600
-  values = [
-    hcloud_server.walker.ipv4_address
-  ]
-}
-
-resource "gandi_livedns_record" "sys_domain_walker_v6" {
-  zone = gandi_livedns_domain.theorangeonenet.id
   name    = "walker.sys"
+  value   = hcloud_server.walker.ipv6_address
   type    = "AAAA"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    hcloud_server.walker.ipv6_address
-  ]
 }
 
-resource "gandi_livedns_record" "sys_domain_pve" {
+resource "cloudflare_record" "sys_domain_pve" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "pve.sys"
+  value   = linode_instance.casey.ip_address
   type    = "A"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    linode_instance.casey.ip_address
-  ]
 }
 
-resource "gandi_livedns_record" "sys_domain_pve_private" {
+resource "cloudflare_record" "sys_domain_pve_private" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "pve-private.sys"
+  value   = local.private_ipv6_marker
   type    = "AAAA"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    local.private_ipv6_marker
-  ]
 }

terraform/theorangeone.net.tf

@@ -1,262 +1,243 @@
-resource "gandi_livedns_domain" "theorangeonenet" {
+resource "cloudflare_zone" "theorangeonenet" {
-  name = "theorangeone.net"
+  zone = "theorangeone.net"
 }
 
-resource "gandi_livedns_record" "theorangeonenet_git" {
+resource "cloudflare_record" "theorangeonenet_git" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "git"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_whoami" {
+resource "cloudflare_record" "theorangeonenet_whoami" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "whoami"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_whoami_cdn" {
+resource "cloudflare_record" "theorangeonenet_whoami_cdn" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "whoami-cdn"
+  value   = cloudflare_record.sys_domain_casey.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_whoami_private" {
+resource "cloudflare_record" "theorangeonenet_whoami_private" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "whoami-private"
+  value   = cloudflare_record.sys_domain_pve_private.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_mx" {
+resource "cloudflare_record" "theorangeonenet_mx1" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id  = cloudflare_zone.theorangeonenet.id
   name     = "@"
+  value    = "in1-smtp.messagingengine.com"
   type     = "MX"
-  ttl  = 3600
+  priority = 10
-  values = [
+  ttl      = 1
-    "10 in1-smtp.messagingengine.com.",
-    "20 in2-smtp.messagingengine.com.",
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_spf" {
+resource "cloudflare_record" "theorangeonenet_mx2" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id  = cloudflare_zone.theorangeonenet.id
   name     = "@"
-  type = "TXT"
+  value    = "in2-smtp.messagingengine.com"
-  ttl  = 3600
+  type     = "MX"
-  values = [
+  priority = 20
-    "\"v=spf1 include:spf.messagingengine.com -all\""
+  ttl      = 1
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_dkim_fm1" {
+resource "cloudflare_record" "theorangeonenet_spf" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
+  name    = "@"
+  value   = "v=spf1 include:spf.messagingengine.com -all"
+  type    = "TXT"
+  ttl     = 1
+}
+
+resource "cloudflare_record" "theorangeonenet_dkim_fm1" {
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "fm1._domainkey"
+  value   = "fm1.theorangeone.net.dkim.fmhosted.com"
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "fm1.theorangeone.net.dkim.fmhosted.com."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_dkim_fm2" {
+resource "cloudflare_record" "theorangeonenet_dkim_fm2" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "fm2._domainkey"
+  value   = "fm2.theorangeone.net.dkim.fmhosted.com"
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "fm2.theorangeone.net.dkim.fmhosted.com."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_dkim_fm3" {
+resource "cloudflare_record" "theorangeonenet_dkim_fm3" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "fm3._domainkey"
+  value   = "fm3.theorangeone.net.dkim.fmhosted.com"
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "fm3.theorangeone.net.dkim.fmhosted.com."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_dmarc" {
+resource "cloudflare_record" "theorangeonenet_dmarc" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "_dmarc"
+  value   = "v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "\"v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;\""
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_dmarc_report" {
+resource "cloudflare_record" "theorangeonenet_dmarc_report" {
   for_each = toset([
-    gandi_livedns_domain.theorangeonenet.name,
+    cloudflare_zone.theorangeonenet.zone,
-    gandi_livedns_domain.jakehowardtech.name,
+    cloudflare_zone.jakehowardtech.zone,
-    gandi_livedns_record.theorangeonenet_mailgun_spf.href,
+    cloudflare_record.theorangeonenet_mailgun_spf.hostname,
-    gandi_livedns_record.jakehowardtech_mailgun_spf.href,
+    cloudflare_record.jakehowardtech_mailgun_spf.hostname,
   ])
 
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "${each.value}._report._dmarc"
+  value   = "v=DMARC1"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "v=DMARC1"
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_apex" {
+# Cloudflare supports CNAME flattening - so this is ok
-  zone = gandi_livedns_domain.theorangeonenet.id
+resource "cloudflare_record" "theorangeonenet_apex" {
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "@"
-  type = "ALIAS"
+  value   = cloudflare_record.sys_domain_walker.hostname
-  ttl  = 3600
+  type    = "CNAME"
-  values = [
+  ttl     = 1
-    "${gandi_livedns_record.sys_domain_walker.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_srv_matrix" {
+resource "cloudflare_record" "theorangeonenet_srv_matrix" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "_matrix._tcp"
   type    = "SRV"
-  ttl  = 3600
+  ttl     = 1
-  values = [
+
-    "10 0 8448 ${gandi_livedns_record.theorangeonenet_matrix.href}."
+  data = {
-  ]
+    service  = "_matrix"
+    proto    = "_tcp"
+    name     = cloudflare_zone.theorangeonenet.zone
+    priority = 10
+    weight   = 0
+    port     = 8448
+    target   = cloudflare_record.jakehowardtech_matrix.hostname
+  }
 }
 
-resource "gandi_livedns_record" "theorangeonenet_matrix" {
+resource "cloudflare_record" "theorangeonenet_matrix" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "matrix"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_plausible" {
+resource "cloudflare_record" "theorangeonenet_plausible" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "plausible"
+  value   = cloudflare_record.sys_domain_walker.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_walker.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_plausible_bare" {
+resource "cloudflare_record" "theorangeonenet_plausible_bare" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "elbisualp"
+  value   = cloudflare_record.sys_domain_walker.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_walker.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_notes" {
+resource "cloudflare_record" "theorangeonenet_notes" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "notes"
+  value   = "realorangeone.github.io"
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "realorangeone.github.io."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_bin" {
+resource "cloudflare_record" "theorangeonenet_privatebin" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "bin"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_google_site_verification" {
+resource "cloudflare_record" "theorangeonenet_google_site_verification" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "@"
+  value   = "google-site-verification=IXY4iSBN_vOcM3cp_f-BgVvEI_shz1GzXuY_8dqY61o"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "google-site-verification=IXY4iSBN_vOcM3cp_f-BgVvEI_shz1GzXuY_8dqY61o"
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_mailgun_spf" {
+resource "cloudflare_record" "theorangeonenet_commento" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
+  name    = "commento"
+  value   = cloudflare_record.sys_domain_walker.hostname
+  type    = "CNAME"
+  ttl     = 1
+}
+
+resource "cloudflare_record" "theorangeonenet_mailgun_spf" {
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "mg"
+  value   = "v=spf1 include:mailgun.org -all"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "\"v=spf1 include:mailgun.org -all\""
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_mailgun_dkim" {
+resource "cloudflare_record" "theorangeonenet_mailgun_dkim" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "mta._domainkey.mg"
+  value   = "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Z/MHEzpbWm5EgMkyWb+Xkz44Xrzr4SA5i2u8M2H5yZ1PSb4DpGk3IAX+I05UWax02+WBW3CBb5wU9rH9flgxezBoCf/hiMS1Wjb9hKGIBa2jMCzpF+wa5fyqLkLoAJZF4bc/BJKyi/ET2c7+DAA/2KlWv/nv4MEjcUR4hNGLPEC9+6PhUp8z2PnUQLzPRWHpKc1oLrnROWaX3XxdDekCzwyOw7ygzZdThVevE+0CqXVOt5SUSUCnd2tjVbvblGi6DBiQY5Tl6+xLqkQHCRqks9187+EN4FdJXkjQodkFzzyiBH5cXVGiZLOhal4koEvxGirr596qM97bIXiJWArdQIDAQAB"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "\"k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Z/MHEzpbWm5EgMkyWb+Xkz44Xrzr4SA5i2u8M2H5yZ1PSb4DpGk3IAX+I05UWax02+WBW3CBb5wU9rH9flgxezBoCf/hiMS1Wjb9hKGIBa2jMCzpF+wa5fyqLkLoAJZF4bc/BJKyi/ET2c7+DAA/2KlWv/nv4MEjcUR4hNGLPEC9+6PhUp8z2PnUQLzPRWHpKc1oLrnROWaX3XxdDekCzwyOw7ygzZdThVevE+0CqXVOt5SUSUCnd2tjVbvblGi6DBiQY5Tl6+xLqkQHCRqks9187+EN4FdJXkjQodkFzzyiBH5cXVGiZLOhal4koEvxGirr596qM97bIXiJWArdQIDAQAB\""
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_mailgun_dmarc" {
+resource "cloudflare_record" "theorangeonenet_mailgun_dmarc" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "_dmarc.mg"
+  value   = "v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;"
   type    = "TXT"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "\"v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;\""
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_mastodon" {
+resource "cloudflare_record" "theorangeonenet_mastodon" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "mastodon"
+  value   = cloudflare_record.sys_domain_pve.hostname
   type    = "CNAME"
-  ttl  = 3600
+  ttl     = 1
-  values = [
-    "${gandi_livedns_record.sys_domain_pve.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_comentario" {
+resource "cloudflare_record" "theorangeonenet_comentario" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "comentario"
-  type = "CNAME"
+  value   = cloudflare_record.sys_domain_walker.value
-  ttl  = 3600
+  type    = "A"
-  values = [
+  ttl     = 1
-    "${gandi_livedns_record.sys_domain_walker.href}."
-  ]
 }
 
-resource "gandi_livedns_record" "theorangeonenet_caa" {
+resource "cloudflare_record" "theorangeonenet_caa" {
-  zone = gandi_livedns_domain.theorangeonenet.id
+  zone_id = cloudflare_zone.theorangeonenet.id
   name    = "@"
   type    = "CAA"
-  ttl  = 3600
+  ttl     = 1
-  values = [
+
-    "0 issue \"letsencrypt.org\"",
+  data = {
-    "0 wildissue \"letsencrypt.org\"",
+    tag   = "issue"
-  ]
+    flags = 0
+    value = "letsencrypt.org"
+  }
 }

terraform/variables.tf

@@ -10,7 +10,7 @@ variable "linode_personal_access_token" {
   sensitive = true
 }
 
-variable "gandi_personal_access_token" {
+variable "gandi_api_key" {
   sensitive = true
 }
 

terraform/walker_vps.tf

@@ -16,11 +16,11 @@ resource "hcloud_server" "walker" {
 resource "hcloud_rdns" "walker_reverse_ipv4" {
   server_id  = hcloud_server.walker.id
   ip_address = hcloud_server.walker.ipv4_address
-  dns_ptr    = gandi_livedns_record.sys_domain_walker.href
+  dns_ptr    = cloudflare_record.sys_domain_walker.hostname
 }
 
 resource "hcloud_rdns" "walker_reverse_ipv6" {
   server_id  = hcloud_server.walker.id
   ip_address = hcloud_server.walker.ipv6_address
-  dns_ptr    = gandi_livedns_record.sys_domain_walker.href
+  dns_ptr    = cloudflare_record.sys_domain_walker.hostname
 }