From 3720cd2885cb3f3ef04721d74cffd669325ad7c5 Mon Sep 17 00:00:00 2001
From: Ryan Malloy
Date: Thu, 21 May 2026 12:17:20 -0600
Subject: [PATCH] deploy: enable rfc2136 plugin for all 84 production zones

Wires the custom CoreDNS image (built via coredns/Dockerfile, source includes git.supported.systems/rsp2k/coredns-rfc2136) into production:
- docker-compose.yml: switch coredns service from upstream image pin to a build target. New `image: coredns-rfc2136:${COREDNS_IMAGE_TAG}` is locally-built; `up -d coredns` triggers the build.
- .env: COREDNS_IMAGE_TAG=2026.05.21 (CalVer). Old COREDNS_IMAGE kept as a comment for emergency rollback to upstream 1.11.3.
- Corefile: new rfc2136 directive inside (common) snippet enumerating all 84 zones currently in zones/. Plugin is now in the chain for every server block (plain DNS, DoT, DoH). UPDATE opcode lands in the plugin handler; auto-commit on, CalVer SOA serial bumping on, zones-dir /zones matches the existing bind-mount. TSIG key is read from ${ACME_TSIG_SECRET} which lives in .env.local (gitignored). Production deployment needs that file synced to dell01 separately. This commit DOESN'T trigger the deployment by itself -- the image must be built on dell01 and the container recreated to apply.
---
.env | 7 ++++++-
Corefile | 13 +++++++++++++
docker-compose.yml | 9 ++++++++-
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/.env b/.env
index 20f1fa9..e39613e 100644
--- a/.env
+++ b/.env
@@ -1,6 +1,11 @@
 COMPOSE_PROJECT_NAME=coredns
-# CoreDNS image pin — use a digest in real deploys
+# Custom CoreDNS image tag (CalVer). Built locally via `docker compose
+# build coredns` using ./coredns/Dockerfile; pulls plugins from the
+# referenced git repos at build time. Bump this when re-rolling.
+COREDNS_IMAGE_TAG=2026.05.21
+# Legacy pin (no longer the active image; kept for emergency rollback
+# to upstream CoreDNS if the custom build needs to be reverted).
 COREDNS_IMAGE=coredns/coredns:1.11.3
 # Host ports. systemd-resolved usually binds 53, so default to 5353.
diff --git a/Corefile b/Corefile
index ab05857..e313ef5 100644
--- a/Corefile
+++ b/Corefile
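Review bot: The new "kept for emergency rollback" comment on `COREDNS_IMAGE` promises more than this variable can deliver now: after this commit docker-compose.yml no longer references `${COREDNS_IMAGE}` at all (the `image:` line is replaced by the `build:`/`coredns-rfc2136` pair), and the Corefile gains an `rfc2136` directive that upstream CoreDNS has no plugin for, so pointing compose back at 1.11.3 would, as far as I can tell, fail at Corefile parse time rather than roll back. The removed line "use a digest in real deploys" is also more relevant after this change, not less, because the image is now assembled from plugin sources fetched from git at build time. I would reword the comment to describe the actual procedure, e.g. `# Rollback: restore image: ${COREDNS_IMAGE} in docker-compose.yml AND revert the rfc2136 block in Corefile (upstream CoreDNS cannot parse it); prefer a digest pin here.`, and, if coredns/Dockerfile does not already, pin the base image by digest and the plugin repo to a commit so the CalVer tag maps to reproducible inputs.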
@@ -24,6 +24,19 @@
 to *
 }
+ # RFC 2136 dynamic DNS updates (TSIG-authenticated). Accepts UPDATE
+ # opcode messages from authorised clients (e.g. caddy-dns/rfc2136
+ # for ACME DNS-01) and applies them to the source zone files.
+ # SOA serial bumped automatically (CalVer); changes auto-committed
+ # to git. Plugin source: git.supported.systems/rsp2k/coredns-rfc2136
+ rfc2136 acrazy.org automaton.global automaton.host blender.bet blender.cam blender.partners blender.quest blender.systems cloud-dine.com context.bet coopermalloy.com copper-springs.online cyberinsuranceapp.com demostar.app demostar.click demostar.io demostar.net demo-tube.com dignity.ink dope.team encom.cash encom.ink encom.website encom.wtf enls.us enls.video freemyradicals.com garage.ceo garage.christmas garage.doctor garage.dog garage.engineering garage.makeup garage.rocks garage.supply glennsferry.site home-inspector.app home-inspector.pics home-inspector.site home-inspector.store home-inspector.website homestar.ink inpect.pro inspect.monster inspect.pics inspects.homes inspect.systems jobsite.homes kg7q.cc log.doctor lukascrockett.com malloys.us mcpdash.wtf mcp.website myhood.us nielsen-inspections.com nielsens.world ourjob.site paigemalloy.com paythatway.com powdercoatedcabinents.com powdercoatedcabinet.com powdercotedcabinets.com prezhub.com reviewr.guru rsvp-for.de ryanmalloy.com screencast.systems septic.report sidejob.pro spencernewbolt.com supported.systems supportedsystems.com supportedsystems.net syslog.chat tatemalloy.com tateorrtot.games timber.ink trackfeeds.cloud tuckermalloy.com upc.llc warehack.ing westboise.org zmesh.systems {
+ zones-dir /zones
+ tsig-key acme-update-key. hmac-sha256 {$ACME_TSIG_SECRET}
+ ttl 60
+ auto-commit true
+ git-author "coredns-rfc2136" "rfc2136@coredns.supported.systems"
+ }
+
 forward . 1.1.1.1 1.0.0.1 9.9.9.9 {
 max_concurrent 1000
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index f150f38..be9f8f8 100644
--- a/docker-compose.yml
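Review bot: One TSIG key, `acme-update-key.`, now authorises RFC 2136 UPDATEs against all 84 zones, and nothing in the `rfc2136` block narrows what it may change, so whoever holds `ACME_TSIG_SECRET` (the ACME client host, per the comment) can rewrite apex A/MX/NS records in every listed zone, not just `_acme-challenge` TXT; a compromise of that client becomes a takeover of every domain. Because the directive lives in the `(common)` snippet the handler is reached from the public plain-DNS listener as well, so TSIG decides who succeeds but unauthenticated UPDATEs still enter the plugin; it is worth confirming that it answers REFUSED without touching `/zones` or git, and that an unset `{$ACME_TSIG_SECRET}` makes startup fail rather than yield an empty key. If the plugin supports it, restrict the key to TXT at `_acme-challenge.*` or issue per-zone keys; otherwise delegate the `_acme-challenge` labels to a dedicated zone so the ACME key can only write there. Either way I would record the decision next to the key line, e.g. `# NOTE: this key can update ANY record in every listed zone -- guard ACME_TSIG_SECRET accordingly.`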
+++ b/docker-compose.yml
@@ -43,7 +43,14 @@ services:
 start_period: 5s
 coredns:
- image: ${COREDNS_IMAGE}
+ # Custom build with the rfc2136 plugin baked in. The image tag is
+ # CalVer (set in .env COREDNS_IMAGE_TAG) so we can pin specific
+ # builds; `docker compose build coredns` produces the locally-tagged
+ # image, then up -d picks it up.
+ build:
+ context: .
+ dockerfile: coredns/Dockerfile
+ image: coredns-rfc2136:${COREDNS_IMAGE_TAG}
 container_name: coredns
 restart: unless-stopped
 command: ["-conf", "/etc/coredns/Corefile"]
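Review bot: `context: .` ships the whole repository root to the Docker daemon as build context, which per the commit message includes the gitignored `.env.local` holding `ACME_TSIG_SECRET` and the `zones/` tree; unless a `.dockerignore` excludes them (not visible in this diff), a broad `COPY` in coredns/Dockerfile would bake the TSIG secret into image layers. Narrowing to `context: ./coredns` (with `dockerfile: Dockerfile`) removes that exposure without relying on an ignore rule. Separately, `${COREDNS_IMAGE_TAG}` has no default, so an unset variable on dell01 expands to the image name `coredns-rfc2136:` and a confusing build error; `image: coredns-rfc2136:${COREDNS_IMAGE_TAG:?set COREDNS_IMAGE_TAG in .env}` makes compose fail loudly instead. Note too that compose reads `.env` for interpolation but not `.env.local`, and the Corefile's `{$ACME_TSIG_SECRET}` is resolved from the container's own environment, so the service needs an `env_file:` or `environment:` entry for the secret (none appears in this hunk) for the rfc2136 key to resolve.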