#!/usr/bin/env bash # Bootstraps a domain for self-hosted ACME DNS-01 cert automation. # # Adds a single `_acme-challenge. CNAME .auth.supported.systems` # record to the zone file. After this one-time edit + push, all future cert # issuance and renewal for the domain happens via dynamic RFC 2136 UPDATEs # to the auth.supported.systems sub-zone (served by CoreDNS + rfc2136 plugin # on dell01) — no further zone-file churn. # # Usage: # scripts/acme-add-domain.sh example.com # # After running: # 1. Verify the line was added correctly: `tail -3 zones/example.com.zone` # 2. Commit: `git add zones/example.com.zone` # 3. Push: rsync to dell01, `make prep` # 4. Configure Caddy with the same UUID (see plan Phase 6). # # This script is SCAFFOLDING — the upstream rfc2136 plugin and the # auth.supported.systems delegation must be operational before the # generated CNAMEs actually do anything useful. set -euo pipefail DOMAIN="${1:?usage: $(basename "$0") }" ZONE_FILE="zones/${DOMAIN}.zone" # Must run from the repo root so the relative zone path resolves. if [[ ! -f "$ZONE_FILE" ]]; then echo "Zone file not found: $ZONE_FILE" >&2 echo "Run from the coredns repo root, and ensure the zone exists." >&2 exit 1 fi # Refuse to add a duplicate. if grep -qE "^_acme-challenge\b" "$ZONE_FILE"; then echo "_acme-challenge record already present in $ZONE_FILE — skipping." >&2 echo "Existing line(s):" >&2 grep -E "^_acme-challenge\b" "$ZONE_FILE" >&2 exit 1 fi UUID="$(cat /proc/sys/kernel/random/uuid)" LINE=$(printf "_acme-challenge\t300\tIN\tCNAME\t%s.auth.supported.systems" "$UUID") echo "$LINE" >> "$ZONE_FILE" echo "Added to $ZONE_FILE:" echo " $LINE" echo "" echo "Caddyfile snippet for ${DOMAIN}:" cat <