The final set of fixes to make the rfc2136 plugin truly operational
in production:
- coredns/Dockerfile: switch runtime stage from gcr.io/distroless to
alpine:3.20. Distroless has no package manager and no shell, so
`git commit` (called by the plugin's auto-commit code path) had no
way to execute. Alpine adds ~10 MB image size but gives us git +
a usable shell for debugging.
- docker-compose.yml: `user: "${COREDNS_UID:-1003}:${COREDNS_GID:-1004}"`.
The container runs as the host's rpm user (uid 1003/gid 1004 on
dell01) so zone files the plugin writes are owned by rpm:rpm on
the host -- not root. Without this the plugin would write
root-owned files we couldn't read or git-edit. Defaults match
dell01; override per-host via env if needed.
- .env.example: documents COREDNS_IMAGE_TAG (CalVer; bump per build).
Add COREDNS_UID/GID if you need to override on a host where rpm
has different numeric ids.
Combined with the bumped image tag (2026.05.21.2), the full
end-to-end flow works: caddy/nsupdate -> TSIG verify -> plugin
handler -> atomic file write -> git auto-commit -> auto plugin
reload -> query returns new record.
51 lines
2.2 KiB
Plaintext
# Template for the operational .env file. Copy to .env and fill in real
# values. .env is gitignored (contains the active TSIG secret + any
# other host-specific overrides). Keeping this template in git lets
# new operators / fresh checkouts know what env vars are expected.

COMPOSE_PROJECT_NAME=coredns

# Custom CoreDNS image tag (CalVer). Built locally via `docker compose
# build coredns` using ./coredns/Dockerfile; pulls plugins from the
# referenced git repos at build time. Bump this when re-rolling.
COREDNS_IMAGE_TAG=2026.05.21.1
# Legacy pin (no longer the active image; kept for emergency rollback
# to upstream CoreDNS if the custom build needs to be reverted).
COREDNS_IMAGE=coredns/coredns:1.11.3

# Host ports. systemd-resolved usually binds 53, so default to 5353.
# Override to 53 if you actually want this to be the host's resolver.
DNS_PORT=5353
METRICS_PORT=9153
# 8080 is famously contested (dev servers, alternate HTTP). 8081 less so.
HEALTH_PORT=8081

# DoT (DNS-over-TLS, RFC 7858) — IANA port 853. Host port 8853 to
# stay unprivileged.
DOT_PORT=8853

# DoH (DNS-over-HTTPS, RFC 8484) — typically 443. Host port 8443
# because Caddy already owns 443 on this host.
DOH_PORT=8443

# --- Production cert provisioning (Caddy sidecar + Let's Encrypt) ---
# Hostname the cert is issued for. Must be a name you control and that
# resolves via the public DNS server holding the zone (Vultr's NS).
CADDY_HOSTNAME=dns.supported.systems

# Contact email registered with Let's Encrypt for expiry notifications.
ACME_EMAIL=rpm@malloys.us

# VULTR_API_KEY is intentionally NOT stored here. Caddy reads it from
# the shell environment via docker compose's variable interpolation —
# export it in your shell (or in ~/.zshenv) before `make tls-up`.

# TSIG shared secret for the rfc2136 plugin (RFC 2136 dynamic updates).
# Same secret is used by all authorised RFC 2136 clients (Caddy via
# caddy-dns/rfc2136, nsupdate, etc.). Rotate by regenerating with
# `openssl rand -base64 32` and updating this value + all clients.
# Lives in `.env` (tracked in our PRIVATE git) for operational
# simplicity; if you want a stricter convention, move to `.env.local`
# (gitignored) and pass `--env-file .env.local` at compose time.
ACME_TSIG_SECRET=GENERATE_VIA_openssl_rand_base64_32
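A pre-flight check for the operational .env that follows from the conventions these template comments spell out, as an added example that is not part of the repository: it assumes the key names above, treats ACME_TSIG_SECRET as the 32-byte base64 output of `openssl rand -base64 32`, and flags a VULTR_API_KEY pasted into the file; the sample .env contents are constructed.

```python
"""Pre-flight check for the operational .env (added example, not repo code)."""
import base64
import re

ASSIGN = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")
TSIG_PLACEHOLDER = "GENERATE_VIA_openssl_rand_base64_32"
PORT_KEYS = ("DNS_PORT", "METRICS_PORT", "HEALTH_PORT", "DOT_PORT", "DOH_PORT")

def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    out = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2).strip().strip('"')
    return out

def check_env(env_text, example_text):
    """Return a list of findings; an empty list means the .env passes."""
    env, example = parse_env(env_text), parse_env(example_text)
    # Every key documented in .env.example must be present in .env.
    findings = [f"missing key documented in .env.example: {k}"
                for k in example if k not in env]
    # The Vultr key is read from the shell environment, never from the file.
    if "VULTR_API_KEY" in env:
        findings.append("VULTR_API_KEY belongs in the shell environment, not .env")
    # TSIG secret: not the template placeholder, valid base64, 32 random bytes.
    secret = env.get("ACME_TSIG_SECRET", "")
    if not secret or secret == TSIG_PLACEHOLDER:
        findings.append("ACME_TSIG_SECRET is still the template placeholder")
    else:
        try:
            n = len(base64.b64decode(secret, validate=True))
            if n < 32:
                findings.append(f"ACME_TSIG_SECRET is only {n} bytes; expected 32")
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("ACME_TSIG_SECRET is not valid base64")
    # Host ports are interpolated into the compose file; reject junk early.
    for key in PORT_KEYS:
        v = env.get(key)
        if v is not None and not (v.isdigit() and 1 <= int(v) <= 65535):
            findings.append(f"{key}={v!r} is not a valid port")
    return findings

# Constructed inputs: a trimmed .env.example and two candidate .env files.
EXAMPLE = ("COMPOSE_PROJECT_NAME=coredns\nDNS_PORT=5353\nDOT_PORT=8853\n"
           "DOH_PORT=8443\nCADDY_HOSTNAME=dns.example.test\n"
           f"ACME_TSIG_SECRET={TSIG_PLACEHOLDER}\n")
GOOD_ENV = EXAMPLE.replace(TSIG_PLACEHOLDER, base64.b64encode(bytes(32)).decode())
BAD_ENV = EXAMPLE.replace("DOH_PORT=8443\n", "") + "VULTR_API_KEY=pasted-by-mistake\n"
```

Running `check_env(open(".env").read(), open(".env.example").read())` before `make tls-up` catches a forgotten placeholder secret or a missing key before compose interpolates it into the container.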