Ryan Malloy
48cddc91cf
Lays the groundwork for a future CoreDNS rfc2136 plugin that will accept TSIG-authenticated dynamic DNS updates from Caddy (via caddy-dns/rfc2136), enabling self-hosted ACME DNS-01 cert automation without depending on registrar APIs. Nothing in this commit is active at runtime: - Corefile additions are commented out - coredns/Dockerfile references a plugin repo that doesn't exist yet - scripts/acme-add-domain.sh just appends CNAME glue but has nothing to talk to until the plugin is built Architecture and implementation plan: ~/.claude/plans/dood-does-coredns-offer-enumerated-piglet.md Secret management: TSIG key generated and stored in .env.local (gitignored). .env.local.example documents the expected shape.
67 lines
2.1 KiB
Bash
Executable File
67 lines
2.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Bootstraps a domain for self-hosted ACME DNS-01 cert automation.
|
|
#
|
|
# Adds a single `_acme-challenge.<domain> CNAME <uuid>.auth.supported.systems`
|
|
# record to the zone file. After this one-time edit + push, all future cert
|
|
# issuance and renewal for the domain happens via dynamic RFC 2136 UPDATEs
|
|
# to the auth.supported.systems sub-zone (served by CoreDNS + rfc2136 plugin
|
|
# on dell01) — no further zone-file churn.
|
|
#
|
|
# Usage:
|
|
# scripts/acme-add-domain.sh example.com
|
|
#
|
|
# After running:
|
|
# 1. Verify the line was added correctly: `tail -3 zones/example.com.zone`
|
|
# 2. Commit: `git add zones/example.com.zone`
|
|
# 3. Push: rsync to dell01, `make prep`
|
|
# 4. Configure Caddy with the same UUID (see plan Phase 6).
|
|
#
|
|
# This script is SCAFFOLDING — the upstream rfc2136 plugin and the
|
|
# auth.supported.systems delegation must be operational before the
|
|
# generated CNAMEs actually do anything useful.
|
|
|
|
set -euo pipefail
|
|
|
|
DOMAIN="${1:?usage: $(basename "$0") <domain>}"
|
|
ZONE_FILE="zones/${DOMAIN}.zone"
|
|
|
|
# Must run from the repo root so the relative zone path resolves.
|
|
if [[ ! -f "$ZONE_FILE" ]]; then
|
|
echo "Zone file not found: $ZONE_FILE" >&2
|
|
echo "Run from the coredns repo root, and ensure the zone exists." >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Refuse to add a duplicate.
|
|
if grep -qE "^_acme-challenge\b" "$ZONE_FILE"; then
|
|
echo "_acme-challenge record already present in $ZONE_FILE — skipping." >&2
|
|
echo "Existing line(s):" >&2
|
|
grep -E "^_acme-challenge\b" "$ZONE_FILE" >&2
|
|
exit 1
|
|
fi
|
|
|
|
UUID="$(cat /proc/sys/kernel/random/uuid)"
|
|
LINE=$(printf "_acme-challenge\t300\tIN\tCNAME\t%s.auth.supported.systems" "$UUID")
|
|
|
|
echo "$LINE" >> "$ZONE_FILE"
|
|
|
|
echo "Added to $ZONE_FILE:"
|
|
echo " $LINE"
|
|
echo ""
|
|
echo "Caddyfile snippet for ${DOMAIN}:"
|
|
cat <<EOF
|
|
${DOMAIN} {
|
|
tls {
|
|
dns rfc2136 {
|
|
key_name acme-update-key.
|
|
key_alg hmac-sha256
|
|
key {env.ACME_TSIG_SECRET}
|
|
server dns.supported.systems:53
|
|
}
|
|
}
|
|
# ... rest of site config
|
|
}
|
|
EOF
|
|
echo ""
|
|
echo "Next steps: git commit, rsync to dell01, run 'make prep'."
|