Wires the custom CoreDNS image (built via coredns/Dockerfile, source
includes git.supported.systems/rsp2k/coredns-rfc2136) into production:
- docker-compose.yml: switch coredns service from upstream image pin
to a build target. New `image: coredns-rfc2136:${COREDNS_IMAGE_TAG}`
is locally-built; `up -d coredns` triggers the build.
- .env: COREDNS_IMAGE_TAG=2026.05.21 (CalVer). Old COREDNS_IMAGE kept
as a comment for emergency rollback to upstream 1.11.3.
- Corefile: new rfc2136 directive inside (common) snippet enumerating
all 84 zones currently in zones/. Plugin is now in the chain for
every server block (plain DNS, DoT, DoH). UPDATE opcode lands in
the plugin handler; auto-commit on, CalVer SOA serial bumping on,
zones-dir /zones matches the existing bind-mount.
TSIG key is read from ${ACME_TSIG_SECRET} which lives in .env.local
(gitignored). Production deployment needs that file synced to dell01
separately.
This commit DOESN'T trigger the deployment by itself -- the image
must be built on dell01 and the container recreated to apply.
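The commit message turns on "CalVer SOA serial bumping" for zones changed by RFC 2136 UPDATE. The following is an added illustration (not the plugin's code and not part of this repository) of what such a bump must guarantee: the new serial has to be greater than the old one under RFC 1982 serial arithmetic, or secondaries will ignore the NOTIFY and keep serving the stale zone, and several updates on the same day must each get a distinct serial. The YYYYMMDDnn layout and the sample serials are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// SerialGreater reports whether a is "after" b under RFC 1982 serial
// number arithmetic, the comparison secondaries use to decide whether a
// NOTIFY warrants a zone transfer.
func SerialGreater(a, b uint32) bool {
	d := a - b // wraps modulo 2^32 by Go's unsigned semantics
	return d != 0 && d < 1<<31
}

// NextCalVerSerial computes the SOA serial to write after an UPDATE is
// committed. Layout assumed here is YYYYMMDDnn: today's date followed by
// a two-digit change counter. If the current serial is already at or
// beyond today's base (same-day updates, a clock that went backwards, or
// a legacy non-date serial that happens to be large), it simply
// increments, so SerialGreater(result, current) holds in every branch at
// the cost of the date no longer being readable from the serial.
func NextCalVerSerial(current uint32, now time.Time) uint32 {
	y, m, d := now.UTC().Date()
	base := uint32(y)*1_000_000 + uint32(m)*10_000 + uint32(d)*100 // YYYYMMDD00
	if SerialGreater(base, current) {
		return base
	}
	return current + 1
}

func main() {
	// Constructed sample: yesterday's serial followed by three same-day updates.
	now := time.Date(2026, time.May, 21, 12, 0, 0, 0, time.UTC)
	s := uint32(2026052003)
	for i := 0; i < 4; i++ {
		next := NextCalVerSerial(s, now)
		fmt.Printf("%d -> %d (greater: %v)\n", s, next, SerialGreater(next, s))
		s = next
	}
}
```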
37 lines
1.5 KiB
Bash
COMPOSE_PROJECT_NAME=coredns

# Custom CoreDNS image tag (CalVer). Built locally via `docker compose
# build coredns` using ./coredns/Dockerfile; pulls plugins from the
# referenced git repos at build time. Bump this when re-rolling.
COREDNS_IMAGE_TAG=2026.05.21
# Legacy pin (no longer the active image; kept for emergency rollback
# to upstream CoreDNS if the custom build needs to be reverted).
COREDNS_IMAGE=coredns/coredns:1.11.3

# Host ports. systemd-resolved usually binds 53, so default to 5353.
# Override to 53 if you actually want this to be the host's resolver.
DNS_PORT=5353
METRICS_PORT=9153
# 8080 is famously contested (dev servers, alternate HTTP). 8081 less so.
HEALTH_PORT=8081

# DoT (DNS-over-TLS, RFC 7858) — IANA port 853. Host port 8853 to
# stay unprivileged.
DOT_PORT=8853

# DoH (DNS-over-HTTPS, RFC 8484) — typically 443. Host port 8443
# because Caddy already owns 443 on this host.
DOH_PORT=8443

# --- Production cert provisioning (Caddy sidecar + Let's Encrypt) ---
# Hostname the cert is issued for. Must be a name you control and that
# resolves via the public DNS server holding the zone (Vultr's NS).
CADDY_HOSTNAME=dns.supported.systems

# Contact email registered with Let's Encrypt for expiry notifications.
ACME_EMAIL=rpm@malloys.us

# VULTR_API_KEY is intentionally NOT stored here. Caddy reads it from
# the shell environment via docker compose's variable interpolation —
# export it in your shell (or in ~/.zshenv) before `make tls-up`.