coredns/.env
Ryan Malloy 3d47d67e89 coredns: production port defaults (5353 plain DNS, 8081 health)
Deployed to dell01.mer.idahomuellers.net with firewall NAT'ing
public requests in to host:5353/tcp+udp.

Port changes baked in as new defaults so future hosts inherit them:
- DNS_PORT: 1053 -> 5353 (dev was 1053 because avahi-daemon owns
  5353 on Arch desktops; production hosts typically don't run avahi
  and 5353 is the conventional non-privileged DNS port — mDNS uses
  multicast 224.0.0.251:5353 which never conflicts with a unicast bind)
- HEALTH_PORT: 8080 -> 8081 (8080 collided with a python3 service
  on dell01; 8081 is less commonly contested)
2026-05-16 13:59:33 -06:00

32 lines
1.1 KiB
Bash

COMPOSE_PROJECT_NAME=coredns
# CoreDNS image pin — use a digest in real deploys
COREDNS_IMAGE=coredns/coredns:1.11.3
# Host ports. systemd-resolved usually binds 53, so default to 5353.
# Override to 53 if you actually want this to be the host's resolver.
DNS_PORT=5353
METRICS_PORT=9153
# 8080 is famously contested (dev servers, alternate HTTP). 8081 less so.
HEALTH_PORT=8081
# DoT (DNS-over-TLS, RFC 7858) — IANA port 853. Host port 8853 to
# stay unprivileged.
DOT_PORT=8853
# DoH (DNS-over-HTTPS, RFC 8484) — typically 443. Host port 8443
# because Caddy already owns 443 on this host.
DOH_PORT=8443
# --- Production cert provisioning (Caddy sidecar + Let's Encrypt) ---
# Hostname the cert is issued for. Must be a name you control and that
# resolves via the public DNS server holding the zone (Vultr's NS).
CADDY_HOSTNAME=dns.l.supported.systems
# Contact email registered with Let's Encrypt for expiry notifications.
ACME_EMAIL=rpm@malloys.us
# VULTR_API_KEY is intentionally NOT stored here. Caddy reads it from
# the shell environment via docker compose's variable interpolation —
# export it in your shell (or in ~/.zshenv) before `make tls-up`.