From 813148c4af3e2d358d037ea5cdf8d378ddfe76ea Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Wed, 6 May 2026 18:02:25 +0000
Subject: [PATCH] kms: switch to non-proxied DNS so port 1688 is reachable externally

Cloudflare cannot proxy raw TCP/1688 (KMS protocol). Switch kms.viktorbarzin.me from CF-proxied CNAME to direct A/AAAA so clients can reach the vlmcsd LoadBalancer (10.0.20.200) via the existing pfSense WAN port-forward for 1688. Verified end-to-end: vlmcs against 176.12.22.76:1688 completes the KMS V4 handshake for Office Professional Plus 2019.

Co-Authored-By: Claude Opus 4.7
---
 stacks/kms/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf
index 1ad91cd2..3b758159 100644
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@@ -124,7 +124,7 @@ resource "kubernetes_service" "kms-web-page" {
 module "ingress" {
 source = "../../modules/kubernetes/ingress_factory"
- dns_type = "proxied"
+ dns_type = "non-proxied"
 namespace = kubernetes_namespace.kms.metadata[0].name
 name = "kms"
 tls_secret_name = var.tls_secret_name
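Review bot: Setting `dns_type = "non-proxied"` on the shared `ingress` module changes the record for the whole hostname, so the web ingress served under the same name (the one using `tls_secret_name`) presumably also loses Cloudflare proxying and resolves straight to the WAN address, not only TCP/1688. The ingress_factory module is not visible here, so this is inferred from the commit message rather than from the module's code. If the web page should stay behind the proxy, consider a separate non-proxied record for the KMS port; otherwise record the trade-off above the line, e.g. `# non-proxied: CF cannot proxy raw TCP/1688; origin IP becomes public, exposure is bounded by the pfSense port-forward rules`. It is also worth confirming that the pfSense forward for 1688 restricts or rate-limits source addresses, since as far as this diff shows it is the only control left in front of vlmcsd. The `module "ingress"` block continues past the end of the hunk.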