From e1bd1115623a6e71d14bb13ecca9a2ad87c844fe Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 3 Jul 2026 10:52:30 +0000 Subject: [PATCH] rename CF Pages site most.viktorbarzin.me -> bridge.viktorbarzin.me MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Viktor asked to rename the 'мост' school static site to 'bridge'. New Cloudflare Pages project 'bridge' (bridge-cv2.pages.dev) already deployed and the custom domain attached; this renames the public CNAME (TF resource most_pages -> bridge_pages, destroy+create swaps the record) and the internal split-horizon static CNAME in the ingress-dns-sync CronJob. The old 'most' Pages project and the stale internal 'most' record are removed out-of-band after this applies. Co-Authored-By: Claude Fable 5 --- docs/architecture/dns.md | 4 ++-- stacks/cloudflared/modules/cloudflared/cloudflare.tf | 8 ++++---- stacks/technitium/modules/technitium/main.tf | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/architecture/dns.md b/docs/architecture/dns.md index 106c2021..07c3b31c 100644 --- a/docs/architecture/dns.md +++ b/docs/architecture/dns.md 
@@ -277,7 +277,7 @@ Technitium's **Split Horizon AddressTranslation** app post-processes DNS respons Config is synced to all 3 Technitium instances by CronJob `technitium-split-horizon-sync` (every 6h). -**Superset rule for the internal `viktorbarzin.me` zone**: it is authoritative for every internal client (pods included since 2026-06-10), so it must carry every record type those clients consume — not just ingress A/CNAMEs. The `technitium-ingress-dns-sync` CronJob therefore also maintains the static **mail-auth records** (apex SPF + brevo-code TXT, MX → mail.viktorbarzin.me, `_dmarc`, `mail._domainkey` DKIM), mirrored from the public Cloudflare zone. Without them, rspamd on the mailserver saw `SPF=none` for inbound `@viktorbarzin.me` mail and quarantined it (broke the Brevo email-roundtrip probe, 2026-06-10). If these records change in Cloudflare, update the sync script too. The same applies to **off-infra sites** (e.g. `most` → CNAME `most-6if.pages.dev`, Cloudflare Pages): any public-only name with no Traefik ingress must be added as a static record in the sync script, or internal clients NXDOMAIN on it while it works fine externally. +**Superset rule for the internal `viktorbarzin.me` zone**: it is authoritative for every internal client (pods included since 2026-06-10), so it must carry every record type those clients consume — not just ingress A/CNAMEs. The `technitium-ingress-dns-sync` CronJob therefore also maintains the static **mail-auth records** (apex SPF + brevo-code TXT, MX → mail.viktorbarzin.me, `_dmarc`, `mail._domainkey` DKIM), mirrored from the public Cloudflare zone. Without them, rspamd on the mailserver saw `SPF=none` for inbound `@viktorbarzin.me` mail and quarantined it (broke the Brevo email-roundtrip probe, 2026-06-10). If these records change in Cloudflare, update the sync script too. The same applies to **off-infra sites** (e.g. 
`bridge` → CNAME `bridge-cv2.pages.dev`, Cloudflare Pages): any public-only name with no Traefik ingress must be added as a static record in the sync script, or internal clients NXDOMAIN on it while it works fine externally. ## NodeLocal DNSCache @@ -368,7 +368,7 @@ The Cloudflare tunnel uses a **wildcard rule** (`*.viktorbarzin.me → Traefik`) | TXT (MTA-STS) | 1 | `v=STSv1; id=20260412` | TLS enforcement | | TXT (TLSRPT) | 1 | `v=TLSRPTv1; rua=mailto:postmaster@...` | TLS reporting | | A (keyserver) | 1 | `130.162.165.220` (Oracle VPS) | PGP keyserver | -| CNAME (CF Pages) | 1 | `most-6if.pages.dev` (Cloudflare Pages) | `most` — static site hosted off-infra on CF Pages, content deployed via wrangler | +| CNAME (CF Pages) | 1 | `bridge-cv2.pages.dev` (Cloudflare Pages) | `bridge` — static site hosted off-infra on CF Pages, content deployed via wrangler | ### Proxied vs Non-Proxied diff --git a/stacks/cloudflared/modules/cloudflared/cloudflare.tf b/stacks/cloudflared/modules/cloudflared/cloudflare.tf index 58d87333..92554bb1 100644 --- a/stacks/cloudflared/modules/cloudflared/cloudflare.tf +++ b/stacks/cloudflared/modules/cloudflared/cloudflare.tf @@ -236,11 +236,11 @@ resource "cloudflare_record" "keyserver" { } # Cloudflare Pages site "мост" (ОбУ „Отец Паисий“ school static site). -# Content is deployed off-infra to the Pages project `most` via +# Content is deployed off-infra to the Pages project `bridge` via # `wrangler pages deploy`; this record just points the custom domain at it. -resource "cloudflare_record" "most_pages" { - content = "most-6if.pages.dev" - name = "most" +resource "cloudflare_record" "bridge_pages" { + content = "bridge-cv2.pages.dev" + name = "bridge" proxied = true ttl = 1 type = "CNAME" diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf index a80c209c..5dfe8cbf 100644 --- a/stacks/technitium/modules/technitium/main.tf +++ b/stacks/technitium/modules/technitium/main.tf 
@@ -1008,7 +1008,7 @@ resource "kubernetes_cron_job_v1" "technitium_ingress_dns_sync" { # internal client (LAN, VLANs, pods) gets NXDOMAIN for them. # Target is the pages.dev host — resolves via upstream to CF # edge IPs; normal egress, no hairpin involved. - add_cname "most.$$ZONE" "most-6if.pages.dev" + add_cname "bridge.$$ZONE" "bridge-cv2.pages.dev" # Pin the .lan ingress anchor A record to the LIVE Traefik LB IP. # *.viktorbarzin.lan ingress hosts CNAME to ingress.viktorbarzin.lan,
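Review bot: for the `docs/architecture/dns.md` hunk at `@@ -277,7 +277,7 @@`, the superset-rule paragraph states the add side of the rule (any public-only name must be added as a static record) but not the retire side, which this very rename exercises: the commit message says the stale internal `most` record is removed out-of-band, so the doc should also say that renaming or retiring an off-infra name means removing its old static record from the internal zone, otherwise internal clients keep resolving a name the public zone no longer serves. Suggest appending a sentence such as: "When such a site is renamed or retired, remove the old static record as well; the sync script visible in `main.tf` only has `add_cname` calls and does not prune stale names."

Review bot: for the `stacks/cloudflared/modules/cloudflared/cloudflare.tf` hunk at `@@ -236,11 +236,11 @@`, the unchanged comment line `# Cloudflare Pages site "мост" (ОбУ „Отец Паисий“ school static site).` still identifies the site only by its Cyrillic name, so a search for `bridge` finds the renamed resource but not its explanatory comment, and a search for `most` now matches only this comment. Suggest naming both, e.g. `# Cloudflare Pages site "bridge" (formerly "most"/"мост", ОбУ „Отец Паисий“ school static site).` It is also worth recording in the comment that this rename is a destroy+create of the DNS record (as the commit message notes), since the old `most` name stops resolving publicly as soon as this applies and nothing in the Terraform code provides a grace period or redirect.

Review bot: for the `stacks/technitium/modules/technitium/main.tf` hunk at `@@ -1008,7 +1008,7 @@`, replacing `add_cname "most.$$ZONE" "most-6if.pages.dev"` with `add_cname "bridge.$$ZONE" "bridge-cv2.pages.dev"` adds the new internal record but removes nothing, so `most.viktorbarzin.me` keeps resolving internally to `most-6if.pages.dev` until the out-of-band cleanup the commit message mentions. Because the old `most` Pages project is also scheduled for out-of-band deletion, sequence that cleanup so the stale internal record is deleted before (or together with) the Pages project; otherwise internal clients resolve a name to a pages.dev host that no longer exists, which is exactly the dangling-CNAME condition this split-horizon setup is meant to avoid. If the sync script has a delete helper, a one-off removal next to this `add_cname` would make the cleanup part of the reviewed change rather than a manual step; if it does not, a tracked TODO at this line is the minimum.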