DNS is provided by the nameserver
group and role. It manages two authoritative DNS servers located at core.host.jb3.dev
and rt1.host.jb3.dev
.
DNS servers are authoritative for the following zones:
- jb3.dev
Zones are signed using DNSSEC and keys are automatically generated if not present on the local machine. After DNS has been deployed the necessary DS records are downloaded from core.host.jb3.dev, it is only required to put the SHA256 hash at the registrar, not the shorter SHA1 hash.
Eventually I’ll write a blog post on this.
NGINX is installed and deployed to a single server using the nginx
role. Configuration is automatically generated according to role variables defining static sites and reverse proxies.
See the NGINX role for configuration and active sites. TLS certificates are currently generated using the HTTP-01 ACME challenge, though I hope to migrate this to DNS-01 with the above custom DNS system soon.
My blog (jb3.dev) is hosted by the above NGINX instance. It is deployed via rsync
over the Tailscale network that all hosts are a member of.
You can find that workflow here.