Switch from homelab.local to coreworlds.io with split-horizon DNS and LAN-only access controls
- Migrate all ingress hostnames from *.homelab.local to *.coreworlds.io - Remove broken Traefik certresolver config (cert-manager handles TLS) - Add internal-only IP allowlist middleware for platform services - Add IngressRoutes for ArgoCD, Grafana, Longhorn (LAN-only via middleware) - Seal and add Cloudflare API token for cert-manager DNS-01 challenges - Update cert-manager ClusterIssuers with real email - Update k3s TLS SAN to k3s.coreworlds.io - Rewrite Ubiquiti docs for single-node topology and split-horizon DNS - Fix seal-secret.sh controller name to match Helm release - Add UCG DNS setup script using API key auth
@@ -34,7 +34,7 @@ kubectl create secret generic "$SECRET_NAME" \
|
||||
| kubeseal \
|
||||
--format yaml \
|
||||
--controller-namespace kube-system \
|
||||
--controller-name sealed-secrets \
|
||||
--controller-name sealed-secrets-helm \
|
||||
> "${SECRET_NAME}-sealed.yaml"
|
||||
|
||||
echo "Sealed secret written to ${SECRET_NAME}-sealed.yaml"
|
||||
|
||||
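--- /dev/null
+++ b/scripts/ucg-dns-setup.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+UCG_HOST="${UCG_HOST:-192.168.1.1}"
+BASE_URL="https://${UCG_HOST}"
+
+TARGET_IP="${1:-192.168.1.50}"
+DOMAIN="${2:-coreworlds.io}"
+
+RECORDS=(
+"$DOMAIN"
+"*.$DOMAIN"
+)
+
+# --- Auth ---
+
+if [[ -z "${UCG_API_KEY:-}" ]]; then
+echo "Error: UCG_API_KEY is not set"
+echo "Create an API key in UniFi OS → Settings → API Keys"
+exit 1
+fi
+
+AUTH_HEADER="X-API-Key: ${UCG_API_KEY}"
+
+# --- Fetch existing records ---
+
+echo "Fetching existing static DNS entries..."
+EXISTING=$(curl -sk -X GET "${BASE_URL}/proxy/network/v2/api/site/default/static-dns" \
+-H "$AUTH_HEADER")
+
+# --- Create records ---
+
+for RECORD in "${RECORDS[@]}"; do
+# Skip if record already exists
+if echo "$EXISTING" | grep -q "\"key\":\"${RECORD}\""; then
+echo " [skip] ${RECORD} → ${TARGET_IP} (already exists)"
+continue
+fi
+
+echo " [create] ${RECORD} → ${TARGET_IP}"
+HTTP_CODE=$(curl -sk -X POST "${BASE_URL}/proxy/network/v2/api/site/default/static-dns" \
+-H "$AUTH_HEADER" \
+-H "Content-Type: application/json" \
+-d "{\"key\":\"${RECORD}\",\"value\":\"${TARGET_IP}\",\"record_type\":\"A\",\"enabled\":true}" \
+-o /dev/null \
+-w '%{http_code}')
+
+if [[ "$HTTP_CODE" == "200" || "$HTTP_CODE" == "201" ]]; then
+echo " ✓ created"
+else
+echo " ✗ failed (HTTP ${HTTP_CODE})"
+fi
+done
+
+# --- Verify ---
+
+echo ""
+echo "Current static DNS entries:"
+curl -sk -X GET "${BASE_URL}/proxy/network/v2/api/site/default/static-dns" \
+-H "$AUTH_HEADER" | python3 -m json.tool 2>/dev/null || echo "(could not pretty-print response)"
+
+echo ""
+echo "Done. Test with: dig @${UCG_HOST} ${DOMAIN}"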
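Review bot: All three curl calls in this new file use `-k`, which disables certificate verification on the very requests that carry the API key in the `X-API-Key` header, so the key is only as protected as the LAN path to `${UCG_HOST}` and the JSON fed to the existence check is unauthenticated. Prefer pinning the gateway's certificate and making insecure mode an explicit opt-in, e.g. `curl_opts=(--cacert "${UCG_CA_CERT:?path to the UCG certificate}")` with `curl -s "${curl_opts[@]}" ...`, or at minimum gate `-k` behind something like `UCG_INSECURE=1` so the default is verified TLS. The key is also passed on the command line via `-H "$AUTH_HEADER"`, where other local users can read it from `ps`; writing the header to a `mktemp`-created file and using `curl -H @"$header_file"` keeps it out of argv. Separately, the skip check `grep -q "\"key\":\"${RECORD}\""` treats `*` and `.` as regex metacharacters, so the wildcard pattern also matches an existing apex record and a missing `*.${DOMAIN}` entry would be silently skipped on a re-run; `grep -qF -- "\"key\":\"${RECORD}\""` matches the literal key.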