Hi everyone

Thanks for all the advice on buying a domain. It's a big week for me. Getting on GrapheneOS, buying a domain, and I also recently started self hosting my contacts and calendar. I love this way of life.

My original plan was to get one of the xyz 1.1111b domains for $1 a year but most of the feedback I got said just go with Cloudflare. It's a lot more money than I had planned but all the security features are baked in and I feel that's worth the extra money.

Here are my questions. I use the latest version of TrueNAS Community.

  1. How do I connect my domain to my server apps? I've got a series of apps I'd love to be able to access without Tailscale and solely use the domain.
  2. I have heard the term DNS a million times but don't really understand it. What do I need to know about DNS to keep security up and stay protected?
  3. I'd like to let family access my media server, are there any considerations I need to make?
  4. How can I use one domain to access multiple services on my server? Do I need to pay extra for subdomains?

Thank you for any advice

  • lyralycan@sh.itjust.works
    arrow-up 2 · edited · 9 hours ago

    I kept all my certificates separate - have I been wasting time with 15 subdomains, each with their own cert and A record? I have wondered. And then set in my reverse proxy a single domain.tld cert for each entry? TIA.

    I wrote bash scripts to run via cron to keep my IPs updated, using the Cloudflare API. It's probably useful to other folk, but as I used to need just v4 addresses I made one separate script each for v4 IPs, v6 IPs and proxied; it wouldn't take long to combine them. Here's my v4:

    #!/bin/bash
    # Cloudflare DDNS: refresh proxied A records when the public IPv4 address changes.
    CLOUDFLARE_API_TOKEN="<api_here>"
    ZONE_ID="<zone_id_here>"
    DOMAINS=({subdomains.,www.}domain.tld)   # brace expansion: one array entry per subdomain
    log="/opt/ddns/log_$(date +%F).txt"
    result=""
    CURL="/usr/bin/curl"
    JQ="/usr/bin/jq"
    IP=$($CURL -s http://ipv4.icanhazip.com/)   # current public IPv4
    echo "$(date +"%FT%T")">>"$log"
    echo "Performing v4 proxied domain IP address check...">>"$log"
    
    # Look up each A record's ID by name
    for DNS_RECORD in "${DOMAINS[@]}"; do
    DNS_RECORD_ID=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=A&name=$DNS_RECORD" \
      -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      -H "Content-Type: application/json" | $JQ -r '.result[0].id')
    
    # Get each record's current IP
    current_ip=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \
      -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      -H "Content-Type: application/json" | $JQ -r '.result.content')
    
    # Skip the record if nothing changed, or if the IP lookup returned nothing
    if [[ "$IP" == "$current_ip" ]] || [[ "$IP" == "" ]]; then
      continue
    fi
    
    echo "IP address for $DNS_RECORD has changed from $current_ip to $IP. Updating record...">>"$log"
    result="$result${DNS_RECORD%%.*}, "   # collect the subdomain labels that were touched
    
    # Write the new IP to the record (proxied through Cloudflare)
    response=$($CURL -s -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \
      -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      -H "Content-Type: application/json" \
      --data '{
        "type": "'"A"'",
        "name": "'"$DNS_RECORD"'",
        "content": "'"$IP"'",
        "ttl": 120,
        "proxied": true
      }')
    
    if [[ $response == *"\"success\":true"* ]]; then
    echo "DNS record updated successfully">>"$log"
    else
    echo "Failed to update DNS record for $DNS_RECORD. Response: $response">>"$log"
    result="$result\nFailed. See log."
    fi
    
    unset DNS_RECORD_ID
    done
    
    # Send a summary to the webhook, only when something was updated or failed
    if [ -n "$result" ]; then
      $CURL -X POST -d '{"result": "'"$result"'\n'"$current_ip"' -> '"$IP"'"}' "<home_assistant_local_webhook-delete_this_block_if_unwanted>" -H "Content-Type:application/json"
    fi
    echo "$result">>"$log"
    echo $'Done.\n'>>"$log"
    /opt/ddns/cloudflare_ddns_v4_direct.sh # This triggers the next script
    
    • Svinhufvud@sopuli.xyz
      arrow-up 2 · 8 hours ago

      A single wildcard CNAME that points to your domain's A record is easier to manage, I would say. This comes in handy when you add a new service to your stack, as you don't have to go and make a new subdomain record.

      You already seem to manage all subdomain updates with that script, so it won't help you much with dyndns. That is, unless you hit a rate limit when trying to update a very large number of records at once.

      Keeping separate TLS certificates is a separate topic from having a single wildcard CNAME record. Separate TLS certificates offer a slight security advantage over a wildcard cert, as a single leaked certificate secret won't compromise the rest of your sites.
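As an added example (not lyralycan's script and not anything posted in the thread), these are the checks I would put in front of the PUT in a DDNS script like the one above: the script only guards against an empty response from icanhazip, so an error page or a partial body would otherwise be written into the A record. The functions below accept only a well-formed dotted-quad IPv4 address and build the update body only when it differs from the record's current content; the record name and addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: validate the looked-up address before touching DNS.

# is_ipv4 ADDR: succeed only for four dot-separated octets, each 0..255.
is_ipv4() {
  local addr="$1" old_ifs octet
  case "$addr" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, or malformed dots
  esac
  old_ifs="$IFS"; IFS=.
  set -- $addr                              # split into octets
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# needs_update CURRENT NEW: succeed when NEW is a valid address that differs
# from CURRENT, so the caller skips the API call in every other case.
needs_update() {
  local current="$1" new="$2"
  is_ipv4 "$new" || return 1
  [ "$new" != "$current" ]
}

# update_payload NAME IP: JSON body for a proxied A record (printf instead of
# jq; NAME is assumed to be a plain DNS name with no quotes to escape).
update_payload() {
  printf '{"type":"A","name":"%s","content":"%s","ttl":120,"proxied":true}' "$1" "$2"
}

# plan_update NAME CURRENT NEW: print the payload only when an update is due.
plan_update() {
  needs_update "$2" "$3" || return 1
  update_payload "$1" "$3"
}
```

Feed `plan_update` the record name, the `.result.content` from the GET and the icanhazip output; a non-zero exit means nothing should be sent.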