Hi everyone

Thanks for all the advice on buying a domain. It's a big week for me. Getting on GrapheneOS, buying a domain, and I also recently started self hosting my contacts and calendar. I love this way of life.

My original plan was to buy one of the xyz 1.1111b domains for $1 a year but most of the feedback I got said just go with Cloudflare. It's a lot more money than I had planned but all the security features are baked in and I feel that's worth the extra money.

Here are my questions. I use the latest version of TrueNAS Community.

  1. How do I connect my domain to my server apps? I've got a series of apps I'd love to be able to access without Tailscale and solely use the domain.
  2. I have heard the term DNS a million times but don't really understand it. What do I need to know about DNS to keep security up and stay protected?
  3. I’d like to let family access my media server, are there any considerations I need to make?
  4. How can I use one domain to access multiple services on my server? Do I need to pay extra for subdomains?

Thank you for any advice

  • Svinhufvud@sopuli.xyz (16 points, edited 6 hours ago)

    I recommend you make A and AAAA records for the top level domain you own, and then set the needed subdomains (or a single wildcard) as CNAME entries.

    example.com points to your IP addresses, and the subdomains then point to your top level name.

    This avoids you having to point a new IP at multiple places (be it manually or by dyndns) when/if your public IP changes.

    Then you can set up a reverse proxy (caddy for example, it comes with automatic TLS), bind ports 80 and 443 to it, and route the traffic based on the domain name a client is trying to connect to.

    So jellyfin.example.com would lead to your reverse proxy which would forward it somewhere internally, say 192.168.1.10:8096 for example.

    This way you can use one top level domain for multiple services, and not have to specify ports when connecting externally.
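
    Concretely, the layout described above as a Caddyfile. This is an added example, not the poster's own configuration; the DNS records, the second service name and the internal addresses are constructed for illustration.

```caddyfile
# Assumed DNS records (constructed for this example):
#   example.com.     A      203.0.113.10
#   example.com.     AAAA   2001:db8::10
#   *.example.com.   CNAME  example.com.
# Only the two address records ever need updating when the public IP changes.
#
# Caddy binds :80 and :443 and selects a site block by the hostname the client
# asked for, so every service shares the one public IP and the standard ports.

jellyfin.example.com {
    # Caddy obtains and renews the certificate for this exact name itself.
    reverse_proxy 192.168.1.10:8096
}

# Second service (constructed name and address) added the same way: no new
# DNS record is needed because the wildcard CNAME already covers it.
app.example.com {
    reverse_proxy 192.168.1.20:3000
}

# A hostname without a site block (say other.example.com) still resolves to
# this host through the wildcard, but Caddy has no certificate and no route
# for it, so the request is not forwarded to any internal service.
```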

    • lyralycan@sh.itjust.works (2 points, edited 6 hours ago)

      I kept all my certificates separate - have I been wasting time with 15 subdomains each with their own cert and A record? I have wondered. And then set in my reverse proxy a single domain.tld cert for each entry? TIA.

      I wrote bash scripts to run via cron to keep my IPs updated, using Cloudflare API. It’s probably useful to other folk but as I used to need just v4 addresses I made one separate script for v4 IPs, v6 IPs and proxied, but it wouldn’t take long to combine. Here’s my v4:

      #!/bin/bash
      CLOUDFLARE_API_TOKEN="<api_here>"
      ZONE_ID="<zone_id_here>"
      # Brace expansion: subdomains.domain.tld www.domain.tld
      DOMAINS=({subdomains.,www.}domain.tld)
      log="/opt/ddns/log_$(date +%F).txt"
      result=""
      CURL="/usr/bin/curl"
      JQ="/usr/bin/jq"
      # Current public IPv4 address of this host
      IP=$($CURL -s http://ipv4.icanhazip.com/)
      echo "$(date +"%FT%T")" >> "$log"
      echo "Performing v4 proxied domain IP address check..." >> "$log"
      
      # Get v4 records
      for DNS_RECORD in "${DOMAINS[@]}"; do
        # Look up the ID of the A record for this name (first match)
        DNS_RECORD_ID=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=A&name=$DNS_RECORD" \
          -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
          -H "Content-Type: application/json" | $JQ -r '.result[0].id')
        if [[ -z "$DNS_RECORD_ID" || "$DNS_RECORD_ID" == "null" ]]; then
          echo "No A record found for $DNS_RECORD. Skipping." >> "$log"
          continue
        fi
      
        # Get each record's IP
        current_ip=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \
          -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
          -H "Content-Type: application/json" | $JQ -r '.result.content')
      
        # Check if the IP addresses are different (also skip if the public IP lookup failed)
        if [[ "$IP" == "$current_ip" ]] || [[ "$IP" == "" ]]; then
          continue
        fi
      
        echo "IP address for $DNS_RECORD has changed from $current_ip to $IP. Updating record..." >> "$log"
        result="$result${DNS_RECORD%%.*}, "
      
        # Sets the new IP if different
        response=$($CURL -s -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \
          -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
          -H "Content-Type: application/json" \
          --data '{
            "type": "'"A"'",
            "name": "'"$DNS_RECORD"'",
            "content": "'"$IP"'",
            "ttl": 120,
            "proxied": true
          }')
      
        if [[ $response == *"\"success\":true"* ]]; then
          echo "DNS record updated successfully" >> "$log"
        else
          echo "Failed to update DNS record for $DNS_RECORD. Response: $response" >> "$log"
          result="$result\nFailed. See log."
        fi
        unset DNS_RECORD_ID
      done
      
      # Sends information to webhook
      if [ -n "$result" ]; then
        $CURL -X POST -d '{"result": "'"$result"'\n'"$current_ip"' -> '"$IP"'"}' "<home_assistant_local_webhook-delete_this_block_if_unwanted>" -H "Content-Type:application/json"
      fi
      echo "$result" >> "$log"
      echo $'Done.\n' >> "$log"
      /opt/ddns/cloudflare_ddns_v4_direct.sh # This triggers the next script
      
      • Svinhufvud@sopuli.xyz (2 points, edited 6 hours ago)

        A single wildcard CNAME that points to your domain's A record is easier to manage, I would say. This comes in handy when you add a new service to your stack, as you don't have to go and make a new subdomain record.

        You already seem to manage all subdomain updates with that script, so it won’t help you much with dyndns. That is, unless you hit a rate limit when trying to update a very large amount of records at once.

        Keeping separate TLS certificates is a separate topic from having a single wildcard CNAME record. Separate TLS certificates offer a slight security advantage over a wildcard cert, as a single leaked certificate secret won't compromise the rest of your sites.