docs(roadmap): record decided DNS naming scheme in M1

Three-tier scheme: <host>.boma.baobab.band (infra, internal) /
<service>.baobab.band (home, split-horizon, mesh/LAN-only default) /
<service>.askari.baobab.band (off-site, public). nyumbani dropped; mesh carries
the baobab.band match-domain to road-warriors; *.baobab.band DNS-01 wildcard
certs via Gandi API. Resolves TODO 4 and review finding O12.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sjat 2026-06-11 22:17:28 +02:00
parent 3cfcb1c2e9
commit be2679cc66


@ -57,13 +57,21 @@ records **managed as code (IaC)**, not hand-edited in a panel.
Cloudflare is never touched again.
- **IaC approach:** follow boma's grain — internal DNS is already Ansible-rendered and
Terraform owns *no* DNS (CLAUDE.md), so **public DNS is Ansible-managed too** (Gandi
LiveDNS via an Ansible module). Exact module/role shape is M1's spec decision.
LiveDNS via an Ansible module — exact module pinned in M1's spec, verified per ADR-014).
- **Naming scheme (decided):** three tiers — `<host>.boma.baobab.band` (infra,
internal-only) · `<service>.baobab.band` (home/cluster services, split-horizon) ·
`<service>.askari.baobab.band` (off-site/VPS, public). **`nyumbani` dropped.** Home
services are **mesh/LAN-only by default** (no public record; reached over LAN or the
NetBird mesh), with public Gandi records only for deliberate exceptions. The NetBird
mesh carries the `baobab.band` match-domain to road-warriors (resolver = dns1/dns2 over
`wt0`); a `*.baobab.band` ACME **DNS-01** wildcard cert (Gandi API) gives even
unexposed services real TLS. Resolves TODO 4 and review finding O12.
- **Care:** the live record `forgejo.nyumbani.baobab.band` (the git `origin` / Forgejo
remote) must not break during the cutover.
- **Records as a new/updated ADR:** amends ADR-007's "served by external DNS (Cloudflare
or equivalent)" line to "Gandi LiveDNS, managed as code."
- **Maps to:** ADR-007 (network/DNS), TODO 4 (split-horizon FQDN — decide w/ or w/o
`nyumbani` here or defer).
remote, :7577) becomes `forgejo.baobab.band` — cutover must update the remote + CI
without breaking pushes.
- **Records as a new/updated ADR:** amends ADR-007 — public DNS provider → Gandi LiveDNS
managed as code; the three-tier naming scheme; `nyumbani` removed; mesh/LAN-only default.
- **Maps to:** ADR-007 (network/DNS), ADR-016 (mesh DNS), TODO 4 (**resolved here**).
### M2 · `askari` provisioned + under Ansible
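Review bot: In the new "Naming scheme (decided)" bullet, the `*.baobab.band` ACME DNS-01 wildcard only matches one label under `baobab.band`, so it covers `forgejo.baobab.band` but not `<host>.boma.baobab.band` or `<service>.askari.baobab.band`; either list `*.boma.baobab.band` and `*.askari.baobab.band` as additional SANs on the same DNS-01 order or say explicitly that the infra and off-site tiers get their own certs, otherwise "gives even unexposed services real TLS" overstates what one wildcard does. In the rewritten "Care" bullet, state whether `forgejo.baobab.band` keeps a public Gandi record as a deliberate exception or is mesh/LAN-only per the new default, since a CI runner that is not on the NetBird mesh would lose the remote at cutover even though the remote URL was updated. The Gandi API credential now used for both LiveDNS records and DNS-01 issuance is a zone-write secret; the ADR update should record where it is stored and whether it is scoped to the `baobab.band` zone only.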