# 02 — GoDaddy DNS Credentials for SWAG (Test)

## Context

SWAG uses certbot with the `certbot-dns-godaddy` plugin to obtain and auto-renew the `*.iklim.co` wildcard certificate via the DNS-01 challenge. GoDaddy API credentials must be available at deploy time.

## ⚠️ Security — Rotate credentials before use

If credentials were shared in any chat log, Slack message, or email, **revoke them immediately**:

1. Go to: https://developer.godaddy.com/keys
2. Revoke the exposed key
3. Create a new Production key pair
4. Use the new Key + Secret everywhere below

**Never commit credentials to the repository.**

## Step 1 — Add credentials to storagebox `.env.secrets.swag`

Open (or create) the file at storagebox path:

```
test/secrets/iklim.co/.env.secrets.swag
```

Add:

```bash
GODADDY_KEY=
GODADDY_SECRET=
```

These are fetched by the deploy pipeline's `Fetch Service Secret Files` step and sourced into the environment before further steps run.

## Step 2 — Template file in the repo

`swag/dns-conf/godaddy.ini.tpl` already exists in the repository (path relative to the repository root):

```ini
dns_godaddy_key = ${GODADDY_KEY}
dns_godaddy_secret = ${GODADDY_SECRET}
```

This template is processed at deploy time (Step 07) with `envsubst`.

## Step 3 — (Handled by pipeline) Write the actual credentials file on the host

The deploy pipeline (see `07-deploy-pipeline-update.md`) runs:

```bash
mkdir -p /opt/iklimco/swag/dns-conf
envsubst < swag/dns-conf/godaddy.ini.tpl > /opt/iklimco/swag/dns-conf/godaddy.ini
chmod 600 /opt/iklimco/swag/dns-conf/godaddy.ini
```

`GODADDY_KEY` and `GODADDY_SECRET` are already in the environment (sourced from `.env.secrets.swag`).

The file is bind-mounted into the SWAG container at `/config/dns-conf/godaddy.ini` (read-only).

## Step 4 — Verify (after SWAG is deployed)

Inside the SWAG container:

```bash
docker exec $(docker ps -q -f name=iklimco_swag) cat /config/dns-conf/godaddy.ini
```

Expected output: a file with real key/secret values, not `${...}` placeholders.
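The manual `cat` in Step 4 only catches the placeholder case by eye. The following added check (not part of the runbook or the pipeline; the function name `check_godaddy_ini` and the exit codes are assumptions) can be run on the host against `/opt/iklimco/swag/dns-conf/godaddy.ini` before SWAG starts. It fails on three distinct mistakes: the template was copied without `envsubst` (literal `${...}` left), the secrets were never sourced (envsubst rendered empty values), or the `chmod 600` step was skipped.

```shell
#!/bin/sh
# Added example, not from the runbook: validate a rendered godaddy.ini.
# Usage: check_godaddy_ini /opt/iklimco/swag/dns-conf/godaddy.ini
# Exit codes (assumed): 1 missing file, 2 unrendered placeholder,
#                       3 empty credential value, 4 file mode not 0600.
check_godaddy_ini() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }

    # A literal "${" means the .tpl was copied without running envsubst.
    if grep -q -F '${' "$f"; then
        echo "unrendered placeholder in $f" >&2
        return 2
    fi

    # envsubst replaces an unset variable with nothing, so an empty value
    # means .env.secrets.swag was not sourced before the render step.
    for k in dns_godaddy_key dns_godaddy_secret; do
        v=$(sed -n "s/^${k}[[:space:]]*=[[:space:]]*//p" "$f")
        if [ -z "$v" ]; then
            echo "empty value for $k in $f" >&2
            return 3
        fi
    done

    # certbot reads this file; anything wider than 0600 exposes the API key
    # to every local user. POSIX find -perm 600 matches the exact mode.
    if [ -z "$(find "$f" -perm 600 -print)" ]; then
        echo "$f is not mode 0600" >&2
        return 4
    fi
    return 0
}
```

The same check can be run inside the container with `docker exec ... sh` against `/config/dns-conf/godaddy.ini`; the read-only bind mount keeps the mode the host set.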
## Notes

- `DNSPROPAGATION=90` is configured in SWAG's environment — GoDaddy DNS changes can take up to 90s.
- SWAG stores the obtained cert at `/config/etc/letsencrypt/live/iklim.co/` inside the container (persisted in the `swag-vl` Docker named volume).
- The cert-reloader service watches this volume and copies renewed certs to `/opt/iklimco/ssl/` for Vault (see `06-cert-reloader.md`).