# 02 — GoDaddy DNS Credentials for SWAG (Prod)

## Context

Identical to test-env-setup/02, except the storagebox path is `prod/` instead of `test/`.

## ⚠️ Security — Rotate credentials before use

If credentials were shared in any chat log, Slack message, or email, **revoke them immediately**:

1. Go to: https://developer.godaddy.com/keys
2. Revoke the exposed key
3. Create a new Production key pair

**Never commit credentials to the repository.**

## Step 1 — Add credentials to storagebox `.env.secrets.swag` (prod path)

Open the file at storagebox path:

```
prod/secrets/iklim.co/.env.secrets.swag
```

Add:

```bash
GODADDY_KEY=
GODADDY_SECRET=
```

> `.env.secrets.swag` contains SWAG/GoDaddy credentials only.
> `.env.secrets.shared` contains AppRole IDs, DB passwords, and other runtime secrets — do not mix.

## Step 2 — Repo template file

Same file as test: `swag/dns-conf/godaddy.ini.tpl` (already created in test step 02).
No additional action needed in the repo.

## Step 3 — (Handled by pipeline) Write credentials file on prod host

The deploy pipeline (see `08-deploy-pipeline-update.md`) runs on iklim-app-01:

```bash
set -a; . ./.env; set +a
mkdir -p "$SWAG_CONFIG_DIR/dns-conf"
envsubst < swag/dns-conf/godaddy.ini.tpl > "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini"
chmod 600 "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini"
```

## Step 4 — GoDaddy A records for prod subdomains (handled by pipeline)

The deploy pipeline's **Update DNS Records** step automatically manages A records via GoDaddy API.
It reads the Floating IP from the Gitea variable `vars.PROD_FLOATING_IP` — set this once in Gitea project settings.

To get the Floating IP: `terraform output prod_floating_ip`

| Record | Value |
|--------|-------|
| `api` | `vars.PROD_FLOATING_IP` |
| `apigw` | `vars.PROD_FLOATING_IP` |
| `rabbitmq` | `vars.PROD_FLOATING_IP` |
| `grafana` | `vars.PROD_FLOATING_IP` |

Logic: for each record, pipeline queries the current value via GoDaddy API. If already correct, it skips.
Otherwise it creates/updates the record.

> The Floating IP is assigned to `iklim-app-01` (`06-prod-terraform-iaac.md` — `floating_ip.tf`).
> If failover is needed, the Floating IP can be reassigned to another app node; DNS does not change.

## Notes

- Test and prod SWAG instances both obtain `*.iklim.co` independently from Let's Encrypt. There is no conflict — they use the same domain, different servers.
- `DNSPROPAGATION=90` handles GoDaddy's typical 30-90s propagation delay.
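
The skip-or-update logic from Step 4, written out as an added example (it is not the pipeline's own step from `08-deploy-pipeline-update.md`). All function and variable names here are assumptions, as are the TTL of 600 and the use of GoDaddy's v1 `records/A/{name}` endpoint with an `sso-key` Authorization header; the Floating IP is validated before it is placed in a request body.

```bash
#!/bin/sh
# Added example, not the pipeline's own code. All names below are assumptions.
RECORDS="api apigw rabbitmq grafana"
GD_API="https://api.godaddy.com/v1/domains/iklim.co/records/A"

# The Authorization header is fed to curl on stdin (-K -), so the key and
# secret never appear in the host's process list.
gd_api() {  # usage: gd_api METHOD NAME [extra curl args]
  local method="$1" name="$2"; shift 2
  printf 'header = "Authorization: sso-key %s:%s"\n' "$GODADDY_KEY" "$GODADDY_SECRET" |
    curl -fsS -K - -X "$method" -H 'Content-Type: application/json' "$@" "$GD_API/$name"
}

# Print the current A value for NAME (empty output if no record exists).
gd_current_ip() {
  local body
  body=$(gd_api GET "$1") || return 1
  printf '%s\n' "$body" | sed -n 's/.*"data" *: *"\([^"]*\)".*/\1/p'
}

gd_set_ip() {  # usage: gd_set_ip NAME IP  (IP is validated by the caller)
  gd_api PUT "$1" --data "[{\"data\":\"$2\",\"ttl\":600}]" >/dev/null
}

# Accept only a dotted-quad IPv4, so a malformed or empty variable never
# reaches the JSON body or the API.
valid_ipv4() {
  local o old_ifs="$IFS"
  case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  IFS=.; set -- $1; IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Prints "skip NAME" or "update NAME"; returns 2 on a bad IP, 1 on API failure.
reconcile_record() {  # usage: reconcile_record NAME DESIRED_IP
  local name="$1" want="$2" have
  valid_ipv4 "$want" || { echo "invalid IP for $name" >&2; return 2; }
  have=$(gd_current_ip "$name") || return 1
  if [ "$have" = "$want" ]; then echo "skip $name"; return 0; fi
  gd_set_ip "$name" "$want" || return 1
  echo "update $name"
}

reconcile_all() {  # usage: reconcile_all "$PROD_FLOATING_IP"
  local r rc=0
  for r in $RECORDS; do reconcile_record "$r" "$1" || rc=1; done
  return $rc
}
```

Because the current value is read first, a re-run with an unchanged Floating IP issues no writes, and an unset `PROD_FLOATING_IP` fails validation instead of overwriting the records.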