Environment_Infrastructure/roadmap/prod-env/02-godaddy-credentials.md
2026-05-09 16:26:06 +03:00

02 — GoDaddy DNS Credentials for SWAG (Prod)

Context

Identical to test-env-setup/02, except the storagebox path is prod/ instead of test/.

⚠️ Security — Rotate credentials before use

If credentials were shared in any chat log, Slack message, or email, revoke them immediately:

  1. Go to: https://developer.godaddy.com/keys
  2. Revoke the exposed key
  3. Create a new Production key pair

Never commit credentials to the repository.

Step 1 — Add credentials to storagebox .env.secrets.shared (prod path)

Open the file at this storagebox path:

prod/secrets/iklim.co/.env.secrets.shared

Add:

GODADDY_KEY=<your-new-api-key>
GODADDY_SECRET=<your-new-api-secret>

Step 2 — Repo template file

Same file as test: swag/dns-conf/godaddy.ini.tpl (already created in test step 02). No additional action needed in the repo.

Step 3 — (Handled by pipeline) Write credentials file on prod host

The deploy pipeline (see 08-deploy-pipeline-update.md) runs on service-1:

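mkdir -p /opt/iklimco/swag/dns-conf
# Render under umask 077 so a newly created file is never world-readable,
# even for the moment between the redirect and the chmod below.
(umask 077 && envsubst < swag/dns-conf/godaddy.ini.tpl > /opt/iklimco/swag/dns-conf/godaddy.ini)
chmod 600 /opt/iklimco/swag/dns-conf/godaddy.ini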
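
A check the pipeline could run right after the chmod above, shown as an added example (not part of this repo's pipeline): envsubst writes an empty string for an unset variable, so a missing GODADDY_KEY or GODADDY_SECRET produces a valid-looking file that only fails at certificate issuance. The key names dns_godaddy_key and dns_godaddy_secret are an assumption, since godaddy.ini.tpl is not shown here, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: post-render check for the file written in Step 3.
# Assumption: the template renders certbot-dns-godaddy's keys
# dns_godaddy_key / dns_godaddy_secret (godaddy.ini.tpl is not shown here).

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Value of ini key $2 in file $1, whitespace-trimmed. The checks below
# only test it and never print it.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 only if the file is mode 600 and both credentials are real values.
verify_godaddy_ini() {
    ini=$1
    [ -f "$ini" ] || { echo "FAIL: $ini not found" >&2; return 1; }
    mode=$(file_mode "$ini")
    [ "$mode" = 600 ] || { echo "FAIL: mode $mode, expected 600" >&2; return 1; }
    for key in dns_godaddy_key dns_godaddy_secret; do
        val=$(ini_value "$ini" "$key")
        case $val in
            # envsubst writes an empty string for an unset variable
            '') echo "FAIL: $key is empty" >&2; return 1 ;;
            *'${'*|*'<your-'*) echo "FAIL: $key is a placeholder" >&2; return 1 ;;
        esac
    done
}

# Constructed sample: one good file and one rendered with GODADDY_SECRET unset.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'dns_godaddy_key = CONSTRUCTED-KEY\ndns_godaddy_secret = CONSTRUCTED-SECRET\n' > "$dir/ok.ini"
    printf 'dns_godaddy_key = CONSTRUCTED-KEY\ndns_godaddy_secret = \n' > "$dir/empty.ini"
    chmod 600 "$dir/ok.ini" "$dir/empty.ini"
    verify_godaddy_ini "$dir/ok.ini" && echo "ok.ini: pass"
    verify_godaddy_ini "$dir/empty.ini" || echo "empty.ini: rejected"
    rm -rf "$dir"
}
```

Call verify_godaddy_ini /opt/iklimco/swag/dns-conf/godaddy.ini after the chmod step and fail the deploy on a non-zero return; demo runs the same check against the two constructed files.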

Step 4 — GoDaddy A records for prod subdomains

In the GoDaddy DNS panel for iklim.co, add or update A records pointing to service-1's public IP:

Record     Value
api        <service-1-public-ip>
apigw      <service-1-public-ip>
rabbitmq   <service-1-public-ip>
grafana    <service-1-public-ip>

Swarm's routing mesh means any node IP would work, but service-1 is the designated entry point (runs SWAG). Using a single IP keeps DNS simple.

For HA: add a load balancer or use Hetzner's floating IP in front of the 3 service nodes. DNS then points to the floating IP. This is a future improvement.

Notes

  • Test and prod SWAG instances each obtain a *.iklim.co certificate independently from Let's Encrypt. There is no conflict: they use the same domain on different servers.
  • DNSPROPAGATION=90 handles GoDaddy's typical 30-90s propagation delay.