From 20b2373090ebf71bad7d3f8c1c28bf64b5ac477a Mon Sep 17 00:00:00 2001 From: Daniel McKnight Date: Thu, 3 Oct 2024 05:20:38 +0000 Subject: [PATCH 1/3] Document Cloudflare DNS --- 2024-10-02_Cloudflare-DNS.md | 78 ++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 2024-10-02_Cloudflare-DNS.md diff --git a/2024-10-02_Cloudflare-DNS.md b/2024-10-02_Cloudflare-DNS.md new file mode 100644 index 0000000..c5b15ae --- /dev/null +++ b/2024-10-02_Cloudflare-DNS.md 
@@ -0,0 +1,78 @@ +--- +date: 2024-10-02 +title: Cloudflare DNS +tags: + - homelab + - opnsense + - hosting +--- + +Since I purchased this domain, I have been using Namecheap for DNS mostly out of convenience. Most of the domains I manage for work use +DigitalOcean which is a little different, but not necessarily better in my opinion. I went into this with pretty minimal knowledge about +different DNS providers and I did not do a thorough comparison of the various providers out there. I settled on Cloudflare as a service +that I trust (I use their 1.1.1.1 DNS) and that is free; I skipped DigitalOcean because the OPNSense integration does not show updates in +DDNS and I recall it being a bit of a pain getting resource IDs that are used as usernames for authentication. + + +## Motivation +I was configuring a new domain at work and it reminded me how inconvenient it is to use HTTP challenges for my personal domain because +Namecheap [requires a static IP for DNS challenges](https://www.namecheap.com/support/api/intro/). Some brief searching indicated other +users have had success using Cloudflare; +[this Reddit post](https://www.reddit.com/r/selfhosted/comments/184fhrv/a_warning_about_namecheap_when_using_dynamic_dns/) in particular +described my exact situation with Cloudflare DNS as a suggested solution. + +## Cloudflare Configuration +Creating a free account with Cloudflare is easy. After account creation, I waited to change my domain DNS settings until after I created +the necessary records on Cloudflare to avoid any downtime. I have a `CNAME` record to point `mcknight.tech` to `www.mcknight.tech` and +then a single wildcard `A` record that DDNS updates to point at my home network. + +I also have email through Namecheap; I followed their +[configuration guide](https://www.namecheap.com/support/knowledgebase/article.aspx/9967/31/how-to-set-up-dns-records-for-namecheap-email-service-with-Cloudflare-cpanel-and-private-email/#pe) +to get those records in place. 
+ +## OPNSense Updates +I have an OPNSense router handling DDNS updates and LetsEncrypt certificate renewal. It isn't possible to start issuing certificates +until the DNS servers are updated (and the update propagates), but this can be configured in OPNSense so everything is ready to go. + +### Dynamic DNS +Under `Services` -> `Dynamic DNS` -> `Settings`, I created a new entry; Cloudflare uses the username `token` and an API key for the +password. I set `zone` to `mcknight.tech` and `Hostname(s)` to `*.mcknight.tech` (the one `A` record configured earlier). I use +`Interface` for the Check IP Method since it is the most straight-forward method for getting my public IP address. After applying the +changes and waiting a few minutes, the `Current IP` and `Updated` fields should show something after refreshing the page; the `Log File` +menu option can be used to check for any errors. + +### ACME Client +I already have HTTP-based certificates configured, so I am re-using an existing Account. +Under `Services` -> `ACME Client` -> `Challenge Types`, I created a new DNS-01 challenge; the `Global API Key` section may be left empty, +`CF Account ID` is most easily found as the first part of the URL slug when logged in at dash.Cloudflare.com. The API key could use the +same key as Dynamic DNS, though I prefer to generate separate ones in case I have to re-issue a key to change some service configuration +in the future. I left `CF Zone ID` empty. + +Next under the `Certificates` menu, I created a new certificate with Common Name `*.mcknight.tech`, using my existing Account and newly- +defined Challenge. At this point, the OPNSense configuration is complete but a certificate cannot be issued until DNS records are updated +with Namecheap. + +## Update Namecheap DNS +With all of the above configuration done, updating Namecheap DNS shouldn't cause any service interruption; when the name servers update, +Cloudflare should keep all of the routing working. 
In the Namecheap `Domain` menu, I changed `Nameservers` to `Custom DNS` and entered the +nameservers listed in Cloudflare. + +At this point, it will take some time for DNS changes to propagate (this time it took less than an hour, but I've waited up to 12 in the past). +Cloudflare shows a warning when it is not managing DNS, so I waited for this warning to go away as an indication that routing moved over. + +## Test Changes +I have TrueNAS (among other things) set up to send email alerts, so I sent a test email there to check that my DNS records for emails are all +valid. I suppose it would have been just as easy to send an email to myself, but I had the TrueNAS dashboard open already. + +I also did some quick checks for external access to my domain from my phone since my +[Uptime Kuma monitoring](https://github.com/louislam/uptime-kuma) runs on the same subnet as everything else on my domain. In the future, I +might get that running remotely for a more complete test. + +## Issue DNS Certificate +With routing all updated, that [configured certificate](#acme-client) can now be issued. After watching LetsEncrypt issue the certificate, +I am confident that all of my changes were successful. + +## Conclusion +This was a quick change that I am very glad to have made. Now, I can add services/subdomains simply by updating Nginx and they will +automatically have working SSL with a valid certificate. I am also interested in checking out all the analytics Cloudflare exposes; +I see there is more web scraping traffic than I expected, that or there are a lot more people reading this than I thought. -- 2.45.2 From e94faba126bbbbaec7f990bc50c9387d26cd0eea Mon Sep 17 00:00:00 2001 From: Daniel McKnight Date: Thu, 3 Oct 2024 05:27:34 +0000 Subject: [PATCH 2/3] Add note to update DNS --- 2024-10-02_Cloudflare-DNS.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/2024-10-02_Cloudflare-DNS.md b/2024-10-02_Cloudflare-DNS.md index c5b15ae..c199a36 100644 
--- a/2024-10-02_Cloudflare-DNS.md +++ b/2024-10-02_Cloudflare-DNS.md @@ -72,6 +72,9 @@ might get that running remotely for a more complete test. With routing all updated, that [configured certificate](#acme-client) can now be issued. After watching LetsEncrypt issue the certificate, I am confident that all of my changes were successful. +With the DNS Certificate issued, I updated nginx to use the new certificate and then restarted that service in OPNSense. I usually wait +a few minutes and then open a page in a private browser to check for the new certificate without worrying about the old one being cached. + ## Conclusion This was a quick change that I am very glad to have made. Now, I can add services/subdomains simply by updating Nginx and they will automatically have working SSL with a valid certificate. I am also interested in checking out all the analytics Cloudflare exposes; -- 2.45.2 From f136c947618d351261a40cd7d6bcce014670f097 Mon Sep 17 00:00:00 2001 From: d_mcknight Date: Tue, 7 Jan 2025 21:51:01 -0800 Subject: [PATCH 3/3] Update Date and minor grammar --- ...10-02_Cloudflare-DNS.md => 2025-01-07_Cloudflare-DNS.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) rename 2024-10-02_Cloudflare-DNS.md => 2025-01-07_Cloudflare-DNS.md (93%) diff --git a/2024-10-02_Cloudflare-DNS.md b/2025-01-07_Cloudflare-DNS.md similarity index 93% rename from 2024-10-02_Cloudflare-DNS.md rename to 2025-01-07_Cloudflare-DNS.md index c199a36..3896485 100644 --- a/2024-10-02_Cloudflare-DNS.md +++ b/2025-01-07_Cloudflare-DNS.md @@ -1,5 +1,5 @@ --- -date: 2024-10-02 +date: 2025-01-07 title: Cloudflare DNS tags: - homelab 
@@ -7,9 +7,8 @@ tags: - hosting --- -Since I purchased this domain, I have been using Namecheap for DNS mostly out of convenience. Most of the domains I manage for work use -DigitalOcean which is a little different, but not necessarily better in my opinion. I went into this with pretty minimal knowledge about -different DNS providers and I did not do a thorough comparison of the various providers out there. I settled on Cloudflare as a service +Since I registered this domain, I have been using Namecheap for DNS mostly out of convenience. Most of the domains I manage for work use +DigitalOcean which is a little different, but not necessarily better in my opinion. I went into this project with fairly minimal knowledge about different DNS providers and I did not do a thorough comparison of the various providers out there. I settled on Cloudflare as a service that I trust (I use their 1.1.1.1 DNS) and that is free; I skipped DigitalOcean because the OPNSense integration does not show updates in DDNS and I recall it being a bit of a pain getting resource IDs that are used as usernames for authentication. -- 2.45.2
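Review bot: In the new `2024-10-02_Cloudflare-DNS.md` (patch 1/3), the Dynamic DNS and ACME Client sections describe the credential only as "an API key", yet the ACME section also says the `Global API Key` field may be left empty and the DDNS username is `token`; say explicitly that both services use scoped Cloudflare API tokens (DNS edit permission limited to the `mcknight.tech` zone) rather than the account-wide Global API Key, since the token on the router can rewrite the zone, and that the two tokens are separate so one can be revoked without touching the other, as the "re-issue a key" sentence already implies. A second point for the same hunk: the certificate is created with Common Name `*.mcknight.tech`, but a wildcard name does not match the apex `mcknight.tech`, which the `CNAME` record sends to `www.mcknight.tech`; either add `mcknight.tech` as an additional name on that certificate or state how the apex is served over HTTPS, otherwise the Conclusion's "automatically have working SSL" does not hold for the bare domain.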
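Review bot: In patch 2/3, the added paragraph writes "nginx" while the Conclusion line immediately below it in the same hunk writes "Nginx"; pick one spelling. It would also help to say what the private-window check compares (the certificate's validity dates and the names it covers), since that is what tells the reader the newly issued wildcard certificate is being served rather than the earlier HTTP-challenge one.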
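Review bot: In the second hunk of patch 3/3, the rewrapped `+` line beginning "DigitalOcean which is a little different" joins what were two wrapped lines into a single line far wider than the rest of the file; re-wrap it to the width the surrounding paragraph uses so the file stays consistent and later edits produce small hunks. The wording changes themselves ("registered" for "purchased", "this project with fairly minimal") read fine.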