As part of my migration to Bunny CDN for andreas-jaggi.ch, I also moved the DNS zone over.
There are not many records in the zone, but the CAA record turned out to be a bit tricky.
I wanted to use the following Terraform snippet to create it:
resource "bunnynet_dns_record" "andreas_jaggi_ch_CAA" {
  zone  = bunnynet_dns_zone.andreas_jaggi_ch.id
  name  = ""
  type  = "CAA"
  value = "0 issue \"letsencrypt.org;validationmethods=http-01\""
}
But this always failed with a cryptic error message during terraform apply:
│ Error: Unable to create DNS record
│
│ with bunnynet_dns_record.andreas_jaggi_ch_CAA,
│ on dns.tf line 22, in resource "bunnynet_dns_record" "andreas_jaggi_ch_CAA":
│ 22: resource "bunnynet_dns_record" "andreas_jaggi_ch_CAA" {
│
│ A tag can be a maximum of 50 ASCII characters.
After some head-scratching I figured out that the Terraform provider has dedicated fields for the flags and tag parts of the CAA DNS record, so value only carries the property value itself, and it insists on them being used this way:
resource "bunnynet_dns_record" "andreas_jaggi_ch_CAA" {
  zone  = bunnynet_dns_zone.andreas_jaggi_ch.id
  name  = ""
  type  = "CAA"
  tag   = "issue"
  flags = 0
  value = "letsencrypt.org;validationmethods=http-01"
}
With this in place, it worked fine.
It also prepared me for the MX record, where a similar split of the record into separate fields is required.
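To see what those separate fields correspond to, here is an added example (my code, not the post's and not the bunnynet provider's) that splits a CAA record in RFC 8659 presentation format into the flags, tag and value the provider wants, checks the tag against the RFC rules and against the 50-character limit quoted in the error above (treated here as a Bunny-side constraint, since the RFC itself has no such limit), builds the wire-format RDATA, and parses the Let's Encrypt issuer parameters (RFC 8657) in the value. All function and constant names are my own. One thing worth noting: the full string from the first attempt is 51 ASCII characters, one more than the limit in the error message, which is consistent with the whole string having been taken as the tag.

```python
"""CAA record handling, added example: not code from the original post or from
the bunnynet Terraform provider. Function and constant names are my own."""
import re
from dataclasses import dataclass

# Presentation format (RFC 8659, section 4.1.1):  <flags> <tag> "<value>"
_PRESENTATION = re.compile(r'^\s*(\d{1,3})\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s*$')
_TAG_CHARS = re.compile(r"^[A-Za-z0-9]+$")  # RFC 8659 section 4.1: letters and digits only

# Assumed provider-side limit, taken from the error message quoted in the post.
BUNNY_MAX_TAG_LEN = 50


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    def wire(self) -> bytes:
        """RDATA per RFC 8659 section 4.1: flags octet, tag-length octet, tag, value."""
        tag = self.tag.encode("ascii")
        return bytes([self.flags, len(tag)]) + tag + self.value.encode("ascii")

    def provider_fields(self) -> dict:
        """The three separate fields the post ends up using in Terraform."""
        return {"flags": self.flags, "tag": self.tag, "value": self.value}


def tag_problems(tag: str, max_len: int = BUNNY_MAX_TAG_LEN) -> list[str]:
    """Why a string would be rejected as a CAA tag. An empty list means it is fine."""
    problems = []
    if not tag:
        problems.append("tag is empty")
    elif not _TAG_CHARS.match(tag):
        problems.append("tag may only contain ASCII letters and digits")
    if len(tag) > max_len:
        problems.append(f"tag is {len(tag)} characters, limit is {max_len}")
    return problems


def parse_caa(presentation: str) -> CAARecord:
    """Split '<flags> <tag> "<value>"' into its parts. Tag matching is
    case-insensitive, so the tag is normalised to lower case."""
    m = _PRESENTATION.match(presentation)
    if not m:
        raise ValueError(f"not a CAA record in presentation format: {presentation!r}")
    flags, tag, value = int(m.group(1)), m.group(2), m.group(3).replace('\\"', '"')
    if flags > 255:
        raise ValueError("flags is a single octet (0-255)")
    problems = tag_problems(tag, max_len=255)  # wire format has a one-octet tag length
    if problems:
        raise ValueError("; ".join(problems))
    return CAARecord(flags, tag.lower(), value)


def parse_issue_value(value: str) -> tuple[str, dict[str, str]]:
    """Split an issue/issuewild value into (issuer domain, parameters) per RFC 8659
    section 4.2. An empty issuer (the value ';') means no CA may issue. Parameters
    such as validationmethods and accounturi are defined in RFC 8657."""
    issuer, _, rest = value.partition(";")
    params: dict[str, str] = {}
    for part in rest.split(";"):
        if not part.strip():
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"CAA parameter without '=': {part!r}")
        params[key.strip().lower()] = val.strip()
    return issuer.strip().lower(), params


def permits(record: CAARecord, ca_domain: str, method: str) -> bool:
    """Does this single 'issue' record allow ca_domain to issue using the given ACME
    validation method? Without a validationmethods parameter any method is allowed."""
    if record.tag != "issue":
        return False
    issuer, params = parse_issue_value(record.value)
    if issuer != ca_domain.lower():
        return False
    methods = params.get("validationmethods")
    return methods is None or method in [m.strip() for m in methods.split(",")]


FIRST_ATTEMPT = '0 issue "letsencrypt.org;validationmethods=http-01"'  # the post's original value string

if __name__ == "__main__":
    rec = parse_caa(FIRST_ATTEMPT)
    print(rec.provider_fields())
    print(rec.wire())
    print(parse_issue_value(rec.value))
    print("as a tag, the full string fails because:", tag_problems(FIRST_ATTEMPT))
    print("dns-01 permitted:", permits(rec, "letsencrypt.org", "dns-01"))
```

permits() looks at one issue record only; a full CAA check also walks up the name tree (the apex record applies to www.andreas-jaggi.ch because that name has no CAA of its own), handles issuewild, and honours the critical flag. The validationmethods=http-01 parameter is a real restriction, not documentation: Let's Encrypt will refuse a dns-01 order for this zone while it is in place, so the http-01 path has to keep working through whatever sits in front of the origin.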
For andreas-jaggi.ch I wanted to try out Bunny CDN.
Everything went very smoothly, and I used Terraform to configure Edge Rules blocking all unwanted access.
As andreas-jaggi.ch does not have much content, this resulted in an allowlist of files similar to this:
resource "bunnynet_pullzone_edgerule" "andreas_jaggi_4" {
  pullzone    = bunnynet_pullzone.andreas_jaggi.id
  description = "block not(known good) http://www.andreas-jaggi.ch"
  enabled     = true
  match_type  = "MatchNone"
  actions     = [{ type = "BlockRequest", parameter1 = null, parameter2 = null, parameter3 = null }]
  triggers = [
    {
      match_type = "MatchAny",
      patterns = [
        "http://www.andreas-jaggi.ch/",
        "http://www.andreas-jaggi.ch/favicon.ico",
        "http://www.andreas-jaggi.ch/robots.txt",
        "http://www.andreas-jaggi.ch/security.txt",
      ],
      type = "Url", parameter1 = null, parameter2 = null
    },
  ]
}
After this I set up the www subdomain as a CNAME and added it as an additional hostname to the CDN Pullzone.
But the process to get a Let's Encrypt certificate for the www subdomain always failed with an error.
This is where I messed up.
Turns out my Edge Rules blocking all unwanted access also blocked the Let's Encrypt validation requests: the http-01 challenge fetches http://<hostname>/.well-known/acme-challenge/<token>, and that path was not on the allowlist. 🤦
Once I realized this (which took a shamefully long amount of time), I added an entry to the Edge Rules for the .well-known/acme-challenge/ subpath:
resource "bunnynet_pullzone_edgerule" "andreas_jaggi_4" {
  pullzone    = bunnynet_pullzone.andreas_jaggi.id
  description = "block not(known good) https://www.andreas-jaggi.ch"
  enabled     = true
  match_type  = "MatchNone"
  actions     = [{ type = "BlockRequest", parameter1 = null, parameter2 = null, parameter3 = null }]
  triggers = [
    {
      match_type = "MatchAny",
      patterns = [
        "http://www.andreas-jaggi.ch/",
        "http://www.andreas-jaggi.ch/favicon.ico",
        "http://www.andreas-jaggi.ch/robots.txt",
        "http://www.andreas-jaggi.ch/security.txt",
        "http://www.andreas-jaggi.ch/.well-known/acme-challenge/*",
      ],
      type = "Url", parameter1 = null, parameter2 = null
    },
  ]
}
With this in place, the process worked immediately and the www subdomain now also serves encrypted traffic. 🔐
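This failure mode can be caught before asking for a certificate. The following is an added example (my code, not the post's and not Bunny's rule engine): it models the edge rule as written, MatchNone over a Url trigger whose patterns are combined with MatchAny, so BlockRequest fires when no allowlisted pattern matches, and runs the URL an http-01 validation fetches (RFC 8555, section 8.3) through both versions of the allowlist. It assumes that '*' in a Bunny Url pattern matches any run of characters and that nothing else in the pattern is special; the sample token and the probe URL are constructed.

```python
"""Edge-rule allowlist pre-flight, added example: my code, not the post's and not
Bunny's rule engine. Models the post's rule: match_type MatchNone over one Url
trigger whose patterns combine with MatchAny, with a BlockRequest action."""
import re

HOST = "www.andreas-jaggi.ch"

# The allowlist from the first rule in the post, and the same list with the ACME path added.
KNOWN_GOOD = [
    f"http://{HOST}/",
    f"http://{HOST}/favicon.ico",
    f"http://{HOST}/robots.txt",
    f"http://{HOST}/security.txt",
]
KNOWN_GOOD_WITH_ACME = KNOWN_GOOD + [f"http://{HOST}/.well-known/acme-challenge/*"]


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Assumption: only '*' is special in a Bunny Url pattern; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def is_blocked(url: str, allowed_patterns: list[str]) -> bool:
    """MatchNone + MatchAny: the block action fires when no pattern matches the URL."""
    return not any(_pattern_to_regex(p).match(url) for p in allowed_patterns)


def acme_http01_url(host: str, token: str) -> str:
    """The URL an ACME server fetches for an http-01 challenge (RFC 8555, section 8.3):
    plain http on port 80, path /.well-known/acme-challenge/<token>."""
    return f"http://{host}/.well-known/acme-challenge/{token}"


def blocked_requests(allowed_patterns: list[str], urls: list[str]) -> list[str]:
    """Pre-flight: which of the given URLs would the rule block?"""
    return [u for u in urls if is_blocked(u, allowed_patterns)]


# Constructed sample traffic. A real challenge token is a random base64url string chosen by the CA.
ACME_URL = acme_http01_url(HOST, "constructed-sample-token")
PROBE_URL = f"http://{HOST}/wp-login.php"  # the kind of request the rule is meant to block
SAMPLE_REQUESTS = [f"http://{HOST}/", f"http://{HOST}/robots.txt", ACME_URL, PROBE_URL]

if __name__ == "__main__":
    print("blocked before:", blocked_requests(KNOWN_GOOD, SAMPLE_REQUESTS))
    print("blocked after: ", blocked_requests(KNOWN_GOOD_WITH_ACME, SAMPLE_REQUESTS))
```

Against the live site the equivalent pre-flight is to request a made-up token under /.well-known/acme-challenge/ over plain http and confirm the answer comes from the origin (typically a 404 for an unknown token) rather than being blocked at the edge. Leaving the whole subpath open is fine: only the challenge response is ever served there, and the CA has to reach it unauthenticated. Keep in mind that the CAA record and this rule interact: with validationmethods=http-01 on the apex, http-01 through the CDN is the only way Let's Encrypt can issue for www.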
After a bit more than 13 years I now removed Disqus from the blog.
Over these years, it only contributed 36 comments.
Most of them around a single post that made it onto the frontpage of Hacker News and Reddit.
I'll extract these comments from the Disqus export file and backfill them as static entries on the corresponding posts so they are preserved.
In the future I might add another way to comment/contribute directly on the blog.
For now, please use the communication channels listed on the About page.