Migrate DNS to Gandi (#175)

Co-authored-by: Jake Howard <git@theorangeone.net> Co-committed-by: Jake Howard <git@theorangeone.net>
2025-04-06 20:21:49 +01:00 · 2025-04-06 20:21:49 +01:00 · 6f855fcc18
commit 6f855fcc18
parent 69b909afa2
10 changed files with 582 additions and 498 deletions
--- a/ansible/roles/traefik/files/docker-compose.yml
+++ b/ansible/roles/traefik/files/docker-compose.yml
@ -3,7 +3,6 @@ services:
    image: traefik:v3
    user: "{{ docker_user.id }}"
    environment:
-      - CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}
      - GANDIV5_PERSONAL_ACCESS_TOKEN={{ vault_gandi_personal_access_token }}
    volumes:
      - ./traefik:/etc/traefik
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@ -54,17 +54,6 @@ api:

 certificatesResolvers:
  le:
-    acme:
-      email: "{{ vault_letsencrypt_email }}"
-      storage: /etc/traefik/acme.json
-      dnsChallenge:
-        provider: cloudflare
-        delayBeforeCheck: 0s
-        resolvers:
-          - 1.1.1.1:53
-          - 1.0.0.1:53
-
-  gandi:
    acme:
      email: "{{ vault_letsencrypt_email }}"
      storage: /etc/traefik/acme.json
@ -72,8 +61,8 @@ certificatesResolvers:
        provider: gandiv5
        delayBeforeCheck: 0s
        resolvers:
-          - 1.1.1.1:53
-          - 1.0.0.1:53
+          - 9.9.9.9:53
+          - 149.112.112.112:53

 serversTransport:
  insecureSkipVerify: true
--- a/ansible/roles/traefik/vars/vault.yml
+++ b/ansible/roles/traefik/vars/vault.yml
@ -1,15 +1,11 @@
 $ANSIBLE_VAULT;1.1;AES256
-30383663326161656238386262313539666365336361366532323636343731366264303732613566
-3933643237303966633539626466373430366262393132630a303063666631343664653930653065
-36396635383761613461306431643438316536313330363435326339303337363438383037313338
-3638343733623962610a326264386139383266666437313464353232623164363134393765653430
-35363830626135313162336435653861336635386233653531616332633466666265366535643862
-63623866623764636332633932613735383463663062393036643261313038383532313963343836
-61306665653833353735303935326536633934613831343637313062616537653533303037356262
-61346364336538376331353061663232653339363839323438376262623363666362306335616436
-35326161663566393934303363343464633664323330613838363364623164633834363335623032
-32326366343562316664623230373532303636656437643864376231326465666162326631326332
-34336263333937333064363861326632393936316332313338323037393066346566393662633737
-35386530646539373833383330336536303632326631323836303438303934323762393636656531
-31356161323134633263663438653639333335383430623565336139343639653232623365663031
-3066633965303134336139633033306434646337313536346365
+30393461663462666434333462386264383831333936633961636237616338303335393861626336
+3566306338633735613431393736653061636536353335620a366335623630643137343863636161
+37383436323439393965623436393465626362633134346239356463633936396236666164333762
+3565623930353964620a303965626164396536646336313438346464663236633465353036303935
+30373230393432643330663434313637396234306563336137653861333839623530636465653532
+37363239663939303834633332656365363437356236633933313339656563343130383262626539
+61363762663630366430326635386163613936653938303366636363363334643035396233646430
+32636431616335326264343931343064646363393736303263633038623562623965393763636562
+35316264636264366161326463343730613232663539306532303838656338343535376439343834
+3234663334333866376233336538343264623930653662303835
--- a/ansible/roles/yourls/files/docker-compose.yml
+++ b/ansible/roles/yourls/files/docker-compose.yml
@ -16,7 +16,6 @@ services:
    labels:
      - traefik.enable=true
      - traefik.http.routers.yourls.rule=Host(`0rng.one`)
-      - traefik.http.routers.yourls.tls.certresolver=gandi
    networks:
      - default
      - traefik
--- a/terraform/0rng.one.tf
+++ b/terraform/0rng.one.tf
@ -8,7 +8,7 @@ resource "gandi_livedns_record" "orngone_apex" {
  type = "ALIAS" # Gandi doesn't support CNAME-flattening
  ttl  = 3600
  values = [
-    cloudflare_record.sys_domain_pve.hostname
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
  ]
 }

@ -29,6 +29,6 @@ resource "gandi_livedns_record" "orngone_who" {
  type = "CNAME"
  ttl  = 3600
  values = [
-    "${cloudflare_record.sys_domain_pve.hostname}."
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
  ]
 }
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@ -96,10 +96,10 @@ resource "linode_firewall" "casey" {

 resource "linode_rdns" "casey_reverse_ipv4" {
  address = linode_instance.casey.ip_address
-  rdns    = cloudflare_record.sys_domain_casey.hostname
+  rdns    = "${gandi_livedns_record.sys_domain_casey.name}.${gandi_livedns_record.sys_domain_casey.zone}"
 }

 resource "linode_rdns" "casey_reverse_ipv6" {
  address = split("/", linode_instance.casey.ipv6)[0]
-  rdns    = cloudflare_record.sys_domain_casey.hostname
+  rdns    = "${gandi_livedns_record.sys_domain_casey.name}.${gandi_livedns_record.sys_domain_casey.zone}"
 }
--- a/terraform/jakehoward.tech.tf
+++ b/terraform/jakehoward.tech.tf
@ -1,307 +1,365 @@
-resource "cloudflare_zone" "jakehowardtech" {
-  zone = "jakehoward.tech"
+data "gandi_livedns_domain" "jakehowardtech" {
+  name = "jakehoward.tech"
 }

-resource "cloudflare_record" "jakehowardtech_mx1" {
-  zone_id  = cloudflare_zone.jakehowardtech.id
-  name     = "@"
-  value    = "in1-smtp.messagingengine.com"
-  type     = "MX"
-  priority = 10
-  ttl      = 1
+resource "gandi_livedns_record" "jakehowardtech_mx" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "@"
+  type = "MX"
+  ttl  = 3600
+  values = [
+    "10 in1-smtp.messagingengine.com.",
+    "20 in2-smtp.messagingengine.com.",
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_mx2" {
-  zone_id  = cloudflare_zone.jakehowardtech.id
-  name     = "@"
-  value    = "in2-smtp.messagingengine.com"
-  type     = "MX"
-  priority = 20
-  ttl      = 1
+resource "gandi_livedns_record" "jakehowardtech_spf" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "@"
+  type = "SPF"
+  ttl  = 3600
+  values = [
+    "\"v=spf1 include:spf.messagingengine.com -all\""
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_txt" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "@"
-  value   = "v=spf1 include:spf.messagingengine.com -all"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_dkim_fm1" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "fm1._domainkey"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "fm1.jakehoward.tech.dkim.fmhosted.com."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_dkim_fm1" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "fm1._domainkey"
-  value   = "fm1.jakehoward.tech.dkim.fmhosted.com"
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_dkim_fm2" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "fm2._domainkey"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "fm2.jakehoward.tech.dkim.fmhosted.com."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_dkim_fm2" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "fm2._domainkey"
-  value   = "fm2.jakehoward.tech.dkim.fmhosted.com"
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_dkim_fm3" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "fm3._domainkey"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "fm3.jakehoward.tech.dkim.fmhosted.com."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_dkim_fm3" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "fm3._domainkey"
-  value   = "fm3.jakehoward.tech.dkim.fmhosted.com"
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_dmarc" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "_dmarc"
+  type = "TXT"
+  ttl  = 3600
+  values = [
+    "\"v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;\""
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_dmarc" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "_dmarc"
-  value   = "v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_wallabag" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "wallabag"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_wallabag" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "wallabag"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_ttrss" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "tt-rss"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_ttrss" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "tt-rss"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_speed" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "speed"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_speed" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "speed"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_quassel" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "quassel"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_quassel" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "quassel"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_media" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "media"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_media" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "media"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_matrix" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "matrix"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_matrix" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "matrix"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_intersect" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "intersect"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_intersect" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "intersect"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_calibre" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "calibre"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_calibre" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "calibre"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_homeassistant" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "homeassistant"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve_private.name}.${gandi_livedns_record.sys_domain_pve_private.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_homeassistant" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "homeassistant"
-  value   = cloudflare_record.sys_domain_pve_private.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_grafana" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "grafana"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_grafana" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "grafana"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_vaultwarden" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "vaultwarden"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve_private.name}.${gandi_livedns_record.sys_domain_pve_private.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_vaultwarden" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "vaultwarden"
-  value   = cloudflare_record.sys_domain_pve_private.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_recipes" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "recipes"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_tandoor" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "recipes"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_mailgun_spf" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "mg"
+  type = "SPF"
+  ttl  = 3600
+  values = [
+    "\"v=spf1 include:mailgun.org -all\""
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_mailgun_spf" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "mg"
-  value   = "v=spf1 include:mailgun.org -all"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_mailgun_dkim" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "s1._domainkey.mg"
+  type = "TXT"
+  ttl  = 3600
+  values = [
+    "\"k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4E4cv86U+sFUjgLys26ZLccTghzGfHiFpitWdFg68lGXG63aoG2/+9bgKVT0ZBG7bjPvj6Kyj4N3TIe4oCJo2saVvtsNK1pvZ\" \"kOadaBPgjzKeRvBaw48ZatUGKoV7q1NCa0kXAfiJleF7bMvbt8rYDmBljr/BG6TtZYPt6XgoZyh8HHXjv/1L6WT3JBVQ8q5UtqVRVujXNHf57FmJTOJpvs0bKn/6TUaXYZmt5z3jpDhc/HfmkzVV22\" \"AwRf9jn7kgKkgaKpkvfSL8gtYNn5oyfS0Y9W9x9ntqb4g72RCbynMppQb1uwxbIuWRVOp0un0koQDm3C8ZzhOOYAwe58BYQIDAQAB\""
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_mailgun_dkim" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "s1._domainkey.mg"
-  value   = "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4E4cv86U+sFUjgLys26ZLccTghzGfHiFpitWdFg68lGXG63aoG2/+9bgKVT0ZBG7bjPvj6Kyj4N3TIe4oCJo2saVvtsNK1pvZkOadaBPgjzKeRvBaw48ZatUGKoV7q1NCa0kXAfiJleF7bMvbt8rYDmBljr/BG6TtZYPt6XgoZyh8HHXjv/1L6WT3JBVQ8q5UtqVRVujXNHf57FmJTOJpvs0bKn/6TUaXYZmt5z3jpDhc/HfmkzVV22AwRf9jn7kgKkgaKpkvfSL8gtYNn5oyfS0Y9W9x9ntqb4g72RCbynMppQb1uwxbIuWRVOp0un0koQDm3C8ZzhOOYAwe58BYQIDAQAB"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_mailgun_dmarc" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "_dmarc.mg"
+  type = "TXT"
+  ttl  = 3600
+  values = [
+    "\"v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;\""
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_mailgun_dmarc" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "_dmarc.mg"
-  value   = "v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_synapse_admin" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "synapse-admin"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_matrix_admin" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "synapse-admin"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_apex" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "@"
+  type = "ALIAS"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_walker.name}.${gandi_livedns_record.sys_domain_walker.zone}."
+  ]
 }

-# Cloudflare supports CNAME flattening - so this is ok
-resource "cloudflare_record" "jakehowardtech_apex" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "@"
-  value   = cloudflare_record.sys_domain_walker.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_collabora" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "collabora"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_collabora" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "collabora"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_tasks" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "tasks"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_tasks" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "tasks"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_auth" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "auth"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_auth" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "auth"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_minio" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "minio"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_minio" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "minio"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_s3" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "s3"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_s3" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "s3"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_ntfy" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "ntfy"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_ntfy" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "ntfy"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_headscale" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "headscale"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_casey.name}.${gandi_livedns_record.sys_domain_casey.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_headscale" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "headscale"
-  value   = cloudflare_record.sys_domain_casey.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_slides" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "slides"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_walker.name}.${gandi_livedns_record.sys_domain_walker.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_slides" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "slides"
-  value   = cloudflare_record.sys_domain_walker.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_uptime" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "uptime"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_uptime" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "uptime"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_baby-buddy" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "baby-buddy"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve_private.name}.${gandi_livedns_record.sys_domain_pve_private.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_baby-buddy" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "baby-buddy"
-  value   = cloudflare_record.sys_domain_pve_private.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_immich" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "immich"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve_private.name}.${gandi_livedns_record.sys_domain_pve_private.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_immich" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "immich"
-  value   = cloudflare_record.sys_domain_pve_private.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "jakehowardtech_photos" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "photos"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "jakehowardtech_photos" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "photos"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
-}
-
-resource "cloudflare_record" "jakehowardtech_caa" {
-  zone_id = cloudflare_zone.jakehowardtech.id
-  name    = "@"
-  type    = "CAA"
-  ttl     = 1
-
-  data = {
-    tag   = "issue"
-    flags = 0
-    value = "letsencrypt.org"
-  }
+resource "gandi_livedns_record" "jakehowardtech_caa" {
+  zone = data.gandi_livedns_domain.jakehowardtech.id
+  name = "@"
+  type = "CAA"
+  ttl  = 3600
+  values = [
+    "0 issue \"letsencrypt.org\"",
+    "0 wildissue \"letsencrypt.org\"",
+  ]
 }
--- a/terraform/sys_domains.tf
+++ b/terraform/sys_domains.tf
@ -1,47 +1,59 @@
-resource "cloudflare_record" "sys_domain_casey" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "casey.sys"
-  value   = linode_instance.casey.ip_address
-  type    = "A"
-  ttl     = 1
+resource "gandi_livedns_record" "sys_domain_casey" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "casey.sys"
+  type = "A"
+  ttl  = 3600
+  values = [
+    linode_instance.casey.ip_address
+  ]
 }

-resource "cloudflare_record" "sys_domain_walker" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "walker.sys"
-  value   = hcloud_server.walker.ipv4_address
-  type    = "A"
-  ttl     = 1
+resource "gandi_livedns_record" "sys_domain_casey_v6" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "casey.sys"
+  type = "AAAA"
+  ttl  = 3600
+  values = [
+    split("/", linode_instance.casey.ipv6)[0]
+  ]
 }

-resource "cloudflare_record" "sys_domain_casey_v6" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "casey.sys"
-  value   = split("/", linode_instance.casey.ipv6)[0]
-  type    = "AAAA"
-  ttl     = 1
+resource "gandi_livedns_record" "sys_domain_walker" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "walker.sys"
+  type = "A"
+  ttl  = 3600
+  values = [
+    hcloud_server.walker.ipv4_address
+  ]
 }

-resource "cloudflare_record" "sys_domain_walker_v6" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "walker.sys"
-  value   = hcloud_server.walker.ipv6_address
-  type    = "AAAA"
-  ttl     = 1
+resource "gandi_livedns_record" "sys_domain_walker_v6" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "walker.sys"
+  type = "AAAA"
+  ttl  = 3600
+  values = [
+    hcloud_server.walker.ipv6_address
+  ]
 }

-resource "cloudflare_record" "sys_domain_pve" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "pve.sys"
-  value   = linode_instance.casey.ip_address
-  type    = "A"
-  ttl     = 1
+resource "gandi_livedns_record" "sys_domain_pve" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "pve.sys"
+  type = "A"
+  ttl  = 3600
+  values = [
+    linode_instance.casey.ip_address
+  ]
 }

-resource "cloudflare_record" "sys_domain_pve_private" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "pve-private.sys"
-  value   = local.private_ipv6_marker
-  type    = "AAAA"
-  ttl     = 1
+resource "gandi_livedns_record" "sys_domain_pve_private" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "pve-private.sys"
+  type = "AAAA"
+  ttl  = 3600
+  values = [
+    local.private_ipv6_marker
+  ]
 }
--- a/terraform/theorangeone.net.tf
+++ b/terraform/theorangeone.net.tf
@ -1,251 +1,282 @@
-resource "cloudflare_zone" "theorangeonenet" {
-  zone = "theorangeone.net"
+data "gandi_livedns_domain" "theorangeonenet" {
+  name = "theorangeone.net"
 }

-resource "cloudflare_record" "theorangeonenet_git" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "git"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_git" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "git"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_whoami" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "whoami"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_whoami" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "whoami"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_whoami_cdn" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "whoami-cdn"
-  value   = cloudflare_record.sys_domain_casey.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_whoami_cdn" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "whoami-cdn"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_whoami_private" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "whoami-private"
-  value   = cloudflare_record.sys_domain_pve_private.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_whoami_private" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "whoami-private"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_mx1" {
-  zone_id  = cloudflare_zone.theorangeonenet.id
-  name     = "@"
-  value    = "in1-smtp.messagingengine.com"
-  type     = "MX"
-  priority = 10
-  ttl      = 1
+resource "gandi_livedns_record" "theorangeonenet_mx" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "@"
+  type = "MX"
+  ttl  = 3600
+  values = [
+    "10 in1-smtp.messagingengine.com.",
+    "20 in2-smtp.messagingengine.com.",
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_mx2" {
-  zone_id  = cloudflare_zone.theorangeonenet.id
-  name     = "@"
-  value    = "in2-smtp.messagingengine.com"
-  type     = "MX"
-  priority = 20
-  ttl      = 1
+resource "gandi_livedns_record" "theorangeonenet_spf" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "@"
+  type = "SPF"
+  ttl  = 3600
+  values = [
+    "\"v=spf1 include:spf.messagingengine.com -all\""
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_spf" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "@"
-  value   = "v=spf1 include:spf.messagingengine.com -all"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_dkim_fm1" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "fm1._domainkey"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "fm1.theorangeone.net.dkim.fmhosted.com."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_dkim_fm1" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "fm1._domainkey"
-  value   = "fm1.theorangeone.net.dkim.fmhosted.com"
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_dkim_fm2" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "fm2._domainkey"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "fm2.theorangeone.net.dkim.fmhosted.com."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_dkim_fm2" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "fm2._domainkey"
-  value   = "fm2.theorangeone.net.dkim.fmhosted.com"
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_dkim_fm3" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "fm3._domainkey"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "fm3.theorangeone.net.dkim.fmhosted.com."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_dkim_fm3" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "fm3._domainkey"
-  value   = "fm3.theorangeone.net.dkim.fmhosted.com"
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_dmarc" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "_dmarc"
+  type = "TXT"
+  ttl  = 3600
+  values = [
+    "\"v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;\""
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_dmarc" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "_dmarc"
-  value   = "v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;"
-  type    = "TXT"
-  ttl     = 1
-}
-
-resource "cloudflare_record" "theorangeonenet_dmarc_report" {
+resource "gandi_livedns_record" "theorangeonenet_dmarc_report" {
  for_each = toset([
-    cloudflare_zone.theorangeonenet.zone,
-    cloudflare_zone.jakehowardtech.zone,
-    cloudflare_record.theorangeonenet_mailgun_spf.hostname,
-    cloudflare_record.jakehowardtech_mailgun_spf.hostname,
+    data.gandi_livedns_domain.theorangeonenet.name,
+    data.gandi_livedns_domain.jakehowardtech.name,
+    "${gandi_livedns_record.theorangeonenet_mailgun_spf.name}.${gandi_livedns_record.theorangeonenet_mailgun_spf.zone}",
+    "${gandi_livedns_record.jakehowardtech_mailgun_spf.name}.${gandi_livedns_record.jakehowardtech_mailgun_spf.zone}"
  ])

-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "${each.value}._report._dmarc"
-  value   = "v=DMARC1"
-  type    = "TXT"
-  ttl     = 1
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "${each.value}._report._dmarc"
+  type = "TXT"
+  ttl  = 3600
+  values = [
+    "\"v=DMARC1\""
+  ]
 }

-# Cloudflare supports CNAME flattening - so this is ok
-resource "cloudflare_record" "theorangeonenet_apex" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "@"
-  value   = cloudflare_record.sys_domain_walker.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_apex" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "@"
+  type = "ALIAS"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_walker.name}.${gandi_livedns_record.sys_domain_walker.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_srv_matrix" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "_matrix._tcp"
-  type    = "SRV"
-  ttl     = 1
-
-  data = {
-    service  = "_matrix"
-    proto    = "_tcp"
-    name     = cloudflare_zone.theorangeonenet.zone
-    priority = 10
-    weight   = 0
-    port     = 8448
-    target   = cloudflare_record.theorangeonenet_matrix.hostname
-  }
+resource "gandi_livedns_record" "theorangeonenet_srv_matrix" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "_matrix._tcp"
+  type = "SRV"
+  ttl  = 3600
+  values = [
+    "10 0 8448 ${gandi_livedns_record.theorangeonenet_matrix.name}.${gandi_livedns_record.theorangeonenet_matrix.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_matrix" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "matrix"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_matrix" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "matrix"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_plausible" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "plausible"
-  value   = cloudflare_record.sys_domain_walker.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_plausible" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "plausible"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_walker.name}.${gandi_livedns_record.sys_domain_walker.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_plausible_bare" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "elbisualp"
-  value   = cloudflare_record.sys_domain_walker.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_plausible_bare" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "elbisualp"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_walker.name}.${gandi_livedns_record.sys_domain_walker.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_notes" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "notes"
-  value   = "realorangeone.github.io"
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_notes" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "notes"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "realorangeone.github.io."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_privatebin" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "bin"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_bin" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "bin"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_google_site_verification" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "@"
-  value   = "google-site-verification=IXY4iSBN_vOcM3cp_f-BgVvEI_shz1GzXuY_8dqY61o"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_google_site_verification" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "@"
+  type = "TXT"
+  ttl  = 3600
+  values = [
+    "\"google-site-verification=IXY4iSBN_vOcM3cp_f-BgVvEI_shz1GzXuY_8dqY61o\""
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_mailgun_spf" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "mg"
-  value   = "v=spf1 include:mailgun.org -all"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_mailgun_spf" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "mg"
+  type = "SPF"
+  ttl  = 3600
+  values = [
+    "\"v=spf1 include:mailgun.org -all\""
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_mailgun_dkim" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "mta._domainkey.mg"
-  value   = "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Z/MHEzpbWm5EgMkyWb+Xkz44Xrzr4SA5i2u8M2H5yZ1PSb4DpGk3IAX+I05UWax02+WBW3CBb5wU9rH9flgxezBoCf/hiMS1Wjb9hKGIBa2jMCzpF+wa5fyqLkLoAJZF4bc/BJKyi/ET2c7+DAA/2KlWv/nv4MEjcUR4hNGLPEC9+6PhUp8z2PnUQLzPRWHpKc1oLrnROWaX3XxdDekCzwyOw7ygzZdThVevE+0CqXVOt5SUSUCnd2tjVbvblGi6DBiQY5Tl6+xLqkQHCRqks9187+EN4FdJXkjQodkFzzyiBH5cXVGiZLOhal4koEvxGirr596qM97bIXiJWArdQIDAQAB"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_mailgun_dkim" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "mta._domainkey.mg"
+  type = "TXT"
+  ttl  = 3600
+  values = [
+    "\"k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Z/MHEzpbWm5EgMkyWb+Xkz44Xrzr4SA5i2u8M2H5yZ1PSb4DpGk3IAX+I05UWax02+WBW3CBb5wU9rH9flgxezBoCf/hiMS1\" \"Wjb9hKGIBa2jMCzpF+wa5fyqLkLoAJZF4bc/BJKyi/ET2c7+DAA/2KlWv/nv4MEjcUR4hNGLPEC9+6PhUp8z2PnUQLzPRWHpKc1oLrnROWaX3XxdDekCzwyOw7ygzZdThVevE+0CqXVOt5SUSUCnd2\" \"tjVbvblGi6DBiQY5Tl6+xLqkQHCRqks9187+EN4FdJXkjQodkFzzyiBH5cXVGiZLOhal4koEvxGirr596qM97bIXiJWArdQIDAQAB\""
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_mailgun_dmarc" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "_dmarc.mg"
-  value   = "v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_mailgun_dmarc" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "_dmarc.mg"
+  type = "TXT"
+  ttl  = 3600
+  values = [
+    "\"v=DMARC1; p=quarantine; ruf=mailto:dmarc-report@jakehoward.tech;\""
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_mastodon" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "mastodon"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_mastodon" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "mastodon"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_comentario" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "comentario"
-  value   = cloudflare_record.sys_domain_walker.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_comentario" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "comentario"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_walker.name}.${gandi_livedns_record.sys_domain_walker.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_bsky" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "bsky"
-  value   = cloudflare_record.sys_domain_pve.hostname
-  type    = "CNAME"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_bsky" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "bsky"
+  type = "CNAME"
+  ttl  = 3600
+  values = [
+    "${gandi_livedns_record.sys_domain_pve.name}.${gandi_livedns_record.sys_domain_pve.zone}."
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_atproto" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "_atproto"
-  value   = "did=did:plc:pgyg4ih7zsqkwdon34jqkbuz"
-  type    = "TXT"
-  ttl     = 1
+resource "gandi_livedns_record" "theorangeonenet_atproto" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "_atproto"
+  type = "TXT"
+  ttl  = 3600
+  values = [
+    "\"did=did:plc:pgyg4ih7zsqkwdon34jqkbuz\""
+  ]
 }

-resource "cloudflare_record" "theorangeonenet_caa" {
-  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "@"
-  type    = "CAA"
-  ttl     = 1
-
-  data = {
-    tag   = "issue"
-    flags = 0
-    value = "letsencrypt.org"
-  }
+resource "gandi_livedns_record" "theorangeonenet_caa" {
+  zone = data.gandi_livedns_domain.theorangeonenet.id
+  name = "@"
+  type = "CAA"
+  ttl  = 3600
+  values = [
+    "0 issue \"letsencrypt.org\"",
+    "0 wildissue \"letsencrypt.org\"",
+  ]
 }
--- a/terraform/walker_vps.tf
+++ b/terraform/walker_vps.tf
@ -16,11 +16,11 @@ resource "hcloud_server" "walker" {
 resource "hcloud_rdns" "walker_reverse_ipv4" {
  server_id  = hcloud_server.walker.id
  ip_address = hcloud_server.walker.ipv4_address
-  dns_ptr    = cloudflare_record.sys_domain_walker.hostname
+  dns_ptr    = "${gandi_livedns_record.sys_domain_walker.name}.${gandi_livedns_record.sys_domain_walker.zone}"
 }

 resource "hcloud_rdns" "walker_reverse_ipv6" {
  server_id  = hcloud_server.walker.id
  ip_address = hcloud_server.walker.ipv6_address
-  dns_ptr    = cloudflare_record.sys_domain_walker.hostname
+  dns_ptr    = "${gandi_livedns_record.sys_domain_walker.name}.${gandi_livedns_record.sys_domain_walker.zone}"
 }