Granola-Team / mina-indexer

The Mina Indexer is a re-imagined version of the software collectively called the "Mina archive node."
Apache License 2.0

Public production Mina Indexer lacks domain name and TLS certificate #913

Closed jhult closed 3 months ago

jhult commented 3 months ago

This is a follow-up to #851.

We now need to connect a DNS entry (api.minasearch.com) to the publicly exposed Indexer. We plan to do this using Cloudflare. This will allow us to proxy behind it for CDN purposes and provide a TLS certificate.

Utilizing Cloudflare distantly relates to my plan for Granola-Team/mina-block-explorer#44

jhult commented 3 months ago

I have created a Cloudflare account.

@trevorbernard, @robinbb, and I all (currently) have this role: Super Administrator - All Privileges. Jeff has been added with the Billing role (in case we need it).

jhult commented 3 months ago

Currently, minasearch.com is registered at Namecheap with nameservers pointing to AWS Route 53.

Cloudflare does support partial CNAME setup:

A partial (CNAME) setup allows you to use Cloudflare’s reverse proxy while maintaining your primary and authoritative DNS provider.

Use this option to proxy only individual subdomains through Cloudflare’s global network when you cannot change your authoritative DNS provider.

Unfortunately, partial (CNAME) setup is not available on the free plan.

Thus, my current recommendation is to either:

  1. transfer the domain to Cloudflare (as the registrar) or
  2. transfer nameservers to Cloudflare

robinbb commented 3 months ago

We chose option 1, FYI.

jhult commented 3 months ago

Before we could transfer the domain, we needed to update the nameservers (which @trevorbernard did). We then proceeded to transfer the domain and the transfer has been completed.

robinbb commented 3 months ago

I think that this is done.

jhult commented 3 months ago

I ended up creating a (remotely-managed) Cloudflare Tunnel in the Cloudflare Dashboard.

A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel. You can get a tunnel’s token from the dashboard or via the API.

I ran these commands to download the tunnel config (nixos-builder-1 being the tunnel name):

nix-env -iA nixos.cloudflared
cloudflared tunnel login
cloudflared tunnel token --cred-file /root/.cloudflared/tunnel.json nixos-builder-1

I updated machine nixos-builder-1 with this config (file /root/nixos-builder-1-config.nix):

services.cloudflared = {
  enable = true;
  user = "root";
  tunnels = {
    "950210ce-REST-OF-TUNNEL-ID" = {
      credentialsFile = "${config.users.users.root.home}/.cloudflared/tunnel.json";
      default = "http_status:404";
    };
  };
};

I also added cloudflared into environment.systemPackages = with pkgs; [

I then ran: nixos-rebuild switch -I nixos-config=/root/nixos-builder-1-config.nix
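As an added example that is not part of this thread or the mina-indexer project, the NixOS configuration above extended with an ingress rule that routes api.minasearch.com to the indexer, while the tunnel runs as the module's unprivileged cloudflared system user rather than root, so the tunnel token is only readable by that user. It assumes the indexer listens on 127.0.0.1:8080 and that the credentials file has been copied to /var/lib/cloudflared/tunnel.json (both assumptions); the tunnel ID placeholder is reused from the original comment.

```nix
{ config, pkgs, ... }:

{
  environment.systemPackages = with pkgs; [ cloudflared ];

  services.cloudflared = {
    enable = true;

    # Run the tunnel as the module's dedicated system user instead of root.
    # The tunnel token is all that is needed to run this tunnel, so it is kept
    # out of /root and owned by this user (assumed: chown cloudflared:cloudflared
    # and chmod 0600 on the file below).
    user = "cloudflared";
    group = "cloudflared";

    tunnels = {
      "950210ce-REST-OF-TUNNEL-ID" = {
        credentialsFile = "/var/lib/cloudflared/tunnel.json";

        # Only the indexer's public hostname is routed; the origin is a
        # loopback address so nothing else on the host is reachable through
        # the tunnel. Port 8080 is an assumption.
        ingress = {
          "api.minasearch.com" = "http://127.0.0.1:8080";
        };

        # Any other Host header that reaches the tunnel gets a 404 rather
        # than falling through to a service.
        default = "http_status:404";
      };
    };
  };
}
```

The `ingress` attribute set is evaluated in order and the `default` catch-all is required by the module, so a hostname that is not listed never reaches an origin.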

robinbb commented 3 months ago

Nice! I will update the automation so that the above configuration is preserved whenever new configs are applied.