homelab-iac/modules/dns/main.tf


/**
* # DNS Module
*
* Manages Cloudflare DNS records for the root domain:
* - A / AAAA records for the apex and wildcard pointing at the Pangolin proxy.
* - CDN-proxied A / AAAA records for selected subdomains.
*/
# Provider requirements for this module. Only the registry source address of
# the Cloudflare provider is declared; this block sets no version constraint.
# NOTE(review): the provider version is presumably pinned by the root module
# and the committed dependency lock file - confirm, because an unconstrained
# provider can change underneath the module on `terraform init -upgrade`.
terraform {
  required_providers {
    cloudflare = { source = "cloudflare/cloudflare" }
  }
}
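# Apex A record: resolves var.domain_name itself to the IPv4 address held in
# var.pangolin-proxy-v4.
#
# Security note: proxied = false makes this a DNS-only record, so the address
# is handed to every resolver as-is. The cdn_ipv4 records in this module use
# the same address as their content, which means the origin behind the
# Cloudflare-proxied names can be read from this record. The host therefore
# has to enforce its own controls (firewalling, TLS, authentication) and must
# not assume that traffic only ever arrives through Cloudflare.
resource "cloudflare_dns_record" "proxy_ipv4" {
  zone_id = var.domain_zone_id
  type    = "A"

  # Direct reference: wrapping a single expression in "${...}" is redundant.
  name    = var.domain_name
  content = var.pangolin-proxy-v4

  proxied = false
  ttl     = 1 # Cloudflare treats a TTL of 1 as "automatic"
  comment = "Azure VPS"
}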
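# Apex AAAA record: resolves var.domain_name itself to the IPv6 address held
# in var.pangolin-proxy-v6.
#
# Security note: proxied = false makes this a DNS-only record, so the address
# is handed to every resolver as-is. The cdn_ipv6 records in this module use
# the same address as their content, which means the origin behind the
# Cloudflare-proxied names can be read from this record. Host-level controls
# (firewalling, TLS, authentication) have to cover IPv6 as well as IPv4.
resource "cloudflare_dns_record" "proxy_ipv6" {
  zone_id = var.domain_zone_id
  type    = "AAAA"

  # Direct reference: wrapping a single expression in "${...}" is redundant.
  name    = var.domain_name
  content = var.pangolin-proxy-v6

  proxied = false
  ttl     = 1 # Cloudflare treats a TTL of 1 as "automatic"
  comment = "Azure VPS"
}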
# Wildcard A record: any name under var.domain_name that has no more specific
# record resolves to the IPv4 address in var.pangolin-proxy-v4 (DNS-only,
# because proxied = false).
#
# Security note: with a wildcard, hostnames that were never deliberately
# published still resolve to the proxy, so the set of reachable names is
# decided by the proxy's routing, not by DNS.
# NOTE(review): confirm the proxy refuses requests for hostnames it has no
# route for instead of falling through to a default backend.
resource "cloudflare_dns_record" "subdomains_ipv4" {
  zone_id = var.domain_zone_id
  type    = "A"
  name    = "*.${var.domain_name}"
  content = var.pangolin-proxy-v4

  proxied = false
  ttl     = 1 # Cloudflare treats a TTL of 1 as "automatic"
  comment = "Azure VPS"
}
# Wildcard AAAA record: any name under var.domain_name that has no more
# specific record resolves to the IPv6 address in var.pangolin-proxy-v6
# (DNS-only, because proxied = false).
#
# Security note: with a wildcard, hostnames that were never deliberately
# published still resolve to the proxy, so the set of reachable names is
# decided by the proxy's routing, not by DNS.
# NOTE(review): confirm the proxy applies the same hostname filtering on its
# IPv6 listener as on IPv4.
resource "cloudflare_dns_record" "subdomains_ipv6" {
  zone_id = var.domain_zone_id
  type    = "AAAA"
  name    = "*.${var.domain_name}"
  content = var.pangolin-proxy-v6

  proxied = false
  ttl     = 1 # Cloudflare treats a TTL of 1 as "automatic"
  comment = "Azure VPS"
}
# ── CDN-proxied subdomains ───────────────────────────────────
# Specific records with proxied=true override the wildcard for
# these subdomains, enabling Cloudflare edge caching.
# One Cloudflare-proxied A record per distinct entry of var.cdn_subdomains.
# toset() collapses duplicates; each entry is both the for_each key and the
# left-most label of the record name.
#
# proxied = true puts Cloudflare in front of these names, but the content is
# the same var.pangolin-proxy-v4 address that the DNS-only apex and wildcard
# records in this module publish, so the origin address is not hidden by
# these records.
# NOTE(review): the labels are interpolated as given. Any validation of
# var.cdn_subdomains (empty strings, "*", embedded dots) would have to be in
# the variable declaration, which is not visible here - confirm.
resource "cloudflare_dns_record" "cdn_ipv4" {
  for_each = toset(var.cdn_subdomains)

  zone_id = var.domain_zone_id
  type    = "A"
  name    = "${each.value}.${var.domain_name}"
  content = var.pangolin-proxy-v4

  proxied = true
  ttl     = 1 # Cloudflare treats a TTL of 1 as "automatic"
  comment = "CDN-proxied via Cloudflare"
}
# One Cloudflare-proxied AAAA record per distinct entry of
# var.cdn_subdomains. toset() collapses duplicates; each entry is both the
# for_each key and the left-most label of the record name.
#
# proxied = true puts Cloudflare in front of these names, but the content is
# the same var.pangolin-proxy-v6 address that the DNS-only apex and wildcard
# records in this module publish, so the origin address is not hidden by
# these records.
# NOTE(review): the labels are interpolated as given. Any validation of
# var.cdn_subdomains (empty strings, "*", embedded dots) would have to be in
# the variable declaration, which is not visible here - confirm.
resource "cloudflare_dns_record" "cdn_ipv6" {
  for_each = toset(var.cdn_subdomains)

  zone_id = var.domain_zone_id
  type    = "AAAA"
  name    = "${each.value}.${var.domain_name}"
  content = var.pangolin-proxy-v6

  proxied = true
  ttl     = 1 # Cloudflare treats a TTL of 1 as "automatic"
  comment = "CDN-proxied via Cloudflare"
}