this post was submitted on 02 Jul 2026
Selfhosted

60366 readers
633 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Hi everyone

Thanks for all the advice on buying a domain. It's a big week for me. Getting on grapheneos, buying a domain, and I also recently started self hosting my contacts and calendar. I love this way of life.

My original plan was to get one of the xyz 1.1111b domains for $1 a year but most of the feedback I got said just go with cloudflare. It's a lot more money than I had planned but all the security features are baked in and I feel that's worth the extra money.

Here are my questions. I use the latest version of truenas community.

  1. How do I connect my domain to my server apps? I've got a series of apps I'd love to be able to access without tailscale and solely use the domain.
  2. I have heard the term DNS a million times but don't really understand it. What do I need to know about DNS to keep security up and stay protected?
  3. I'd like to let family access my media server, are there any considerations I need to make?
  4. How can I use one domain to access multiple services on my server? Do I need to pay extra for subdomains?

Thank you for any advice

[–] lyralycan@sh.itjust.works 2 points 1 day ago* (last edited 1 day ago) (1 children)

I kept all my certificates separate - have I been wasting time with 15 subdomains each with their own cert and A record? I have wondered. And then set in my reverse proxy a single domain.tld cert for each entry? TIA.

I wrote bash scripts to run via cron to keep my IPs updated, using Cloudflare API. It's probably useful to other folk but as I used to need just v4 addresses I made one separate script for v4 IPs, v6 IPs and proxied, but it wouldn't take long to combine. Here's my v4:

#!/bin/bash
# Cloudflare DDNS updater for proxied IPv4 (A) records, run from cron.
CLOUDFLARE_API_TOKEN="<api_here>"
ZONE_ID="<zone_id_here>"
DOMAINS=({subdomains.,www.}domain.tld)
log="/opt/ddns/log_$(date +%F).txt"
result=""
CURL="/usr/bin/curl"
JQ="/usr/bin/jq"
API="https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records"
IP=$($CURL -s http://ipv4.icanhazip.com/)
date +"%FT%T" >> "$log"
echo "Performing v4 proxied domain IP address check..." >> "$log"

for DNS_RECORD in "${DOMAINS[@]}"; do
  # Get the record ID of the A record for this name
  DNS_RECORD_ID=$($CURL -s -X GET "$API?type=A&name=$DNS_RECORD" \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -H "Content-Type: application/json" | $JQ -r '.result[0].id')

  # Skip names that have no A record yet (jq prints "null" for a missing element)
  if [[ -z "$DNS_RECORD_ID" || "$DNS_RECORD_ID" == "null" ]]; then
    echo "No A record found for $DNS_RECORD. Skipping." >> "$log"
    continue
  fi

  # Get the record's current IP
  current_ip=$($CURL -s -X GET "$API/$DNS_RECORD_ID" \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -H "Content-Type: application/json" | $JQ -r '.result.content')

  # Nothing to do if the IP is unchanged or the public IP lookup failed
  if [[ "$IP" == "$current_ip" ]] || [[ -z "$IP" ]]; then
    continue
  fi

  echo "IP address for $DNS_RECORD has changed from $current_ip to $IP. Updating record..." >> "$log"
  result="$result${DNS_RECORD%%.*}, "

  # Set the new IP
  response=$($CURL -s -X PUT "$API/$DNS_RECORD_ID" \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data '{
      "type": "A",
      "name": "'"$DNS_RECORD"'",
      "content": "'"$IP"'",
      "ttl": 120,
      "proxied": true
    }')

  if [[ $response == *"\"success\":true"* ]]; then
    echo "DNS record updated successfully" >> "$log"
  else
    echo "Failed to update DNS record for $DNS_RECORD. Response: $response" >> "$log"
    result="$result\nFailed. See log."
  fi
done

# Send a summary to the webhook if anything changed
if [ -n "$result" ]; then
  $CURL -X POST -d '{"result": "'"$result"'\n'"$current_ip"' -> '"$IP"'"}' \
    "<home_assistant_local_webhook-delete_this_block_if_unwanted>" -H "Content-Type:application/json"
fi
echo "$result" >> "$log"
echo $'Done.\n' >> "$log"
/opt/ddns/cloudflare_ddns_v4_direct.sh # This triggers the next script
[–] Svinhufvud@sopuli.xyz 2 points 1 day ago* (last edited 1 day ago)

A single wildcard CNAME that points to your domain's A record is easier to manage I would say. This comes in handy when you add a new service to your stack, as you don't have to go and make a new subdomain record.

You already seem to manage all subdomain updates with that script, so it won't help you much with dyndns. That is, unless you hit a rate limit when trying to update a very large amount of records at once.

Keeping separate TLS certificates is a separate topic from having a single wildcard CNAME record. Separate TLS certificates offer a slight security advantage over a wildcard cert, as a single leaked certificate secret won't compromise the rest of your sites.
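The wildcard-CNAME layout described in the reply, as an added example that is not part of the thread: a toy resolver over a constructed zone (placeholder names, documentation IP addresses) that shows why every `service.domain.tld` follows the apex A record, so a dynamic-DNS job only has to rewrite that one record, while an explicit record such as `www` still wins over the wildcard.

```python
# Added example, not code from the thread. Constructed zone with placeholder
# names and RFC 5737 documentation addresses; empty non-terminals and other
# record types are deliberately not modelled.
ZONE = {
    "domain.tld": ("A", "203.0.113.10"),        # apex, the only DDNS-managed record
    "*.domain.tld": ("CNAME", "domain.tld"),    # catch-all for every service
    "www.domain.tld": ("A", "198.51.100.7"),    # explicit record wins over wildcard
}


def lookup(zone, name):
    """Return the (type, value) record owning `name`, applying wildcard matching."""
    if name in zone:
        return zone[name]
    # RFC 4592: a wildcard only matches when no record exists for the exact
    # name, and only at the closest enclosing name that exists in the zone.
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        wildcard = "*." + parent
        if wildcard in zone:
            return zone[wildcard]
        if parent in zone:  # closest encloser found, but it has no wildcard
            return None
    return None


def resolve_a(zone, name, max_hops=8):
    """Follow CNAME records until an A record is found; None if unresolvable."""
    for _ in range(max_hops):
        rec = lookup(zone, name)
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "A":
            return value
        name = value  # CNAME: restart the lookup with the canonical name
    return None  # CNAME loop or chain longer than max_hops


def ddns_update(zone, new_ip):
    """The entire DDNS job under this layout: rewrite the apex A record only."""
    zone["domain.tld"] = ("A", new_ip)
    return zone
```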