All Roads Lead to Vault

Plan: DNS Consolidation for All Family Domains

Walter Jr. 🦉 · v1 · March 17, 2026
Vault IP: 34.170.164.0 · Cloudflare Zone: 5ba1104dfa9735110ff9aa9133ccd575

We have 75+ domains. Some point to vault and work. Some point to Cloudflare proxies and don't. Some point to Porkbun parking and definitely don't. The goal: everything points to vault, gets a Let's Encrypt cert, gets an nginx server block, and returns 200. This is the low-hanging fruit harvest.

Current State of the World

Group A — Already on Vault, Already Working (14 domains)

These are done. SSL works, HTTP 200. No action needed.

Domain	Status	Notes
1.foo	✅ 200	The mothership
0.foo	✅ 200
123.foo	✅ 200
12345.foo	✅ 200
12345678.foo	✅ 200
clankers.discount	✅ 200
flawless.engineering	✅ 200
if-anyone-builds-it-everyone-dies.rip	✅ 200
if-anyone-builds-it-everyone-dies.help	✅ 200
patty.adult	✅ 200
drip.xxx	✅ 200
am-i.dog	✅ 200	The only am-i that made it home
vilka.lol	✅ 200	Points to Matilda (34.51.254.133) — intentional, DO NOT CHANGE
1234567.foo	✅ SSL	SSL works, just needs content (403)

Group B — On Vault, SSL Works, Just Empty (8 domains)

DNS correct, certs issued, nginx configured. Just need an index.html.

Domain	HTTP	Fix
2.foo	404	Drop index.html
3.foo	404	Drop index.html
4.foo	403	Drop index.html (cert just issued today!)
5.foo	404	Drop index.html
6.foo	404	Drop index.html
7.foo	404	Drop index.html
8.foo	404	Drop index.html
9.foo	404	Drop index.html

Group C — DNS on Cloudflare but Proxied (not pointing to vault) (5 domains)

These are on Cloudflare nameservers (same zone as 1.foo) but the A record is orange-clouded (proxied through Cloudflare) instead of pointing directly to vault. Need to change the A record to 34.170.164.0 with proxy OFF (DNS-only / grey cloud).

Domain	Current IP	Fix
12.foo	172.67.x (CF proxy)	A → 34.170.164.0, proxy off
1234.foo	104.21.x (CF proxy)	A → 34.170.164.0, proxy off
123456.foo	172.67.x (CF proxy)	A → 34.170.164.0, proxy off
123456789.foo	172.67.x (CF proxy)	A → 34.170.164.0, proxy off
am-i.now	172.67.x (CF proxy)	A → 34.170.164.0, proxy off

After DNS change: issue Let's Encrypt cert, add nginx server block, drop index.html.

Group D — Porkbun Parking (48 am-i.* domains + 2 .foo)

These are on Porkbun nameservers, pointing to Porkbun parking IPs (44.227.65.245 / 44.227.76.166). To bring them to vault, we need to either:

Option 1: Change nameservers from Porkbun to Cloudflare, then set A records to vault
Option 2: Set custom A records in Porkbun's DNS panel pointing to vault

Option 2 is simpler (no nameserver migration), but Let's Encrypt will need to verify each domain. With 48 domains, this is a batch operation.

Domains	Count	Current
am-i.{agency,art,bot,cam,ceo,charity,chat,cloud,company,computer,cool,dad,dev,earth,energy,forsale,free,fun,help,legal,life,living,lol,management,mom,money,monster,movie,observer,one,ooo,organic,pet,phd,quest,racing,science,sh,social,software,support,technology,theater,today,trading,training,wtf,you}	48	Porkbun parking
1234567890.foo, 0123456789.foo	2	Porkbun parking

Execution Plan

🟢 Step 1 — Group B: Drop index.html into empty vault domains

For each of 2.foo through 9.foo + 1234567.foo: create /mnt/public/N.foo/index.html with a simple placeholder page showing the number.

Risk: Zero. These directories exist, nginx is configured, SSL works. Just adding a file.

Time: 2 minutes.

🛑 Stop — Report results, verify all return 200

🟡 Step 2 — Group C: Fix Cloudflare-proxied .foo domains

Using the Cloudflare API (zone 5ba1104dfa9735110ff9aa9133ccd575):

For each of 12.foo, 1234.foo, 123456.foo, 123456789.foo, am-i.now: update A record to 34.170.164.0, set proxied: false
Wait for DNS propagation (~1–5 min)
Issue Let's Encrypt cert: sudo certbot certonly --nginx -d DOMAIN
Add nginx server block (same pattern as other .foo domains)
Drop index.html

Risk: Low. Changing DNS from Cloudflare proxy to direct means losing Cloudflare's DDoS protection and CDN caching — irrelevant since these domains aren't serving anything anyway.

Time: ~10 minutes.

# Cloudflare API to update DNS record:
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records/RECORD_ID" \
  -H "Authorization: Bearer $CF_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"type":"A","name":"12.foo","content":"34.170.164.0","proxied":false}'

🛑 Stop — Report results, verify all return 200

🟠 Step 3 — Group D: Bring Porkbun domains to vault

This is the big batch — 50 domains on Porkbun nameservers. Two sub-options:

Option 3A: Change A records in Porkbun (simpler)

Log into Porkbun, for each am-i.* domain + the two .foo domains: set A record to 34.170.164.0, remove any existing parking records.

Then on vault: issue certs (certbot), add nginx blocks, drop index pages.

Problem: 50 manual DNS changes in Porkbun's UI unless they have an API. Let's Encrypt has rate limits (~50 certs per registered domain per week, but each am-i.X is a different registered domain so we should be fine).

Option 3B: Migrate nameservers to Cloudflare (more work upfront, better long-term)

Add each am-i.* domain to the Cloudflare account. Change nameservers at Porkbun from Porkbun → Cloudflare. Then manage all DNS from one place.

Problem: 50 domains to add to Cloudflare + 50 nameserver changes at Porkbun. More work, but then everything is in one DNS panel forever.

Recommendation: Option 3A for speed. We can always migrate nameservers later.

Time: ~30-60 minutes depending on Porkbun API availability.

🛑 Stop — Report results. By now all 75+ domains should return 200.

⚠️ Important: Porkbun API credentials and Cloudflare API token needed. Do we have these? The Cloudflare zone ID is known (5ba1104dfa9735110ff9aa9133ccd575) but I'll need the API token to make changes. Porkbun may require logging into the web panel.

What "Done" Looks Like

Metric	Before	After
Domains returning 200	14	75+
Domains with valid SSL	~22	75+
Domains on Porkbun parking	50	0
Domains behind Cloudflare proxy	5	0
DNS panels in use	2 (Cloudflare + Porkbun)	1 or 2 (depends on Step 3 choice)