Gandi Operations
How to manage DNS records and cycle the Gandi API token.
Prerequisites
- Pulumi CLI installed (
brew install pulumi) - Access to 1Password blumeops vault (for PAT)
- On the tailnet (Pulumi resolves indri’s IP via MagicDNS)
Preview and Apply DNS Changes
# Preview changes (always do this first)
mise run dns-preview
# Apply changes
mise run dns-upBoth tasks fetch the Gandi PAT from 1Password automatically.
To run Pulumi directly:
export GANDI_PERSONAL_ACCESS_TOKEN=$(op item get mco6ka3dc3rmw7zkg2dhia5d2m --field pat --reveal --vault vg6xf6vvfmoh5hqjjhlhbeoaie)
cd pulumi/gandi
pulumi preview
pulumi up --yesCycle the Gandi PAT
The Gandi Personal Access Token has a maximum lifetime of 90 days. Currently set to 30 days as a security compromise, though shorter may be appropriate given infrequent use.
1. Create a new PAT
Go to the Gandi admin console and create a new token:
- Name:
blumeops-pulumi(or similar) - Expiration: 30 days (max 90; shorter is fine if you run this rarely)
- Required permission: Manage domain name technical configurations
- Also enable: See and renew domain names
Copy the new PAT to your clipboard.
2. Update 1Password
With the new PAT on your clipboard:
op item edit mco6ka3dc3rmw7zkg2dhia5d2m pat="$(pbpaste)" --vault vg6xf6vvfmoh5hqjjhlhbeoaie3. Delete the old PAT
Return to the Gandi admin console and delete the previous token.
4. Verify
mise run dns-previewA successful preview confirms the new PAT is working.
Break-Glass Override
If MagicDNS is unavailable and Pulumi can’t resolve indri’s IP, set the target IP manually:
export BLUMEOPS_REVERSE_PROXY_IP=100.98.163.89
mise run dns-upRelated
- gandi - DNS configuration reference
- caddy - Reverse proxy (also uses a Gandi token for TLS)
- update-tailscale-acls - Similar Pulumi workflow for Tailscale