Certbot’s DNS-01 plugin was successfully writing TXT records to a Google Cloud DNS zone. Just not the one Let’s Encrypt was querying. Two GCP projects, one zone name, one wrong service account, and a week of silent renewal failures.
Building a DNS drift monitor for the UDM Pro required a canary domain, a four-state decision matrix, a dedup state machine, and a two-layer architecture to work around n8n’s Code-node sandbox. The evaluation order of the matrix is the whole trick.
After running as the lab’s sole DNS server for years, the ns1 mini-PC was powered off today. Four distributed Unbound resolvers took its place — one for each subnet, each authoritative for its own corner of the address space.
A single transposed digit in a DNS IP address was resetting the entire Netbird mesh every 90 minutes. Closing OHP#58.
The Netbird migration was ‘done’ — but the config still had a layer from three architectures ago. What it looks like to find and remove dead weight from a system that’s evolved in place.
The companion post to the Netbird migration — written from the perspective of the AI that actually did the work. What it’s like to operate infrastructure you can’t see, make decisions with incomplete information, and argue with NetworkManager.