Cloudflare — DNS, Hosting, and Edge

This page is the single source of truth for everything we run on Cloudflare: DNS authority for ka-26.com, hosting for the docs portal at docs.ka-26.com, and (optionally) Cloudflare Access in front of the docs.

Account: siddugkattimani@gmail.com · Plan: Free · Cost: $0/mo

---

What's hosted where (current state, 2026-04-18)

Surface	Provider	Why
ka26.shop (the app)	GCP Cloud Run + GCP Load Balancer	High-traffic, dynamic, needs server-side rendering
ka-26.com (landing page)	GitHub Pages (sidgk/ka26-website, public)	Free, dead-simple static, no auth needed
docs.ka-26.com (this portal)	Cloudflare Workers Static Assets (sidgk/ka26-docs, private)	GitHub Pages free tier requires public repos; we want the docs source private
MX (email)	Google Workspace (smtp.google.com)	Existing — only the NS authority moved
DNS authority for ka-26.com	Cloudflare (was Hostinger until 2026-04-17)	Required for Cloudflare Pages + Access

DNS authority for ka26.shop is still Hostinger — only ka-26.com moved to Cloudflare.

---

DNS — ka-26.com migration to Cloudflare (2026-04-17)

Why we moved

The docs portal source repo (sidgk/ka26-docs) needs to be private — it documents internal architecture, secrets names (not values), incident playbooks, etc. GitHub Pages free tier only serves public repos. So the docs hosting had to move off GitHub Pages.

Cloudflare Pages (now folded into Workers Static Assets) is free, supports private repos, has built-in SSL, and gives us the side benefit of Cloudflare Access for $0 if we ever want to gate the docs by email.

But Cloudflare Pages can only attach a custom domain when Cloudflare is also the authoritative DNS provider. So step 1 was switching nameservers from Hostinger to Cloudflare.

Nameservers (assigned by Cloudflare)

anahi.ns.cloudflare.com
elmo.ns.cloudflare.com

These were entered at Hostinger → ka-26.com → DNS / Nameservers → Custom nameservers. The old Hostinger defaults (ns1.dns-parking.com / ns2.dns-parking.com) are no longer in use.

Records currently in Cloudflare DNS

All 11 records were imported automatically from Hostinger when the domain was added to Cloudflare. All are set to "DNS only" (gray cloud) — none are proxied (orange cloud), because:

• GitHub Pages SSL breaks behind Cloudflare's proxy (cert mismatch)
• MX/SMTP cannot be proxied at all
• TXT records cannot be proxied by definition

Type	Name	Content	Proxy	Purpose
A	@	185.199.108.153	DNS only	Landing → GitHub Pages
A	@	185.199.109.153	DNS only	Landing → GitHub Pages
A	@	185.199.110.153	DNS only	Landing → GitHub Pages
A	@	185.199.111.153	DNS only	Landing → GitHub Pages
CNAME	www	sidgk.github.io	DNS only	www → Pages
Worker route	docs	(Cloudflare Worker ka26-docs)	n/a	Docs portal — replaces old docs → sidgk.github.io CNAME deleted 2026-04-17
MX	@	smtp.google.com (priority 1)	n/a	Google Workspace email
TXT	@	v=spf1 include:_spf.google.com ~all	n/a	SPF
TXT	google._domainkey	(DKIM key)	n/a	DKIM
TXT	_dmarc	v=DMARC1; p=quarantine; rua=mailto:siddugkattimani@gmail.com; adkim=s; aspf=s	n/a	DMARC
TXT	@	google-site-verification=...	n/a	Google Workspace ownership proof

Verification commands

# Confirms Cloudflare is authoritative
dig ka-26.com NS +short
# Expected: anahi.ns.cloudflare.com / elmo.ns.cloudflare.com

# Apex still points to GitHub Pages (landing page)
dig ka-26.com +short
# Expected: 4× 185.199.108-111.153

# Docs subdomain now hits Cloudflare edge
dig @1.1.1.1 docs.ka-26.com +short
# Expected: Cloudflare IPs (104.21.x.x / 172.67.x.x)

# Email routing intact
dig MX ka-26.com +short
# Expected: 1 smtp.google.com.

Things to know

• Cloudflare may show a banner: "Your domain is not fully protected — all records are DNS only." This is expected and correct for our config. Ignore it. We use Cloudflare for DNS hosting, not for proxying. Do not flip records to Proxied — it will break GitHub Pages SSL and email.
• The DNS migration completed in <1 hour. Email continuity was verified end-to-end (test mail to grievance@ka-26.com arrived) immediately after the nameserver swap.
• Hostinger's DNS panel is now read-only — any change there has zero effect. All future DNS changes happen in Cloudflare.

---

docs.ka-26.com — Cloudflare Workers Static Assets

What it is

Cloudflare's modern unified Pages + Workers product. It clones a Git repo, runs a build command, and serves the output globally via Cloudflare's edge network. Free tier: 100k requests/day, unlimited bandwidth.

Project configuration

Field	Value
Project name	ka26-docs
Linked repo	sidgk/ka26-docs (private)
Production branch	main
Framework preset	Docusaurus
Build command	npm run build
Build output directory	build
Deploy command	npx wrangler deploy
Default URL	https://ka26-docs.siddu-9fe.workers.dev
Custom domain	https://docs.ka-26.com
SSL	Universal SSL (Cloudflare-managed, free, auto-renewing)

⚠️ Critical: deploy command must be wrangler deploy, not wrangler versions upload

By default Cloudflare's auto-config sets the deploy command to npx wrangler versions upload. This creates a new version but doesn't promote it to production traffic. The site will appear "stuck" on the old version (or empty for a brand-new project).

We changed it to npx wrangler deploy in Worker Settings → Build → Deploy command, which auto-promotes every push to main. If a future build seems to publish but the live site doesn't update, check this setting first.

How deploys work (current pipeline)

1. Developer pushes to main on sidgk/ka26-docs
2. Cloudflare's GitHub App webhook fires
3. Cloudflare clones the repo into /opt/buildhome/repo on a build container
4. Restores cached node_modules (~5s) or installs fresh (~60s)
5. Runs npm run build (Docusaurus, ~3s warm / ~45s cold)
6. Runs npx wrangler deploy — uploads only changed assets (~2s) and routes production traffic to the new version
7. Live at https://docs.ka-26.com within ~30 seconds of build completion

A typical warm build is ~30 seconds total. Cold builds (no cache) are ~90 seconds.

Build logs / monitoring

• Cloudflare dashboard → Workers & Pages → ka26-docs → Deployments tab
• Click any build → see full log
• Failed builds do not affect the live site — production traffic stays on the last successful version

Custom domain attachment (history)

Originally docs.ka-26.com was a CNAME to sidgk.github.io (GitHub Pages). On 2026-04-17:

1. Deleted the old CNAME in Cloudflare DNS
2. In the Worker settings, added docs.ka-26.com as a custom domain
3. Cloudflare auto-created the routing record (Worker route, not a CNAME) and provisioned a fresh SSL cert (CN=ka-26.com with SAN for docs.ka-26.com, valid through 2026-07-16)
4. The cert auto-renews. No manual action needed.

Repo went private (2026-04-17, after Cloudflare hosting was confirmed working)

• sidgk/ka26-docs flipped from public → private
• GitHub Pages was disabled on the repo (Settings → Pages → Source = None)
• The redundant .github/workflows/deploy.yml (GitHub Pages deployer) was deleted in commit b51ab38
• Verified: post-private push triggers a successful Cloudflare build (the GitHub App retains repo access automatically once installed)

---

Cloudflare Access (optional, not enabled as of 2026-04-18)

The docs portal is currently publicly readable at https://docs.ka-26.com. Anyone who knows the URL can read it. We considered this acceptable for launch because:

• Source repo is private (so the markdown isn't browsable on github.com)
• Docs reference secret names, never values
• No customer PII in any doc

If we want to gate the deployed site by email later (free for up to 50 users), the setup is documented in Cloudflare Access Setup. It takes ~10 min and requires no code changes.

---

Known issue (low-pri, cosmetic)

Symptom: Immediately after the cutover, https://docs.ka-26.com failed on the dev's laptop while http://docs.ka-26.com worked. Mobile (cellular) loaded HTTPS fine.

Cause: Stale OS/browser DNS cache pointing at the old GitHub Pages IPs, which were still presenting the old *.github.io cert. Cloudflare's edge was already serving the correct cert (verified with curl --resolve directly to a Cloudflare IP).

Resolution: Self-healed within minutes once OS/browser caches expired. Confirmed working on mobile immediately, on the dev's laptop within ~15 min.

Hardening (recommended, ~30 sec): Cloudflare dashboard → ka-26.com → SSL/TLS → Edge Certificates → enable Always Use HTTPS + Automatic HTTPS Rewrites. Forces an HTTP→HTTPS 301 at the edge so any stale http://-only cache still ends up on a working secure connection.

---

Cost summary

Service	Cost
Cloudflare DNS (ka-26.com)	$0/mo
Cloudflare Workers Static Assets (docs)	$0/mo (well under free tier limits)
Universal SSL	$0/mo (auto-renewing)
Total	$0/mo

We saved ~$4/user/month vs upgrading GitHub Pro for private-repo Pages support.

---

Disaster recovery

If Cloudflare goes down or we lose access to the account:

1. DNS — change nameservers back to Hostinger (ns1.dns-parking.com / ns2.dns-parking.com) at the registrar level. Re-create the 11 DNS records in Hostinger's panel using the table above. Email and landing page recover within ~30 min.
2. Docs site — rebuild on GitHub Pages: re-enable Pages on sidgk/ka26-docs (must flip to public first), restore .github/workflows/deploy.yml from git history (commit 3afee2f^), add docs CNAME → sidgk.github.io in DNS.
3. Account recovery — Cloudflare account is on siddugkattimani@gmail.com. 2FA recovery codes should be in 1Password (TODO: verify they're stored there).

If we need to move the docs back to GitHub Pages (e.g., to make the source public again):

1. Make sidgk/ka26-docs public again
2. Restore the deploy workflow
3. In Cloudflare, remove the custom domain from the ka26-docs worker
4. Add a CNAME docs → sidgk.github.io in Cloudflare DNS
5. Enable Pages on the repo with custom domain docs.ka-26.com
6. Wait for GitHub to re-issue Let's Encrypt cert (~10 min)

---

Related docs

• Cloudflare Access Setup — optional follow-on to gate docs by email
• Production Monitoring — how Cloudflare-hosted docs appear in our hourly health cron
• Email Infrastructure — how MX continuity was preserved through the migration