Workshop Prerequisites & Domain Setup Guide
Updated 2026-05-05. The in-class path is shared parent zone with ACM: each student gets a slot under
eplabs.cloudand a scoped CF API token from their assignment card. The instructor manages all DNS records on the parent zone; you do not need a Cloudflare account for class. This guide is the take-home BYO-domain track — how to graduate from the shared slot to your own zone after the workshop.
Two paths
| In-class (default) | Take-home (this guide) | |
|---|---|---|
| Domain | <slot>.eplabs.cloud (assigned) | a domain you own |
| Cost | $0 during class | $10–15/year |
| Setup time | 0 (instructor pre-provisions) | 30–60 min on your bench |
wrangler auth | API token on your card | OAuth or your own token |
| Lifetime | revoked after the cohort window | yours forever |
If you only need the in-class flow, your assignment card has
everything; see also handouts/workshop_onboarding_guide.md.
BYO-domain setup
Pick a registrar and a name, add the zone to your own free Cloudflare account, point your registrar’s nameservers at CF, then re-deploy your Worker against the new zone. ~30 minutes total.
1. Register a domain
Any registrar works; integration is easiest if you also use Cloudflare for DNS afterwards.
| Registrar | Notes |
|---|---|
| Cloudflare Registrar | best integration; at-cost pricing; one-step zone hand-off |
| Namecheap, Porkbun | competitive pricing; fine for non-CF zones |
| Google Domains / Squarespace | acceptable; UI changed since the GD acquisition |
Typical pricing: .dev $12–15/yr, .com $10–12/yr, .cloud $8–20/yr.
Avoid trademarked names, hard-to-spell names, and long names with mixed digits and hyphens (you will type it a lot).
2. Add the domain to Cloudflare (free plan)
# Cloudflare dashboard → Add a Site → enter your domain
# → Free plan → CF scans existing DNS → continue.
# CF returns two assigned nameservers (e.g. xxx.ns.cloudflare.com).
# Update the NS records at your registrar to those two values.
# Activation usually completes in 5–60 minutes.
Verify activation:
dig NS yourdomain.com
# Expected: two *.ns.cloudflare.com hostnames
3. Create the same DNS records the workshop’s slot has
Substitute yourdomain.com for <slot>.eplabs.cloud everywhere in
the labs.
| Type | Name | Content | Proxy |
|---|---|---|---|
| A | @ (apex) | 192.0.2.1 | Proxied (orange) |
| A | * (wildcard) | 192.0.2.1 | Proxied (orange) |
| A | test | 1.2.3.4 | DNS only (gray) |
Lab 04 validate.sh checks these three.
4. Re-deploy the Worker against your zone
cd labs/lab07-first-worker/worker
sed -i "s/YOUR_DOMAIN/yourdomain.com/g; s/YOUR_PARENT_ZONE/yourdomain.com/g" wrangler.toml
npx wrangler deploy
For the take-home variant YOUR_DOMAIN and YOUR_PARENT_ZONE are
the same value (your own zone). The in-class form has them differ
(slot vs. parent zone).
5. Re-issue secrets that were tied to the in-class slot
- GitHub fine-grained PAT (Lab 11)
- GitHub webhook secret (Lab 11)
- CF Access service token (Lab 08, only if you wired CF Access in)
- Tailscale auth keys (Lab 05; new keys for new tag scope)
Account checklist
You need three accounts for the take-home version:
- Cloudflare (free) —
cloudflare.com/sign-up. Enable 2FA. - Tailscale (free) —
tailscale.com/start. Enable MagicDNS in the admin console. - GitHub (free) — for Workers source control + the Lab 11 ChatOps webhook target.
Plus: a registrar account for the domain itself (or Cloudflare Registrar to keep it under one roof).
Verification
export DOMAIN=yourdomain.com
bash labs/lab04-domain-verification/validate.sh
If Lab 04 hard-passes, your zone is ready for the rest of the labs.
SSL provisioning for new proxied subdomains can take 5–30 minutes;
validate.sh soft-passes that window with a [WARN].
If you hit a failure: the in-class path uses Advanced Certificate
Manager (paid) on eplabs.cloud for nested-subdomain SSL. On your
own free zone, free Universal SSL covers the apex and one wildcard
level — that is enough for everything labs 04–14 actually need.
The ACM dependency is specific to the shared-zone setup.
Help
- DNS propagation:
dig NS yourdomain.com @1.1.1.1from a non-cached resolver. - Cloudflare zone won’t activate: registrar nameserver update may not have saved; re-enter and wait 30 min.
- Worker deploy fails on routes: the route’s
zone_namemust be your apex zone; not a subdomain.
For workshop-specific questions: ask during the cohort or email
workshop@eplabs.cloud.