feat: Cloudflare DNS management with automatic record sync

Add flexible DNS management to Docker Watcher. By default, wildcard DNS
is assumed (current behavior). When disabled, users can configure a
Cloudflare DNS provider with API token and zone selection. DNS A records
are automatically created/updated/deleted in sync with proxy consumers
(deployed instances and standalone proxies).

- Settings: wildcard_dns toggle, dns_provider, cloudflare credentials
- Cloudflare client: Provider interface with EnsureRecord/DeleteRecord/ListRecords
- DNS lifecycle hooks in deployer and proxy manager (best-effort)
- Settings UI: DNS config section with provider picker, zone selector, test button
- DNS Records page at /dns with filtering, sync status, reconciliation
- Records visible in both wildcard and managed modes
- Cleanup on provider change: removes old records when switching modes

internal/store/dns_records.go

@@ -0,0 +1,123 @@
+package store
+
+import (
+	"database/sql"
+	"errors"
+	"fmt"
+
+	"github.com/google/uuid"
+)
+
+// CreateDNSRecord inserts a new DNS record tracking entry.
+func (s *Store) CreateDNSRecord(rec DNSRecord) (DNSRecord, error) {
+	if rec.ID == "" {
+		rec.ID = uuid.New().String()
+	}
+	now := Now()
+	rec.CreatedAt = now
+	rec.UpdatedAt = now
+
+	_, err := s.db.Exec(
+		`INSERT INTO dns_records (id, fqdn, provider_record_id, consumer_type, consumer_id, created_at, updated_at)
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
+		rec.ID, rec.FQDN, rec.ProviderRecordID, rec.ConsumerType, rec.ConsumerID, rec.CreatedAt, rec.UpdatedAt,
+	)
+	if err != nil {
+		return DNSRecord{}, fmt.Errorf("insert dns_record: %w", err)
+	}
+	return rec, nil
+}
+
+// GetDNSRecordByFQDN returns a DNS record by its FQDN.
+func (s *Store) GetDNSRecordByFQDN(fqdn string) (DNSRecord, error) {
+	var rec DNSRecord
+	err := s.db.QueryRow(
+		`SELECT id, fqdn, provider_record_id, consumer_type, consumer_id, created_at, updated_at
+		 FROM dns_records WHERE fqdn = ?`, fqdn,
+	).Scan(&rec.ID, &rec.FQDN, &rec.ProviderRecordID, &rec.ConsumerType, &rec.ConsumerID, &rec.CreatedAt, &rec.UpdatedAt)
+	if errors.Is(err, sql.ErrNoRows) {
+		return DNSRecord{}, fmt.Errorf("dns record %s: %w", fqdn, ErrNotFound)
+	}
+	if err != nil {
+		return DNSRecord{}, fmt.Errorf("query dns_record: %w", err)
+	}
+	return rec, nil
+}
+
+// ListDNSRecords returns all tracked DNS records.
+func (s *Store) ListDNSRecords() ([]DNSRecord, error) {
+	rows, err := s.db.Query(
+		`SELECT id, fqdn, provider_record_id, consumer_type, consumer_id, created_at, updated_at
+		 FROM dns_records ORDER BY fqdn`,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("query dns_records: %w", err)
+	}
+	defer rows.Close()
+
+	var records []DNSRecord
+	for rows.Next() {
+		var rec DNSRecord
+		if err := rows.Scan(&rec.ID, &rec.FQDN, &rec.ProviderRecordID, &rec.ConsumerType, &rec.ConsumerID, &rec.CreatedAt, &rec.UpdatedAt); err != nil {
+			return nil, fmt.Errorf("scan dns_record: %w", err)
+		}
+		records = append(records, rec)
+	}
+	return records, rows.Err()
+}
+
+// GetDNSRecordsByConsumer returns all DNS records for a specific consumer.
+func (s *Store) GetDNSRecordsByConsumer(consumerType, consumerID string) ([]DNSRecord, error) {
+	rows, err := s.db.Query(
+		`SELECT id, fqdn, provider_record_id, consumer_type, consumer_id, created_at, updated_at
+		 FROM dns_records WHERE consumer_type = ? AND consumer_id = ? ORDER BY fqdn`,
+		consumerType, consumerID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("query dns_records by consumer: %w", err)
+	}
+	defer rows.Close()
+
+	var records []DNSRecord
+	for rows.Next() {
+		var rec DNSRecord
+		if err := rows.Scan(&rec.ID, &rec.FQDN, &rec.ProviderRecordID, &rec.ConsumerType, &rec.ConsumerID, &rec.CreatedAt, &rec.UpdatedAt); err != nil {
+			return nil, fmt.Errorf("scan dns_record: %w", err)
+		}
+		records = append(records, rec)
+	}
+	return records, rows.Err()
+}
+
+// UpdateDNSRecordProviderID updates the provider record ID for an existing DNS record.
+func (s *Store) UpdateDNSRecordProviderID(fqdn, providerRecordID string) error {
+	_, err := s.db.Exec(
+		`UPDATE dns_records SET provider_record_id = ?, updated_at = ? WHERE fqdn = ?`,
+		providerRecordID, Now(), fqdn,
+	)
+	if err != nil {
+		return fmt.Errorf("update dns_record provider_id: %w", err)
+	}
+	return nil
+}
+
+// DeleteDNSRecord removes a DNS record by FQDN.
+func (s *Store) DeleteDNSRecord(fqdn string) error {
+	_, err := s.db.Exec(`DELETE FROM dns_records WHERE fqdn = ?`, fqdn)
+	if err != nil {
+		return fmt.Errorf("delete dns_record: %w", err)
+	}
+	return nil
+}
+
+// DeleteDNSRecordsByConsumer removes all DNS records for a specific consumer.
+func (s *Store) DeleteDNSRecordsByConsumer(consumerType, consumerID string) error {
+	_, err := s.db.Exec(
+		`DELETE FROM dns_records WHERE consumer_type = ? AND consumer_id = ?`,
+		consumerType, consumerID,
+	)
+	if err != nil {
+		return fmt.Errorf("delete dns_records by consumer: %w", err)
+	}
+	return nil
+}

internal/store/models.go

@@ -58,9 +58,24 @@ type Settings struct {
 	SSLCertificateID   int    `json:"ssl_certificate_id"`
 	StaleThresholdDays int    `json:"stale_threshold_days"`
 	AllowedVolumePaths string `json:"allowed_volume_paths"` // JSON array of allowed absolute paths
+	WildcardDNS        bool   `json:"wildcard_dns"`
+	DNSProvider        string `json:"dns_provider"`
+	CloudflareAPIToken string `json:"cloudflare_api_token"`
+	CloudflareZoneID   string `json:"cloudflare_zone_id"`
 	UpdatedAt          string `json:"updated_at"`
 }
 
+// DNSRecord tracks a DNS record managed by the application.
+type DNSRecord struct {
+	ID               string `json:"id"`
+	FQDN             string `json:"fqdn"`
+	ProviderRecordID string `json:"provider_record_id"`
+	ConsumerType     string `json:"consumer_type"` // "instance" or "standalone"
+	ConsumerID       string `json:"consumer_id"`
+	CreatedAt        string `json:"created_at"`
+	UpdatedAt        string `json:"updated_at"`
+}
+
 // Instance represents a running (or stopped) container for a project stage.
 type Instance struct {
 	ID          string `json:"id"`

internal/store/settings.go

@@ -7,36 +7,46 @@ import (
 // GetSettings returns the global settings (single-row pattern, always row id=1).
 func (s *Store) GetSettings() (Settings, error) {
 	var st Settings
+	var wildcardDNS int
 	err := s.db.QueryRow(
 		`SELECT domain, server_ip, network, subdomain_pattern, notification_url,
 		        npm_url, npm_email, npm_password, webhook_secret, polling_interval,
 		        base_volume_path, ssl_certificate_id, stale_threshold_days,
-		        allowed_volume_paths, updated_at
+		        allowed_volume_paths, wildcard_dns, dns_provider,
+		        cloudflare_api_token, cloudflare_zone_id, updated_at
 		 FROM settings WHERE id = 1`,
 	).Scan(&st.Domain, &st.ServerIP, &st.Network, &st.SubdomainPattern, &st.NotificationURL,
 		&st.NpmURL, &st.NpmEmail, &st.NpmPassword, &st.WebhookSecret, &st.PollingInterval,
 		&st.BaseVolumePath, &st.SSLCertificateID, &st.StaleThresholdDays,
-		&st.AllowedVolumePaths, &st.UpdatedAt)
+		&st.AllowedVolumePaths, &wildcardDNS, &st.DNSProvider,
+		&st.CloudflareAPIToken, &st.CloudflareZoneID, &st.UpdatedAt)
 	if err != nil {
 		return Settings{}, fmt.Errorf("query settings: %w", err)
 	}
+	st.WildcardDNS = wildcardDNS != 0
 	return st, nil
 }
 
 // UpdateSettings upserts the global settings row.
 func (s *Store) UpdateSettings(st Settings) error {
 	st.UpdatedAt = Now()
+	wildcardDNS := 0
+	if st.WildcardDNS {
+		wildcardDNS = 1
+	}
 	_, err := s.db.Exec(
 		`UPDATE settings SET
 			domain=?, server_ip=?, network=?, subdomain_pattern=?, notification_url=?,
 			npm_url=?, npm_email=?, npm_password=?, webhook_secret=?, polling_interval=?,
 			base_volume_path=?, ssl_certificate_id=?, stale_threshold_days=?,
-			allowed_volume_paths=?, updated_at=?
+			allowed_volume_paths=?, wildcard_dns=?, dns_provider=?,
+			cloudflare_api_token=?, cloudflare_zone_id=?, updated_at=?
 		 WHERE id = 1`,
 		st.Domain, st.ServerIP, st.Network, st.SubdomainPattern, st.NotificationURL,
 		st.NpmURL, st.NpmEmail, st.NpmPassword, st.WebhookSecret, st.PollingInterval,
 		st.BaseVolumePath, st.SSLCertificateID, st.StaleThresholdDays,
-		st.AllowedVolumePaths, st.UpdatedAt,
+		st.AllowedVolumePaths, wildcardDNS, st.DNSProvider,
+		st.CloudflareAPIToken, st.CloudflareZoneID, st.UpdatedAt,
 	)
 	if err != nil {
 		return fmt.Errorf("update settings: %w", err)

internal/store/store.go

@@ -90,6 +90,11 @@ func (s *Store) runMigrations() error {
 		`ALTER TABLE volumes ADD COLUMN scope TEXT NOT NULL DEFAULT ''`,
 		// Add allowed_volume_paths to settings for absolute volume scope allowlist (2026-04-01).
 		`ALTER TABLE settings ADD COLUMN allowed_volume_paths TEXT NOT NULL DEFAULT '[]'`,
+		// Add DNS management fields to settings (2026-04-02).
+		`ALTER TABLE settings ADD COLUMN wildcard_dns INTEGER NOT NULL DEFAULT 1`,
+		`ALTER TABLE settings ADD COLUMN dns_provider TEXT NOT NULL DEFAULT ''`,
+		`ALTER TABLE settings ADD COLUMN cloudflare_api_token TEXT NOT NULL DEFAULT ''`,
+		`ALTER TABLE settings ADD COLUMN cloudflare_zone_id TEXT NOT NULL DEFAULT ''`,
 	}
 
 	for _, m := range migrations {
@@ -110,6 +115,7 @@ func (s *Store) runMigrations() error {
 		`CREATE INDEX IF NOT EXISTS idx_event_log_severity ON event_log(severity)`,
 		`CREATE INDEX IF NOT EXISTS idx_event_log_source ON event_log(source)`,
 		`CREATE INDEX IF NOT EXISTS idx_event_log_created_at ON event_log(created_at)`,
+		`CREATE INDEX IF NOT EXISTS idx_dns_records_consumer ON dns_records(consumer_type, consumer_id)`,
 	}
 	for _, idx := range indexes {
 		if _, err := s.db.Exec(idx); err != nil {
@@ -297,6 +303,16 @@ CREATE TABLE IF NOT EXISTS standalone_proxies (
 	created_at        TEXT NOT NULL DEFAULT (datetime('now')),
 	updated_at        TEXT NOT NULL DEFAULT (datetime('now'))
 );
+
+CREATE TABLE IF NOT EXISTS dns_records (
+	id                 TEXT PRIMARY KEY,
+	fqdn               TEXT NOT NULL UNIQUE,
+	provider_record_id TEXT NOT NULL DEFAULT '',
+	consumer_type      TEXT NOT NULL DEFAULT '',
+	consumer_id        TEXT NOT NULL DEFAULT '',
+	created_at         TEXT NOT NULL DEFAULT (datetime('now')),
+	updated_at         TEXT NOT NULL DEFAULT (datetime('now'))
+);
 `
 
 // Now returns the current time formatted for SQLite storage.