Domains

Audience

PLANA staff and integration partners who need to know which hostname maps to which service.

PLANA owns six second-level domains. Each one has a clear role; the distinction matters because TLS certs, security policies, and DNS-level restrictions are applied per domain.

At a glance

| Domain | Role | Notes |
| --- | --- | --- |
| planapulse.ai | Brand, marketing, product | Customer-facing |
| planapulse.app | Tenant Odoo instances | {client}.planapulse.app |
| planapulse.online | Production aliases for tenants | Optional per-tenant alias |
| planapulse.dev | Test and preview environments | Internal + early access |
| planapulse.com | Internal backbone services | Staff-only by convention |
| plana.cloud | ONLY the Hetzner Mailu box | Never touch from the SKS cluster |

plana.solutions (the legal entity domain) is used for staff email and is not routed to the PLANA platform.

planapulse.ai — the brand

| Hostname | Service | Backed by |
| --- | --- | --- |
| planapulse.ai | Marketing site | pulse-website (static, vite-ssg → nginx) |
| my.planapulse.ai | Customer account portal and BOS entry | pulse-account, pulse-account-api, bos-portal |
| admin.planapulse.ai | PLANA staff admin panel | pulse-admin (VPN + MFA required) |
| erp.planapulse.ai | PLANA's own Odoo tenant | The plana tenant in plana-odoo-18 |
| docs.planapulse.com (separate domain) | This documentation site | docs-portal |

my.planapulse.ai is the most complex route — it serves three different backends keyed on path prefix. See Envoy Gateway → platform route example.

planapulse.app — tenant Odoo

The convention for a customer tenant:

| Concept | Pattern | Example |
| --- | --- | --- |
| Hostname | {subdomain}.planapulse.app | acme.planapulse.app |
| DB name on pg01 | same as the hostname | acme.planapulse.app |
| Filestore subdir | same as the DB name | /var/lib/odoo/filestore/acme.planapulse.app |
| K8s namespace | depends on the tenant's odooVersion | plana-odoo-18 for v18 |

The hostname is the DB name. Odoo's dbfilter=^%h$ setting maps the HTTP Host header directly to a database. This is how a single worker-odoo Deployment can serve hundreds of tenants without per-tenant configuration — the routing happens inside Odoo from the host header.

Templates also live in this domain and follow the same convention:

| Template | Hostname / DB name |
| --- | --- |
| Basic v17 | basic-template.planapulse.app |
| Pro v17 | pro-template.planapulse.app |
| Basic v18 | basic-template-18.planapulse.app |
| Pro v18 | pro-template-18.planapulse.app |
| Basic v19 | basic-template-19.planapulse.app |

Templates are real PostgreSQL databases with datistemplate=true. They are not routed by the Envoy Gateway — visitors who try a template hostname get the standard Odoo "Database not found" page, because templates are excluded from Odoo's _db_list() by the datistemplate=true flag.
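
The Host-to-database mapping and the template exclusion described above, as an added example (not PLANA's or Odoo's own code): a simplified Python model of how recent Odoo versions are understood to expand dbfilter. The tenant globex, the database rows and the function names are constructed for illustration.

```python
import re

DBFILTER = r"^%h$"  # the dbfilter value quoted on this page

# Constructed sample rows (datname, datistemplate); "globex" is made up.
PG_DATABASES = [
    ("acme.planapulse.app", False),
    ("globex.planapulse.app", False),
    ("basic-template-18.planapulse.app", True),
]


def visible_dbs(rows):
    """Databases Odoo would list: templates (datistemplate=true) are hidden."""
    return [name for name, is_template in rows if not is_template]


def candidate_dbs(host_header, db_names, dbfilter=DBFILTER):
    """Simplified model (assumption) of dbfilter expansion: drop the port and
    a leading "www.", substitute the regex-escaped host for %h and its first
    label for %d, then match every database name against the pattern."""
    host = host_header.partition(":")[0]
    if host.startswith("www."):
        host = host[4:]
    first_label = host.partition(".")[0]
    pattern = re.compile(
        dbfilter.replace("%h", re.escape(host)).replace("%d", re.escape(first_label))
    )
    return [db for db in db_names if pattern.match(db)]


def resolve(host_header, rows=PG_DATABASES):
    """Return the one database this Host header selects, or None."""
    matches = candidate_dbs(host_header, visible_dbs(rows))
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for host in ("acme.planapulse.app", "acme.planapulse.app:8069",
                 "www.acme.planapulse.app", "basic-template-18.planapulse.app",
                 "unknown.planapulse.app"):
        print(f"{host:36} -> {resolve(host)}")
```

In this model the host is regex-escaped before substitution, so a Host value cannot widen the pattern; any host that does not equal an existing non-template database name resolves to nothing, which corresponds to the "Database not found" case.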

planapulse.online — production aliases

Identical mechanism to planapulse.app, optionally used as a "production" alias for tenants who prefer their stable URL to look different from the default. Same Envoy listener, same wildcard cert. Used sparingly — most tenants stay on the default .app URL.

planapulse.dev — preview and test

Reserved for non-production tenants:

  • e2etest.planapulse.dev — the test tenant used for cross-major upgrade verification
  • Per-developer preview tenants on demand
  • Pre-cutover staging copies of production tenants

The .dev domain has the same security policies as production, but the DNS resolves only inside Bulgarian residential and corporate ranges by default (Cloudflare DNS rule); operators access it through the standard VPN + MFA path.

planapulse.com — internal backbone

Every backbone service has a *.planapulse.com hostname. This is the convention for "infrastructure, not customer-facing":

| Hostname | Service | Audience |
| --- | --- | --- |
| pg01.planapulse.com | PostgreSQL VM (10.10.0.11) | Internal only |
| nfs01.planapulse.com | NFS filestore | Internal only |
| redis.planapulse.com | Redis / Valkey | Internal only |
| auth.planapulse.com | Authentik (staff SSO) | PLANA staff |
| vault.planapulse.com | Vaultwarden | PLANA staff |
| design.planapulse.com | Penpot | PLANA staff |
| matrix.planapulse.com | Matrix Synapse | PLANA staff + customers (their workspace room) |
| chat.planapulse.com | Element Web | PLANA staff |
| grafana.planapulse.com | Grafana | PLANA staff |
| analytics.planapulse.com | Matomo | PLANA staff (admin via Authentik proxy) |
| git.planapulse.com | Forgejo | PLANA staff |
| mail.planapulse.com | Mailu webmail | Staff, see Mailu page |
| webmail.planapulse.com | Mailu alias | Staff |
| smtp.planapulse.com | Mailu SMTP | Service-to-service mail |
| docs.planapulse.com | This site | Public |

A few *.planapulse.com services (Matrix, Docs) are public; the rest are restricted at the gateway level. See Identity and access.

plana.cloud — Mailu only

plana.cloud is not part of the PLANA Pulse Kubernetes platform. It exists only because the Mailu email server runs on a separate Hetzner box at 135.181.21.92. Email delivery has different operational characteristics (reverse DNS, SPF/DKIM/DMARC, IP reputation) and is intentionally segregated.

Do not touch plana.cloud from the SKS cluster or from any GitOps reconcile. The Mailu box is hand-operated; the runbook is on the platform side at Shared infrastructure → Mailu.

TLS

Each second-level domain has one wildcard certificate, issued by cert-manager from Let's Encrypt using a DNS-01 challenge against the Exoscale DNS API. Renewals happen automatically; failures generate Alertmanager pages 24h before expiry.

| Domain | Cert |
| --- | --- |
| *.planapulse.app | wildcard, auto-renewed |
| *.planapulse.online | wildcard, auto-renewed |
| *.planapulse.ai | wildcard, auto-renewed |
| *.planapulse.com | wildcard, auto-renewed |
| *.planapulse.dev | wildcard, auto-renewed |

Cert objects live in the envoy-gateway-system namespace.

DNS

DNS is hosted by Exoscale. The Exoscale DNS API is used by:

  • cert-manager DNS-01 challenges
  • The Crossplane PLANAClient Composition, which emits a CNAME from {subdomain}.planapulse.app to the LB CNAME on tenant provisioning
  • Manual DNS changes via the Exoscale console for new top-level routes

The Exoscale DNS API token is in SOPS under exoscale.dns_api_token.
