
Domain & DNS — apexstem.org

Organization: Apex STEM Education Inc. (proposed)
Primary domain: apexstem.org
Related: Portal & SOP Wiki Plan (Section 6 stack, Phase 0–2 DNS tasks)
Status: Domain on Cloudflare — zone connected (nameservers active)
Last updated: May 2026

Repo hygiene: Do not commit registrar passwords, API tokens, or recovery codes. Store credentials in a board-approved password manager (1Password, Bitwarden org vault, etc.).


1. Registrar (Spaceship)

| Field | Value |
|---|---|
| Registrar | Spaceship (www.spaceship.org redirects to product site) |
| Account username | rexnfx79 |
| Account email | See § Internal — restrict access below |
| Domain(s) | apexstem.org (confirm in Spaceship dashboard; add www only if purchased or included) |

Account recovery checklist

  • [ ] Confirm domain appears under My Domains for account rexnfx79
  • [ ] Verify registrar account email is current and accessible by at least two trusted adults (founder + backup board contact when named)
  • [ ] Enable two-factor authentication (2FA) on Spaceship (authenticator app preferred over SMS)
  • [ ] Save recovery/backup codes in password manager — not in this repo
  • [ ] Document who holds the password manager entry (admin role per portal plan)
  • [ ] When org email exists (admin@apexstem.org or it@apexstem.org), add as secondary contact and plan to migrate primary login to org-owned email

Security

  1. 2FA required on Spaceship and on Cloudflare (once added).
  2. Separate Cloudflare account for Apex (org email as account owner when available); do not reuse personal Cloudflare accounts long-term.
  3. Least privilege: Only admin volunteers get registrar + Cloudflare super-admin; board chair holds break-glass recovery info offline.
  4. Lock domain (registrar lock / transfer lock) after DNS is stable.
  5. WHOIS privacy: Enable if offered; org contact can still be legal entity address when incorporated.

2. Planned DNS targets (portal stack)

Aligns with apexstem_portal_plan.md phased stack.

| Hostname | Purpose | Hosting / auth |
|---|---|---|
| apexstem.org | Public org site (mission, teams, donate, sponsor) | Cloudflare Pages (Astro or MkDocs public section) |
| www.apexstem.org | Optional alias | 301 redirect → https://apexstem.org (recommended) |
| docs.apexstem.org | Internal SOP wiki (MkDocs Material) | Cloudflare Pages + Cloudflare Access (invite-only) |
| ridgeracersnj.com | Team competition site | Existing Netlify deploy (separate; cross-link only) |

DNS record checklist (after Cloudflare zone is active)

Use Proxied (orange cloud) for web records unless a provider requires DNS-only.

| Type | Name | Content / target | Notes |
|---|---|---|---|
| CNAME (or A) | @ | Cloudflare Pages apex target | Pages provides exact hostname per project |
| CNAME | www | apexstem.org or Pages www | Redirect rule preferred over duplicate content |
| CNAME | docs | Cloudflare Pages project for MkDocs | Access policy on this hostname |
| TXT | @ | SPF (if sending mail via provider) | Add when email provider chosen |
| TXT | _dmarc | v=DMARC1; p=none; → tighten later | After SPF/DKIM stable |
| CAA | @ | Optional: restrict CAs to Let's Encrypt / Cloudflare | Hardening |

SSL/TLS: With Cloudflare proxy + Pages, certificates are automatic. Set SSL mode to Full (strict) once origin is configured.


3. Cloudflare setup (recommended DNS host)

Why: Single place for DNS, DDoS protection, Access policies for docs.apexstem.org, and Pages deploys for apex + docs.

Step A — Create Cloudflare zone

  1. Sign up / log in at dash.cloudflare.com with org email when available.
  2. Add site → enter apexstem.org.
  3. Select Free plan (sufficient for MVP).
  4. Cloudflare scans existing records (may be empty).
  5. Copy the two nameservers assigned (e.g. ada.ns.cloudflare.com, bob.ns.cloudflare.com).

Step B — Point registrar to Cloudflare

  1. Log in to Spaceship → Domains → apexstem.org → DNS or Nameservers.
  2. Choose Custom nameservers (not Spaceship default DNS).
  3. Paste Cloudflare’s two nameserver hostnames → save.
  4. Propagation: typically minutes to 48 hours. Cloudflare dashboard shows Active when complete.

Step C — Configure records in Cloudflare

  1. Add Pages projects (apexstem-public, apexstem-docs or similar naming).
  2. Attach custom domains per project (apexstem.org, docs.apexstem.org).
  3. Cloudflare UI will suggest required CNAMEs — add any missing records.
  4. Redirect rule: www.apexstem.org/* → https://apexstem.org/$1 (301).
  5. Enable Always Use HTTPS and Automatic HTTPS Rewrites.

Cloudflare Access for docs {#cloudflare-access}

(Step D in cutover sequence.)

  1. Zero Trust → Access → Applications → add docs.apexstem.org.
  2. Policy: allow emails in groups apex-board, apex-mentors, etc. (see portal plan RBAC).
  3. Test with a non-member email (should deny).

4. Interim option: Spaceship DNS only

Use only for a short bridge before Cloudflare migration.

  1. Keep Spaceship default nameservers.
  2. Add A/CNAME records Spaceship provides for temporary hosting.
  3. You cannot use Cloudflare Access on the same hostname without proxying through Cloudflare — so internal docs still need Cloudflare (or another auth gateway).

Migration tip: When ready, switch nameservers to Cloudflare; remove duplicate records at Spaceship to avoid conflicts.


5. Email forwarding (pre-Google Workspace)

Until Google Workspace or Microsoft 365 for nonprofits is approved:

| Address | Suggested routing | Notes |
|---|---|---|
| hello@apexstem.org | Founder inbox | Public contact on website |
| board@apexstem.org | Google Group (all 3 trustees) | Governance — Option B |
| treasurer@apexstem.org | Treasurer (spouse) inbox | Finance SOPs |
| sponsorships@apexstem.org | Founder inbox | Org sponsors; team may still use ridgeracersnj until site updated |

Providers (low cost): Cloudflare Email Routing (free, if MX pointed to Cloudflare), ImprovMX, Forward Email, or registrar forwarding if Spaceship offers it.

Checklist:

  • [ ] Choose provider; add MX + TXT verification records in Cloudflare DNS
  • [ ] Create hello@ and test send/receive
  • [ ] Publish hello@ on public site; keep personal emails off public pages
  • [ ] Plan migration to admin@apexstem.org on Google Workspace post-incorporation/EIN
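The DNS record checklist in section 2 and the MX/TXT verification step above both leave the same question open: does the zone actually match the checklist once the records are in? The script below is an added example (not part of this runbook and not a Cloudflare tool) that lints a BIND-format zone export, which Cloudflare's DNS page can produce, against those items: a target at the apex, records for www and docs, exactly one SPF record with a ~all/-all terminator, a DMARC record with a valid p= tag and an rua= address, and a CAA record if present. Both zones embedded in it are constructed; the Pages hostnames and the rua mailbox are placeholders, not values from this document.

```python
"""Lint a BIND-format zone export against the record checklist in this runbook (added
example, not the document's or Cloudflare's code; both zones below are constructed)."""
import re
from collections import defaultdict
# Constructed "good" export: hostnames from this document, Pages targets are placeholders.
SAMPLE_ZONE = """\
;; constructed sample, not a real apexstem.org export
apexstem.org.        300 IN CNAME apexstem-public.pages.dev.
www.apexstem.org.    300 IN CNAME apexstem.org.
docs.apexstem.org.   300 IN CNAME apexstem-docs.pages.dev.
apexstem.org.        300 IN TXT   "v=spf1 include:_spf.mx.cloudflare.net ~all"
_dmarc.apexstem.org. 300 IN TXT   "v=DMARC1; p=none; rua=mailto:dmarc@apexstem.org"
apexstem.org.        300 IN CAA   0 issue "letsencrypt.org"
"""
# Constructed export with the mistakes the checklist is meant to catch.
WEAK_ZONE = """\
apexstem.org.        300 IN A     192.0.2.10
apexstem.org.        300 IN TXT   "v=spf1 include:_spf.example.net +all"
apexstem.org.        300 IN TXT   "v=spf1 ip4:192.0.2.0/24 -all"
"""
LINE_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+)$")
CAA_RE = re.compile(r'^\d+\s+(issue|issuewild|iodef)\s+"([^"]*)"$')

def strip_comment(line):
    """Drop a ';' comment, but only outside quotes: DMARC TXT data contains ';'."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line

def parse_zone(text):
    """Return {(name, type): [rdata, ...]}, names lower-cased without the trailing dot."""
    records = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(strip_comment(raw).strip())
        if m:  # blank lines, comments and $ directives are skipped
            name, rtype, data = m.groups()
            records[(name.rstrip(".").lower(), rtype)].append(data.strip())
    return records

def txt_value(rdata):
    """Join the quoted character-strings of a TXT field into one string."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata

def dmarc_tags(txt):
    """Parse 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    tags = {}
    for chunk in txt.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_zone(text, apex="apexstem.org"):
    """Return 'LEVEL: message' findings for the checklist items."""
    rec, findings = parse_zone(text), []
    present = lambda name, *types: any((name, t) in rec for t in types)
    if not present(apex, "A", "AAAA", "CNAME"):
        findings.append("ERROR: no A/AAAA/CNAME at apex; the public site has no target")
    for sub in ("www", "docs"):
        if not present(f"{sub}.{apex}", "A", "AAAA", "CNAME"):
            findings.append(f"WARN: {sub}.{apex} has no record")
    spf = [txt_value(d) for d in rec.get((apex, "TXT"), [])
           if txt_value(d).lower().startswith("v=spf1")]
    for s in spf:  # anything but a soft/hard fail terminator lets forged mail pass SPF
        last = s.split()[-1].lower()
        if last not in ("~all", "-all"):
            findings.append(f"WARN: SPF ends with '{last}'; expected ~all or -all")
    if not spf:
        findings.append("WARN: no SPF record at apex (add when the mail provider is chosen)")
    elif len(spf) > 1:
        findings.append("ERROR: multiple SPF records at apex; RFC 7208 allows exactly one")
    dmarc = [txt_value(d) for d in rec.get((f"_dmarc.{apex}", "TXT"), [])
             if txt_value(d).upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("WARN: no _dmarc TXT record")
    else:
        tags = dmarc_tags(dmarc[0])
        policy = tags.get("p")
        if policy == "none":
            findings.append("INFO: DMARC p=none is monitor-only; tighten to quarantine/reject "
                            "once SPF/DKIM are stable")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"ERROR: DMARC p='{policy}' is not a valid policy")
        if "rua" not in tags:
            findings.append("WARN: DMARC has no rua= address, so aggregate reports go nowhere")
    issuers = [m.group(2) for m in map(CAA_RE.match, rec.get((apex, "CAA"), []))
               if m and m.group(1) != "iodef"]
    if issuers:
        findings.append("INFO: CAA limits issuance to " + ", ".join(sorted(issuers)) +
                        "; confirm every CA that issues this zone's certificates is listed")
    else:
        findings.append("INFO: no CAA record (optional hardening)")
    return findings
```

Run `lint_zone(SAMPLE_ZONE)` after each DNS change and treat any ERROR as a blocker; the INFO on p=none is the reminder the checklist already carries to tighten DMARC later. The comment stripper is quote-aware on purpose: a naive `split(";")` would truncate every DMARC record, since its tags are separated by semicolons.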

6. Operational ownership (RACI)

| Task | Responsible | Accountable |
|---|---|---|
| Registrar account & 2FA | Technical admin volunteer | Board chair |
| Cloudflare zone & Access | Technical admin volunteer | Board chair |
| Public site DNS cutover | Admin + marketing volunteer | Board |
| Email forwarding / Workspace | Secretary + treasurer | Board |

7. Immediate action list (founder)

  • [x] Cloudflare: Zone for apexstem.org — connected
  • [x] Spaceship: Nameservers pointed to Cloudflare
  • [ ] Spaceship: 2FA, auto-renew, registrar lock (recommended now)
  • [ ] Cloudflare: 2FA + second super-admin account
  • [x] Email Routing: hello@, board@ (→ Google Group), treasurer@, sponsorships@ (Option B)
  • [x] Send mail as: board@ via Gmail (working)
  • [ ] Pages: Deploy wiki → docs.apexstem.org (see deploy_docs_cloudflare_pages.md)
  • [ ] Pages (optional): Placeholder on apexstem.org
  • [ ] Access: Policies on docs.apexstem.org (rbac-groups.md)
  • [ ] SSL: Full (strict) once Pages attached

8. Next steps — zone is Active

Do these in order in the Cloudflare dashboard.

A. Email Routing (15 min)

  1. Email → Email Routing → enable for apexstem.org.
  2. Add destinations (your Gmail or workspace inboxes).
  3. Create routes:

     | Address | Forward to |
     |---|---|
     | hello@apexstem.org | Shared inbox you monitor |
     | board@apexstem.org | You + board distribution |
     | treasurer@apexstem.org | Treasurer |
     | sponsorships@apexstem.org | Sponsorship lead |

  4. Send test mail to hello@apexstem.org.

B. Internal wiki — docs.apexstem.org (30–60 min) {#deploy-docs}

Full runbook: deploy_docs_cloudflare_pages.md

  1. Workers & Pages → Create → Pages → Connect to Git → rexnfx79/STEMRacing.
  2. Build command: pip install -r docs-requirements.txt && mkdocs build -f apexstem/mkdocs.yml
  3. Output directory: site/apexstem-docs
  4. Custom domain: docs.apexstem.org

C. Cloudflare Access (20 min) {#cloudflare-access}

  1. Zero Trust → Access → Applications → add Self-hosted app.
  2. Domain: docs.apexstem.org; session duration per policy.
  3. Create policies + groups per rbac-groups.md.
  4. Test: invite your email; confirm a random Gmail is blocked.
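The policy and test steps here (and in the cutover-sequence version of this section) are easier to reason about when the group rules can be exercised offline before anyone is invited. The script below is an added example, not Cloudflare's code, that models an Access policy with the same Include / Exclude / Require selector groups a Cloudflare Access policy uses: Include means at least one selector must match, Exclude carves identities out, Require must hold for every match. The group names apex-board and apex-mentors come from this document; the member addresses are constructed stand-ins for rbac-groups.md, and "first matching policy wins, otherwise deny" is an assumption of this model, not a statement about Cloudflare's evaluation order.

```python
"""Offline model of the Access policy for docs.apexstem.org (added example, not
Cloudflare's code). Mirrors the Include / Exclude / Require selectors of an Access
policy; group names are from this document, member addresses are constructed, and
'first matching policy wins, otherwise block' is this model's assumption."""
from dataclasses import dataclass, field

# Constructed membership standing in for rbac-groups.md (coach@gmail.com is a
# mentor listed with a personal address, to show what Require does with it).
GROUPS = {
    "apex-board": {"chair@example.org", "treasurer@example.org"},
    "apex-mentors": {"mentor@example.org", "alumni@example.org", "coach@gmail.com"},
}

@dataclass
class Policy:
    name: str
    action: str                                   # "allow" or "block"
    include: list = field(default_factory=list)   # at least one selector must match
    exclude: list = field(default_factory=list)   # no selector may match
    require: list = field(default_factory=list)   # every selector must match

def selector_matches(selector, email):
    """Evaluate one (kind, value) selector against an identity's email."""
    kind, value = selector
    if kind == "group":
        return email in GROUPS.get(value, set())
    if kind == "email":
        return email.lower() == value.lower()
    if kind == "email_domain":
        return email.lower().endswith("@" + value.lower())
    if kind == "everyone":
        return True
    raise ValueError(f"unknown selector kind {kind!r}")

def policy_matches(policy, email):
    included = any(selector_matches(s, email) for s in policy.include)
    excluded = any(selector_matches(s, email) for s in policy.exclude)
    required = all(selector_matches(s, email) for s in policy.require)  # True if empty
    return included and not excluded and required

def evaluate(policies, email):
    """Action of the first matching policy; no match means 'block' (default deny)."""
    for policy in policies:
        if policy_matches(policy, email):
            return policy.action
    return "block"

# The docs application: board and mentors get in, a departed mentor is carved out,
# and every identity must come from the org-owned domain even if it is in a group.
DOCS_POLICIES = [
    Policy("board-and-mentors", "allow",
           include=[("group", "apex-board"), ("group", "apex-mentors")],
           exclude=[("email", "alumni@example.org")],
           require=[("email_domain", "example.org")]),
]

def check_docs(email):
    """Step 4 of the runbook as a repeatable check: members allowed, everyone else blocked."""
    return evaluate(DOCS_POLICIES, email)
```

The two interesting cases are the ones a manual "invite my email, try a random Gmail" test tends to miss: an address that is still in a group but has been excluded, and a group member whose personal address fails the Require rule. Both come back as "block" here, which is the behaviour to confirm in the real application before the wiki goes live.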

D. Public root (optional)

  • Second Pages project or redirect apexstem.org → “Coming soon” or link to Ridge Racers + mission one-pager.
  • Redirect rule: www.apexstem.org → https://apexstem.org (301).

E. GitHub Actions deploy (optional alternative to Git-connected Pages)

If you prefer CI deploy: add Cloudflare API token to GitHub secrets and use cloudflare/pages-action — only if Git-connected build is insufficient.


Internal — restrict access {#internal-restrict-access}

For board/admin only. Store registrar login email, username (rexnfx79), and recovery codes in the board password manager only — not in git.

When Apex has org email and a second admin, update Spaceship and Cloudflare contacts to org-owned addresses.


Document control

| Field | Value |
|---|---|
| Author | Operations draft (STEMRacing repo) |
| Next review | After Cloudflare zone Active + first Pages deploy |