# ☁️ Cloudflare & Tunnel Configuration - Home Lab

This document outlines the Cloudflare account, tunnel configurations, connector deployments, certificate handling, and service exposure details for secure external access to homelab services.

---

## 🌐 Cloudflare Account

| Field | Value |
|---------------------|---------------------------|
| **Email** | chris.darrigo@gmail.com |
| **Domains Managed** | `wtfsolutions.cc`, `whatsolutions.us` |
| **DNS Provider** | Cloudflare (nameservers: `aspen.ns.cloudflare.com`, `jeremy.ns.cloudflare.com`) |
| **Cloudflare Access** | Not in use currently |

---

## 🔒 TLS & Certificate Management

| Field | Value |
|----------------------------|--------------------------------------------|
| **TLS Termination** | Cloudflare Proxy (edge termination) |
| **TLS Mode (`wtfsolutions.cc`)** | Full or Full (Strict) (recommended) |
| **TLS Mode (`whatsolutions.us`)** | Flexible or Full |
| **Home Assistant Cert** | Issued by Google Trust Services (CN=WE1) |
| **Nextcloud Cert** | Issued by Cloudflare Origin CA |
| **Cert Expiry (HA)** | Sep 20, 2025 |
| **Cert Expiry (Nextcloud)** | Sep 19, 2025 |
| **Renewal** | Automatic (Cloudflare-managed) |

---

## 🔁 Tunnels & Service Routing

### Tunnel 1: `nextcloud-tunnel`

| Field | Value |
|---------------------|------------------------------------------------------|
| **Tunnel ID** | `18240cbb-71f2-4767-89e7-f6f18186da3b` |
| **Connector Location** | LXC 111 (Nextcloud container) |
| **Version** | cloudflared 2025.7.0 |
| **Binary Path** | `/usr/bin/cloudflared` |
| **Config File** | `/root/.cloudflared/config.yml` |
| **Tunnel Command** | `cloudflared tunnel --config /root/.cloudflared/config.yml run` |
| **Credentials File** | `/root/.cloudflared/18240cbb-71f2-4767-89e7-f6f18186da3b.json` |

**Ingress Rules**:

```yaml
ingress:
  - hostname: drive.whatsolutions.us
    service: http://localhost:11000
    originRequest:
      originServerName: drive.whatsolutions.us
      noTLSVerify: true
      http2Origin: true
      disableChunkedEncoding: true
  - service: http_status:404
```

---

### Tunnel 2: `homeassistant`

| Field | Value |
|---------------------|----------------------------------------------------|
| **Tunnel ID** | `8a3cb4ad-4538-4709-bf3c-aa52db05bfc4` |
| **Status** | Created, not actively running |
| **Expected Hostname** | `wtfsolutions.cc` |
| **Connector Location** | LXC 111 (same as Nextcloud + cloudflared) |
| **Config** | Not registered in `config.yml` |
| **Expected Routing** | Home Assistant (`192.168.1.36:8123`) via tunnel |

---

## 🔐 Notes

- `cloudflared` is installed and managed in LXC 111
- The config file `/root/.cloudflared/config.yml` currently runs `nextcloud-tunnel` only
- `homeassistant` tunnel credentials exist but the tunnel is not active (yet)
- No Cloudflare Access (SSO or 2FA policies) is enforced for either subdomain
- All service credentials stored in Bitwarden → folder `homelab`
- Tunnel routing is HTTP-only behind Cloudflare (TLS at edge)
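
An added example, not part of the original configuration: a small Python audit of ingress rules like the ones documented above, flagging TLS-related `originRequest` options set on a plaintext origin, plaintext hops that leave the connector host, and a missing catch-all rule. The `INGRESS` data is transcribed from this page, except the `wtfsolutions.cc` rule, which is a constructed entry for the planned Home Assistant route and assumes a plain `http://` origin; `audit` and `is_loopback` are hypothetical helper names.

```python
import ipaddress
from urllib.parse import urlparse

# Rules transcribed from this page. The wtfsolutions.cc entry is constructed:
# it models the planned Home Assistant route and assumes an http:// origin.
INGRESS = [
    {"hostname": "drive.whatsolutions.us", "service": "http://localhost:11000",
     "originRequest": {"originServerName": "drive.whatsolutions.us",
                       "noTLSVerify": True, "http2Origin": True,
                       "disableChunkedEncoding": True}},
    {"hostname": "wtfsolutions.cc", "service": "http://192.168.1.36:8123"},
    {"service": "http_status:404"},
]

# originRequest options that concern the TLS connection to an https:// origin.
TLS_ONLY = {"originServerName", "noTLSVerify", "http2Origin"}

def is_loopback(host):
    """True when the origin is on the same host as the connector."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other DNS name: treat as off-host

def audit(rules):
    """Return (hostname, finding) tuples for a list of ingress rules."""
    findings = []
    # The last rule must match everything, so it cannot carry a hostname.
    if not rules or "hostname" in rules[-1]:
        findings.append(("*", "no catch-all rule at end of ingress list"))
    for rule in rules:
        name = rule.get("hostname", "*")
        url = urlparse(rule["service"])
        opts = rule.get("originRequest", {})
        if url.scheme == "http":
            tls_opts = sorted(TLS_ONLY & set(opts))
            if tls_opts:
                findings.append((name, "TLS options set on plaintext origin: "
                                 + ", ".join(tls_opts)))
            if not is_loopback(url.hostname):
                findings.append((name, "plaintext hop leaves the host: "
                                 + rule["service"]))
        elif url.scheme == "https" and opts.get("noTLSVerify"):
            findings.append((name, "origin certificate is not verified"))
    return findings
```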