Vish/homelab-optimized

Fork 0

Files

Gitea Mirror Bot 6f8fd5e7f5

Documentation / Deploy to GitHub Pages (push) Has been cancelled

Details

Documentation / Build Docusaurus (push) Has been cancelled

Details

Sanitized mirror from private repository - 2026-04-05 05:27:58 UTC

2026-04-05 05:27:58 +00:00

3.5 KiB

Raw Blame History

Cloudflare DNS Configuration

DNS management for vish.gg and thevish.io domains.

Overview

All public-facing services use Cloudflare for:

DNS management
DDoS protection (orange cloud proxy)
SSL/TLS termination
Caching

DNS Records - vish.gg

🟠 Proxied (Orange Cloud) - Protected

These domains route through Cloudflare's network, hiding your real IP:

Domain	Service	Host
`vish.gg`	Main website	Atlantis
`www.vish.gg`	Main website	Atlantis
`sso.vish.gg`	Authentik SSO	Calypso
`gf.vish.gg`	Grafana	homelab-vm
`git.vish.gg`	Gitea	Calypso
`pw.vish.gg`	Vaultwarden	Atlantis
`ntfy.vish.gg`	Ntfy notifications	homelab-vm
`cal.vish.gg`	Calendar	Atlantis
`mastodon.vish.gg`	Mastodon	Atlantis
`vp.vish.gg`	Piped (YouTube)	Concord NUC
`mx.vish.gg`	Mail proxy	Atlantis

⚪ DNS Only (Grey Cloud) - Direct Connection

These domains expose your real IP (use only when necessary):

Domain	Reason for DNS-only
`*.vish.gg`	Wildcard fallback
`api.vish.gg`	API endpoints (Concord NUC)
`api.vp.vish.gg`	Piped API
`spotify.vish.gg`	Spotify API
`client.spotify.vish.gg`	Spotify client
`in.vish.gg`	Invidious

DDNS Updaters

Dynamic DNS is managed by favonia/cloudflare-ddns containers:

Atlantis NAS

Stack: dynamicdnsupdater.yaml
Proxied: Most vish.gg and thevish.io domains
Updates when Atlantis's public IP changes

Calypso NAS

Stack: dynamic_dns.yaml
Proxied: sso.vish.gg, git.vish.gg, gf.vish.gg
Updates when Calypso's public IP changes

Concord NUC

Stack: dyndns_updater.yaml
DNS Only: API endpoints (require direct connection)

Cloudflare API

API token for DDNS: REDACTED_CLOUDFLARE_TOKEN

Query DNS Records

curl -s "https://api.cloudflare.com/client/v4/zones/4dbd15d096d71101b7c0c6362b307a66/dns_records" \
  -H "Authorization: Bearer $TOKEN" | jq '.result[] | {name, proxied}'

Enable/Disable Proxy

# Get record ID
RECORD_ID=$(curl -s "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records?name=example.vish.gg" \
  -H "Authorization: Bearer $TOKEN" | jq -r '.result[0].id')

# Enable proxy (orange cloud)
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records/$RECORD_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"proxied":true}'

SSL/TLS Configuration

Mode: Full (Strict)
Origin Certificate: Cloudflare-issued for *.vish.gg
Certificate ID: lONWNn (Synology reverse proxy)

Adding New Subdomains

Create DNS record via Cloudflare dashboard or API
Set proxy status: Orange cloud for public services
Update DDNS config on appropriate host
Configure reverse proxy on Synology
Test connectivity and SSL

IP Addresses

IP	Location	Services
`YOUR_WAN_IP`	Home (Atlantis/Calypso)	Most services
`YOUR_WAN_IP`	Concord NUC	API endpoints
`YOUR_WAN_IP`	VPS	nx, obs, pp, wb

Troubleshooting

DNS not resolving

Check Cloudflare dashboard for propagation
Verify DDNS container is running
Check API token permissions

SSL errors

Ensure Cloudflare SSL mode is "Full (Strict)"
Verify origin certificate is valid
Check reverse proxy SSL settings

Proxy issues

Some services (SSH, non-HTTP) can't use orange cloud
APIs may need direct connection for webhooks

3.5 KiB Raw Blame History