From 71f6d374a29a7334b005753a0c495a8c130de992 Mon Sep 17 00:00:00 2001 From: Raghav <1858838+quantumrag@users.noreply.github.com> Date: Mon, 20 Apr 2026 18:56:54 +0530 Subject: [PATCH] Document edge routing updates and align Nextcloud proxy target Co-Authored-By: Oz --- README.md | 12 ++++++++++++ caddy/Caddyfile | 5 +---- docs/cloudflare-networking.md | 12 ++++++++++++ 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index e4446e0..a831e71 100644 --- a/README.md +++ b/README.md @@ -64,6 +64,18 @@ Automated Docker-based setup for a self-hosted Gitea server with PostgreSQL, per - Host HTTP: `3000` -> container `3000` - Host SSH: `2222` -> container `22` - TLS profile ports: `80`, `443` -> Caddy + +## Current edge endpoint map (verified 2026-04-19) +Caddy routes on `443/tcp`: +- `git.bhatfamily.in` -> `gitea:3000` +- `chat.bhatfamily.in` -> `gemma3-chat-ui:8080` +- `openvpn.bhatfamily.in` -> `https://:8445` +- `nxt.bhatfamily.in` -> `https://:8447` +- `vpn.bhatfamily.in` -> `https://:943` + +Public TCP ports observed reachable on the shared WAN edge: +- `80`, `443`, `2222`, `3000`, `8000`, `8082`, `8445`, `8447`, `943` + ## Firewall behavior When UFW is active: - install always adds: diff --git a/caddy/Caddyfile b/caddy/Caddyfile index d699206..4507f1e 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -26,7 +26,6 @@ chat.bhatfamily.in { } } - openvpn.bhatfamily.in { encode zstd gzip reverse_proxy https://172.17.0.1:8445 { @@ -43,10 +42,9 @@ openvpn.bhatfamily.in { } } - nxt.bhatfamily.in { encode zstd gzip - reverse_proxy https://172.17.0.1:8446 { + reverse_proxy https://172.17.0.1:8447 { transport http { tls_insecure_skip_verify } @@ -60,7 +58,6 @@ nxt.bhatfamily.in { } } - vpn.bhatfamily.in { encode zstd gzip reverse_proxy https://172.17.0.1:943 { diff --git a/docs/cloudflare-networking.md b/docs/cloudflare-networking.md index f970a61..b40640e 100644 --- a/docs/cloudflare-networking.md +++ b/docs/cloudflare-networking.md 
@@ -18,6 +18,18 @@ Create forwards to this server's LAN IP: - TCP 80 -> `:80` (ACME challenge + redirect) - TCP 443 -> `:443` (HTTPS via Caddy) - TCP 2222 -> `:2222` (Git SSH) + +## Shared edge ports currently in use (verified 2026-04-19) +On this homelab WAN edge, additional TCP ports are currently reachable for other `*.bhatfamily.in` services: +- `3000` (Gemma Open WebUI direct) +- `8000` (vLLM API direct) +- `8082` (Nextcloud HTTP direct) +- `8445` (OpenVPN-AS admin/direct) +- `8447` (Nextcloud HTTPS direct) +- `943` (OpenVPN-AS client web/direct) + +If you want `git.bhatfamily.in` to be the only internet-exposed service on this host, close the extra forwards/firewall allows above. + ## Firewall alignment If UFW is active, use install flag to open public web ports: - `./scripts/install.sh --with-tls --open-public-web`
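Review bot: In the README.md hunk, the "Public TCP ports observed reachable" list includes `8445`, `8447` and `943`, the same backends the new map shows Caddy fronting on `443/tcp`, so those services are reachable both through the proxy and directly, and the README does not say whether that is intended. Add a pointer to the closing advice in docs/cloudflare-networking.md, or keep the port list only in that file so the two copies cannot drift. The targets `https://:8445`, `https://:8447` and `https://:943` also carry no host as written; name the upstream host the Caddyfile uses or a clearly marked placeholder.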
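Review bot: In the caddy/Caddyfile hunk for `nxt.bhatfamily.in`, the retargeted upstream `https://172.17.0.1:8447` still sits under `tls_insecure_skip_verify`, so Caddy accepts any certificate from whatever answers on that port. Since the line is being touched anyway, have the transport trust the backend's certificate or CA instead of skipping verification, or add a comment stating why the unverified hop is acceptable here. The blank-line removals in the neighbouring hunks would be easier to review as a separate whitespace-only commit.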
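Review bot: In the docs/cloudflare-networking.md hunk, `3000` is labelled "Gemma Open WebUI direct", but the README context in this same patch maps host `3000` to the Gitea container and routes chat to `gemma3-chat-ui:8080`; one of the two labels needs correcting. The section also records `8445` (OpenVPN-AS admin) and `8000` (vLLM API) as internet-reachable and leaves closing them optional. State which exposures are intended, give the specific forward or UFW rule to remove for the rest, and note how the 2026-04-19 verification was performed so it can be repeated.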