# Cloudflare DNS + Home Network Setup for `git.bhatfamily.in`

## Goal

Expose the local Gitea instance securely from the home network while preserving Git-over-SSH support.

## Recommended Cloudflare DNS records

Create DNS records in Cloudflare for the zone `bhatfamily.in`:

1. `A` record
   - Name: `git`
   - Content: your home public IPv4
   - Proxy status: **DNS only** (gray cloud)
2. Optional `AAAA` record
   - Name: `git`
   - Content: your home public IPv6
   - Proxy status: **DNS only**

## Why DNS-only is recommended

This setup uses direct inbound routing for both HTTPS and the custom SSH port (`2222` by default). DNS-only avoids the Cloudflare proxy's protocol limitations around direct SSH forwarding: the proxied (orange cloud) mode only carries HTTP/HTTPS on Cloudflare's supported ports, so a raw TCP SSH listener on `2222` would not be reachable through it.

## Router/NAT rules

Create port forwards to this server's LAN IP:

- TCP 80 -> `:80` (ACME challenge + HTTP-to-HTTPS redirect)
- TCP 443 -> `:443` (HTTPS via Caddy)
- TCP 2222 -> `:2222` (Git SSH)

## Firewall alignment

If UFW is active, use the install flag to open the public web ports:

- `./scripts/install.sh --with-tls --open-public-web`

To close them later:

- `./scripts/uninstall.sh --with-tls --close-public-web`

## ISP constraints check

Some ISPs block inbound ports. Validate from outside your network:

- `curl -I https://git.bhatfamily.in`
- `nc -vz git.bhatfamily.in 2222`

If blocked, use alternate routing (VPN/tunnel) or ISP-compatible ports.

## Recommended hardening

- Keep strong secrets in `.env`
- Restrict SSH source ranges if practical
- Keep containers patched (`docker compose pull` and recreate)
- Add off-host backups for the gitea/postgres/caddy data directories

## Post-cutover verification checklist

Run these after the DNS/NAT/firewall updates to confirm end-to-end readiness:

1. DNS resolution
   - `dig +short git.bhatfamily.in A`
2. HTTPS response and redirect chain
   - `curl -I https://git.bhatfamily.in`
   - `curl -I http://git.bhatfamily.in`
3. Certificate validity/issuer
   - `openssl s_client -connect git.bhatfamily.in:443 -servername git.bhatfamily.in </dev/null | openssl x509 -noout -subject -issuer -dates`
4. Git SSH port reachability
   - `nc -vz git.bhatfamily.in 2222`
5. Stack self-check
   - `./scripts/test.sh --with-tls`

If any check fails during first-time propagation, run:

- `./scripts/test.sh --with-tls --allow-pending-external`

Then re-run the strict checks once DNS/certificate propagation completes.
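The checklist above, scripted as an added example (it is not the project's own `scripts/test.sh`): each step becomes a function with a pass/fail result, the HTTP check also insists that the plain-HTTP entry point redirects to `https://` on the same host, and the certificate check fails if the presented certificate expires within 7 days. It assumes `dig`, `curl`, `nc` and `openssl` are installed; `HOST` and `SSH_PORT` are overridable and default to the values used on this page.

```shell
#!/bin/sh
# Added post-cutover check script for the verification checklist.
# Not part of the project's scripts/; assumes dig, curl, nc and openssl.
HOST="${HOST:-git.bhatfamily.in}"
SSH_PORT="${SSH_PORT:-2222}"

# Status code from `curl -I` output (0 when no status line is present).
http_status() {
  printf '%s\n' "$1" | awk 'toupper($1) ~ /^HTTP\// {code=$2} END {print code+0}'
}
# Accept only redirect codes for the plain-HTTP entry point.
is_redirect() { case "$1" in 301|302|307|308) return 0 ;; *) return 1 ;; esac; }
# The Location header must point at https:// on the same host, not elsewhere.
redirects_to_https() {
  printf '%s\n' "$1" | awk -v host="$2" '
    tolower($1) == "location:" { sub(/\r$/, "", $2); if ($2 ~ ("^https://" host "(/|$)")) found = 1 }
    END { exit found ? 0 : 1 }'
}

check_dns() { [ -n "$(dig +short "$HOST" A)" ]; }
check_https() {
  h=$(curl -sSI --max-time 10 "https://$HOST") || return 1
  s=$(http_status "$h"); [ "$s" -ge 200 ] && [ "$s" -lt 400 ]   # Gitea may 303 to login
}
check_redirect() {
  h=$(curl -sSI --max-time 10 "http://$HOST") || return 1
  is_redirect "$(http_status "$h")" && redirects_to_https "$h" "$HOST"
}
# Certificate presented for the SNI name must not expire within 7 days (604800 s).
check_cert() {
  openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>/dev/null \
    | openssl x509 -noout -checkend 604800 >/dev/null
}
check_ssh() { nc -vz -w 5 "$HOST" "$SSH_PORT" >/dev/null 2>&1; }

run_checks() {
  rc=0
  for c in check_dns check_https check_redirect check_cert check_ssh; do
    if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
  done
  return $rc
}

# Network checks run only when invoked as: sh verify.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; exit $?; fi
```

A non-zero exit from `--run` means at least one step failed; during first-time propagation a DNS or certificate failure is expected until the records and ACME issuance settle.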