gitea-homelab/docs/cloudflare-networking.md
2026-04-20 18:56:54 +05:30

# Cloudflare DNS + Home Network Setup for git.bhatfamily.in

## Goal

Expose local Gitea securely from home network while preserving Git-over-SSH support.

Create DNS records in Cloudflare for the zone `bhatfamily.in`:

1. A record
   - Name: `git`
   - Content: your home public IPv4
   - Proxy status: DNS only (gray cloud)
2. Optional AAAA record
   - Name: `git`
   - Content: your home public IPv6
   - Proxy status: DNS only

This setup uses direct inbound routing for both HTTPS and custom SSH (2222 by default). DNS only is required because the Cloudflare proxy (orange cloud) only forwards HTTP/HTTPS traffic, so a proxied record would break direct SSH forwarding on 2222.

## Router/NAT rules

Create forwards to this server's LAN IP:

- TCP 80 -> `<server_lan_ip>:80` (ACME challenge + redirect)
- TCP 443 -> `<server_lan_ip>:443` (HTTPS via Caddy)
- TCP 2222 -> `<server_lan_ip>:2222` (Git SSH)

## Shared edge ports currently in use (verified 2026-04-19)

On this homelab WAN edge, additional TCP ports are currently reachable for other `*.bhatfamily.in` services:

- 3000 (Gemma Open WebUI direct)
- 8000 (vLLM API direct)
- 8082 (Nextcloud HTTP direct)
- 8445 (OpenVPN-AS admin/direct)
- 8447 (Nextcloud HTTPS direct)
- 943 (OpenVPN-AS client web/direct)

If you want git.bhatfamily.in to be the only internet-exposed service on this host, close the extra forwards and firewall allows listed above.

## Firewall alignment

If UFW is active, use the install flag to open the public web ports:

- `./scripts/install.sh --with-tls --open-public-web`

To close them later:

- `./scripts/uninstall.sh --with-tls --close-public-web`

## ISP constraints check

Some ISPs block inbound ports. Validate from outside your network:

- `curl -I https://git.bhatfamily.in`
- `nc -vz git.bhatfamily.in 2222`

If blocked, use alternate routing (VPN/tunnel) or ISP-compatible ports.

Ongoing hardening:

- Keep strong secrets in `.env`
- Restrict SSH source ranges if practical
- Keep containers patched (`docker compose pull` and recreate)
- Add off-host backups for the gitea/postgres/caddy data directories

## Post-cutover verification checklist

Run these after DNS/NAT/firewall updates to confirm end-to-end readiness:

1. DNS resolution
   - `dig +short git.bhatfamily.in A`
2. HTTPS response and redirect chain
   - `curl -I https://git.bhatfamily.in`
   - `curl -I http://git.bhatfamily.in`
3. Certificate validity/issuer
   - `openssl s_client -connect git.bhatfamily.in:443 -servername git.bhatfamily.in </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates`
4. Git SSH port reachability
   - `nc -vz git.bhatfamily.in 2222`
5. Stack self-check
   - `./scripts/test.sh --with-tls`

If any check fails during first-time propagation, run:

- `./scripts/test.sh --with-tls --allow-pending-external`

Then re-run the strict checks once DNS/certificate propagation completes.
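The port checks in the "Shared edge ports" section and in step 4 of the checklist can be combined into one external exposure audit: probe every port documented on this edge and report both expected ports that are closed and extra ports that are still open. This is an added example, not a script from the gitea-homelab repository; it assumes `nc` supports `-z` and `-w`, and it must be run from outside the home network (for example via a phone hotspot) to see what the internet sees.

```sh
#!/bin/sh
# Expected inbound TCP ports for git.bhatfamily.in: ACME/redirect, HTTPS, Git SSH
EXPECTED_PORTS="80 443 2222"
# Other forwards documented on this edge (verified 2026-04-19); expected to be closed
# once git.bhatfamily.in is the only exposed service
KNOWN_EXTRA_PORTS="3000 8000 8082 8445 8447 943"

# port_open HOST PORT -> exit 0 if a TCP connect succeeds within 3 seconds
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# probe_open_ports HOST "PORTS" -> prints the subset of PORTS that accepts a connect
probe_open_ports() {
    host=$1; open=""
    for p in $2; do
        port_open "$host" "$p" && open="$open $p"
    done
    printf '%s\n' "${open# }"
}

# unexpected_ports "OPEN_PORTS" -> open ports that are not in EXPECTED_PORTS
unexpected_ports() {
    out=""
    for p in $1; do
        case " $EXPECTED_PORTS " in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# missing_ports "OPEN_PORTS" -> expected ports that did not answer
missing_ports() {
    out=""
    for p in $EXPECTED_PORTS; do
        case " $1 " in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# audit HOST -> non-zero if anything deviates from the documented exposure
audit() {
    open=$(probe_open_ports "$1" "$EXPECTED_PORTS $KNOWN_EXTRA_PORTS")
    extra=$(unexpected_ports "$open"); gone=$(missing_ports "$open")
    printf 'open: %s\nunexpected: %s\nmissing: %s\n' "$open" "$extra" "$gone"
    [ -z "$extra" ] && [ -z "$gone" ]
}

if [ "$#" -eq 1 ]; then audit "$1"; fi
```

Usage: `sh edge-audit.sh git.bhatfamily.in`; a non-zero exit means either a required port is blocked (ISP or NAT issue) or an extra forward is still reachable.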