Cloudflare account access
Cloudflare manages saxobroko.com — DNS, SSL, firewalls (WAF), tunnels to the NAS, Cloudflare Pages (SaxDocs), and Zero Trust Access (login wall for docs). You need the Cloudflare account to fix outages, add DNS, or renew the domain.
Find the login in Vaultwarden
- Unlock Vaultwarden — vault.saxobroko.com or browser extension.
- Search for Cloudflare (or dash.cloudflare.com).
- Open the entry — username/email and password are stored there.
- Note whether 2FA is documented — login requires a YubiKey — YubiKey.
Do not copy passwords into SaxDocs, chat, or email.
Log in
- Go to dash.cloudflare.com.
- Enter the email and password from Vaultwarden.
- Complete 2FA with the YubiKey when prompted.
- Select the saxobroko.com zone (or the account that owns it).
If login fails: wrong password (check Vaultwarden), lost YubiKey (see YubiKey recovery), or account lockout — use Cloudflare account recovery options with access to the registered email.
What this Cloudflare account controls
| Area | Dashboard path | What it affects |
|---|---|---|
| DNS | Websites → saxobroko.com → DNS | Every *.saxobroko.com hostname — where traffic goes |
| SSL/TLS | SSL/TLS | Certificates for tunnel sites |
| WAF | Security → WAF | block no aus — Australia-only for homelab |
| Configuration rules | Rules → Configuration rules | localnet full strict ssl for tunnel hosts |
| Tunnels | Zero Trust → Networks → Tunnels | Public URLs to TrueNAS (Jellyfin, dash, vault, …) |
| Pages | Workers & Pages → saxdocs | docs.saxobroko.com hosting |
| Access | Zero Trust → Access → Applications | Login required for SaxDocs (Authentik) |
| Registrar | Domain registration / Renew | saxobroko.com expiry — Renew the domain |
Deep reference: Cloudflare, WAF and access rules.
What Cloudflare does not host
Still on TrueNAS @ 192.168.2.203 |
Examples |
|---|---|
| Media, photos, apps | Jellyfin, Immich, Sonarr, Vaultwarden |
| Tunnel agent | cloudflared container — connects out to Cloudflare |
Cloudflare is not a backup of NAS data. Turning off Cloudflare does not delete files at home — but public URLs stop working.
API tokens (for automation)
SaxDocs deploy uses a Cloudflare API token stored in GitHub Actions secrets, not in Vaultwarden for day-to-day browsing.
| Location | Purpose |
|---|---|
| GitHub SaxDocs secrets | CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID — auto deploy |
| Cloudflare → My Profile → API Tokens | Create or rotate tokens if deploy breaks |
Rotating tokens requires updating GitHub secrets — see GitHub if Saxon dies.
Safe first tasks to learn the dashboard
- DNS — find
stream,docs,dashrecords (tunnel CNAMEs or Pages). - Zero Trust → Tunnels — see one tunnel with many public hostnames.
- Workers & Pages → saxdocs — recent deploy history.
- Access → Applications — SaxDocs app with Authentik IdP.
Do not delete DNS records or the tunnel to experiment
Removing stream or tunnel config takes Jellyfin offline for everyone. Use read-only browsing until you are following a specific guide.