Skip to content

Cloudflare account access

Cloudflare manages saxobroko.com — DNS, SSL, firewalls (WAF), tunnels to the NAS, Cloudflare Pages (SaxDocs), and Zero Trust Access (login wall for docs). You need the Cloudflare account to fix outages, add DNS, or renew the domain.

Find the login in Vaultwarden

  1. Unlock Vaultwardenvault.saxobroko.com or browser extension.
  2. Search for Cloudflare (or dash.cloudflare.com).
  3. Open the entry — username/email and password are stored there.
  4. Note whether 2FA is documented — login requires a YubiKeyYubiKey.

Do not copy passwords into SaxDocs, chat, or email.

Log in

  1. Go to dash.cloudflare.com.
  2. Enter the email and password from Vaultwarden.
  3. Complete 2FA with the YubiKey when prompted.
  4. Select the saxobroko.com zone (or the account that owns it).

If login fails: wrong password (check Vaultwarden), lost YubiKey (see YubiKey recovery), or account lockout — use Cloudflare account recovery options with access to the registered email.

What this Cloudflare account controls

Area Dashboard path What it affects
DNS Websites → saxobroko.com → DNS Every *.saxobroko.com hostname — where traffic goes
SSL/TLS SSL/TLS Certificates for tunnel sites
WAF Security → WAF block no aus — Australia-only for homelab
Configuration rules Rules → Configuration rules localnet full strict ssl for tunnel hosts
Tunnels Zero Trust → Networks → Tunnels Public URLs to TrueNAS (Jellyfin, dash, vault, …)
Pages Workers & Pages → saxdocs docs.saxobroko.com hosting
Access Zero Trust → Access → Applications Login required for SaxDocs (Authentik)
Registrar Domain registration / Renew saxobroko.com expiry — Renew the domain

Deep reference: Cloudflare, WAF and access rules.

What Cloudflare does not host

Still on TrueNAS @ 192.168.2.203 Examples
Media, photos, apps Jellyfin, Immich, Sonarr, Vaultwarden
Tunnel agent cloudflared container — connects out to Cloudflare

Cloudflare is not a backup of NAS data. Turning off Cloudflare does not delete files at home — but public URLs stop working.

API tokens (for automation)

SaxDocs deploy uses a Cloudflare API token stored in GitHub Actions secrets, not in Vaultwarden for day-to-day browsing.

Location Purpose
GitHub SaxDocs secrets CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID — auto deploy
Cloudflare → My Profile → API Tokens Create or rotate tokens if deploy breaks

Rotating tokens requires updating GitHub secrets — see GitHub if Saxon dies.

Safe first tasks to learn the dashboard

  1. DNS — find stream, docs, dash records (tunnel CNAMEs or Pages).
  2. Zero Trust → Tunnels — see one tunnel with many public hostnames.
  3. Workers & Pages → saxdocs — recent deploy history.
  4. Access → Applications — SaxDocs app with Authentik IdP.

Do not delete DNS records or the tunnel to experiment

Removing stream or tunnel config takes Jellyfin offline for everyone. Use read-only browsing until you are following a specific guide.