Skip to content

External how-to

Tasks that happen outside the NAS — Cloudflare (DNS, Pages, WAF, Access), Authentik SSO, GitHub, and domain renewal. These services keep saxobroko.com and homelab URLs working on the internet.

Audience: Ryan or a helper with Vaultwarden and YubiKey access.

What "external" means here

Service Role
Cloudflare Domain registrar, DNS, SSL, WAF, Tunnels, Pages (SaxDocs), Zero Trust Access
Authentik SSO at auth.saxobroko.com — login for docs, dash, etc.
GitHub Source code, SaxDocs auto-deploy, SaxWeather and other repos

Homelab apps still run on TrueNAS — Cloudflare is the front door from the internet.

Before you start

  1. Where passwords live — Vaultwarden at vault.saxobroko.com
  2. YubiKey for Cloudflare and GitHub 2FA — YubiKey
  3. Glossary if terms are unfamiliar — Basics glossary

Guides in this section

Task Guide
Log into Cloudflare and understand what it controls Cloudflare account access
Public site unreachable When a site is down
Add family to SSO / docs login Add an Authentik user
Saxon gone — keep GitHub and SaxDocs running If Saxon dies — GitHub
Renew saxobroko.com Renew the domain
Emergency — bypass Access login Disable Cloudflare Access temporarilylast resort

Rules

  1. No secrets in SaxDocs — tokens and passwords stay in Vaultwarden or GitHub Actions secrets.
  2. Do not delete DNS records unless you know what hostname they serve.
  3. Do not turn off the whole Cloudflare zone — that takes down every subdomain at once.
  4. Bot Fight Mode must stay off — it breaks Authentik + Access — WAF and access rules.