External how-to
Tasks that happen outside the NAS — Cloudflare (DNS, Pages, WAF, Access), Authentik SSO, GitHub, and domain renewal. These services keep saxobroko.com and homelab URLs working on the internet.
Audience: Ryan or a helper with Vaultwarden and YubiKey access.
What "external" means here
| Service | Role |
|---|---|
| Cloudflare | Domain registrar, DNS, SSL, WAF, Tunnels, Pages (SaxDocs), Zero Trust Access |
| Authentik | SSO at auth.saxobroko.com — login for docs, dash, etc. |
| GitHub | Source code, SaxDocs auto-deploy, SaxWeather and other repos |
Homelab apps still run on TrueNAS — Cloudflare is the front door from the internet.
Before you start
- Where passwords live — Vaultwarden at vault.saxobroko.com
- YubiKey for Cloudflare and GitHub 2FA (see YubiKey)
- Glossary if terms are unfamiliar (see Basics glossary)
Guides in this section
| Task | Guide |
|---|---|
| Log into Cloudflare and understand what it controls | Cloudflare account access |
| Public site unreachable | When a site is down |
| Add family to SSO / docs login | Add an Authentik user |
| Saxon gone — keep GitHub and SaxDocs running | If Saxon dies — GitHub |
| Renew saxobroko.com | Renew the domain |
| Emergency — bypass Access login | Disable Cloudflare Access temporarily — last resort |
Rules
- No secrets in SaxDocs — tokens and passwords stay in Vaultwarden or GitHub Actions secrets.
- Do not delete DNS records unless you know what hostname they serve.
- Do not turn off the whole Cloudflare zone — that takes down every subdomain at once.
- Bot Fight Mode must stay off: it breaks Authentik + Access (see WAF and access rules).