How traffic gets from the internet to apps at home. I'm behind CGNAT, so inbound port forwarding does not work. External access is almost entirely Cloudflare Tunnels, which work here because cloudflared only makes outbound connections to Cloudflare.
The short version
Someone visits example.saxobroko.com
Cloudflare handles DNS, SSL, and WAF (including block no aus on most homelab hosts)
For home services: Cloudflare Tunnel → cloudflared on TrueNAS → app (often via NPM or direct port) — see cloudflared
For SaxDocs: Cloudflare Pages serves static files from GitHub — no tunnel involved
Internet → Cloudflare edge → Tunnel → TrueNAS / LAN services
Internet → Cloudflare edge → Pages (docs.saxobroko.com only)
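The tunnel leg of the flow above, written out as a locally managed cloudflared `config.yml`. This is an added example, not this homelab's actual configuration: the tunnel ID, credentials path, the second hostname, and all LAN addresses and ports are placeholders, and it assumes the tunnel is configured from a file and not from the Cloudflare dashboard.

```yaml
# Added example: locally managed cloudflared config (not the author's real file).
# Constructed placeholders: tunnel ID, credentials path, app2 hostname,
# and every LAN address/port below.
tunnel: "<TUNNEL-UUID>"
credentials-file: "/etc/cloudflared/<TUNNEL-UUID>.json"

ingress:
  # Rules are evaluated top to bottom; the first matching hostname wins.

  # Service reached via NPM on the LAN.
  - hostname: example.saxobroko.com
    service: https://192.168.1.10:443
    originRequest:
      # NPM selects the proxy host by name, so present the public hostname
      # for both TLS SNI / certificate validation and the HTTP Host header.
      originServerName: example.saxobroko.com
      httpHostHeader: example.saxobroko.com

  # Service reached directly on its own port, bypassing NPM.
  - hostname: app2.saxobroko.com        # hypothetical hostname
    service: http://192.168.1.10:8080

  # Mandatory catch-all. Any hostname not listed above gets a 404 at the
  # tunnel instead of being handed to some default LAN service.
  - service: http_status:404
```

Only hostnames listed under `ingress` are reachable through the tunnel, so this file doubles as the inventory of what is exposed. The WAF rules still apply at the Cloudflare edge before a request enters the tunnel.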