nixos-dotfiles

https://git.tonybtw.com/nixos-dotfiles.git git://git.tonybtw.com/nixos-dotfiles.git

Cloudflare Setup Guide for Home Server

This guide walks you through setting up Cloudflare to:

  1. Point chat.tonybtw.com to your home IP and keep it updated when that IP changes (dynamic DNS)
  2. Get Let's Encrypt SSL certificates via the DNS-01 challenge, which needs no inbound port 80 and therefore works behind NAT

Step 1: Point Domain to Cloudflare

  1. Log in to Cloudflare: https://dash.cloudflare.com
  2. Add a site: Click "Add a site" → Enter tonybtw.com
  3. Choose Free plan
  4. Cloudflare will scan your DNS records (if you have existing ones)
  5. Click Continue

Step 2: Update Nameservers at Your Registrar

Cloudflare will show you two nameservers like:

chloe.ns.cloudflare.com
walt.ns.cloudflare.com
  1. Log in to where you bought tonybtw.com (Namecheap, Porkbun, etc.)
  2. Find "Nameservers" or "DNS Settings"
  3. Change from default nameservers to Cloudflare's nameservers
  4. Save changes

Wait 5-60 minutes for nameserver propagation. Cloudflare will email you when it's active.


Step 3: Add DNS Records in Cloudflare

Once Cloudflare is active:

  1. Go to DNS → Records
  2. Add these records:

A Records:

  Type  Name             Content       Proxy status           TTL
  A     chat             YOUR_HOME_IP  DNS only (gray cloud)  Auto
  A     conference.chat  YOUR_HOME_IP  DNS only (gray cloud)  Auto
  A     upload.chat      YOUR_HOME_IP  DNS only (gray cloud)  Auto

IMPORTANT: Click the gray cloud icon (not orange). Orange = Cloudflare proxy, which only carries HTTP/HTTPS traffic; XMPP on ports 5222 and 5269 would simply be unreachable through it.

To find your home IP (force IPv4, since these are A records):

curl -4 ifconfig.me

SRV Records (Optional but Recommended):

These help XMPP clients auto-discover your server.

  Type  Name  Service       Protocol  Priority  Weight  Port  Target
  SRV   @     _xmpp-client  _tcp      0         5       5222  chat.tonybtw.com
  SRV   @     _xmpp-server  _tcp      0         5       5269  chat.tonybtw.com

Note: SRV record forms differ between UIs. Key values:

  • Name: @ (the bare domain), so the record is published at _xmpp-client._tcp.tonybtw.com
  • Service: _xmpp-client or _xmpp-server
  • Protocol: _tcp
  • Port: 5222 (client) or 5269 (server)
  • Target: chat.tonybtw.com

Step 4: Create API Token for Dynamic DNS

Your home IP changes occasionally. We need an API token so NixOS can update Cloudflare automatically. Scope it as narrowly as the dashboard allows: one zone, DNS edit only. Do not use the account-wide Global API Key for this.

  1. Go to My Profile → API Tokens
  2. Click "Create Token"
  3. Click "Create Custom Token"
  4. Set:
    • Token Name: NixOS DDNS
    • Permissions:
      • Zone → DNS → Edit
    • Zone Resources:
      • Include → Specific zone → tonybtw.com
  5. Click "Continue to summary"
  6. Click "Create Token"
  7. Copy the token (you'll only see it once!)

Example token format (a placeholder, not a real token): abcdef1234567890_ABCDEFGHIJKLMNOP

Save this for the next step. The same token is reused for the ACME DNS challenge in Step 6.


Step 5: Create Cloudflare Token File on Your Server

On your home server (the laptop):

# Create secrets directory
sudo mkdir -p /root/secrets
sudo chmod 700 /root/secrets

# Create Cloudflare DDNS token file
sudo nano /root/secrets/cloudflare-token

Paste your API token (just the token, nothing else):

abcdef1234567890_ABCDEFGHIJKLMNOP

Save and exit (Ctrl+O, Enter, Ctrl+X).

# Set permissions
sudo chmod 600 /root/secrets/cloudflare-token

Step 6: Create Cloudflare ACME Credentials

For Let's Encrypt certificates via the DNS-01 challenge. NixOS drives this with lego, which reads the Cloudflare token from an environment-style credentials file (the credentialsFile of security.acme):

sudo nano /root/secrets/cloudflare-acme-credentials

Paste this (replace with YOUR token):

CF_DNS_API_TOKEN=abcdef1234567890_ABCDEFGHIJKLMNOP

Save and exit.

# Set permissions
sudo chmod 600 /root/secrets/cloudflare-acme-credentials

Step 7: Verify DNS Configuration

Wait 5 minutes for DNS propagation, then test:

# Check A record
dig chat.tonybtw.com

# Should show:
# chat.tonybtw.com. 300 IN A YOUR_HOME_IP

# Check SRV records
dig SRV _xmpp-client._tcp.tonybtw.com

# Should show:
# _xmpp-client._tcp.tonybtw.com. 300 IN SRV 0 5 5222 chat.tonybtw.com.

If these work, you're ready to deploy!


Step 8: Deploy NixOS Configuration

Now that Cloudflare is set up, go back to the home deployment guide and continue with:

  1. Importing modules in configuration.nix
  2. Running nixos-rebuild switch
  3. Creating XMPP accounts

Troubleshooting

DNS not resolving?

  • Check nameservers are pointing to Cloudflare: dig NS tonybtw.com
  • Wait longer: a nameserver change at the registrar can take up to 48 hours (usually about 10 minutes); record edits inside Cloudflare take effect within the TTL (300 seconds on Auto)
  • Make sure proxy is disabled (gray cloud, not orange)

API token not working?

  • Verify token has Zone → DNS → Edit permission
  • Check token is scoped to the tonybtw.com zone
  • Check the token file contains only the token (no "Bearer " prefix, no stray characters)
  • Check which file format your DDNS unit expects: the upstream NixOS services.cloudflare-dyndns module loads apiTokenFile as a systemd EnvironmentFile and documents that it must have the form CLOUDFLARE_API_TOKEN=..., whereas Step 5 writes the bare token. If your configuration uses the upstream module rather than this repo's own unit, rewrite the file in that form
  • Regenerate token if unsure

ACME certificate failing?

  • Check /root/secrets/cloudflare-acme-credentials format: one line, CF_DNS_API_TOKEN=<token>
  • Verify token has DNS edit permission
  • If the log says the zone for chat.tonybtw.com could not be found, lego's Cloudflare provider is looking the zone up by name; its documentation lists Zone → Zone → Read alongside DNS edit, so either add that permission to the token or supply a second token with it as CF_ZONE_API_TOKEN
  • Check logs: sudo journalctl -u acme-chat.tonybtw.com

Cloudflare Settings (Only Matter for Proxied Records)

Everything under SSL/TLS, Security and Speed in the dashboard acts on traffic that passes through Cloudflare's proxy (orange cloud). With the DNS-only records above, XMPP clients and peer servers connect straight to your home IP, so none of these settings touch that traffic. They only become relevant if you later proxy an HTTP service on the same zone; set them sensibly now so that a future orange-cloud record does not start out weak.

SSL/TLS:

  1. Go to SSL/TLS → Overview
  2. Set encryption mode to "Full (strict)". Plain "Full" accepts any certificate from your server without validating it (that is what lets self-signed certs through); once the Let's Encrypt certificate from Step 6 is in place there is no reason to give that up

Security:

  • Firewall Rules, Rate Limiting and the free-tier DDoS protection all act at the proxy, so they do nothing for ports 5222/5269 on a DNS-only record. Protect the XMPP server with the host firewall and the XMPP server's own connection limits instead

Speed:

  • Auto Minify and Brotli only rewrite proxied HTTP responses; they cannot touch XMPP either way. Leave them at their defaults

What Cloudflare Can and Can't See

With the proxy DISABLED (gray cloud), Cloudflare is only your authoritative DNS provider. It can see:

  • The records themselves, including your current home IP, and every IP change the DDNS service pushes through the API
  • DNS lookups for chat.tonybtw.com and the SRV records, arriving from the recursive resolvers that clients use (not directly from the people looking you up)

Cloudflare can't see:

  • Your XMPP traffic: it flows straight from clients and peer servers to your home IP, so Cloudflare never sees the TLS connection or anything inside it
  • Who you're talking to: rosters and message routing live on your own server (and the remote server of the other party), not at Cloudflare
  • Message contents: protected by TLS in transit and, with OMEMO, end-to-end encrypted between clients

By using "DNS only" mode (gray cloud), you bypass Cloudflare's proxy entirely. Cloudflare just answers DNS queries and accepts record updates. The flip side is that your home IP is public in DNS and the XMPP server is directly reachable on 5222/5269, which is exactly what the router port forwarding guide sets up.


Maintenance

Updating Your Home IP Manually (if DDNS fails):

  1. Go to Cloudflare Dashboard
  2. DNS → Records
  3. Edit chat A record
  4. Change IP to your current home IP
  5. Save

Normally NixOS handles this automatically via the cloudflare-dyndns service; the steps above are only the fallback.
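As an added example (not code from this repo and not the cloudflare-dyndns tool itself), the script below performs the same update the DDNS service does, but by hand: it reads the token file from Step 5, confirms the token is active via the Cloudflare /user/tokens/verify endpoint (also the quickest check for a Step 4 token that "isn't working"), looks up the A record in the zone and PATCHes the current public IPv4 into it. It assumes the zone ID is copied from the zone's Overview page in the dashboard and passed as ZONE_ID; the file name cf-ddns-fallback.sh, the record name on the usage line and the JSON inside cf_selftest are constructed for the example.

```bash
#!/bin/sh
# Fallback DDNS update against the Cloudflare API, added as an example for
# this guide; it is not the NixOS cloudflare-dyndns service. It reads the
# token file from Step 5 and rewrites one A record. ZONE_ID (shown on the
# zone's Overview page in the dashboard) and the record name are passed in;
# the JSON in cf_selftest is a constructed sample response, not API output.
set -eu

CF_API="https://api.cloudflare.com/client/v4"
TOKEN_FILE="${TOKEN_FILE:-/root/secrets/cloudflare-token}"

# Read the bare token, dropping the newline an editor leaves behind, and
# refuse a file that anyone other than its owner can read.
cf_read_token() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $1: mode $mode, expected 600" >&2; return 1 ;;
    esac
    tr -d '[:space:]' < "$1"
}

# Fail unless a Cloudflare API response reports "success":true.
cf_check() {
    printf '%s' "$1" | tr -d ' \n' | grep -q '"success":true' \
        || { echo "Cloudflare API error: $1" >&2; return 1; }
}

# First 32-hex-digit "id" in a response (zone or record ID), no jq needed.
cf_first_id() {
    tr -d ' \n' | grep -o '"id":"[0-9a-f]\{32\}"' | head -n 1 | cut -d'"' -f4
}

# Body for PATCH /zones/{zone}/dns_records/{record}. ttl 1 means "Auto";
# proxied false keeps the gray cloud so the XMPP ports stay reachable.
cf_payload() {
    printf '{"type":"A","name":"%s","content":"%s","ttl":1,"proxied":false}' "$1" "$2"
}

# cf_api METHOD PATH [JSON_BODY]; the token only ever travels as a header.
cf_api() {
    token=$(cf_read_token "$TOKEN_FILE")
    if [ $# -ge 3 ]; then
        curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $token" \
            -H "Content-Type: application/json" --data "$3"
    else
        curl -sS -X "$1" "$CF_API$2" -H "Authorization: Bearer $token"
    fi
}

# cf_update ZONE_ID RECORD_NAME: confirm the token is active, find the
# record, write the current public IPv4 into it.
cf_update() {
    zone=$1; name=$2
    cf_check "$(cf_api GET /user/tokens/verify)"
    ip=$(curl -4 -sS https://ifconfig.me)
    resp=$(cf_api GET "/zones/$zone/dns_records?type=A&name=$name")
    cf_check "$resp"
    rec=$(printf '%s' "$resp" | cf_first_id)
    [ -n "$rec" ] || { echo "no A record named $name in zone $zone" >&2; return 1; }
    cf_check "$(cf_api PATCH "/zones/$zone/dns_records/$rec" "$(cf_payload "$name" "$ip")")"
    echo "$name -> $ip"
}

# Offline self-test on a constructed sample response (not real API output).
cf_selftest() {
    sample='{"result":[{"id":"0123456789abcdef0123456789abcdef","type":"A","name":"chat.tonybtw.com","content":"203.0.113.7","proxied":false}],"success":true,"errors":[]}'
    cf_check "$sample"
    [ "$(printf '%s' "$sample" | cf_first_id)" = "0123456789abcdef0123456789abcdef" ]
}

# Usage: ZONE_ID=<zone id> ./cf-ddns-fallback.sh chat.tonybtw.com
if [ -n "${ZONE_ID:-}" ] && [ $# -ge 1 ]; then
    cf_update "$ZONE_ID" "$1"
fi
```

Run it as root, once per hostname (chat, conference.chat, upload.chat), since the token file is mode 600. It refuses a token file that is readable by others, which is the reason Step 5 sets that mode, and it keeps proxied=false so a manual update can never accidentally flip the record to the orange cloud.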

Check DDNS Status:

# Check if DDNS service is running
sudo systemctl status cloudflare-dyndns

# Check logs
sudo journalctl -u cloudflare-dyndns

Next Steps

Once Cloudflare is configured:

  1. Continue with router port forwarding guide
  2. Deploy NixOS configuration
  3. Test XMPP connection

You're almost there!