# Cloudflare Setup Guide for Home Server

This guide walks you through setting up Cloudflare to:

1. Point `chat.tonybtw.com` to your home IP (dynamic DNS)
2. Get SSL certificates via DNS challenge (works behind NAT)

---

## Step 1: Point Domain to Cloudflare

1. **Log in to Cloudflare:** https://dash.cloudflare.com
2. **Add a site:** Click "Add a site" → Enter `tonybtw.com`
3. **Choose Free plan**
4. **Cloudflare will scan your DNS records** (if you have existing ones)
5. **Click Continue**

---

## Step 2: Update Nameservers at Your Registrar

Cloudflare will show you two nameservers like:

```
chloe.ns.cloudflare.com
walt.ns.cloudflare.com
```

1. Log in to where you bought `tonybtw.com` (Namecheap, Porkbun, etc.)
2. Find **"Nameservers"** or **"DNS Settings"**
3. Change from the default nameservers to Cloudflare's nameservers
4. Save changes

**Wait 5-60 minutes** for nameserver propagation. Cloudflare will email you when it's active.

---

## Step 3: Add DNS Records in Cloudflare

Once Cloudflare is active:

1. Go to **DNS → Records**
2. Add these records:

### **A Records:**

| Type | Name | Content | Proxy Status | TTL |
|------|------|---------|--------------|-----|
| A | chat | YOUR_HOME_IP | DNS only (gray cloud) | Auto |
| A | conference.chat | YOUR_HOME_IP | DNS only | Auto |
| A | upload.chat | YOUR_HOME_IP | DNS only | Auto |

**IMPORTANT:** Click the **gray cloud** icon (not orange). Orange = Cloudflare proxy (breaks XMPP).

**To find your home IP:**

```bash
curl ifconfig.me
```

### **SRV Records (Optional but Recommended):**

These help XMPP clients auto-discover your server.

| Type | Name | Service | Protocol | Priority | Weight | Port | Target |
|------|------|---------|----------|----------|--------|------|--------|
| SRV | @ | _xmpp-client | _tcp | 0 | 5 | 5222 | chat.tonybtw.com |
| SRV | @ | _xmpp-server | _tcp | 0 | 5 | 5269 | chat.tonybtw.com |

**Note:** Some SRV record UIs differ.
Key values:

- Service: `_xmpp-client` or `_xmpp-server`
- Protocol: `_tcp`
- Port: `5222` (client) or `5269` (server)
- Target: `chat.tonybtw.com`

---

## Step 4: Create API Token for Dynamic DNS

Your home IP changes occasionally. We need an API token so NixOS can update Cloudflare automatically.

1. Go to **My Profile → API Tokens**
2. Click **"Create Token"**
3. Click **"Create Custom Token"**
4. Set:
   - **Token Name:** `NixOS DDNS`
   - **Permissions:**
     - `Zone → DNS → Edit`
   - **Zone Resources:**
     - `Include → Specific zone → tonybtw.com`
5. Click **"Continue to summary"**
6. Click **"Create Token"**
7. **Copy the token** (you'll only see it once!)

Example token format: `abcdef1234567890_ABCDEFGHIJKLMNOP`

Save this for the next step.

---

## Step 5: Create Cloudflare Token File on Your Server

On your home server (the laptop):

```bash
# Create secrets directory
sudo mkdir -p /root/secrets
sudo chmod 700 /root/secrets

# Create Cloudflare DDNS token file
sudo nano /root/secrets/cloudflare-token
```

Paste your API token (just the token, nothing else):

```
abcdef1234567890_ABCDEFGHIJKLMNOP
```

Save and exit (Ctrl+O, Enter, Ctrl+X).

```bash
# Set permissions
sudo chmod 600 /root/secrets/cloudflare-token
```

---

## Step 6: Create Cloudflare ACME Credentials

For Let's Encrypt SSL certificates using the DNS challenge:

```bash
sudo nano /root/secrets/cloudflare-acme-credentials
```

Paste this (replace with YOUR token):

```
CF_DNS_API_TOKEN=abcdef1234567890_ABCDEFGHIJKLMNOP
```

Save and exit.

```bash
# Set permissions
sudo chmod 600 /root/secrets/cloudflare-acme-credentials
```

---

## Step 7: Verify DNS Configuration

Wait 5 minutes for DNS propagation, then test:

```bash
# Check A record
dig chat.tonybtw.com
# Should show:
# chat.tonybtw.com. 300 IN A YOUR_HOME_IP

# Check SRV records
dig SRV _xmpp-client._tcp.tonybtw.com
# Should show:
# _xmpp-client._tcp.tonybtw.com. 300 IN SRV 0 5 5222 chat.tonybtw.com.
```

If these work, you're ready to deploy!
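Added example (not part of the original guide): a small Python checker that parses `dig` answer lines like the ones above and flags the mistakes this guide warns about: an A record holding a LAN address instead of the WAN IP, an A record sitting in a Cloudflare proxy range (orange cloud), and SRV records with the wrong port or target. The sample `dig` output is constructed, and the Cloudflare range list is an assumed snapshot of a few published ranges, as noted in the comments.

```python
import ipaddress

# Constructed `dig` answer lines for the Step 3 records (203.0.113.10 stands in for YOUR_HOME_IP).
SAMPLE_DIG = """\
chat.tonybtw.com.              300 IN A   203.0.113.10
_xmpp-client._tcp.tonybtw.com. 300 IN SRV 0 5 5222 chat.tonybtw.com.
_xmpp-server._tcp.tonybtw.com. 300 IN SRV 0 5 5269 chat.tonybtw.com.
"""
# Assumed snapshot of a few published Cloudflare IPv4 proxy ranges (cloudflare.com/ips-v4);
# an A record inside one of them means the orange cloud is on. Refresh the list before real use.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "198.41.128.0/17", "141.101.64.0/18", "108.162.192.0/18", "173.245.48.0/20")]
# RFC 1918 plus CGNAT space: such a record is a LAN address, not the WAN IP clients need.
LAN_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
EXPECTED_SRV = {"_xmpp-client._tcp": 5222, "_xmpp-server._tcp": 5269}

def parse_dig(text):
    """Parse answer lines (name TTL IN TYPE data) into an A dict and an SRV dict."""
    a, srv = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue  # comments, blank lines, short lines
        name = f[0].rstrip(".")
        if f[3] == "A":
            a[name] = f[4]
        elif f[3] == "SRV" and len(f) >= 8:
            service, proto, zone = name.split(".", 2)  # _xmpp-client._tcp.tonybtw.com
            srv[f"{service}.{proto}"] = {"zone": zone, "port": int(f[6]), "target": f[7].rstrip(".")}
    return a, srv

def check_records(dig_text, zone, host):
    """Return a list of problems; an empty list means the records match this guide."""
    a, srv = parse_dig(dig_text)
    problems = []
    for name, ip in a.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LAN_V4):
            problems.append(f"{name} points at LAN address {ip}; use the WAN IP from `curl ifconfig.me`")
        elif any(addr in net for net in CLOUDFLARE_V4):
            problems.append(f"{name} resolves to a Cloudflare proxy IP (orange cloud); set it to DNS only")
    for service, port in EXPECTED_SRV.items():
        rec = srv.get(service)
        if rec is None or rec["zone"] != zone:
            problems.append(f"missing SRV record {service}.{zone}")
        elif rec["port"] != port:
            problems.append(f"{service} port is {rec['port']}, expected {port}")
        elif rec["target"] != host or host not in a:
            problems.append(f"{service} target {rec['target']} must be {host} with an A record")
    return problems
```

Feed it the real output of `dig +noall +answer chat.tonybtw.com` and the two SRV queries concatenated; the A records you enter as `chat`, `conference.chat` and `upload.chat` all go through the same LAN/proxy checks.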
---

## Step 8: Deploy NixOS Configuration

Now that Cloudflare is set up, go back to the home deployment guide and continue with:

1. Importing modules in `configuration.nix`
2. Running `nixos-rebuild switch`
3. Creating XMPP accounts

---

## Troubleshooting

### **DNS not resolving?**

- Check nameservers are pointing to Cloudflare: `dig NS tonybtw.com`
- Wait longer (DNS propagation can take up to 48 hours, usually 10 minutes)
- Make sure proxy is **disabled** (gray cloud, not orange)

### **API token not working?**

- Verify token has `Zone → DNS → Edit` permission
- Check token is scoped to the `tonybtw.com` zone
- Regenerate token if unsure

### **ACME certificate failing?**

- Check `/root/secrets/cloudflare-acme-credentials` format
- Verify token has DNS edit permission
- Check logs: `sudo journalctl -u acme-chat.tonybtw.com`

---

## Cloudflare Settings (Recommended)

These settings only apply to records you proxy through Cloudflare (orange cloud); the DNS-only records from Step 3 bypass the proxy, so they do not affect your XMPP traffic.

### **SSL/TLS:**

1. Go to **SSL/TLS → Overview**
2. Set encryption mode to **"Full"** (not "Full (strict)")
3. This allows self-signed certs on your server

### **Security:**

- **Firewall Rules:** You can add rules to block countries/IPs if needed
- **Rate Limiting:** Can limit connections to prevent abuse
- **DDoS Protection:** Automatic (part of Cloudflare free tier)

### **Speed:**

- **Auto Minify:** Leave OFF (can break XMPP)
- **Brotli:** Can enable (safe)

---

## What Cloudflare Can and Can't See

### **Cloudflare CAN see (when proxy is DISABLED - gray cloud):**

- DNS queries for `chat.tonybtw.com`
- Nothing else (they're just a DNS provider)

### **Cloudflare CAN'T see:**

- Your XMPP traffic (encrypted, goes directly to your home IP)
- Who you're talking to (OMEMO encryption)
- Message contents (E2E encrypted)

**By using "DNS only" mode (gray cloud), you bypass Cloudflare's proxy entirely.** They just serve DNS records. Your XMPP traffic goes directly from clients → your home server.

---

## Maintenance

### **Updating Your Home IP Manually (if DDNS fails):**

1. Go to Cloudflare Dashboard
2. Go to **DNS → Records**
3. Edit the `chat` A record
4. Change IP to your current home IP
5. Save

But NixOS should handle this automatically via the `cloudflare-dyndns` service.

### **Check DDNS Status:**

```bash
# Check if DDNS service is running
sudo systemctl status cloudflare-dyndns

# Check logs
sudo journalctl -u cloudflare-dyndns
```

---

## Next Steps

Once Cloudflare is configured:

1. Continue with router port forwarding guide
2. Deploy NixOS configuration
3. Test XMPP connection

You're almost there!
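Added example, not the guide's own code and not the NixOS `cloudflare-dyndns` service: a minimal Python DDNS updater showing what that service does with the token from Steps 4 and 5. It refuses a token file that is not mode 600, looks up the zone and the `chat` A record through Cloudflare's v4 API (the documented `/zones` and `/dns_records` endpoints) and patches the IP while forcing `proxied: false` so the record stays gray-cloud. The `request` parameter is injectable so the logic can be exercised without network access; `detect_wan_ip()` uses the same ifconfig.me lookup as Step 3.

```python
import json
import os
import stat
import urllib.request

API = "https://api.cloudflare.com/client/v4"
def check_private_mode(mode, path):
    """Refuse a token file that group/others can read (the chmod 600 from Step 5)."""
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:04o}; run: chmod 600 {path}")

def read_token(path="/root/secrets/cloudflare-token"):
    check_private_mode(stat.S_IMODE(os.stat(path).st_mode), path)
    with open(path) as f:
        return f.read().strip()

def cf_request(token, method, path, body=None):
    """Call the Cloudflare v4 API with the scoped bearer token; return its 'result' field."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        reply = json.load(resp)
    if not reply.get("success"):
        raise RuntimeError(f"Cloudflare API error: {reply.get('errors')}")
    return reply["result"]

def update_a_record(token, zone, host, new_ip, request=cf_request):
    """Point host's A record at new_ip and keep it DNS-only (gray cloud).
    `request` is injectable so the logic can be exercised without network access."""
    zones = request(token, "GET", f"/zones?name={zone}")
    if not zones:
        raise LookupError(f"token cannot see zone {zone}; check its Zone Resources scope")
    recs = request(token, "GET", f"/zones/{zones[0]['id']}/dns_records?type=A&name={host}")
    if not recs:
        raise LookupError(f"no A record for {host}; create it in the dashboard first")
    rec = recs[0]
    if rec["content"] == new_ip and not rec.get("proxied"):
        return "unchanged"  # nothing to do; avoids a needless write with the token
    request(token, "PATCH", f"/zones/{zones[0]['id']}/dns_records/{rec['id']}",
            {"type": "A", "name": host, "content": new_ip, "proxied": False, "ttl": 300})
    return "updated"

def detect_wan_ip():
    """Same lookup as `curl ifconfig.me` in Step 3."""
    with urllib.request.urlopen("https://ifconfig.me/ip", timeout=15) as resp:
        return resp.read().decode().strip()

if __name__ == "__main__":
    print(update_a_record(read_token(), "tonybtw.com", "chat.tonybtw.com", detect_wan_ip()))
```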