Cloudflare
Cloudflare provides two distinct services for this homelab: the Tunnel (cloudflared on TrueNAS) for routing internal services outbound without port forwarding, and Zero Trust Access for gating those services behind an identity check.
Cloudflare Tunnel
| Item | Detail |
|---|---|
| App version | 2026.2.0 |
| TrueNAS catalogue version | 1.4.2 |
| Installed via | TrueNAS Apps - Community train |
| Tunnel name | TrueNAS |
| Tunnel ID | 514c6307-671f-410b-a8c5-e988f4018599 |
| Status | Healthy |
The tunnel runs as an outbound-only connection from TrueNAS to Cloudflare’s network on port 443. No inbound ports need to be opened on the Dream Router 7.
Browser -> Cloudflare Edge -> Cloudflare Tunnel (TrueNAS) -> cloudflared on TrueNAS -> Internal service
Published application routes
| Hostname | Internal target | Service |
|---|---|---|
| nas.wighttrash.uk | https://localhost | TrueNAS admin UI |
| docker.wighttrash.uk | http://localhost:30258 | Arcane |
Unmatched requests return http_status:404 via the catch-all rule.
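How the two published routes and the catch-all resolve a request, and the origin probe the 502 troubleshooting step below performs by hand, as an added Python illustration (not cloudflared's own code). It assumes exact hostname matches only and is meant to be run on the TrueNAS host, where the localhost targets are reachable.

```python
"""Resolve a Host header to an origin the way cloudflared walks its ingress
rules (first match wins; the hostname-less final rule is the catch-all) and
probe each origin as the 502 troubleshooting step does by hand. Added
illustration, not cloudflared's code; exact hostnames only, no wildcards."""
import socket
from urllib.parse import urlsplit

# Published application routes in evaluation order (from the table above).
INGRESS = [
    {"hostname": "nas.wighttrash.uk", "service": "https://localhost"},
    {"hostname": "docker.wighttrash.uk", "service": "http://localhost:30258"},
    {"service": "http_status:404"},  # catch-all: the only rule with no hostname
]

def validate_ingress(rules):
    """Approximates cloudflared's check for hostname-only rules: exactly the last rule lacks a hostname."""
    if not rules or "hostname" in rules[-1]:
        raise ValueError("last ingress rule must be a catch-all with no hostname")
    if any("hostname" not in r for r in rules[:-1]):
        raise ValueError("only the last ingress rule may omit the hostname")

def resolve(rules, host):
    """Return the origin service string for a request to `host`."""
    validate_ingress(rules)
    host = host.lower().split(":")[0]  # ignore any explicit port in the Host header
    for rule in rules:
        if "hostname" not in rule or rule["hostname"].lower() == host:
            return rule["service"]

def origin_target(service):
    """(host, port) cloudflared would connect to; None for synthetic http_status rules."""
    if service.startswith("http_status:"):
        return None
    url = urlsplit(service)
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)

def origin_reachable(service, timeout=3.0):
    """TCP-connect to the origin; a refused connection is what surfaces as a 502 at the edge."""
    target = origin_target(service)
    if target is None:
        return True
    try:
        with socket.create_connection(target, timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for rule in INGRESS:  # run on the TrueNAS host so the localhost targets are meaningful
        print(rule.get("hostname", "<catch-all>"), "->", rule["service"], origin_reachable(rule["service"]))
```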
Limitations
Cloudflare imposes a 100 MB maximum request size on all tunnelled traffic (the same limit applies to any proxied DNS record, which is why photos is kept DNS-only in the table below). This is why Immich and Jellyfin are routed through Pangolin rather than the Cloudflare Tunnel. See Pangolin for details.
Zero Trust Access
All admin-facing services are protected by Cloudflare Access. The shared reusable policy is Admin Only - Allow, email: [email protected], authentication via One-time PIN.
The docs wiki uses a separate Keycloak OIDC policy - see Docs wiki access below.
Access applications
| Application | URL | Policy | Notes |
|---|---|---|---|
| Arcane | docker.wighttrash.uk | Admin Only | - |
| Pangolin | pangolin.wighttrash.uk | Admin Only | - |
| Pangolin API Bypass | pangolin.wighttrash.uk/api/ | Bypass (Everyone) | Required for Newt token requests |
| Docs | docs.wighttrash.uk | Keycloak OIDC (wighttrash realm) | - |
| TrueNAS Admin | nas.wighttrash.uk | Admin Only | - |
photos.wighttrash.uk has no Access policy. The Immich mobile app cannot handle Cloudflare Access authentication flows - Immich’s own Keycloak-backed authentication is the protection layer.
Adding a new protected service
Step 1. Add the service to the Cloudflare Tunnel published routes, or ensure the DNS record points to the correct target.
Step 2. Go to Cloudflare Zero Trust dashboard - Access Controls - Applications.
Step 3. Click Add an application and select Self-hosted.
Step 4. Set the application domain to the service hostname.
Step 5. Under Policies, select the existing Admin Only reusable policy.
Step 6. Save.
Docs wiki access
The wiki at docs.wighttrash.uk uses Cloudflare Access with Keycloak as the OIDC identity provider. This allows invited users to sign in with their Google or Microsoft account via Keycloak, without needing a Cloudflare account or OTP.
Cloudflare Access application
| Item | Detail |
|---|---|
| Application name | Wight Trash Docs |
| Application URL | docs.wighttrash.uk |
| Type | Self-hosted |
| Application ID | 5c60a885-39a6-4660-a402-89d80c978911 |
Access policy
| Item | Detail |
|---|---|
| Policy name | KeyCloak |
| Action | Allow |
| Session duration | 6 hours |
| Rule selector | Login Methods |
| Rule value | OpenID Connect |
Anyone who successfully authenticates through the Keycloak OIDC identity provider is granted access. Access control is enforced at the Keycloak level - only users with an account in the wighttrash realm can complete authentication.
Keycloak OIDC client
A dedicated client is registered in Keycloak for Cloudflare Access.
| Setting | Value |
|---|---|
| Client ID | docs-wiki |
| Name | CloudFlare |
| Realm | wighttrash |
| Valid redirect URI | https://wighttrash.cloudflareaccess.com/cdn-cgi/access/callback |
| Web origins | https://wighttrash.cloudflareaccess.com |
| Client authentication | On (confidential client) |
The client secret is held in Cloudflare Zero Trust under Settings - Authentication - OpenID Connect.
Cloudflare OIDC identity provider settings
Configured in Cloudflare Zero Trust under Settings - Authentication - Add new - OpenID Connect.
| Field | Value |
|---|---|
| Name | OpenID Connect (Keycloak) |
| App ID | docs-wiki |
| Auth URL | https://auth.wighttrash.uk/realms/wighttrash/protocol/openid-connect/auth |
| Token URL | https://auth.wighttrash.uk/realms/wighttrash/protocol/openid-connect/token |
| Certificate URL | https://auth.wighttrash.uk/realms/wighttrash/protocol/openid-connect/certs |
Inviting a user to the wiki
Inviting someone to the wiki follows the same process as inviting a user to Immich. Both systems use the same Keycloak wighttrash realm.
Step 1. Go to https://auth.wighttrash.uk/admin/master/console and switch to the wighttrash realm.
Step 2. Go to Users and click Create user.
Step 3. Fill in the user’s email, set Email verified to On, set their name, and leave Enabled On. Do not set a password.
Step 4. Send the user the wiki URL: https://docs.wighttrash.uk. They click Sign in, are redirected to Keycloak, and authenticate with their Google or Microsoft account.
To remove access, delete the user from the wighttrash realm in Keycloak. This immediately blocks access to all services using Keycloak authentication - wiki, Immich, and Jellyfin.
DNS records
All DNS is managed in Cloudflare for the wighttrash.uk domain. SSL/TLS mode is set to Full, which encrypts edge-to-origin traffic but does not validate the origin certificate; Full (strict) would add that check.
| Name | Type | Content | Proxy | Notes |
|---|---|---|---|---|
| wighttrash.uk | A | 37.27.183.241 | Proxied | - |
| api | A | 37.27.183.241 | Proxied | - |
| cp | A | 37.27.183.241 | Proxied | - |
| auth | A | 152.53.226.118 | Proxied | Keycloak |
| cloud | A | 152.53.226.118 | Proxied | OpenCloud |
| collabora | A | 152.53.226.118 | Proxied | Collabora Online (OpenCloud) |
| docs | CNAME | 2707e2392d6596dc.vercel-dns-017.com | Proxied | Wiki - hosted on Vercel |
| media | A | 152.53.226.118 | Proxied | Jellyfin |
| pangolin | A | 152.53.226.118 | Proxied | Pangolin admin dashboard |
| photos | A | 152.53.226.118 | DNS only | Immich - must remain DNS-only (upload size limit) |
| planka | A | 152.53.226.118 | Proxied | Planka kanban board |
| wopiserver | A | 152.53.226.118 | Proxied | OpenCloud WOPI server (Collabora endpoint) |
| docker | Tunnel | TrueNAS | Tunnel | Arcane via cloudflared |
| nas | Tunnel | TrueNAS | Tunnel | TrueNAS admin via cloudflared |
Troubleshooting
Tunnel shows as unhealthy. Check the cloudflared container is running in TrueNAS Apps. Confirm TrueNAS has outbound internet access on port 443. Review container logs in the TrueNAS Apps UI.
502 on a tunnel hostname. Confirm the internal service is running on the port specified in the published routes. Check that the target address in the route config is correct.
Cloudflare Access login loop. Clear browser cookies for cloudflareaccess.com. Confirm your email matches the policy ([email protected]).
Wiki shows Access Denied after Keycloak login. The user does not have an account in the wighttrash Keycloak realm. Create the user in Keycloak Admin - the Cloudflare policy allows anyone authenticated via the OIDC provider, so the block is at the Keycloak level.
Wiki login redirects to Keycloak but fails. Confirm the docs-wiki Keycloak client is enabled and the redirect URI matches exactly: https://wighttrash.cloudflareaccess.com/cdn-cgi/access/callback.
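A check that covers the identity provider settings table and the last two troubleshooting items above, as an added Python example (not Cloudflare or Keycloak tooling): it pulls the realm's discovery document, confirms the Auth, Token and Certificate URLs entered in Cloudflare match what Keycloak publishes, and applies Keycloak's Valid redirect URIs rule to the Cloudflare callback. It assumes the standard /.well-known/openid-configuration path that Keycloak serves for each realm.

```python
"""Check that the three endpoint URLs entered in Cloudflare Zero Trust match
what the Keycloak realm advertises in its discovery document, and that the
Cloudflare callback passes the docs-wiki client's redirect URI rule. Added
example, not Cloudflare or Keycloak tooling; uses the standard
/.well-known/openid-configuration path that Keycloak serves per realm."""
import json
import urllib.request

ISSUER = "https://auth.wighttrash.uk/realms/wighttrash"
# Values from the Cloudflare OIDC identity provider settings table above.
CLOUDFLARE_IDP = {
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
}
CALLBACK = "https://wighttrash.cloudflareaccess.com/cdn-cgi/access/callback"

def fetch_discovery(issuer, timeout=10):
    """Download the realm's OpenID Provider metadata (network call)."""
    with urllib.request.urlopen(f"{issuer}/.well-known/openid-configuration", timeout=timeout) as resp:
        return json.load(resp)

def compare_idp(discovery, configured=CLOUDFLARE_IDP):
    """One message per field where Cloudflare's value differs from what Keycloak
    publishes; an empty list means Auth, Token and Certificate URLs all line up."""
    problems = []
    if discovery.get("issuer") != ISSUER:
        problems.append(f"issuer: expected {ISSUER}, realm publishes {discovery.get('issuer')}")
    for field, expected in configured.items():
        actual = discovery.get(field)
        if actual != expected:
            problems.append(f"{field}: Cloudflare has {expected}, realm publishes {actual}")
    return problems

def redirect_uri_allowed(valid_redirect_uris, callback=CALLBACK):
    """Keycloak's rule for Valid redirect URIs: exact match, or a trailing '*' wildcard.
    A stray trailing slash or a different scheme/host fails, which Keycloak reports as an invalid redirect_uri."""
    for uri in valid_redirect_uris:
        if uri == callback or (uri.endswith("*") and callback.startswith(uri[:-1])):
            return True
    return False

if __name__ == "__main__":
    report = compare_idp(fetch_discovery(ISSUER))
    print("\n".join(report) if report else "Cloudflare IdP settings match the wighttrash realm")
```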