Initial commit: homelab infrastructure wiki

- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning

homelab/entities/cloudflare.md

@@ -0,0 +1,52 @@
+---
+title: Cloudflare
+created: 2026-05-24
+updated: 2026-05-24
+type: entity
+tags: [services, networking, dns, identity]
+sources: [homelab/architecture.md, homelab/concepts/docker-traefik-stack.md]
+confidence: high
+---
+
+# Cloudflare
+
+## Overview
+
+DNS provider and reverse proxy layer for all `*.tophermayor.com` domains. Handles TLS certificate issuance via DNS challenge on grizzley and ubuntu Traefik instances.
+
+## Key Facts
+
+- **DNS Zone**: `tophermayor.com` managed at Cloudflare
+- **Role**: Authoritative DNS for all homelab public-facing services
+- **Wildcard cert source**: grizzley Traefik obtains `*.tophermayor.com` cert via Cloudflare DNS challenge
+- **certsync**: TLS certs synced from grizzley NFS mount (`/mnt/truenas/traefik-certs/grizzley`) → ubuntu via NFS or direct sync
+
+## Traefik Integration
+
+Both Traefik instances use `certresolver=cloudflare`:
+
+```yaml
+# ubuntu Traefik dynamic config
+tls:
+  certresolver: cloudflare
+  domains:
+    - main: toophermayor.com
+      sans:
+        - "*.tophermayor.com"
+```
+
+grizzley is the primary ACME source; ubuntu obtains certs from the shared NFS mount or via grizzley → ubuntu cert sync pipeline.
+
+## DNS Records
+
+| Record | Type | Target | Purpose |
+|--------|------|--------|---------|
+| `*.tophermayor.com` | A/CNAME | Traefik ingress | Wildcard for all services |
+| `@.tophermayor.com` | A | Home IP | Bare domain |
+| `traefik.tophermayor.com` | A | 192.168.50.84 | Grizzley edge ingress direct |
+
+## Related
+
+- [[grizzley]] — runs primary ACME Traefik instance
+- [[traefik]] — TLS certificate management
+- [[docker-traefik-stack]] — Traefik configuration patterns