hermes-ice/homelab/entities/cloudflare.md
Hermes Agent e4d91aadf9 Initial commit: homelab infrastructure wiki
- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
2026-05-24 16:08:40 -07:00

---
title: Cloudflare
created: 2026-05-24
updated: 2026-05-24
type: entity
tags: [services, networking, dns, identity]
sources: [homelab/architecture.md, homelab/concepts/docker-traefik-stack.md]
confidence: high
---
# Cloudflare
## Overview
DNS provider and reverse proxy layer for all `*.tophermayor.com` domains. Handles TLS certificate issuance via DNS challenge on grizzley and ubuntu Traefik instances.
## Key Facts
- **DNS Zone**: `tophermayor.com` managed at Cloudflare
- **Role**: Authoritative DNS for all homelab public-facing services
- **Wildcard cert source**: grizzley Traefik obtains `*.tophermayor.com` cert via Cloudflare DNS challenge
- **certsync**: TLS certs synced from grizzley NFS mount (`/mnt/truenas/traefik-certs/grizzley`) → ubuntu via NFS or direct sync
## Traefik Integration
Both Traefik instances use `certresolver=cloudflare`:
```yaml
# ubuntu Traefik dynamic config (router-level TLS section)
tls:
  certresolver: cloudflare
  domains:
    - main: tophermayor.com
      sans:
        - "*.tophermayor.com"
```
grizzley is the primary ACME source; ubuntu obtains certs from the shared NFS mount or via grizzley → ubuntu cert sync pipeline.
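A check the ubuntu side can run on the synced store before its Traefik consumes it, added here as an example (not part of the vault): the resolver name and domains come from this page, the `acme.json` layout is Traefik's ACME store format, and the sample store written by `write_sample_store` is constructed with placeholder certificate/key strings, not real key material.

```python
import json
import os
import stat
import tempfile

# Values from the Traefik Integration section above.
RESOLVER = "cloudflare"
EXPECTED_MAIN = "tophermayor.com"
EXPECTED_SANS = {"*.tophermayor.com"}


def check_acme_store(path, resolver=RESOLVER, main=EXPECTED_MAIN, sans=EXPECTED_SANS):
    """Return findings for the synced acme.json at `path`; [] means usable.

    Usable: mode 0600 (Traefik refuses wider modes, and the file holds the
    private key), the resolver exists, and one certificate with a non-empty
    key covers the main domain plus every expected SAN.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        findings.append(f"permissions {mode:o} too open, expected 600")
    with open(path) as fh:
        store = json.load(fh)
    entry = store.get(resolver)
    if not entry:
        findings.append(f"resolver '{resolver}' missing from store")
        return findings
    for cert in entry.get("Certificates") or []:
        dom = cert.get("domain", {})
        if dom.get("main") == main and set(dom.get("sans") or []) >= sans:
            if not cert.get("certificate") or not cert.get("key"):
                findings.append(f"certificate for {main} has empty certificate/key")
            return findings
    findings.append(f"no certificate covering {main} + {sorted(sans)}")
    return findings


def write_sample_store(sans=("*.tophermayor.com",), mode=0o600):
    """Write a constructed acme.json (placeholder PEM fields) and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "acme.json")
    cert = {"domain": {"main": EXPECTED_MAIN, "sans": list(sans)},
            "certificate": "UExBQ0VIT0xERVI=", "key": "UExBQ0VIT0xERVI=",
            "Store": "default"}
    with open(path, "w") as fh:
        json.dump({RESOLVER: {"Certificates": [cert]}}, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Point this at the NFS copy, e.g. /mnt/truenas/traefik-certs/grizzley/acme.json
    print(check_acme_store(write_sample_store()))
```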
## DNS Records
| Record | Type | Target | Purpose |
|--------|------|--------|---------|
| `*.tophermayor.com` | A/CNAME | Traefik ingress | Wildcard for all services |
| `@` (apex, `tophermayor.com`) | A | Home IP | Bare domain |
| `traefik.tophermayor.com` | A | 192.168.50.84 | Grizzley edge ingress direct |
## Related
- [[grizzley]] — runs primary ACME Traefik instance
- [[traefik]] — TLS certificate management
- [[docker-traefik-stack]] — Traefik configuration patterns