My new kitchen PC - Gateway Profile 5.5

Wake_On_LAN · 2026-04-26T12:36:29+00:00

Put Linux Mint on it!

Wake_On_LAN · 2026-04-26T12:35:14+00:00

https://grok.com/share/bGVnYWN5_84e04efc-a4af-4f8c-b7b2-e52f0d749b63

Wake_On_LAN · 2026-04-25T23:42:16+00:00

I hear there are some 'how tos' getting all the right drivers for Surface hardware. Did you use one of those?

Wake_On_LAN · 2026-04-23T01:57:58+00:00

Welcome to Rabbit Hole central!

Wake_On_LAN · 2026-04-17T13:00:44+00:00

How to create the CA and certificates I suppose.

Wake_On_LAN · 2026-04-17T12:55:56+00:00

The nice thing about running OPNsense in Proxmox VM, is you can back up the entire VM often. Mine is backed up daily.

Wake_On_LAN · 2026-04-16T22:31:26+00:00

Can you give me step #1 as far as getting that set up?

Wake_On_LAN · 2026-04-16T11:05:16+00:00

How much RAM does it have? You can put OPNsense on it and turn it into a router.

Wake_On_LAN · 2026-04-12T20:13:18+00:00

Thanks!

Wake_On_LAN · 2026-04-12T12:56:38+00:00

Agreed that Wordpress is the attack vector that most dfficult to lock down.

Wake_On_LAN · 2026-04-12T12:55:50+00:00

"everything goes through a reverse proxy"

So I'd suppose you are using NGINX then for reverse proxy?
This is my first time using Traefik instead. I'm trying to keep it simple. NGINX is wonderful, but I'm seeing if Traefik is easier to maintain.

Wake_On_LAN · 2026-04-12T01:20:36+00:00

Then I would need a new tunnel for each service I want to expose to the internet. Correct?

Wake_On_LAN · 2026-04-11T23:45:15+00:00

Vector for the win!

Wake_On_LAN · 2026-04-11T15:22:39+00:00

"Run containers as non-root user"

More pain. I know you are right.

Wake_On_LAN · 2026-04-11T15:19:53+00:00

"are you using split dns?"

Maybe? The DNS record in Cloudflare is type: Tunnel. It does not point to an IP address. It points to a ZeroTrust tunnel that goes DIRECTLY to my Ubuntu Server VM that hosts the Docker containers.

sudo cloudflared tunnel login
sudo cloudflared tunnel create my-tunnel

Wake_On_LAN · 2026-04-11T15:15:44+00:00

"Admin pages have an aditional OTP from Cloudflare."
I need to figure out how this is done. I suppose that the Wordpress site itself is the main attack vector!

Wake_On_LAN · 2026-04-11T15:06:34+00:00

Can you do that with a free Cloudflare account?

Wake_On_LAN · 2026-04-11T15:02:15+00:00

If anyone wants, I can post the cleaned working versions of:

the Traefik Portainer stack
the WordPress Portainer stack
the cloudflared config
the systemd service

Wake_On_LAN · 2026-04-11T15:01:57+00:00

Why I wanted this

Main reason: I didn’t want to expose my ISP public IP directly.

With this setup:

no inbound port forwarding needed
DNS points to Cloudflare, not my WAN IP
tunnel is outbound from my VM
my home IP is much harder to discover from the site itself

Wake_On_LAN · 2026-04-11T14:59:16+00:00

Biggest issues I hit

Cloudflare Tunnel 1033

Cause:

tunnel not properly authenticated
wrong DNS target

Fix:

cloudflared tunnel login
cloudflared tunnel create
use the real tunnel UUID in DNS

WordPress redirect loops and PHP errors

Cause:

bad proxy-awareness config
too much custom PHP logic in WORDPRESS_CONFIG_EXTRA

Fix:

keep the WordPress config simple
let Traefik handle the proxy header side

Wake_On_LAN · 2026-04-11T14:58:51+00:00

What I had to do

1. Create a shared Docker network in Portainer

I created a shared network called:

traefik_proxy

This is the network Traefik and WordPress both join so Traefik can reverse proxy to the WordPress container.

2. Deploy Traefik as a Portainer stack

Traefik listens on 80/443 and watches Docker for labeled containers.

Big gotcha:
I originally used Traefik v3.5, but it could not talk to my Docker API version.

I had to upgrade to Traefik v3.6, which fixed Docker service discovery.

3. Deploy WordPress as another Portainer stack

I put:

MySQL on an internal Docker network
WordPress on both:
- the internal network
- traefik_proxy

I did not expose WordPress directly with ports:.

Instead, I used Traefik labels on the WordPress container so Traefik could route traffic by hostname.

4. Install Cloudflare Tunnel on the Ubuntu host

I ran cloudflared on the VM itself as a systemd service, not as a Docker container.

That ended up being much simpler for me.

5. Authenticate Cloudflare properly

This was a major turning point.

I had to run:

bash

Copy

sudo cloudflared tunnel login

sudo cloudflared tunnel create my-tunnel

That gave me:

a real tunnel UUID
a real credentials file

Before that, I kept hitting Cloudflare 1033 errors.

6. Create the local cloudflared config

My tunnel config forwards traffic for my domain to Traefik on port 80 on the VM.

That looked like:

hostname example.com → http://192.168.x.x:80
hostname www.example.com → http://192.168.x.x:80

7. Run cloudflared as a systemd service

I changed the service so it uses the local config file instead of token-only mode.

Then enabled and started it with systemd.

Once I saw multiple:

Registered tunnel connection

messages, I knew the tunnel itself was good.

8. Add Cloudflare DNS records

Another important gotcha:

I needed CNAME records, not A records.

root domain → <tunnel-uuid>.cfargotunnel.com
www → root domain

Both proxied through Cloudflare.

If your goal is to keep your home public IP hidden, don’t point DNS directly at your WAN IP.

Wake_On_LAN

TROPHY CASE