Documentation on how to set up dynamic DNS (DDNS) updates for a home domain whose zone is hosted at Cloudflare, using a Ubiquiti USG as the updater and Caddy as the TLS-terminating reverse proxy.
As a first step, add the A record for your hostname manually in the Cloudflare zone; the DDNS client below only updates an existing record.
I added a wildcard CNAME `*.hostname.domain.tld` pointing at that A record for the other home names, so every subdomain resolves to the home IP and Let's Encrypt certificates can be issued for any of them (the Caddy config below uses the Cloudflare DNS challenge, so no inbound port 80/443 is required for issuance). Keep in mind that a wildcard makes every such name publicly resolvable, so each exposed service must still be protected by the reverse proxy.
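ssh [REPLACE WITH USG USER NAME]@[REPLACE WITH USG IP ADDRESS]
sudo -i
# Everything below runs as root on the USG.
#
# The USG firmware is based on Debian wheezy, which is end-of-life:
# archive.debian.org only carries the final, unpatched packages and its
# signing keys have expired, so apt may warn about stale Release files.
# Only the one Perl module ddclient needs is installed from this source.
# Guard the append so re-running this does not duplicate the entry.
grep -qF 'archive.debian.org/debian/ wheezy' /etc/apt/sources.list \
  || echo "deb http://archive.debian.org/debian/ wheezy main # wheezy #" >> /etc/apt/sources.list
apt-get update && apt-get -y install libdata-validate-ip-perl

# Fetch ddclient from a pinned tag/commit rather than the moving "master"
# branch, and verify its checksum, so the script you audited is the one that
# ends up running as root. Look up the tag and its sha256 upstream first.
DDCLIENT_REF="[REPLACE WITH DDCLIENT TAG OR COMMIT]"
DDCLIENT_SHA256="[REPLACE WITH EXPECTED SHA256 OF ddclient]"
# Private scratch directory instead of the shared, predictable /tmp.
workdir=$(mktemp -d) && cd "$workdir"
curl -fsSL -o ddclient "https://raw.githubusercontent.com/ddclient/ddclient/${DDCLIENT_REF}/ddclient"
# Only replace the firmware's ddclient (presumably what "service dns dynamic"
# invokes) when the checksum matches; keep the original for rollback.
# NOTE(review): changes under /usr/sbin likely do not survive a firmware
# upgrade — re-check after upgrading.
echo "${DDCLIENT_SHA256}  ddclient" | sha256sum -c - \
  && cp -p /usr/sbin/ddclient /usr/sbin/ddclient.bkp \
  && install -m 0755 -o root -g root ddclient /usr/sbin/ddclient
cd / && rm -rf -- "$workdir"
exit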
# Edit the site-level gateway overrides for the "default" UniFi site; the
# controller pushes this JSON to the USG on the next provision.
cd -- /var/lib/unifi/sites/default
vim config.gateway.json
# Step 1: the "service.dns.dynamic" section configures ddclient for Cloudflare.
#   "password" holds the Cloudflare API credential in clear text, and this file
#   is readable by whoever can read the controller's data directory — restrict
#   its permissions, and prefer a Cloudflare API token scoped to DNS:Edit on
#   this one zone over the account-wide Global API Key if your ddclient build
#   accepts tokens (TODO confirm for the version installed above).
#   "web": "dyndns" means the public IP is learned from an external IP-check
#   service (typically over plain HTTP), not from the interface itself.
# Step 2: the "system.static-host-mapping" section adds static entries to the
#   USG's own DNS so LAN clients resolve the public names to internal IPs.
{
"service": {
"dns": {
"dynamic": {
"interface": {
"eth0": {
"service": {
"custom-cloudflare": {
"host-name": [
"hostname.domain.tld"
],
"login": "cloudflare@myemail.com",
"options": [
"zone=domain.tld"
],
"password": "cloudflare-api-key",
"protocol": "cloudflare",
"server": "api.cloudflare.com/client/v4"
}
},
"web": "dyndns"
}
}
}
}
},
"system": {
"static-host-mapping": {
"host-name": {
"git.hostname.domain.tld": {
"alias": [
"git"
],
"inet": [
"<internal_dest_ip>"
]
},
"unifi.hostname.domain.tld": {
"alias": [
"unifi"
],
"inet": [
"<internal_dest_ip>"
]
}
}
}
}
}
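# Caddy with the plugins I use. Only tls.dns.cloudflare is required for this
# tutorial (DNS-01 challenge via the Cloudflare API); the rest are optional.
# NOTE(review): the getcaddy.com installer and these "http.*" plugin names
# belong to Caddy v1, which is no longer maintained — confirm against current
# upstream before relying on it for an internet-facing proxy.
#
# Do not pipe the installer straight into bash: download it, read it, then run
# it, so a changed or compromised installer cannot execute unreviewed.
curl -fsSL -o getcaddy.sh https://getcaddy.com
less getcaddy.sh   # review before running
bash getcaddy.sh personal tls.dns.cloudflare,http.authz,http.cache,http.cgi,http.cors,http.expires,http.forwardproxy,http.git,http.jwt,http.login,http.mailout,http.minify,http.permission,http.prometheus,http.ratelimit,http.realip,http.reauth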
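# The caddy service needs your Cloudflare e-mail and API credential in its
# environment for the DNS challenge. Keep them out of the unit file itself
# (unit files are world-readable and show up in `systemctl show`); point
# EnvironmentFile= at a root-only, mode 0600 file instead.
# sudoedit edits a temporary copy as your own user, so no root-privileged
# editor (with shell escapes and plugins) is spawned.
sudoedit /etc/systemd/system/caddy.service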
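[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
; Cloudflare credentials for the DNS-01 challenge. They must NOT be inlined
; here with Environment=: unit files under /etc/systemd/system are readable by
; every local user and their contents are printed by `systemctl show` and
; `systemctl cat`. Create a root-only file instead:
;   install -m 0600 -o root -g root /dev/null /etc/caddy/caddy.env
; containing
;   CLOUDFLARE_EMAIL=cloudflare@myemail.com
;   CLOUDFLARE_API_KEY=cloudflare-api-key
; systemd reads it as root before switching to www-data, so the service user
; needs no access to it. Prefer a Cloudflare API token scoped to DNS:Edit on
; this single zone over the account-wide Global API Key if your Caddy/plugin
; version accepts one — TODO confirm the variable name it expects.
EnvironmentFile=/etc/caddy/caddy.env
Environment=CADDYPATH=/etc/ssl/caddy
Restart=on-failure
StartLimitInterval=60
StartLimitBurst=3
; User and group the process will run as.
User=www-data
Group=www-data
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -http2=true -agree=true -conf=/etc/caddy/caddy.conf -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user so a compromised caddy cannot read SSH keys
; or other user data. (The original had "ProtectHome=false", which hides
; nothing while the comment claimed otherwise.) Use "read-only" instead of
; "true" only if the Caddyfile must serve files from a home directory.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy
; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target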
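# Edit the Caddyfile via sudoedit (a temporary copy is edited as your own user;
# no root-privileged editor process is started).
sudoedit /etc/caddy/caddy.conf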
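# Reverse proxy for the Gogs git server.
# The certificate is obtained with the DNS-01 challenge through the Cloudflare
# API (credentials come from the caddy service's environment), so issuance
# needs no inbound port 80/443. Hostname corrected from ".ltd" to ".tld" so it
# matches the zone used everywhere else in this setup.
git.hostname.domain.tld {
    tls cloudflare@myemail.com {
        dns cloudflare
    }
    gzip
    # Exposes a metrics endpoint (on its own listener by default, presumably);
    # make sure it is not reachable from the internet.
    prometheus
    # "transparent" passes the client's Host and X-Forwarded-* headers to Gogs.
    # The backend is reached over plain HTTP, so it must sit on a trusted LAN.
    proxy / http://<internal_ip>:3000 {
        transparent
    }
}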
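# Reverse proxy for the UniFi controller.
# The original site line was missing its opening "{", which makes the whole
# Caddyfile fail to parse; it is restored here. Hostname corrected from ".ltd"
# to ".tld" to match the rest of the setup.
unifi.hostname.domain.tld {
    tls cloudflare@myemail.com {
        dns cloudflare
    }
    gzip
    # Exposes a metrics endpoint (on its own listener by default, presumably);
    # make sure it is not reachable from the internet.
    prometheus
    proxy / https://127.0.0.1:8443 {
        transparent
        # The controller's 8443 listener presents its own (presumably
        # self-signed) certificate, so upstream verification is disabled.
        # This is tolerable only because the upstream is loopback on the same
        # host; never use insecure_skip_verify for a backend reached over the
        # network — a spoofed upstream would then receive the admin session.
        insecure_skip_verify
    }
}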