# Jefflix VPN Setup — Headscale + Tailscale

Protects all `*.jefflix.lol` services behind the existing Headscale VPN at `vpn.jeffemmett.com`.

## How It Works

```
Before (public):
  Browser → Cloudflare → Tunnel → Traefik → Jellyfin/etc

After (VPN-only):
  Browser → Tailscale (WireGuard) → Traefik → Jellyfin/etc
  (Only works if connected to the tailnet)
```

Traefik still routes by Host header — the only change is how traffic reaches it.

## Quick Start

SSH into the server and follow the phases in order:

```bash
ssh netcup
```

Then run `setup.sh` (or follow the manual steps below).

## Files

| File | Purpose |
|------|---------|
| `setup.sh` | Full setup script (run on Netcup) |
| `coredns/Corefile` | CoreDNS config — resolves `*.jefflix.lol` to Tailscale IP |
| `coredns/docker-compose.yml` | CoreDNS container definition |
| `headscale-config-patch.yaml` | Split DNS addition for Headscale config |
| `cloudflared-config-clean.yml` | Cloudflare tunnel config with jefflix entries removed |
| `rollback.sh` | Emergency rollback script |
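
A check for the VPN-only state described under How It Works, as an added example that is not one of this repo's files: it classifies resolver answers for `*.jefflix.lol` names as tailnet-only or exposed. It assumes the tailnet uses the default Tailscale/Headscale IPv4 range `100.64.0.0/10`; the hostnames and addresses in `sample_answers` are constructed.

```sh
# Added example (not one of the repo's files). Assumes the tailnet hands out
# addresses from the default Tailscale/Headscale IPv4 range 100.64.0.0/10.
# IPv4 only: an AAAA answer is reported as EXPOSED.

# is_tailnet_ip ADDR: succeeds only for a well-formed IPv4 in 100.64.0.0/10.
is_tailnet_ip() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.
  set -- $1            # split the address into its octets
  IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
  # /10 on 100.64.0.0: first octet 100, second octet 64..127
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# audit_answers: reads "hostname address" lines on stdin, prints a verdict for
# each jefflix.lol name, and fails if any of them resolves outside the tailnet.
audit_answers() {
  _rc=0
  while read -r _host _ip; do
    case $_host in
      jefflix.lol|*.jefflix.lol) ;;
      *) continue ;;
    esac
    if is_tailnet_ip "$_ip"; then
      echo "OK      $_host -> $_ip"
    else
      echo "EXPOSED $_host -> $_ip"
      _rc=1
    fi
  done
  return $_rc
}

# Constructed sample data: hypothetical hostnames; 203.0.113.0/24 is a
# documentation range standing in for a public (non-tailnet) answer.
sample_answers() {
  printf '%s\n' \
    'jellyfin.jefflix.lol 100.64.0.2' \
    'requests.jefflix.lol 203.0.113.10' \
    'example.org 203.0.113.20'
}

sample_answers | audit_answers || echo "at least one name resolves outside the tailnet"
```

To use it on a client, pipe in `hostname address` pairs collected from the resolver that client actually uses, one pair per line.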