# Jefflix VPN Setup — Headscale + Tailscale
Protects all `*.jefflix.lol` services behind the existing Headscale VPN at `vpn.jeffemmett.com`.
## How It Works
```
Before (public):
Browser → Cloudflare → Tunnel → Traefik → Jellyfin/etc

After (VPN-only):
Browser → Tailscale (WireGuard) → Traefik → Jellyfin/etc
(Only works if connected to the tailnet)
```
Traefik still routes by Host header — the only change is how traffic reaches it.
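
A post-cutover check for the change described above, added here as an example and not part of the repository's own scripts: on a tailnet-connected client, every jefflix name should resolve only to tailnet addresses, and a public answer means the name is still reachable outside the VPN. It assumes Headscale's default prefixes (`100.64.0.0/10`, `fd7a:115c:a1e0::/48`); the function names and the `getent`-based lookup are choices made for this example.

```bash
# Added example (not from the repo): verify names resolve only to tailnet addresses.
# Assumption: Headscale's default prefixes 100.64.0.0/10 and fd7a:115c:a1e0::/48 are in use.

# is_tailnet_addr ADDR: succeed if ADDR lies inside one of the assumed tailnet prefixes.
is_tailnet_addr() {
  case $1 in
    [Ff][Dd]7[Aa]:115[Cc]:[Aa]1[Ee]0:*) return 0 ;;  # IPv6 inside fd7a:115c:a1e0::/48
    *:*) return 1 ;;                                 # any other IPv6 address
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;             # not a dotted-quad candidate
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs       # split into octets
  [ "$#" -eq 4 ] || return 1
  # 100.64.0.0/10 covers 100.64.0.0 through 100.127.255.255
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] &&
    [ "$3" -le 255 ] && [ "$4" -le 255 ]
}

# audit_host NAME ADDR...: succeed only if NAME has answers and all are tailnet addresses.
# Returns 2 when there is no answer, 1 when any answer is outside the tailnet.
audit_host() {
  name=$1; shift
  if [ "$#" -eq 0 ]; then
    echo "FAIL $name: no answer (split DNS not applied on this client?)"
    return 2
  fi
  for addr in "$@"; do
    if ! is_tailnet_addr "$addr"; then
      echo "FAIL $name: $addr is outside the tailnet (still publicly routed?)"
      return 1
    fi
  done
  echo "OK $name -> $*"
}

# Live use: pass the hostnames to check as arguments (glibc getent required).
main() {
  rc=0
  for host in "$@"; do
    # getent repeats each address per socket type, so de-duplicate
    audit_host "$host" $(getent ahosts "$host" | awk '{print $1}' | sort -u) || rc=1
  done
  return "$rc"
}
[ "$#" -eq 0 ] || main "$@"
```

Run it from a device joined to the tailnet; from a device outside the tailnet the expected result after cutover is a `FAIL` line, since the names should no longer resolve to anything reachable there.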
## Quick Start
SSH into the server and follow the phases in order:
```bash
ssh netcup
```
Then run `setup.sh` (or follow the manual steps below).
## Files
| File | Purpose |
|------|---------|
| `setup.sh` | Full setup script (run on Netcup) |
| `coredns/Corefile` | CoreDNS config — resolves `*.jefflix.lol` to Tailscale IP |
| `coredns/docker-compose.yml` | CoreDNS container definition |
| `headscale-config-patch.yaml` | Split DNS addition for Headscale config |
| `cloudflared-config-clean.yml` | Cloudflare tunnel config with jefflix entries removed |
| `rollback.sh` | Emergency rollback script |