# External Dependencies
Everything the homelab needs from outside this repo. Check this list first when a subdomain doesn't resolve, an OAuth login fails, or a tunnel won't come up.
## Cloudflare
- Account — holds the zone + Tunnel.
- Zone for `h5h.me` (free plan is fine).
- DNS: CNAMEs for `sh`, `auth`, `photos`, `drive`, `plex`, `grafana`, `prometheus`, `torrent`, `notes` → `<tunnel-id>.cfargotunnel.com` (created by `make setup-tunnel`).
- Apex `h5h.me` + `www.h5h.me` point to Vercel for the portfolio — not through the tunnel.
- API tokens stored in `code/docker/.env`:
  - `CF_API_TOKEN` — Zone.DNS:Edit + Account.Tunnel:Edit (used by `setup_tunnel.py`).
  - `CF_DNS_API_TOKEN` — Zone.DNS:Edit only (used by Traefik for DNS-01 ACME).
  - `CF_ACCOUNT_ID`, `CF_ZONE_ID` — IDs (not secrets, but committed to `.env`).
  - `CF_TUNNEL_TOKEN` — auto-populated by `make setup-tunnel`.
- Tunnel named `h5h-homelab-auto`. Created and ingress-configured via API — no `config.yml` is written to disk.
- Zero Trust dashboard: https://one.dash.cloudflare.com/ (tunnel health).
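When a subdomain stops resolving, the first thing to compare is the zone's CNAME records against the layout above. The script below is an added example, not part of this repo's tooling: it builds the expected `<tunnel-id>.cfargotunnel.com` targets for the listed subdomains, checks each is present and proxied, and flags the apex/`www` hosts if they have been pointed at the tunnel instead of Vercel. It runs over a constructed in-memory record list shaped like the `result` entries of Cloudflare's "List DNS Records" response (only `type`, `name`, `content`, `proxied` are used); the tunnel ids in the sample are placeholders.

```python
"""Compare a zone's CNAME records with the tunnel layout this homelab expects.

Added example, not part of the repo. Feed `audit_records` the `result` list from
Cloudflare's DNS-records API (or the constructed sample below).
"""
from __future__ import annotations

ZONE = "h5h.me"
# Subdomains that must CNAME to the tunnel (taken from the dependency list).
TUNNEL_HOSTS = ["sh", "auth", "photos", "drive", "plex", "grafana",
                "prometheus", "torrent", "notes"]
# Portfolio hosts served by Vercel; they must NOT be routed through the tunnel.
PORTFOLIO_HOSTS = ["h5h.me", "www.h5h.me"]


def expected_tunnel_records(tunnel_id: str, zone: str = ZONE) -> dict[str, str]:
    """Map each tunnel-fronted FQDN to the CNAME target it should carry."""
    target = f"{tunnel_id}.cfargotunnel.com"
    return {f"{host}.{zone}": target for host in TUNNEL_HOSTS}


def audit_records(records: list[dict], tunnel_id: str, zone: str = ZONE) -> list[str]:
    """Return human-readable problems; an empty list means the zone matches."""
    problems: list[str] = []
    by_name = {r["name"]: r for r in records if r.get("type") == "CNAME"}
    tunnel_target = f"{tunnel_id}.cfargotunnel.com"

    for fqdn, target in expected_tunnel_records(tunnel_id, zone).items():
        rec = by_name.get(fqdn)
        if rec is None:
            problems.append(f"missing CNAME for {fqdn}")
        elif rec["content"] != target:
            problems.append(f"{fqdn} points at {rec['content']}, expected {target}")
        elif not rec.get("proxied", False):
            # A cfargotunnel.com target only resolves through Cloudflare's proxy,
            # so a DNS-only (grey cloud) record looks fine but never connects.
            problems.append(f"{fqdn} is not proxied; tunnel CNAMEs must be proxied")

    for fqdn in PORTFOLIO_HOSTS:
        rec = by_name.get(fqdn)
        if rec is not None and rec["content"] == tunnel_target:
            problems.append(f"{fqdn} is routed through the tunnel but should go to Vercel")
    return problems


# Constructed sample: placeholder tunnel ids, one stale record, one missing host.
SAMPLE_TUNNEL_ID = "00000000-0000-4000-8000-000000000000"
_STALE_TUNNEL_ID = "11111111-1111-4111-8111-111111111111"
SAMPLE_RECORDS = (
    [{"type": "CNAME", "name": f"{h}.{ZONE}",
      "content": f"{SAMPLE_TUNNEL_ID}.cfargotunnel.com", "proxied": True}
     for h in ("sh", "auth", "photos", "drive", "plex", "grafana", "prometheus")]
    + [{"type": "CNAME", "name": f"torrent.{ZONE}",          # stale tunnel id
        "content": f"{_STALE_TUNNEL_ID}.cfargotunnel.com", "proxied": True},
       # "notes" is deliberately absent from the sample.
       {"type": "CNAME", "name": f"www.{ZONE}",
        "content": "cname.vercel-dns.com", "proxied": False}]
)


def fixed_sample_records() -> list[dict]:
    """The same sample after repairing `torrent` and adding `notes`."""
    good = f"{SAMPLE_TUNNEL_ID}.cfargotunnel.com"
    fixed = [dict(r) for r in SAMPLE_RECORDS]
    for r in fixed:
        if r["name"] == f"torrent.{ZONE}":
            r["content"] = good
    fixed.append({"type": "CNAME", "name": f"notes.{ZONE}", "content": good, "proxied": True})
    return fixed


if __name__ == "__main__":
    for problem in audit_records(SAMPLE_RECORDS, SAMPLE_TUNNEL_ID) or ["zone matches"]:
        print(problem)
```

Replacing `SAMPLE_RECORDS` with the live API result is the only change needed to run this against the real zone; the proxied check matters because `make setup-tunnel` creating the record does not guarantee someone has not toggled it to DNS-only later.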
## Tailscale
- Tailnet with an auth key at https://login.tailscale.com/admin/settings/keys (reusable + ephemeral recommended).
- Auth key stored as `TS_AUTHKEY` in `.env`.
- Container runs userspace (`TS_USERSPACE=true`), advertises `${DOCKER_SUBNET}` as a subnet route, and is an `--advertise-exit-node`.
- Approve the subnet route + exit node in the Tailscale admin UI after first boot.
- Homepage widget reads `HOMEPAGE_VAR_TAILSCALE_DEVICE_ID` + `HOMEPAGE_VAR_TAILSCALE_API_KEY`.
## Google OAuth (Authentik source)
- Project at https://console.cloud.google.com/apis/credentials.
- Authorised redirect URI: `https://auth.h5h.me/source/oauth/callback/google/`.
- Creds in `.env`: `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`. `setup_rbac.py` wires the source into Authentik automatically on `make setup-authentik`.
## Plex
- Claim token from https://plex.tv/claim (expires after 4 minutes — set `PLEX_CLAIM` in `.env` right before `make plex`).
## External git repo — Obsidian notes
- `code/docker/obsidian/init.sh` first-boot-clones https://github.com/callmehetch/notes-obsidian into `/config`.
- If that repo becomes private or gets renamed, Obsidian will start with an empty vault on a fresh volume. `data/obsidian/` persists, so this only matters on migrations or restore-from-scratch.
## SMTP relay (optional)
- Self-hosted mail is intentionally excluded — see decisions/0001-no-self-hosted-email.md.
- For transactional email (Authentik password resets, alerts) use Brevo (300/day free), Mailgun, or SendGrid. Vars pre-commented in `.env.example`: `SMTP_HOST`, `SMTP_PORT`, `SMTP_USERNAME`, `SMTP_PASSWORD`.
## CrowdSec
- Community instance at https://app.crowdsec.net — optional, lets you share decisions with the community blocklist.
- Local bouncer key is the `CROWDSEC_BOUNCER_KEY` in `.env`; generate via `docker exec h5h_crowdsec cscli bouncers add traefik-bouncer`.
- Homepage also has a plaintext CrowdSec admin credential in `services.yaml` — see known_issues.md #1.
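Most of the sections above (Cloudflare, Tailscale, Google OAuth, Plex, SMTP, CrowdSec) boil down to variables in `code/docker/.env`, and a login or tunnel failure is often just one of them still at its placeholder value. The script below is an added example, not one of this repo's `setup_*.py` scripts: it parses dotenv-style text and checks the variables named in this document, including that `CF_DNS_API_TOKEN` is not simply a copy of the broader `CF_API_TOKEN` (Traefik only needs Zone.DNS:Edit) and that the optional SMTP group is either fully set or fully unset. The `tskey-auth-` and `claim-` prefix checks are assumptions drawn from the vendors' public key formats, not something the repo enforces; the sample `.env` text is constructed.

```python
"""Preflight for the secrets this homelab expects in `code/docker/.env`.

Added example, not part of the repo. Every check maps to an item in the
dependency list; prefix checks on TS_AUTHKEY / PLEX_CLAIM are assumptions.
"""
from __future__ import annotations

import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")          # Cloudflare account/zone id shape
PLACEHOLDERS = {"", "changeme", "xxx", "<fill-me>", "todo"}

# Variables that must be set for the stack to come up.
REQUIRED = [
    "CF_API_TOKEN", "CF_DNS_API_TOKEN", "CF_ACCOUNT_ID", "CF_ZONE_ID",
    "TS_AUTHKEY", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET",
    "CROWDSEC_BOUNCER_KEY",
]
# Optional relay: either all four set or none of them.
SMTP_GROUP = ["SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD"]


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal dotenv parser: KEY=value lines, '#' comments, surrounding quotes stripped."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def preflight(env: dict[str, str]) -> list[str]:
    """Return human-readable problems; an empty list means the .env looks usable."""
    problems: list[str] = []
    for key in REQUIRED:
        if env.get(key, "").strip().lower() in PLACEHOLDERS:
            problems.append(f"{key} is missing or still a placeholder")

    for key in ("CF_ACCOUNT_ID", "CF_ZONE_ID"):
        if key in env and not HEX32.match(env[key]):
            problems.append(f"{key} is not a 32-char hex Cloudflare id")

    # The two Cloudflare tokens carry different scopes on purpose: Traefik only
    # needs Zone.DNS:Edit, so handing it the Account.Tunnel:Edit token widens
    # what a Traefik compromise could do.
    if env.get("CF_API_TOKEN") and env.get("CF_API_TOKEN") == env.get("CF_DNS_API_TOKEN"):
        problems.append("CF_DNS_API_TOKEN reuses CF_API_TOKEN; give Traefik a DNS-only token")

    # Assumed vendor formats, checked loosely.
    ts = env.get("TS_AUTHKEY", "")
    if ts and not ts.startswith("tskey-auth-"):
        problems.append("TS_AUTHKEY does not look like a Tailscale auth key (tskey-auth-...)")
    plex = env.get("PLEX_CLAIM", "")
    if plex and not plex.startswith("claim-"):
        problems.append("PLEX_CLAIM does not look like a plex.tv claim token (claim-...)")

    smtp_set = [k for k in SMTP_GROUP if env.get(k)]
    if smtp_set and len(smtp_set) != len(SMTP_GROUP):
        missing = sorted(set(SMTP_GROUP) - set(smtp_set))
        problems.append(f"SMTP relay partly configured; missing {', '.join(missing)}")
    return problems


# Constructed sample .env: every value is a placeholder, several on purpose wrong.
SAMPLE_ENV = """
# constructed sample, not a real .env
CF_API_TOKEN=cf-token-placeholder-A
CF_DNS_API_TOKEN=cf-token-placeholder-A
CF_ACCOUNT_ID=0123456789abcdef0123456789abcdef
CF_ZONE_ID=not-a-zone-id
TS_AUTHKEY="tskey-auth-placeholder"
GOOGLE_CLIENT_ID=placeholder.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=changeme
PLEX_CLAIM=claim-placeholder
CROWDSEC_BOUNCER_KEY=bouncer-placeholder
SMTP_HOST=smtp-relay.example.com
SMTP_PORT=587
"""


def preflight_text(text: str) -> list[str]:
    """Convenience wrapper: parse then check."""
    return preflight(parse_dotenv(text))


if __name__ == "__main__":
    for problem in preflight_text(SAMPLE_ENV) or ["no problems found"]:
        print(problem)
```

Run it as `python preflight.py` for the constructed sample, or read the real file with `preflight_text(open("code/docker/.env").read())`; it never prints the secret values themselves, only which key is wrong, so its output is safe to paste into an issue.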
## Docker Hub (optional, for portfolio image)
- Not currently used by CI. To enable push, add `DOCKERHUB_USERNAME` + `DOCKERHUB_TOKEN` secrets and uncomment the push block in `.github/workflows/ci.yml`.
## Vercel (portfolio)
- Project root = `code/`. Build command from `vercel.json`. See portfolio_deployment.md.