
External Dependencies

Everything the homelab needs from outside this repo. Check this list first when a subdomain doesn't resolve, an OAuth login fails, or a tunnel won't come up.

Cloudflare

  • Account — holds the zone + Tunnel.
  • Zone for h5h.me (free plan is fine).
    • DNS: CNAMEs for sh, auth, photos, drive, plex, grafana, prometheus, torrent, notes → <tunnel-id>.cfargotunnel.com (created by make setup-tunnel).
    • Apex h5h.me + www.h5h.me point to Vercel for the portfolio — not through the tunnel.
  • API tokens stored in code/docker/.env:
    • CF_API_TOKEN — Zone.DNS:Edit + Account.Tunnel:Edit (used by setup_tunnel.py).
    • CF_DNS_API_TOKEN — Zone.DNS:Edit only (used by Traefik for DNS-01 ACME).
    • CF_ACCOUNT_ID, CF_ZONE_ID — IDs (not secrets, but committed to .env).
    • CF_TUNNEL_TOKEN — auto-populated by make setup-tunnel.
  • Tunnel named h5h-homelab-auto. Created and ingress-configured via API — no config.yml is written to disk.
  • Zero Trust dashboard: https://one.dash.cloudflare.com/ (tunnel health).

Tailscale

  • Tailnet with an auth key at https://login.tailscale.com/admin/settings/keys (reusable + ephemeral recommended).
  • Auth key stored as TS_AUTHKEY in .env.
  • Container runs in userspace mode (TS_USERSPACE=true), advertises ${DOCKER_SUBNET} as a subnet route, and runs with --advertise-exit-node.
  • Approve the subnet route + exit node in the Tailscale admin UI after first boot.
  • Homepage widget reads HOMEPAGE_VAR_TAILSCALE_DEVICE_ID + HOMEPAGE_VAR_TAILSCALE_API_KEY.

Google OAuth (Authentik source)

  • Project at https://console.cloud.google.com/apis/credentials.
  • Authorised redirect URI: https://auth.h5h.me/source/oauth/callback/google/.
  • Creds in .env: GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET.
  • setup_rbac.py wires the source into Authentik automatically on make setup-authentik.

Plex

  • Claim token from https://plex.tv/claim (expires after 4 minutes — set PLEX_CLAIM in .env right before make plex).

External git repo — Obsidian notes

  • code/docker/obsidian/init.sh clones https://github.com/callmehetch/notes-obsidian into /config on first boot.
  • If that repo becomes private or gets renamed, Obsidian will start with an empty vault on a fresh volume.
  • data/obsidian/ persists, so this only matters on migrations or restore-from-scratch.

SMTP relay (optional)

  • Self-hosted mail is intentionally excluded — see decisions/0001-no-self-hosted-email.md.
  • For transactional email (Authentik password resets, alerts) use Brevo (300/day free), Mailgun, or SendGrid. The variables are present but commented out in .env.example: SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD.

CrowdSec

  • Community instance at https://app.crowdsec.net — optional, lets you share decisions with the community blocklist.
  • Local bouncer key is the CROWDSEC_BOUNCER_KEY in .env; generate via docker exec h5h_crowdsec cscli bouncers add traefik-bouncer.
  • Homepage also has a plaintext CrowdSec admin credential in services.yaml — see known_issues.md #1.

Docker Hub (optional, for portfolio image)

  • Not currently used by CI. To enable push, add DOCKERHUB_USERNAME + DOCKERHUB_TOKEN secrets and uncomment the push block in .github/workflows/ci.yml.
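As an added example (not tooling from the homelab repo), a pre-flight script that reads a dotenv file and checks the variables named on this page before running the make targets: it reports missing or placeholder values, requires the full SMTP set once SMTP_HOST is filled in, checks the Plex claim token's shape, and compares a redirect URI against the Authentik callback above. The placeholder heuristic and the script name preflight.py are assumptions of this example; that Google matches registered redirect URIs exactly and that plex.tv/claim tokens begin with "claim-" are facts about those services, not the repo.

```python
"""Pre-flight check for the .env variables this page lists (added example, not tooling from the
homelab repo): flag missing or placeholder values, sanity-check the Plex claim token's shape,
and compare a Google redirect URI against Authentik's callback component by component."""
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Names taken from the dependency list above, grouped by the service that needs them.
REQUIRED = {
    "cloudflare": ["CF_API_TOKEN", "CF_DNS_API_TOKEN", "CF_ACCOUNT_ID", "CF_ZONE_ID", "CF_TUNNEL_TOKEN"],
    "tailscale": ["TS_AUTHKEY", "DOCKER_SUBNET", "HOMEPAGE_VAR_TAILSCALE_DEVICE_ID", "HOMEPAGE_VAR_TAILSCALE_API_KEY"],
    "google_oauth": ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"],
    "plex": ["PLEX_CLAIM"],
    "crowdsec": ["CROWDSEC_BOUNCER_KEY"],
}
SMTP_VARS = ["SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD"]  # optional relay, all-or-nothing
EXPECTED_REDIRECT = "https://auth.h5h.me/source/oauth/callback/google/"
# Values meaning "nobody filled this in yet": a heuristic assumed by this example, not by the repo.
PLACEHOLDER = re.compile(r"^(|changeme|x+|<[^>]*>|your[_-].*|todo|replace[_-]?me)$", re.I)

def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks and comments, accepts 'export KEY=', strips matching quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def check_env(env: dict[str, str]) -> list[str]:
    """One human-readable problem per missing, empty or placeholder variable."""
    problems: list[str] = []
    for service, names in REQUIRED.items():
        for name in names:
            if name not in env:
                problems.append(f"{service}: {name} missing")
            elif PLACEHOLDER.match(env[name]):
                problems.append(f"{service}: {name} is empty or a placeholder")
    if env.get("SMTP_HOST"):  # relay is optional, but once enabled it needs all four
        for name in SMTP_VARS:
            if not env.get(name):
                problems.append(f"smtp: {name} missing (SMTP_HOST is set)")
    # Tokens from plex.tv/claim start with "claim-"; the page notes they expire after 4 minutes.
    claim = env.get("PLEX_CLAIM", "")
    if claim and not claim.startswith("claim-"):
        problems.append("plex: PLEX_CLAIM does not look like a plex.tv claim token")
    return problems

def redirect_uri_problems(configured: str) -> list[str]:
    """Google compares registered redirect URIs exactly, so report each mismatching component."""
    want, got = urlsplit(EXPECTED_REDIRECT), urlsplit(configured.strip())
    out: list[str] = []
    if got.scheme != want.scheme:
        out.append(f"scheme is {got.scheme!r}, expected {want.scheme!r}")
    if got.netloc.lower() != want.netloc:
        out.append(f"host is {got.netloc!r}, expected {want.netloc!r}")
    if got.path != want.path:
        hint = " (missing trailing slash)" if got.path + "/" == want.path else ""
        out.append(f"path is {got.path!r}, expected {want.path!r}{hint}")
    if got.query or got.fragment:
        out.append("query string or fragment present; the registered URI has neither")
    return out

# Constructed sample .env for the demo; every value is invented and several are deliberately wrong.
SAMPLE_ENV = """\
CF_API_TOKEN=example-dns-and-tunnel-edit-token
CF_DNS_API_TOKEN="example-dns-only-token"
CF_ACCOUNT_ID=0123456789abcdef
CF_ZONE_ID=fedcba9876543210
CF_TUNNEL_TOKEN=
export TS_AUTHKEY=tskey-auth-example
DOCKER_SUBNET=172.20.0.0/16
HOMEPAGE_VAR_TAILSCALE_DEVICE_ID=node-example
HOMEPAGE_VAR_TAILSCALE_API_KEY=changeme
GOOGLE_CLIENT_ID=example.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=example-client-secret
PLEX_CLAIM=1234-not-a-claim-token
CROWDSEC_BOUNCER_KEY=example-bouncer-key
SMTP_HOST=smtp-relay.example
SMTP_PORT=587
"""

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_ENV
    for problem in check_env(parse_dotenv(text)):
        print("WARN", problem)
```

Run it as python preflight.py code/docker/.env; with no argument it checks the constructed sample, which trips the empty CF_TUNNEL_TOKEN (expected before make setup-tunnel), the placeholder Tailscale API key, the half-filled SMTP block and the malformed Plex claim. redirect_uri_problems is the check to run by hand when the Google login fails: the trailing slash on Authentik's callback is the usual mismatch.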

Vercel (portfolio)

MIT License