Traffic Flow
No ports are exposed to the internet. All inbound traffic goes through the Cloudflare tunnel.
DNS
Domain *.augustin.ai managed in Cloudflare. Each service gets a CNAME pointing to the tunnel.
Cloudflare Tunnel
cloudflared runs on i3 as a Docker container on the traefik network. It connects outbound to Cloudflare and forwards traffic to Traefik on port 8880.
Traefik
Single Traefik instance on i3. Listens on 8880 (HTTP) and 8443 (HTTPS), mapped from container ports 80 and 443.
- i3 services — routed via Docker labels on the traefik Docker network
- Pentium services — routed via traefik/dynamic/pentium-services.yaml, which forwards over LAN to 192.168.1.16:<port>
| Service | Port |
|---|---|
| jellyfin | 8096 |
| sonarr | 8989 |
| radarr | 7878 |
| bazarr | 6767 |
| seerr | 5055 |
| audiobookshelf | 13378 |
| qbittorrent | 8085 |
| prowlarr | 9696 |
| calibre-web | 8083 |
| chaptarr | 8789 |
traefik.augustin.ai, protected by basic auth.
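A sketch of what traefik/dynamic/pentium-services.yaml could look like for two of the services in the table, in Traefik's file-provider format. This is an added example, not the actual file from this setup. It assumes the hostnames, the entrypoint name web, plain HTTP to the backend, and that the ports in the table are the ones the services listen on at 192.168.1.16.

```yaml
# Added example, not the real file from this setup.
# Dynamic configuration loaded by Traefik's file provider on i3.
http:
  routers:
    jellyfin:
      # Assumed hostname: a CNAME under *.augustin.ai pointing at the tunnel.
      rule: "Host(`jellyfin.augustin.ai`)"
      # Assumed entrypoint name for container port 80 (host port 8880),
      # which is where cloudflared forwards tunnel traffic.
      entryPoints:
        - web
      service: jellyfin
    sonarr:
      rule: "Host(`sonarr.augustin.ai`)"   # assumed hostname
      entryPoints:
        - web
      service: sonarr

  services:
    jellyfin:
      loadBalancer:
        servers:
          # Forwarded over the LAN to the Pentium machine.
          # Plain HTTP to the backend is an assumption.
          - url: "http://192.168.1.16:8096"
    sonarr:
      loadBalancer:
        servers:
          - url: "http://192.168.1.16:8989"
```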
LAN
| Machine | IP |
|---|---|
| i3 | 192.168.1.100 |
| Pentium | 192.168.1.16 |
~/.ssh/config aliases (ssh pentium from i3, ssh i3 from Pentium).