# Step 2 — DNS and Cloudflare Setup

**Track:** With AI (Beginner)
**Time for this step:** 1–2 hours

In this step you will set up Cloudflare so your domain points to Cloudflare's servers, and you will create the Cloudflare Tunnel that allows the internet to reach your home computer without exposing your home IP address.

---

## What Is Happening Here?

When someone types `www.kitestacks.com` into a browser, their computer asks a system called DNS: "What is the IP address for kitestacks.com?"

Normally, that answer would be your home IP address. But we do NOT want that — your home IP could change, could be targeted by attackers, or could be blocked by your ISP.

Instead, the DNS answer will be Cloudflare's IP address. Traffic goes to Cloudflare, Cloudflare sends it to your computer through a tunnel, and your home IP is never involved.

**Ask your AI:** "Can you explain in simple terms how Cloudflare Tunnel works?"

---

## Step 2A — Add Your Domain to Cloudflare

If you bought your domain from Cloudflare Registrar, skip to Step 2B.

If you bought it elsewhere (Namecheap, GoDaddy, etc.):

1. Log in to Cloudflare at cloudflare.com
2. Click "Add a site"
3. Enter your domain name
4. Choose the Free plan
5. Cloudflare will give you two nameserver addresses (like `vera.ns.cloudflare.com`)
6. Go to your domain registrar's website and replace the nameservers with Cloudflare's

**Ask your AI:** "How do I change nameservers on [your registrar]?"

It can take up to 24 hours for nameserver changes to propagate worldwide, but usually it happens within an hour.

---

## Step 2B — Create Your Cloudflare Tunnel

A Cloudflare Tunnel is the invisible connection between your home computer and Cloudflare. Your home computer reaches out to Cloudflare (an outbound connection), and Cloudflare holds that connection open. When someone visits your website, Cloudflare sends the request back through that existing connection. Your home router never needs to be configured, and no inbound port is ever opened.

**To create a tunnel:**

1. In your Cloudflare dashboard, go to: **Zero Trust → Networks → Tunnels**
2. Click **"Create a tunnel"**
3. Choose **"Cloudflared"** as the connector type
4. Name your tunnel (e.g., `kitestacks-tunnel`)
5. Cloudflare will show you a token — a long string of characters starting with `eyJ`
6. **Save this token somewhere safe** — you will need it in Step 3. Treat it like a password: anyone who has it can connect a machine to your tunnel, so do not paste it into chats, screenshots, or public repositories.

---

## Step 2C — Add Public Hostnames to the Tunnel

A public hostname tells Cloudflare: "When someone visits this URL, send the traffic to this container on my home computer."

You will set up hostnames for all eleven of your services. For each one:

1. In the tunnel settings, click **"Public Hostnames"**
2. Click **"Add a public hostname"**

Add all of these (you will complete the services in later steps, but adding the hostnames now means they are ready):

| Subdomain | Domain | Service | URL |
|-----------|--------|---------|-----|
| www | yourdomain.com | http://homepage:3000 | www.yourdomain.com |
| auth | yourdomain.com | http://authentik:9000 | auth.yourdomain.com |
| gitforge | yourdomain.com | http://forgejo:3000 | gitforge.yourdomain.com |
| ai | yourdomain.com | http://kite-openwebui:8080 | ai.yourdomain.com |
| links | yourdomain.com | http://karakeep:3000 | links.yourdomain.com |
| kavita | yourdomain.com | http://kavita:5000 | kavita.yourdomain.com |
| grafana | yourdomain.com | http://grafana:3000 | grafana.yourdomain.com |
| status | yourdomain.com | http://uptime-kuma:3001 | status.yourdomain.com |
| wiki | yourdomain.com | http://bookstack:80 | wiki.yourdomain.com |
| tasks | yourdomain.com | http://osticket-app:80 | tasks.yourdomain.com |
| portainer | yourdomain.com | https://portainer:9443 | portainer.yourdomain.com |

For the `portainer` entry, enable **"No TLS Verify"** (Portainer uses its own self-signed certificate internally). This only relaxes certificate checking on the short hop between the connector and Portainer inside your Docker network; the connection between visitors' browsers and Cloudflare is still fully verified. Leave it off for every plain `http://` service, where it has no effect.

Replace `yourdomain.com` with your actual domain throughout.

**Ask your AI:** "What does the 'service' field in a Cloudflare Tunnel hostname mean? Why do I use `http://homepage:3000` instead of an IP address?"

---

## Step 2D — Create the Docker Network

Everything in this homelab runs in Docker (covered in the next step), and all the containers need to be able to talk to each other and to the Cloudflare connector. They do this by being on the same Docker network.

On your **home computer**, run:

```bash
docker network create kitestacks
```

You will also do this on your **cloud VPS** in a later step.

**Ask your AI:** "What is a Docker network and why do all containers need to be on the same one?"

---

## Checkpoint

Before moving to Step 3, make sure:

- [ ] Your domain is on Cloudflare (nameservers changed or bought from Cloudflare)
- [ ] You created a Cloudflare Tunnel and saved the tunnel token
- [ ] You added all 11 public hostnames to the tunnel
- [ ] You ran `docker network create kitestacks` on your home computer

---

**Next:** [Step 3 — Installing Docker](03-docker-setup.md)
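Added example for Step 2C (not code from this guide or from Cloudflare): the eleven public hostnames written out as cloudflared `ingress` rules, which is what the dashboard's Public Hostname entries correspond to in cloudflared's locally-managed `config.yml` format, together with the checks worth running before trusting the list: no duplicate hostnames, `noTLSVerify` only on the one `https://` origin (Portainer), and the catch-all `http_status:404` rule last so that any hostname you did not list gets a 404 instead of being forwarded anywhere. `DOMAIN` and `SERVICES` are constructed from the table above.

```python
# Added example (not the guide's own code): Step 2C's hostname table as cloudflared
# ingress rules plus sanity checks. DOMAIN/SERVICES are constructed from the table.
DOMAIN = "yourdomain.com"
SERVICES = {
    "www": "http://homepage:3000", "auth": "http://authentik:9000",
    "gitforge": "http://forgejo:3000", "ai": "http://kite-openwebui:8080",
    "links": "http://karakeep:3000", "kavita": "http://kavita:5000",
    "grafana": "http://grafana:3000", "status": "http://uptime-kuma:3001",
    "wiki": "http://bookstack:80", "tasks": "http://osticket-app:80",
    "portainer": "https://portainer:9443",
}

def build_ingress(services: dict, domain: str) -> list:
    """One rule per hostname; https origins get noTLSVerify; catch-all 404 rule last."""
    rules = []
    for sub, origin in services.items():
        rule = {"hostname": f"{sub}.{domain}", "service": origin}
        if origin.startswith("https://"):  # self-signed cert inside the Docker network
            rule["originRequest"] = {"noTLSVerify": True}
        rules.append(rule)
    rules.append({"service": "http_status:404"})  # unmatched hostnames go nowhere
    return rules

def check_ingress(rules: list) -> bool:
    """Reject duplicate hostnames, a missing catch-all, and noTLSVerify on http origins."""
    hosts = [r["hostname"] for r in rules if "hostname" in r]
    if len(hosts) != len(set(hosts)):
        raise ValueError("duplicate hostname in ingress rules")
    if "hostname" in rules[-1] or rules[-1]["service"] != "http_status:404":
        raise ValueError("last rule must be the catch-all: service: http_status:404")
    for r in rules[:-1]:
        if r.get("originRequest", {}).get("noTLSVerify") and not r["service"].startswith("https://"):
            raise ValueError(f"noTLSVerify set on non-https origin {r['hostname']}")
    return True

def render_yaml(rules: list) -> str:
    """Render the rules as the ingress: section of a cloudflared config.yml."""
    out = ["ingress:"]
    for r in rules:
        keys = ["hostname", "service"] if "hostname" in r else ["service"]
        for i, key in enumerate(keys):
            out.append(("  - " if i == 0 else "    ") + f"{key}: {r[key]}")
        if r.get("originRequest", {}).get("noTLSVerify"):
            out += ["    originRequest:", "      noTLSVerify: true"]
    return "\n".join(out)

if __name__ == "__main__":
    rules = build_ingress(SERVICES, DOMAIN)
    check_ingress(rules)  # raises ValueError on a bad rule set
    print(render_yaml(rules))
```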