baymax
Homelab — Cloudflare Tunnels
How peshlab.com is served, and how to fix it
Runbook · peshlab · 2026 · private

How peshlab.com public hostnames are served, and how to fix them when they break. Derived from the running setup as of 2026-07-02.


1. How sites are served

peshlab.com public sites are served by cloudflared tunnels, fronted by Cloudflare (proxied). The primary tunnel is pve-tunnel (9515f719-1358-44f2-a236-ce100b52abba), running as cloudflared.service (systemd) on the Proxmox host pve (172.16.60.99), config /etc/cloudflared/config.yml. A separate tunnel peshlab-mail (docker, in CT 105) runs the mail stack.

pve-tunnel ingress

Hostname                 Backend
docs                     172.16.60.101:8000 (Paperless)
photos                   172.16.60.106:2283 (Immich)
home / status / grafana  https://172.16.60.103 (Traefik, routes by Host header)

2. Reaching pve

SSH to root@172.16.60.99 authenticates via the 1Password SSH agent (key item "proxmox root (pve)", Ed25519). 1Password must be unlocked and Settings → Developer → "Use the SSH agent" must be ON; otherwise ssh-add -l shows no identities and login fails. Baymax reaches the lab over the LAN: ICMP is blocked by the FortiGate, but TCP works.

3. Error decode

1033 / 530 = tunnel connector offline. Fix: systemctl restart cloudflared on pve, and watch for 4 "Registered tunnel connection" lines. 502 = tunnel routes fine but the origin/backend is erroring.
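
Added example (not part of the original runbook): shell helpers that apply the decode above and check a journal excerpt for the 4 registered connections. The function names, the sample log lines and the assumption that each registration line carries a connIndex=N field are illustrative.

```bash
#!/usr/bin/env bash
# Added example: helper names and sample log lines are constructed.
EXPECTED_CONNS=4   # section 3: watch for 4 "Registered tunnel connection" lines

# Map the status a client sees to the runbook's diagnosis.
decode_status() {
  case "$1" in
    1033|530) echo "connector-offline" ;;  # fix: systemctl restart cloudflared on pve
    502)      echo "origin-error" ;;       # tunnel routes fine, backend is erroring
    *)        echo "not-in-runbook" ;;
  esac
}

# Count distinct registered connections in journal text read from stdin.
# Assumes each registration line carries a connIndex=N field; counting
# distinct indexes keeps a dropped-and-re-registered connection from
# being counted twice.
registered_conns() {
  grep 'Registered tunnel connection' | grep -o 'connIndex=[0-9]*' \
    | sort -u | wc -l | tr -d ' '
}

# Succeeds only when every expected connection has registered.
tunnel_healthy() {
  [ "$(registered_conns)" -ge "$EXPECTED_CONNS" ]
}

# Constructed journal excerpts (not captured from the real host).
# SAMPLE_OK includes one re-registration of connIndex=2.
SAMPLE_OK='2026-07-02T10:00:01Z INF Registered tunnel connection connIndex=0 protocol=quic
2026-07-02T10:00:01Z INF Registered tunnel connection connIndex=1 protocol=quic
2026-07-02T10:00:02Z INF Registered tunnel connection connIndex=2 protocol=quic
2026-07-02T10:00:03Z INF Registered tunnel connection connIndex=3 protocol=quic
2026-07-02T10:04:10Z INF Registered tunnel connection connIndex=2 protocol=quic'
SAMPLE_DEGRADED='2026-07-02T10:00:01Z INF Registered tunnel connection connIndex=0 protocol=quic
2026-07-02T10:00:01Z INF Registered tunnel connection connIndex=1 protocol=quic'

# Live use on pve after the restart (not run here):
#   journalctl -u cloudflared --since "2 min ago" --no-pager | tunnel_healthy
```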

4. Reverse proxy (Traefik)

home / status / grafana route through Traefik (CT 101 = 172.16.60.103), file config /etc/traefik/conf.d/*.yaml (hot-reloads). Backends: homarr→172.16.60.107:7575, gatus→172.16.60.108:8080, grafana→172.16.60.109:3000.

5. CT IP map

DHCP-assigned, so IPs drift from the vmid.

CT   Service                                        IP
100  pihole                                         .102
101  traefik                                        .103
103  paperless                                      .101
104  immich                                         .106
105  mail (stalwart+lldap+cloudflared)              .105
106  homarr                                         .107
107  gatus                                          .108
108  monitoring (grafana:3000, prometheus:9090)     .109

6. Known gotchas

Both classic failures are "service migrated to a CT but a stale pointer left behind":

Watch: CT 105 mail has a failed certbot.service (latent mail-cert-renewal risk); pve cloudflared is 2026.3.0 (outdated).