How peshlab.com public hostnames are served, and how to fix them when they break. Derived from the running setup as of 2026-07-02.
peshlab.com public sites are served through cloudflared tunnels, fronted by Cloudflare (proxied DNS records). The primary tunnel is pve-tunnel (9515f719-1358-44f2-a236-ce100b52abba), running as cloudflared.service (systemd) on the Proxmox host pve (172.16.60.99) with config /etc/cloudflared/config.yml. A separate tunnel, peshlab-mail (cloudflared in docker inside CT 105), carries the mail stack and is independent of the pve service.
| Hostname (under peshlab.com) | Backend the tunnel forwards to |
|---|---|
| docs | 172.16.60.101:8000 (Paperless, CT 103) |
| photos | 172.16.60.106:2283 (Immich, CT 104) |
| home / status / grafana | https://172.16.60.103 (Traefik in CT 101, routes by Host header) |
SSH to root@172.16.60.99 authenticates via the 1Password SSH agent (key item "proxmox root (pve)", Ed25519). 1Password must be unlocked and Settings → Developer → "Use the SSH agent" must be ON; otherwise ssh-add -l lists no identities and the login fails. Baymax reaches the lab over the LAN. The FortiGate blocks ICMP, so ping to lab hosts fails even when they are up; TCP works, so test reachability with an SSH or TCP connect, not ping.
HTTP 530 with Cloudflare error 1033 = the tunnel connector is offline. Fix: systemctl restart cloudflared on pve, then watch journalctl -u cloudflared -f for 4 "Registered tunnel connection" lines (one per edge connection; fewer than 4 means the connector is not fully up). 502 = the tunnel is routing correctly but the origin/backend behind it is erroring; look at the CT service, not the tunnel.
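The triage above as an added shell example (not part of the runbook): cf_triage maps the status Cloudflare hands back to the layer to look at, going slightly beyond the two documented codes by also bucketing the neighbouring 52x edge codes, and tunnel_healthy applies the "four Registered tunnel connection lines" check to cloudflared journal text. The journal excerpt is constructed to have the shape of systemd-wrapped cloudflared output after a restart; the probe function needs network and is not exercised here.

```shell
#!/bin/sh
# Added example, not part of the runbook: first-line triage for a peshlab.com hostname.
set -e

# HTTP status from the edge. Live use: probe docs.peshlab.com (needs network, not run below).
probe() {
    curl -o /dev/null -s --max-time 10 -w '%{http_code}' "https://$1"
}

# Map the status to where to look. Cloudflare's error 1033 (tunnel unreachable) is served
# as HTTP 530, so both spellings mean the same thing: the connector on pve is down.
cf_triage() {
    case "$1" in
        530|1033)  echo "tunnel: connector offline -> systemctl restart cloudflared on pve" ;;
        502)       echo "origin: tunnel is routing, the backend in the CT is erroring -> check the CT" ;;
        52[0-9])   echo "edge: Cloudflare could not complete the origin fetch (HTTP $1)" ;;
        2[0-9][0-9]|3[0-9][0-9]) echo "ok: HTTP $1 from the origin" ;;
        *)         echo "unknown: HTTP $1" ;;
    esac
}

# Count connector registrations in journal text on stdin; 4 means every edge connection is up.
# Live use: journalctl -u cloudflared --since '2 min ago' | count_registrations
count_registrations() {
    grep -c 'Registered tunnel connection' || true
}

# Succeeds only when the journal text passed as $1 shows all 4 registrations.
tunnel_healthy() {
    n=$(printf '%s\n' "$1" | count_registrations)
    [ "$n" -eq 4 ]
}

# Constructed journal excerpt (not a real capture) in the shape of cloudflared output after a restart.
SAMPLE_JOURNAL='Jul 02 09:14:00 pve systemd[1]: Started cloudflared.service - cloudflared.
Jul 02 09:14:01 pve cloudflared[4242]: 2026-07-02T09:14:01Z INF Registered tunnel connection connIndex=0 protocol=quic
Jul 02 09:14:01 pve cloudflared[4242]: 2026-07-02T09:14:01Z INF Registered tunnel connection connIndex=1 protocol=quic
Jul 02 09:14:02 pve cloudflared[4242]: 2026-07-02T09:14:02Z INF Registered tunnel connection connIndex=2 protocol=quic
Jul 02 09:14:02 pve cloudflared[4242]: 2026-07-02T09:14:02Z INF Registered tunnel connection connIndex=3 protocol=quic'

# Demo on the constructed data (no network): classify the documented failure codes and
# confirm the journal excerpt shows a fully registered connector.
for code in 530 1033 502 200; do
    echo "$code -> $(cf_triage "$code")"
done
if tunnel_healthy "$SAMPLE_JOURNAL"; then
    echo "connector: all 4 edge connections registered"
else
    echo "connector: only $(printf '%s\n' "$SAMPLE_JOURNAL" | count_registrations) of 4 registered"
fi
```

In practice the pairing is: probe the hostname from Baymax, feed the code to cf_triage, and only if it says "tunnel" restart cloudflared on pve and pipe the journal into count_registrations until it reads 4.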
home / status / grafana route through Traefik (CT 101 = 172.16.60.103), file-provider config in /etc/traefik/conf.d/*.yaml (hot-reloads on save, no restart needed). Backends: homarr→172.16.60.107:7575, gatus→172.16.60.108:8080, grafana→172.16.60.109:3000.
CT addresses are DHCP-assigned, so the last octet does not track the vmid; check the table below rather than guessing from the CT number.
| CT | Service | IP (172.16.60.x) |
|---|---|---|
| 100 | pihole | .102 |
| 101 | traefik | .103 |
| 103 | paperless | .101 |
| 104 | immich | .106 |
| 105 | mail (stalwart+lldap+cloudflared) | .105 |
| 106 | homarr | .107 |
| 107 | gatus | .108 |
| 108 | monitoring (grafana:3000, prometheus:9090) | .109 |
Both classic failures are "service migrated to a CT but a stale pointer left behind", and the pointer lives in one of two places: (1) the Cloudflare DNS route for the hostname, re-pointed with cloudflared tunnel route dns --overwrite-dns 9515f719-… <hostname> on pve; (2) the backend address in the hostname's Traefik conf.d file, edited to the CT's current IP from the table above (for docs and photos, which bypass Traefik, the equivalent pointer is the ingress entry in /etc/cloudflared/config.yml).
Watch: CT 105 mail has a failed certbot.service (latent mail-cert-renewal risk); pve cloudflared is 2026.3.0 (outdated).
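The stale-pointer check from the previous paragraph, applied to both places a backend address is written down (the cloudflared ingress described at the top and the Traefik file-provider routing described above), as an added shell example that is not part of the runbook. The two YAML documents are constructed stand-ins in the shape of /etc/cloudflared/config.yml and a /etc/traefik/conf.d/*.yaml file, each seeded with one stale entry; the inventory is the CT table copied by hand, and deriving it live on pve (from pct list plus each CT's own address) is an assumption, not something the runbook describes.

```shell
#!/bin/sh
# Added example, not part of the runbook: find the stale backend pointer after a CT migration
# by comparing cloudflared ingress targets and Traefik server URLs against the CT table.
set -e

# Inventory "<service> <ip>" from the CT table (hand-copied; live derivation is an assumption).
INVENTORY='traefik 172.16.60.103
paperless 172.16.60.101
immich 172.16.60.106
homarr 172.16.60.107
gatus 172.16.60.108
grafana 172.16.60.109'

# Which CT service each public hostname label should land on (from the hostname table).
HOST_SERVICE='docs paperless
photos immich
home traefik
status traefik
grafana traefik'

# Constructed cloudflared config: photos still points at an address immich no longer has.
CF_CONFIG='tunnel: pve-tunnel
credentials-file: /etc/cloudflared/creds.json
ingress:
  - hostname: docs.peshlab.com
    service: http://172.16.60.101:8000
  - hostname: photos.peshlab.com
    service: http://172.16.60.104:2283
  - hostname: home.peshlab.com
    service: https://172.16.60.103
  - service: http_status:404'

# Constructed Traefik file-provider config: grafana's server url is one host off.
TRAEFIK_CONFIG='http:
  routers:
    homarr:
      rule: Host(`home.peshlab.com`)
      service: homarr
    grafana:
      rule: Host(`grafana.peshlab.com`)
      service: grafana
  services:
    homarr:
      loadBalancer:
        servers:
          - url: http://172.16.60.107:7575
    grafana:
      loadBalancer:
        servers:
          - url: http://172.16.60.110:3000'

# lookup "<table>" <key> -> value of the first matching row, empty if absent.
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# cloudflared ingress on stdin -> "<hostname label> <backend ip>" for every rule with a URL backend.
cf_backends() {
    awk '/hostname:/ { n = $NF; sub(/\..*/, "", n) }
         /service: https?:\/\// { u = $NF; sub(/^https?:\/\//, "", u); sub(/[:\/].*/, "", u); print n, u }'
}

# Traefik file-provider YAML on stdin -> "<service key> <backend ip>" per server url. The last
# 4-space-indented key before a url line is the service name (assumes one server per service).
traefik_backends() {
    awk '/^    [A-Za-z0-9_-]+:$/ { n = $1; sub(/:$/, "", n) }
         /url: https?:\/\// { u = $NF; sub(/^https?:\/\//, "", u); sub(/[:\/].*/, "", u); print n, u }'
}

# Compare both files ($1 = cloudflared config, $2 = Traefik file) against the inventory and
# print "<where> <name> <configured ip> -> <current ip>" for every pointer that is stale.
stale_pointers() {
    cf_backends < "$1" | while read -r label ip; do
        want=$(lookup "$INVENTORY" "$(lookup "$HOST_SERVICE" "$label")")
        if [ -n "$want" ] && [ "$ip" != "$want" ]; then
            echo "cloudflared $label $ip -> $want"
        fi
    done
    traefik_backends < "$2" | while read -r svc ip; do
        want=$(lookup "$INVENTORY" "$svc")
        if [ -n "$want" ] && [ "$ip" != "$want" ]; then
            echo "traefik $svc $ip -> $want"
        fi
    done
}

# Demo on the constructed files. On the real hosts:
#   stale_pointers /etc/cloudflared/config.yml /etc/traefik/conf.d/<hostname>.yaml
CF_FILE=$(mktemp); TRAEFIK_FILE=$(mktemp)
trap 'rm -f "$CF_FILE" "$TRAEFIK_FILE"' EXIT
printf '%s\n' "$CF_CONFIG" > "$CF_FILE"
printf '%s\n' "$TRAEFIK_CONFIG" > "$TRAEFIK_FILE"
stale_pointers "$CF_FILE" "$TRAEFIK_FILE"
```

Each reported line names the file to edit and the address to put in it; a cloudflared line needs systemctl restart cloudflared on pve afterwards, a traefik line is picked up by the conf.d hot-reload. The DNS route (the other stale pointer) is not a file and is not covered by this check; that is the cloudflared tunnel route dns --overwrite-dns step above.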