Cloudflare with * certificates and Traefik

So — in breaking from delivering the next part of the Foundations of Sovereign Self-Hosting series, I am, by request, publishing my actual (mostly) Docker Compose file for how I use my domains (chrisalmida.com and casaalmida.com) with a Cloudflare Tunnel and Traefik — configured to use the Cloudflare Origin Server wildcard certificate — to securely access services (like this blog) on my home lab network.

You can view the docker-compose.yml and the associated configuration files for Cloudflared, Traefik, Pi-hole, and Unbound directly in the GitHub repo:


Why This Setup?

  • I want access to internal services anywhere without exposing ports.
  • I want to own my TLS certs — using Cloudflare Origin certs.
  • I want full DNS and DHCP control at home using Pi-hole + Unbound.
  • I want all traffic to route through Cloudflare Tunnel, secured end-to-end.

This stack achieves all of that, with clean separation between edge-facing components (Cloudflared, Traefik) and internal infrastructure (Pi-hole, Unbound).


Key Components

Cloudflare Tunnel + Origin Certificate

  • Cloudflared creates the tunnel.
  • Traefik terminates HTTPS using a wildcard Origin Cert.
  • Certs are manually managed and mounted into Traefik using a dynamic TLS store:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/traefik/certs/cloudflare-origin.pem"
        keyFile: "/etc/traefik/certs/cloudflare-origin.key"
  certificates:
    - certFile: "/etc/traefik/certs/cloudflare-origin.pem"
      keyFile: "/etc/traefik/certs/cloudflare-origin.key"

Pi-hole + Unbound on macvlan

  • Pi-hole is the main DNS resolver and DHCP server.
  • Unbound handles recursive DNS resolution.
  • Both run on the casapilan macvlan network with LAN IPs (192.168.1.x).

About the Macvlan Network

To place Pi-hole and Unbound directly on your LAN:

docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  --ip-range=192.168.1.192/28 \
  -o parent=eth0 \
  casapilan

⚠️ Containers on a macvlan network cannot talk to the Docker host (and the host cannot reach them) by default, so you'll need a separate proxy container or host if such services need to reach each other (e.g. the Pi-hole API).
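
One thing worth checking before creating that network: Docker's IPAM hands out addresses from `--ip-range`, and Pi-hole's DHCP server hands out addresses from its own pool, so the two ranges must never overlap and the gateway must stay outside Docker's range. The script below is an added sanity check and is not part of the repo; the subnet, gateway and ip-range are the post's values, while the DHCP pool and the static Pi-hole/Unbound addresses are assumed placeholders.

```python
import ipaddress

# Values from the post's `docker network create` command.
SUBNET = "192.168.1.0/24"
GATEWAY = "192.168.1.1"
MACVLAN_RANGE = "192.168.1.192/28"
# Assumed Pi-hole DHCP pool (placeholder; the post does not state one).
DHCP_POOL = ("192.168.1.50", "192.168.1.150")
# Assumed static LAN IPs pinned for the two containers (placeholders).
STATIC_IPS = {"pihole": "192.168.1.193", "unbound": "192.168.1.194"}


def check_macvlan_plan(subnet, gateway, ip_range, dhcp_pool, static_ips):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    docker_range = ipaddress.ip_network(ip_range, strict=True)
    dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in dhcp_pool)

    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if not docker_range.subnet_of(net):
        problems.append(f"ip-range {docker_range} is not inside {net}")
    if gw in docker_range:
        problems.append(f"gateway {gw} is inside ip-range {docker_range}; "
                        "Docker could assign it to a container")
    # Docker's IPAM and Pi-hole's DHCP must never lease the same address.
    overlap = [ip for ip in docker_range.hosts() if dhcp_lo <= ip <= dhcp_hi]
    if overlap:
        problems.append(f"ip-range {docker_range} overlaps DHCP pool "
                        f"{dhcp_lo}-{dhcp_hi} ({len(overlap)} addresses)")
    seen = {}
    for name, ip in static_ips.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name} static IP {addr} is outside {net}")
        if dhcp_lo <= addr <= dhcp_hi:
            problems.append(f"{name} static IP {addr} is inside the DHCP pool")
        if addr in seen:
            problems.append(f"{name} and {seen[addr]} share {addr}")
        seen[addr] = name
    return problems


if __name__ == "__main__":
    for line in check_macvlan_plan(SUBNET, GATEWAY, MACVLAN_RANGE, DHCP_POOL, STATIC_IPS) or ["ok"]:
        print(line)
```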

Deploying the Stack

Clone the repo and run:

docker compose -f docker-compose-netedge.yml up -d

Before deploying, make sure to replace all placeholders like:

ENTER_YOUR_CF_API_TOKEN_HERE
ENTER_YOUR_PIHOLE_PASSWORD_HERE

What's Next

This is just the edge. In the Foundations of Sovereign Self-Hosting series, I’ll show how this connects to:

  • Plex, Jellyfin, Audiobookshelf
  • Radarr, Sonarr, Lidarr
  • qBittorrent, SABnzbd, Prowlarr
  • Homepage dashboards
  • And more...

If you're building sovereign infrastructure — start with the edge. This is mine.

Stay sovereign, stay self-hosted.

Chris Almida