nixos/services/cloudflare-ddns.md

## Store your API key securely

Create a file outside your /etc/nixos directory to store your Cloudflare API token:

```bash
sudo mkdir -p /var/secrets
sudo nano /var/secrets/cloudflare-token
sudo chmod 600 /var/secrets/cloudflare-token
sudo chown root:root /var/secrets/cloudflare-token
```

This token is shared by both `cloudflare-ddns.nix` (DDNS updates) and `nginx.nix` (ACME wildcard cert via DNS-01 challenge).

## Get your Cloudflare API Token

Go to Cloudflare Dashboard → My Profile → API Tokens and create a token with:

- **Zone : Zone : Read**
- **Zone : DNS : Edit**

Both permissions are required — Zone:Read for ACME to locate the zone, DNS:Edit for DDNS updates and ACME challenge TXT records.

Copy the token to `/var/secrets/cloudflare-token`.
Update docs: add new services to readme, remove obsolete go2rtc-readme - readme.md: add authelia, fail2ban, homepage, arr-interconnect, nginx description updated to mention ACME. Remove omnisearch, add cachyos kernel to flake inputs table. - cloudflare-ddns.md: document shared token usage with ACME, note Zone:Zone:Read permission requirement. - Delete go2rtc-readme.md (documented Docker setup, now native NixOS). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:42:19 +01:00			`## Store your API key securely`

Create cloudflare-ddns.md 2026-02-15 06:24:20 +00:00			`Create a file outside your /etc/nixos directory to store your Cloudflare API token:`
Update docs: add new services to readme, remove obsolete go2rtc-readme - readme.md: add authelia, fail2ban, homepage, arr-interconnect, nginx description updated to mention ACME. Remove omnisearch, add cachyos kernel to flake inputs table. - cloudflare-ddns.md: document shared token usage with ACME, note Zone:Zone:Read permission requirement. - Delete go2rtc-readme.md (documented Docker setup, now native NixOS). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:42:19 +01:00
			```bash
			`sudo mkdir -p /var/secrets`
Create cloudflare-ddns.md 2026-02-15 06:24:20 +00:00			`sudo nano /var/secrets/cloudflare-token`
Update docs: add new services to readme, remove obsolete go2rtc-readme - readme.md: add authelia, fail2ban, homepage, arr-interconnect, nginx description updated to mention ACME. Remove omnisearch, add cachyos kernel to flake inputs table. - cloudflare-ddns.md: document shared token usage with ACME, note Zone:Zone:Read permission requirement. - Delete go2rtc-readme.md (documented Docker setup, now native NixOS). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:42:19 +01:00			`sudo chmod 600 /var/secrets/cloudflare-token`
Create cloudflare-ddns.md 2026-02-15 06:24:20 +00:00			`sudo chown root:root /var/secrets/cloudflare-token`
Update docs: add new services to readme, remove obsolete go2rtc-readme - readme.md: add authelia, fail2ban, homepage, arr-interconnect, nginx description updated to mention ACME. Remove omnisearch, add cachyos kernel to flake inputs table. - cloudflare-ddns.md: document shared token usage with ACME, note Zone:Zone:Read permission requirement. - Delete go2rtc-readme.md (documented Docker setup, now native NixOS). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:42:19 +01:00			```

			This token is shared by both `cloudflare-ddns.nix` (DDNS updates) and `nginx.nix` (ACME wildcard cert via DNS-01 challenge).

			`## Get your Cloudflare API Token`

			`Go to Cloudflare Dashboard → My Profile → API Tokens and create a token with:`
Create cloudflare-ddns.md 2026-02-15 06:24:20 +00:00
Update docs: add new services to readme, remove obsolete go2rtc-readme - readme.md: add authelia, fail2ban, homepage, arr-interconnect, nginx description updated to mention ACME. Remove omnisearch, add cachyos kernel to flake inputs table. - cloudflare-ddns.md: document shared token usage with ACME, note Zone:Zone:Read permission requirement. - Delete go2rtc-readme.md (documented Docker setup, now native NixOS). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:42:19 +01:00			`- Zone : Zone : Read`
			`- Zone : DNS : Edit`
Create cloudflare-ddns.md 2026-02-15 06:24:20 +00:00
Update docs: add new services to readme, remove obsolete go2rtc-readme - readme.md: add authelia, fail2ban, homepage, arr-interconnect, nginx description updated to mention ACME. Remove omnisearch, add cachyos kernel to flake inputs table. - cloudflare-ddns.md: document shared token usage with ACME, note Zone:Zone:Read permission requirement. - Delete go2rtc-readme.md (documented Docker setup, now native NixOS). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:42:19 +01:00			`Both permissions are required — Zone:Read for ACME to locate the zone, DNS:Edit for DDNS updates and ACME challenge TXT records.`
Create cloudflare-ddns.md 2026-02-15 06:24:20 +00:00
Update docs: add new services to readme, remove obsolete go2rtc-readme - readme.md: add authelia, fail2ban, homepage, arr-interconnect, nginx description updated to mention ACME. Remove omnisearch, add cachyos kernel to flake inputs table. - cloudflare-ddns.md: document shared token usage with ACME, note Zone:Zone:Read permission requirement. - Delete go2rtc-readme.md (documented Docker setup, now native NixOS). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:42:19 +01:00			Copy the token to `/var/secrets/cloudflare-token`.