# Private Docs Access — Cloudflare Access Setup
Date: 2026-04-07
Context: GitHub repo ajhermosilla/homelab was made private on 2026-04-07 after a series of sensitive content leaks. The Cloudflare Pages site at docs.cronova.dev is still publicly accessible because Cloudflare Pages serves the rendered output regardless of source repo visibility. This runbook gates docs.cronova.dev behind Cloudflare Access (Zero Trust) so only the owner can read it.
## Why Cloudflare Access
- Free up to 50 users on the Zero Trust Free plan.
- No infrastructure changes — keeps the existing CF Pages → custom domain setup.
- Multiple identity providers — Google, GitHub, one-time PIN to email, etc.
- Per-app policies — can gate `docs.cronova.dev` without touching other Cloudflare-fronted services.
## Setup Steps
### 1. Open Cloudflare Zero Trust dashboard
Go to https://one.dash.cloudflare.com/ and sign in with the Cloudflare account that owns cronova.dev. If this is the first time using Zero Trust, accept the free plan (no card required for ≤50 users).
### 2. Add an identity provider (if not already configured)
Settings → Authentication → Login methods → Add new.
Recommended: One-time PIN (zero setup, sends a code to your email). Or: Google (smoother flow if you use Google Workspace).
### 3. Create the Access application
Access → Applications → Add an application → Self-hosted.
| Field | Value |
|---|---|
| Application name | docs.cronova.dev |
| Session duration | 24 hours (or longer if you trust the device) |
| Application domain | docs.cronova.dev |
| Path | leave empty (gates the entire site) |
| Identity providers | the one configured in step 2 |
### 4. Add an access policy
On the same application, add a policy:
| Field | Value |
|---|---|
| Policy name | owner-only |
| Action | Allow |
| Rules | Include → Emails → augusto@cronova.dev |
(If you want family or trusted users to access the docs, add their emails here too.)
### 5. Save and verify
- Open `https://docs.cronova.dev/` in an incognito browser: it should redirect to the Cloudflare Access login page
- Enter your email → receive PIN → enter PIN → site loads
- From a normal browser already logged in: the site should load directly
### 6. Optional — block IPs that bypass via Page Rules
If docs.cronova.dev has any Page Rules that bypass cache or rewrite paths in a way that exposes content, double-check those don't bypass Access. Default CF Pages + Access setup is fine.
## Verification Checklist
- [ ] Anonymous incognito browser → `docs.cronova.dev` → redirected to Access login
- [ ] After auth → site loads normally
- [ ] `curl -sS https://docs.cronova.dev/` from a non-authenticated host → returns the Access login HTML, not the site content
- [ ] GitHub mirror still updates (push a small commit and verify CF Pages rebuilds)
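A small helper for the `curl` item in the checklist, added here as an example rather than taken from the runbook: it makes one request without following redirects and classifies what an unauthenticated client sees, so the check can run from cron or CI instead of by eye. It assumes `curl` is installed; the team name `example-team` used in the comments is a constructed placeholder.

```shell
#!/usr/bin/env sh
# Added example (not part of the original runbook). Assumes curl is installed.
# A real Access redirect points at https://<your-team>.cloudflareaccess.com/...;
# "example-team" below is a constructed placeholder for that team name.

# classify_response STATUS LOCATION
# Decides what an unauthenticated request saw:
#   gated   - redirect to the Cloudflare Access login endpoint, as expected
#   public  - origin answered 200 directly, i.e. Access is NOT in front of the site
#   unknown - anything else (other redirects, 4xx/5xx), needs a manual look
classify_response() {
  case "$1" in
    302|303|307)
      case "$2" in
        https://*.cloudflareaccess.com/cdn-cgi/access/*) echo gated ;;
        *) echo unknown ;;
      esac ;;
    200) echo public ;;
    *) echo unknown ;;
  esac
}

# probe URL: one GET without following redirects (no -L), body discarded,
# then classify from the status code and the Location target curl recorded.
# Example gated response: "302 https://example-team.cloudflareaccess.com/cdn-cgi/access/login/docs.cronova.dev?..."
probe() {
  resp=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "$1") || return 2
  classify_response ${resp%% *} "${resp#* }"
}

# Usage: sh check-access.sh https://docs.cronova.dev/
# Exit status is 0 only when the site is gated.
if [ -n "$1" ]; then
  result=$(probe "$1")
  echo "$1 -> $result"
  [ "$result" = gated ]
fi
```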
## Rollback
To revert (make the site public again):
- Access → Applications → `docs.cronova.dev` → Delete
- Site is publicly accessible immediately afterwards
## Related Decisions
- GitHub repo `ajhermosilla/homelab`: now private (changed 2026-04-07 via `gh repo edit --visibility private`). Forgejo push mirror is unaffected (SSH push is visibility-independent).
- Cloudflare Pages: still deploys from the now-private GitHub repo because the Cloudflare Pages GitHub App has read access. Future deploys verified working on the next PR after privatization.
- Pre-existing sensitive content (family names in `users_database.yml`, HA automations, historical incident docs): no longer urgent now that the site is gated. Can be cleaned up at leisure or left as-is.
- Sensitive content scanner (`scripts/check-sensitive-content.sh`): kept in place as a guardrail. Pre-commit and CI both still run it. Not strictly needed for a private repo, but cheap defense in depth in case the repo ever goes public again.