Camera fix — Cloudflare Tunnel (the secure way, per the 6/1 audit)
Sam hardened the NVR (off port 8500, HTTPS, login-lockout) — correctly, per SECURITY_AUDIT_2026-06-01. That broke the old plain-HTTP:8500 portal path. This is the fix the audit recommended: a Cloudflare Tunnel so the cameras reach the portal with NO open port on the home router, a valid cert, and Worker-reachable. Planned 2026-06-24.
Why this fixes everything
- No raw port-forward → close the eero 8500/8501 forwards = the #1 vulnerability gone (Hikvision NVRs are top botnet targets).
- Valid HTTPS (Cloudflare's cert) → solves the self-signed-cert wall that made the Worker fail.
- Cloudflare hostname (cam.hookstreetservices.com) → the ops-api Worker + cameras.html can reach it (it's on Cloudflare's network, same as the portal).
- The tunnel daemon dials OUT to Cloudflare — nothing inbound is opened.
What it needs
One always-on device on the home "Cookies" WiFi running cloudflared (the tunnel daemon):
- Best: a ~$100 mini-PC or Raspberry Pi (also becomes the Home Assistant hub later for full live video).
- Works today: any always-on computer on the home network (a Surface that stays on).
Steps
Sam (one-time, ~15 min):
1. Cloudflare dashboard → Zero Trust → Networks → Tunnels → Create a tunnel → name treitel-cameras. It shows an install command + token.
2. On the home device: install cloudflared (paste the command). It connects out — no port-forward.
3. In the tunnel → Public Hostname → add: cam.hookstreetservices.com → Service HTTPS → 192.168.4.47:443 → Additional settings → No TLS Verify: ON (for the NVR's self-signed cert).
4. (After it works) delete the eero 8500 + 8501 port-forwards — no longer needed, fully closes the exposure.
Claude:
5. Repoint /camera/snapshot (NVR_HOST) + cameras.html from the eero-DDNS:port to cam.hookstreetservices.com (https, no port).
6. Verify all 7 cams render. Then the family/Chanie pages light up too.
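For reference, here is what Sam's steps 1–3 look like as a locally-managed cloudflared config.yml. This is an added example, not part of the plan above and not Cloudflare's or the project's own file: the plan uses a dashboard-managed tunnel (install command + token), and a dashboard-managed tunnel ignores a local ingress section, so this file is only the review-friendly equivalent of the same settings. The tunnel UUID and credentials path are placeholders; the hostname, NVR address and No TLS Verify setting are the ones in step 3.

```yaml
# Added example: locally-managed equivalent of steps 1-3 (not the dashboard flow the plan uses).
# Placeholder UUID: the real one comes from `cloudflared tunnel create treitel-cameras`.
tunnel: 00000000-0000-0000-0000-000000000000
# Placeholder path: cloudflared writes the credentials JSON when the tunnel is created.
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Step 3: public hostname -> NVR on the home LAN over HTTPS (same values as the dashboard entry).
  - hostname: cam.hookstreetservices.com
    service: https://192.168.4.47:443
    originRequest:
      # "No TLS Verify: ON". This only relaxes the cloudflared -> NVR hop inside the LAN
      # (the NVR's self-signed cert); browsers and the Worker still get Cloudflare's valid cert.
      noTLSVerify: true
  # cloudflared requires a catch-all last rule: any other hostname gets a 404 and never reaches the NVR.
  - service: http_status:404
```

With a locally-managed tunnel the DNS record from step 3 is created with `cloudflared tunnel route dns treitel-cameras cam.hookstreetservices.com`, and the daemon is started with `cloudflared tunnel run treitel-cameras`; the dashboard flow does both for you. Two points worth keeping in mind when reviewing either form: noTLSVerify covers only the LAN hop, so the public side is still a properly validated HTTPS connection, and the hostname is publicly resolvable, so the NVR's own login and lockout remain the only gate in front of it unless an access policy is added on the Cloudflare side (not part of this plan).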
Net result
Cameras live on every page, no open ports, valid cert, login-lockout intact — secure and working, exactly what the audit wanted. Guardian keeps working throughout (independent).