בס״ד

Camera fix — Cloudflare Tunnel (the secure way, per the 6/1 audit)

docs/CAMERA_TUNNEL_PLAN.md · last changed (pre-VM history) · rendered from GitHub master

Sam hardened the NVR (moved it off port 8500, HTTPS only, login lockout) — correctly, per SECURITY_AUDIT_2026-06-01. That broke the old plain-HTTP :8500 path the portal used. This is the fix the audit recommended: a Cloudflare Tunnel, so the camera feeds reach the portal with NO open port on the home router, behind a valid certificate, and reachable from the Worker. Planned 2026-06-24.

Why this fixes everything

What it needs

One always-on device on the home "Cookies" WiFi running cloudflared (the tunnel daemon):
- Best: a ~$100 mini-PC or Raspberry Pi (also becomes the Home Assistant hub later for full live video).
- Works today: any always-on computer on the home network (a Surface that stays on).

Steps

Sam (one-time, ~15 min):
1. Cloudflare dashboard → Zero Trust → Networks → Tunnels → Create a tunnel → name treitel-cameras. It shows an install command + token.
2. On the home device: install cloudflared (paste the command). It connects out — no port-forward.
3. In the tunnel → Public Hostname → add: cam.hookstreetservices.com → Service: HTTPS → 192.168.4.47:443 → Additional settings → No TLS Verify: ON (for the NVR's self-signed cert; this only relaxes the LAN hop from cloudflared to the NVR, the public side still gets a valid Cloudflare cert).
4. (After it works) delete the eero 8500 + 8501 port-forwards — no longer needed, fully closes the exposure.

Claude:
5. Repoint /camera/snapshot (NVR_HOST) + cameras.html from the eero-DDNS:port to cam.hookstreetservices.com (https, no port).
6. Verify all 7 cams render. Then the family/Chanie pages light up too.
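For reference, this is what step 3 looks like as a locally-managed cloudflared config.yml (an added example, not a file in this repo; the dashboard/token flow in the steps above needs no config file). The tunnel UUID and credentials path are placeholders.

```yaml
# Added example, not the repo's own file. <TUNNEL-UUID> and the
# credentials path are placeholders for a locally-managed tunnel.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Public hostname from step 3 -> the hardened NVR over HTTPS on the LAN.
  - hostname: cam.hookstreetservices.com
    service: https://192.168.4.47:443
    originRequest:
      # The NVR presents a self-signed cert, so cloudflared would otherwise
      # refuse the origin handshake. This only relaxes the LAN hop
      # (cloudflared -> NVR); browsers still see Cloudflare's valid edge cert.
      # Stricter alternative: export the NVR cert and point caPool at it,
      # then leave noTLSVerify off.
      noTLSVerify: true
  # cloudflared requires a catch-all last rule: anything that is not the
  # camera hostname gets a 404 instead of being forwarded to the LAN.
  - service: http_status:404
```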

Net result

Cameras live on every page, no open ports, valid cert, login-lockout intact — secure and working, exactly what the audit wanted. Guardian keeps working throughout (independent).

Source trail · docs/CAMERA_TUNNEL_PLAN.md @ master · rendered 2026-07-02 7:23 PM EDT by scripts/build-docs.py · the .md in the repo is the truth; this page is the phone-readable view