Session with Claude (Sonnet 4.6) covering DDNS configuration, TLS certificate
setup, and Caddy reverse proxy deployment. Result: https://www.cornillaud.com
is live and serving the n8n UI with a valid Let’s Encrypt certificate.
DDNS
Established that the home WAN IP is dynamic and needs to be kept current in DNS. Cloudflare is already the registrar and DNS provider for cornillaud.com.
Steps taken:
- Created an A record for www in Cloudflare DNS (TTL 1 minute, DNS only / grey cloud)
- Created a scoped Cloudflare API token: “Edit zone DNS”, permissions Zone → DNS → Edit, scoped to cornillaud.com only
- Stored the token in 1Password Lab vault under the Cloudflare item
- Configured the UDM Pro SE built-in DDNS client (Settings → Internet → WAN → Dynamic DNS) with Service: Cloudflare, Hostname: www, Domain: cornillaud.com, using the API token as the password
The www A record updated to the current WAN IP on first check — confirmed in the
Cloudflare DNS dashboard.
Design decision: only www is maintained by DDNS. Future subdomains (n8n,
home, etc.) will be CNAME records pointing to www.cornillaud.com, inheriting
the current IP automatically.
Caddy reverse proxy
Decided to run Caddy on the n8n Pi (10.20.0.7) as the single TLS-terminating entry point for all inbound HTTPS traffic.
New files committed to main (commit 98b9c3b):
- lab/services/caddy/docker-compose.yml — Caddy service definition; joins proxy Docker network; binds ports 80 and 443
- lab/services/caddy/Caddyfile — routes www.cornillaud.com → n8n:5678; future subdomains stubbed as comments
- lab/services/caddy/pre-deploy.sh — creates the shared proxy Docker network if absent (idempotent)
n8n compose updated:
- Port 5678 now bound to 127.0.0.1 only (no direct internet exposure)
- N8N_PROTOCOL, WEBHOOK_URL, N8N_SECURE_COOKIE defaulted to HTTPS values
- n8n container joined to the proxy Docker network so Caddy can reach it by container name
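A post-deploy check for the loopback-only binding described above, as an added example that is not part of the session's committed files: it parses `docker port` output and reports any host address other than loopback for a given container port. The function names and sample lines are constructed, and the container name n8n is an assumption taken from the Caddyfile upstream n8n:5678.

```shell
#!/bin/sh
# Added example (not from the repo): flag container ports that Docker has
# published on a non-loopback host address.
# Input is the text printed by `docker port <container>`, one binding per line:
#   5678/tcp -> 127.0.0.1:5678

# non_loopback_bindings PORT
# Reads `docker port` lines on stdin. Prints each host address bound to
# container port PORT that is not loopback. Returns 1 if any were found.
non_loopback_bindings() {
    awk -v want="$1" '
        {
            split($1, cp, "/")            # "5678/tcp" -> cp[1] = "5678"
            if (cp[1] != want) next       # ignore other container ports
            host = $3                      # e.g. "0.0.0.0:5678" or "[::]:5678"
            sub(/:[0-9]+$/, "", host)     # drop the trailing :hostport
            gsub(/\[|\]/, "", host)       # drop IPv6 brackets
            if (host ~ /^127\./ || host == "::1") next
            print host
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# check_container NAME PORT
# Live check; assumes the docker CLI is on PATH and NAME is a running container.
check_container() {
    docker port "$1" | non_loopback_bindings "$2"
}

# Constructed sample inputs (not captured from the real host).
SAMPLE_HARDENED='5678/tcp -> 127.0.0.1:5678'
SAMPLE_EXPOSED='5678/tcp -> 0.0.0.0:5678
5678/tcp -> [::]:5678'

# Example run on the Pi (container name assumed):
#   check_container n8n 5678 || echo "n8n is reachable without going through Caddy"
```

The check matters on the LAN as well as the WAN side: a port published on 0.0.0.0 lets any host that can route to 10.20.0.7 reach n8n over plain HTTP, bypassing Caddy's TLS termination.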
UDM Pro SE port forwards added (Settings → Firewall & Security → Port Forwarding):
- WAN 80 → 10.20.0.7:80
- WAN 443 → 10.20.0.7:443
Deployment:
./provision-service.sh --env prod --host <n8n-host> --service caddy
./provision-service.sh --env prod --host <n8n-host> --service n8n
Caddy obtained the Let’s Encrypt certificate on startup. https://www.cornillaud.com
loads the n8n UI with a valid certificate.
Documentation added
- 40-Services/Caddy.md — new service note
- 40-Services/Cloudflare.md — added DNS management, DDNS, and API tokens sections
- A20-MetaDoc/HTTPS and DDNS Setup.md — reference doc covering architecture, how DDNS and Let’s Encrypt work, port forward configuration, and how to add new subdomains
Next steps
- Configure OAuth in n8n (requires the HTTPS webhook URL now in place)
- Add n8n.cornillaud.com and home.cornillaud.com as CNAME records and corresponding Caddyfile blocks when those services are ready to be exposed