From 7c0816019b6dcb44d77a04f21dad2ac44f2a46bf Mon Sep 17 00:00:00 2001 From: jfcheng Date: Sun, 22 Feb 2026 20:42:52 -0500 Subject: [PATCH] docs: Add Cloudflare Zero Trust security instructions for Webtop --- webtop/SETUP.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/webtop/SETUP.md b/webtop/SETUP.md index ac8dd94..23b6e87 100644 --- a/webtop/SETUP.md +++ b/webtop/SETUP.md 
@@ -41,3 +41,23 @@ Webtop provides a full Linux desktop environment (Ubuntu XFCE) directly in your 1. **Persistent Data**: Everything saved strictly within the virtual `~` or `/config` directory is retained. If you want to access your real NAS files (like your ebooks or movies) from inside this desktop, you can uncomment and map `/volume1/media` in the `docker-compose.portainer.yml` file. 2. **Security Opt**: The `seccomp:unconfined` flag is enabled. This is required to run multi-process modern browsers (like Google Chrome or Firefox) natively *inside* the container without crashing. 3. **Execution User**: Unlike some custom containers, Linuxserver.io images (like Webtop) handle user switching natively inside the container. Do not forcefully apply the `user:` directive in Docker Compose, as it will break the container's boot process which relies on root purely to set permissions before downgrading to the PUID/PGID. + +## 5. Security: Cloudflare Zero Trust (Required for Internet Exposure) +> [!CAUTION] +> The Webtop container gives anyone who accesses it a passwordless root terminal (`sudo`) *within* the container. You **must not** expose this to the public internet (e.g., via Cloudflare Tunnel) without an authentication layer in front of it. + +If you are routing `webtop.chengs.uk` through a Cloudflare Tunnel, follow these steps to secure it with Cloudflare Access: +1. Go to your **Cloudflare Zero Trust** Dashboard (`one.dash.cloudflare.com`). +2. Navigate to **Access** -> **Applications** and click **Add an Application**. +3. Choose **Self-hosted**. +4. **Application Configuration**: + - **Application Name**: Webtop NAS + - **Subdomain**: `webtop` + - **Domain**: `chengs.uk` +5. **Add a Policy**: + - **Policy Name**: Allow Admin Only + - **Action**: Allow + - **Include**: Select **Emails** and type your personal email address (e.g., `your-email@gmail.com`). +6. Save the application. 
+ +Now, when you visit `webtop.chengs.uk`, you will be intercepted by a Cloudflare login screen. Cloudflare will email you a one-time pin, verifying your identity before you are allowed to reach the Webtop desktop.
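Review bot: The new section makes Cloudflare Access the only gate in front of a passwordless-root desktop, but it never states that Access only sees traffic that arrives through the Tunnel, so the `## 5.` section should also say that the Webtop port must not be published on the host or reachable by any route other than the tunnel's public hostname, otherwise the login screen described in the last paragraph is simply bypassed. Two smaller additions would make the steps verifiable: under step 5, note that the `Emails` include rule only yields the "one-time pin" flow if the One-time PIN login method is enabled under the Zero Trust Settings > Authentication page, and after step 6 add a check such as "open `webtop.chengs.uk` in a private window and confirm the Cloudflare login prompt appears before any Webtop content loads". Also, the policy example uses a literal `your-email@gmail.com`; stating that the identity proven by the emailed pin is the owner of that mailbox, so the address must be one only the admin controls, would tie the policy back to the `> [!CAUTION]` block's threat.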