jeff/portioner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: Add Cloudflare Zero Trust security instructions for Webtop

Browse Source
This commit is contained in:
Jeff Cheng
2026-02-22 20:42:52 -05:00
parent d802c80053
commit 7c0816019b
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
webtop/SETUP.md
View File

@@ -41,3 +41,23 @@ Webtop provides a full Linux desktop environment (Ubuntu XFCE) directly in your
1. **Persistent Data**: Everything saved strictly within the virtual `~` or `/config` directory is retained. If you want to access your real NAS files (like your ebooks or movies) from inside this desktop, you can uncomment and map `/volume1/media` in the `docker-compose.portainer.yml` file.
2. **Security Opt**: The `seccomp:unconfined` flag is enabled. This is required to run multi-process modern browsers (like Google Chrome or Firefox) natively *inside* the container without crashing.
3. **Execution User**: Unlike some custom containers, Linuxserver.io images (like Webtop) handle user switching natively inside the container. Do not forcefully apply the `user:` directive in Docker Compose, as it will break the container's boot process which relies on root purely to set permissions before downgrading to the PUID/PGID.
## 5. Security: Cloudflare Zero Trust (Required for Internet Exposure)
> [!CAUTION]
> The Webtop container gives anyone who accesses it a passwordless root terminal (`sudo`) *within* the container. You **must not** expose this to the public internet (e.g., via Cloudflare Tunnel) without an authentication layer in front of it.
If you are routing `webtop.chengs.uk` through a Cloudflare Tunnel, follow these steps to secure it with Cloudflare Access:
1. Go to your **Cloudflare Zero Trust** Dashboard (`one.dash.cloudflare.com`).
2. Navigate to **Access** -> **Applications** and click **Add an Application**.
3. Choose **Self-hosted**.
4. **Application Configuration**:
- **Application Name**: Webtop NAS
- **Subdomain**: `webtop`
- **Domain**: `chengs.uk`
5. **Add a Policy**:
- **Policy Name**: Allow Admin Only
- **Action**: Allow
- **Include**: Select **Emails** and type your personal email address (e.g., `your-email@gmail.com`).
6. Save the application.
Now, when you visit `webtop.chengs.uk`, you will be intercepted by a Cloudflare login screen. Cloudflare will email you a one-time pin, verifying your identity before you are allowed to reach the Webtop desktop.