Indeed you can. When a user makes a request, it is sent to Cloudflare, which then routes it to your server through the tunnel. The traffic can be encrypted while in transit to Cloudflare, ensuring that their network does not inspect or decrypt the contents. Once the encrypted traffic reaches your server, you handle decryption using your own application logic. Only your server has the keys to decrypt the data, so Cloudflare remains blind to any sensitive information.

I self host Navidrome, and after deploying one or two companion apps for Navidrome, I’m right now digging Substreamer. I have never heard of Tempus, so I have added it to the ‘apps to try’ list. One of the features of Substreamer that I really enjoy is the Playlist Builder. Substreamer apparently goes through your collection and pre-creates playlists based on commonalities like genre, tags, etc. Let’s say that you click on the Blues playlist. It then has the Blues master playlist broken down into All Time, Recent, 2010+, etc. After you listen to/edit the playlist, you can save it to Navidrome. I find this feature to be quite handy and it just works very well for me. Not only can I physically make playlists in Navidrome, but in Substreamer automatically as well.

Saying all of that to say, does Tempus have any such feature? Like I said, I’ve never heard of Tempus, which really doesn’t mean much, but it looks very well put together. I’m sure OP didn’t set out to make Tempus a Substreamer copycat, I just find that one feature of Substreamer very handy.

I’m an expert at nothing, however, the following is how I understand the relationship between your origin server and Cloudflare Tunnels/Zero Trust services. I stand by to be schooled:

• Traffic between your origin server and Cloudflare’s edge is always encrypted (with outbound only connections via cloudflared daemon). That protects against eaves dropping on the wire between your origin server and Cloudflare.
• Traffic between end users/clients and Cloudflare’s edge is encrypted (via HTTPS/TLS).
• However, Cloidflare acts as a proxy, similar to a reverse proxy. For standard HTTP/HTTPS services. Cloudflare terminates TLS decrypts at their edge to apply features like WAF, DDoS protection, caching, or Zero Trust policies. They then reencrypt and forward the traffic to your origin server. This means Cloudflare can see the plaintext content of your traffic in transit through their network.
• If you expose non-HTTP protocols that are end 2 end encrypted by design (e.g., SSH, RDP, or VPN protocols like WG/OVPN), and you tunnel them thru Cloudflare Tunnel without Cloudflare terminating the encryption, the application slayer data remains encrypted end 2 end. Cloudflare only sees encrypted blobs which they can’t decrypt without the keys.
• Utilizing Tailscale on the origin server creates a mesh VPN using WG. It encryps all traffic directly between devices. P2P when possible, or encrypted relays. Your data is encrypted on the source device and only decrypted on the destination device. Neither Tailscale’s coordination servers nor Cloudflare can decrypt it.

If this is inaccurate, please do EILI5. I’m always down to learn.

In what way am I the product when using CloudFlare’s free tier?

I realize the name of the game is to protect as much of your data as possible, however, unless you have your own ISP/backbone, you are, at some point, the product. I utilize the evil Cloudflare Tunnels/Zero Trust. For last month, I used 375.28 GiB. I don’t run the 'arr stack tho. I do, however, stream my own audio collection via Navidrome. I have had zero issues with the evil Cloudflare Tunnels/Zero Trust, except for a brief pause while Cloudflare had some issues last month. Other than that, smooth sailing. I also have tailscale as an overlay on the server and on the stand alone pfsense firewall, which has a very robust set of rules and heavy filtering going on.

Is there another way

There are always other ways. Pangolin, et al. It just depends on you, and what you want to put in to get out of it all. If you are going this route, investigate a WAF like Crowdsec, or similar, and you might want to look at pfsense or opnsense.

I was hoping for an answer. I think OP is saying that the backends are not persistent. So each time data is written or accessed, the backend may be dynamically created or modified. Guessing in lieu of OP’s response. However, the OP’s account is 6 hours old so…

It was a load of fun.

I’m not sure if NextDoor is available in your area but a lot of people dig that sort of thing. Maybe you could put the word out leveraging NextDoor along with some posters around the neighborhood…

I was rather green then, and when I got the nastygram, the host had already shut things down because it was reeking havoc. So I never really got to observe and I didn’t want to light that candle again. I just wiped it…started studying, and when I felt comfortable, I gave it another go.

I sure haven’t seen any nay sayers. Just some people giving advice, and sharing their experiences.

Sure. It wasn’t a dig against OG Watchtower, it was just that it ceased to work correctly for me, and I sought other options. Whomever produces selfh.st does have a bit of sarcastic wit to his writing that I kind of like anyways. When speaking about GitHub, he threw out another zinger: ‘Cue the intense backlash from users who hate paying for things’. So, I just think it is his writing style. I didn’t get all hung up on it.

Oh this one here will keep you from having a seizure everyday, but you’ll shit your pants every 30 minutes. So the choice is, do you want to roll around on the ground looking like you’re trying out a weird pop-lock break dance, trying to eat your tongue, or do you just want to crap your pants on a regular basis. You pick.

Hey thank you very much for the tip. I have bookmarked it. I feel better knowing it is going to be maintained.

My issue was that Watchtower would sporadically just fumble the update, making re-deployment sometimes necessary. It wasn’t a tag issue. At least none that I could see. Of course, the possibility exists that I could just very well be a dumbass. I just assumed that to be the Docker updates that have happened over the past year, and, without any new code, it just broke. There was a recent Docker/Portainer issue. It happens.

I either read somewhere or someone tipped me off to the fork. I can only speak for my network, but the fork did the trick. Have had zero issues, and I’ve been using it for a good while. Now, I notice that Watchtower fork hasn’t been updated in 6 months. I guess it’s either been abandoned again or there just hasn’t been a need to do so.

Same. No issues.

I mean, there can be some serious consequences, especially if your server starts attacking other servers. They don’t take that shit lightly.

I remember the first Linux server I stood up on a VPS. It got thoroughly hacked almost immedietly. Not only did they hack the server, they set up attack vectors on other servers…aaaand a bitcoin miner. Got up that morning, checked mail, and there was a nastygram from my host wanting to know WTF over. Since then, I did a ton of reading, took a couple basic online courses for my own edification. I now tend to go overboard on security now days if that is possible. I’ve been told my set up is way over engineered. However, it’s been ticking along these many, many years now without issue. Also, since I am the only user of my network, it’s a little easier to lock down. Users create complexities and complexities cause issues.

I’m sure you have done the leg work in bolstering your knowledge base in setting up your first VPS server, but as others have said, beware. It reminds me of the movie Constantine, where just beyond light, in the shadows, lurk thousands and thousands of demons. They are sophisticated bots too, and are quite autonomous.

Authentik

In my reading, tho I don’t run it, VoidAuth is supposed to be lighter than Authentik. Do you have a directive or purpose sketched out for your server? What you want to accomplish, etc?

VPN (At least for local-to-VPS connection, but possibly also for external clients?)

Tailscale is my choice for my VPN overlay on the server. I also use the evil Cloudflare Tunnel/Zero Trust. All devices also run their own VPN.

I have played around with Cosmos. Pretty neat little package, especially for someone just starting out. I can’t speak to it’s performance, but I read glowing reviews. YunoHost would be in that category as well, with a very large app catalog.

Looks like you are heading in the right direction.

Factorio

only old people use computers.

I feel assaulted.

Hmmmm, I did not know that existed. I’ll check it out.

be aware though that if you are not using https

Most definitely using https. I’ll give it a go and see what shakes out. Thanks for the help. I’ll report back.