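---
# Cloudflare Tunnel Configuration for the Mac Mini production server.
#
# This file is the SINGLE SOURCE OF TRUTH for which public hostnames
# the tunnel exposes. The cloudflared launchd plist is started with
# `--config run` so any change here is one `git pull` +
# `launchctl kickstart -k gui/501/com.cloudflare.cloudflared` away
# from being live in production.
#
# Security note: this file only maps hostnames to local origins.
# cloudflared itself performs no authentication — every hostname listed
# below is reachable from the public Internet unless a Cloudflare Access
# policy (managed in the Zero Trust dashboard, NOT in this file) or the
# origin service itself enforces one. Check that before adding a
# hostname for an internal, admin or alpha-only surface.
#
# Adding a new public hostname:
#   1. Append the hostname / service line below in the matching section
#   2. Make sure the corresponding Cloudflare DNS record exists (the
#      tunnel needs the hostname pointing at its CNAME — see
#      `cloudflared tunnel route dns <tunnel> <hostname>` if not)
#   3. Run `./scripts/mac-mini/sync-tunnel-config.sh` to copy this file
#      onto the Mac Mini and reload cloudflared
#   4. Verify with `curl -sI https://<hostname>/health` (or the route's
#      equivalent) — expect a non-404 status line
#
# Removing a hostname: same steps, just delete the lines.
#
# Catch-all at the bottom returns http_status:404 for any hostname
# Cloudflare routes here that we don't have an explicit ingress rule
# for. This is the desired failure mode.

tunnel: 1435166a-0e3f-4222-8de6-744f32cea5c9
# Tunnel credentials live outside the repo on the Mini; keep this file
# readable only by the cloudflared user and never commit the JSON.
credentials-file: /Users/mana/.cloudflared/1435166a-0e3f-4222-8de6-744f32cea5c9.json

ingress:
  # ============================================
  # SSH (requires cloudflared on the client)
  # ============================================
  # The tunnel only forwards TCP; SSH's own key authentication (and any
  # Access policy on this hostname) is the only gate in front of port 22.
  - hostname: ssh.mana.how
    service: ssh://localhost:22

  # ============================================
  # Unified Mana Web App (Port 5000)
  # ============================================
  # Every per-product subdomain points at the same SvelteKit container.
  # The container's hooks.server.ts reads the host header and renders
  # the matching module surface. mana.how itself is the dashboard.
  # verein.mana.how and design.mana.how are the exceptions in this
  # block: they go to their own containers on :3088 / :3089.
  - hostname: mana.how
    service: http://localhost:5000
  - hostname: verein.mana.how
    service: http://localhost:3088
  - hostname: design.mana.how
    service: http://localhost:3089

  # ============================================
  # mana e.V. association landing (public domains)
  # mana-ev.ch is the canonical domain (Swiss association in formation).
  # .com/.de/.at + all www variants 301-redirect to https://mana-ev.ch
  # via mana-infra-landings (nginx :4400). DNS routes per hostname are
  # created once via `cloudflared tunnel route dns 1435166a-... <hostname>`.
  # ============================================
  - hostname: mana-ev.ch
    service: http://localhost:3088
  - hostname: www.mana-ev.ch
    service: http://localhost:4400
  - hostname: mana-ev.com
    service: http://localhost:4400
  - hostname: www.mana-ev.com
    service: http://localhost:4400
  - hostname: mana-ev.de
    service: http://localhost:4400
  - hostname: www.mana-ev.de
    service: http://localhost:4400
  - hostname: mana-ev.at
    service: http://localhost:4400
  - hostname: www.mana-ev.at
    service: http://localhost:4400

  # ============================================
  # Unified Mana Web App (Port 5000), continued
  # ============================================
  - hostname: chat.mana.how
    service: http://localhost:5000
  - hostname: todo.mana.how
    service: http://localhost:5000
  - hostname: calendar.mana.how
    service: http://localhost:5000
  - hostname: clock.mana.how
    service: http://localhost:5000
  - hostname: contacts.mana.how
    service: http://localhost:5000
  - hostname: quotes.mana.how
    service: http://localhost:5000
  - hostname: skilltree.mana.how
    service: http://localhost:5000
  - hostname: plants.mana.how
    service: http://localhost:5000
  # cardecky.mana.how → standalone Cardecky SvelteKit container (apps/cards/apps/web).
  # Was pointed at :5000 (the unified mana-web) until the standalone spinoff
  # landed. mana.how/cards still serves the in-mana cards module.
  - hostname: cardecky.mana.how
    service: http://localhost:5181
  - hostname: storage.mana.how
    service: http://localhost:5000
  - hostname: presi.mana.how
    service: http://localhost:5000
  - hostname: food.mana.how
    service: http://localhost:5000
  - hostname: photos.mana.how
    service: http://localhost:5000
  - hostname: mukke.mana.how
    service: http://localhost:5000
  - hostname: picture.mana.how
    service: http://localhost:5000
  - hostname: calc.mana.how
    service: http://localhost:5000
  - hostname: citycorners.mana.how
    service: http://localhost:5000
  - hostname: inventar.mana.how
    service: http://localhost:5000
  - hostname: times.mana.how
    service: http://localhost:5000
  - hostname: uload.mana.how
    service: http://localhost:5000
  # memoro.mana.how used to be routed from this block; its rule now lives
  # in the Memoro section further down (see the note there).
  - hostname: context.mana.how
    service: http://localhost:5000
  - hostname: questions.mana.how
    service: http://localhost:5000
  - hostname: moodlit.mana.how
    service: http://localhost:5000

  # ============================================
  # Auth (split: portal UI :3042, API :3001)
  # ============================================
  # /api/* goes directly to mana-auth (Hono/Bun, JWT issuance, Better Auth).
  # Everything else (login, register, reset, verify-email) → mana-auth-web (SvelteKit).
  # mana-auth-web runs on host port 3042 (3002 is taken by legacy mana-credits).
  # Order matters: more specific path rules first.
  # NOTE(review): cloudflared treats `path` as a regular expression. If the
  # match is unanchored (Go regexp.MatchString semantics), `/api/.*` also
  # matches paths that merely contain `/api/`, e.g. `/login/api/x`, and
  # sends them to the API. Anchoring it as `^/api/` is the safer form —
  # confirm against the cloudflared version in use before changing.
  - hostname: auth.mana.how
    path: /api/.*
    service: http://localhost:3001
  - hostname: auth.mana.how
    service: http://localhost:3042

  # ============================================
  # Unified Backend API (Hono/Bun, port 3060)
  # ============================================
  # apps/api hosts every product compute module (calendar, chat,
  # picture, planta, news, who, …) under /api/v1/{module}/*. The
  # unified web app's PUBLIC_MANA_API_URL_CLIENT points here.
  - hostname: mana-api.mana.how
    service: http://localhost:3060

  # ============================================
  # mana-ai — background AI Mission Runner
  # ============================================
  # Serves the user-facing decrypt-audit endpoint
  # /api/v1/me/ai-audit that powers the Workbench "Datenzugriff" tab.
  # The background tick loop + /metrics stay internal; only the
  # JWT-gated user endpoint is public.
  # NOTE(review): no ingress rule follows this header. Either the endpoint
  # is reached through another hostname (mana-api.mana.how?) or the entry
  # was dropped — confirm before relying on it being public.

  # ============================================
  # API Gateway (Go)
  # ============================================
  # Older gateway in front of the per-service compute layer. New
  # services should go directly through mana-api above; this gateway
  # only handles legacy entry points.
  - hostname: api.mana.how
    service: http://localhost:3016

  # ============================================
  # Forgejo (Git + CI/CD)
  # ============================================
  - hostname: git.mana.how
    service: http://localhost:3030

  # ============================================
  # Standalone microservices
  # ============================================
  - hostname: uload-api.mana.how
    service: http://localhost:3070
  - hostname: media.mana.how
    service: http://localhost:3011
  - hostname: llm.mana.how
    service: http://localhost:3025
  - hostname: sync.mana.how
    service: http://localhost:3010
  - hostname: credits.mana.how
    service: http://localhost:3002
  - hostname: subscriptions.mana.how
    service: http://localhost:3063
  - hostname: events.mana.how
    service: http://localhost:3065
  # Federation backbone (Phase F deployed 2026-05-08)
  - hostname: share.mana.how
    service: http://localhost:3072
  - hostname: mcp.mana.how
    service: http://localhost:3069
  - hostname: cardecky-api.mana.how
    service: http://localhost:3191
  - hostname: feedback.mana.how
    service: http://localhost:3064

  # ============================================
  # mana e.V. platform (Code/mana, separate repo)
  # Lives under ~/projects/mana-platform/ on the Mac Mini, deployed via
  # infrastructure/docker-compose.macmini.yml. Coexists with this stack.
  # ============================================
  # Admin surface: this rule alone makes it world-reachable; the gate has
  # to be an Access policy on the hostname and/or auth in the app itself.
  - hostname: admin.mana.how
    service: http://localhost:3071
  # Verdaccio @mana/* npm registry. Standalone compose project under
  # ~/projects/verdaccio/ on the Mini (storage + htpasswd survive in the
  # bind mount). Phase 2f-1 had moved this to the GPU box, but the
  # storage volume never arrived there — rolled back on 2026-05-07,
  # Mini remains the single source.
  - hostname: npm.mana.how
    service: http://localhost:4873

  # ============================================
  # Memoro (Code/memoro, separate repo)
  # ~/projects/memoro-deploy/ on the Mac Mini.
  # ============================================
  # memoro.mana.how moved off the unified mana web app (5000) to the
  # Memoro Astro landing container (Code/memoro/apps/landing → :3120) on
  # 2026-05-06. The standalone Memoro stack is memoro-api/audio below;
  # the landing is the public marketing site.
  # NB: keep this entry in the Memoro section, not the unified-app block.
  - hostname: memoro.mana.how
    service: http://localhost:3120
  # Web app (SvelteKit static SPA). Lives next to memoro-api/memoro-audio
  # at first-level subdomain depth so Cloudflare Universal SSL covers it.
  - hostname: memoro-app.mana.how
    service: http://localhost:3130
  - hostname: memoro-api.mana.how
    service: http://localhost:3110
  - hostname: memoro-audio.mana.how
    service: http://localhost:3101

  # ============================================
  # Zitare (Code/zitare, separate repo)
  # ~/projects/zitare-deploy/ on the Mac Mini (planned — Phase 1.6).
  # Ports per mana/docs/PORTS.md: 3083 api / 3084 app / 3085 com.
  # zitare.com is a separate Cloudflare zone; tunnel route for that
  # hostname must be added via `cloudflared tunnel route dns
  # 1435166a-0e3f-4222-8de6-744f32cea5c9 zitare.com` (one-time).
  # ============================================
  - hostname: zitare.com
    service: http://localhost:3085
  - hostname: zitare.mana.how
    service: http://localhost:3084
  - hostname: zitare-api.mana.how
    service: http://localhost:3083

  # Nutriphi (Code/nutriphi, separate repo)
  # ~/projects/nutriphi/ on the Mac Mini.
  # Ports per mana/docs/PORTS.md: 3086 api / 3087 web.
  - hostname: nutriphi.mana.how
    service: http://localhost:3087
  - hostname: nutriphi-api.mana.how
    service: http://localhost:3086

  # manawald — sketchbook + mini-app incubator (Code/manawald, separate repo).
  # Port 3090 per mana/docs/PORTS.md. Alpha only, not public.
  # NOTE(review): "not public" is not enforced by this file — the rule below
  # exposes the hostname like any other. If the intent is alpha-only access,
  # that must come from an Access policy on manawald.mana.how or from the app.
  - hostname: manawald.mana.how
    service: http://localhost:3090

  # Manaspur (GPS tracking) — Code/manaspur + Code/manaspur-native.
  # ~/projects/manaspur/ on the Mac Mini. Port 3193 api / 5183 web.
  # Phase 8 cutover 2026-05-13. Web arrives with Phase 6 — the hostname
  # is pre-registered DNS-only, the service returns 502 for now (that is
  # fine, nothing points at it yet).
  - hostname: manaspur.mana.how
    service: http://localhost:5183
  - hostname: manaspur-api.mana.how
    service: http://localhost:3193

  # ============================================
  # Standalone web apps (separate containers)
  # ============================================
  - hostname: playground.mana.how
    service: http://localhost:5050
  - hostname: manavoxel.mana.how
    service: http://localhost:5028

  # ============================================
  # Who? Game (standalone Bun stack, native on the Mac Mini under PM2)
  # Source: ~/projects/who/, deploy doc: who/docs/MAC_MINI_DEPLOY.md
  # ============================================
  - hostname: who.mana.how
    service: http://localhost:5092
  - hostname: who-api.mana.how
    service: http://localhost:3092

  # ============================================
  # Self-hosted landing pages (Nginx on port 4400)
  # ============================================
  # Cardecky migration: old hostnames → nginx 301 redirect (2026-05-08).
  - hostname: cards.mana.how
    service: http://localhost:4400
  - hostname: cards-api.mana.how
    service: http://localhost:4400
  # cardecky.com marketing landing — DNS in the cardecky.com Cloudflare
  # zone points at this tunnel; nginx block in docker/nginx/landings.conf.
  - hostname: cardecky.com
    service: http://localhost:4400
  - hostname: it.mana.how
    service: http://localhost:4400
  - hostname: chats.mana.how
    service: http://localhost:4400
  - hostname: pics.mana.how
    service: http://localhost:4400
  - hostname: quotess.mana.how
    service: http://localhost:4400
  - hostname: presis.mana.how
    service: http://localhost:4400
  - hostname: clocks.mana.how
    service: http://localhost:4400
  - hostname: docs.mana.how
    service: http://localhost:4400

  # ============================================
  # Monitoring & observability
  # ============================================
  # (no public hostnames at the moment — section kept as a placeholder)

  # ============================================
  # GPU services (NOT in this tunnel)
  # ============================================
  # gpu-llm / gpu-stt / gpu-tts / gpu-img / gpu-video / gpu-ollama
  # are served by a SEPARATE cloudflared tunnel running on the Windows
  # GPU box itself (`mana-gpu-server` tunnel ID 83454e8e-...). Routing
  # them via the Mac Mini's tunnel would cause DNS routing conflicts
  # because each Cloudflare DNS CNAME can only point at one tunnel.

  # ============================================
  # Catch-all (returns 404 for any unmapped hostname)
  # ============================================
  # Must stay last: cloudflared rejects a config whose final rule has a
  # hostname, and anything routed here without a matching rule above ends
  # up as a plain 404 rather than reaching some origin by accident.
  - service: http_status:404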