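---
# Cloudflare Tunnel configuration for the Mac Mini production server.
#
# This file is the SINGLE SOURCE OF TRUTH for which public hostnames
# the tunnel exposes. The cloudflared launchd plist is started with
# `--config <PATH-TO-THIS-FILE> run`, so any change here is one
# `git pull` + `launchctl kickstart -k gui/501/com.cloudflare.cloudflared`
# away from being live in production.
#
# What this file does NOT express: access control. An ingress rule only
# maps a hostname (and optionally a path regex) to a local origin. Whatever
# gates a hostname (a Cloudflare Access policy, the service's own login /
# JWT check, sshd authentication) is configured elsewhere — a rule added
# here makes the origin reachable from the public internet via the tunnel.
#
# Adding a new public hostname:
#   1. Append the hostname / service pair in the matching section below.
#   2. Make sure the corresponding Cloudflare DNS record exists (the
#      hostname must be a CNAME to this tunnel — see
#      `cloudflared tunnel route dns <TUNNEL> <HOSTNAME>` if not).
#   3. Run `./scripts/mac-mini/sync-tunnel-config.sh` to copy this file
#      onto the Mac Mini and reload cloudflared.
#   4. Verify with `curl -sI https://<HOSTNAME>/health` (or the route's
#      equivalent) — expect a non-404 status line.
#
# Removing a hostname: same steps, just delete the lines.
#
# Rules are evaluated top to bottom; the first match wins. The catch-all
# at the very bottom returns http_status:404 for any hostname Cloudflare
# routes here that has no explicit ingress rule. This is the desired
# failure mode — keep it as the LAST entry.
#
# NOTE(review): the `path` field is a regular expression and is NOT
# anchored implicitly. Anchor path rules with `^` (as the ulo.ad rules do)
# so a substring match deeper in the URL cannot select the rule.

tunnel: 1435166a-0e3f-4222-8de6-744f32cea5c9
# Tunnel credentials JSON (holds the tunnel secret) — an absolute path on
# the Mac Mini, not a file tracked alongside this config.
credentials-file: /Users/mana/.cloudflared/1435166a-0e3f-4222-8de6-744f32cea5c9.json

ingress:
  # ============================================
  # SSH (requires cloudflared on the client)
  # ============================================
  # Nothing in this file gates this hostname; whatever protects the SSH
  # origin (Cloudflare Access policy and/or sshd authentication) lives
  # outside this config — confirm before relying on it.
  - hostname: ssh.mana.how
    service: ssh://localhost:22

  # ============================================
  # Unified Mana Web App (port 5000)
  # ============================================
  # Most per-product subdomains point at the same SvelteKit container on
  # :5000. The container's hooks.server.ts reads the host header and
  # renders the matching module surface. mana.how itself is the dashboard.
  # Exceptions in this section: verein.mana.how (:3088) and design.mana.how
  # (:3089) go to separate origins.
  - hostname: mana.how
    service: http://localhost:5000
  - hostname: verein.mana.how
    service: http://localhost:3088
  - hostname: design.mana.how
    service: http://localhost:3089

  # ============================================
  # mana e.V. Verein landing pages (public domains)
  # ============================================
  # mana-ev.ch is the canonical domain (Swiss association in formation);
  # it is served by the same origin as verein.mana.how (:3088).
  # .com/.de/.at and all www variants 301-redirect to https://mana-ev.ch
  # via mana-infra-landings (nginx :4400). DNS routes are created once per
  # hostname via `cloudflared tunnel route dns 1435166a-... <HOSTNAME>`.
  - hostname: mana-ev.ch
    service: http://localhost:3088
  - hostname: www.mana-ev.ch
    service: http://localhost:4400
  - hostname: mana-ev.com
    service: http://localhost:4400
  - hostname: www.mana-ev.com
    service: http://localhost:4400
  - hostname: mana-ev.de
    service: http://localhost:4400
  - hostname: www.mana-ev.de
    service: http://localhost:4400
  - hostname: mana-ev.at
    service: http://localhost:4400
  - hostname: www.mana-ev.at
    service: http://localhost:4400

  # Unified Mana Web App, continued (:5000).
  - hostname: chat.mana.how
    service: http://localhost:5000
  - hostname: todo.mana.how
    service: http://localhost:5000
  - hostname: calendar.mana.how
    service: http://localhost:5000
  - hostname: clock.mana.how
    service: http://localhost:5000
  - hostname: contacts.mana.how
    service: http://localhost:5000
  - hostname: quotes.mana.how
    service: http://localhost:5000
  - hostname: skilltree.mana.how
    service: http://localhost:5000

  # cardecky.mana.how — cutover 2026-05-17: 301 redirect to wordeck.com
  # (via nginx mana-infra-landings :4400). Old bookmarks and browser links
  # keep working. cards-native v0.9.4 only uses cardecky-api.mana.how
  # (which stays direct) — the old app's universal links break on purpose.
  # History: was :5000 (unified mana-web), then the standalone Cardecky
  # SvelteKit container (apps/cards/apps/web); mana.how/cards still serves
  # the in-mana cards module.
  - hostname: cardecky.mana.how
    service: http://localhost:4400

  # wordeck.com — Cards rebrand (see mana/docs/playbooks/WORDECK_REBRAND.md,
  # 2026-05-17). Points at the standalone cards-web container (:5181);
  # cardecky.mana.how itself now only redirects via nginx :4400 (see above).
  - hostname: wordeck.com
    service: http://localhost:5181
  - hostname: www.wordeck.com
    service: http://localhost:5181

  - hostname: storage.mana.how
    service: http://localhost:5000
  - hostname: presi.mana.how
    service: http://localhost:5000
  - hostname: photos.mana.how
    service: http://localhost:5000
  - hostname: mukke.mana.how
    service: http://localhost:5000
  - hostname: picture.mana.how
    service: http://localhost:5000
  - hostname: calc.mana.how
    service: http://localhost:5000
  - hostname: inventar.mana.how
    service: http://localhost:5000
  - hostname: times.mana.how
    service: http://localhost:5000
  - hostname: context.mana.how
    service: http://localhost:5000
  - hostname: questions.mana.how
    service: http://localhost:5000

  # ============================================
  # Auth (split: portal UI :3042, API :3001)
  # ============================================
  # /api/* goes directly to mana-auth (Hono/Bun, JWT issuance, Better Auth).
  # Everything else (login, register, reset, verify-email) → mana-auth-web
  # (SvelteKit). mana-auth-web runs on host port 3042 (3002 is taken by the
  # legacy mana-credits). Order matters: more specific path rules first.
  # The path regex is anchored with `^` so only paths that START with /api/
  # reach the token-issuing backend; an unanchored `/api/.*` would also
  # match any UI path that merely contains "/api/".
  - hostname: auth.mana.how
    path: ^/api/.*
    service: http://localhost:3001
  - hostname: auth.mana.how
    service: http://localhost:3042

  # ============================================
  # Unified Backend API (Hono/Bun, port 3060)
  # ============================================
  # apps/api hosts every product compute module (calendar, chat, picture,
  # planta, news, who, …) under /api/v1/{module}/*. The unified web app's
  # PUBLIC_MANA_API_URL_CLIENT points here.
  - hostname: mana-api.mana.how
    service: http://localhost:3060

  # ============================================
  # mana-ai — background AI Mission Runner
  # ============================================
  # Serves the user-facing decrypt-audit endpoint /api/v1/me/ai-audit that
  # powers the Workbench "Datenzugriff" tab. The background tick loop and
  # /metrics stay internal; only the JWT-gated user endpoint is public.
  # NOTE(review): this section defines no ingress rule of its own, so the
  # endpoint must be reached through one of the hostnames above (presumably
  # mana-api.mana.how) — confirm which rule actually carries it.

  # ============================================
  # API Gateway (Go)
  # ============================================
  # Older gateway in front of the per-service compute layer. New services
  # should go directly through mana-api above; this gateway only handles
  # legacy entry points.
  - hostname: api.mana.how
    service: http://localhost:3016

  # ============================================
  # Forgejo (Git + CI/CD)
  # ============================================
  - hostname: git.mana.how
    service: http://localhost:3030

  # ============================================
  # Standalone microservices
  # ============================================
  - hostname: uload-api.mana.how
    service: http://localhost:3107

  # ulo.ad serves the web UI directly (canonical since 2026-05-20).
  # Path routing: API paths go to :3107, everything else to SvelteKit :3108.
  # Order matters — specific rules first. The regex is anchored at both ends.
  - hostname: ulo.ad
    path: ^/(r|api|public|healthz|readyz|\.well-known)(/.*)?$
    service: http://localhost:3107
  - hostname: ulo.ad
    service: http://localhost:3108

  - hostname: media.mana.how
    service: http://localhost:3011
  - hostname: llm.mana.how
    service: http://localhost:3025
  - hostname: sync.mana.how
    service: http://localhost:3010
  - hostname: credits.mana.how
    service: http://localhost:3002
  - hostname: subscriptions.mana.how
    service: http://localhost:3063
  - hostname: events.mana.how
    service: http://localhost:3065

  # Federation backbone (Phase F, deployed 2026-05-08).
  - hostname: share.mana.how
    service: http://localhost:3072
  - hostname: mcp.mana.how
    service: http://localhost:3069
  - hostname: cardecky-api.mana.how
    service: http://localhost:3191
  - hostname: api.wordeck.com
    service: http://localhost:3191
  - hostname: feedback.mana.how
    service: http://localhost:3064

  # ============================================
  # mana e.V. platform (Code/mana, separate repo)
  # Lives under ~/projects/mana-platform/ on the Mac Mini, deployed via
  # infrastructure/docker-compose.macmini.yml. Coexists with this stack.
  # ============================================
  - hostname: admin.mana.how
    service: http://localhost:3071

  # Verdaccio @mana/* npm registry. Standalone compose project under
  # ~/projects/verdaccio/ on the Mini (storage + htpasswd survive in the
  # bind mount). Phase 2f-1 had moved it to the GPU box, but the storage
  # volume never arrived there — rolled back on 2026-05-07, the Mini stays
  # the single source.
  - hostname: npm.mana.how
    service: http://localhost:4873

  # ============================================
  # Memoro (Code/memoro, separate repo)
  # ~/projects/memoro-deploy/ on the Mac Mini.
  # ============================================
  - hostname: memoro.mana.how
    service: http://localhost:3120
  # Web app (SvelteKit static SPA). Lives next to memoro-api/memoro-audio
  # at first-level subdomain depth so Cloudflare Universal SSL covers it.
  - hostname: memoro-app.mana.how
    service: http://localhost:3130
  - hostname: memoro-api.mana.how
    service: http://localhost:3110
  - hostname: memoro-audio.mana.how
    service: http://localhost:3101

  # ============================================
  # Zitare (Code/zitare, separate repo)
  # As of 2026-05-20 zitare.com is the canonical brand domain.
  # zitare.mana.how is switched off; zitare-api.mana.how stays as a
  # back-compat surface for external tooling.
  # Ports per mana/docs/PORTS.md: 3083 api / 3084 app / 3085 com.
  # ============================================
  - hostname: zitare.com
    service: http://localhost:3085
  - hostname: app.zitare.com
    service: http://localhost:3084
  - hostname: api.zitare.com
    service: http://localhost:3083
  - hostname: zitare-api.mana.how
    service: http://localhost:3083

  # Nutriphi (Code/nutriphi, separate repo)
  # ~/projects/nutriphi/ on the Mac Mini.
  # Ports per mana/docs/PORTS.md: 3086 api / 3087 web.
  - hostname: nutriphi.mana.how
    service: http://localhost:3087
  - hostname: nutriphi-api.mana.how
    service: http://localhost:3086

  # manawald — sketchbook + mini-app incubator (Code/manawald, separate repo).
  # Port 3090 per mana/docs/PORTS.md. Alpha only, not public — note that the
  # hostname is nevertheless reachable through the tunnel; the alpha gate
  # has to be enforced by the service itself.
  - hostname: manawald.mana.how
    service: http://localhost:3090

  # Viadocu (GPS tracking) — Code/viadocu + Code/viadocu-native.
  # ~/projects/viadocu/ on the Mac Mini. Port 3193 api / 5183 web.
  # Phase 8 cutover 2026-05-13. Web arrives with Phase 6 — the hostname is
  # reserved DNS-only for now and the service returns 502 until then (that
  # is fine, nothing points at it).
  - hostname: viadocu.mana.how
    service: http://localhost:5183
  - hostname: viadocu-api.mana.how
    service: http://localhost:3193

  # ManaMeme (image meme community) — Code/manameme + Code/manameme-native.
  # ~/projects/manameme/ on the Mac Mini. Port 3196 api / 3197 web.
  # Phase 8 cutover 2026-05-15. alpha-tier gate on write routes; reads are
  # open to guests.
  - hostname: manameme.mana.how
    service: http://localhost:3197
  - hostname: manameme-api.mana.how
    service: http://localhost:3196

  # Seepuls (event aggregator Konstanz/Kreuzlingen, DE+CH) — Code/seepuls.
  # ~/projects/seepuls/ on the Mac Mini (deploy pending, Phase β-4).
  # Ports per mana/docs/PORTS.md: 3095 api / 3096 web. Aggregator app, so
  # mana/docs/AGGREGATOR_POLICY.md applies (robots.txt required, visible
  # attribution, take-down ≤ 72h). DNS reserved; the service returns 502
  # until the container is deployed.
  - hostname: seepuls.mana.how
    service: http://localhost:3096
  - hostname: seepuls-api.mana.how
    service: http://localhost:3095

  # ============================================
  # Standalone web apps (separate containers)
  # ============================================
  - hostname: playground.mana.how
    service: http://localhost:5050
  - hostname: manavoxel.mana.how
    service: http://localhost:5028

  # ============================================
  # Who? Game (standalone Bun stack, native on the Mac Mini under PM2)
  # Source: ~/projects/who/, deploy doc: who/docs/MAC_MINI_DEPLOY.md
  # ============================================
  - hostname: who.mana.how
    service: http://localhost:5092
  - hostname: who-api.mana.how
    service: http://localhost:3092

  # ============================================
  # Self-hosted landing pages (nginx on port 4400)
  # ============================================
  # Cardecky migration: old hostnames → nginx 301 redirect (2026-05-08).
  - hostname: cards.mana.how
    service: http://localhost:4400
  - hostname: cards-api.mana.how
    service: http://localhost:4400
  # cardecky.com marketing landing — DNS in the cardecky.com Cloudflare zone
  # points at this tunnel; nginx block in docker/nginx/landings.conf.
  - hostname: cardecky.com
    service: http://localhost:4400
  - hostname: it.mana.how
    service: http://localhost:4400
  - hostname: chats.mana.how
    service: http://localhost:4400
  - hostname: pics.mana.how
    service: http://localhost:4400
  - hostname: quotess.mana.how
    service: http://localhost:4400
  - hostname: presis.mana.how
    service: http://localhost:4400
  - hostname: clocks.mana.how
    service: http://localhost:4400
  - hostname: docs.mana.how
    service: http://localhost:4400

  # Pageta — reader web app (Code/pageta/). ~/projects/pageta/ on the
  # Mac Mini. Ports per mana/docs/PORTS.md: 3099 api / 3100 web.
  # Live since 2026-05-16 (formerly lesen.mana.how, rebrand 2026-05-18).
  # Verein app (tier gate: public). Consumes mana-news-pool
  # (platform service, port 3079).
  # 2026-05-18: co-domains pageta.com + api.pageta.com added
  # (no primary switch, pageta.mana.how stays functional).
  - hostname: pageta.mana.how
    service: http://localhost:3100
  - hostname: pageta-api.mana.how
    service: http://localhost:3099
  - hostname: pageta.com
    service: http://localhost:3100
  - hostname: api.pageta.com
    service: http://localhost:3099

  # ============================================
  # Monitoring & observability
  # ============================================
  # No public ingress rules yet — nothing from this category is exposed
  # through the tunnel.

  # ============================================
  # GPU services (NOT in this tunnel)
  # ============================================
  # gpu-llm / gpu-stt / gpu-tts / gpu-img / gpu-video / gpu-ollama are
  # served by a SEPARATE cloudflared tunnel running on the Windows GPU box
  # itself (`mana-gpu-server` tunnel ID 83454e8e-...). Routing them via the
  # Mac Mini's tunnel would cause DNS routing conflicts because each
  # Cloudflare DNS CNAME can only point at one tunnel.
  # ============================================

  # Werdrobe — digital wardrobe + AI try-on (Code/werdrobe/).
  # ~/projects/werdrobe/ on the Mac Mini.
  # Ports per mana/docs/PORTS.md: 3097 api / 3098 web. Tier gate: beta.
  # Consumes mana-me, mana-image-edits, mana-media, mana-credits.
  # DNS for werdrobe.com + api.werdrobe.com has to be set up by Till at his
  # .com registrar as a CNAME pointing at the mana tunnel.
  - hostname: werdrobe.com
    service: http://localhost:3098
  - hostname: api.werdrobe.com
    service: http://localhost:3097

  # ============================================
  # Comicello — text→comic storyboard (Code/comicello/).
  # ~/projects/comicello/ on the Mac Mini.
  # Ports per mana/docs/PORTS.md: 3109 api / 3110 web. Tier gate: beta.
  # The web container is mapped to host port 3111 here, not 3110 — 3110 is
  # already used by memoro-api.mana.how above.
  # Consumes mana-llm, mana-image-edits, mana-media, mana-me, mana-credits.
  # Primary domain: comicello.com (cutover 2026-05-20); .mana.how stays as
  # a co-domain.
  # ============================================
  - hostname: comicello.com
    service: http://localhost:3111
  - hostname: www.comicello.com
    service: http://localhost:3111
  - hostname: api.comicello.com
    service: http://localhost:3109
  - hostname: comicello.mana.how
    service: http://localhost:3111
  - hostname: comicello-api.mana.how
    service: http://localhost:3109

  # Moodlit — ambient lighting + mood app (Code/moodlit/).
  # ~/projects/moodlit/ on the Mac Mini. Ports 3105 api / 3106 web
  # (PORTS.md, manacore-monorepo network). Live from 2026-05-18.
  - hostname: moodlit.mana.how
    service: http://localhost:3106
  - hostname: moodlit-api.mana.how
    service: http://localhost:3105

  # Herbatrium — citizen-science plant observations (Code/herbatrium/).
  # Host ports 3103+3104 (instead of 3101+3102) because of the memoro-audio
  # conflict on 3101. Service-internal ports stay 3101+3000 per PORTS.md.
  # 2026-05-20: co-domains herbatrium.com + api.herbatrium.com added
  # (no primary switch, herbatrium.mana.how stays functional).
  - hostname: herbatrium.mana.how
    service: http://localhost:3104
  - hostname: herbatrium-api.mana.how
    service: http://localhost:3103
  - hostname: herbatrium.com
    service: http://localhost:3104
  - hostname: api.herbatrium.com
    service: http://localhost:3103

  # mana-sync-v2 — event-sourcing platform (mana/services/mana-sync/).
  # Container `mana-sync-v2` (host port 3055 → service 3050). Source of
  # truth for all 9 Verein apps (as of 2026-05-19: manaclick + nutriphi/
  # moodlit/pageta/herbatrium/werdrobe/comicello/uload/mukke). Coexists
  # with the legacy `mana-core-sync` on sync.mana.how until legacy removal.
  - hostname: sync2.mana.how
    service: http://localhost:3055

  # mana-hub-web — Verein hub UI (mana/apps/hub-web). SvelteKit app with
  # /timeline (cross-app aggregator), /invites, /aura.
  # The container exposes 3060 internally, mapped to host port 3082
  # (conflict with the unified mana-api on 3060).
  - hostname: hub.mana.how
    service: http://localhost:3082

  # Kreisel — loop-video app for Verein-Töpfe (Code/kreisel/).
  # Container manacore-monorepo, host ports 3115 api / 3116 web
  # (PORTS.md). Live since 2026-05-20, invite-only via mana-auth-tier.
  - hostname: kreisel.mana.how
    service: http://localhost:3116
  - hostname: kreisel-api.mana.how
    service: http://localhost:3115

  # ============================================
  # Catch-all — MUST stay the last rule. Returns 404 for any hostname
  # routed to this tunnel without an explicit rule above.
  # ============================================
  - service: http_status:404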