diff --git a/.gitignore b/.gitignore
index c265584..55a58f3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,9 @@
 # Docker volume mounts
 */*-data/
+# envfiles
+.env
+
 # backups
 *.tar
diff --git a/README.md b/README.md
index f46e05d..323e962 100644
--- a/README.md
+++ b/README.md
@@ -1,22 +1,36 @@
 # Michael's Homelab
-## Hosts
+## Hosts & Services
 ### Cuddlefish
 ![CentOS](https://img.shields.io/badge/centos%207-002260?style=for-the-badge&logo=centos&logoColor=F0F0F0)
-Services:
-
-| Service | Internal Ports | External Ports | URL |
-| :------ | :------------- | :------------- | :--- |
-| Gitea | `3000` | `80` | `git.michaellisano.com` |
+- `git.michaellisano.com`
 ### Rocktiplex
 ![Rocky Linux](https://img.shields.io/badge/-Rocky%20Linux%209-%2310B981?style=for-the-badge&logo=rockylinux&logoColor=white)
-| Service | Internal Ports | External Ports | URL |
-| :--------------- | :------------- | :------------- | :--- |
-| Fathom Analytics | `8080` | `80` | `analytics.michaellisano.com` |
+- `analytics.michaellisano.com`
+
+## Dockerized Cloudflared Notes
+
+If a docker-compose file looks like this:
+
+```yaml
+services:
+  gitea-server:
+    image: gitea/gitea:1.19.3
+    ...
+  gitea-cloudflared:
+    image: cloudflare/cloudflared
+    ...
+```
+
+Then in this case the name of the target service is `gitea-server`, and (per Docker's networking shenanigans), should be specified **directly by service name,** e.g.
+
+```
+https://git.michaellisano.com -> http://gitea-server:3000
+```
diff --git a/cuddlefish/docker-compose.old.yaml b/cuddlefish/archive/docker-compose.2022.yaml
similarity index 100%
rename from cuddlefish/docker-compose.old.yaml
rename to cuddlefish/archive/docker-compose.2022.yaml
diff --git a/cuddlefish/archive/nginx.2022.conf b/cuddlefish/archive/nginx.2022.conf
new file mode 100644
index 0000000..de5e746
--- /dev/null
+++ b/cuddlefish/archive/nginx.2022.conf
@@ -0,0 +1,67 @@
+#/etc/nginx/nginx.conf
+
+events {}
+
+http {
+    server {
+        listen 80;
+        server_name git.turtlebasket.ml;
+        client_max_body_size 50m;
+
+        location / {
+            proxy_pass http://127.0.0.1:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+
+    server {
+        listen 80;
+        server_name analytics.turtlebasket.ml;
+
+        location / {
+            proxy_pass http://127.0.0.1:8080;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+
+    server {
+        listen 80;
+        server_name md.turtlebasket.ml;
+
+        location / {
+            proxy_pass http://192.168.1.25:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+
+    server {
+        listen 80;
+        server_name money.turtlebasket.ml;
+
+        location / {
+            proxy_pass http://192.168.1.25:8080;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+
+    server {
+        listen 80;
+        server_name iot.turtlebasket.ml;
+
+        location / {
+            proxy_pass http://192.168.1.25:8123;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+            # Critical for websockets, which Home Assistant uses
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+        }
+    }
+}
+
diff --git a/cuddlefish/backup b/cuddlefish/backup
index c7aac00..ea56d23 100755
--- a/cuddlefish/backup
+++ b/cuddlefish/backup
@@ -1,8 +1,11 @@
 #!/bin/bash
-# CONTAINER_ID=b581d6283772
-CONTAINER_ID=gitea
+# NOTE: DEPENDING ON PERMISSIONING, YOU MAY NEED TO RUN THIS SCRIPT USING SUDO
-docker commit -p $CONTAINER_ID gitea-checkpoint-latest
-docker save -o gitea-checkpoint-$(date | tr '[:upper:]' '[:lower:]' | tr ' ' '_').tar checkpoint-latest
+source .env
+DATESTRING=$(date +"%Y-%m-%d_%H%M%S" | tr '[:upper:]' '[:lower:]' | tr ' ' '_')
+ARCHIVE="gitea-data-${DATESTRING}.tar.gz"
+tar -czvf $ARCHIVE gitea-data/
+scp -i $BACKUP_KEYPATH -P $BACKUP_SSH_PORT $ARCHIVE $BACKUP_HOST:~/backups/
+rm $ARCHIVE && echo Removed $ARCHIVE.
diff --git a/cuddlefish/docker-compose.yaml b/cuddlefish/docker-compose.yaml
index 6f2a163..3acf857 100644
--- a/cuddlefish/docker-compose.yaml
+++ b/cuddlefish/docker-compose.yaml
@@ -5,8 +5,9 @@ networks:
     external: false
 services:
-  server:
-    image: gitea/gitea:latest
+
+  gitea-server:
+    image: gitea/gitea:1.19.3
     container_name: gitea
     environment:
       USER_UID: 1000
@@ -22,3 +23,13 @@ services:
       - "3000:3000"
       - "222:22"
+  gitea-cloudflared:
+    container_name: cloudflared-gitea
+    image: cloudflare/cloudflared
+    restart: unless-stopped
+    command: tunnel run --url http://server:3000
+    environment:
+      - TUNNEL_TOKEN=${GITEA_TUNNEL_TOKEN}
+    networks:
+      - gitea
+
diff --git a/cuddlefish/example.env b/cuddlefish/example.env
new file mode 100644
index 0000000..4c92250
--- /dev/null
+++ b/cuddlefish/example.env
@@ -0,0 +1,7 @@
+BACKUP_HOST=bob@1.2.3.4
+BACKUP_KEYPATH=~/.ssh/id_backup
+BACKUP_SSH_PORT=22
+
+SSH_TUNNEL_TOKEN=...
+GITEA_TUNNEL_TOKEN=...
+
diff --git a/cuddlefish/nginx.conf b/cuddlefish/nginx.conf
index de5e746..b067e1d 100644
--- a/cuddlefish/nginx.conf
+++ b/cuddlefish/nginx.conf
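Review bot: `rm $ARCHIVE && echo Removed $ARCHIVE.` on the last added line runs even when the preceding `scp` fails, so a rejected key, wrong port or unreachable `$BACKUP_HOST` silently deletes the only copy of the backup; the removal should be chained on the upload succeeding and the script should fail fast with `set -euo pipefail`. `source .env` and `tar -czvf $ARCHIVE gitea-data/` resolve against the caller's working directory, not the script's, so invoking it from cron or with `sudo` from another directory sources nothing (leaving `$BACKUP_KEYPATH`, `$BACKUP_SSH_PORT`, `$BACKUP_HOST` empty and the unquoted `scp` arguments collapsing) and archives the wrong path. The tarball is written into the repo directory with the caller's umask, and when run as root per the added NOTE that is a root-owned, potentially world-readable archive of every private repository until `rm` runs; a `umask 077` before `tar` closes that window. The `tr` pipeline on `DATESTRING` is a no-op for the `%Y-%m-%d_%H%M%S` format, and archiving the live `gitea-data/` directory can capture an inconsistent database/repo state — whether that matters depends on the Gitea backend, which is not visible here, so a comment pointing at `gitea dump` or a stop/start around the tar would help.
```shell
#!/bin/bash
# … unchanged: sudo note …
set -euo pipefail
umask 077
cd "$(dirname "$0")"
source .env
DATESTRING=$(date +"%Y-%m-%d_%H%M%S")
ARCHIVE="gitea-data-${DATESTRING}.tar.gz"
tar -czvf "$ARCHIVE" gitea-data/
# discard the local copy only after the upload succeeded
scp -i "$BACKUP_KEYPATH" -P "$BACKUP_SSH_PORT" "$ARCHIVE" "$BACKUP_HOST:~/backups/" \
  && rm -- "$ARCHIVE" && echo "Removed $ARCHIVE."
```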
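Review bot: `command: tunnel run --url http://server:3000` still targets the service name `server`, which this same commit renames to `gitea-server` (and the README added in this commit says to use the service name `gitea-server`), so inside the `gitea` network that hostname no longer resolves and the tunnel origin is unreachable; it should read `command: tunnel run --url http://gitea-server:3000`. Name resolution also requires `gitea-server` to be attached to the `gitea` network, which is outside this hunk — worth confirming. The context lines still publish `"3000:3000"` and `"222:22"` on every host interface, so once the tunnel is the intended ingress Gitea remains directly reachable and any Cloudflare Access policy is bypassable; drop those mappings or bind them to loopback, e.g. `- "127.0.0.1:3000:3000"`. `image: cloudflare/cloudflared` is unpinned while `gitea/gitea` is pinned to `1.19.3` in the hunk above; with `restart: unless-stopped` a recreate pulls whatever `latest` is, so pin a tag here too.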
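Review bot: The template says nothing about the two `*_TUNNEL_TOKEN` values being live credentials (a tunnel token lets whoever holds it serve as the origin for that hostname) or about file permissions on the copied `.env`; a header such as `# cp example.env .env && chmod 600 .env  -- tunnel tokens are secrets; .env is gitignored, never commit it` would make that explicit. `SSH_TUNNEL_TOKEN` is declared but nothing in this diff reads it (the SSH path is handled by the nginx stream config instead), so either remove it or comment where it is consumed. `BACKUP_KEYPATH=~/.ssh/id_backup` relies on bash tilde expansion when the backup script `source`s the file; docker compose's env-file parsing would not expand it, which is fine while only the script uses it but deserves a comment so nobody later reuses the variable in compose.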
@@ -1,67 +1,19 @@
-#/etc/nginx/nginx.conf
+#/etc/nginx/stream.conf
-events {}
+load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
-http {
-    server {
-        listen 80;
-        server_name git.turtlebasket.ml;
-        client_max_body_size 50m;
-        location / {
-            proxy_pass http://127.0.0.1:3000;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+stream {
+    map $ssl_preread_server_name $target_host {
+        cuddlefish.ssh.michael.com 127.0.0.1:22;
+        rocktiplex.ssh.michaellisano.com 192.168.1.19:22;
+        default 127.0.0.1:22;
     }
-    }
-    server {
-        listen 80;
-        server_name analytics.turtlebasket.ml;
-
-        location / {
-            proxy_pass http://127.0.0.1:8080;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    server {
+        listen 2200;
+        proxy_pass $backend;
+        ssl_preread on
     }
-    }
-
-    server {
-        listen 80;
-        server_name md.turtlebasket.ml;
-
-        location / {
-            proxy_pass http://192.168.1.25:3000;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        }
-    }
-
-    server {
-        listen 80;
-        server_name money.turtlebasket.ml;
-
-        location / {
-            proxy_pass http://192.168.1.25:8080;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        }
-    }
-
-    server {
-        listen 80;
-        server_name iot.turtlebasket.ml;
-
-        location / {
-            proxy_pass http://192.168.1.25:8123;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-            # Critical for websockets, which Home Assistant uses
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-        }
-    }
 }
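Review bot: The new `server` block does `proxy_pass $backend;` but the `map` directly above defines `$target_host`, and `ssl_preread on` has no terminating semicolon, so `nginx -t` rejects this file (unknown variable, then an unexpected `}`); the two lines should be `proxy_pass $target_host;` and `ssl_preread on;`. `$ssl_preread_server_name` is taken from a TLS ClientHello and a plain SSH client sends none, so unless the tunnel side wraps these connections in TLS (not visible here) every connection falls through to `default` — that assumption deserves a comment next to the `map`. Because `default 127.0.0.1:22;` sends any unmatched or SNI-less connection to cuddlefish's own sshd, anything that reaches port 2200 gets a login prompt on this host; pointing `default` at an unroutable target (e.g. `default 127.0.0.1:1;`) drops unexpected traffic instead. `cuddlefish.ssh.michael.com` looks like a typo for the `michaellisano.com` domain used on the next line, and `load_module` is only valid in the main context, so this file must be included at the top level of `nginx.conf`, never from inside an existing `stream {}` block.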