Keep GoDaddy as registrar. Put Cloudflare ahead of the droplet for free SSL, a global CDN, WAF/DDoS, and a hidden origin IP — and add Cloudflare R2 as a second offsite backup leg beside B2. About 190 sites, mail-safe, Let's-Encrypt-aware, and reversible at every step.
✓ Adversarially reviewed — 6 outage risks caught & corrected in this planThe nameserver change is the only cutover. Nothing inside your 190 webroots changes. Pointing NS back to GoDaddy is the heavy rollback — and grey-clouding a record inside Cloudflare is the instant one.
Everything else here is $0 and fits the subscription-only rule perfectly. R2 does not: it bills per GB stored, so it's the one piece that can produce a surprise invoice. It's small and worth it for a zero-egress second backup — but it's genuinely your call.
Free SSL, a global CDN for your portable static pages, an edge WAF with automatic DDoS mitigation, and — once the firewall is locked at the very end — a hidden origin. Today 143.198.182.180 is printed in every DNS record for anyone to see and hit directly.
Nothing here replaces the droplet. nginx keeps serving /var/www and reverse-proxying the /opt apps exactly as now — Cloudflare just sits in front, and mail deliberately steps around it.
Every DNS record lands in one of two buckets. Get this split right per zone and the migration is safe; get it wrong on a mail record and that domain stops delivering. On import, default the proxy correctly and verify against GoDaddy before cutover.
Cloudflare's auto-scan on import is best-effort and misses records it can't enumerate (especially DKIM selectors and app subdomains) — so diff every zone against GoDaddy before the NS flip.
This is a real sequence, so it's numbered. The first five phases have zero live impact — creating a zone and loading records does nothing until that domain's nameservers flip. Only Phase 6 touches users. The green notes mark where the adversarial review changed the plan.
S3-compatible object storage with zero egress. It becomes the second offsite copy of the daily tarball, at a different company than Backblaze — so an account or billing problem at one never orphans your backups. rclone is already on the droplet with b2: and gdrive:; you just add a third remote.
# ~/.config/rclone/rclone.conf on the droplet — alongside [b2] and [gdrive]
[r2]
type = s3
provider = Cloudflare
access_key_id = <R2_ACCESS_KEY_ID>
secret_access_key = <R2_SECRET_ACCESS_KEY>
endpoint = https://<ACCOUNT_ID>.r2.cloudflarestorage.com
region = auto
acl = private
no_check_bucket = true
# wholetech-backup.sh — add beside the B2 vars, then copy each tarball to BOTH R2=r2:walhus-droplet-snapshots R2_KEEP_DAYS=30 # shorter tail than B2's 90d to bound cost rclone copy "$WWW" "$B2/" # existing — unchanged rclone copy "$WWW" "$R2/" # new — additive rclone delete --min-age ${R2_KEEP_DAYS}d "$R2/"
| Cloudflare Free plan × ~190 zones — DNS, CDN, SSL, WAF baseline, DDoS | $0/mo |
| Universal SSL + Origin CA certificate (15-yr) | $0 |
| Cloudflare Tunnel (optional, instead of IP firewalling) | $0 |
| R2 storage — ~8GB/day, 30-day tail (~240GB) @ $0.015/GB-mo | ~$3.50/mo |
| R2 storage if matched to B2's 90-day tail (~720GB) | ~$11/mo |
| R2 egress — restores, test-restores, pull-backs | $0 forever |
| GoDaddy — registrar renewals only (unchanged) | no change |
| Net new spend for the whole migration | ~$3.50/mo |
Everything except R2 is $0. R2 is the only metered line — hence the decision at the top.