feat(cloudflare-tunnel): switch to Cloudflare Tunnel

Nitestack · Nitestack · commit 56a8cdb08e66 · 2025-11-25T00:35:50.000+01:00
diff --git a/README.md b/README.md
@@ -37,7 +37,6 @@ _This [Ansible](https://ansible.com) configuration automates the setup of a Home
 - **Beszel**: Server Monitoring
 - **Caddy**: Reverse Proxy & TLS
 - **Calibre Web Automated**: eBook Manager
-- **Cloudflare DDNS**: Dynamic DNS Updater
 - **Ente Auth**: Two-factor Authenticator
 - **FreshRSS**: Feed Aggregator
 - **Ghostfolio**: Wealth Manager
@@ -56,8 +55,9 @@ _This [Ansible](https://ansible.com) configuration automates the setup of a Home
 
 1. **Raspberry Pi OS Lite (64-bit)**: Ensure your Raspberry Pi is running the latest version.
 2. **Ansible**: Install Ansible on your local machine.
-3. **Cloudflare-managed domain**: Required for dynamic DNS updates and subdomain routing.
-4. **Ethernet connection**: Use a wired connection for your Raspberry Pi for stable performance.
+3. **Cloudflare Account**: Required for dynamic DNS updates and subdomain routing. Sign up for a [Cloudflare account](https://dash.cloudflare.com/sign-up).
+4. **Cloudflare Zero Trust**: Required for secure access via Cloudflare Tunnel. Create a [Zero Trust Organization](https://developers.cloudflare.com/cloudflare-one/setup/#create-a-zero-trust-organization).
+5. **Ethernet connection**: Use a wired connection for your Raspberry Pi for stable performance.
 
 > [!Important]
 > When flashing your SD card, enable SSH and select the `Use password authentication` option.
@@ -125,16 +125,8 @@ ansible-vault encrypt group_vars/all/vault.yml # encrypt file
 To ensure remote access and proper functionality, configure the following port forwarding rules on your router. The playbook will automatically configure the server's firewall (UFW) based on these variables.
 
 ```plaintext
-# Caddy (handling all websites and APIs)
-public:80/tcp -> local:80/tcp
-public:443/tcp -> local:443/tcp
-public:443/udp -> local:443/udp
-
 # WireGuard
 public:51820/udp -> local:51820/udp
-
-# SSH (optional, if you want to access the Pi with a URL)
-public:22/tcp -> local:22/tcp
 ```
 
 ## 🛡️ Security
diff --git a/deploy.yml b/deploy.yml
@@ -14,8 +14,8 @@
       tags: docker
     - role: caddy
       tags: caddy
-    - role: cloudflare_ddns
-      tags: cloudflare_ddns
+    - role: cloudflare_tunnel
+      tags: cloudflare_tunnel
 
     - role: wg_easy
       tags: wg_easy
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
@@ -7,10 +7,7 @@ data_base_dir: "/mnt/data"
 backup_base_dir: "/mnt/backup"
 service_base_dir: "~/services"
 allowed_ports:
-  - 22 # SSH
   - 53 # DNS
-  - 80 # Caddy HTTP
-  - 443 # Caddy HTTPS
   - 51820 # VPN
 
 # ── Service Configuration ─────────────────────────────────────────────
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
diff --git a/inventory.ini b/inventory.ini
@@ -1,2 +1,2 @@
 [raspberrypi]
-npham.de ansible_user=nhan ansible_python_interpreter=auto_silent
+raspberrypi.local ansible_user=nhan ansible_python_interpreter=auto_silent
diff --git a/roles/caddy/templates/Caddyfile.j2 b/roles/caddy/templates/Caddyfile.j2
@@ -1,58 +1,85 @@
 {% for name, service in services.items() %}
-{% if service.enabled %}
-{{ service.domain }} {
-{% if name == "adventure_log" %}
-	@frontend {
-		not path /media* /admin* /static* /accounts*
-	}
-	reverse_proxy @frontend {{ service.container_names.frontend }}:{{ service.ports.frontend }}
-	reverse_proxy {{ service.container_names.backend }}:{{ service.ports.backend }}
-{% elif name == "beszel" %}
-	request_body {
-		max_size 10MB
-	}
-	reverse_proxy {{ service.container_name }}:{{ service.port }} {
-		transport http {
-			read_timeout 360s
-		}
-	}
-{% elif name == "n8n" %}
-	reverse_proxy {{ service.container_name }}:{{ service.port }} {
-		flush_interval -1
-	}
-{% elif name == "nextcloud" %}
-	header Strict-Transport-Security max-age=31536000;
+{% if service.enabled and service.domain == domain %}
+{{ domain }} {
 	reverse_proxy {{ service.container_name }}:{{ service.port }}
-{% elif name == "nextcloud_aio" %}
-	reverse_proxy {{ service.container_name }}:{{ service.port }} {
-		transport http {
-			tls_insecure_skip_verify
+}
+{% endif %}
+{% endfor %}
+
+*.{{ domain }} {
+	tls internal
+
+	{% for name, service in services.items() %}
+	{% if service.enabled and service.domain == domain %}
+	@www host www.{{ domain }}
+
+	redir @www {scheme}://{{ domain }}/{uri} permanent
+
+	{% endif %}
+	{% endfor %}
+
+	{% for name, service in services.items() %}
+	{% if service.enabled and service.domain != domain %}
+	@{{ name }} host {{ service.domain }}
+
+	handle @{{ name }} {
+	{% if name == "adventure_log" %}
+		@frontend {
+			not path /media* /admin* /static* /accounts*
 		}
-	}
-{% elif name == "vaultwarden" %}
-	encode zstd gzip
-	reverse_proxy {{ service.container_name }}:{{ service.port }} {
-		header_up X-Real-IP {remote_host}
-	}
-{% elif name == "wger" %}
-	encode
+		reverse_proxy @frontend {{ service.container_names.frontend }}:{{ service.ports.frontend }}
+		reverse_proxy {{ service.container_names.backend }}:{{ service.ports.backend }}
+	{% elif name == "beszel" %}
+		request_body {
+			max_size 10MB
+		}
+		reverse_proxy {{ service.container_name }}:{{ service.port }} {
+			transport http {
+				read_timeout 360s
+			}
+		}
+	{% elif name == "n8n" %}
+		reverse_proxy {{ service.container_name }}:{{ service.port }} {
+			flush_interval -1
+		}
+	{% elif name == "nextcloud" %}
+		header Strict-Transport-Security max-age=31536000;
+		reverse_proxy {{ service.container_name }}:{{ service.port }}
+	{% elif name == "nextcloud_aio" %}
+		reverse_proxy {{ service.container_name }}:{{ service.port }} {
+			transport http {
+				tls_insecure_skip_verify
+			}
+		}
+	{% elif name == "vaultwarden" %}
+		encode zstd gzip
+		reverse_proxy {{ service.container_name }}:{{ service.port }} {
+			header_up X-Real-IP {remote_host}
+		}
+	{% elif name == "wger" %}
+		encode
 
-	reverse_proxy {{ service.container_name }}:{{ service.port }} {
-		header_up X-Real-IP {remote_host}
-	}
+		reverse_proxy {{ service.container_name }}:{{ service.port }} {
+			header_up X-Real-IP {remote_host}
+		}
 
-	handle /static/* {
-		root * /srv/wger
-		file_server
+		handle /static/* {
+			root * /srv/wger
+			file_server
+		}
+
+		handle /media/* {
+			root * /srv/wger
+			file_server
+		}
+	{% else %}
+		reverse_proxy {{ service.container_name }}:{{ service.port }}
+	{% endif %}
 	}
+	{% endif %}
+	{% endfor %}
 
-	handle /media/* {
-		root * /srv/wger
-		file_server
+	handle {
+		redir https://{{ domain }}{uri}
 	}
-{% else %}
-	reverse_proxy {{ service.container_name }}:{{ service.port }}
-{% endif %}
 }
-{% endif %}
-{% endfor %}
diff --git a/roles/caddy/templates/compose.yml.j2 b/roles/caddy/templates/compose.yml.j2
@@ -6,7 +6,6 @@ services:
     ports:
       - "80:80"
       - "443:443"
-      - "443:443/udp"
     networks:
       - caddy
     volumes:
diff --git a/roles/cloudflare_ddns/defaults/main.yml b/roles/cloudflare_ddns/defaults/main.yml
diff --git a/roles/cloudflare_ddns/tasks/main.yml b/roles/cloudflare_ddns/tasks/main.yml
diff --git a/roles/cloudflare_ddns/templates/compose.yml.j2 b/roles/cloudflare_ddns/templates/compose.yml.j2
diff --git a/roles/cloudflare_tunnel/defaults/main.yml b/roles/cloudflare_tunnel/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+cloudflared_dir_name: "cloudflared"
diff --git a/roles/cloudflare_tunnel/tasks/main.yml b/roles/cloudflare_tunnel/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Deploy client for Cloudflare Tunnel
+  ansible.builtin.include_role:
+    name: service_deploy
+  vars:
+    service_name: "Cloudflare Tunnel"
+    service_dir_name: "{{ cloudflared_dir_name }}"
diff --git a/roles/cloudflare_tunnel/templates/compose.yml.j2 b/roles/cloudflare_tunnel/templates/compose.yml.j2
@@ -0,0 +1,9 @@
+services:
+  cloudflared:
+    image: cloudflare/cloudflared:2025.11.1@sha256:89ee50efb1e9cb2ae30281a8a404fed95eb8f02f0a972617526f8c5b417acae2
+    container_name: cloudflared
+    command: tunnel --no-autoupdate run
+    restart: always
+    network_mode: host
+    environment:
+      TUNNEL_TOKEN: "{{ cloudflared_token }}"
diff --git a/roles/glance/files/config/home.yml b/roles/glance/files/config/home.yml
@@ -37,8 +37,8 @@
                 - title: Calibre Web Automated
                   url: https://github.com/crocodilestick/Calibre-Web-Automated/wiki
                   icon: di:calibre-web
-                - title: Cloudflare DDNS
-                  url: https://github.com/favonia/cloudflare-ddns
+                - title: Cloudflared
+                  url: https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel
                   icon: di:cloudflare
                 - title: Ente
                   url: https://help.ente.io
@@ -133,10 +133,10 @@
               icon: di:calibre-web
               url: ${CALIBRE_WEB_AUTOMATED_URL}
               description: eBook Manager
-            cloudflare-ddns:
-              name: Cloudflare DDNS
+            cloudflared:
+              name: Cloudflared
               icon: di:cloudflare
-              description: Dynamic DNS Updater
+              description: Cloudflare Tunnel
             ente-web:
               name: Ente Auth
               icon: https://cdn.jsdelivr.net/gh/selfhst/icons/webp/ente-auth.webp
@@ -385,7 +385,7 @@
             - henrygd/beszel
             - caddyserver/caddy
             - crocodilestick/Calibre-Web-Automated
-            - favonia/cloudflare-ddns
+            - cloudflare/cloudflared
             - ente-io/ente
             - FreshRSS/FreshRSS
             - ghostfolio/ghostfolio
diff --git a/vault.yml.example b/vault.yml.example
@@ -33,8 +33,8 @@ beszel_agent_key: ""
 # Calibre Web Automated
 calibre_web_automated_hardcover_token: ""
 
-# Cloudflare DDNS
-cloudflare_ddns_api_token: "" # `Edit zone DNS` template
+# Cloudflared
+cloudflared_token: ""
 
 # Ente Auth
 ente_jwt_secret: "" # head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_'

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`[raspberrypi]`
`2`		`-npham.de ansible_user=nhan ansible_python_interpreter=auto_silent`
	`2`	`+raspberrypi.local ansible_user=nhan ansible_python_interpreter=auto_silent`