Adding cloudflare tunnel mod

docker-compose.yml - Add the cloudflared service definition .env.example - Add CLOUDFLARE_TUNNEL_TOKEN variable with documentation scripts/03_generate_secrets.sh - Add tunnel token prompt with auto-enable logic scripts/04_wizard.sh - Add cloudflare-tunnel to service selection menu scripts/06_final_report.sh - Add security reminder when tunnel is enabled README.md - Add comprehensive documentation section
2026-03-07 22:33:11 +00:00 · 2025-08-13 20:27:02 -04:00
parent fc6b46ca3e
commit 0ac3f89e15
6 changed files with 211 additions and 1 deletions
--- a/scripts/03_generate_secrets.sh
+++ b/scripts/03_generate_secrets.sh
@@ -274,6 +274,46 @@ fi
 # Ensure N8N_WORKER_COUNT is definitely set (should be by logic above)
 N8N_WORKER_COUNT="${N8N_WORKER_COUNT:-1}"

+# Cloudflare Tunnel Token (optional)
+echo ""
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo "Cloudflare Tunnel Configuration (Optional)"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+echo "Cloudflare Tunnel provides secure zero-trust access to your services"
+echo "without exposing ports 80/443 on your server."
+echo ""
+echo "To set up:"
+echo "1. Create a tunnel at https://one.dash.cloudflare.com/"
+echo "2. Configure hostname: *.${DOMAIN} → http://caddy:80"
+echo "3. Copy the tunnel token"
+echo ""
+
+if [[ -v existing_env_vars[CLOUDFLARE_TUNNEL_TOKEN] ]]; then
+    CLOUDFLARE_TUNNEL_TOKEN="${existing_env_vars[CLOUDFLARE_TUNNEL_TOKEN]}"
+    if [[ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]]; then
+        log_info "Found existing Cloudflare Tunnel Token in .env"
+    else
+        log_info "Found empty Cloudflare Tunnel Token in .env. You can provide one now or leave empty."
+        echo ""
+        read -p "Cloudflare Tunnel Token: " CLOUDFLARE_TUNNEL_TOKEN
+    fi
+else
+    echo ""
+    read -p "Cloudflare Tunnel Token: " CLOUDFLARE_TUNNEL_TOKEN
+fi
+
+if [ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]; then
+    log_success "Cloudflare Tunnel Token configured"
+    echo ""
+    echo "🔒 After confirming the tunnel works, enhance security by:"
+    echo "   Closing ports 80, 443, and 7687 in your VPS firewall"
+    echo "   Example: sudo ufw delete allow 80/tcp"
+    echo ""
+else
+    log_info "Cloudflare Tunnel skipped - you can enable it later in the service selection wizard"
+fi
+
 log_info "Generating secrets and creating .env file..."

 # --- Helper Functions ---
@@ -375,6 +415,10 @@ if [[ -n "$OPENAI_API_KEY" ]]; then
    generated_values["OPENAI_API_KEY"]="$OPENAI_API_KEY"
 fi

+if [[ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]]; then
+    generated_values["CLOUDFLARE_TUNNEL_TOKEN"]="$CLOUDFLARE_TUNNEL_TOKEN"
+fi
+
 # Create a temporary file for processing
 TMP_ENV_FILE=$(mktemp)
 # Ensure temp file is cleaned up on exit
@@ -389,6 +433,7 @@ found_vars["RUN_N8N_IMPORT"]=0
 found_vars["PROMETHEUS_USERNAME"]=0
 found_vars["SEARXNG_USERNAME"]=0
 found_vars["OPENAI_API_KEY"]=0
+found_vars["CLOUDFLARE_TUNNEL_TOKEN"]=0
 found_vars["LANGFUSE_INIT_USER_EMAIL"]=0
 found_vars["N8N_WORKER_COUNT"]=0
 found_vars["WEAVIATE_USERNAME"]=0
@@ -522,7 +567,7 @@ if [[ -z "${generated_values[SERVICE_ROLE_KEY]}" ]]; then
 fi

 # Add any custom variables that weren't found in the template
-for var in "FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "OPENAI_API_KEY" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME"; do
+for var in "FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "OPENAI_API_KEY" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME" "CLOUDFLARE_TUNNEL_TOKEN"; do
    if [[ ${found_vars["$var"]} -eq 0 && -v generated_values["$var"] ]]; then
        # Before appending, check if it's already in TMP_ENV_FILE to avoid duplicates
        if ! grep -q -E "^${var}=" "$TMP_ENV_FILE"; then
--- a/scripts/04_wizard.sh
+++ b/scripts/04_wizard.sh
@@ -55,6 +55,7 @@ base_services_data=(
    "flowise" "Flowise (AI Agent Builder)"
    "monitoring" "Monitoring Suite (Prometheus, Grafana, cAdvisor, Node-Exporter)"
    "portainer" "Portainer (Docker management UI)"
+	"cloudflare-tunnel Cloudflare_Tunnel_(Zero-Trust_Secure_Access) off"
    "langfuse" "Langfuse Suite (AI Observability - includes Clickhouse, Minio)"
    "qdrant" "Qdrant (Vector Database)"
    "supabase" "Supabase (Backend as a Service)"
--- a/scripts/06_final_report.sh
+++ b/scripts/06_final_report.sh
@@ -253,6 +253,35 @@ echo
 # --- Update Script Info (Placeholder) ---
 log_info "To update the services, run the 'update.sh' script: bash ./scripts/update.sh"

+# ============================================
+# Cloudflare Tunnel Security Notice
+# ============================================
+if is_profile_active "cloudflare-tunnel" && [ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]; then
+  echo ""
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+  echo "🔒 CLOUDFLARE TUNNEL SECURITY"
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+  echo ""
+  echo "✅ Cloudflare Tunnel is configured and running!"
+  echo ""
+  echo "Your services are accessible through Cloudflare's secure network."
+  echo "All traffic is encrypted and routed through the tunnel."
+  echo ""
+  echo "🛡️  RECOMMENDED SECURITY ENHANCEMENT:"
+  echo "   For maximum security, close the following ports in your VPS firewall:"
+  echo "   • Port 80 (HTTP)"
+  echo "   • Port 443 (HTTPS)" 
+  echo "   • Port 7687 (Neo4j Bolt)"
+  echo ""
+  echo "   Example commands:"
+  echo "   └─ UFW:     sudo ufw delete allow 80/tcp && sudo ufw delete allow 443/tcp"
+  echo "   └─ IPtables: sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT"
+  echo ""
+  echo "   ⚠️  Only close ports AFTER confirming tunnel connectivity!"
+  echo "   Test first: Visit https://${N8N_HOSTNAME} through Cloudflare"
+  echo ""
+fi
+
 echo
 echo "======================================================================"
 echo