Refactor Cloudflare Tunnel integration in scripts

- Removed Cloudflare Tunnel Token prompts from the secrets generation script.
- Added logic to handle Cloudflare Tunnel Token input in the service selection wizard.
- Updated final report script to simplify security notice related to Cloudflare Tunnel.

scripts/03_generate_secrets.sh

@@ -275,44 +275,6 @@ fi
 # Ensure N8N_WORKER_COUNT is definitely set (should be by logic above)
 N8N_WORKER_COUNT="${N8N_WORKER_COUNT:-1}"
 
-# Cloudflare Tunnel Token (optional)
-echo ""
-echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-echo "Cloudflare Tunnel Configuration (Optional)"
-echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-echo ""
-echo "Cloudflare Tunnel provides secure zero-trust access to your services"
-echo "without exposing ports 80/443 on your server."
-echo ""
-echo "To set up:"
-echo "1. Create a tunnel at https://one.dash.cloudflare.com/"
-echo "3. Copy the tunnel token"
-echo ""
-
-if [[ -v existing_env_vars[CLOUDFLARE_TUNNEL_TOKEN] ]]; then
-    CLOUDFLARE_TUNNEL_TOKEN="${existing_env_vars[CLOUDFLARE_TUNNEL_TOKEN]}"
-    if [[ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]]; then
-        log_info "Found existing Cloudflare Tunnel Token in .env"
-    else
-        log_info "Found empty Cloudflare Tunnel Token in .env. You can provide one now or leave empty."
-        echo ""
-        read -p "Cloudflare Tunnel Token (leave empty to skip): " CLOUDFLARE_TUNNEL_TOKEN
-    fi
-else
-    echo ""
-    read -p "Cloudflare Tunnel Token (leave empty to skip): " CLOUDFLARE_TUNNEL_TOKEN
-fi
-
-if [ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]; then
-    log_success "Cloudflare Tunnel Token configured"
-    echo ""
-    echo "🔒 After confirming the tunnel works, enhance security by:"
-    echo "   Closing ports 80, 443, and 7687 in your VPS firewall"
-    echo "   Example: sudo ufw delete allow 80/tcp"
-    echo ""
-else
-    log_info "Cloudflare Tunnel skipped - you can enable it later in the service selection wizard"
-fi
 
 log_info "Generating secrets and creating .env file..."
 
@@ -416,10 +378,6 @@ if [[ -n "$OPENAI_API_KEY" ]]; then
     generated_values["OPENAI_API_KEY"]="$OPENAI_API_KEY"
 fi
 
-if [[ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]]; then
-    generated_values["CLOUDFLARE_TUNNEL_TOKEN"]="$CLOUDFLARE_TUNNEL_TOKEN"
-fi
-
 # Create a temporary file for processing
 TMP_ENV_FILE=$(mktemp)
 # Ensure temp file is cleaned up on exit
@@ -434,7 +392,6 @@ found_vars["RUN_N8N_IMPORT"]=0
 found_vars["PROMETHEUS_USERNAME"]=0
 found_vars["SEARXNG_USERNAME"]=0
 found_vars["OPENAI_API_KEY"]=0
-found_vars["CLOUDFLARE_TUNNEL_TOKEN"]=0
 found_vars["LANGFUSE_INIT_USER_EMAIL"]=0
 found_vars["N8N_WORKER_COUNT"]=0
 found_vars["WEAVIATE_USERNAME"]=0
@@ -569,7 +526,7 @@ if [[ -z "${generated_values[SERVICE_ROLE_KEY]}" ]]; then
 fi
 
 # Add any custom variables that weren't found in the template
-for var in "FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "OPENAI_API_KEY" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME" "RAGAPP_USERNAME" "CLOUDFLARE_TUNNEL_TOKEN"; do
+for var in "FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "OPENAI_API_KEY" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME" "RAGAPP_USERNAME"; do
     if [[ ${found_vars["$var"]} -eq 0 && -v generated_values["$var"] ]]; then
         # Before appending, check if it's already in TMP_ENV_FILE to avoid duplicates
         if ! grep -q -E "^${var}=" "$TMP_ENV_FILE"; then

scripts/04_wizard.sh

@@ -228,6 +228,46 @@ if [ ! -f "$ENV_FILE" ]; then
     touch "$ENV_FILE"
 fi
 
+# If Cloudflare Tunnel is selected, prompt for the token and write to .env
+cloudflare_selected=0
+for profile in "${selected_profiles[@]}"; do
+    if [ "$profile" == "cloudflare-tunnel" ]; then
+        cloudflare_selected=1
+        break
+    fi
+done
+
+if [ $cloudflare_selected -eq 1 ]; then
+    existing_cf_token=""
+    if grep -q "^CLOUDFLARE_TUNNEL_TOKEN=" "$ENV_FILE"; then
+        existing_cf_token=$(grep "^CLOUDFLARE_TUNNEL_TOKEN=" "$ENV_FILE" | cut -d'=' -f2- | sed 's/^\"//' | sed 's/\"$//')
+    fi
+
+    if [ -n "$existing_cf_token" ]; then
+        log_info "Cloudflare Tunnel token found in .env; reusing it."
+        # Do not prompt; keep existing token as-is
+    else
+        log_info "Cloudflare Tunnel selected. Please provide your Cloudflare Tunnel token."
+        echo ""
+        read -p "Cloudflare Tunnel Token: " input_cf_token
+        token_to_write="$input_cf_token"
+
+        # Update the .env with the token (may be empty if user skipped)
+        if grep -q "^CLOUDFLARE_TUNNEL_TOKEN=" "$ENV_FILE"; then
+            sed -i.bak "/^CLOUDFLARE_TUNNEL_TOKEN=/d" "$ENV_FILE"
+        fi
+        echo "CLOUDFLARE_TUNNEL_TOKEN=\"$token_to_write\"" >> "$ENV_FILE"
+
+        if [ -n "$token_to_write" ]; then
+            log_success "Cloudflare Tunnel token saved to .env."
+            echo ""
+            echo "🔒 After confirming the tunnel works, consider closing ports 80, 443, and 7687 in your firewall."
+        else
+            log_warning "Cloudflare Tunnel token was left empty. You can set it later in .env."
+        fi
+    fi
+fi
+
 # Remove existing COMPOSE_PROFILES line if it exists
 if grep -q "^COMPOSE_PROFILES=" "$ENV_FILE"; then
     # Using a different delimiter for sed because a profile name might contain '/' (unlikely here)

scripts/06_final_report.sh

@@ -287,7 +287,7 @@ log_info "To update the services, run the 'update.sh' script: bash ./scripts/upd
 # ============================================
 # Cloudflare Tunnel Security Notice
 # ============================================
-if is_profile_active "cloudflare-tunnel" && [ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]; then
+if is_profile_active "cloudflare-tunnel"; then
   echo ""
   echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
   echo "🔒 CLOUDFLARE TUNNEL SECURITY"
@@ -304,10 +304,6 @@ if is_profile_active "cloudflare-tunnel" && [ -n "$CLOUDFLARE_TUNNEL_TOKEN" ]; t
   echo "   • Port 443 (HTTPS)" 
   echo "   • Port 7687 (Neo4j Bolt)"
   echo ""
-  echo "   Example commands:"
-  echo "   └─ UFW:     sudo ufw delete allow 80/tcp && sudo ufw delete allow 443/tcp"
-  echo "   └─ IPtables: sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT"
-  echo ""
   echo "   ⚠️  Only close ports AFTER confirming tunnel connectivity!"
   echo ""
 fi