Add Cloudflare Tunnel connector (profile-gated) to the deploy stack

A cloudflared service (opt-in via the 'tunnel' compose profile, token from CLOUDFLARE_TUNNEL_TOKEN) connects the lab to Cloudflare. One public hostname -> http://caddy:80 is sufficient because Caddy does the internal path routing. Mirrors the drawbar tunnel setup.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
2026-06-06 11:32:15 -04:00
parent 4921ce0776
commit 828445a6b3
2 changed files with 26 additions and 0 deletions
@@ -26,8 +26,16 @@ S3_REGION=us-east-1
# --- Edge (Caddy) ---
# Local: ':80' (http://localhost). Production: 'provenance.example.com' for auto-HTTPS.
# Behind a Cloudflare Tunnel, keep ':80' — Cloudflare terminates TLS and the
# tunnel forwards plain HTTP to caddy:80.
PROVENANCE_SITE_ADDRESS=:80
# --- Cloudflare Tunnel (optional) ---
# Enable by setting COMPOSE_PROFILES=tunnel and supplying the connector token
# from the Cloudflare dashboard. Public hostname -> http://caddy:80.
CLOUDFLARE_TUNNEL_TOKEN=
COMPOSE_PROFILES=
# --- Auth / sessions ---
SESSION_TTL_DAYS=30
TOKEN_TTL_HOURS=24
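Review bot: CLOUDFLARE_TUNNEL_TOKEN is a credential, but the "Cloudflare Tunnel (optional)" comment block above it only says where to obtain it. Suggest adding a comment line stating that the value is a secret (anyone holding it can run a connector for this tunnel), that it belongs only in the real env file kept out of version control, and that this template must keep it empty. It would also help to note next to "keep ':80'" that the hop from the tunnel to caddy:80 is plain HTTP, so Caddy's port 80 should not also be published on the host when the tunnel profile is enabled; the compose change is not visible in this hunk, so that is worth confirming there. Finally, the comments do not say what happens when COMPOSE_PROFILES=tunnel is set while the token is left empty; a one-line remark that both must be set together would prevent a connector that starts and fails.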