Add Cloudflare Tunnel connector (profile-gated) to the deploy stack

A cloudflared service (opt-in via the 'tunnel' compose profile, token from CLOUDFLARE_TUNNEL_TOKEN) connects the lab to Cloudflare. One public hostname -> http://caddy:80 is sufficient because Caddy does the internal path routing. Mirrors the drawbar tunnel setup.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
2026-06-06 11:32:15 -04:00
parent 4921ce0776
commit 828445a6b3
2 changed files with 26 additions and 0 deletions
@@ -86,6 +86,24 @@ services:
- frontend
restart: unless-stopped
# Cloudflare Tunnel connector. The tunnel/ingress is configured in the
# Cloudflare dashboard; this container just connects. One public hostname
# (e.g. provenance.paul.farm) -> http://caddy:80 is enough, because Caddy
# does the internal path routing (/ -> frontend, /api + /health -> backend).
#
# Opt-in via the "tunnel" profile so local dev doesn't start it. On the lab
# host set COMPOSE_PROFILES=tunnel so `docker compose up -d` includes it.
cloudflared:
image: cloudflare/cloudflared:latest
restart: unless-stopped
command: tunnel --no-autoupdate run
environment:
TUNNEL_TOKEN: ${CLOUDFLARE_TUNNEL_TOKEN:-}
depends_on:
- caddy
profiles:
- tunnel
volumes:
pgdata:
miniodata:
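Review bot: `image: cloudflare/cloudflared:latest` in the new cloudflared service is a mutable tag, so the container that holds the tunnel token and can reach caddy changes whenever the image is re-pulled, and `--no-autoupdate` on the command line does not prevent that. Pin a specific release tag or an image digest and bump it deliberately. Separately, `TUNNEL_TOKEN: ${CLOUDFLARE_TUNNEL_TOKEN:-}` falls back to an empty string, so enabling the tunnel profile without the variable set starts the connector with no token, and under `restart: unless-stopped` it is likely to sit in a restart loop rather than fail visibly at `docker compose up`. The comment block should state where the token is expected to come from on the lab host (for example an untracked .env file) so that this failure is easy to diagnose.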