Add Cloudflare Tunnel connector (profile-gated) to the deploy stack
A cloudflared service (opt-in via the 'tunnel' compose profile, token from CLOUDFLARE_TUNNEL_TOKEN) connects the lab to Cloudflare. One public hostname -> http://caddy:80 is sufficient because Caddy does the internal path routing. Mirrors the drawbar tunnel setup.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
@@ -26,8 +26,16 @@ S3_REGION=us-east-1
|
|||||||
|
|
||||||
# --- Edge (Caddy) ---
|
# --- Edge (Caddy) ---
|
||||||
# Local: ':80' (http://localhost). Production: 'provenance.example.com' for auto-HTTPS.
|
# Local: ':80' (http://localhost). Production: 'provenance.example.com' for auto-HTTPS.
|
||||||
|
# Behind a Cloudflare Tunnel, keep ':80' — Cloudflare terminates TLS and the
|
||||||
|
# tunnel forwards plain HTTP to caddy:80.
|
||||||
PROVENANCE_SITE_ADDRESS=:80
|
PROVENANCE_SITE_ADDRESS=:80
|
||||||
|
|
||||||
|
# --- Cloudflare Tunnel (optional) ---
|
||||||
|
# Enable by setting COMPOSE_PROFILES=tunnel and supplying the connector token
|
||||||
|
# from the Cloudflare dashboard. Public hostname -> http://caddy:80.
|
||||||
|
CLOUDFLARE_TUNNEL_TOKEN=
|
||||||
|
COMPOSE_PROFILES=
|
||||||
|
|
||||||
# --- Auth / sessions ---
|
# --- Auth / sessions ---
|
||||||
SESSION_TTL_DAYS=30
|
SESSION_TTL_DAYS=30
|
||||||
TOKEN_TTL_HOURS=24
|
TOKEN_TTL_HOURS=24
|
||||||
|
|||||||
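Review bot: The CLOUDFLARE_TUNNEL_TOKEN= entry is a credential (anyone holding the connector token can run a connector for this tunnel), but the comment above it only says where to obtain it. Add a line stating that the real value belongs only in the untracked env file on the lab host and should be rotated in the Cloudflare dashboard if it is ever committed or leaked. The new Caddy comment already notes that the tunnel forwards plain HTTP to caddy:80; it would help to add that, in this mode, caddy:80 should be reachable only over the compose network, since nothing on that hop is encrypted or authenticated.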
@@ -86,6 +86,24 @@ services:
|
|||||||
- frontend
|
- frontend
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
|
||||||
|
# Cloudflare Tunnel connector. The tunnel/ingress is configured in the
|
||||||
|
# Cloudflare dashboard; this container just connects. One public hostname
|
||||||
|
# (e.g. provenance.paul.farm) -> http://caddy:80 is enough, because Caddy
|
||||||
|
# does the internal path routing (/ -> frontend, /api + /health -> backend).
|
||||||
|
#
|
||||||
|
# Opt-in via the "tunnel" profile so local dev doesn't start it. On the lab
|
||||||
|
# host set COMPOSE_PROFILES=tunnel so `docker compose up -d` includes it.
|
||||||
|
cloudflared:
|
||||||
|
image: cloudflare/cloudflared:latest
|
||||||
|
restart: unless-stopped
|
||||||
|
command: tunnel --no-autoupdate run
|
||||||
|
environment:
|
||||||
|
TUNNEL_TOKEN: ${CLOUDFLARE_TUNNEL_TOKEN:-}
|
||||||
|
depends_on:
|
||||||
|
- caddy
|
||||||
|
profiles:
|
||||||
|
- tunnel
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
pgdata:
|
pgdata:
|
||||||
miniodata:
|
miniodata:
|
||||||
|
|||||||
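Review bot: image: cloudflare/cloudflared:latest leaves the connector version floating while the command passes --no-autoupdate, so the version in production is whatever the last pull happened to fetch. Pin the image to a specific release tag or digest and bump it deliberately. Separately, TUNNEL_TOKEN: ${CLOUDFLARE_TUNNEL_TOKEN:-} falls back to an empty string, so enabling the tunnel profile without a token is only noticed at runtime, and restart: unless-stopped will keep restarting the failing container. A comment on that line pointing operators at the cloudflared logs, or a token check before `docker compose up -d`, would make the failure easier to spot.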