feat: add Cloudflare Tunnel integration #923
- Add traefik.enable=true to nginx-public.base.yml for defensive correctness
- Remove redundant WARDEN_CLOUDFLARED_TUNNEL_ID export in cf.cmd create
- Add comment linking UUID regex to sed substitution safety
Pull request overview
Adds a Cloudflare Tunnel integration to Warden, including a new warden cf command, conditional global cloudflared service startup, and automatic tunnel config regeneration based on running environments that opt in via TRAEFIK_PUBLIC_DOMAIN.
Changes:
- Introduces `warden cf` subcommands to manage Cloudflare Tunnel lifecycle and local credential/config files.
- Adds conditional `cloudflared` global service and generates `~/.warden/etc/cloudflared/config.yml` by scanning container labels.
- Adds an `nginx-public` Traefik routing partial to opt environments into public-domain routing.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| utils/core.sh | Adds regenerateCloudflaredConfig to generate cloudflared config from running container labels and restart cloudflared |
| commands/svc.cmd | Conditionally includes the cloudflared compose file and triggers config regeneration on svc up |
| commands/env.cmd | Adds nginx-public partial opt-in and triggers cloudflared config regeneration on env lifecycle actions |
| docker/docker-compose.cloudflared.yml | Defines the global cloudflared service container and mounts generated config/credentials |
| environments/includes/nginx-public.base.yml | Adds Traefik router labels for TRAEFIK_PUBLIC_DOMAIN and emits dev.warden.cf.domain label |
| commands/cf.cmd | Implements warden cf (login/create/delete/status/update/logout) behaviors |
| commands/cf.help | Adds help/usage text for the new cf command |
| CHANGELOG.md | Documents the new Cloudflare Tunnel integration under UNRELEASED |
Prevents trailing \r on Windows/WSL from breaking tunnel operations.
- Remove duplicate regenerateCloudflaredConfig calls in pre-down/pre-up blocks (keep only the post-command call when containers are in final state)
- Add preflight warning in svc.cmd when config.yml is missing
- Add varnish-public.base.yml for TRAEFIK_PUBLIC_DOMAIN with varnish enabled (varnish.base.yml disables traefik on nginx, so labels must go on varnish)
- Fix comment on docker restart to reflect actual behavior
Interesting. I'll have to give this a test drive before approving, but seems like an almost no-brainer alternative to ngrok.com.
I think my biggest surprise is (at least according to Google's AI, because I didn't do more research than that) that Cloudflare offers this free? I've already merged in the image because there's no potential harm from building it; but the rest I want to spend more time looking over
@navarr I've been using that for more than a year for my Home Assistant and my microservices (e.g. MCPs, self-hosted LMStudio). Finally I found motivation to introduce that to Warden :)
@navarr indeed, Cloudflare offers it for free, but it only requires a domain name. I have been using it for years. However, I would strongly recommend that anyone who needs to test a local website on other devices, rather than on a host, consider Tailscale. It is free, requires no configuration, and does not require a domain name. In addition, with Tailscale, it is possible to use Funnel and expose certain ports and URLs to the internet, making it possible to test webhooks and other functionality. I highly recommend it. They have a free plan for 6 users and unlimited number of devices. With Cloudflare you would need to play around with Zero trust policies, firewall, configuration, DNS and so on. If someone needs, they can easily inject the Cloudflare tunnel container using
Summary
- `warden cf` command for tunnel lifecycle management (login, create, delete, status, update, logout)
- `cloudflared` global service (enabled by `WARDEN_CLOUDFLARED_TUNNEL_ID` in `~/.warden/.env`)
- `dev.warden.cf.domain` container labels
- `nginx-public.base.yml` partial for `TRAEFIK_PUBLIC_DOMAIN` routing
- `env up/down/stop/start`
Related PRs
All PRs must be merged together.
Test plan
- `warden cf login` → `warden cf create` → `warden svc up`
- `TRAEFIK_PUBLIC_DOMAIN` in `.env` and `warden env up`
- `warden cf status` shows tunnel and connected domains
- `~/.warden/etc/cloudflared/config.yml` has correct ingress rules
- `warden cf update` regenerates config
- `warden env down` removes domain from config
- `warden cf delete` and `warden cf logout` clean up correctly
- `WARDEN_CLOUDFLARED_TUNNEL_ID` is not set
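The input handling this PR describes (tunnel ID checked against a UUID pattern before substitution, trailing `\r` stripped, ingress rules built from `dev.warden.cf.domain` label values), shown as an added example that is not Warden's code. The function names, the hostname pattern, the credentials path, the origin URL `https://traefik:443` and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Warden's code. Credentials path and origin URL are assumptions.

# Canonical lowercase UUID: only [0-9a-f-], so it is safe in paths and sed replacements.
UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
# Conservative hostname: dot-separated DNS labels, no spaces or YAML metacharacters.
HOST_RE='^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'

# Print the tunnel ID with carriage returns removed; fail unless it is exactly one UUID.
clean_tunnel_id() {
  id=$(printf '%s' "$1" | tr -d '\r')
  [ "${#id}" -eq 36 ] || return 1   # length check also rules out embedded newlines
  printf '%s\n' "$id" | grep -Eq "$UUID_RE" || return 1
  printf '%s\n' "$id"
}

# Read one label value per line on stdin; keep valid hostnames, de-duplicated.
valid_domains() {
  tr -d '\r' | grep -E "$HOST_RE" | sort -u
}

# Usage: render_config TUNNEL_ID ORIGIN_URL < label-values
render_config() {
  tid=$(clean_tunnel_id "$1") || { echo "refusing invalid tunnel ID" >&2; return 1; }
  printf 'tunnel: %s\n' "$tid"
  printf 'credentials-file: /etc/cloudflared/%s.json\n' "$tid"   # assumed path
  printf 'ingress:\n'
  valid_domains | while IFS= read -r host; do
    printf '  - hostname: %s\n    service: %s\n' "$host" "$2"
  done
  # cloudflared requires the final ingress rule to be a catch-all with no hostname.
  printf '  - service: http_status:404\n'
}

# Constructed sample input: a CRLF line, a duplicate, and a value that is not a hostname.
printf 'shop.example.test\r\nshop.example.test\nbad value: {}\n' |
  render_config '123e4567-e89b-12d3-a456-426614174000' 'https://traefik:443'
```

Label values that fail the hostname check are dropped rather than written into the YAML, so a malformed label on one container cannot alter the rules generated for the others.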