feat: add Cloudflare Tunnel integration #923
- Add traefik.enable=true to nginx-public.base.yml for defensive correctness
- Remove redundant WARDEN_CLOUDFLARED_TUNNEL_ID export in cf.cmd create
- Add comment linking UUID regex to sed substitution safety
Pull request overview
Adds a Cloudflare Tunnel integration to Warden, including a new warden cf command, conditional global cloudflared service startup, and automatic tunnel config regeneration based on running environments that opt in via TRAEFIK_PUBLIC_DOMAIN.
Changes:
- Introduces warden cf subcommands to manage Cloudflare Tunnel lifecycle and local credential/config files.
- Adds conditional cloudflared global service and generates ~/.warden/etc/cloudflared/config.yml by scanning container labels.
- Adds an nginx-public Traefik routing partial to opt environments into public-domain routing.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| utils/core.sh | Adds regenerateCloudflaredConfig to generate cloudflared config from running container labels and restart cloudflared |
| commands/svc.cmd | Conditionally includes the cloudflared compose file and triggers config regeneration on svc up |
| commands/env.cmd | Adds nginx-public partial opt-in and triggers cloudflared config regeneration on env lifecycle actions |
| docker/docker-compose.cloudflared.yml | Defines the global cloudflared service container and mounts generated config/credentials |
| environments/includes/nginx-public.base.yml | Adds Traefik router labels for TRAEFIK_PUBLIC_DOMAIN and emits dev.warden.cf.domain label |
| commands/cf.cmd | Implements warden cf (login/create/delete/status/update/logout) behaviors |
| commands/cf.help | Adds help/usage text for the new cf command |
| CHANGELOG.md | Documents the new Cloudflare Tunnel integration under UNRELEASED |
Prevents trailing \r on Windows/WSL from breaking tunnel operations.
- Remove duplicate regenerateCloudflaredConfig calls in pre-down/pre-up blocks (keep only the post-command call when containers are in final state)
- Add preflight warning in svc.cmd when config.yml is missing
- Add varnish-public.base.yml for TRAEFIK_PUBLIC_DOMAIN with varnish enabled (varnish.base.yml disables traefik on nginx, so labels must go on varnish)
- Fix comment on docker restart to reflect actual behavior
Interesting. I'll have to give this a test drive before approving, but seems like an almost no-brainer alternative to ngrok.com.
I think my biggest surprise is that (at least according to Google's AI, because I didn't do more research than that) Cloudflare offers this free? I've already merged in the image because there's no potential harm from building it; but the rest I want to spend more time looking over.
@navarr I've been using that for more than a year for my Home Assistant and my microservices (e.g. MCPs, self-hosted LMStudio). Finally I found motivation to introduce that to Warden :)
Summary
- warden cf command for tunnel lifecycle management (login, create, delete, status, update, logout)
- cloudflared global service (enabled by WARDEN_CLOUDFLARED_TUNNEL_ID in ~/.warden/.env)
- dev.warden.cf.domain container labels
- nginx-public.base.yml partial for TRAEFIK_PUBLIC_DOMAIN routing
- env up/down/stop/start
Related PRs
All PRs must be merged together.
Test plan
- warden cf login → warden cf create → warden svc up
- TRAEFIK_PUBLIC_DOMAIN in .env and warden env up
- warden cf status shows tunnel and connected domains
- ~/.warden/etc/cloudflared/config.yml has correct ingress rules
- warden cf update regenerates config
- warden env down removes domain from config
- warden cf delete and warden cf logout clean up correctly
- WARDEN_CLOUDFLARED_TUNNEL_ID is not set
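The commits above mention a UUID check that keeps the sed substitution safe and a fix for trailing \r on Windows/WSL. The following is an added example (not code from this PR or from Warden) that applies the same validation to the tunnel ID and to label-derived domains before either reaches the generated cloudflared config; the function names, the ORIGIN value and the credentials path are assumptions, and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not Warden's code. Function names, ORIGIN and the
# credentials path are assumptions; sample values below are constructed.
UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
HOST_RE='^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
ORIGIN='https://traefik:443'   # assumed upstream for every public hostname
NL='
'

# Drop CRs (Windows/WSL line endings), lowercase, trim surrounding whitespace.
normalize() {
  tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Print the tunnel ID only if it is exactly one UUID. Anything else could carry
# sed or YAML metacharacters (/ & : newline) into the generated file.
valid_tunnel_id() {
  id=$(printf '%s' "$1" | normalize)
  case "$id" in *"$NL"*) return 1 ;; esac   # grep matches per line; reject multi-line
  printf '%s\n' "$id" | grep -Eq "$UUID_RE" || return 1
  printf '%s\n' "$id"
}

# stdin: one candidate hostname per line, as collected from container labels.
# stdout: cloudflared config. Values that are not plain hostnames are skipped.
render_config() {
  tid=$(valid_tunnel_id "$1") || { echo "refusing invalid tunnel id" >&2; return 1; }
  printf 'tunnel: %s\ncredentials-file: /etc/cloudflared/%s.json\ningress:\n' "$tid" "$tid"
  normalize | sort -u | while IFS= read -r host; do
    [ -n "$host" ] || continue
    if printf '%s\n' "$host" | grep -Eq "$HOST_RE"; then
      printf '  - hostname: %s\n    service: %s\n' "$host" "$ORIGIN"
    else
      echo "skipping label value that is not a hostname" >&2
    fi
  done
  printf '  - service: http_status:404\n'   # cloudflared requires a catch-all rule last
}

# Constructed input: CRLF ending, case duplicate, and a value with YAML syntax.
printf 'shop.example.test\r\nShop.Example.Test\nx.test: {a: b}\n' |
  render_config "$(printf '00000000-0000-4000-8000-000000000000\r')"
```

Label values are written by whoever controls an environment's compose files, so they are checked as strictly as the tunnel ID before being written into the ingress rules.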