# Cloudflare Zero Trust Configuration

This directory contains all Cloudflare Zero Trust configurations for secure global access to the hybrid cloud control plane.

## Structure

```
cloudflare/
├── access-policies.yaml    # Access policies for applications
├── tunnel-configs/         # Per-site tunnel configurations
├── gateway-policies.yaml   # DNS and filtering policies
├── warp-config.json        # WARP device enrollment
└── terraform/              # Terraform modules for Cloudflare
```

## Components

### Access Policies

Define who can access which applications based on:

- User identity (from Keycloak)
- Device posture
- IP address
- MFA requirements
- Time-based rules

### Tunnels

Outbound-only connections from the Proxmox sites and the control plane to Cloudflare:

- No public IPs required
- Automatic reconnection
- Load balancing across multiple tunnels
- Health checks

### Gateway Policies

DNS filtering and network security:

- Block malicious domains
- Log DNS queries
- Apply policies based on user/device
- Split DNS for internal services

### WARP

Device-level VPN for employees:

- Zero Trust network access
- Device posture checks
- Automatic enrollment

## Usage

### Apply Access Policies

```bash
# Using Cloudflare API
cloudflared access policy create --config access-policies.yaml

# Or via Terraform
cd terraform
terraform apply
```

### Deploy Tunnels

1. Create the tunnel in the Cloudflare dashboard
2. Copy the tunnel token
3. Update the tunnel config with the token
4. Deploy the cloudflared agent with the config

```bash
cloudflared tunnel run --config tunnel-configs/site-1.yaml
```

### Configure WARP

1. Create a WARP enrollment in the Cloudflare dashboard
2. Update warp-config.json with the enrollment details
3. Distribute the config to devices

## Security Best Practices

- Use service tokens for API access
- Rotate tunnel tokens regularly
- Enable MFA for all access policies
- Use device posture checks
- Log all access attempts
- Review policies quarterly
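As an added example (not a file from this repository's `terraform/` directory), this is how the Access Policies section and the service-token best practice look in Terraform using the Cloudflare provider's v4 `cloudflare_access_application` and `cloudflare_access_policy` resources. The `var.*` identifiers (account id, Keycloak identity-provider id, Access group id, device posture rule id, service token id) and the hostname are assumed placeholders.

```hcl
# Added example: one Access application with two policies. The var.* values and
# the hostname are placeholders for the account's own identifiers.
resource "cloudflare_access_application" "control_plane" {
  account_id       = var.account_id
  name             = "Hybrid Cloud Control Plane"
  domain           = "control.example.com"
  type             = "self_hosted"
  session_duration = "8h"
}

# Interactive users: in the operators group, authenticated through Keycloak
# with MFA, on a device passing the posture check, from the office range.
# All require blocks must hold together; include alone would be too weak.
resource "cloudflare_access_policy" "control_plane_operators" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.control_plane.id
  name           = "operators"
  precedence     = 1
  decision       = "allow"
  include {
    group = [var.operators_group_id]
  }
  require {
    login_method = [var.keycloak_idp_id]
  }
  require {
    auth_method = "mfa"
  }
  require {
    device_posture = [var.posture_rule_id]
  }
  require {
    ip = ["203.0.113.0/24"]
  }
}

# Non-interactive API clients present a service token instead of logging in;
# "non_identity" grants access with no user identity behind the request.
resource "cloudflare_access_policy" "control_plane_api" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.control_plane.id
  name           = "api-clients"
  precedence     = 2
  decision       = "non_identity"
  include {
    service_token = [var.api_service_token_id]
  }
}
```

Keep the service-token policy at a lower precedence than the interactive one and scope it to a dedicated token per client so that rotating or revoking one token does not affect the others.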