# Automated Setup via Cloudflare API

Complete automation of all manual steps using the Cloudflare API, with credentials read from the `.env` file.

## Overview

This automated setup uses your Cloudflare API credentials from `.env` to:

1. ✅ Create tunnels in Cloudflare
2. ✅ Configure tunnel routes
3. ✅ Create DNS records
4. ✅ Create Cloudflare Access applications
5. ✅ Save credentials automatically

## Prerequisites

✅ `.env` file with Cloudflare API credentials:

```bash
CLOUDFLARE_API_TOKEN="your-api-token"
# OR
CLOUDFLARE_API_KEY="your-api-key"
CLOUDFLARE_EMAIL="your-email@example.com"
CLOUDFLARE_ACCOUNT_ID="your-account-id"  # Optional, will be auto-detected
CLOUDFLARE_ZONE_ID="your-zone-id"        # Optional, will be auto-detected
DOMAIN="d-bis.org"
```

## Quick Start

### Option 1: Complete Automated Setup (Recommended)

```bash
cd scripts/cloudflare-tunnels
./scripts/automate-cloudflare-setup.sh
./scripts/save-credentials-from-file.sh
./scripts/setup-multi-tunnel.sh --skip-credentials
```

### Option 2: Step-by-Step

#### Step 1: Create Tunnels, DNS, and Access via API

```bash
./scripts/automate-cloudflare-setup.sh
```

This will:

- Create 3 tunnels: `tunnel-ml110`, `tunnel-r630-01`, `tunnel-r630-02`
- Configure tunnel routes for each Proxmox host
- Create DNS CNAME records (proxied)
- Create Cloudflare Access applications
- Save credentials to `tunnel-credentials.json`

#### Step 2: Save Credentials to VMID 102

```bash
./scripts/save-credentials-from-file.sh
```

This automatically loads credentials from `tunnel-credentials.json` and saves them to VMID 102.

#### Step 3: Install Systemd Services

```bash
./scripts/setup-multi-tunnel.sh --skip-credentials
```

#### Step 4: Start Services

```bash
# From Proxmox host or via SSH
ssh root@192.168.11.10 "pct exec 102 -- systemctl start cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02"
# systemctl enable does not expand glob patterns, so name each unit explicitly
ssh root@192.168.11.10 "pct exec 102 -- systemctl enable cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02"
```

#### Step 5: Verify

```bash
./scripts/check-tunnel-health.sh
```

## What Gets Created

### Tunnels

- `tunnel-ml110` → ml110-01.d-bis.org → 192.168.11.10:8006
- `tunnel-r630-01` → r630-01.d-bis.org → 192.168.11.11:8006
- `tunnel-r630-02` → r630-02.d-bis.org → 192.168.11.12:8006

### DNS Records

- `ml110-01.d-bis.org` → CNAME → `.cfargotunnel.com` (Proxied)
- `r630-01.d-bis.org` → CNAME → `.cfargotunnel.com` (Proxied)
- `r630-02.d-bis.org` → CNAME → `.cfargotunnel.com` (Proxied)

### Cloudflare Access Applications

- `Proxmox ml110` → ml110-01.d-bis.org
- `Proxmox r630-01` → r630-01.d-bis.org
- `Proxmox r630-02` → r630-02.d-bis.org

Each is created with a basic access policy requiring email authentication.

## Manual Steps (If Needed)

If automation fails, you can manually:

### Save Individual Tunnel Credentials

```bash
./scripts/save-tunnel-credentials.sh ml110
./scripts/save-tunnel-credentials.sh r630-01
./scripts/save-tunnel-credentials.sh r630-02
```

### Update Access Policies

Access applications are created with basic policies. To enhance:

1. Go to Cloudflare Zero Trust → Access → Applications
2. Edit each application
3. Add MFA requirement
4. Configure additional policies

## Troubleshooting

### API Authentication Fails

```bash
# Test API credentials
cd /home/intlc/projects/proxmox
./scripts/test-cloudflare-api.sh
```

### Tunnel Creation Fails

- Check API token has `Account:Cloudflare Tunnel:Edit` permission
- Verify account ID is correct
- Check Zero Trust is enabled

### DNS Records Not Created

- Check API token has `Zone:DNS:Edit` permission
- Verify zone ID is correct
- Check domain is managed by Cloudflare

### Access Applications Not Created

- Check API token has `Account:Access:Edit` permission
- Verify Zero Trust is enabled
- Check account has Access plan

## Files Created

- `tunnel-credentials.json` - Contains all tunnel IDs and tokens (keep secure!)

## Security Notes

⚠️ **Important:**

- `tunnel-credentials.json` contains sensitive tokens
- File is created with `chmod 600` (owner read/write only)
- Do not commit to version control
- Consider deleting after credentials are saved to VMID 102

## Next Steps

After automated setup:

1. ✅ Verify all services are running
2. ✅ Test access to each Proxmox host
3. ✅ Configure enhanced Access policies (MFA, etc.)
4. ✅ Set up monitoring: `./scripts/monitor-tunnels.sh --daemon`
5. ✅ Configure alerting: Edit `monitoring/alerting.conf`

---

**All manual steps are now automated!** 🎉
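
A pre-flight check for the handling rules listed under Security Notes, as an added example that is not one of the project's scripts: it reports whether `tunnel-credentials.json` is mode 600 and kept out of git (neither tracked nor missing from `.gitignore`). The function name `audit_credentials_file` is hypothetical.

```shell
#!/bin/sh
# Added example (not one of the project's scripts): audit tunnel-credentials.json
# against the Security Notes. The function name is hypothetical.
# Returns 0 when the file is absent or safely stored, 1 otherwise.
audit_credentials_file() (
    file="${1:-tunnel-credentials.json}"
    rc=0

    # Deleting the file once the credentials are on VMID 102 is the safest state.
    if [ ! -e "$file" ] && [ ! -L "$file" ]; then
        echo "OK: $file not present"
        return 0
    fi

    # A symlink could point at a copy stored with weaker permissions.
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symlink"
        rc=1
    fi

    # GNU stat takes -c, BSD/macOS stat takes -f.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $file has mode $mode, expected 600"
        rc=1
    fi

    # Only run the version-control checks when the file sits in a git work tree.
    dir=$(dirname "$file")
    name=$(basename "$file")
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
            echo "FAIL: $file is tracked by git"
            rc=1
        elif ! git -C "$dir" check-ignore -q -- "$name"; then
            echo "FAIL: $file is not covered by .gitignore"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file is mode 600 and outside version control"
    return "$rc"
)

# Optional stand-alone use: sh audit.sh path/to/tunnel-credentials.json
if [ $# -gt 0 ]; then audit_credentials_file "$1"; fi
```

A tracked file stays in repository history even after it is removed from the working tree, so a "tracked by git" result means the tunnel tokens should be treated as exposed and rotated.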