Cloudflare Tunnel Template for Dropshell
=========================================

This template deploys a Cloudflare Tunnel (cloudflared) to securely expose your
local services to the internet without opening firewall ports or having a public
IP address.

PREREQUISITES
-------------

1. A Cloudflare account (free tier works)
2. A domain added to Cloudflare
3. A tunnel token from the Cloudflare Zero Trust dashboard

SETUP INSTRUCTIONS
------------------

1. Log into Cloudflare Dashboard: https://one.dash.cloudflare.com/
2. Navigate to: Zero Trust -> Access -> Tunnels
3. Click "Create a tunnel"
4. Choose "Cloudflared" and click Next
5. Name your tunnel (e.g., "my-server-tunnel")
6. Copy the token from the install command (it's the long string after --token)
7. Save the tunnel (you'll configure routes in the dashboard later)

CONFIGURATION
-------------

Edit config/service.env and set:

- TUNNEL_TOKEN: Your tunnel token (required)
- TUNNEL_NAME: A friendly name for logs (optional)
- EXTRA_ARGS: Additional cloudflared arguments (optional)

ROUTING CONFIGURATION
--------------------

After the tunnel is running, configure routes in the Cloudflare dashboard:

1. Go to your tunnel's configuration page
2. Click "Configure"
3. Add public hostname routes to your local services:
   - Subdomain: app
   - Domain: yourdomain.com
   - Type: HTTP
   - URL: localhost:8080 (or your service's local address)

FEATURES
--------

- Automatic reconnection on network issues
- No firewall configuration needed
- Free SSL certificates
- DDoS protection included
- Works behind NAT/CGNAT
- Automatic updates via watchtower

COMMON USE CASES
---------------

- Expose web services: Route subdomain.yourdomain.com -> localhost:port
- SSH access: Configure SSH routes in dashboard
- Multiple services: Add multiple public hostname routes
- Internal services: Use private network routes for VPN-like access

TROUBLESHOOTING
--------------

- Check logs: ds logs [server] cloudflare-tunnel
- Verify token: Ensure TUNNEL_TOKEN is set correctly
- Check dashboard: Verify tunnel shows as "Active" in Cloudflare dashboard
- Test locally: curl http://localhost:yourport to verify service is running

NOTES
-----

- The tunnel will automatically start on system reboot
- One tunnel can handle multiple services via dashboard routing
- Token should be kept secret - it provides full tunnel access
- Free tier allows up to 50 users for private applications
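
The script below is an added example, not part of the Dropshell template. It checks that config/service.env sets TUNNEL_TOKEN, that the token decodes as base64 JSON with "a", "t" and "s" keys, and that the file is private to its owner, without ever printing the token. The function names and return codes are hypothetical, and the token-shape test is an assumption about dashboard-issued tokens.

```shell
#!/bin/sh
# Added example (not part of the template): pre-flight check for config/service.env.
# It never prints the token itself.

# Print the value of key $2 from env file $1 (last assignment wins, quotes stripped).
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 only if the file mode is 600 or 400 (GNU stat first, BSD stat as fallback).
perms_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Assumption: a dashboard-issued token is base64-encoded JSON with "a", "t", "s" keys.
# A truncated or mis-pasted token fails to decode or lacks one of the keys.
token_shape_ok() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    for key in a t s; do
        printf '%s' "$decoded" | grep -q "\"$key\"[[:space:]]*:" || return 1
    done
}

# Returns 0 if OK; 2 missing file, 3 no token, 4 unexpected token shape, 5 loose permissions.
check_service_env() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    token=$(env_get "$file" TUNNEL_TOKEN)
    [ -n "$token" ] || { echo "TUNNEL_TOKEN is not set in $file" >&2; return 3; }
    token_shape_ok "$token" || { echo "TUNNEL_TOKEN looks truncated or mis-pasted" >&2; return 4; }
    perms_private "$file" || { echo "$file is readable by others; run: chmod 600 $file" >&2; return 5; }
    return 0
}

# Usage: sh check-env.sh config/service.env
if [ "$#" -gt 0 ]; then
    check_service_env "$1"
fi
```

Run it before starting the service; a non-zero exit code identifies which check failed.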