Cloudflare Tunnel Template Pack
===============================

Purpose
- Reusable DNS patterns, host configs, and Zero Trust notes for publishing internal apps without opening inbound ports on your router: the connector dials out to Cloudflare, so the origin is reachable from the internet only through the tunnel.

Prereqs
- Cloudflare account with your domain onboarded.
- Cloudflare Tunnel connector installed on a host inside your lab.
- Nginx Proxy Manager (or similar) to handle internal reverse proxying.

DNS Record Patterns (per app)
- `app.lab.example.com`  CNAME -> `YOUR-TUNNEL-ID.cfargotunnel.com` (orange cloud ON; the record must be proxied, a grey-cloud CNAME to cfargotunnel.com does not route).
- Optional local-only record: `app.lan.example.com` A -> `192.168.50.x` (orange cloud OFF). A grey-cloud A record publishes the private address in public DNS and so leaks your internal addressing; if that matters, serve the LAN name from a local resolver (split-horizon) instead.
- Add an `_service._tcp.app.lab.example.com` SRV if you want clients to auto-discover (rare, but helpful for some apps).

NPM Host Config Outline
- Domain names: `app.lab.example.com` and, if needed, local variant.
- Scheme `http`, forward host `10.0.0.20`, forward port `PORT` (match the internal service; NPM keeps these as three separate fields).
- Enable "Block Common Exploits" and "Websockets Support." Block Common Exploits is a short list of nginx regex rules, not a WAF, so keep the Cloudflare-side controls on as well.
- SSL tab: Request a new certificate via DNS challenge (Cloudflare) using an API token scoped to Zone:DNS:Edit on this zone only. Force SSL redirect on. NPM's Force SSL rule 301s every plain-http request, so tunnel traffic must reach NPM over https or the edge, tunnel and NPM will loop on redirects.
- Access list (optional): internal-only list for LAN, separate for WAN via Zero Trust.

Zero Trust Notes
- Create an Access application with `app.lab.example.com`.
- Policy: Allow emails from your domain OR a GitHub/Google group. A Bypass policy skips authentication entirely for the matching source; if you add one for a "safe" IP list, keep it to exact addresses you control, never a broad ISP or VPN range, and use a Service Auth policy with a service token for automation rather than Bypass.
- Access is enforced at the Cloudflare edge only. Keep the origin reachable solely through the tunnel (no router port-forward, no extra public record pointing at it) and have the app or NPM verify the `Cf-Access-Jwt-Assertion` header against `https://<team>.cloudflareaccess.com/cdn-cgi/access/certs` with the application's AUD tag, so a request that reaches the origin without passing Access is still refused.
- Turn on device posture checks if you have WARP enrolled devices.
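The origin-side check described above, as an added example that is not part of the template pack or of Cloudflare's own code: a Go verifier for the `Cf-Access-Jwt-Assertion` value. In production the JWKS comes from the team's certs URL; here `MintRS256` and `JWKFromKey` stand in for Cloudflare's signer with a constructed RSA key, and the AUD tag, team domain and e-mail address are placeholder values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWK is one entry of the "keys" array served at
// https://<team>.cloudflareaccess.com/cdn-cgi/access/certs (fetch and cache it out of band).
type JWK struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// AccessClaims is the part of the Access token payload checked here.
type AccessClaims struct {
	Aud   []string `json:"aud"` // Access emits aud as an array of AUD tags
	Iss   string   `json:"iss"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
}

// VerifyAccessJWT validates a Cf-Access-Jwt-Assertion value: RS256 signature by the
// key named in the header's kid, then audience (the app's AUD tag), issuer and expiry.
func VerifyAccessJWT(token string, keys []JWK, wantAud, wantIss string, now time.Time) (*AccessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches field names case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("bad header")
	}
	if hdr.Alg != "RS256" { // pin the algorithm: the token must not choose (alg=none, HS256 confusion)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if n, err := b64.DecodeString(k.N); k.Kid == hdr.Kid && err == nil {
			e, _ := b64.DecodeString(k.E) // a bad exponent is rejected inside VerifyPKCS1v15
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key for kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c AccessClaims // claims are only trusted once the signature has checked out
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("audience mismatch")
}

// MintRS256 and JWKFromKey stand in for Cloudflare's signer so the check runs offline.
func MintRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

func JWKFromKey(pub *rsa.PublicKey, kid string) []JWK {
	return []JWK{{Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key standing in for Cloudflare's
	const aud, iss = "app-aud-tag", "https://example.cloudflareaccess.com"
	tok := MintRS256(priv, "k1", map[string]any{"aud": []string{aud}, "iss": iss,
		"email": "me@example.com", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyAccessJWT(tok, JWKFromKey(&priv.PublicKey, "k1"), aud, iss, time.Now()))
}
```

Wire `VerifyAccessJWT` in as middleware in front of the app (or as an `auth_request` target behind NPM) and treat any error as a 403; the claims' `email` is then a trustworthy identity for logging and authorization decisions.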

Operational Checklist (per new service)
- [ ] Create CNAME record in Cloudflare with the tunnel target.
- [ ] Add/verify Access policy for the new hostname.
- [ ] Add host in NPM with correct upstream port and SSL cert.
- [ ] Test from WAN and LAN: from WAN an unauthenticated request must land on the Access login page before anything from the app, and `http://` must 301 to HTTPS; from LAN the local record must reach NPM directly.
- [ ] Capture service notes in your runbook (ports, upstream IP, owners).

Copy/Paste Snippets
```yaml
# cloudflared config snippet (/etc/cloudflared/config.yml)
tunnel: YOUR-TUNNEL-ID
credentials-file: /etc/cloudflared/YOUR-TUNNEL-ID.json

ingress:
  - hostname: app.lab.example.com
    # Hand off to NPM (NPM-HOST is a placeholder for its LAN address) so the NPM
    # host config, certificate and access list apply to tunnel traffic as well.
    # https:// rather than http:// avoids a 301 loop with NPM's "Force SSL".
    service: https://NPM-HOST:443
    originRequest:
      originServerName: app.lab.example.com   # name to verify on NPM's certificate
  # Catch-all: any hostname not matched above is refused.
  - service: http_status:404
```

```bash
# quick DNS add via Cloudflare API (replace tokens/zone/record)
curl -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE}/dns_records" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "CNAME",
    "name": "app.lab.example.com",
    "content": "YOUR-TUNNEL-ID.cfargotunnel.com",
    "ttl": 120,
    "proxied": true
  }'
```

Audit After Deployment
- Confirm TLS cert expiry > 60 days on both the edge certificate (what WAN clients see) and NPM's DNS-challenge certificate (what LAN clients and the tunnel connector see).
- Confirm NPM access list applied where intended.
- Validate Access policy hit counters increment when testing.
- Log the change in your homelab runbook with a rollback plan.
