eac77ef7b4
Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
3.2 KiB
3.2 KiB
name, description, version
| name | description | version |
|---|---|---|
| cloudflare-tunnel-manager | Plan/apply/rollback for Cloudflare Tunnel lifecycle (create, configure, route DNS, run as service). Includes DRY_RUN safety gates, status matrix, and audit report. Triggers: 'cloudflare tunnel', 'create tunnel', 'tunnel plan', 'tunnel rollback', 'cloudflared config', 'dns route'. | 1.0.0 |
Cloudflare Tunnel Manager
Tier 1 skill for managing Cloudflare Tunnels safely:
- Plan → Apply workflow (two-phase)
- Rollback scripts for DNS route, service, and tunnel delete
- Verification + audit report
Designed for sovereign Node A style setups where you terminate TLS at Cloudflare and route traffic to a local service over a tunnel.
Quick Start
cd ~/.claude/skills/cloudflare-tunnel-manager
# Required
export CF_API_TOKEN="..." # Cloudflare API token
export CF_ACCOUNT_ID="..." # Cloudflare account ID
# Tunnel identity
export TUNNEL_NAME="node-a-tunnel"
export ZONE_NAME="example.com" # domain in Cloudflare
export HOSTNAME="node-a.example.com"
# Local origin (what tunnel forwards to)
export LOCAL_SERVICE="http://127.0.0.1:9110"
# Safety
export DRY_RUN=1
export REQUIRE_CONFIRM=1
export CONFIRM_PHRASE="I UNDERSTAND THIS CAN CHANGE DNS AND TUNNEL ROUTES"
./scripts/00_preflight.sh
./scripts/10_tunnel_plan.sh
./scripts/20_dns_plan.sh
./scripts/30_service_plan.sh
export DRY_RUN=0
./scripts/11_tunnel_apply.sh
./scripts/21_dns_apply.sh
./scripts/31_service_apply.sh
./scripts/90_verify.sh
./scripts/99_report.sh
Inputs
| Parameter | Required | Default | Description |
|---|---|---|---|
| CF_API_TOKEN | Yes | (none) | Cloudflare API token with Tunnel + DNS permissions |
| CF_ACCOUNT_ID | Yes | (none) | Cloudflare account ID |
| TUNNEL_NAME | Yes | (none) | Tunnel name |
| ZONE_NAME | Yes | (none) | Zone/domain in Cloudflare (e.g., example.com) |
| HOSTNAME | Yes | (none) | DNS hostname to route (e.g., node-a.example.com) |
| LOCAL_SERVICE | Yes | (none) | Local origin URL (e.g., http://127.0.0.1:9110) |
| CONFIG_DIR | No | outputs/config | Where generated config lives |
| SERVICE_NAME | No | cloudflared-tunnel | systemd unit name |
| DRY_RUN | No | 1 | Apply scripts refuse unless DRY_RUN=0 |
| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
| CONFIRM_PHRASE | No | I UNDERSTAND THIS CAN CHANGE DNS AND TUNNEL ROUTES | Safety phrase |
Outputs
outputs/config/config.yml(generated cloudflared config)outputs/config/tunnel.json(tunnel metadata snapshot)outputs/status_matrix.jsonoutputs/audit_report.md
Safety Guarantees
- Default DRY_RUN=1
- Confirmation phrase required for apply and rollback
- Plan scripts print exact commands and expected changes
- Rollbacks available:
- DNS route removal
- systemd service stop/disable
- tunnel delete (optional)
Notes
- This skill uses
cloudflaredCLI. - You can run the tunnel without systemd (manual) if desired.
EU Compliance
| Aspect | Value |
|---|---|
| Data Residency | EU (Ireland - Dublin) |
| Jurisdiction | Irish Law |
| Transport | Encrypted tunnel (Cloudflare) |
| Logs | Local status + reports only |