proxmox/scripts/cloudflare-tunnels/DEPLOYMENT_CHECKLIST.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


Deployment Checklist

Complete checklist for deploying the Cloudflare Multi-Tunnel setup.

Pre-Deployment

Prerequisites Verification

  • Run: ./scripts/verify-prerequisites.sh
  • All automated checks pass
  • VMID 102 is accessible and running
  • Network connectivity verified

Cloudflare Account Setup

  • Cloudflare account created
  • Zero Trust enabled (free for up to 50 users)
  • Domain d-bis.org added to Cloudflare
  • DNS management verified

Step 1: Create Tunnels in Cloudflare

  • Go to: https://one.dash.cloudflare.com
  • Navigate to: Zero Trust → Networks → Tunnels
  • Create tunnel: tunnel-ml110
    • Copy tunnel token/ID
    • Save credentials securely
  • Create tunnel: tunnel-r630-01
    • Copy tunnel token/ID
    • Save credentials securely
  • Create tunnel: tunnel-r630-02
    • Copy tunnel token/ID
    • Save credentials securely

Step 2: Configure Tunnel Public Hostnames

For each tunnel in Cloudflare Dashboard:

tunnel-ml110

  • Click "Configure"
  • Go to "Public Hostnames" tab
  • Add hostname:
    • Subdomain: ml110-01
    • Domain: d-bis.org
    • Service: https://192.168.11.10:8006
    • Type: HTTP
    • Save

tunnel-r630-01

  • Click "Configure"
  • Go to "Public Hostnames" tab
  • Add hostname:
    • Subdomain: r630-01
    • Domain: d-bis.org
    • Service: https://192.168.11.11:8006
    • Type: HTTP
    • Save

tunnel-r630-02

  • Click "Configure"
  • Go to "Public Hostnames" tab
  • Add hostname:
    • Subdomain: r630-02
    • Domain: d-bis.org
    • Service: https://192.168.11.12:8006
    • Type: HTTP
    • Save

Step 3: Run Setup Script

  • Navigate to: scripts/cloudflare-tunnels
  • Run: ./scripts/setup-multi-tunnel.sh
  • Enter tunnel IDs when prompted
  • Provide credentials file paths
  • Verify all services installed

Step 4: Update Configuration Files

  • Edit /etc/cloudflared/tunnel-ml110.yml
    • Replace <TUNNEL_ID_ML110> with actual tunnel ID
  • Edit /etc/cloudflared/tunnel-r630-01.yml
    • Replace <TUNNEL_ID_R630_01> with actual tunnel ID
  • Edit /etc/cloudflared/tunnel-r630-02.yml
    • Replace <TUNNEL_ID_R630_02> with actual tunnel ID

Step 5: Place Credentials Files

  • Copy tunnel-ml110.json to /etc/cloudflared/
  • Copy tunnel-r630-01.json to /etc/cloudflared/
  • Copy tunnel-r630-02.json to /etc/cloudflared/
  • Set permissions: chmod 600 /etc/cloudflared/tunnel-*.json
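
A check for Steps 4 and 5, added here as an example and not one of the project's scripts: it reports any tunnel config that still contains a `<TUNNEL_ID_...>` placeholder and any credentials file whose mode is not 600. The function name is hypothetical, the file names are the ones this checklist uses, and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not part of the project's scripts). Assumes GNU stat (Linux).
# Usage: audit_cloudflared_dir /etc/cloudflared
# Prints one finding per line; returns 1 if anything needs fixing.
audit_cloudflared_dir() {
    dir="${1:-/etc/cloudflared}"
    findings=0
    for name in ml110 r630-01 r630-02; do
        cfg="$dir/tunnel-$name.yml"
        cred="$dir/tunnel-$name.json"

        # Step 4: the config must exist and the placeholder must be replaced.
        if [ ! -f "$cfg" ]; then
            echo "MISSING $cfg"; findings=1
        elif grep -q '<TUNNEL_ID_' "$cfg"; then
            echo "PLACEHOLDER $cfg"; findings=1
        fi

        # Step 5: the credentials file must exist with mode 600, so that
        # no other local account can read the tunnel secret.
        if [ ! -f "$cred" ]; then
            echo "MISSING $cred"; findings=1
            continue
        fi
        mode=$(stat -c '%a' "$cred")
        if [ "$mode" != "600" ]; then
            echo "MODE $cred $mode"; findings=1
        fi
    done
    return "$findings"
}
```

Run it before Step 7; a non-zero exit status means at least one tunnel would start with a missing, unfinished or over-exposed file.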

Step 6: Create DNS Records

In Cloudflare Dashboard → DNS → Records:

  • Create CNAME: ml110-01 → <tunnel-id-ml110>.cfargotunnel.com
    • Proxy: Enabled (orange cloud)
    • TTL: Auto
  • Create CNAME: r630-01 → <tunnel-id-r630-01>.cfargotunnel.com
    • Proxy: Enabled (orange cloud)
    • TTL: Auto
  • Create CNAME: r630-02 → <tunnel-id-r630-02>.cfargotunnel.com
    • Proxy: Enabled (orange cloud)
    • TTL: Auto

Step 7: Start Services

  • Start ml110 tunnel: systemctl start cloudflared-ml110
  • Start r630-01 tunnel: systemctl start cloudflared-r630-01
  • Start r630-02 tunnel: systemctl start cloudflared-r630-02
  • Enable on boot: systemctl enable cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02

Step 8: Verify Services

  • Check status: systemctl status 'cloudflared-*'
  • All services show "active (running)"
  • Run health check: ./scripts/check-tunnel-health.sh
  • All checks pass

Step 9: Test DNS Resolution

  • dig ml110-01.d-bis.org - Resolves to Cloudflare IPs
  • dig r630-01.d-bis.org - Resolves to Cloudflare IPs
  • dig r630-02.d-bis.org - Resolves to Cloudflare IPs

Step 10: Test HTTPS Access

  • curl -I https://ml110-01.d-bis.org - Returns 200/302/401/403
  • curl -I https://r630-01.d-bis.org - Returns 200/302/401/403
  • curl -I https://r630-02.d-bis.org - Returns 200/302/401/403

Step 11: Configure Cloudflare Access

Follow: docs/CLOUDFLARE_ACCESS_SETUP.md

For ml110-01

  • Create application: Proxmox ml110-01
  • Domain: ml110-01.d-bis.org
  • Configure policy with MFA
  • Test access in browser

For r630-01

  • Create application: Proxmox r630-01
  • Domain: r630-01.d-bis.org
  • Configure policy with MFA
  • Test access in browser

For r630-02

  • Create application: Proxmox r630-02
  • Domain: r630-02.d-bis.org
  • Configure policy with MFA
  • Test access in browser
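
Once the Access applications exist, an unauthenticated request should be redirected to the Access login instead of reaching the Proxmox UI. The following added example (not one of the project's scripts) classifies the headers printed by `curl -sI`; the function names and the sample team name `example-team` are assumptions.

```shell
#!/bin/sh
# Added example (not part of the project's scripts).
# Classify the response an unauthenticated client gets from a tunnel hostname.
# Reads raw response headers on stdin, as printed by `curl -sI`.
access_verdict() {
    status="" location=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            HTTP/*) status=$(printf '%s' "$line" | awk '{print $2}') ;;
            [Ll]ocation:*) location=${line#*:}; location=${location# } ;;
        esac
    done
    case "$status" in
        302|303)
            # Access answers unauthenticated requests with a redirect to the
            # team's login domain under cloudflareaccess.com.
            case "$location" in
                https://*.cloudflareaccess.com/*) echo PROTECTED ;;
                *) echo UNKNOWN ;;
            esac ;;
        200) echo EXPOSED ;;   # content served without any Access challenge
        *) echo UNKNOWN ;;     # 401/403/5xx: inspect by hand
    esac
}

# Live check for one hostname from this checklist, e.g. ml110-01.d-bis.org
check_access() {
    curl -sI --max-time 10 "https://$1/" | access_verdict
}

# Constructed sample responses (team name and query string are placeholders).
sample_protected() {
    printf 'HTTP/2 302 \r\nlocation: https://example-team.cloudflareaccess.com/cdn-cgi/access/login/ml110-01.d-bis.org?kid=PLACEHOLDER\r\n\r\n'
}
sample_exposed() {
    printf 'HTTP/1.1 200 OK\r\nserver: pve-api-daemon/3.0\r\n\r\n'
}
```

Run `check_access` from a machine with no Access session; any hostname that reports EXPOSED is still publicly reachable without a policy in front of it.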

Step 12: Set Up Monitoring

  • Configure alerting: Edit monitoring/alerting.conf
  • Set email/webhook addresses
  • Test alerts: ./scripts/alert-tunnel-failure.sh ml110 service_down
  • Start monitoring: ./scripts/monitor-tunnels.sh --daemon
  • Verify monitoring is running: ps aux | grep monitor-tunnels

Step 13: Final Verification

  • All three Proxmox hosts accessible via browser
  • Cloudflare Access login appears
  • Can log in and access Proxmox UI
  • All tunnels show "Healthy" in Cloudflare dashboard
  • Monitoring is running
  • Alerts configured and tested

Post-Deployment

Documentation

  • Review all documentation
  • Bookmark troubleshooting guide
  • Save tunnel credentials securely
  • Document any custom configurations

Maintenance

  • Schedule regular health checks
  • Review access logs monthly
  • Update documentation as needed
  • Test disaster recovery procedures

Troubleshooting

If any step fails:

  1. Check TROUBLESHOOTING.md
  2. Run health check: ./scripts/check-tunnel-health.sh
  3. Review logs: journalctl -u 'cloudflared-*' -f
  4. Verify Cloudflare dashboard tunnel status

Quick Reference

Service Management

# Start all tunnels
systemctl start cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02

# Check status
systemctl status 'cloudflared-*'

# View logs
journalctl -u 'cloudflared-*' -f

Health Checks

# One-time check
./scripts/check-tunnel-health.sh

# Continuous monitoring
./scripts/monitor-tunnels.sh --daemon

URLs

  • ml110-01: https://ml110-01.d-bis.org
  • r630-01: https://r630-01.d-bis.org
  • r630-02: https://r630-02.d-bis.org

Status: Ready for deployment
Last Updated: $(date)