papanito.cloudflared

Posted February 23, 2021 by Adrian Wyssmann

Source

https://github.com/papanito/ansible-role-cloudflared

Role Summary


This Ansible role downloads and installs cloudflared on the host and optionally installs the Argo Tunnel as a service.

The role is built so that you can install multiple services side by side: simply run the role several times with different values for the parameters service, hostname and url.

The role performs the following steps:

  1. Download and install the binary according to downloads

  2. Install/configure the daemon - see Authenticate the daemon

  3. Create a config file per service in /etc/cloudflare

    The file is named {{ tunnel }}.yml and contains at minimum the following configuration:

    hostname: {{ hostname }}
    url: {{ url }}
    logfile: /var/log/cloudflared_{{ tunnel }}.log
    

    Additional parameters are configured via Cloudflare parameters

  4. Create a systemd unit template cloudflared@{{ tunnel }}.service and start an instance for each service in the list of tunnels

    cloudflared tunnel --config {{ tunnel }}.yml
    

Authenticate the daemon

According to authenticate-the-cloudflare-daemon, when authenticating the daemon a browser window is opened or, if this is not possible, the link has to be entered manually. During this time the daemon waits. I could not come up with a solution for automating this behavior, so I came up with the following implementation.

  • if nothing is specified, then Ansible calls cloudflared login and continues when the authentication is done. This makes sense if you use the role to install the daemon locally on your machine, where you have a browser window.

  • if cert_location is defined, the certificate is copied from cert_location; if cert_content is defined, the certificate is created directly from the value stored in it. So you can log in once to Cloudflare from your master node (where you run Ansible) or from a remote location.

    You can encrypt the cert.pem with Ansible Vault and store it somewhere safe.
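The following playbook is an added example (not taken from the role's repository) that combines the two points above: it runs the role once per tunnel on the same host and feeds the certificate in via cert_content from a vault-encrypted variable, so no interactive login is needed on the managed nodes. The variable names tunnel, hostname, url and cert_content are taken from this page's description; the inventory group tunnel_hosts, the variable vault_cloudflared_cert and the host names are assumptions to adapt.

```yaml
# Added example, not the role's own code.
# Variable names (tunnel, hostname, url, cert_content) follow this page;
# check them against the role's defaults before use.
#
# Create the vaulted variable once, on the node where you ran
# `cloudflared login` (it writes ~/.cloudflared/cert.pem by default):
#
#   ansible-vault encrypt_string --stdin-name vault_cloudflared_cert \
#       < ~/.cloudflared/cert.pem >> group_vars/tunnel_hosts/vault.yml
#
# cert.pem authorises tunnels for your whole zone, so keep it vaulted and
# out of plain-text group_vars or version control.
- name: Install cloudflared and one tunnel instance per service
  hosts: tunnel_hosts            # assumed inventory group
  become: true

  vars:
    # assumed: each entry becomes /etc/cloudflare/<tunnel>.yml and a
    # cloudflared@<tunnel>.service instance, as described above
    cloudflared_tunnels:
      - tunnel: blog
        hostname: blog.example.com        # placeholder host name
        url: http://127.0.0.1:8080        # origin only reachable locally
      - tunnel: wiki
        hostname: wiki.example.com        # placeholder host name
        url: http://127.0.0.1:8081

  tasks:
    - name: Run the role once per tunnel (non-interactive auth via cert_content)
      ansible.builtin.include_role:
        name: papanito.cloudflared
      vars:
        tunnel: "{{ item.tunnel }}"
        hostname: "{{ item.hostname }}"
        url: "{{ item.url }}"
        # vault_cloudflared_cert is the encrypted PEM created above
        cert_content: "{{ vault_cloudflared_cert }}"
      loop: "{{ cloudflared_tunnels }}"
      loop_control:
        label: "{{ item.tunnel }} -> {{ item.hostname }}"

    - name: Verify that every tunnel instance is up
      ansible.builtin.systemd:
        name: "cloudflared@{{ item.tunnel }}.service"
        state: started
        enabled: true
      loop: "{{ cloudflared_tunnels }}"
      loop_control:
        label: "{{ item.tunnel }}"
```

Run it with `ansible-playbook --ask-vault-pass site.yml` (or a vault id); binding the origin url to 127.0.0.1 keeps the service reachable only through the tunnel.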


Background

Cloudflare offers Argo Tunnel, which lets you establish outbound connections (Tunnels) between your web server and the Cloudflare edge. For this you need the cloudflared daemon. The installation is quite straightforward, but installing it on many servers is best done with Ansible or a similar tool.
