papanito.cloudflared
Posted February 23, 2021 by Adrian Wyssmann
Source
https://github.com/papanito/ansible-role-cloudflared
Role Summary
This Ansible role downloads and installs cloudflared on the host and optionally installs the argo-tunnel as a service.
The role is built so that you can install multiple services in parallel: simply run the role several times with different values for the parameters service, hostname and url.
The role performs the following steps:
- Download and install the binary according to downloads
- Install/configure the daemon - see Authenticate the daemon
- Create a config file per service in /etc/cloudflare
  The file is named {{ tunnel }}.yml and contains the following minimal configuration:

      hostname: {{ hostname }}
      url: {{ url }}
      logfile: /var/log/cloudflared_{{ tunnel }}.log

  Additional parameters are configured via Cloudflare parameters
- Create a systemd-unit-template [email protected]{{ tunnel }}.service and start an instance for each service in the list of tunnels

      cloudflared tunnel --config {{ tunnel }}.yml
Authenticate the daemon
According to authenticate-the-cloudflare-daemon, authenticating the daemon opens a browser window or, if this is not possible, the link has to be entered manually. During this time the daemon waits. I could not come up with a way to automate this behavior, so I came up with the following implementation.
- If nothing is specified, Ansible calls cloudflared login and continues when the authentication is done. This makes sense if you use the role to install the daemon locally on your machine, where you have a browser window.
- If cert_location is defined, the certificate is copied from cert_location, or if cert_content is defined, the certificate is created directly from the value stored in it. So you could log in once to Cloudflare from your master node (where you run Ansible) or from a remote location. You can encrypt the cert.pem with Ansible Vault and store it somewhere safe.
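A check to run before committing or distributing the certificate inputs, as an added example that is not part of the role: it flags any .pem file or inline cert_content value that is not Ansible Vault encrypted. The names audit, is_vault_encrypted and PLAIN_CERT_VAR and the scanned directory layout are assumptions for illustration, and a {{ ... }} value is assumed to reference a variable kept in a vaulted file.

```python
import re
import sys
from pathlib import Path

# First line that ansible-vault writes to an encrypted file
# (format 1.1, or 1.2 with a vault-id label).
VAULT_HEADER = re.compile(rb"\$ANSIBLE_VAULT;1\.[12];AES256(;[^\r\n]+)?\r?\n")
# Inline cert_content: "!vault" values and "{{ ... }}" references are accepted
# (assumption: the reference points at a vaulted variable); any other
# non-empty value is treated as plaintext.
PLAIN_CERT_VAR = re.compile(r"""[\s-]*cert_content\s*:\s*(?!!vault\b|["']?\{\{)\S""")


def is_vault_encrypted(data: bytes) -> bool:
    """True if the data starts with an ansible-vault header line."""
    return VAULT_HEADER.match(data) is not None


def audit(root):
    """Return (location, problem) pairs for unencrypted certificate material."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix not in (".pem", ".yml", ".yaml"):
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if is_vault_encrypted(data):
            continue  # the whole file is encrypted, nothing to flag
        if path.suffix == ".pem":
            findings.append((rel, "certificate file is not vault-encrypted"))
            continue
        text = data.decode("utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), start=1):
            if PLAIN_CERT_VAR.match(line):
                findings.append((f"{rel}:{number}", "cert_content is plaintext"))
    return findings


if __name__ == "__main__":
    # Usage: python check_cert_vault.py <inventory-or-playbook-dir>
    problems = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for location, problem in problems:
        print(f"{location}: {problem}")
    sys.exit(1 if problems else 0)
```

The non-zero exit status makes it usable as a pre-commit hook or CI step.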
References:
- downloads - cloudflared download instructions
- ssh-guide - ssh connections with cloudflared
- cli-args - command-line arguments
Background
Cloudflare offers Argo Tunnel, which allows you to establish outbound connections (Tunnels) between your web server and the Cloudflare edge. For this, you need the cloudflared daemon. The installation is quite straightforward, but installing it on various servers is best done with Ansible or any suitable tool.