Cloudflare tunnels

Today I learned about Cloudflare Tunnels, which I am now using to manage the network for this blog and my Nextcloud instance.

I had actually considered using it earlier, but the documentation and product description are so abhorrent that it was easier for me to write a Terraform script and systemd service that would provision an EC2 instance and use it as an SSH jump host.

I hate it with a passion when companies insist on only describing what their products are supposedly good for, rather than explaining what they actually are or do. (Prime offender: OS-integrated network file sharing. “Share this folder on the network” means absolutely nothing unless you also tell me what protocol it's using and which clients are available on different platforms.)

But for some reason (I think https://lemmy.world/post/21778874 was what sparked it, even though the post itself is only tangentially related, or maybe it was that my monthly AWS bill had ballooned to a whopping €5.50. Always was a miser.) I started reconsidering my tunneling infrastructure.

I shall try not to get started ranting about why this is necessary in the first place... something something CG-NAT... something something IPv6... something something running for office...

So I started looking, and rediscovered ngrok. Only to find that the base offering is at $18/month just to not have the tunnel endpoint change with every restart, which in comparison made my home-rolled EC2 setup look like a bargain.

Then I revisited Cloudflare and took the time to learn what it is that they actually do.

So it turns out that, for my intents and purposes, what Cloudflare does (and the tunnels specifically) is:

There is a bit of kit needed to get this working, and I won't detail it all. I'll just mention that I had to do quite a bit of debugging and fiddling, even to figure out when I had in fact arrived at a working configuration.

The NixOS wiki page shows reasonably nicely how to enable cloudflared.
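For reference, here is what a minimal NixOS cloudflared tunnel looks like. This is an added example, not the configuration from this post or from the NixOS wiki; the tunnel UUID placeholder, the hostnames `blog.example.com` and `cloud.example.com`, the backend ports and the credentials path are all assumptions. The shape of the `services.cloudflared` module (`tunnels.<name>`, `credentialsFile`, `ingress`, `default`) is the one in nixpkgs. The point worth seeing is that cloudflared makes an outbound connection to Cloudflare's edge, so nothing has to be reachable inbound (the CG-NAT problem above), and that the ingress rules plus the catch-all decide which hostnames reach which local service.

```nix
# Added example (not the post's own config). The tunnel ID, hostnames,
# ports and credentials path below are placeholders/assumptions.
{ config, pkgs, ... }:

{
  services.cloudflared = {
    enable = true;
    tunnels = {
      # Key is the tunnel ID handed out by `cloudflared tunnel create`.
      "00000000-0000-0000-0000-000000000000" = {
        # Keep this file OUT of the Nix store: /nix/store is world-readable,
        # and whoever holds the credentials JSON can run the tunnel as you.
        credentialsFile = "/var/lib/cloudflared/tunnel.json";

        # Only these hostnames are routed to local services. Everything the
        # edge accepts for this tunnel is matched top to bottom.
        ingress = {
          "blog.example.com" = "http://localhost:8080";
          "cloud.example.com" = "http://localhost:8443";
        };

        # Mandatory catch-all: an unknown Host header gets a 404 at the
        # connector instead of being forwarded to some backend by accident.
        default = "http_status:404";
      };
    };
  };
}
```

The credentials file is minted once with `cloudflared tunnel create <name>` on a machine you trust and copied to the host with restrictive permissions; it is the only secret involved, so it is the one thing to keep out of the declarative config. Note also that Cloudflare terminates TLS at its edge for these hostnames, so the plaintext of your traffic is visible to Cloudflare, which is the trade-off you accept for not exposing an IP.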

What took a bit more digging was:

All-together: