Cloudflare zero trust

Terraform-managed tunnel for the homelab, kept zero trust by default.

Every ingress rule lives in code: Cloudflare Access at the edge, `cloudflared` inside the network, and a safety net 404 for unknown subdomains. This is the live blueprint behind the lab.

Ingress rules: 0. Terraform-managed hosts via cloudflared.
Operational: 0/0. Zero Trust checks at the edge.
Last rollout: just now. Terraform apply from GitHub Actions.
Tunnel jobs: 0 jobs. cloudflared + cron flows in motion.

Service control center

The ingress map for the Zero Trust perimeter. Filter by focus to surface the tunnelled services you need right now.

Terraform blueprint

The ingress map below is generated from a single `cloudflare_zero_trust_tunnel_cloudflared_config` resource. The catch-all rule returns 404s for unknown hosts, keeping the perimeter predictable.

Resource: `cloudflare_zero_trust_tunnel_cloudflared_config`

Catch-all 404 ready

Tunnel: 45d4cf36-1b6e-4b88-ad13-24de351681a2. toom.homelab with warp routing enabled.

Account: variable("account_id"). Passed in via Terraform secrets.

Ingress map: 11 hosts + catch-all. Origin requests pinned with keep-alives and tuned timeouts.
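
A sketch of what such a resource can look like, added here as an example and not taken from the lab's own repository. It assumes the v4 Cloudflare provider's block syntax (the page does not state a provider version); the hostnames, origin addresses, timeout values and `var.tunnel_id` are constructed placeholders.

```hcl
variable "account_id" {
  type      = string
  sensitive = true # supplied from CI secrets, never committed
}

variable "tunnel_id" { # hypothetical variable; the page shows the ID as a literal
  type = string
}

resource "cloudflare_zero_trust_tunnel_cloudflared_config" "homelab" {
  account_id = var.account_id
  tunnel_id  = var.tunnel_id

  config {
    warp_routing {
      enabled = true
    }

    # Defaults applied to every origin unless a rule overrides them.
    # Values are constructed for illustration.
    origin_request {
      connect_timeout        = "10s"
      tcp_keep_alive         = "30s"
      keep_alive_connections = 100
      keep_alive_timeout     = "1m30s"
    }

    # One ingress_rule per published hostname (constructed hosts).
    ingress_rule {
      hostname = "app.example.com"
      service  = "http://10.0.0.10:8080"
    }

    ingress_rule {
      hostname = "git.example.com"
      service  = "https://10.0.0.11:3000"
      origin_request {
        no_tls_verify = false # keep origin certificate validation on
      }
    }

    # Catch-all: no hostname, listed last. Any host not named above
    # gets a 404 from cloudflared and never reaches an origin.
    ingress_rule {
      service = "http_status:404"
    }
  }
}
```

Rules are matched top to bottom, so the hostname-less `http_status:404` rule has to stay last; a hostname that resolves to the tunnel but has no rule of its own falls through to it.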

Realtime logbook

Highlights from the last apply window. Tunnel changes, Access enforcement, and service rollouts land here for an at-a-glance pulse check.