hayeah/cloudflare-tunnel
skills/cloudflare-tunnel/SKILL.md
Manage Cloudflare Tunnel ingress rules and DNS records via CLI. Use when the user wants to expose a local service to the internet through a Cloudflare Tunnel.
tools
Updated Apr 21, 2026
$ install --global
skillsauthnpx skillsauth add hayeah/dotfiles cloudflare-tunnelInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 21, 2026, 7:27 AM49.4s9 files scanned
SKILL.md
- name:
- cloudflare-tunnel
- description:
- Manage Cloudflare Tunnel ingress rules and DNS records via CLI. Use when the user wants to expose a local service to the internet through a Cloudflare Tunnel.
cloudflare-tunnel
CLI for managing Cloudflare Tunnel ingress rules and DNS records. One tunnel per machine, ingress rules synced from devportv3 config.
Model
- One remotely-managed tunnel per machine, named after
$(hostname) cloudflaredconnector is run via devport (configured indevport.toml, not by this tool)- Ingress rules are synced from
devport ingressoutput — devport.toml is the source of truth - Each hostname gets a proxied CNAME record pointing to
<tunnel_id>.cfargotunnel.com - cloudflared polls for config changes from Cloudflare's edge — no restart needed after sync
Prerequisites
CLOUDFLARE_API_TOKENin~/.env.secret- Required permissions: Account: Cloudflare Tunnel (Edit), Zone: DNS (Edit)
cloudflaredinstalled via mise- Domain already on Cloudflare
Install
cd skills/cloudflare-tunnel
uv tool install -e .
Usage
All commands require CLOUDFLARE_API_TOKEN. Use godotenv to load it:
# First time: create tunnel and save config (prints token)
godotenv -f ~/.env.secret cloudflare-tunnel setup
# Sync ingress rules from devport config
devport ingress | godotenv -f ~/.env.secret cloudflare-tunnel sync
# List current tunnel mappings (JSON output)
godotenv -f ~/.env.secret cloudflare-tunnel ls
# Tear down everything: tunnel, DNS records, and local config
godotenv -f ~/.env.secret cloudflare-tunnel teardown
Running cloudflared
cloudflared is run independently via devport. Add to devport.toml:
[service.cloudflared]
cwd = "~"
command = ["cloudflared", "tunnel", "--no-autoupdate", "run", "--token", "${CLOUDFLARE_TUNNEL_TOKEN}"]
no_port = true
env_files = ["~/.env.secret"]
[service.cloudflared.health]
type = "process"
The token is saved in ~/.cloudflare-tunnel.json after setup. Add CLOUDFLARE_TUNNEL_TOKEN to ~/.env.secret.
Commands
setup
Idempotent. Creates a remotely-managed tunnel named after the hostname, initializes empty ingress, fetches and caches the connector token in ~/.cloudflare-tunnel.json. Safe to re-run.
sync
Reads the full ingress JSON from stdin (output of devport ingress) and:
- Replaces the tunnel's ingress rules with the desired set
- Ensures CNAME records exist for all hostnames
- Removes CNAME records for hostnames no longer in the config
ls
Fetch and display current ingress rules from Cloudflare (excludes the catch-all). Output is JSON.
teardown
Deletes all DNS records for ingress hostnames, deletes the tunnel, and removes ~/.cloudflare-tunnel.json. Prompts for confirmation.
Local State
~/.cloudflare-tunnel.json stores tunnel identity and token:
{
"tunnel_id": "<uuid>",
"tunnel_name": "<hostname>",
"account_id": "<account-id>",
"tunnel_token": "<base64-token>"
}
Quirks and Gotchas
- Ingress updates are full PUT: every sync fetches the full config, replaces it, and PUTs it back. Safe for single-operator use but not concurrent
- Zone matching: zone ID is resolved by matching the longest suffix of the FQDN against
cf.zones.list() - cloudflared polls config: remotely-managed tunnels pick up ingress changes from Cloudflare's edge automatically
Project Structure
skills/cloudflare-tunnel/
SKILL.md -> README.md
docs/DESIGN.md
pyproject.toml
examples/now/ # example time server
src/cloudflare_tunnel/
__init__.py
main.py # typer CLI entrypoint
config.py # load/save ~/.cloudflare-tunnel.json
tunnel.py # Cloudflare API operations (tunnel CRUD, ingress, DNS)
Related Skills
hayeah/webui
tools
VerifiedTrustedCommunity
Web UI development — Vite+ toolchain setup and browser-based E2E testing workflow.
SKILL.mdUpdated Apr 24, 2026
hayeah/typescript
tools
VerifiedTrustedCommunity
Tooling and style guide for TypeScript projects.
SKILL.mdUpdated Apr 24, 2026
hayeah/tmuxcap
development
VerifiedTrustedCommunity
Capture tmux pane content and export as text, HTML, SVG, PNG, or JPG. Use when you need a screenshot or text dump of a tmux pane for sharing, feeding to AI, or archiving terminal state.
SKILL.mdUpdated Apr 24, 2026
hayeah/text-copyedit
testing
VerifiedTrustedCommunity
Copy-edit text. Fix grammar and/or tidy text into a concise listicle.
SKILL.mdUpdated Apr 24, 2026