Sankofa/cloudflare
defiQUG 6f28146ac3 Initial Phoenix Sankofa Cloud setup
- Complete project structure with Next.js frontend
- GraphQL API backend with Apollo Server
- Portal application with NextAuth
- Crossplane Proxmox provider
- GitOps configurations
- CI/CD pipelines
- Testing infrastructure (Vitest, Jest, Go tests)
- Error handling and monitoring
- Security hardening
- UI component library
- Documentation
2025-11-28 12:54:33 -08:00

Cloudflare Zero Trust Configuration

This directory contains all Cloudflare Zero Trust configurations for secure global access to the hybrid cloud control plane.

Structure

cloudflare/
├── access-policies.yaml      # Access policies for applications
├── tunnel-configs/           # Per-site tunnel configurations
├── gateway-policies.yaml     # DNS and filtering policies
├── warp-config.json          # WARP device enrollment
└── terraform/                # Terraform modules for Cloudflare

Components

Access Policies

Define who can reach which Access application. Rules combine:

  • User identity and group membership from Keycloak, federated into Zero Trust as an OIDC identity provider
  • Device posture (reported by the WARP client)
  • Source IP ranges
  • MFA (the auth_method rule, satisfied by the identity provider)
  • Time-based rules

Tunnels

Outbound-only connections from Proxmox sites and control plane to Cloudflare:

  • No public IPs required
  • Automatic reconnection
  • Load balancing across multiple tunnels
  • Health checks

Gateway Policies

DNS filtering and network security:

  • Block malicious domains
  • Log DNS queries
  • Apply policies based on user/device
  • Split DNS for internal services

WARP

Device-level VPN for employees:

  • Zero Trust network access
  • Device posture checks
  • Automatic enrollment

Usage

Apply Access Policies

# cloudflared does not manage Access policies; apply access-policies.yaml
# through the Cloudflare dashboard or the Access API
# (POST /accounts/{account_id}/access/apps/{app_id}/policies)

# Or via Terraform
cd terraform
terraform apply
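The API path, as an added example that is not code from the Sankofa repository: a POSIX shell script that builds the JSON body for one Access policy covering the rule types listed under Access Policies above (identity group from the Keycloak IdP, MFA, device posture, source IP), builds a second, non-identity policy for a service token, and posts them to the Cloudflare Access API. The environment variable names, the group/IdP/posture/token IDs and the CIDR are placeholders chosen for the example, not values from the project.

```shell
#!/bin/sh
# Added example, not code from the Sankofa repo. Creates Access policies for
# one application through the Cloudflare Access API (cloudflared has no
# command for this). Placeholders (assumed, not real):
#   CF_API_TOKEN    API token scoped to Access: Apps and Policies: Edit
#   CF_ACCOUNT_ID   Zero Trust account ID
#   CF_APP_ID       Access application ID of the control-plane app
set -eu

# Body for a user-facing policy. "include" lists who may match; every entry
# in "require" must also hold. Each rule type here is an Access rule type:
# group, login_method (identity provider), auth_method (mfa), device_posture, ip.
user_policy_json() {
  name=$1 group_id=$2 idp_id=$3 posture_uid=$4 allowed_cidr=$5
  cat <<EOF
{
  "name": "${name}",
  "decision": "allow",
  "precedence": 1,
  "include": [ { "group": { "id": "${group_id}" } } ],
  "require": [
    { "login_method": { "id": "${idp_id}" } },
    { "auth_method": { "auth_method": "mfa" } },
    { "device_posture": { "integration_uid": "${posture_uid}" } },
    { "ip": { "ip": "${allowed_cidr}" } }
  ],
  "exclude": []
}
EOF
}

# Body for machine access (CI runners, GitOps agents): a service token matched
# with decision non_identity, so no user login or MFA prompt is involved.
service_token_policy_json() {
  name=$1 token_id=$2
  cat <<EOF
{
  "name": "${name}",
  "decision": "non_identity",
  "precedence": 2,
  "include": [ { "service_token": { "token_id": "${token_id}" } } ],
  "require": [],
  "exclude": []
}
EOF
}

# POST a policy body to the application's policies endpoint.
# Needs network access and real IDs; the API token comes from the environment.
apply_access_policy() {
  body=$1
  curl -fsS -X POST \
    "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/access/apps/${CF_APP_ID}/policies" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "${body}"
}

# Usage (all IDs are placeholders):
#   apply_access_policy "$(user_policy_json 'Platform admins' "$ADMIN_GROUP_ID" \
#       "$KEYCLOAK_IDP_ID" "$POSTURE_UID" 203.0.113.0/24)"
#   apply_access_policy "$(service_token_policy_json 'CI runner' "$CI_TOKEN_ID")"
```

The split between "include" and "require" is the point to get right: a group in "include" only says who is allowed to try, while the MFA, IdP, posture and IP rules in "require" must all hold for every matched user. Machine clients get their own non_identity policy with a service token rather than sharing the user policy.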

Deploy Tunnels

  1. Create the tunnel: in the Cloudflare dashboard (remotely managed) or with cloudflared tunnel create on the site (locally managed, which writes a credentials JSON file)
  2. For a remotely managed tunnel, copy the tunnel token into the site's secret store and pass it to cloudflared through the TUNNEL_TOKEN environment variable or --token; ingress rules for this mode are defined in the dashboard
  3. For a locally managed tunnel, point tunnel-configs/site-1.yaml at the credentials file and define the ingress rules there; never paste a token into a config file that is committed to the repo
  4. Deploy the cloudflared agent with the config (--config is a flag of the tunnel subcommand and goes before run):
cloudflared tunnel --config tunnel-configs/site-1.yaml run
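The per-site deployment, as an added example that is not the repository's own tunnel-configs/: a POSIX shell script that renders a locally managed tunnel config for one Proxmox site, checks offline that the ingress list ends with the catch-all rule cloudflared insists on, and starts the connector in whichever of the two modes (token from the environment, or config file) applies. The tunnel UUID, credentials path, example.internal hostnames and origin ports are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not the repo's tunnel-configs/. Renders a locally managed
# tunnel config for one Proxmox site, checks it offline, and starts
# cloudflared in whichever of the two modes applies. Assumed placeholders:
# the tunnel UUID, the credentials path and the example.internal hostnames.
set -eu

# Ingress config for one site. The secret is referenced by file path; a
# remotely managed tunnel's token never goes into this file (see run_tunnel).
render_tunnel_config() {
  tunnel_id=$1 creds=$2 site=$3
  cat <<EOF
tunnel: ${tunnel_id}
credentials-file: ${creds}
# local metrics endpoint; /ready on it is the health check
metrics: 127.0.0.1:2000
ingress:
  - hostname: proxmox-${site}.example.internal
    service: https://127.0.0.1:8006
    originRequest:
      # Proxmox ships a self-signed certificate; replace it before production
      noTLSVerify: true
  - hostname: api-${site}.example.internal
    service: http://127.0.0.1:4000
  # mandatory catch-all: cloudflared refuses an ingress list without one
  - service: http_status:404
EOF
}

# Offline check of the rule cloudflared always enforces: the last ingress
# entry must be a catch-all with no hostname. Returns 0 when it is present.
has_catch_all() {
  printf '%s\n' "$1" | tail -n 1 | grep -q '^  - service: http_status:'
}

# Start the connector. A remotely managed tunnel takes its token from the
# TUNNEL_TOKEN environment variable and its ingress from the dashboard; a
# locally managed one takes --config, which is validated first.
run_tunnel() {
  cfg=$1
  if [ -n "${TUNNEL_TOKEN:-}" ]; then
    exec cloudflared tunnel run
  fi
  cloudflared tunnel --config "$cfg" ingress validate
  exec cloudflared tunnel --config "$cfg" run
}

# Usage:
#   render_tunnel_config <tunnel-uuid> /etc/cloudflared/site-1.json site-1 \
#       > tunnel-configs/site-1.yaml
#   run_tunnel tunnel-configs/site-1.yaml
```

For a persistent connector, cloudflared service install turns the same configuration into a systemd unit (it reads /etc/cloudflared/config.yml for a locally managed tunnel, or takes the token as its argument for a remotely managed one). Running has_catch_all in CI catches the one config error that otherwise only surfaces when the agent refuses to start on the host.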

Configure WARP

  1. In the Zero Trust dashboard, set device enrollment permissions (which Keycloak users or groups may enroll) and a WARP client settings profile
  2. Update warp-config.json with the team name and enrollment details
  3. Distribute the config to devices through the MDM tooling, so WARP enrolls without user interaction

Security Best Practices

  • Use Access service tokens for machine-to-machine access (CI, GitOps agents) and scope Cloudflare API tokens to the minimum permissions they need
  • Rotate tunnel tokens and service tokens regularly, and keep them in a secrets manager rather than in config files
  • Require MFA (the auth_method: mfa rule) in every Access policy that admits users
  • Use device posture checks so only managed, healthy devices reach the control plane
  • Log all access attempts (Access and Gateway logs) and retain them for review
  • Review policies quarterly