# Deployment Checklist

Complete checklist for deploying the Cloudflare multi-tunnel setup.

## Pre-Deployment

### Prerequisites Verification

- [ ] Run: `./scripts/verify-prerequisites.sh`
- [ ] All automated checks pass
- [ ] VMID 102 is accessible and running
- [ ] Network connectivity verified

### Cloudflare Account Setup

- [ ] Cloudflare account created
- [ ] Zero Trust enabled (free for up to 50 users)
- [ ] Domain `d-bis.org` added to Cloudflare
- [ ] DNS management verified

## Step 1: Create Tunnels in Cloudflare

- [ ] Go to: https://one.dash.cloudflare.com
- [ ] Navigate to: Zero Trust → Networks → Tunnels
- [ ] Create tunnel: `tunnel-ml110`
  - [ ] Copy tunnel token/ID
  - [ ] Save credentials securely
- [ ] Create tunnel: `tunnel-r630-01`
  - [ ] Copy tunnel token/ID
  - [ ] Save credentials securely
- [ ] Create tunnel: `tunnel-r630-02`
  - [ ] Copy tunnel token/ID
  - [ ] Save credentials securely

## Step 2: Configure Tunnel Public Hostnames

For each tunnel in Cloudflare Dashboard:

### tunnel-ml110

- [ ] Click "Configure"
- [ ] Go to "Public Hostnames" tab
- [ ] Add hostname:
  - [ ] Subdomain: `ml110-01`
  - [ ] Domain: `d-bis.org`
  - [ ] Service: `https://192.168.11.10:8006`
  - [ ] Type: HTTP
- [ ] Save

### tunnel-r630-01

- [ ] Click "Configure"
- [ ] Go to "Public Hostnames" tab
- [ ] Add hostname:
  - [ ] Subdomain: `r630-01`
  - [ ] Domain: `d-bis.org`
  - [ ] Service: `https://192.168.11.11:8006`
  - [ ] Type: HTTP
- [ ] Save

### tunnel-r630-02

- [ ] Click "Configure"
- [ ] Go to "Public Hostnames" tab
- [ ] Add hostname:
  - [ ] Subdomain: `r630-02`
  - [ ] Domain: `d-bis.org`
  - [ ] Service: `https://192.168.11.12:8006`
  - [ ] Type: HTTP
- [ ] Save

## Step 3: Run Setup Script

- [ ] Navigate to: `scripts/cloudflare-tunnels`
- [ ] Run: `./scripts/setup-multi-tunnel.sh`
- [ ] Enter tunnel IDs when prompted
- [ ] Provide credentials file paths
- [ ] Verify all services installed

## Step 4: Update Configuration Files

- [ ] Edit `/etc/cloudflared/tunnel-ml110.yml`
  - [ ] Replace the tunnel ID placeholder with the actual tunnel ID
- [ ] Edit `/etc/cloudflared/tunnel-r630-01.yml`
  - [ ] Replace the tunnel ID placeholder with the actual tunnel ID
- [ ] Edit `/etc/cloudflared/tunnel-r630-02.yml`
  - [ ] Replace the tunnel ID placeholder with the actual tunnel ID

## Step 5: Place Credentials Files

- [ ] Copy `tunnel-ml110.json` to `/etc/cloudflared/`
- [ ] Copy `tunnel-r630-01.json` to `/etc/cloudflared/`
- [ ] Copy `tunnel-r630-02.json` to `/etc/cloudflared/`
- [ ] Set permissions: `chmod 600 /etc/cloudflared/tunnel-*.json`

## Step 6: Create DNS Records

In Cloudflare Dashboard → DNS → Records:

- [ ] Create CNAME: `ml110-01` → `.cfargotunnel.com`
  - [ ] Proxy: Enabled (orange cloud)
  - [ ] TTL: Auto
- [ ] Create CNAME: `r630-01` → `.cfargotunnel.com`
  - [ ] Proxy: Enabled (orange cloud)
  - [ ] TTL: Auto
- [ ] Create CNAME: `r630-02` → `.cfargotunnel.com`
  - [ ] Proxy: Enabled (orange cloud)
  - [ ] TTL: Auto

## Step 7: Start Services

- [ ] Start ml110 tunnel: `systemctl start cloudflared-ml110`
- [ ] Start r630-01 tunnel: `systemctl start cloudflared-r630-01`
- [ ] Start r630-02 tunnel: `systemctl start cloudflared-r630-02`
- [ ] Enable on boot: `systemctl enable cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02`

## Step 8: Verify Services

- [ ] Check status: `systemctl status 'cloudflared-*'`
- [ ] All services show "active (running)"
- [ ] Run health check: `./scripts/check-tunnel-health.sh`
- [ ] All checks pass

## Step 9: Test DNS Resolution

- [ ] `dig ml110-01.d-bis.org` - Resolves to Cloudflare IPs
- [ ] `dig r630-01.d-bis.org` - Resolves to Cloudflare IPs
- [ ] `dig r630-02.d-bis.org` - Resolves to Cloudflare IPs

## Step 10: Test HTTPS Access

- [ ] `curl -I https://ml110-01.d-bis.org` - Returns 200/302/401/403
- [ ] `curl -I https://r630-01.d-bis.org` - Returns 200/302/401/403
- [ ] `curl -I https://r630-02.d-bis.org` - Returns 200/302/401/403

## Step 11: Configure Cloudflare Access

Follow: `docs/CLOUDFLARE_ACCESS_SETUP.md`

### For ml110-01

- [ ] Create application: `Proxmox ml110-01`
  - [ ] Domain: `ml110-01.d-bis.org`
- [ ] Configure policy with MFA
- [ ] Test access in browser

### For r630-01

- [ ] Create application: `Proxmox r630-01`
  - [ ] Domain: `r630-01.d-bis.org`
- [ ] Configure policy with MFA
- [ ] Test access in browser

### For r630-02

- [ ] Create application: `Proxmox r630-02`
  - [ ] Domain: `r630-02.d-bis.org`
- [ ] Configure policy with MFA
- [ ] Test access in browser

## Step 12: Set Up Monitoring

- [ ] Configure alerting: Edit `monitoring/alerting.conf`
- [ ] Set email/webhook addresses
- [ ] Test alerts: `./scripts/alert-tunnel-failure.sh ml110 service_down`
- [ ] Start monitoring: `./scripts/monitor-tunnels.sh --daemon`
- [ ] Verify monitoring is running: `pgrep -af monitor-tunnels`

## Step 13: Final Verification

- [ ] All three Proxmox hosts accessible via browser
- [ ] Cloudflare Access login appears
- [ ] Can log in and access Proxmox UI
- [ ] All tunnels show "Healthy" in Cloudflare dashboard
- [ ] Monitoring is running
- [ ] Alerts configured and tested

## Post-Deployment

### Documentation

- [ ] Review all documentation
- [ ] Bookmark troubleshooting guide
- [ ] Save tunnel credentials securely
- [ ] Document any custom configurations

### Maintenance

- [ ] Schedule regular health checks
- [ ] Review access logs monthly
- [ ] Update documentation as needed
- [ ] Test disaster recovery procedures

## Troubleshooting

If any step fails:

1. Check [TROUBLESHOOTING.md](docs/TROUBLESHOOTING.md)
2. Run health check: `./scripts/check-tunnel-health.sh`
3. Review logs: `journalctl -u 'cloudflared-*' -f`
4. Verify Cloudflare dashboard tunnel status

## Quick Reference

### Service Management

```bash
# Start all tunnels
systemctl start cloudflared-ml110 cloudflared-r630-01 cloudflared-r630-02

# Check status (quote the pattern so the shell does not expand it)
systemctl status 'cloudflared-*'

# View logs
journalctl -u 'cloudflared-*' -f
```

### Health Checks

```bash
# One-time check
./scripts/check-tunnel-health.sh

# Continuous monitoring
./scripts/monitor-tunnels.sh --daemon
```

### URLs

- ml110-01: `https://ml110-01.d-bis.org`
- r630-01: `https://r630-01.d-bis.org`
- r630-02: `https://r630-02.d-bis.org`

---

**Status:** Ready for deployment

**Last Updated:** $(date)
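
Step 10 accepts 200/302/401/403 because Access is not configured yet; once Step 11 is done, an anonymous request should be redirected to the Access login rather than reach the Proxmox UI. The helpers below are an added example, not one of this repository's scripts: they check that, plus the credential-file mode from Step 5. Assumptions: GNU `stat`, a login redirect to a `*.cloudflareaccess.com` host, and constructed sample responses with a made-up team name.

```bash
#!/bin/sh
# Added example: post-deployment checks for Step 5 and Step 11.

# Succeeds only if DIR holds tunnel-*.json files and every one is mode 600.
# Prints each offending file.
cred_perms_ok() {
    dir=$1; bad=0; found=0
    for f in "$dir"/tunnel-*.json; do
        [ -e "$f" ] || continue
        found=1
        mode=$(stat -c '%a' "$f")    # GNU stat (assumption: Linux host)
        if [ "$mode" != "600" ]; then
            echo "$f: mode $mode, expected 600"
            bad=1
        fi
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Reads `curl -sI` output on stdin. Succeeds only if the response is a 302
# whose Location points at a cloudflareaccess.com login host (assumption:
# the usual Access redirect for unauthenticated requests).
access_enforced() {
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    [ "$status" = "302" ] || return 1
    printf '%s\n' "$location" |
        grep -Eq '^https://[a-z0-9-]+\.cloudflareaccess\.com/'
}

# Constructed sample responses (not captured from a real deployment).
sample_protected() {
    printf 'HTTP/2 302\r\nlocation: https://example-team.cloudflareaccess.com/cdn-cgi/access/login/ml110-01.d-bis.org\r\n\r\n'
}
sample_exposed() {
    printf 'HTTP/2 200\r\ncontent-type: text/html\r\n\r\n'
}

# Live usage after Step 11:
#   curl -sI https://ml110-01.d-bis.org | access_enforced || echo "NOT behind Access"
#   cred_perms_ok /etc/cloudflared || echo "fix credential permissions"
```

A 200 from any of the three hostnames after Step 11 means the Proxmox login page is reachable without passing through Access.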