This role puts your server behind Cloudflare. Two options are supported:

- HTTPS traffic is allowed in the new `cloudflare` zone in firewalld, which is restricted to Cloudflare's servers as described on their IP Ranges page.
- Cloudflare Tunnel is installed on the server with the token provided. In this case, you need to configure your tunnel in the Cloudflare dashboard to select which services are allowed.

Name | Required | Example | Description |
---|---|---|---|
`mode` | yes | `https` | Either `https` or `tunnel`. In `https` mode, incoming HTTPS traffic is only allowed from CF IP addresses. In `tunnel` mode, you must ensure the node does not have public IP addresses at all. In this case, HTTPS traffic goes through CF Tunnel, while others like SSH must be set up using CF WARP. |
`token` | no | `foo123` | Cloudflare token. Mandatory in `tunnel` mode, ignored otherwise. |
`family` | no | `ipv6` | Tunnel address family. Possible values are `ipv4`, `ipv6`, `auto`. Defaults to `auto`. If you're using IPv6, you're advised to set it explicitly to `ipv6`, otherwise the connection will likely fail. |

```yaml
- include_role:
    name: noobient.cloudflare
  vars:
    mode: tunnel
    token: foo123
    family: ipv6
```
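
A drift check for `https` mode, added here as an example and not part of the role: it compares the sources of the `cloudflare` firewalld zone with Cloudflare's published ranges and reports entries that widen or narrow the allow-list. It assumes the zone lists plain CIDR sources (as printed by `firewall-cmd --zone=cloudflare --list-sources`) and that the published list is one CIDR per line; `audit_zone` and all sample values are constructed.

```python
import ipaddress

def split_sources(text):
    """Split firewalld zone sources into CIDR networks and other tokens."""
    nets, other = set(), []
    for tok in text.split():
        try:
            nets.add(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            other.append(tok)  # firewalld also accepts MAC and ipset:NAME sources
    return nets, other

def covered(net, pool):
    """True if net lies entirely inside some network of the same family in pool."""
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def audit_zone(zone_sources, published):
    """Return (unexpected, missing) as lists of strings.

    unexpected: zone sources not contained in any published range; these
                let non-Cloudflare hosts reach the HTTPS port.
    missing:    published ranges not fully allowed by the zone; traffic
                from them is dropped.
    """
    zone, other = split_sources(zone_sources)
    # A malformed published list should fail loudly, so parse it strictly.
    allowed = {ipaddress.ip_network(t, strict=True) for t in published.split()}
    unexpected = sorted(str(n) for n in zone if not covered(n, allowed))
    missing = sorted(str(n) for n in allowed if not covered(n, zone))
    return unexpected + other, missing

# Constructed sample data (documentation ranges, not real Cloudflare ranges).
SAMPLE_PUBLISHED = "198.51.100.0/24\n203.0.113.0/24\n2001:db8:100::/48\n"
SAMPLE_ZONE = ("198.51.100.0/24 203.0.113.0/25 192.0.2.0/24 "
               "2001:db8:100::/48 ipset:legacy")

if __name__ == "__main__":
    unexpected, missing = audit_zone(SAMPLE_ZONE, SAMPLE_PUBLISHED)
    print("unexpected sources:", unexpected)
    print("missing ranges:", missing)
```

Non-CIDR sources such as `ipset:NAME` are reported as unexpected because their contents cannot be checked from the source list alone.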
N/A
Platform | Support | Status |
---|---|---|
Linter | ✅ | |
AlmaLinux 8 | ✅ | |
AlmaLinux 9 | ✅ | |
Fedora 40 | ✅ | |
Fedora 41 | ✅ | |
Ubuntu 20.04 | ✅ | |
Ubuntu 22.04 | ✅ | |
Ubuntu 24.04 | ✅ | |