# Cloudflare Tunnel — external access connector — managed by felhom-controller (base-infra bring-up).
# Routes are configured in the Cloudflare dashboard (Zero Trust > Networks > Tunnels > Public Hostname);
# the tunnel connects Cloudflare's edge to Traefik, which handles TLS + routing internally.
services:
  cloudflared:
    image: {{.Image}}
    container_name: cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN={{.CFTunnelToken}}
    dns:
      - 1.1.1.1
      - 8.8.8.8
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-public

networks:
  traefik-public:
    external: true