Cloudflare Integration
Edge services binding the platform together.
Overview
Cloudflare provides the edge layer for all Pvdify services:
| Service | Purpose |
|---|---|
| DNS | Domain management for 49 zones |
| TLS | Edge certificates, origin encryption mode Full (strict) |
| Tunnels | Secure app ingress without public IPs |
| Pages | Static site hosting (Forge docs, Admin UI) |
| Access | Zero Trust authentication |
| WAF | Web application firewall |
Account Details
| Field | Value |
|---|---|
| Account | verious.smith@philoveracity.com |
| Account ID | 4c0e79c7e403fe6e8d616ecca5564ee9 |
| Zones | 49 |
CLI Tools
Three CLI tools are available on the VPS:
flarectl (cf)
DNS and zone management:
```bash
# List zones
cf zone list

# List DNS records
cf dns list --zone example.com

# Create A record
cf dns create --zone example.com \
  --type A --name @ \
  --content 199.167.200.52 \
  --proxy=true

# Create CNAME for tunnel
cf dns create --zone example.com \
  --type CNAME --name app \
  --content tunnel-id.cfargotunnel.com \
  --proxy=true
```
Wrangler (cfw)
Workers, Pages, R2, KV:
```bash
# List Pages projects
cfw pages project list

# Deploy static site
cfw pages deploy ./dist --project-name myproject

# Manage Workers
cfw deploy
cfw tail

# R2 storage
cfw r2 bucket list
```
cloudflared
Tunnel management:
```bash
# Create tunnel
cloudflared tunnel create pvdify-apps

# Configure tunnel (creates the CNAME to <tunnel-id>.cfargotunnel.com)
cloudflared tunnel route dns pvdify-apps app.example.com

# Run tunnel
cloudflared tunnel run pvdify-apps

# List tunnels
cloudflared tunnel list
```
Tunnel Architecture
Cloudflare Tunnels provide secure ingress for containerized apps:
```text
┌─────────────────────────────────────────────────────────────┐
│                          Internet                           │
└──────────────────────────────┬──────────────────────────────┘
                               │
┌──────────────────────────────▼──────────────────────────────┐
│                       Cloudflare Edge                       │
│                   (TLS termination, WAF)                    │
└──────────────────────────────┬──────────────────────────────┘
                               │ Tunnel (encrypted)
┌──────────────────────────────▼──────────────────────────────┐
│                         cloudflared                         │
│                      (running on VPS)                       │
└──────────────────────────────┬──────────────────────────────┘
                               │ localhost
        ┌──────────────────────┼──────────────────────┐
        ▼                      ▼                      ▼
   ┌─────────┐            ┌─────────┐            ┌─────────┐
   │  App 1  │            │  App 2  │            │  App 3  │
   │  :3001  │            │  :3002  │            │  :3003  │
   └─────────┘            └─────────┘            └─────────┘
```
Tunnel Configuration
Product-isolated tunnels:
| Tunnel | Purpose | Config File |
|---|---|---|
| pvdify | Pvdify control plane + apps | /etc/cloudflared/pvdify.yml |
| wirebot | Wirebot Chat AI partner | /etc/cloudflared/wirebot.yml |
```yaml
tunnel: <tunnel-id>
credentials-file: /root/.cloudflared/<tunnel-id>.json

ingress:
  - hostname: pvdify.win
    service: http://localhost:9443
  # Quoted: a bare leading "*" is a YAML alias marker and does not parse
  - hostname: "*.pvdify.win"
    service: http://localhost:9443
  - hostname: myapp.com
    service: http://localhost:3001
  - hostname: api.myapp.com
    service: http://localhost:3002
  # Rules match in order, first match wins; the last rule must be a catch-all
  - service: http_status:404
```
Pvdify Tunnel Integration
When a domain is added to an app:
- pvdifyd calls the Cloudflare API to create a proxied CNAME record pointing at the tunnel hostname
- pvdifyd adds an ingress rule for the new hostname to the cloudflared config, ahead of the catch-all rule
- cloudflared reloads its configuration
- Traffic routes through the tunnel to the app container
```bash
# Automated by pvdify domains:add
pvdify domains:add myapp newdomain.com

# Results in:
# 1. DNS:    newdomain.com CNAME → tunnel-id.cfargotunnel.com
# 2. Tunnel: hostname: newdomain.com → http://localhost:3001
```
Cloudflare Access
Zero Trust authentication for internal services:
Protected Services
| Service | Domain | Auth Method |
|---|---|---|
| Forge Docs | forge.philoveracity.com | Email OTP |
| Admin UI | pvdify.win | Email OTP |
| pvdifyd API | api.pvdify.win | Service Token |
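Access enforces the policy at the edge only. Every request that Access admits carries a signed JWT in the Cf-Access-Jwt-Assertion header (and the CF_Authorization cookie), and the origin has to verify it; otherwise anything that reaches the origin without passing through Access, for example a request to a proxied IP from the inventory below or to the localhost port on the VPS, is served unauthenticated. The signing keys are published at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs. The following is an added example, not pvdifyd or Cloudflare code: it verifies the assertion with the standard library only and exercises itself with a locally generated key. The team domain, the key id k1 and the AUD tag admin-aud are assumptions, since neither the team name nor the application AUD tags appear on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is one RSA key from https://<team>.cloudflareaccess.com/cdn-cgi/access/certs (team name
// assumed). Go's decoder matches the JSON keys kid/kty/n/e to these fields case-insensitively.
type JWK struct{ Kid, Kty, N, E string }

// Claims is the part of the Access assertion an origin must check: aud is the list of
// application AUD tags, iss is https://<team>.cloudflareaccess.com, exp is a unix time.
type Claims struct{ Aud []string; Email string; Exp int64; Iss string }

var enc = base64.RawURLEncoding

// decodePart base64url-decodes one JWT segment and unmarshals it into v.
func decodePart(seg string, v any) error {
	raw, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyAccessJWT validates a Cf-Access-Jwt-Assertion value: RS256 only (the token never picks
// the algorithm), key selected by kid, signature, issuer, expiry, and the application's AUD tag.
func VerifyAccessJWT(token string, keys []JWK, wantAud, wantIss string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodePart(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("refusing header with alg=%q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no JWKS key matches kid")
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("issuer or expiry check failed (iss=%q exp=%d)", c.Iss, c.Exp)
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return &c, nil
		}
	}
	return nil, errors.New("token was issued for a different Access application")
}

// Mint signs a token the way Access would, with a locally generated key, so the example runs
// offline. It is a helper for this page, not an Access feature.
func Mint(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]any{"aud": c.Aud, "email": c.Email, "exp": c.Exp, "iss": c.Iss})
	in := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	d := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return in + "." + enc.EncodeToString(sig)
}

// KeyToJWK publishes a public key in JWKS form so the verifier can find it by kid.
func KeyToJWK(pub *rsa.PublicKey, kid string) JWK {
	return JWK{Kid: kid, Kty: "RSA", N: enc.EncodeToString(pub.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss := "https://example-team.cloudflareaccess.com" // assumed team domain; the AUD tag below is assumed too
	tok := Mint(priv, "k1", Claims{Aud: []string{"admin-aud"}, Email: "admin@philoveracity.com", Exp: time.Now().Add(time.Hour).Unix(), Iss: iss})
	fmt.Println(VerifyAccessJWT(tok, []JWK{KeyToJWK(&priv.PublicKey, "k1")}, "admin-aud", iss, time.Now()))
}
```

In production the JWKS is fetched from the certs URL and cached (keys rotate), the AUD tag is read from the Access application, and the check runs before any handler in pvdifyd or the Admin UI origin; for api.pvdify.win, which uses a service token, the same assertion is issued and verified the same way. The alg check matters because a verifier that trusts the header can be driven to accept an unsigned or symmetrically signed token.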
Access Policies
```bash
# Create Access application
curl -X POST \
  "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
  -H "Authorization: Bearer $CF_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Pvdify Admin",
    "domain": "pvdify.win",
    "type": "self_hosted",
    "session_duration": "24h"
  }'

# Add email policy
curl -X POST \
  "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/$APP_ID/policies" \
  -H "Authorization: Bearer $CF_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Admin Access",
    "decision": "allow",
    "include": [{"email": {"email": "admin@philoveracity.com"}}]
  }'
```
Cloudflare Pages
Static site hosting:
Active Projects
| Project | Domain | Content |
|---|---|---|
| forge-philoveracity | forge.philoveracity.com | Forge docs (Starlight) |
| pvdify-admin | pvdify.win | Admin UI (SvelteKit) |
Deployment
```bash
# Build and deploy
npm run build
cfw pages deploy ./dist --project-name forge-philoveracity

# Or via GitHub integration (automatic)
git push origin main
```
API Integration
pvdifyd uses the Cloudflare API for:
| Operation | API Endpoint |
|---|---|
| Create DNS record | POST /zones/{zone_id}/dns_records |
| Update DNS record | PATCH /zones/{zone_id}/dns_records/{id} |
| Delete DNS record | DELETE /zones/{zone_id}/dns_records/{id} |
| Purge cache | POST /zones/{zone_id}/purge_cache |
Example: Add Domain
```go
// pvdifyd internal flow. App is the pvdifyd app record; it is assumed here
// to carry the container's host-side BindPort (the original sketch passed a
// string and could not compile).
func (s *Service) AddDomain(app *App, domain string) error {
	// 1. Get zone ID for domain (fails if the domain is not in one of our zones)
	zoneID, err := s.cf.GetZoneID(domain)
	if err != nil {
		return fmt.Errorf("zone lookup for %s: %w", domain, err)
	}

	// 2. Create CNAME record pointing to tunnel. Proxied must be true: an
	//    unproxied (grey-cloud) CNAME to cfargotunnel.com does not route.
	_, err = s.cf.CreateDNSRecord(zoneID, DNSRecord{
		Type:    "CNAME",
		Name:    domain,
		Content: s.tunnelHostname,
		Proxied: true,
	})
	if err != nil {
		return fmt.Errorf("create CNAME for %s: %w", domain, err)
	}

	// 3. Update tunnel config (new hostname rule ahead of the catch-all)
	if err := s.tunnel.AddIngress(domain, app.BindPort); err != nil {
		return fmt.Errorf("add ingress for %s: %w", domain, err)
	}

	// 4. Reload cloudflared
	return s.tunnel.Reload()
}
```
VPS IP Inventory
| IP | Assignment | Cloudflare Status |
|---|---|---|
| 199.167.200.52 | Main/Shared (WHM) | Proxied (orange cloud) |
| 199.167.201.52 | Available | - |
| 199.167.202.209 | Available | - |
| 199.167.203.234 | Available | - |
| 67.222.9.109 | thedream (dedicated) | Proxied |
One available IP will be dedicated to pvdify.win control plane.
Configuration Files
| File | Purpose |
|---|---|
| ~/.cloudflare/cloudflare.yaml | flarectl config |
| /etc/cloudflared/pvdify.yml | Pvdify tunnel config |
| /etc/cloudflared/wirebot.yml | Wirebot tunnel config |
| /root/.cloudflared/*.json | Tunnel credentials |
| /usr/local/bin/cf | flarectl wrapper |
| /usr/local/bin/cfw | wrangler wrapper |
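Step 3 of the AddDomain flow under API Integration (s.tunnel.AddIngress) is where /etc/cloudflared/pvdify.yml is rewritten, and that rewrite has two constraints that are easy to get wrong: cloudflared evaluates ingress rules in order and takes the first match, so a rule placed after the http_status:404 catch-all never fires, and a second rule for a hostname that is already routed silently loses to the first one. The code below is an added example, not pvdifyd's implementation: it inserts the new rule ahead of the catch-all, refuses duplicates, refuses hostnames outside the zones the account manages (so a typo or a hostile app name cannot route a domain the account does not own), and renders the file in the layout shown under Tunnel Configuration. managedZones is a constructed sample list, the function names are assumptions, and Route approximates cloudflared's wildcard matching only far enough to show why order matters.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IngressRule is one entry of the cloudflared ingress list; the catch-all
// rule at the end has an empty Hostname.
type IngressRule struct {
	Hostname string
	Service  string
}

// Zones the account manages (constructed sample; the real account has 49).
var managedZones = []string{"pvdify.win", "myapp.com", "philoveracity.com", "newdomain.com"}

// ZoneFor returns the managed zone that owns host, or "" when none does. The
// match is on a label boundary, so "evil-pvdify.win" is not inside "pvdify.win".
func ZoneFor(host string, zones []string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	best := ""
	for _, z := range zones {
		if (host == z || strings.HasSuffix(host, "."+z)) && len(z) > len(best) {
			best = z
		}
	}
	return best
}

// AddIngress returns a copy of rules with host routed to the app's port. The
// new rule goes before the catch-all (first match wins, so a rule appended
// after it would never fire), duplicates are refused, and hostnames outside
// our zones are refused before any DNS record would be created.
func AddIngress(rules []IngressRule, host string, port int, zones []string) ([]IngressRule, error) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if ZoneFor(host, zones) == "" {
		return nil, fmt.Errorf("%s is not in a zone this account manages", host)
	}
	n := len(rules)
	if n == 0 || rules[n-1].Hostname != "" {
		return nil, errors.New("ingress must end with a catch-all rule (no hostname)")
	}
	for _, r := range rules[:n-1] {
		if r.Hostname == host {
			return nil, fmt.Errorf("%s is already routed to %s", host, r.Service)
		}
	}
	out := append([]IngressRule{}, rules[:n-1]...)
	out = append(out, IngressRule{Hostname: host, Service: fmt.Sprintf("http://localhost:%d", port)})
	return append(out, rules[n-1]), nil
}

// Route mirrors first-match-wins evaluation. The wildcard form "*.zone" is
// treated as "any name ending in .zone", an approximation of cloudflared's
// matcher that is enough to show the effect of rule order.
func Route(rules []IngressRule, host string) string {
	for _, r := range rules {
		switch {
		case r.Hostname == "", r.Hostname == host:
			return r.Service
		case strings.HasPrefix(r.Hostname, "*.") && strings.HasSuffix(host, r.Hostname[1:]):
			return r.Service
		}
	}
	return ""
}

// RenderYAML emits the file in the layout of /etc/cloudflared/pvdify.yml.
// Wildcard hostnames are quoted: a bare leading "*" is a YAML alias marker.
func RenderYAML(tunnelID string, rules []IngressRule) string {
	var b strings.Builder
	fmt.Fprintf(&b, "tunnel: %s\ncredentials-file: /root/.cloudflared/%s.json\n\ningress:\n", tunnelID, tunnelID)
	for _, r := range rules {
		if r.Hostname == "" {
			fmt.Fprintf(&b, "  - service: %s\n", r.Service)
			continue
		}
		h := r.Hostname
		if strings.HasPrefix(h, "*") {
			h = `"` + h + `"`
		}
		fmt.Fprintf(&b, "  - hostname: %s\n    service: %s\n", h, r.Service)
	}
	return b.String()
}

func main() {
	rules := []IngressRule{
		{"pvdify.win", "http://localhost:9443"},
		{"*.pvdify.win", "http://localhost:9443"},
		{"myapp.com", "http://localhost:3001"},
		{"", "http_status:404"},
	}
	rules, err := AddIngress(rules, "newdomain.com", 3001, managedZones)
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderYAML("<tunnel-id>", rules))
	fmt.Println(Route(rules, "api.pvdify.win"), Route(rules, "nope.example"))
}
```

Before reloading, the rendered file should be checked with cloudflared's own validator (cloudflared tunnel ingress validate, and cloudflared tunnel ingress rule https://newdomain.com to see which rule a hostname hits), since that is the matcher that actually runs; the Route function here only illustrates the ordering rule.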