I use the same setup on 17 servers. Instead of the Cloudflared Docker container (which has overhead) I run the native binary as a systemd service. Simple, autostart, journal.
Installation
```bash
#!/usr/bin/env bash
# /usr/local/bin/install-cloudflared.sh
set -euo pipefail
# Fail early if TUNNEL_ID is not exported (the healthcheck below needs it too)
TUNNEL_ID="${TUNNEL_ID:?TUNNEL_ID must be set}"
ARCH=$(dpkg --print-architecture)
URL="https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${ARCH}"
curl -fsSL "${URL}" -o /usr/local/bin/cloudflared
chmod +x /usr/local/bin/cloudflared
# The token must be in /etc/cloudflared/token (chmod 600)
test -f /etc/cloudflared/token || { echo "missing /etc/cloudflared/token"; exit 1; }
# Install the service
cloudflared --no-autoupdate service install "$(cat /etc/cloudflared/token)"
systemctl enable --now cloudflared
systemctl status cloudflared --no-pager
```
Systemd unit (custom)
If you don't want service install (it creates a symlink somewhere in /etc/systemd/system/),
write your own:
```ini
# /etc/systemd/system/cloudflared.service
[Unit]
Description=Cloudflare Tunnel
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yml --no-autoupdate run
Restart=on-failure
RestartSec=5s
User=cloudflared
Group=cloudflared
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log/cloudflared

[Install]
WantedBy=multi-user.target
```
Healthcheck
```bash
#!/usr/bin/env bash
# /etc/healthcheck.d/cloudflared.sh
# TUNNEL_ID must be set in the caller's environment
TUNNEL_ID="${TUNNEL_ID:?TUNNEL_ID must be set}"
systemctl is-active cloudflared >/dev/null && \
cloudflared tunnel info "${TUNNEL_ID}" 2>&1 | grep -q "ACTIVE"
```
So off we go.
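As an added pre-flight check for the custom unit above (my own script, not from the original post): before enabling the unit it verifies that the tunnel credentials file named in the config is readable only by the service user, and that the hardening directives the unit relies on are actually present. It assumes the config path used in ExecStart, a "credentials-file:" key in that config, the unit path /etc/systemd/system/cloudflared.service and the user "cloudflared"; all are overridable via environment variables.

```shell
#!/usr/bin/env bash
# Pre-flight check for the custom unit above. Assumed (override via env): the config
# passed with --config, its "credentials-file:" path, the unit file, the service user.
set -u
CF_USER="${CF_USER:-cloudflared}"
CF_CONFIG="${CF_CONFIG:-/etc/cloudflared/config.yml}"
CF_UNIT="${CF_UNIT:-/etc/systemd/system/cloudflared.service}"
# check_secret_file PATH OWNER: exists, owned by OWNER, no group/other bits (GNU stat)
check_secret_file() {
  local f="$1" owner="$2" mode
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f has mode $mode, want 600" >&2; return 1 ;;
  esac
  [ "$(stat -c '%u' "$f")" = "$(id -u "$owner")" ] || { echo "$f is not owned by $owner" >&2; return 1; }
}
# check_unit_hardening UNITFILE: every directive the unit above relies on is present
check_unit_hardening() {
  local unit="$1" key rc=0
  for key in "User=$CF_USER" NoNewPrivileges=true ProtectSystem=strict ProtectHome=true; do
    grep -qx "$key" "$unit" 2>/dev/null || { echo "$unit lacks $key" >&2; rc=1; }
  done
  return "$rc"
}
# credentials_path CONFIG: unquoted value of the credentials-file key, empty if absent
credentials_path() {
  sed -n 's/^credentials-file:[[:space:]]*//p' "$1" 2>/dev/null | head -n1
}
# preflight: run every check, report all findings, return 1 if any failed
preflight() {
  local rc=0 creds
  [ -f "$CF_CONFIG" ] || { echo "missing: $CF_CONFIG" >&2; rc=1; }
  creds=$(credentials_path "$CF_CONFIG")
  if [ -n "$creds" ]; then check_secret_file "$creds" "$CF_USER" || rc=1
  else echo "no credentials-file key in $CF_CONFIG" >&2; rc=1; fi
  check_unit_hardening "$CF_UNIT" || rc=1
  return "$rc"
}
# Invoke as "preflight.sh check"; with no argument only the functions are defined
if [ "${1:-}" = "check" ]; then preflight; exit $?; fi
```

Run it as root after writing the unit and config; a non-zero exit with the printed findings means the service should not be enabled yet.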