diff --git a/.github/workflows/deploy-on-merge.yml b/.github/workflows/deploy-on-merge.yml
index 49dbc01..6288595 100644
--- a/.github/workflows/deploy-on-merge.yml
+++ b/.github/workflows/deploy-on-merge.yml
@@ -104,7 +104,7 @@ jobs:
 HOSTS="$HOSTS nuremberg-a"
 ;;
 # copenhagen-a services (gaming)
- ansible/services/minecraft/*|ansible/services/mangos-*|ansible/services/cloudflared/*)
+ ansible/services/minecraft/*|ansible/services/mangos-*)
 HOSTS="$HOSTS copenhagen-a"
 ;;
 # --- Unmapped ansible paths → full fleet as safety fallback ---
diff --git a/ansible/inventory/host_vars/copenhagen-a.yml b/ansible/inventory/host_vars/copenhagen-a.yml
index c6c5bc6..02399c3 100644
--- a/ansible/inventory/host_vars/copenhagen-a.yml
+++ b/ansible/inventory/host_vars/copenhagen-a.yml
@@ -5,11 +5,9 @@ host_location: "Copenhagen"
 # MaNGOS runs as systemd services, not Docker
 # MariaDB is the MaNGOS database backend (character, world, auth DBs)
-# cloudflared provides Cloudflare Tunnel access
 systemd_services:
 - mangos-realmd
 - mangos-world
- - cloudflared
 - node_exporter
 # Docker Compose services deployed by docker_services role
diff --git a/ansible/roles/media_stack/tasks/main.yml b/ansible/roles/media_stack/tasks/main.yml
index e451e27..f9b25fe 100644
--- a/ansible/roles/media_stack/tasks/main.yml
+++ b/ansible/roles/media_stack/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 # media_stack role — deploys the full media stack on london-b
 # Manages: *arr suite, jellyfin, plex, transmission, samba,
-# ollama, promtail, cloudflared, vsftpd, and cron jobs.
+# ollama, promtail, vsftpd, and cron jobs.
 # ── Systemd service units (custom, not package-managed) ──
@@ -53,7 +53,6 @@
 - transmission-daemon
 - smbd
 - vsftpd
- - cloudflared
 # ── Snap packages ──
diff --git a/ansible/services/README.md b/ansible/services/README.md
index f2d186e..393bfb1 100644
--- a/ansible/services/README.md
+++ b/ansible/services/README.md
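Review bot: The glob removed from the copenhagen-a case arm, `ansible/services/cloudflared/*`, does not match the unit files this commit actually deletes (`ansible/services/systemd/copenhagen-a/cloudflared.service` and `ansible/services/systemd/london-b/cloudflared.service`), so this arm was never the routing rule for them and the diff does not show whether an `ansible/services/cloudflared/` directory still exists. If it does, any later edit under it now falls through to the `# --- Unmapped ansible paths → full fleet as safety fallback ---` arm and deploys to every host instead of copenhagen-a only. Either delete that directory in the same change or keep a narrow arm for it until it is gone, and consider a comment on the fallback arm noting that removed service paths land here. The enclosing `case` statement starts and ends outside the hunk.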
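Review bot: Removing `- cloudflared` from `systemd_services` here (and from the service list in the `@@ -53,7 +53,6 @@` hunk of ansible/roles/media_stack/tasks/main.yml) only stops Ansible from managing the unit; nothing in the diff stops, disables or removes the already-deployed service on copenhagen-a or london-b, and the README text deleted in this same commit says the live copenhagen-a service runs with the real token. A decommission should be explicit, e.g. a one-off task `ansible.builtin.systemd: { name: cloudflared, state: stopped, enabled: false }` followed by removal of the unit file and binary, and the tunnel credential should be revoked on the Cloudflare side so the token left on the hosts cannot be reused. The london-a `cloudflared_enable="YES"` entry that the README row described is also not touched by this diff as far as I can see, so the FreeBSD host may keep starting the tunnel at boot. Until that is done the tunnel remains an inbound path that the inventory no longer documents.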
@@ -9,8 +9,7 @@ services/
 ├── systemd/ # systemd unit files (Linux hosts)
 │ ├── copenhagen-a/
 │ │ ├── mangos-realmd.service # MaNGOS Zero realm server
-│ │ ├── mangos-world.service # MaNGOS Zero world server
-│ │ └── cloudflared.service # Cloudflare tunnel (token redacted)
+│ │ └── mangos-world.service # MaNGOS Zero world server
 │ └── helsinki-a/
 │ ├── caddy.service # Caddy reverse proxy (stock unit)
 │ └── thiswebsitedoesnotexist.service # Node.js app on port 3721
@@ -27,7 +26,6 @@ services/
 |---------|------|--------|-------|
 | MaNGOS realmd | `mangos-realmd.service` | enabled, custom | Realm server for WoW private server. Depends on MariaDB. |
 | MaNGOS world | `mangos-world.service` | enabled, custom | World server. Depends on MariaDB and realmd. |
-| cloudflared | `cloudflared.service` | enabled, custom | Cloudflare tunnel. **Token redacted** — replace `${CLOUDFLARED_TOKEN}` with the real token on deploy. |
 ### helsinki-a (Linux)
@@ -46,13 +44,9 @@ No custom rc.d scripts — all services installed via `pkg`. The `rc.conf` captu
 | Prometheus | `prometheus_enable="YES"` | Metrics collection |
 | node_exporter | `node_exporter_enable="YES"` | Host metrics exporter |
 | Tailscale | `tailscaled_enable="YES"` | Mesh VPN |
-| cloudflared | `cloudflared_enable="YES"` | Cloudflare tunnel (tunnel ID in rc.conf) |
 | InfluxDB | `influxd_enable="YES"` | Time-series database |
 | libvirtd | `libvirtd_enable="YES"` | Virtualisation daemon |
 | Redis | `redis_enable="YES"` | In-memory data store |
 | PostgreSQL | `postgresql_enable="YES"` | Relational database |
-## Security
-- The cloudflared token on copenhagen-a has been **redacted** in the committed unit file. The live service uses the real token.
-- The cloudflare tunnel ID on london-a is committed as-is (it's not a secret — the tunnel token is separate).
diff --git a/ansible/services/systemd/copenhagen-a/cloudflared.service b/ansible/services/systemd/copenhagen-a/cloudflared.service
deleted file mode 100644
index 1a66780..0000000
--- a/ansible/services/systemd/copenhagen-a/cloudflared.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=cloudflared
-After=network.target
-
-[Service]
-TimeoutStartSec=0
-Type=notify
-ExecStart=/usr/bin/cloudflared --no-autoupdate tunnel run --token ${CLOUDFLARED_TOKEN}
-Restart=on-failure
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target
diff --git a/ansible/services/systemd/london-b/cloudflared.service b/ansible/services/systemd/london-b/cloudflared.service
deleted file mode 100644
index 6e9b1f1..0000000
--- a/ansible/services/systemd/london-b/cloudflared.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=cloudflared
-After=network.target
-
-[Service]
-TimeoutStartSec=0
-Type=notify
-ExecStart=/usr/bin/cloudflared --no-autoupdate tunnel run
-Restart=on-failure
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target
diff --git a/docs/hosts/copenhagen-a.md b/docs/hosts/copenhagen-a.md
index af3c089..775aea7 100644
--- a/docs/hosts/copenhagen-a.md
+++ b/docs/hosts/copenhagen-a.md
@@ -50,16 +50,6 @@ WoW 1.12 (Vanilla) private server using the MaNGOS Zero emulator. Runs natively
 Both `mangos-realmd` and `mangos-world` start automatically on boot via systemd.
-### Cloudflare Tunnel
-
-| | |
-|---|---|
-| Binary | `/usr/bin/cloudflared` |
-| Managed by | systemd |
-| Unit file | `ansible/services/systemd/copenhagen-a/cloudflared.service` |
-
-Provides Cloudflare Tunnel access to the host. Token-based authentication configured directly in the systemd unit.
-
 ### Monitoring
 | Service | Port | Managed by |
diff --git a/docs/hosts/london-a.md b/docs/hosts/london-a.md
index 28037ab..06fc903 100644
--- a/docs/hosts/london-a.md
+++ b/docs/hosts/london-a.md
@@ -28,7 +28,6 @@ Old gaming PC, now perfectly happy as a monitoring host. Very lightly loaded —
 | Prometheus | 9090 | Active | prometheus.pez.sh |
 | Grafana | 3000 | Active | grafana.pez.sh |
 | node_exporter | 9100 | Active | Metrics exporter |
-| cloudflared | — | Active | Tunnel 168eccae-... proxying Grafana/Prometheus |
 | Tailscale | — | Active | Mesh networking |
 Both Prometheus and Grafana are behind Authelia (auth handled by Caddy on helsinki-a).
diff --git a/docs/hosts/london-b.md b/docs/hosts/london-b.md
index d216154..13202ec 100644
--- a/docs/hosts/london-b.md
+++ b/docs/hosts/london-b.md
@@ -86,7 +86,6 @@ The media automation suite and several supporting services run as native systemd
 | Samba | smbd | Package-managed |
 | Ollama | ollama | /usr/local/bin, custom unit |
 | Promtail | promtail | Custom unit, ships logs to Loki |
-| Cloudflared | cloudflared | Tunnel to Cloudflare |
 | vsftpd | vsftpd | FTP server for /hdd/ftp |
 | systemd_exporter | systemd_exporter | Ansible-managed |
 | node_exporter | node_exporter | Ansible-managed |