Remove cloudflared — replaced by Caddy reverse proxy

Cloudflared tunnels are no longer used. All traffic now routes through
Cloudflare DNS to Caddy on helsinki-a over Tailscale.

- Remove cloudflared systemd unit files (copenhagen-a, london-b)
- Remove cloudflared from media_stack role and copenhagen-a host_vars
- Remove cloudflared references from services README and host docs
- Remove cloudflared deploy trigger from CI workflow

Live service on london-b stopped and disabled. copenhagen-a was
unreachable but the tunnel is unused regardless.
Rasmus Wejlgaard 2026-04-03 21:49:36 +00:00
parent 99c2091b96
commit 5c44e51770
9 changed files with 3 additions and 50 deletions


@ -104,7 +104,7 @@ jobs:
HOSTS="$HOSTS nuremberg-a" ;; HOSTS="$HOSTS nuremberg-a" ;;
# copenhagen-a services (gaming) # copenhagen-a services (gaming)
ansible/services/minecraft/*|ansible/services/mangos-*|ansible/services/cloudflared/*) ansible/services/minecraft/*|ansible/services/mangos-*)
HOSTS="$HOSTS copenhagen-a" ;; HOSTS="$HOSTS copenhagen-a" ;;
# --- Unmapped ansible paths → full fleet as safety fallback --- # --- Unmapped ansible paths → full fleet as safety fallback ---
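Review bot: the case arm on the `ansible/services/minecraft/*|ansible/services/mangos-*` line loses its `ansible/services/cloudflared/*` alternative, yet the unit this commit deletes lived at `ansible/services/systemd/copenhagen-a/cloudflared.service`, a path none of the remaining patterns in this arm match. Check whether another arm maps `ansible/services/systemd/copenhagen-a/*` to copenhagen-a; if not, edits under that tree fall through to the full-fleet fallback named in the last context line, which is a much larger blast radius than one host.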


@ -5,11 +5,9 @@ host_location: "Copenhagen"
# MaNGOS runs as systemd services, not Docker # MaNGOS runs as systemd services, not Docker
# MariaDB is the MaNGOS database backend (character, world, auth DBs) # MariaDB is the MaNGOS database backend (character, world, auth DBs)
# cloudflared provides Cloudflare Tunnel access
systemd_services: systemd_services:
- mangos-realmd - mangos-realmd
- mangos-world - mangos-world
- cloudflared
- node_exporter - node_exporter
# Docker Compose services deployed by docker_services role # Docker Compose services deployed by docker_services role
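Review bot: dropping `- cloudflared` from `systemd_services` stops the role from managing that unit at all, and the commit message says copenhagen-a was unreachable, so the live unit stays enabled with its real token until someone can log in. Rather than relying on the list entry's absence, consider an explicit cleanup task (service stopped and disabled, unit file absent, daemon-reload) that runs the next time the host is reachable, so the deployed state converges with what the repo now describes.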


@ -1,7 +1,7 @@
--- ---
# media_stack role — deploys the full media stack on london-b # media_stack role — deploys the full media stack on london-b
# Manages: *arr suite, jellyfin, plex, transmission, samba, # Manages: *arr suite, jellyfin, plex, transmission, samba,
# ollama, promtail, cloudflared, vsftpd, and cron jobs. # ollama, promtail, vsftpd, and cron jobs.
# ── Systemd service units (custom, not package-managed) ── # ── Systemd service units (custom, not package-managed) ──
@ -53,7 +53,6 @@
- transmission-daemon - transmission-daemon
- smbd - smbd
- vsftpd - vsftpd
- cloudflared
# ── Snap packages ── # ── Snap packages ──


@ -9,8 +9,7 @@ services/
├── systemd/ # systemd unit files (Linux hosts) ├── systemd/ # systemd unit files (Linux hosts)
│ ├── copenhagen-a/ │ ├── copenhagen-a/
│ │ ├── mangos-realmd.service # MaNGOS Zero realm server │ │ ├── mangos-realmd.service # MaNGOS Zero realm server
│ │ ├── mangos-world.service # MaNGOS Zero world server │ │ └── mangos-world.service # MaNGOS Zero world server
│ │ └── cloudflared.service # Cloudflare tunnel (token redacted)
│ └── helsinki-a/ │ └── helsinki-a/
│ ├── caddy.service # Caddy reverse proxy (stock unit) │ ├── caddy.service # Caddy reverse proxy (stock unit)
│ └── thiswebsitedoesnotexist.service # Node.js app on port 3721 │ └── thiswebsitedoesnotexist.service # Node.js app on port 3721
@ -27,7 +26,6 @@ services/
|---------|------|--------|-------| |---------|------|--------|-------|
| MaNGOS realmd | `mangos-realmd.service` | enabled, custom | Realm server for WoW private server. Depends on MariaDB. | | MaNGOS realmd | `mangos-realmd.service` | enabled, custom | Realm server for WoW private server. Depends on MariaDB. |
| MaNGOS world | `mangos-world.service` | enabled, custom | World server. Depends on MariaDB and realmd. | | MaNGOS world | `mangos-world.service` | enabled, custom | World server. Depends on MariaDB and realmd. |
| cloudflared | `cloudflared.service` | enabled, custom | Cloudflare tunnel. **Token redacted** — replace `${CLOUDFLARED_TOKEN}` with the real token on deploy. |
### helsinki-a (Linux) ### helsinki-a (Linux)
@ -46,13 +44,9 @@ No custom rc.d scripts — all services installed via `pkg`. The `rc.conf` captu
| Prometheus | `prometheus_enable="YES"` | Metrics collection | | Prometheus | `prometheus_enable="YES"` | Metrics collection |
| node_exporter | `node_exporter_enable="YES"` | Host metrics exporter | | node_exporter | `node_exporter_enable="YES"` | Host metrics exporter |
| Tailscale | `tailscaled_enable="YES"` | Mesh VPN | | Tailscale | `tailscaled_enable="YES"` | Mesh VPN |
| cloudflared | `cloudflared_enable="YES"` | Cloudflare tunnel (tunnel ID in rc.conf) |
| InfluxDB | `influxd_enable="YES"` | Time-series database | | InfluxDB | `influxd_enable="YES"` | Time-series database |
| libvirtd | `libvirtd_enable="YES"` | Virtualisation daemon | | libvirtd | `libvirtd_enable="YES"` | Virtualisation daemon |
| Redis | `redis_enable="YES"` | In-memory data store | | Redis | `redis_enable="YES"` | In-memory data store |
| PostgreSQL | `postgresql_enable="YES"` | Relational database | | PostgreSQL | `postgresql_enable="YES"` | Relational database |
## Security
- The cloudflared token on copenhagen-a has been **redacted** in the committed unit file. The live service uses the real token.
- The cloudflare tunnel ID on london-a is committed as-is (it's not a secret — the tunnel token is separate).
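Review bot: the removed `cloudflared_enable="YES"` row and the Security bullet about the tunnel ID on london-a are documentation-only changes: the commit touches no rc.conf, and the message mentions only london-b (stopped and disabled) and copenhagen-a (unreachable). Unless the rc.d service on london-a was disabled separately, the docs now describe a host state that is not the live one. Either keep the row until `cloudflared_enable` is actually dropped from the captured rc.conf, or include that change and say so in the commit message.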


@ -1,13 +0,0 @@
[Unit]
Description=cloudflared
After=network.target
[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate tunnel run --token ${CLOUDFLARED_TOKEN}
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
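Review bot: this unit passed the tunnel token on the `ExecStart` command line, where it is visible to any local user in the process list, and the README row removed earlier in this commit says the placeholder was replaced with the real token at deploy time. Since the host could not be reached to stop the service, treat that token as still live: revoke or rotate it in the Cloudflare tunnel settings so a stale unit on copenhagen-a cannot reconnect, and record that step in the commit message alongside the london-b stop/disable.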


@ -1,13 +0,0 @@
[Unit]
Description=cloudflared
After=network.target
[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/bin/cloudflared --no-autoupdate tunnel run
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
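Review bot: `tunnel run` without `--token` relies on a tunnel config and credentials file stored on the host (by default under `~/.cloudflared` or `/etc/cloudflared`), and deleting the unit does not remove them. Since the service on london-b was stopped and disabled, also remove those files and the binary, and delete the tunnel itself in Cloudflare so the leftover credentials cannot be reused to re-establish it.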


@ -50,16 +50,6 @@ WoW 1.12 (Vanilla) private server using the MaNGOS Zero emulator. Runs natively
Both `mangos-realmd` and `mangos-world` start automatically on boot via systemd. Both `mangos-realmd` and `mangos-world` start automatically on boot via systemd.
### Cloudflare Tunnel
| | |
|---|---|
| Binary | `/usr/bin/cloudflared` |
| Managed by | systemd |
| Unit file | `ansible/services/systemd/copenhagen-a/cloudflared.service` |
Provides Cloudflare Tunnel access to the host. Token-based authentication configured directly in the systemd unit.
### Monitoring ### Monitoring
| Service | Port | Managed by | | Service | Port | Managed by |


@ -28,7 +28,6 @@ Old gaming PC, now perfectly happy as a monitoring host. Very lightly loaded —
| Prometheus | 9090 | Active | prometheus.pez.sh | | Prometheus | 9090 | Active | prometheus.pez.sh |
| Grafana | 3000 | Active | grafana.pez.sh | | Grafana | 3000 | Active | grafana.pez.sh |
| node_exporter | 9100 | Active | Metrics exporter | | node_exporter | 9100 | Active | Metrics exporter |
| cloudflared | — | Active | Tunnel 168eccae-... proxying Grafana/Prometheus |
| Tailscale | — | Active | Mesh networking | | Tailscale | — | Active | Mesh networking |
Both Prometheus and Grafana are behind Authelia (auth handled by Caddy on helsinki-a). Both Prometheus and Grafana are behind Authelia (auth handled by Caddy on helsinki-a).
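Review bot: the removed row says the tunnel was the path to Grafana and Prometheus on this host; with it gone, the last context line makes Caddy on helsinki-a over Tailscale the only intended route to ports 3000 and 9090. Confirm Caddy actually has routes for grafana.pez.sh and prometheus.pez.sh, and that neither port listens on a non-Tailscale interface, since Authelia only protects requests that pass through Caddy.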


@ -86,7 +86,6 @@ The media automation suite and several supporting services run as native systemd
| Samba | smbd | Package-managed | | Samba | smbd | Package-managed |
| Ollama | ollama | /usr/local/bin, custom unit | | Ollama | ollama | /usr/local/bin, custom unit |
| Promtail | promtail | Custom unit, ships logs to Loki | | Promtail | promtail | Custom unit, ships logs to Loki |
| Cloudflared | cloudflared | Tunnel to Cloudflare |
| vsftpd | vsftpd | FTP server for /hdd/ftp | | vsftpd | vsftpd | FTP server for /hdd/ftp |
| systemd_exporter | systemd_exporter | Ansible-managed | | systemd_exporter | systemd_exporter | Ansible-managed |
| node_exporter | node_exporter | Ansible-managed | | node_exporter | node_exporter | Ansible-managed |