
Cloudflare Tunnel is a wonderful thing. In fact, Cloudflare itself is fantastic for homelabbers because it gives you so much for free. I used to just host directly on my own home IP, but nowadays I find it easier to just `cloudflared`. Don't have to worry about the firewall and any breaches into my network and all of that stuff.

I started from a similar place as you, and eventually now my IaC for my homelab is just idempotent bash scripts written by Claude. The pattern I find with dependencies is that they have the property that someone wants to change some attribute, and so the program needs to evolve for the attribute to be changeable. This means programs evolve to have many hinges, and the interactions cause bugs one cannot reason about.

My needs for the homelab are fairly simple and the script can encode all the information it needs. As a human, writing such a script is tedious. As a human with an AI assistant, I've found that this is so much easier to worry about because bash is a fairly stable target.

Anyway, apart from that, I landed on using systemd's containers that use podman but otherwise not too different. My (far less polished) version of this post as a memory aid to myself: https://wiki.roshangeorge.dev/w/One_Quick_Way_To_Host_A_WebA...
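The two ideas in that comment, an idempotent bash script as the homelab's IaC and a cloudflared container run under systemd via podman, fit in one short script. The block below is an added example, not code from the commenter's wiki or from Cloudflare; it assumes Quadlet (podman 4.4+) so that a `cloudflared.container` unit under `~/.config/containers/systemd/` becomes a user service, that the tunnel token is stored as a podman secret named `cloudflared-token` rather than written into the unit, and that the `ensure_file` helper and the `apply` entry point are this script's own conventions. The helper only rewrites a file whose content differs, and reports whether it did, which is what makes re-running the script safe.

```shell
#!/bin/sh
# Idempotent homelab helper (added example; assumes podman Quadlet and a
# podman secret named cloudflared-token holding the tunnel token).

# Where Quadlet looks for rootless user units (override for testing).
QUADLET_DIR=${QUADLET_DIR:-$HOME/.config/containers/systemd}

# ensure_file DEST MODE   (desired content on stdin)
# Writes DEST atomically only when its content differs from stdin and
# prints "changed" or "unchanged", so callers can decide whether to reload.
ensure_file() {
    dest=$1
    mode=$2
    content=$(cat)
    if [ -f "$dest" ] && [ "$(cat "$dest")" = "$content" ]; then
        echo unchanged
        return 0
    fi
    mkdir -p "$(dirname "$dest")"
    tmp=$(mktemp "$dest.XXXXXX")
    printf '%s\n' "$content" > "$tmp"
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$dest"          # rename is atomic; no half-written unit
    echo changed
}

# Quadlet unit for cloudflared. The token reaches the process only as an
# environment variable injected from a podman secret, so it is not in the
# unit file, the journal, or `ps` arguments. Hardening keys are assumptions
# about what the tunnel needs: it only makes outbound connections.
cloudflared_unit() {
    cat <<'EOF'
[Unit]
Description=Cloudflare Tunnel (cloudflared) as a rootless podman container
After=network-online.target

[Container]
Image=docker.io/cloudflare/cloudflared:latest
# cloudflared reads TUNNEL_TOKEN; populate it from the podman secret.
Secret=cloudflared-token,type=env,target=TUNNEL_TOKEN
Exec=tunnel --no-autoupdate run
DropCapability=all
NoNewPrivileges=true
ReadOnly=true

[Service]
Restart=always

[Install]
WantedBy=default.target
EOF
}

# Returns "changed" or "unchanged" via stdout.
install_cloudflared() {
    cloudflared_unit | ensure_file "$QUADLET_DIR/cloudflared.container" 0644
}

apply() {
    result=$(install_cloudflared)
    echo "cloudflared.container: $result"
    # Only reload and restart when something actually changed.
    if [ "$result" = changed ] && command -v systemctl >/dev/null 2>&1; then
        systemctl --user daemon-reload
        systemctl --user restart cloudflared.service
    fi
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Create the secret once with `printf '%s' "$TOKEN" | podman secret create cloudflared-token -`, then run the script as `sh homelab.sh apply`; a second run reports `unchanged` and touches nothing. Because the container has no inbound ports and only dials out to Cloudflare's edge, the dropped capabilities and read-only root filesystem cost nothing, and a compromised tunnel process has little to escalate with on the host.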




How do you feel about the privacy implications of Cloudflare theoretically being able to read all your data? I guess this theoretical downside is outweighed by the practical upsides?

I don't have a homelab for privacy so much as convenience. And I accept the risk of trusting vendors. I also have a datacenter cabinet and the techs there have a key to the cabinet. That's even more dangerous access theoretically. I suppose if someone compromised cloudflared (more possible in this era of supply-chain attacks and Cloudflare's renewed commitment to vibe-coding) there's a risk. C'est la vie.

FWIW: Depending on your use case, Cloudflare doesn't have visibility into the cleartext. In my setup, I use their arbitrary TCP tunneling feature to tunnel SSH for a remote host, which works great.

That said: I do also tunnel HTTP, and I've come to terms with the privacy risk. Being able to set up enforcement of things like mTLS at the edge is quite nice.


What's the benefit of Cloudflare Tunnel over just using Wireguard?

Same question from me too. I do have a few services on my homelab at home (stuff like a NAS, Synology surveillance, Home Assistant, a few LXC containers hosting random services on Proxmox) and it all works just fine for my needs with a standard WireGuard VPN setup on all my devices (MacBook/iPad/iPhone/Android). What would Cloudflare Tunnel get me?

It's free and simple and handles HTTPS termination and can be set up easily using terraform/pulumi.

Interestingly, in the early hours of this morning I switched from Cloudflare Tunnels to a rathole/traefik-based solution (well, currently it's port forwarding and a low-grade home-baked dyndns solution until I get paid and can afford a cheap Hetzner box, because I spent all of my money again).

I switched back because I didn't like the added complexity of having to manage the routes, what I'm using it for is technically against ToS, and I like the self-contained nature of my microk8s cluster.


> handles HTTPS termination

I understand a lot of people run services locally for other reasons, but HTTPS termination defeats any privacy argument.

Cloudflare are essentially the largest MitM data collector in the world. A few people started moving their data out of the cloud and they saw the gap. Now they're plugging that gap "for free".


I use them for different purposes. The wiki I linked there is exposed via `cloudflared`. Its purpose is to be public. I can't see myself using Wireguard for that.

I just add Yggdrasil to all my nodes. Removes the need to deal with nginx also.



