# Cloudflare dashboard setup — chat.saiden.dev (token-based)

Two artefacts get created in the Zero Trust dashboard:

1. **A tunnel** (`chat-saiden`) with its public hostname.
2. **An Access application** with Google IdP + whitelist.

Both are token/UI-managed (no local config files for tunnel ingress) to match the existing `cloudflared-mesh` and `cloudflared-tensors-art` pattern on junkpile.

---

## Part A — Create the tunnel (5 minutes)

### 1. Open the Networks → Tunnels page

Zero Trust → **Networks** → **Tunnels** → **Create a tunnel**.

### 2. Pick connector type

Choose **Cloudflared**. Click Next.

### 3. Name + save

Tunnel name: `chat-saiden`. Click **Save tunnel**.

### 4. Get the token (DO NOT close this page)

The wizard shows install instructions for several platforms. The token is the long base64 string inside the displayed command, e.g.:

```
cloudflared.exe service install eyJhIjoiOTVhZDNiYWEyYTRlY2RhMWUzODM0MmRm...   # ← THIS PART
```

**Copy just the token string** (everything after `service install` for the Windows command, or after `--token` for the Linux command — same string either way). Save it for the next step.

### 5. Place the token on junkpile

```bash
ssh junkpile
sudo mkdir -p /etc/cloudflared
sudo tee /etc/cloudflared/chat-saiden.env > /dev/null <<'EOF'
TUNNEL_TOKEN=PASTE_THE_LONG_TOKEN_HERE
EOF
sudo chown root:chi /etc/cloudflared/chat-saiden.env
sudo chmod 0640 /etc/cloudflared/chat-saiden.env
```

Because the token is pasted into an interactive session, bash records the whole `tee` command, heredoc body included, in its history. Delete that entry before you log out (or run the command with a leading space under `HISTCONTROL=ignorespace`).

⚠ Verify the file looks right:

```bash
sudo ls -la /etc/cloudflared/chat-saiden.env
# should be -rw-r----- root:chi
```

### 6. Configure the public hostname

Back in the wizard → **Next** → **Public Hostname** tab → **Add a public hostname**:

| Field | Value |
|-------|-------|
| Subdomain | `chat` |
| Domain | `saiden.dev` |
| Path | (leave blank) |
| Type | `HTTP` |
| URL | `localhost:7681` |

**Additional application settings → TLS → No TLS Verify** can stay off (the origin is plain HTTP on localhost, so there is nothing to verify).
**Additional application settings → Connection → Disable Chunked Encoding** must stay OFF.

Click **Save hostname**. CF will auto-create the `chat.saiden.dev` proxied CNAME for you.

### 7. Verify the tunnel page

The tunnel page should now show:

- Connector: **Healthy** (or "No connectors yet" if you haven't started the service)
- Public hostname: `chat.saiden.dev → http://localhost:7681`

---

## Part B — CF Access application (5 minutes)

### 1. Add the Access application

Zero Trust → **Access** → **Applications** → **Add an application** → **Self-hosted**.

| Field | Value |
|-------|-------|
| Application name | `chat-saiden` |
| Session duration | `24 hours` |
| Application domain | `chat.saiden.dev` |
| Path | (leave blank) |
| Identity providers | Google |
| Instant Auth | enabled |

Save → continue to policies.

### 2. Add the whitelist policy (THE SECURITY BOUNDARY)

| Field | Value |
|-------|-------|
| Policy name | `pilot-whitelist` |
| Action | **Allow** |
| Include rule | **Emails** = `adam.ladachowski@gmail.com` |

Save policy.

### 3. WebSocket support

Application **Settings → Advanced → WebSocket support** → enable. This is mandatory; ttyd is WS-based.

### 4. Default deny (implicit, but verify)

With only one Allow rule, anyone not matching is denied by default — no extra deny rule needed. To double-check, look at the policies list: it should show **one** policy (`pilot-whitelist`, Allow) and nothing else.

Keep in mind that the boundary only exists where the Access application domain matches the tunnel's public hostname. The tunnel publishes `chat.saiden.dev` to the internet on its own; if the hostname and the application domain ever diverge (a renamed subdomain, a second hostname added to the tunnel), that hostname is reachable with no policy in front of it.

---

## Part C — Google IdP setup (one-time, skip if already done)

Zero Trust → **Settings → Authentication → Login methods → Add new → Google**.

OAuth client ID + secret come from https://console.cloud.google.com → APIs & Services → Credentials.

Authorized redirect URI:

```
https://<team-name>.cloudflareaccess.com/cdn-cgi/access/callback
```

Replace `<team-name>` with the team domain shown at the top of the Zero Trust dashboard.

Save in CF wizard → click **Test**. Must succeed before moving on.

---

## Operational hygiene

- The TUNNEL_TOKEN is a long-lived bearer credential: whoever holds it can run a connector for this tunnel and serve whatever they like as `chat.saiden.dev`.
  If junkpile is compromised or you suspect the token leaked: dashboard → tunnel → **Refresh token**. The old token stops working once refreshed, so update `/etc/cloudflared/chat-saiden.env` and `systemctl restart cloudflared-chat-saiden` promptly; expect the hostname to be down in between.
- Audit access logs weekly: Zero Trust → **Logs → Access**. Anything shown as allowed for an address other than the whitelisted one means the policy has drifted and needs investigating.
- To revoke a whitelist entry: edit the `pilot-whitelist` policy, save. That blocks new logins immediately, but a session already issued stays valid until it expires (≤ 24h with the session duration above). To cut an existing session at once, also use **Revoke existing tokens** on the `chat-saiden` application (or revoke that user's sessions under Access → Users).
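The token-handling steps (step 5 above, and the refresh procedure in this section) as a shell helper. This is an added example, not part of the runbook or of cloudflared; it assumes Linux with GNU coreutils (`stat -c`, `base64 -d`) and that the tunnel token is base64-encoded JSON carrying account (`a`), tunnel (`t`) and secret (`s`) fields, which is what the `eyJhIjoi` prefix in step 4 decodes to (`{"a":"`). The file path, the `chi` group and the `cloudflared-chat-saiden` unit name come from the runbook; the sample token in the comments is constructed.

```bash
#!/usr/bin/env bash
# Added helper for step 5 and for token refresh; not part of the original runbook.
# Assumptions: Linux + GNU coreutils; tunnel token = base64(JSON with "a","t","s").
set -u

# Decode a tunnel token and check that the three expected JSON fields are present.
# Returns 0 for a well-formed token, 1 otherwise (wrong paste, truncated copy, ...).
check_tunnel_token() {
    local tok="$1" pad decoded key
    [ -n "$tok" ] || return 1
    # restore base64 padding in case the copied string lost its trailing '='
    pad=$(( (4 - ${#tok} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do tok="${tok}="; pad=$((pad - 1)); done
    decoded=$(printf '%s' "$tok" | base64 -d 2>/dev/null) || return 1
    for key in a t s; do
        printf '%s' "$decoded" | grep -q "\"$key\"[[:space:]]*:" || return 1
    done
    return 0
}

# Write TUNNEL_TOKEN=... to FILE so the token is never world-readable, not even
# between creation and chmod: written under umask 077 to a temp file in the same
# directory, then moved into place (also replaces a stale symlink instead of
# following it). Optional GROUP is the group allowed to read the file (chi on
# junkpile, so the service can start the tunnel without running as root).
write_token_env() {
    local file="$1" tok="$2" group="${3:-}"
    check_tunnel_token "$tok" || { echo "refusing to write $file: token does not decode" >&2; return 1; }
    ( umask 077 && tmp=$(mktemp "$file.XXXXXX") \
        && printf 'TUNNEL_TOKEN=%s\n' "$tok" > "$tmp" \
        && mv -f "$tmp" "$file" ) || return 1
    if [ -n "$group" ]; then chgrp "$group" "$file" || return 1; fi
    chmod 0640 "$file"
}

# Re-check an existing env file: mode 0640, exactly one TUNNEL_TOKEN line,
# and that token decodes. This is the scripted form of the ls -la check in step 5.
verify_token_env() {
    local file="$1" mode tok
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1
    [ "$mode" = "640" ] || { echo "$file: mode is $mode, expected 640" >&2; return 1; }
    [ "$(grep -c '^TUNNEL_TOKEN=' "$file")" -eq 1 ] \
        || { echo "$file: expected exactly one TUNNEL_TOKEN line" >&2; return 1; }
    tok=$(sed -n 's/^TUNNEL_TOKEN=//p' "$file")
    check_tunnel_token "$tok" || { echo "$file: TUNNEL_TOKEN does not decode" >&2; return 1; }
}

# Interactive use on junkpile as root, for the first install and for every
# "Refresh token". The token is read from the terminal with echo off, so it lands
# neither in shell history nor in `ps` arguments:
#   ./tunnel-token.sh install
if [ "${1:-}" = "install" ]; then
    printf 'paste tunnel token: '
    stty -echo; read -r TOKEN; stty echo; echo
    write_token_env /etc/cloudflared/chat-saiden.env "$TOKEN" chi \
        && verify_token_env /etc/cloudflared/chat-saiden.env \
        && systemctl restart cloudflared-chat-saiden
fi
```

`check_tunnel_token` is deliberately strict: a token that decodes but lacks any of the three fields is rejected before anything is written, which catches the common mistake of copying the whole `service install` line or only part of the string.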
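The weekly log audit above, scripted. This is an added example, not part of the runbook or of Cloudflare's tooling. It assumes the Access request log has been exported as one JSON object per line with at least `user_email`, `ip`, `allowed` and `created_at` fields (the field names are assumed from the User / IP / Allowed / Date columns of Logs → Access; an export from the Access request-log API piped through `jq -c '.result[]'` has that shape). The three log records embedded in `sample_log` are constructed, not real traffic; the extraction is a line-oriented `sed`, good enough for JSONL but not a general JSON parser.

```bash
#!/usr/bin/env bash
# Added example (not part of the original runbook): weekly check of exported
# Access request logs against the pilot whitelist.
# Assumed record shape (JSONL): {"created_at":"...","user_email":"...","ip":"...","allowed":true|false,...}
set -u

# json_str KEY LINE: print the string value of KEY from a single-line JSON record.
json_str() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# json_bool_true KEY LINE: succeed if the record has "KEY": true.
json_bool_true() {
    printf '%s\n' "$2" | grep -Eq "\"$1\"[[:space:]]*:[[:space:]]*true"
}

# audit_access_log LOGFILE ALLOWLIST
#   ALLOWLIST holds one e-mail per line: the addresses the pilot-whitelist policy allows.
#   Prints one finding per record. Returns 1 if any request was ALLOWED for an
#   address outside the allowlist (the boundary did not hold as documented), else 0.
#   Denied attempts are listed as well so repeated probing of the hostname is visible.
audit_access_log() {
    local logfile="$1" allow="$2" line email ip when rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        email=$(json_str user_email "$line")
        ip=$(json_str ip "$line")
        when=$(json_str created_at "$line")
        if json_bool_true allowed "$line"; then
            if ! grep -Fxqi -- "$email" "$allow"; then
                printf 'ALLOWED-OUTSIDE-WHITELIST %s %s %s\n' "$when" "$email" "$ip"
                rc=1
            fi
        else
            printf 'DENIED %s %s %s\n' "$when" "${email:-<no identity>}" "$ip"
        fi
    done < "$logfile"
    return "$rc"
}

# Constructed sample (not real log data): one legitimate login, one denied
# attempt by an outsider, and one allowed login for that same outsider, which
# is what policy drift would look like.
sample_log() {
    cat <<'EOF'
{"created_at":"2024-05-06T08:01:12Z","user_email":"adam.ladachowski@gmail.com","ip":"203.0.113.5","app_domain":"chat.saiden.dev","allowed":true}
{"created_at":"2024-05-06T09:40:03Z","user_email":"someone.else@example.com","ip":"198.51.100.9","app_domain":"chat.saiden.dev","allowed":false}
{"created_at":"2024-05-07T11:15:44Z","user_email":"someone.else@example.com","ip":"198.51.100.9","app_domain":"chat.saiden.dev","allowed":true}
EOF
}

# Demo run over the constructed sample; for the real audit point it at an
# export of Zero Trust → Logs → Access instead:
#   ./access-audit.sh demo
if [ "${1:-}" = "demo" ]; then
    sample_log > /tmp/access-sample.jsonl
    printf 'adam.ladachowski@gmail.com\n' > /tmp/allow.txt
    audit_access_log /tmp/access-sample.jsonl /tmp/allow.txt
fi
```

The exit status is the part worth wiring into whatever runs this weekly: a non-zero result means an address outside `pilot-whitelist` got through, which with a single Allow policy can only happen if the policy or the application domain was changed.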