cloudflare — community cloudflare, hetzner-vps, community, ide skills, Claude Code, Cursor, Windsurf

v1.0.0

About this Skill

Ideal for DevOps Agents requiring secure Cloudflare DNS and tunnel management for VPS-hosted applications. Production Docker Compose stack for Hetzner VPS — RollHook, Traefik, Postgres, Valkey, OTel

jkrumm
Updated: 3/1/2026

Agent Capability Analysis

The cloudflare skill by jkrumm is an open-source community AI agent skill for Claude Code and other IDE workflows, helping agents execute tasks with better context, repeatability, and domain-specific guidance.

Ideal Agent Persona

Ideal for DevOps Agents requiring secure Cloudflare DNS and tunnel management for VPS-hosted applications.

Core Value

Empowers agents to handle Cloudflare DNS and tunnel operations via the Cloudflare API, leveraging Doppler for secure token management and Traefik for reverse proxy configuration, all within a Production Docker Compose stack on Hetzner VPS.

Capabilities Granted for cloudflare

Automating Cloudflare Tunnel setup for VPS-hosted apps
Managing Cloudflare DNS records for custom domains
Debugging Cloudflare Tunnel connectivity issues using OTel

Prerequisites & Limits

  • Requires Cloudflare API token stored in Doppler
  • Limited to VPS-hosted applications with Docker Compose
  • Dependent on ssh access for execution via Doppler

cloudflare

Install cloudflare, an AI agent skill for AI agent workflows and automation. Works with Claude Code, Cursor, and Windsurf with one-command setup.

SKILL.md

Cloudflare API Skill

Handle any Cloudflare DNS or tunnel operation for VPS-hosted apps.

Execution model: All API calls run on the VPS via ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'...'"'"''. The API token (CF_API_TOKEN) stays in Doppler — never passed as a CLI argument, never visible to Claude Code, never logged.


Infrastructure Context

VPS Tunnel

The VPS has a single Cloudflare Tunnel. Its ID is stored in Doppler as CF_TUNNEL_ID.

Current tunnel IDs visible in jkrumm.com DNS:

  • 13f91961-... — VPS (this server)
  • f270cecf-... — HomeLab
  • b99c010f-... — other server

Wildcard ingress rule: *.DOMAIN → https://traefik:443 (TLS verify: off)

  • Set once after provisioning
  • Catches all subdomains that have a CNAME DNS record pointing to this tunnel
  • Does NOT affect other Cloudflare tunnels — each tunnel evaluates its own ingress rules independently

To reach a new app publicly:

  1. Add a DNS CNAME record pointing the subdomain to ${CF_TUNNEL_ID}.cfargotunnel.com
  2. The wildcard ingress rule already routes it to Traefik
  3. Traefik routes based on the Host() label on the container

Doppler Secrets (project: vps, config: prod)

| Secret | What it is |
|---|---|
| CF_API_TOKEN | API token — Zone:Read + DNS:Edit (all zones) + Tunnel:Edit (all accounts). Passed to Traefik as CF_DNS_API_TOKEN (lego requires that name) |
| CF_ACCOUNT_ID | Cloudflare account ID (same for all zones/tunnels) |
| CF_ZONE_ID | Zone ID for DOMAIN (jkrumm.com) |
| CF_TUNNEL_ID | UUID of the VPS Cloudflare Tunnel |
| DOMAIN | Primary domain |

Multi-Domain / Multi-Zone Support

Domains accessible with this token: basalt-ui.com, jkrumm.com, rollhook.com, shutterflow.app. For any domain not stored as CF_ZONE_ID, look up its zone ID first (see below).


Authentication Pattern

Use single-quote wrapping so ${VARS} are expanded by the VPS shell after doppler injects them:

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'
  curl -s "https://api.cloudflare.com/client/v4/zones" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    | python3 -m json.tool
'"'"''
```

Why: If the SSH command is wrapped in double quotes, the local shell expands ${CF_API_TOKEN} before the command reaches the VPS (producing an empty string and an auth error). The '...' '"'"' '...' pattern passes the inner string literally to the VPS, where it is expanded only after doppler has injected the secrets.
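The quoting variants side by side, as an added example that is not part of the original skill. It runs offline: `fake_ssh` and `doppler_run` are hypothetical stand-ins for `ssh vps` and `doppler run ... --`, and the token value is constructed. The third case (inner double quotes) goes beyond the two the text names and fails for the same reason one layer further in.

```bash
#!/bin/sh
# Added illustration. fake_ssh and doppler_run are hypothetical stand-ins for
# `ssh vps` and `doppler run ... --`; the token value is constructed.
unset CF_API_TOKEN   # as on the workstation: the secret is never held locally

# Like ssh: hand ONE command string to a fresh shell. The prelude defines
# doppler_run, which runs its arguments with the secret in their environment.
fake_ssh() {
  prelude='doppler_run() { CF_API_TOKEN=constructed-token-123 "$@"; }'
  sh -c "$prelude
$1"
}

# 1. Pattern from the page: the variable survives both outer shells and is
#    expanded only by the innermost shell, which doppler_run started.
page_pattern() {
  fake_ssh 'doppler_run sh -c '"'"'printf "%s" "${CF_API_TOKEN}"'"'"''
}

# 2. Outer double quotes: the LOCAL shell expands the variable (empty here).
local_expansion() {
  fake_ssh "doppler_run sh -c 'printf \"%s\" \"${CF_API_TOKEN}\"'"
}

# 3. Outer single quotes but inner double quotes: the REMOTE login shell
#    expands it while parsing, before doppler_run has injected anything.
remote_early_expansion() {
  fake_ssh 'doppler_run sh -c "printf \"%s\" \"${CF_API_TOKEN}\""'
}

printf 'page pattern:        [%s]\n' "$(page_pattern)"
printf 'outer double quotes: [%s]\n' "$(local_expansion)"
printf 'inner double quotes: [%s]\n' "$(remote_early_expansion)"
```

Only the first variant prints the token; an empty result in the other two corresponds to the empty `Authorization: Bearer` header and auth error described above.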


Common Operations

List all zones

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s "https://api.cloudflare.com/client/v4/zones" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin); [print(z[\"name\"],z[\"id\"]) for z in r[\"result\"]] if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

Check current tunnel ingress config

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/cfd_tunnel/${CF_TUNNEL_ID}/configurations" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin); [print(i.get(\"hostname\",\"catch-all\"),\"\",i[\"service\"]) for i in r[\"result\"][\"config\"][\"ingress\"]] if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

List DNS records for a zone

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records?per_page=100" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin); [print(rec[\"type\"],rec[\"name\"],\"\",rec[\"content\"]) for rec in r[\"result\"]] if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

Add a DNS CNAME record (new app subdomain on primary domain)

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records" -H "Authorization: Bearer ${CF_API_TOKEN}" -H "Content-Type: application/json" --data "{\"type\":\"CNAME\",\"name\":\"SUBDOMAIN\",\"content\":\"${CF_TUNNEL_ID}.cfargotunnel.com\",\"proxied\":true}" | python3 -c "import json,sys; r=json.load(sys.stdin); print(\"OK:\",r[\"result\"][\"name\"]) if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

Replace SUBDOMAIN with the actual subdomain before running.
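Because SUBDOMAIN is pasted into a string that passes through three shells, it should be checked before substitution. The following is an added example, not part of the original skill: `is_dns_label` and `cname_remote_cmd` are hypothetical helper names, the sample subdomains are constructed, and the response-parsing `python3` pipe is omitted for brevity.

```bash
#!/bin/sh
# Added illustration. is_dns_label and cname_remote_cmd are hypothetical
# helper names; the sample subdomains below are constructed.
LC_ALL=C; export LC_ALL   # make the a-z range below byte-exact

# Accept exactly one RFC 1123 label: 1-63 chars from a-z, 0-9 and "-",
# not starting or ending with "-". This also excludes quotes, spaces,
# "$", ";" and backticks, so the value cannot alter the quoting around it.
is_dns_label() {
  label=$1
  [ -n "$label" ] && [ "${#label}" -le 63 ] || return 1
  case $label in
    *[!a-z0-9-]* | -* | *-) return 1 ;;
  esac
  return 0
}

# Print the command string for `ssh vps`, with the validated label in place
# of SUBDOMAIN. ${CF_*} stay literal here and are expanded on the VPS.
cname_remote_cmd() {
  is_dns_label "$1" || { echo "refusing: not a single DNS label" >&2; return 1; }
  api='https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records'
  body='{\"type\":\"CNAME\",\"name\":\"'"$1"'\",\"content\":\"${CF_TUNNEL_ID}.cfargotunnel.com\",\"proxied\":true}'
  inner='curl -s -X POST "'"$api"'" -H "Authorization: Bearer ${CF_API_TOKEN}"'
  inner=$inner' -H "Content-Type: application/json" --data "'"$body"'"'
  printf "doppler run --project vps --config prod -- bash -c '%s'" "$inner"
}

# Usage: ssh vps "$(cname_remote_cmd grafana)"
# The double quotes are safe here: output of $(...) is not re-expanded locally.
for candidate in grafana my-app -lead 'a b' 'a"b' 'a$b' API; do
  if is_dns_label "$candidate"; then echo "accept: $candidate"
  else echo "reject: $candidate"; fi
done
```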

Delete a DNS record

First list records to find the ID, then:

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records/RECORD_ID" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin); print(\"OK\" if r[\"success\"] else r[\"errors\"])"'"'"''
```

Look up Zone ID for a secondary domain

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s "https://api.cloudflare.com/client/v4/zones?name=other-domain.com" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin)[\"result\"]; print(r[0][\"id\"],r[0][\"name\"]) if r else print(\"not found\")"'"'"''
```

Set/update wildcard tunnel ingress rule

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s -X PUT "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/cfd_tunnel/${CF_TUNNEL_ID}/configurations" -H "Authorization: Bearer ${CF_API_TOKEN}" -H "Content-Type: application/json" --data "{\"config\":{\"ingress\":[{\"hostname\":\"*.${DOMAIN}\",\"service\":\"https://traefik:443\",\"originRequest\":{\"noTLSVerify\":true}},{\"service\":\"http_status:404\"}]}}" | python3 -c "import json,sys; r=json.load(sys.stdin); print(\"OK — version\",r[\"result\"][\"version\"]) if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

Workflow: Add a New Public App

  1. Deploy the app compose to VPS (confirm running: make ps)
  2. Add DNS CNAME record (subdomain → VPS tunnel)
  3. Verify: curl -I https://myapp.<DOMAIN>/health
  4. No tunnel config changes needed — wildcard ingress already catches it

Workflow: Add App on a Secondary Domain

  1. Look up the zone ID for the secondary domain
  2. Use it directly in the curl call — zone IDs are not secret (visible in the Cloudflare dashboard)
  3. If the secondary domain isn't covered by the wildcard ingress, add a specific hostname rule to the tunnel config before the http_status:404 catch-all

Useful Reference

CF API base: https://api.cloudflare.com/client/v4

| Endpoint | Method | Purpose |
|---|---|---|
| /zones | GET | List zones (filter: ?name=domain.com) |
| /zones/{zone_id}/dns_records | GET | List DNS records |
| /zones/{zone_id}/dns_records | POST | Create DNS record |
| /zones/{zone_id}/dns_records/{id} | PUT | Update DNS record |
| /zones/{zone_id}/dns_records/{id} | DELETE | Delete DNS record |
| /accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations | GET | Get tunnel ingress config |
| /accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations | PUT | Replace tunnel ingress config |
| /accounts/{account_id}/cfd_tunnel | GET | List all tunnels |

All responses: {"success": bool, "result": ..., "errors": [...]}.

FAQ & Installation Steps

Frequently Asked Questions

How do I install cloudflare?

Run the command: npx killer-skills add jkrumm/hetzner-vps/cloudflare. It works with Cursor, Windsurf, VS Code, Claude Code, and 19+ other IDEs.

What are the use cases for cloudflare?

Key use cases include: Automating Cloudflare Tunnel setup for VPS-hosted apps, Managing Cloudflare DNS records for custom domains, Debugging Cloudflare Tunnel connectivity issues using OTel.

Which IDEs are compatible with cloudflare?

This skill is compatible with Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer. Use the Killer-Skills CLI for universal one-command installation.

Are there any limitations for cloudflare?

Requires Cloudflare API token stored in Doppler. Limited to VPS-hosted applications with Docker Compose. Dependent on ssh access for execution via Doppler.

How To Install

  1. Open your terminal

    Open the terminal or command line in your project directory.

  2. Run the install command

    Run: npx killer-skills add jkrumm/hetzner-vps/cloudflare. The CLI will automatically detect your IDE or AI agent and configure the skill.

  3. Start using the skill

    The skill is now active. Your AI agent can use cloudflare immediately in the current project.
