name: cloudflare-access-setup description: | Configures Cloudflare Access authentication with Google OAuth for protected services. Use when you need to set up authentication, configure Google OAuth, protect services with Cloudflare Access, enable remote access security, or troubleshoot Access issues. Triggers on "setup cloudflare access", "configure access authentication", "enable google oauth", "protect services", "fix access denied", "add users to access", or "why can't I login remotely". Works with cf-access-setup.sh, .env OAuth credentials, and Cloudflare Zero Trust dashboard. allowed-tools:

Read
Bash
Grep
Glob

Cloudflare Access Setup Skill

Configure Cloudflare Access with Google OAuth to protect services with secure authentication.

Quick Start

To set up Cloudflare Access authentication:

# 1. Verify prerequisites
./scripts/cf-access-setup.sh list

# 2. If OAuth credentials missing, configure .env first (see Section 3.2)

# 3. Run automated setup
./scripts/cf-access-setup.sh setup

After setup, test by visiting https://pihole.temet.ai - you should see Google login.

When to Use This Skill
What This Skill Does
Instructions
- 3.1 Verify Prerequisites
- 3.2 Configure Google OAuth (if needed)
- 3.3 Run Automated Setup
- 3.4 Verify Applications Created
- 3.5 Test Authentication Flow
- 3.6 Access Monitoring
Supporting Files
Expected Outcomes
Integration Points
Requirements
Red Flags to Avoid

When to Use This Skill

Explicit Triggers:

"Set up Cloudflare Access"
"Configure Google OAuth for access"
"Protect my services with authentication"
"Enable remote access authentication"
"Run cf-access-setup"

Implicit Triggers:

Setting up a new service that needs protection
First-time infrastructure setup
After adding new services to domains.toml

Debugging Triggers:

"I get Access Denied when accessing services"
"Google login isn't working"
"Can't access pihole remotely"
"OAuth redirect error"
"Session expired errors"

What This Skill Does

Verifies Prerequisites - Checks OAuth credentials exist in .env
Guides OAuth Setup - Provides Google Console instructions if credentials missing
Runs Automation - Executes cf-access-setup.sh to configure everything
Creates Applications - Sets up Access apps for all protected services
Configures Policies - Creates allow policies for authorized users
Tests Authentication - Verifies Google login flow works
Provides Monitoring - Shows access logs URL for audit trail

Instructions

3.1 Verify Prerequisites

Check required environment variables:

cd /home/dawiddutoit/projects/network && source .env && echo "Checking OAuth credentials..."
[ -n "$GOOGLE_OAUTH_CLIENT_ID" ] && echo "GOOGLE_OAUTH_CLIENT_ID: Set" || echo "GOOGLE_OAUTH_CLIENT_ID: MISSING"
[ -n "$GOOGLE_OAUTH_CLIENT_SECRET" ] && echo "GOOGLE_OAUTH_CLIENT_SECRET: Set" || echo "GOOGLE_OAUTH_CLIENT_SECRET: MISSING"
[ -n "$ACCESS_ALLOWED_EMAIL" ] && echo "ACCESS_ALLOWED_EMAIL: $ACCESS_ALLOWED_EMAIL" || echo "ACCESS_ALLOWED_EMAIL: MISSING"
[ -n "$CLOUDFLARE_ACCESS_API_TOKEN" ] && echo "CLOUDFLARE_ACCESS_API_TOKEN: Set" || echo "CLOUDFLARE_ACCESS_API_TOKEN: MISSING"

If any are missing, proceed to 3.2. Otherwise, skip to 3.3.

3.2 Configure Google OAuth (if needed)

Guide the user through Google Console setup:

Step 1: Access Google Cloud Console

URL: https://console.cloud.google.com/apis/credentials
Sign in with the Google Workspace account (e.g., dawiddutoit@temet.ai)

Step 2: Create OAuth Consent Screen (if first time)

User Type: Internal (for organization only) or External (for personal Gmail)
App name: "Cloudflare Access - Home Network"
Support email: Your email
Developer contact: Your email

Step 3: Create OAuth Client ID

Click "Create Credentials" -> "OAuth client ID"
Application type: Web application
Name: "Cloudflare Access - Home Network"
Authorized redirect URI: https://temetai.cloudflareaccess.com/cdn-cgi/access/callback
Click "Create"

Step 4: Update .env

GOOGLE_OAUTH_CLIENT_ID=<client-id>.apps.googleusercontent.com
GOOGLE_OAUTH_CLIENT_SECRET=<client-secret>
ACCESS_ALLOWED_EMAIL=your-email@domain.com

3.3 Run Automated Setup

Execute the setup script:

cd /home/dawiddutoit/projects/network && ./scripts/cf-access-setup.sh setup

The script will:

Verify all prerequisites
Configure Google OAuth identity provider
Create Access applications for protected services
Create allow policies for authorized users
Create bypass policy for webhook

Protected Services:

pihole.temet.ai
jaeger.temet.ai
langfuse.temet.ai
sprinkler.temet.ai
ha.temet.ai
temet.ai (root)

Bypass Service:

webhook.temet.ai (no auth for GitHub)

3.4 Verify Applications Created

List all configured applications:

./scripts/cf-access-setup.sh list

Expected output shows all services with App IDs and session durations.

3.5 Test Authentication Flow

Manual Test:

Open incognito/private browser window
Navigate to: https://pihole.temet.ai
Expected: Redirect to Cloudflare Access login page
Click "Google" to authenticate
Sign in with authorized email
After authentication: Access to Pi-hole admin

CLI Test (webhook bypass):

curl -I https://webhook.temet.ai/hooks/health
# Should return HTTP response without authentication

Verify unauthorized access blocked:

Try accessing with different Google account
Should see "Access Denied" message

3.6 Access Monitoring

Access Logs Dashboard: https://one.dash.cloudflare.com -> Logs -> Access

View information:

Who accessed which service
Timestamp of access attempts
Allow/deny decisions
Source IP addresses

Quick command to show dashboard URL:

echo "Access Logs: https://one.dash.cloudflare.com"
echo "Navigate to: Logs -> Access"

Supporting Files

File	Purpose
`references/reference.md`	Complete API reference, troubleshooting guide, advanced configuration
`examples/examples.md`	Common scenarios and configuration examples

Expected Outcomes

Success:

Google OAuth identity provider configured
Access applications created for all protected services
Allow policies set for authorized email(s)
Bypass policy configured for webhook
Authentication flow working (Google login redirects)
Access logs visible in Cloudflare dashboard

Partial Success:

Applications created but OAuth not working (check redirect URI)
Some services missing (re-run setup - idempotent)

Failure Indicators:

"Missing GOOGLE_OAUTH_CLIENT_ID" -> Configure .env first
"Missing CLOUDFLARE_ACCESS_API_TOKEN" -> Create API token
API errors -> Check token permissions
Redirect loop -> Clear cookies and retry

Integration Points

Cloudflare Tunnel:

Access works with existing tunnel configuration
Tunnel routes traffic, Access provides authentication layer

domains.toml:

Services with require_auth = true should have Access applications
Run after adding new services: ./scripts/cf-access-setup.sh setup

manage-domains.sh:

Automatically syncs Access applications via sync-cloudflare-access.py
Use ./scripts/manage-domains.sh apply for full sync

Requirements

Environment Variables (in .env):

GOOGLE_OAUTH_CLIENT_ID - From Google Console
GOOGLE_OAUTH_CLIENT_SECRET - From Google Console
ACCESS_ALLOWED_EMAIL - Email(s) to authorize
CLOUDFLARE_ACCESS_API_TOKEN - API token with Zero Trust permissions
CLOUDFLARE_ACCOUNT_ID - Cloudflare account ID
CLOUDFLARE_TEAM_NAME - Zero Trust team name

API Token Permissions:

Account -> Zero Trust -> Edit
Account -> Access: Apps and Policies -> Edit
Account -> Access: Organizations, Identity Providers, and Groups -> Edit

Tools:

Bash (for running setup script)
Read (for checking .env and script output)

Red Flags to Avoid

Do not run setup without verifying OAuth credentials exist
Do not use wrong redirect URI (must match exactly)
Do not set consent screen to "Internal" if using personal Gmail accounts
Do not delete webhook bypass policy (breaks GitHub deployments)
Do not forget to test in incognito (cached sessions cause confusion)
Do not skip verifying applications were created
Do not ignore "Access Denied" errors (check allowed emails)
Do not expose API tokens in logs or output

Notes

Setup script is idempotent - safe to run multiple times
OAuth redirect URI must be exactly: https://temetai.cloudflareaccess.com/cdn-cgi/access/callback
Session duration is 24 hours by default
Multiple emails can be authorized: ACCESS_ALLOWED_EMAIL="email1@domain.com,email2@domain.com"
Local network access bypasses Cloudflare Access (only remote access requires auth)
Pi-hole may block Google domains needed for OAuth - whitelist if issues occur

ナビゲーション

Skillsとは？

リンク

cloudflare-access-setup