From 84ae0dd9e73adaaad743efe8cc22412b9ace4348 Mon Sep 17 00:00:00 2001 From: Kostiantyn Bukliei Date: Sun, 28 Sep 2025 22:53:03 +0300 Subject: [PATCH] docs(dns): explain Cloudflare deployment --- cloudflare/README.md | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/cloudflare/README.md b/cloudflare/README.md index a052594..8d53e86 100644 --- a/cloudflare/README.md +++ b/cloudflare/README.md @@ -1,13 +1,23 @@ # README +Cloudflare infrastructure to (safely) expose the homelab services to the outside internet via [Cloudflare Zero Trust Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/). + +## Initial Setup +0. (pre-req) Cloudflare account and a domain name +1. Transfer domain from registrar to Cloudflare by creating the NS records + - `NS lloyd.ns.cloudflare.com` + - `NS meadow.ns.cloudflare.com` +2. Create an [API token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/) with the following access rules + - DNS:Edit + - Cloudflare Tunnel:Edit + - Zero Trust:Edit + - Access: Apps and Policies:Edit + +## Usage +To add a new app/service and expose it: +0. (pre-req) have a `cloudflared` authorized and running +1. deploy the app +2. describe it in the [services](https://git.madunde.ad/madundead/homelab/src/branch/master/cloudflare/services/services.tf) +3. `tofu apply` ## TODO -- don't forget to mention namecheap -> cloudflare NS -NS lloyd.ns.cloudflare.com -NS meadow.ns.cloudflare.com - -Create token -https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/ - -Token access -Kostiantyn Bukliei - Cloudflare Tunnel:Edit, Zero Trust:Edit, Access: Apps and Policies:Edit - madunde.ad - DNS:Edit +- [ ] Automate token creation and/or deployment of `cloudflared`.
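Review bot: In step 2 of Initial Setup, the permission list drops the resource scoping that the removed lines recorded (DNS:Edit on `madunde.ad`; Cloudflare Tunnel, Zero Trust and Access: Apps and Policies on the account), so a reader following the new text could create a token with DNS:Edit on every zone. Suggest stating the scope next to each permission, for example `- DNS:Edit (zone madunde.ad only)`, and adding one line on how the token is supplied to `tofu` without being committed to the repository. Step 1 says "Transfer domain from registrar to Cloudflare", but the two NS records shown describe a nameserver delegation change at the registrar, not a registrar transfer; rewording it that way, and noting that the `lloyd`/`meadow` pair is the one assigned to this zone, keeps readers from copying the values verbatim. In the Usage section the numbered list starts directly after the "To add a new app/service and expose it:" line with no blank line and begins at 0, which some Markdown renderers fold into the paragraph or renumber.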