AI-as-Infrastructure/aiinfra-atlas: Cloudflare Zero Trust Tunnel Deployment

Add a Cloudflare Zero Trust Tunnel deployment option for running ATLAS on home servers or institutional VMs with no exposed ports.

What's New

Cloudflare Tunnel Deployment (make cf)

Deploy ATLAS behind a Cloudflare Zero Trust Tunnel with a single command. Traffic flows through Cloudflare's edge network (TLS, WAF, DDoS protection) and Zero Trust access policies (SSO, MFA) before reaching the server via an outbound-only tunnel. No ports are exposed to the internet.

New Makefile targets: make cf (deploy), make scf (graceful stop), make dcf (full cleanup). Multi-environment support via CLOUDFLARE_ENV.

Pre-Hardened Server Model

The deploy script does not install system packages, configures the firewall, or manages Redis authentication. These are server prerequisites handled by the operator before deployment. This avoids overwriting existing security hardening and eliminates sudo-related deployment failures. The script checks prerequisites exist and fails fast if anything is missing.

Architecture

Internet -> Cloudflare Edge (TLS, WAF, DDoS) -> Zero Trust Access (SSO, MFA) -> cloudflared (outbound-only tunnel) -> Nginx (127.0.0.1:80) -> Gunicorn (127.0.0.1:8000)

Documentation

See docs/cloudflare.md for the full deployment guide including server prerequisites, configuration, and troubleshooting.