cloudflare: community AI agent skill

v1.0.0

About this Skill

Ideal for Infrastructure Management Agents requiring streamlined Cloudflare DNS and tunnel operations for VPS-hosted apps. Production Docker Compose stack for a VPS — RollHook, Traefik, Postgres, Valkey, OTel

jkrumm
Updated: 3/18/2026

Installation

Universal install (auto-detect):

```bash
npx killer-skills add jkrumm/vps/cloudflare
```

Supports 19+ platforms: Cursor, Windsurf, VS Code, Trae, Claude, OpenClaw, +12 more

Agent Capability Analysis

The cloudflare skill by jkrumm is an open-source community AI agent skill for Claude Code and other IDE workflows, helping agents execute tasks with better context, repeatability, and domain-specific guidance.

Core Value

Empowers agents to seamlessly manage Cloudflare infrastructure using Doppler and Traefik, handling Cloudflare DNS and tunnel operations via secure API calls, leveraging `CF_API_TOKEN` and `CF_TUNNEL_ID` for authentication and tunnel management.

Capabilities Granted for cloudflare

  • Automating Cloudflare DNS updates for VPS-hosted applications
  • Configuring Cloudflare Tunnels for secure and efficient traffic routing
  • Debugging Cloudflare integration issues using Doppler and Traefik logs

Prerequisites & Limits

  • Requires Cloudflare API token (`CF_API_TOKEN`) stored in Doppler
  • Needs SSH access to VPS for executing API calls
  • Limited to VPS-hosted apps with a single Cloudflare Tunnel

Cloudflare API Skill

Handle any Cloudflare DNS or tunnel operation for VPS-hosted apps.

Execution model: All API calls run on the VPS via `ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'...'"'"''`. The API token (`CF_API_TOKEN`) stays in Doppler — never passed as a CLI argument, never visible to Claude Code, never logged.


Infrastructure Context

VPS Tunnel

The VPS has a single Cloudflare Tunnel. Its ID is stored in Doppler as CF_TUNNEL_ID.

Current tunnel IDs visible in jkrumm.com DNS:

  • 13f91961-... — VPS (this server)
  • f270cecf-... — HomeLab
  • b99c010f-... — other server

Wildcard ingress rule: *.DOMAIN → https://traefik:443 (TLS verify: off)

  • Set once after provisioning
  • Catches all subdomains that have a CNAME DNS record pointing to this tunnel
  • Does NOT affect other Cloudflare tunnels — each tunnel evaluates its own ingress rules independently

To reach a new app publicly:

  1. Add a DNS CNAME record pointing the subdomain to ${CF_TUNNEL_ID}.cfargotunnel.com
  2. The wildcard ingress rule already routes it to Traefik
  3. Traefik routes based on the Host() label on the container

Doppler Secrets (project: vps, config: prod)

| Secret | What it is |
|---|---|
| CF_API_TOKEN | API token — Zone:Read + DNS:Edit (all zones) + Tunnel:Edit (all accounts). Passed to Traefik as CF_DNS_API_TOKEN (lego requires that name) |
| CF_ACCOUNT_ID | Cloudflare account ID (same for all zones/tunnels) |
| CF_ZONE_ID | Zone ID for DOMAIN (jkrumm.com) |
| CF_TUNNEL_ID | UUID of the VPS Cloudflare Tunnel |
| DOMAIN | Primary domain |

Multi-Domain / Multi-Zone Support

Domains accessible with this token: basalt-ui.com, jkrumm.com, rollhook.com, shutterflow.app. For any domain not stored as CF_ZONE_ID, look up its zone ID first (see below).


Authentication Pattern

Use single-quote wrapping so ${VARS} are expanded by the VPS shell after doppler injects them:

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'
  curl -s "https://api.cloudflare.com/client/v4/zones" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    | python3 -m json.tool
'"'"''
```

Why: Double-quoted SSH commands cause the local shell to expand `${CF_API_TOKEN}` before it reaches the VPS (producing an empty string and an auth error). The `'...' '"'"' '...'` pattern passes the inner string literally to the VPS, where doppler has already injected the secrets.


Common Operations

List all zones

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s "https://api.cloudflare.com/client/v4/zones" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin); [print(z[\"name\"],z[\"id\"]) for z in r[\"result\"]] if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

Check current tunnel ingress config

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/cfd_tunnel/${CF_TUNNEL_ID}/configurations" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin); [print(i.get(\"hostname\",\"catch-all\"),\"\",i[\"service\"]) for i in r[\"result\"][\"config\"][\"ingress\"]] if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

List DNS records for a zone

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records?per_page=100" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin); [print(rec[\"type\"],rec[\"name\"],\"\",rec[\"content\"]) for rec in r[\"result\"]] if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

Add a DNS CNAME record (new app subdomain on primary domain)

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records" -H "Authorization: Bearer ${CF_API_TOKEN}" -H "Content-Type: application/json" --data "{\"type\":\"CNAME\",\"name\":\"SUBDOMAIN\",\"content\":\"${CF_TUNNEL_ID}.cfargotunnel.com\",\"proxied\":true}" | python3 -c "import json,sys; r=json.load(sys.stdin); print(\"OK:\",r[\"result\"][\"name\"]) if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

Replace SUBDOMAIN with the actual subdomain before running.
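
The quoting from the Authentication Pattern section and the SUBDOMAIN substitution above can be generated instead of hand-edited. This is an added example, not part of the original SKILL.md; `remote_command`, `add_cname_script` and `LABEL` are hypothetical names, and it assumes SUBDOMAIN is a single lowercase DNS label.

```python
import json
import re
import shlex

# Assumption: SUBDOMAIN is one DNS label (lowercase letters, digits, hyphens).
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def remote_command(script: str) -> str:
    """Build the local command line that runs `script` on the VPS under doppler."""
    inner = "doppler run --project vps --config prod -- bash -c " + shlex.quote(script)
    # Quoting `inner` a second time turns each ' into '"'"', the pattern on this page.
    return "ssh vps " + shlex.quote(inner)


def add_cname_script(subdomain: str) -> str:
    """Remote script for the CNAME POST; ${...} names are left for the VPS shell."""
    if not LABEL.fullmatch(subdomain):
        raise ValueError(f"refusing unsafe subdomain: {subdomain!r}")
    body = json.dumps(
        {"type": "CNAME", "name": subdomain,
         "content": "${CF_TUNNEL_ID}.cfargotunnel.com", "proxied": True},
        separators=(",", ":"),
    )
    # Escape only \ and " for a bash double-quoted string, so ${CF_TUNNEL_ID}
    # is still expanded on the VPS after doppler injects it.
    data = body.replace("\\", "\\\\").replace('"', '\\"')
    return (
        'curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records" '
        '-H "Authorization: Bearer ${CF_API_TOKEN}" '
        '-H "Content-Type: application/json" '
        f'--data "{data}"'
    )


if __name__ == "__main__":
    print(remote_command(add_cname_script("myapp")))
    for bad in ("my'app", "$HOME", "a b"):  # constructed inputs the check rejects
        try:
            add_cname_script(bad)
        except ValueError as exc:
            print(exc)
```

Once the VPS shell expands it, the token is an argument of the remote curl process, so this pattern keeps it off the local machine and out of the agent's context rather than out of the VPS process list.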

Delete a DNS record

First list records to find the ID, then:

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records/RECORD_ID" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin); print(\"OK\" if r[\"success\"] else r[\"errors\"])"'"'"''
```

Look up Zone ID for a secondary domain

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s "https://api.cloudflare.com/client/v4/zones?name=other-domain.com" -H "Authorization: Bearer ${CF_API_TOKEN}" | python3 -c "import json,sys; r=json.load(sys.stdin)[\"result\"]; print(r[0][\"id\"],r[0][\"name\"]) if r else print(\"not found\")"'"'"''
```

Set/update wildcard tunnel ingress rule

```bash
ssh vps 'doppler run --project vps --config prod -- bash -c '"'"'curl -s -X PUT "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/cfd_tunnel/${CF_TUNNEL_ID}/configurations" -H "Authorization: Bearer ${CF_API_TOKEN}" -H "Content-Type: application/json" --data "{\"config\":{\"ingress\":[{\"hostname\":\"*.${DOMAIN}\",\"service\":\"https://traefik:443\",\"originRequest\":{\"noTLSVerify\":true}},{\"service\":\"http_status:404\"}]}}" | python3 -c "import json,sys; r=json.load(sys.stdin); print(\"OK — version\",r[\"result\"][\"version\"]) if r[\"success\"] else print(\"ERR:\",r[\"errors\"])"'"'"''
```

Workflow: Add a New Public App

  1. Deploy the app compose to VPS (confirm running: make ps)
  2. Add DNS CNAME record (subdomain → VPS tunnel)
  3. Verify: curl -I https://myapp.<DOMAIN>/health
  4. No tunnel config changes needed — wildcard ingress already catches it

Workflow: Add App on a Secondary Domain

  1. Look up the zone ID for the secondary domain
  2. Use it directly in the curl call — zone IDs are not secret (visible in the Cloudflare dashboard)
  3. If the secondary domain isn't covered by the wildcard ingress, add a specific hostname rule to the tunnel config before the http_status:404 catch-all
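
Because the PUT endpoint replaces the whole ingress list, step 3 is a read-modify-write: take the config returned by the GET call, insert the new rule ahead of the catch-all, and send the full list back. The sketch below is an added example, not part of the original SKILL.md; the function names and the `example.com` / `example.org` domains are constructed, and it assumes rules are evaluated top to bottom with the first match winning and that a `*.` hostname matches by suffix.

```python
import copy


def host_matches(rule_host: str, host: str) -> bool:
    """Exact match, or suffix match for a rule hostname that starts with '*.'."""
    if rule_host.startswith("*."):
        return host.endswith(rule_host[1:])
    return rule_host == host


def match_index(ingress: list, host: str) -> int:
    """Index of the first rule that matches; a rule without hostname matches all."""
    for i, rule in enumerate(ingress):
        if "hostname" not in rule or host_matches(rule["hostname"], host):
            return i
    raise ValueError("ingress has no catch-all rule")


def route_for(ingress: list, host: str) -> str:
    return ingress[match_index(ingress, host)]["service"]


def with_hostname_rule(config: dict, rule: dict) -> dict:
    """Return a full replacement config with `rule` placed before the catch-all."""
    new = copy.deepcopy(config)  # never mutate what the GET call returned
    ingress = new["ingress"]
    if not ingress or "hostname" in ingress[-1]:
        raise ValueError("last ingress rule must be the catch-all")
    if match_index(ingress, rule["hostname"]) < len(ingress) - 1:
        return new  # an earlier rule already routes this hostname
    ingress.insert(len(ingress) - 1, rule)
    return new


# Constructed sample of result["config"] from the GET call (placeholder domains).
CURRENT = {"ingress": [
    {"hostname": "*.example.com", "service": "https://traefik:443",
     "originRequest": {"noTLSVerify": True}},
    {"service": "http_status:404"},
]}

if __name__ == "__main__":
    import json
    rule = {"hostname": "app.example.org", "service": "https://traefik:443",
            "originRequest": {"noTLSVerify": True}}
    updated = with_hostname_rule(CURRENT, rule)
    print(json.dumps({"config": updated}, indent=2))  # body for the PUT call
```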

Useful Reference

CF API base: https://api.cloudflare.com/client/v4

| Endpoint | Method | Purpose |
|---|---|---|
| /zones | GET | List zones (filter: ?name=domain.com) |
| /zones/{zone_id}/dns_records | GET | List DNS records |
| /zones/{zone_id}/dns_records | POST | Create DNS record |
| /zones/{zone_id}/dns_records/{id} | PUT | Update DNS record |
| /zones/{zone_id}/dns_records/{id} | DELETE | Delete DNS record |
| /accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations | GET | Get tunnel ingress config |
| /accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations | PUT | Replace tunnel ingress config |
| /accounts/{account_id}/cfd_tunnel | GET | List all tunnels |

All responses: {"success": bool, "result": ..., "errors": [...]}.

Frequently Asked Questions

Which IDEs are compatible with cloudflare?

This skill is compatible with Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer. Use the Killer-Skills CLI for universal one-command installation.

