Status
Accepted
Context
The broker needs a public HTTPS endpoint (claude.ai connects in; Notion OAuth callbacks land
there). Options that open no inbound ports: Cloudflare Tunnel (custom domain) or
Tailscale Funnel (*.ts.net, no domain). The endpoint is machine-facing, so a pretty URL
is cosmetic — but a custom domain was wanted.
Decision
Use Cloudflare Tunnel on a dedicated domain (gcp-mcp-standalone/adr/0003-dedicated-domain-for-the-tunnel). Tailscale still carries admin/SSH privately.
Consequences
- A stable custom URL (https://bobsmcp.uk) + Cloudflare's WAF/Access available later.
- Adds a vendor + a cloudflared systemd service on the box.
- Tailscale Funnel would have been zero-extra-vendor and domain-free, but lands on an unbranded *.ts.net host — rejected for the custom-domain preference.
Compiled from
wiki/projects/gcp-mcp-standalone/adr/0001-cloudflare-tunnel-over-tailscale-funnel.md · git is the source of truth