
0001 — Cloudflare Tunnel over Tailscale Funnel for the public endpoint

type: adr · status: active · gcp · networking · decision

Status

Accepted

Context

The broker needs a public HTTPS endpoint: claude.ai connects in, and Notion OAuth callbacks land there. The options that open no inbound ports are Cloudflare Tunnel (custom domain) and Tailscale Funnel (*.ts.net, no domain). The endpoint is machine-facing, so a pretty URL is cosmetic, but a custom domain was wanted.

Decision

Use Cloudflare Tunnel on a dedicated domain (see gcp-mcp-standalone/adr/0003-dedicated-domain-for-the-tunnel). Tailscale still carries admin/SSH traffic privately.
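
One check that follows from this decision, as an added example (not the project's own code): because cloudflared dials out, nothing on the box should be listening on a public address. The sketch assumes the broker binds to loopback and that Tailscale's address ranges are the only non-loopback listeners allowed; the `ss -H -tln` output, ports and addresses are constructed.

```python
import ipaddress

# Address ranges Tailscale assigns to nodes (IPv4 CGNAT range and its IPv6 ULA).
TAILNETS = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)

# Constructed sample of `ss -H -tln` output; every port and address is made up.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 100.101.102.103:22 0.0.0.0:*
LISTEN 0 4096 [::1]:8080 [::]:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 511 *:9090 *:*
LISTEN 0 128 203.0.113.10:443 0.0.0.0:*
"""

def classify(local):
    """Return 'loopback', 'tailnet' or 'exposed' for an ss Local Address:Port."""
    host = local.rpartition(":")[0]
    host = host.split("%")[0].strip("[]")  # drop %iface zone, then IPv6 brackets
    if host == "*":                        # ss prints * for a dual-stack wildcard
        return "exposed"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in TAILNETS):
        return "tailnet"
    return "exposed"                       # 0.0.0.0, ::, or any other address

def exposed_listeners(ss_output):
    """List Local Address:Port values bound outside loopback and the tailnet."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            if classify(fields[3]) == "exposed":
                found.append(fields[3])
    return found

if __name__ == "__main__":
    for local in exposed_listeners(SAMPLE_SS):
        print("exposed listener:", local)
```

A listening socket is not the same as a reachable one: a host or cloud firewall may still block it, so treat each hit as something to explain rather than as proof of exposure.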

Consequences

  • A stable custom URL (https://bobsmcp.uk), with Cloudflare's WAF/Access available later.
  • Adds a vendor and a cloudflared systemd service on the box.
  • Tailscale Funnel would have been zero-extra-vendor and domain-free, but lands on an unbranded *.ts.net host — rejected for the custom-domain preference.
Compiled from wiki/projects/gcp-mcp-standalone/adr/0001-cloudflare-tunnel-over-tailscale-funnel.md · git is the source of truth