Chapter 15 / 40

Cloudflare

Cloudflare manages all four Sodimo domains (sodimo.eu, sodimonet.fr, yallafood.eu, cavisteduliban.fr) and runs every public-facing service.


Public websites — done:

All four sites run on Cloudflare Pages. The main sodimo.eu was migrated from WordPress in Week 1 — 20 pages, French and English, zero hosting cost. The three sibling domains follow the same pattern. Contact forms and newsletter signups route to Slack and the admin email — no third-party form service.


Internal tools — gated by email:

The changelog and manual (this site) and internal dashboards (dash.sodimo.eu) run on Cloudflare, protected by Cloudflare Access. Access is controlled by email address: only sodimo.eu addresses and thomas@leger.run can log in. No separate password — login uses your work email.


Cloudflare Tunnel — employee access to on-prem services:

The on-prem services running on the Framework Desktop — Cockpit, OpenWebUI, Paperclip, the Twenty CRM, Piler, the vault — are reached through a Cloudflare Tunnel terminated on the harness by cloudflared. Each service gets a *.sodimo.eu hostname; the same Cloudflare Access policy that gates the internal dashboards gates the tunnel hostnames.

The tunnel is purely outbound from the Framework Desktop — no inbound ports are opened on the Fedora side. Authentication is handled at the Cloudflare edge against Google Workspace; by the time traffic arrives at the harness it is already authorised. Employees install nothing and configure nothing on their laptops — a Google login is the credential.

This is Pivot 3 from the Wednesday strategic pivots: the Cloudflare Tunnel adds an HTTP-access surface for humans, alongside the existing Worker MCP surface for agents. See the chapter Three design principles for how this reconciles with Principle 3.
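As an added illustration (not the engagement's own configuration), this is a cloudflared config.yml of the shape the tunnel above implies: one ingress rule per on-prem service, each on its own *.sodimo.eu hostname. The tunnel UUID, the file path, the hostnames chosen for each service and the local ports are assumptions.

```yaml
# /etc/cloudflared/config.yml on the Framework Desktop (assumed path).
# <TUNNEL-UUID>, the hostnames and the local ports are placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

# cloudflared dials out to Cloudflare and proxies admitted requests to
# localhost; nothing here opens a listener on the Fedora host.
ingress:
  # Cockpit serves its own self-signed certificate on 9090, so TLS
  # verification is relaxed for this one origin only, not globally.
  - hostname: cockpit.sodimo.eu
    service: https://localhost:9090
    originRequest:
      noTLSVerify: true
  - hostname: chat.sodimo.eu          # OpenWebUI
    service: http://localhost:8080
  - hostname: paperclip.sodimo.eu     # Paperclip
    service: http://localhost:8090
  - hostname: crm.sodimo.eu           # Twenty CRM
    service: http://localhost:3000
  - hostname: mail-archive.sodimo.eu  # Piler
    service: http://localhost:8081
  - hostname: vault.sodimo.eu         # Vaultwarden
    service: http://localhost:8082
  # The catch-all rule is required by cloudflared and is the default deny:
  # a hostname that is routed to the tunnel but not listed above gets a 404
  # rather than falling through to some other local port.
  - service: http_status:404
```

Check the file with `cloudflared tunnel ingress validate` before starting the service, and remember that the ingress file only routes traffic: each hostname must also be registered as a self-hosted Access application under the same sodimo.eu policy, because a tunnel hostname with no Access application attached is reachable by anyone.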


Data:

The D1 database holds all Sodiwin data and is refreshed every night. Four storage buckets hold backups, the mail archive, rendered reports, and public assets. These are not directly user-facing — they are what the AI tools and dashboards read from.


AI gateway — the MCP surface:

The AI tools (customer data queries, email archive access, CRM actions) are accessible through Cloudflare at mcp.sodimo.eu. This is the Worker — sodimo-core — and it is the single MCP endpoint Sodimo exposes. Claude.ai authenticates using a per-user token. The actual AI computation happens on the Framework Desktop at Gennevilliers — Cloudflare is the secure front door.

The MCP surface (this Worker) and the HTTP-access surface (the Cloudflare Tunnel above) are two different things: agents go through the Worker; humans go through the tunnel. Both terminate at Cloudflare; neither requires an inbound port on Fedora.


Account management:

The Cloudflare account is owned by admin@sodimo.eu — the Google Workspace super-admin — from day one of the engagement. During Week 1, before the mail server is live, the account is initialised under Thomas’s personal email and migrates to admin@sodimo.eu the same day the super-admin mailbox stands up (around day 10). Once migrated, the Sodimo-owned identity is the only one with ownership on the account; thomas@leger.run is an invited administrator with time-bound access that is revoked at engagement handoff.

This differs deliberately from the “personal Gmail for the master admin” shape the engagement started under. The rule is that nothing in Sodimo’s stack authenticates against an identity Sodimo cannot itself revoke — a personal Gmail drifts when the operator leaves; a role-based admin@sodimo.eu stays. The spine — Google Workspace first, then Cloudflare and every other SaaS federating against it — is documented in the Baseline accounts playbook.

API tokens are split per concern rather than issued as a single master key. The four tokens Sodimo holds — pages-deploy, dns-admin, workers-deploy, tunnel-admin — are specified in the Baseline accounts playbook. Each token is stored in Vaultwarden under the accounts/cloudflare/ collection; the rotation cadence per token class lives in the Key rotation chapter.

Break-glass recovery (TOTP device loss, locked-out super-admin, lost YubiKey) is handled by the paper-envelope mechanism in The vault: the sealed envelope in the office safe holds the Google Workspace recovery codes alongside the Vaultwarden bootstrap token. Nothing about Cloudflare-specific recovery is written down separately — if the super-admin account is reachable, every Cloudflare credential is self-serviceable from the vault; if the super-admin is locked out, the paper envelope is the recovery path regardless of which SaaS is blocking.

The four domains (sodimo.eu, sodimonet.fr, yallafood.eu, cavisteduliban.fr) are all held in the single admin@sodimo.eu-owned Cloudflare account — one billing surface, one set of zones, one Access policy. A second Cloudflare account for the sister brands was rejected during Week 1 (D-042) on the grounds that splitting identity across two CF accounts doubles the API-token audit surface without separating any operational concern.