docs: add Cloudflare Tunnel guidance for self-hosting #87

Open
sure-admin wants to merge 1 commit into main from docs/cloudflare-tunnel-self-hosting

@sure-admin sure-admin commented Jun 12, 2026

Collaborator

Summary

  • add a focused Cloudflare Tunnel section to the Docker self-hosting guide
  • document the required RAILS_ASSUME_SSL setting behind TLS termination
  • show a minimal cloudflared service and the http://web:3000 origin setting

Why

People self-hosting Sure commonly want remote access without opening router ports, and Cloudflare Tunnel is a practical path for that setup.

Summary by CodeRabbit

  • Documentation
    • Added a new optional section to the self-hosting guide covering Cloudflare Tunnel integration, including configuration steps for environment variables, Docker Compose updates, tunnel service setup, and hostname management with security recommendations.

coderabbitai Bot commented Jun 12, 2026

Walkthrough

This PR adds an optional Cloudflare Tunnel configuration section to the self-hosting documentation. The new content guides users through configuring tunnel credentials via environment variables, updating Docker Compose settings, deploying the cloudflared service, and routing public traffic to the internal web application while managing security considerations.

Changes

Cloudflare Tunnel Configuration Guide

| Layer / File(s) | Summary |
| --- | --- |
| Cloudflare Tunnel setup documentation: `self-hosting.mdx` | Adds optional Cloudflare Tunnel configuration steps covering environment variable setup (`CLOUDFLARE_TUNNEL_TOKEN`), Docker Compose updates (`RAILS_ASSUME_SSL: "true"`), `cloudflared` service definition with networking, public hostname routing to `http://web:3000`, startup commands, and security notes about internal HTTP communication and port exposure. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A tunnel through clouds, so snug and so neat,
Cloudflare's connectors make hosting complete!
No ports exposed, just sweet internal flow,
SSL assumed, and your service will glow! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: adding Cloudflare Tunnel documentation to the self-hosting guide. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds documentation for optionally exposing a self-hosted Sure instance using a Cloudflare Tunnel. The review feedback suggests improving the documentation by providing more context for the RAILS_ASSUME_SSL environment variable in compose.yml, pinning a specific stable version for the cloudflared image instead of using latest, and explicitly advising users to remove the published ports from the web service to enhance security.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread self-hosting.mdx
Comment on lines +126 to +130
3. Edit `compose.yml` and set:

```yaml
RAILS_ASSUME_SSL: "true"
```

medium

To make it clearer for users where to add this environment variable in their compose.yml, it is recommended to show the context of the web service environment block.

For example:

```yaml
services:
  web:
    environment:
      RAILS_ASSUME_SSL: "true"
```

Comment thread self-hosting.mdx
Comment on lines +137 to +138
cloudflared:
image: cloudflare/cloudflared:latest

medium

Using the `latest` tag for the cloudflared image is discouraged for production/self-hosting environments as it can introduce unexpected breaking changes when the image is updated. It is highly recommended to pin a specific, stable version of the image.

For example:

```yaml
    image: cloudflare/cloudflared:2024.12.2
```

Comment thread self-hosting.mdx
Comment on lines +173 to +175
<Warning>
If you only want Cloudflare Tunnel access, do not leave port `3000` broadly exposed to the internet. Keep the host firewall closed or bind the published port more narrowly.
</Warning>
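
Review bot: "bind the published port more narrowly" in the warning body gives the reader no concrete form to copy. Name it, for example a loopback-only mapping such as `127.0.0.1:3000:3000`, and state that a setup reached only through the tunnel needs no published port on the web service at all.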

medium

When using a Cloudflare Tunnel, you can completely remove the ports section (e.g., `- "3000:3000"`) from the web service in compose.yml. Since the cloudflared container and the web container share the same Docker network (sure_net), they can communicate internally. Removing the published ports ensures that the application is not exposed directly on the host, which is the primary security benefit of using a tunnel.

Consider updating the warning to explicitly suggest removing the ports mapping from the web service.
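
A check for the points raised in the three review comments above (a published port on `web`, the `latest` tag on `cloudflared`, `RAILS_ASSUME_SSL`, and the shared network), added here as an example; it is not part of the PR or of the Sure project. It assumes the resolved configuration was exported with `docker compose config --format json`; the sample JSON, image names and token value are constructed.

```python
import json

# Constructed sample in the shape `docker compose config --format json` emits
# (ports in long form, environment as a map). Not the project's compose.yml.
SAMPLE = json.loads("""
{"services": {
  "web": {"image": "example/sure:1.0",
          "environment": {"RAILS_ASSUME_SSL": "true"},
          "ports": [{"target": 3000, "published": "3000", "protocol": "tcp"}],
          "networks": {"sure_net": null}},
  "cloudflared": {"image": "cloudflare/cloudflared:latest",
                  "environment": {"CLOUDFLARE_TUNNEL_TOKEN": "placeholder"},
                  "networks": {"sure_net": null}}
}}
""")

LOOPBACK = {"127.0.0.1", "::1"}

def unpinned(image):
    """True when the image has no tag or uses :latest (digest pins pass)."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
    return ":" not in last or last.endswith(":latest")

def audit(config, app="web", tunnel="cloudflared"):
    """Return findings for a tunnel-only deployment of `app` behind `tunnel`."""
    findings = []
    services = config.get("services", {})
    web, cfd = services.get(app, {}), services.get(tunnel, {})
    # A published port without a loopback host_ip is reachable past the tunnel.
    for port in web.get("ports") or []:
        if port.get("published") and port.get("host_ip") not in LOOPBACK:
            findings.append(f"{app}: port {port['published']} published beyond loopback")
    env = web.get("environment") or {}
    if str(env.get("RAILS_ASSUME_SSL", "")).lower() != "true":
        findings.append(f'{app}: RAILS_ASSUME_SSL is not "true"')
    if unpinned(cfd.get("image", "")):
        findings.append(f"{tunnel}: image tag is not pinned")
    # The tunnel reaches http://web:3000 only over a network both services join.
    if not set(web.get("networks") or {}) & set(cfd.get("networks") or {}):
        findings.append(f"{app} and {tunnel} share no network")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
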

@superagent-security

Superagent didn't find any vulnerabilities or security issues in this PR.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@self-hosting.mdx`:
- Around line 126-132: The instruction is ambiguous about where to add
RAILS_ASSUME_SSL in compose.yml; update the docs to instruct users to add
RAILS_ASSUME_SSL: "true" inside the existing x-rails-env: &rails_env section
(the shared rails environment anchor) so the variable is applied to the Rails
service definitions that extend &rails_env; mention the anchor name x-rails-env:
&rails_env and the RAILS_ASSUME_SSL key so maintainers can find and place the
setting correctly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f51b0493-59fd-4ef3-81a5-4b4240a659db

📥 Commits

Reviewing files that changed from the base of the PR and between 9a6d71f and ed75f3d.

📒 Files selected for processing (1)
  • self-hosting.mdx

Comment thread self-hosting.mdx
Comment on lines +126 to +132
3. Edit `compose.yml` and set:

```yaml
RAILS_ASSUME_SSL: "true"
```

This tells Sure to generate HTTPS URLs correctly when Cloudflare terminates TLS before forwarding traffic to the container over HTTP.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify where in compose.yml to set RAILS_ASSUME_SSL.

The instruction "Edit compose.yml and set:" doesn't specify the location within the file. Based on the troubleshooting guide, this should be set in the x-rails-env: &rails_env section. Users unfamiliar with the compose file structure may not know where to place this configuration.

📝 Suggested improvement
-3. Edit `compose.yml` and set:
+3. Edit `compose.yml` in the `x-rails-env: &rails_env` section and set:
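
Review bot: the `+` line names the `x-rails-env: &rails_env` section, but the YAML snippet under this step still shows the bare `RAILS_ASSUME_SSL: "true"` key with no enclosing block. Show the key nested under its parent in the snippet as well, and settle which parent the guide means, since the other comment on these lines places it under `services.web.environment`.
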
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@self-hosting.mdx` around lines 126 - 132, The instruction is ambiguous about
where to add RAILS_ASSUME_SSL in compose.yml; update the docs to instruct users
to add RAILS_ASSUME_SSL: "true" inside the existing x-rails-env: &rails_env
section (the shared rails environment anchor) so the variable is applied to the
Rails service definitions that extend &rails_env; mention the anchor name
x-rails-env: &rails_env and the RAILS_ASSUME_SSL key so maintainers can find and
place the setting correctly.

mintlify Bot commented Jun 12, 2026

Contributor

Preview deployment for your docs. Learn more about Mintlify Previews.

| Project | Status | Preview | Updated (UTC) |
| --- | --- | --- | --- |
| sure | 🟢 Ready | View Preview | Jun 12, 2026, 9:16 AM |
