Cloudflare Stack¶
What lives in Casey's Cloudflare account and how the pieces connect. The account became load-bearing for warehouse infrastructure on 2026-05-04 (R2 backups, Tunnel for UI, OTQCheckinAgent Worker).
Account¶
| Field | Value |
|---|---|
| Account ID | a20a70bee90d635ffad79328f3edcd5f |
| Email | manoscasey@gmail.com |
| Created | 2023-09-13 |
| Plan | Free (zone), Workers paid where applicable |
| Zone | caseymanos.com (Full DNS) |
Active subdomains: voice, docs, findash, h2h, www, warehouse, plus the auto-managed _vercel and _domainconnect records.
R2 — backup target¶
Bucket: garmin-warehouse-data (region WNAM, Standard).
| Path prefix | What | Cadence |
|---|---|---|
| kb/<DATE>/kb.duckdb + kb/latest/kb.duckdb | DuckDB kb (52MB) | daily |
| state/<DATE>/{applied,dismissed,watches}.yaml + completion_log.jsonl + state/latest/... | Triage state files (small) | daily |
| healthdata/<DATE>/garmin_activities.db | GarminDB activities (1.1GB) | Sunday only |
| state/cache/{yesterday,query_cache}.json | Worker cache | daily |
| state/<date>/completion_log_worker_<msgId>.jsonl | Worker check-in replies | per-reply |
| state/<date>/corrections_<msgId>.jsonl | Worker correction replies | per-reply |
Critical: rclone, NOT aws s3 cp¶
The AWS CLI (Python/OpenSSL) fails with SSLV3_ALERT_BAD_RECORD_MAC partway
through R2 multipart uploads on macOS, so use rclone for anything over 100MB.
rclone also needs no_check_bucket = true on the remote: the R2 token is
bucket-scoped (no CreateBucket permission), and without that flag rclone's
bucket-exists check (a HEAD on the bucket) runs before every operation and 401s,
so nothing is transferred at all.
Config at ~/.config/rclone/rclone.conf, [r2] remote.
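As an added example (not the project's own backup script), a POSIX sh helper that ties the two points above together: it refuses to run unless the [r2] remote actually carries no_check_bucket = true, builds the dated and latest/ destinations from the layout table, applies the Sunday-only gate for healthdata, and copies with rclone copyto so multipart is handled by rclone rather than the AWS CLI. The remote name r2, the bucket name and the prefixes come from this page; the function names and the RCLONE_CONF, R2_REMOTE and R2_BUCKET overrides are assumptions.

```shell
#!/bin/sh
# Added example, not the project's script: preflight + upload helper for the
# R2 layout above. Remote "r2", bucket garmin-warehouse-data and the prefixes
# are from this page; function names and env overrides are assumptions.
set -u

RCLONE_CONF="${RCLONE_CONF:-${HOME:-/root}/.config/rclone/rclone.conf}"
R2_REMOTE="${R2_REMOTE:-r2}"
R2_BUCKET="${R2_BUCKET:-garmin-warehouse-data}"

# 0 if the [remote] section of an rclone.conf sets no_check_bucket = true.
# The token is bucket-scoped, so rclone's default bucket check fails; better
# to refuse here than to find out after a 1.1GB transfer has been queued.
remote_has_no_check_bucket() {
    conf="$1"; remote="$2"
    [ -r "$conf" ] || return 1
    awk -v want="[$remote]" '
        /^\[/ { in_sec = ($0 == want); next }   # track which section we are in
        in_sec { print }
    ' "$conf" | grep -Eq '^[[:space:]]*no_check_bucket[[:space:]]*=[[:space:]]*true[[:space:]]*$'
}

# 0 if a prefix is due on ISO weekday dow (1=Mon .. 7=Sun): healthdata is
# Sunday only, everything else in the table is daily.
prefix_due() {
    case "$1" in
        healthdata) [ "$2" -eq 7 ] ;;
        *) return 0 ;;
    esac
}

# Print the destinations for one file: the dated copy, plus the latest/ copy
# unless with_latest is "no" (healthdata has no latest/ in the table).
r2_dests() {
    prefix="$1"; name="$2"; day="$3"; with_latest="${4:-yes}"
    printf '%s:%s/%s/%s/%s' "$R2_REMOTE" "$R2_BUCKET" "$prefix" "$day" "$name"
    if [ "$with_latest" = yes ]; then
        printf ' %s:%s/%s/latest/%s' "$R2_REMOTE" "$R2_BUCKET" "$prefix" "$name"
    fi
    printf '\n'
}

# Copy one local file into the layout with rclone (multipart handled by
# rclone itself, which is why it replaces aws s3 cp here). Returns 2 if the
# remote is misconfigured, before touching the network.
upload_file() {
    src="$1"; prefix="$2"; day="${3:-$(date -u +%F)}"; with_latest="${4:-yes}"
    remote_has_no_check_bucket "$RCLONE_CONF" "$R2_REMOTE" || {
        echo "refusing: [$R2_REMOTE] in $RCLONE_CONF lacks no_check_bucket = true" >&2
        return 2
    }
    for dest in $(r2_dests "$prefix" "$(basename "$src")" "$day" "$with_latest"); do
        rclone copyto "$src" "$dest" || return 1
    done
}

# Usage: ./r2_backup.sh run <local-file> <prefix> [yes|no]   (weekly gate applied)
if [ "${1:-}" = "run" ]; then
    if prefix_due "$3" "$(date -u +%u)"; then
        upload_file "$2" "$3" "$(date -u +%F)" "${4:-yes}"
    else
        echo "$3 not due today" >&2
    fi
fi
```

The preflight parses only the [r2] section, so a no_check_bucket line under some other remote does not count, and a missing or unreadable rclone.conf is treated the same as a missing flag.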
Credentials¶
3 R2 S3-style creds exported from ~/.zshrc:
- R2_ACCESS_KEY_ID
- R2_SECRET_ACCESS_KEY
- R2_ENDPOINT (account-specific URL)
Token is bucket-scoped (no global ListBuckets). Generate in CF dashboard → R2 → Manage R2 API Tokens; revoke and re-issue there if the key leaks. Because ~/.zshrc exports them, every process started from an interactive shell inherits the key and secret.
Cost¶
~$0/mo at this scale (1.17 GiB total in 10GB free tier).
Tunnel — UI exposure¶
| Field | Value |
|---|---|
| Hostname | https://warehouse.caseymanos.com |
| Tunnel name | warehouse |
| Tunnel ID | edae87c6-61b1-4f84-a776-87d8732693ea |
| Local target | http://localhost:8765 (uvicorn) |
| Config | ~/.cloudflared/config.yml |
| Auth | ~/.cloudflared/cert.pem (OAuth, NOT API token) |
DNS route created via cloudflared tunnel route dns warehouse warehouse.caseymanos.com, which produces an auto-managed CNAME in the caseymanos.com zone.
Access policy¶
Cloudflare Access protects the URL. Policy: one-time PIN over email, allow only
manoscasey@gmail.com. Browser hits the URL → Access challenge → PIN
to email → uvicorn via the tunnel. Access is the only gate: the tunnel forwards
whatever Cloudflare hands it, so removing or re-scoping the Access application
exposes uvicorn directly.
Tunnel lifecycle¶
- Tunnel-as-service NOT enabled. That would need uvicorn always-on too, which is the harder problem.
- Currently:
kbuizsh alias → ~/garmin-warehouse/scripts/run_ui.sh → runs uvicorn and the tunnel together; a cleanup trap kills uvicorn when the tunnel exits.
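The pairing described above, as an added example rather than the project's own run_ui.sh: the backend goes to the background, the tunnel runs in the foreground, and EXIT/INT/TERM traps guarantee the backend is killed and reaped on every exit path, so a dead tunnel never leaves uvicorn listening on 8765 with nothing in front of it. Port 8765 and the tunnel name warehouse come from this page; the ASGI module app:app and the function names are assumptions.

```shell
#!/bin/sh
# Added example of the uvicorn + tunnel pairing, not the project's run_ui.sh.
# Port 8765 and tunnel name "warehouse" are from this page; the ASGI module
# "app:app" and the function names are assumptions.
set -u

BACKEND_PID=""

# Kill the backend if it is still around and reap it, so a tunnel exit never
# leaves a stray uvicorn listening on 8765 behind a tunnel that no longer exists.
stop_backend() {
    [ -n "$BACKEND_PID" ] || return 0
    kill "$BACKEND_PID" 2>/dev/null || true
    wait "$BACKEND_PID" 2>/dev/null || true
    BACKEND_PID=""
}

# Start the backend in the background, run the tunnel in the foreground, and
# tear the backend down on any exit path: normal return, error, Ctrl-C, or
# SIGTERM. Returns the tunnel's exit status. LAST_BACKEND_PID records the pid
# so a caller can verify the cleanup happened.
run_pair() {
    backend_cmd="$1"; tunnel_cmd="$2"
    sh -c "$backend_cmd" &
    BACKEND_PID=$!
    LAST_BACKEND_PID=$BACKEND_PID
    trap 'stop_backend' EXIT
    trap 'stop_backend; exit 130' INT TERM
    if sh -c "$tunnel_cmd"; then rc=0; else rc=$?; fi
    stop_backend
    trap - EXIT INT TERM
    return "$rc"
}

# 0 once the backend pid no longer exists.
backend_stopped() {
    ! kill -0 "$1" 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
    run_pair \
        "uvicorn app:app --host 127.0.0.1 --port 8765" \
        "cloudflared tunnel --config ${HOME:-}/.cloudflared/config.yml run warehouse"
fi
```

Binding uvicorn to 127.0.0.1 keeps the only route to the app through the tunnel (and therefore through Access); the tunnel's exit status is passed through so a crash of cloudflared is visible to the caller rather than swallowed by the cleanup.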
Workers (9 deployed as of 2026-05-04)¶
| Worker | What it does |
|---|---|
| autobiography-parse | Autobiography pipeline stage |
| autobiography-build | Autobiography pipeline stage |
| autobiography-write | Autobiography pipeline stage |
| autobiography-analyze | Autobiography pipeline stage |
| autobiography-api | Autobiography pipeline API |
| metriq-dsstar | Metriq workload |
| edge-review-worker | Edge code review automation |
| video-editor-proxy | Video editor proxy |
| otq-checkin | Telegram bot; see systems/otq-checkin-worker.md |
R2 buckets (3 deployed)¶
- autobiography-files: autobiography project
- replicate-videos: video project
- garmin-warehouse-data: warehouse (this work)
Pages projects¶
casey-system-docs: this docs site. MkDocs Material built from ~/casey-system-docs/, deployed via GHA on push to main (deploy-docs.yml). Currently at https://casey-system-docs.pages.dev/. Custom domain (docs.caseymanos.com) added via dashboard. See ADR 006.
MCPs configured¶
Plugin installed via Claude Code: /plugin install cloudflare@cloudflare.
| MCP | Auth | Purpose |
|---|---|---|
| cloudflare-docs | unauthenticated | Search canonical CF docs. Replaces WebFetch for any CF question. |
| cloudflare-bindings | OAuth | Manage R2/D1/KV/Workers/DOs/AI from in-editor (skip dashboard hops) |
| cloudflare-api | (Code Mode) | API exec + search. Auth as needed. |
| cloudflare-builds | OAuth | Workers Builds. Auth as needed. |
| cloudflare-observability | OAuth | Logs / analytics. Auth as needed. |
13 hosted MCP servers exist at *.mcp.cloudflare.com/mcp; see
~/garmin-warehouse/docs/cloudflare-deep-dive.md for the full table.
Wrangler¶
CLI for Workers + D1 + R2 (in part). Auth via wrangler login (OAuth,
not API token). Token expired ~Jan 2026 once during this work; if
deploy fails with 400 on auth, re-run wrangler login.
Common commands:
- npx wrangler deploy — push current dir's Worker
- npx wrangler tail — live log stream
- npx wrangler secret put NAME — set Worker secret (prompts for value)
- npx wrangler dev — local dev with miniflare
Related pages¶
- reference/r2-layout.md
- reference/secrets.md
- runbooks/tunnel-recovery.md
- runbooks/worker-deploy.md
- decisions/001-r2-not-aws-cli.md
- Memory: cloudflare_setup.md
- Source: ~/garmin-warehouse/docs/cloudflare-deep-dive.md