Cloudflare is the front door for Lucia: DNS, SSL, WAF, and private-access control for staging.
Runbook phase mapping
- Phase 1 — service account access, MFA, dashboard ownership
- Phase 2 — private staging front door, DNS, SSL/TLS, and Cloudflare Access
- Phase 9 — rollback support if DNS/access needs to be reversed
Primary runbook page: 08 - Live Transition Runbook
Why Cloudflare is in the stack
Cloudflare should own:
- domain DNS
- TLS / SSL
- traffic protection
- basic perimeter security
- private staging access before Lucia is public
Lucia role
Right now
Use Cloudflare to protect a private hosted staging environment.
Later
Use Cloudflare as the stable front layer for public Lucia infrastructure.
What Cloudflare should do for Lucia
Suggested Lucia subdomains
| Use | Suggested Hostname | Notes |
|---|---|---|
| private staging admin | staging-admin. | protected behind Cloudflare Access |
| private staging engine/api | staging-api. | locked down, not public |
| future public app | app. | later |
| future public api | api. | later |
| status / health | status. | optional later |
Domain notes
- Primary Lucia domain:
- Current registrar:
- DNS currently managed by:
- Planned cutover date:
Setup checklist
Stage 1 — account + domain control
Stage 2 — private staging
Stage 3 — hardening
Credentials + account reference
Prefer storing references here, not naked secrets.
Account access
| Item | Value |
|---|---|
| Account email | |
| Account owner name | |
| Team / org name | |
| Dashboard URL | |
| Recovery email / backup notes | |
| MFA method | |
| MFA backup codes location | |
Domain / zone details
| Item | Value |
|---|---|
| Zone name | |
| Registrar | |
| Nameservers | |
| DNSSEC status | |
| Primary domain | |
| Staging subdomain(s) | |
| Public app subdomain | |
| Public API subdomain | |
API + token references
| Secret / Token | Value or 1Password Reference | Notes | Rotated |
|---|---|---|---|
| API token | | | |
| Account ID | | | |
| Zone ID | | | |
| Access app client ID | | | |
| Access app client secret | | | |
| Tunnel token (if used later) | | | |
Access policies
Private staging policy
- Allowed email(s):
- Allowed domain(s):
- Session duration:
- Exceptions:
- Notes:
DNS records tracker
| Type | Name | Value / Target | Proxy Status | Notes |
|---|---|---|---|---|
| CNAME / A | | | | |
| CNAME / A | | | | |
| TXT | | | | |
| MX | | | | |
Notes / gotchas
- Private staging should be private for real, not “unguessable URL private.”
- Cloudflare Access is the clean move here.
- Keep the setup boring. Boring is good. Boring ships.
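One way to verify the "private for real" point above, added here as example code that is not part of the original page: it classifies what an unauthenticated client gets back from a staging hostname, so you can tell an Access-gated host from one that is merely proxied, or one whose DNS bypasses Cloudflare entirely. The hostnames, the Access team name and the sample headers are constructed placeholders.

```python
"""Classify an unauthenticated response from a staging hostname.
Added example, not code from the original page. Hostnames, team name and
sample headers are constructed placeholders. Signals: `cf-ray`/`server:
cloudflare` = went through the proxy; 30x to https://<team>.cloudflareaccess.com
/cdn-cgi/access/login/... = Cloudflare Access intercepted the request."""
import urllib.error
import urllib.request
from urllib.parse import urlparse
ACCESS_LOGIN_PATH = "/cdn-cgi/access/login/"

def classify(status: int, headers: dict) -> str:
    """Return 'access_enforced', 'proxied_but_open' or 'not_proxied'."""
    h = {k.lower(): v for k, v in headers.items()}
    proxied = "cf-ray" in h or h.get("server", "").lower() == "cloudflare"
    if not proxied:
        return "not_proxied"       # DNS bypasses Cloudflare: no WAF, no Access
    loc = urlparse(h.get("location", ""))
    if (status in (301, 302, 303, 307, 308) and loc.scheme == "https"
            and (loc.hostname or "").endswith(".cloudflareaccess.com")
            and loc.path.startswith(ACCESS_LOGIN_PATH)):
        return "access_enforced"
    return "proxied_but_open"      # behind the proxy, but served without a login

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 302 instead of following it to the login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(hostname: str, timeout: float = 5.0) -> str:
    """Live check: GET https://<hostname>/ with no credentials and classify it."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"https://{hostname}/", timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers))

# Constructed sample responses (placeholder Access team "lucia-example").
SAMPLES = {
    "staging-admin.example.test": (302, {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-SJC",
        "Location": "https://lucia-example.cloudflareaccess.com/cdn-cgi/access/login/"
                    "staging-admin.example.test?kid=x"}),
    "staging-api.example.test": (200, {"Server": "cloudflare", "CF-RAY": "0123456789abcdf0-SJC"}),
    "origin-leak.example.test": (200, {"Server": "nginx/1.24.0"}),
}

def audit(samples=SAMPLES) -> dict:
    """Map each hostname to its verdict; anything not 'access_enforced' needs attention."""
    return {host: classify(status, hdrs) for host, (status, hdrs) in samples.items()}
```

Run `probe()` against the real staging hostnames once they are filled in above; a `proxied_but_open` or `not_proxied` verdict means the Access policy or the DNS record is not doing its job.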
Related pages