Cloudflare is the front door for Lucia: DNS, SSL, WAF, and private-access control for staging.

Runbook phase mapping

  • Phase 1 — service account access, MFA, dashboard ownership
  • Phase 2 — private staging front door, DNS, SSL/TLS, and Cloudflare Access
  • Phase 9 — rollback support if DNS/access needs to be reversed
Primary runbook page: 08 - Live Transition Runbook

Why Cloudflare is in the stack

Cloudflare should own:
  • domain DNS
  • TLS / SSL
  • traffic protection
  • basic perimeter security
  • private staging access before Lucia is public

Lucia role

Right now

Use Cloudflare to protect a private hosted staging environment.

Later

Use Cloudflare as the stable front layer for public Lucia infrastructure.

What Cloudflare should do for Lucia

  • DNS for Lucia domains/subdomains
  • SSL/TLS
  • WAF baseline protection
  • rate limiting if needed
  • Cloudflare Access in front of private staging
  • future edge/routing control if Lucia grows into more distributed services

Suggested Lucia subdomains

Use                          Suggested hostname    Notes
private staging admin        staging-admin.        protected behind Cloudflare Access
private staging engine/api   staging-api.          locked down, not public
future public app            app.                  later
future public api            api.                  later
status / health              status.               optional later

Domain notes

  • Primary Lucia domain:
  • Current registrar:
  • DNS currently managed by:
  • Planned cutover date:

Setup checklist

Stage 1 — account + domain control

  • confirm Cloudflare account owner
  • confirm domain is in Cloudflare
  • confirm nameservers
  • confirm SSL/TLS mode
  • confirm WAF baseline enabled

Stage 2 — private staging

  • create staging subdomains
  • point staging DNS to Render services
  • enable Cloudflare Access policy
  • restrict staging to approved email identities
  • verify protected login flow works
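
A check for the last two steps above (DNS pointed at Render through the proxy, and the protected login flow), added here as an example and not Lucia's or Cloudflare's own tooling; the hostnames are placeholders, and it assumes curl and dig are installed.

```shell
#!/bin/sh
# Verifies that a private staging hostname is really fronted by Cloudflare Access.
# Added example for this runbook; hostnames below are placeholders, not Lucia's.

# classify_front_door STATUS LOCATION
# Returns 0 when an unauthenticated request was intercepted by Cloudflare Access,
# i.e. a redirect to the team's *.cloudflareaccess.com login page; 1 otherwise.
classify_front_door() {
  status="$1"
  location="$2"
  case "$status" in
    301|302|303|307|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    https://*.cloudflareaccess.com/*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_host HOSTNAME
# Live check: request the root URL with no credentials and classify the answer.
# Fails when staging serves anything other than the Access challenge.
check_host() {
  host="$1"
  resp=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "https://$host/") || return 2
  status=${resp%% *}
  location=${resp#* }
  if classify_front_door "$status" "$location"; then
    echo "OK   $host -> Access login ($location)"
  else
    echo "FAIL $host answered $status without an Access challenge (location: '$location')"
    return 1
  fi
}

# check_dns_proxied HOSTNAME ORIGIN
# A proxied record must not expose the Render origin hostname in public DNS;
# if the CNAME target is visible, the record is DNS-only and bypasses Cloudflare.
check_dns_proxied() {
  host="$1"
  origin="$2"
  if dig +short CNAME "$host" | grep -q "$origin"; then
    echo "FAIL $host resolves straight to $origin (record is DNS-only, not proxied)"
    return 1
  fi
  echo "OK   $host does not expose $origin"
}

# usage: ./check_staging.sh staging-admin.example.com lucia-staging.onrender.com
if [ -n "${1:-}" ]; then
  check_dns_proxied "$1" "${2:-onrender.com}" && check_host "$1"
fi
```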

Stage 3 — hardening

  • add rate limiting if needed
  • review bot protection
  • document firewall rules
  • document allowed origins / callback URLs

Credentials + account reference

Prefer storing references here, not naked secrets.

Account access

Item                           Value
Account email
Account owner name
Team / org name
Dashboard URL
Recovery email / backup notes
MFA method
MFA backup codes location

Domain / zone details

Item                   Value
Zone name
Registrar
Nameservers
DNSSEC status
Primary domain
Staging subdomain(s)
Public app subdomain
Public API subdomain

API + token references

Secret / Token               Value or 1Password reference   Notes   Rotated
API token
Account ID
Zone ID
Access app client ID
Access app client secret
Tunnel token (if used later)

Access policies

Private staging policy

  • Allowed email(s):
  • Allowed domain(s):
  • Session duration:
  • Exceptions:
  • Notes:

DNS records tracker

Type        Name   Value / Target   Proxy status   Notes
CNAME / A
CNAME / A
TXT
MX

Notes / gotchas

  • Private staging should be private for real, not “unguessable URL private.”
  • Cloudflare Access is the clean move here.
  • Keep the setup boring. Boring is good. Boring ships.