feat: add config cloudflared, env for db port

.env.cloudflared.example

@@ -0,0 +1,5 @@
+# Used only by docker-compose.cloudflared.yml (cloudflared service).
+# Copy to .env.cloudflared and paste your connector token.
+#
+# Cloudflare Zero Trust → Networks → Tunnels → (your tunnel) → Install connector
+TUNNEL_TOKEN=

.env.example

@@ -9,9 +9,23 @@ GOCLAW_GATEWAY_TOKEN=
 GOCLAW_ENCRYPTION_KEY=
 POSTGRES_PASSWORD=
 
-# --- Database (only for non-Docker deployments) ---
-# Docker Compose auto-builds this from POSTGRES_USER/PASSWORD/DB.
-# GOCLAW_POSTGRES_DSN=postgres://user:pass@host:5432/dbname?sslmode=disable
+# --- PostgreSQL (Docker Compose) ---
+# Published host port for the postgres service (default 5432). Change if something
+# else already binds 5432 on your machine (e.g. a local PostgreSQL install).
+# POSTGRES_PORT=5433
+#
+# Optional overrides (defaults: user/db goclaw):
+# POSTGRES_USER=goclaw
+# POSTGRES_DB=goclaw
+
+# --- Database (non-Docker, or host tools connecting to Compose Postgres) ---
+# Inside Compose, goclaw uses the internal DSN (postgres:5432) automatically.
+# From your host (./goclaw, psql), use localhost and POSTGRES_PORT, e.g.:
+# GOCLAW_POSTGRES_DSN=postgres://goclaw:YOUR_PASSWORD@127.0.0.1:5433/goclaw?sslmode=disable
+
+# --- Cloudflare Tunnel (only when using docker-compose.cloudflared.yml) ---
+# Create `.env.cloudflared` next to this file (not tracked in git). Copy from `.env.cloudflared.example`.
+# TUNNEL_TOKEN=<paste token from Zero Trust → Networks → Tunnels → Install connector>
 
 # --- Sandbox (only when using docker-compose.sandbox.yml) ---
 # Docker socket GID: 999 on Linux, 0 on Windows/macOS Docker Desktop.

.gitignore

@@ -16,6 +16,7 @@ pkg-helper
 # Environment
 .env*
 !.env.example
+!.env.cloudflared.example
 
 app
 browser-poc

Makefile

@@ -27,6 +27,8 @@ version:
 # ── Docker Compose ──
 # Default: backend (with embedded web UI) + Postgres. No separate nginx needed.
 # Add WITH_WEB_NGINX=1 for separate nginx on :3000 (custom SSL, reverse proxy).
+# Cloudflare Tunnel: if `.env.cloudflared` exists it is merged automatically (same as
+# docker-compose.cloudflared.yml). Set WITH_CLOUDFLARED=0 to skip.
 COMPOSE_BASE = docker compose -f docker-compose.yml -f docker-compose.postgres.yml
 ifdef WITH_WEB_NGINX
 COMPOSE_BASE += -f docker-compose.selfservice.yml
@@ -51,6 +53,11 @@ endif
 ifdef WITH_CLAUDE_CLI
 COMPOSE_EXTRA += -f docker-compose.claude-cli.yml
 endif
+ifneq ($(WITH_CLOUDFLARED),0)
+ifneq ($(wildcard .env.cloudflared),)
+COMPOSE_EXTRA += -f docker-compose.cloudflared.yml
+endif
+endif
 COMPOSE = $(COMPOSE_BASE) $(COMPOSE_EXTRA)
 UPGRADE = docker compose -f docker-compose.yml -f docker-compose.postgres.yml -f docker-compose.upgrade.yml
 

README.md

@@ -187,6 +187,9 @@ chmod +x prepare-env.sh && ./prepare-env.sh
 # Add at least one GOCLAW_*_API_KEY to .env, then:
 make up
 
+# If Postgres fails to start ("port 5432 already allocated"), set another host
+# port in .env, e.g. POSTGRES_PORT=5433 (see .env.example).
+
 # Web Dashboard at http://localhost:18790 (built-in)
 # Health check: curl http://localhost:18790/health
 

docker-compose.cloudflared.yml

@@ -0,0 +1,30 @@
+# Cloudflare Tunnel (cloudflared) — expose the gateway via Cloudflare without opening host ports.
+#
+# Usage:
+#   make up  — includes this file automatically when `.env.cloudflared` exists (see Makefile).
+#   docker compose -f docker-compose.yml -f docker-compose.postgres.yml -f docker-compose.cloudflared.yml up -d
+#   WITH_CLOUDFLARED=0 make up  — skip tunnel even if `.env.cloudflared` exists
+#
+# Required: file `.env.cloudflared` (see `.env.cloudflared.example`) with:
+#   TUNNEL_TOKEN=<token from Zero Trust → Networks → Tunnels → your tunnel → Install connector>
+#
+# We use a separate file so the token is not injected into the goclaw container (goclaw loads all of `.env` via env_file).
+#
+# Ingress target in the Cloudflare dashboard must reach this stack on the Docker network, e.g.:
+#   http://goclaw:18790
+# (not http://localhost:18790 — that is the host, not the goclaw container from cloudflared’s view.)
+
+services:
+  cloudflared:
+    image: cloudflare/cloudflared:latest
+    restart: unless-stopped
+    command: tunnel --no-autoupdate run
+    env_file:
+      - path: .env.cloudflared
+        required: true
+    networks:
+      - goclaw-net
+    depends_on:
+      - goclaw
+    security_opt:
+      - no-new-privileges:true

docker-compose.postgres.yml

@@ -7,6 +7,9 @@
 # Required env vars (set in .env or shell):
 #   GOCLAW_OPENROUTER_API_KEY (or another provider key)
 #   POSTGRES_PASSWORD (defaults to "goclaw" for dev)
+#
+# If host port 5432 is already in use, set POSTGRES_PORT (e.g. 5433) in .env.
+# The goclaw container still connects via postgres:5432 on the Docker network.
 
 services:
   postgres: