// install & deploy / cloudflare tunnel

Install PlikShare with Cloudflare Tunnel.

Run PlikShare without exposing a single port to the internet. cloudflared opens an outbound connection to Cloudflare, and every request flows back through that tunnel. TLS termination, DDoS protection and routing all live on Cloudflare's side.

one-line install
sudo /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/damian-krychowski/plikshare/refs/heads/main/deployment/plikshare-install-cloudflare-tunnel.sh)"

Prefer to read before you run? Inspect the script on GitHub first.

Before you run it

You will need to do the full Cloudflare setup before running the script. The script consumes the tunnel token and assumes the route is already configured on Cloudflare's side. Walk through:

  1. A Cloudflare account with your domain on it. DNS must be managed by Cloudflare so the published hostname can resolve back through the tunnel.
  2. Create a Tunnel. In the Cloudflare Zero Trust dashboard go to Networks → Connectors → Cloudflare Tunnels → Create a tunnel, pick the Cloudflared connector type, give it a name (e.g. plikshare).
  3. Copy the Tunnel token. On the "Install and run a connector" screen pick the Docker tab. Cloudflare shows a docker run … --token eyJhIjoi… command. Do not run it yourself — the install script handles cloudflared. Just copy the long token value after --token (starts with ey); the script will ask for it.
  4. Add a published application route. On the next screen, click Add a published application route and fill in:
    • Subdomain — the leftmost label (e.g. plikshare)
    • Domain — your domain from the dropdown
    • Path — leave empty
    • Service TypeHTTP
    • URLplikshare:8080
  5. Save the tunnel. Cloudflare creates a CNAME record for the hostname automatically — no DNS A record needed.
In the URL field, use plikshare:8080 — not localhost:8080 as the placeholder text suggests.cloudflared runs as its own container on the Compose network. plikshare is the service name that resolves to the PlikShare container; localhost would be cloudflared's own loopback, where nothing is listening.

What the script does

  1. Installs prerequisites - Docker. No firewall rules for 80 / 443 are added — those ports are never opened to the internet.
  2. Collects setup details - admin email, initial admin password, encryption passwords, storage volumes and the Cloudflare Tunnel token.
  3. Installs PlikShare - generates a Docker Compose file with two services (PlikShare and cloudflared).
  4. Starts the stack - cloudflared connects outbound to Cloudflare using the token. Cloudflare routes traffic to PlikShare through the published application route you set up.
  5. Sets up cron jobs - optional nightly PlikShare updates.

When the script finishes, visit your hostname — PlikShare is live. TLS is terminated at Cloudflare's edge and traffic flows over the tunnel to your server. No inbound ports were ever opened.

See the installation in action

Want to adjust the configuration?

Every environment variable, volume layout and the update procedure are documented on the manual configuration page.

Manual configuration →
// talk to a human

Rather not run it yourself?

If you'd like a hand getting PlikShare running, or you want it fully managed by someone else, let's have a quick chat.

  • Initial setup on your server - Docker, SSL, reverse proxy
  • Storage (S3 / R2 / B2 / Azure / GCS) and email provider
  • Ongoing updates, backups and migrations