
Low Cost Cloudflare Tunnel + Mac mini build AI Infrastructure

Author: Frank Zhang (Exploring AI, Network, Insurance, and Life)

This post documents how to use local hardware (Mac mini) combined with Cloudflare’s edge network to build a publicly accessible AI blog and backend service system—without opening any inbound ports on your router.

1. Infrastructure Cost & Component Selection

Domain Registration

  • Cost: Registering or transferring a domain to Cloudflare (e.g., frank-zhang.com) costs only $10.42/yr (wholesale price, no markup).
  • Advantage: Directly integrated into the Cloudflare ecosystem, simplifying DNSSEC and tunnel configuration.

Why Cloudflare?

  • Generous Free Plan: For individual engineers, the free tier already includes unlimited-traffic Tunnels, basic WAF, and CDN.
  • Zero Trust Security: Tunnels use outbound-only connections, so the origin server's real IP stays hidden and DDoS traffic is absorbed at Cloudflare's edge instead of reaching your machine.
  • Global CDN Acceleration: Via Anycast technology, mobile clients accessing www or ai subdomains automatically connect to the nearest edge node.

2. Logical Architecture

  • Endpoint: Mac mini (M-series)
  • Stack:
    • Port 1313: Hugo (Static Site)
    • Port 6180: FastAPI + uv (AI Agent Backend)
  • Tunnel: The cloudflared process acts as a Connector, mapping local ports to public-facing hostnames.

3. Deployment Steps (Step-by-Step)

A. Environment Setup

# 1. Install the cloudflared connector and authenticate it against your Cloudflare account
#    (login opens a browser and stores an origin certificate under ~/.cloudflared/)
brew install cloudflared
cloudflared tunnel login

# 2. Create the named tunnel; this writes <TUNNEL_ID>.json, the credentials file referenced in config.yml
cloudflared tunnel create mac-vps

B. Ingress Rule Configuration (config.yml)

Edit the config file under ~/.cloudflared/ to define traffic routing:

tunnel: <TUNNEL_ID>
credentials-file: /Users/<USER>/.cloudflared/<TUNNEL_ID>.json

ingress:
  - hostname: www.frank-zhang.com
    service: http://localhost:1313
  - hostname: ai.frank-zhang.com
    service: http://localhost:6180
  - service: http_status:404
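The ingress rules above are the only thing standing between a public hostname and a local port, so it is worth linting the file before running the tunnel. The following added example (my own code, not from the post or from Cloudflare) parses the flat YAML subset shown above with no third-party library and flags a missing catch-all rule, a hostname outside the zone, an origin that is not loopback, and a credentials-file that does not match the tunnel id; it assumes the two-space indentation used above, and `cloudflared tunnel ingress validate` remains the authoritative check.

```python
# Added example: lint a cloudflared config.yml before `cloudflared tunnel run`.
# Handles only the flat YAML subset used in the post; not a general YAML parser.
from urllib.parse import urlparse

# cloudflared reaches the origin from the same host, so services should be loopback.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_config(text):
    """Parse top-level `key: value` lines and the `ingress:` list of rules."""
    cfg = {"ingress": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments
        if not line.strip() or line == "ingress:":
            continue
        key, val = line.lstrip(" -").split(":", 1)
        if line.startswith("  - "):                     # `- key:` opens a new rule
            cfg["ingress"].append({})
        target = cfg["ingress"][-1] if line.startswith("  ") else cfg
        target[key.strip()] = val.strip()
    return cfg

def check_ingress(cfg, zone):
    """Return a list of findings; an empty list means the config passed."""
    findings, rules = [], cfg["ingress"]
    if not rules or "hostname" in rules[-1]:
        findings.append("last ingress rule must be a catch-all (no hostname)")
    for n, rule in enumerate(rules, 1):
        host, svc = rule.get("hostname"), rule.get("service", "")
        if host and host != zone and not host.endswith("." + zone):
            findings.append(f"rule {n}: {host} is outside zone {zone}")
        origin = urlparse(svc).hostname                 # None for http_status:404
        if svc.startswith(("http://", "https://")) and origin not in LOOPBACK:
            findings.append(f"rule {n}: origin {origin} is not loopback")
    tunnel = cfg.get("tunnel", "")
    if tunnel and tunnel not in cfg.get("credentials-file", ""):
        findings.append("credentials-file does not match the tunnel id")
    return findings

# Constructed sample mirroring the post's config.yml (placeholder ids kept as-is).
SAMPLE = """tunnel: <TUNNEL_ID>
credentials-file: /Users/<USER>/.cloudflared/<TUNNEL_ID>.json
ingress:
  - hostname: www.frank-zhang.com
    service: http://localhost:1313
  - hostname: ai.frank-zhang.com
    service: http://localhost:6180
  - service: http_status:404
"""
```

Run `check_ingress(parse_config(open("~/.cloudflared/config.yml").read()), "frank-zhang.com")` against the real file (after expanding `~`) and treat any non-empty result as a reason not to start the tunnel.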

C. Activate DNS Routing

cloudflared tunnel route dns mac-vps www.frank-zhang.com
cloudflared tunnel route dns mac-vps ai.frank-zhang.com

4. Backend Persistence (Production Ready)

Manually running hugo server or uv run is only suitable for testing. In a production environment, services must restart automatically after a system reboot:

  • Tunnel: Run sudo cloudflared service install to register it as a system daemon.
  • App Layer: Use PM2 to manage the Python environment and static server:
pm2 start "uv run uvicorn main:app --port 6180" --name "ai-backend"
pm2 start "hugo server --bind 0.0.0.0 --port 1313" --name "hugo-blog"
pm2 save

5. Conclusion

This architecture maintains full data sovereignty (data never leaves your local machine) while leveraging Cloudflare for industrial-grade public connectivity. It provides a robust infrastructure foundation for deploying RAG-based knowledge bases or locally autonomous AI Agents.

Engineer’s Note: Before running the hugo build command, always verify that baseURL in hugo.toml has been updated to https://www.frank-zhang.com/. Otherwise some static assets (JS/CSS) may fail to load in the public environment.