Workshop Prerequisites & Domain Setup Guide

Updated 2026-05-05. The in-class path uses a shared parent zone with ACM: each student gets a slot under eplabs.cloud and a scoped CF API token from their assignment card. The instructor manages all DNS records on the parent zone; you do not need a Cloudflare account for class. This guide is the take-home BYO-domain track: how to graduate from the shared slot to your own zone after the workshop.

Two paths

|               | In-class (default)              | Take-home (this guide)    |
| Domain        | <slot>.eplabs.cloud (assigned)  | a domain you own          |
| Cost          | $0 during class                 | $10–15/year               |
| Setup time    | 0 (instructor pre-provisions)   | 30–60 min on your bench   |
| wrangler auth | API token on your card          | OAuth or your own token   |
| Lifetime      | revoked after the cohort window | yours forever             |

If you only need the in-class flow, your assignment card has everything; see also handouts/workshop_onboarding_guide.md.


BYO-domain setup

Pick a registrar and a name, add the zone to your own free Cloudflare account, point your registrar’s nameservers at CF, then re-deploy your Worker against the new zone. ~30 minutes total.

1. Register a domain

Any registrar works; integration is easiest if you also use Cloudflare for DNS afterwards.

| Registrar                    | Notes                                                     |
| Cloudflare Registrar         | best integration; at-cost pricing; one-step zone hand-off |
| Namecheap, Porkbun           | competitive pricing; fine for non-CF zones                |
| Google Domains / Squarespace | acceptable; UI changed since the GD acquisition           |

Typical pricing: .dev $12–15/yr, .com $10–12/yr, .cloud $8–20/yr.

Avoid trademarked names, hard-to-spell names, and long names with mixed digits and hyphens (you will type it a lot).

2. Add the domain to Cloudflare (free plan)

# Cloudflare dashboard → Add a Site → enter your domain
# → Free plan → CF scans existing DNS → continue.
# CF returns two assigned nameservers (e.g. xxx.ns.cloudflare.com).
# Update the NS records at your registrar to those two values.
# Activation usually completes in 5–60 minutes.

Verify activation:

dig NS yourdomain.com
# Expected: two *.ns.cloudflare.com hostnames

3. Create the same DNS records the workshop’s slot has

Substitute yourdomain.com for <slot>.eplabs.cloud everywhere in the labs.

| Type | Name         | Content   | Proxy            |
| A    | @ (apex)     | 192.0.2.1 | Proxied (orange) |
| A    | * (wildcard) | 192.0.2.1 | Proxied (orange) |
| A    | test         | 1.2.3.4   | DNS only (gray)  |

Lab 04 validate.sh checks these three.

4. Re-deploy the Worker against your zone

cd labs/lab07-first-worker/worker
sed -i "s/YOUR_DOMAIN/yourdomain.com/g; s/YOUR_PARENT_ZONE/yourdomain.com/g" wrangler.toml
npx wrangler deploy

For the take-home variant, YOUR_DOMAIN and YOUR_PARENT_ZONE are the same value (your own zone). In the in-class form they differ (slot vs. parent zone).

5. Re-issue secrets that were tied to the in-class slot

  • GitHub fine-grained PAT (Lab 11)
  • GitHub webhook secret (Lab 11)
  • CF Access service token (Lab 08, only if you wired CF Access in)
  • Tailscale auth keys (Lab 05; new keys for new tag scope)

Account checklist

You need three accounts for the take-home version:

  • Cloudflare (free) — cloudflare.com/sign-up. Enable 2FA.
  • Tailscale (free) — tailscale.com/start. Enable MagicDNS in the admin console.
  • GitHub (free) — for Workers source control + the Lab 11 ChatOps webhook target.

Plus: a registrar account for the domain itself (or Cloudflare Registrar to keep it under one roof).


Verification

export DOMAIN=yourdomain.com
bash labs/lab04-domain-verification/validate.sh

If Lab 04 hard-passes, your zone is ready for the rest of the labs. SSL provisioning for new proxied subdomains can take 5–30 minutes; validate.sh soft-passes that window with a [WARN].

If you hit a failure: the in-class path uses Advanced Certificate Manager (paid) on eplabs.cloud for nested-subdomain SSL. On your own free zone, free Universal SSL covers the apex and one wildcard level — that is enough for everything labs 04–14 actually need. The ACM dependency is specific to the shared-zone setup.
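
To see what steps 2 and 3 should look like from a resolver before running Lab 04, this added example (not the workshop's validate.sh; the function names are assumptions) classifies dig +short answers: a proxied name must not return its record content, the DNS-only name must. The sample answers are constructed, with 203.0.113.x standing in for Cloudflare edge addresses.

```sh
#!/bin/sh
# Added example, not the workshop's validate.sh. Function names are assumptions.

# ns_on_cloudflare: stdin = `dig +short NS` answers. Succeeds only if there are
# at least two and every one is under ns.cloudflare.com, so a leftover
# registrar nameserver (partial delegation) fails the check.
ns_on_cloudflare() (
  n=0
  while IFS= read -r ns || [ -n "$ns" ]; do
    [ -n "$ns" ] || continue
    case "${ns%.}" in
      *.ns.cloudflare.com) n=$((n + 1)) ;;
      *) exit 1 ;;
    esac
  done
  [ "$n" -ge 2 ]
)

# record_status MODE CONTENT: stdin = `dig +short A` answers for one name.
#   proxied : ok only if answers exist and none equals CONTENT, because
#             Cloudflare edge addresses answer in place of the record content
#   dns-only: ok only if CONTENT itself is returned
record_status() (
  mode=$1 content=$2 seen=0 hit=0
  while IFS= read -r ip || [ -n "$ip" ]; do
    [ -n "$ip" ] || continue
    seen=1
    if [ "$ip" = "$content" ]; then hit=1; fi
  done
  if [ "$seen" -eq 0 ]; then echo no-answer
  elif [ "$mode" = proxied ] && [ "$hit" -eq 1 ]; then echo not-proxied
  elif [ "$mode" = proxied ] || [ "$hit" -eq 1 ]; then echo ok
  else echo mismatch
  fi
)

# check_zone DOMAIN: live run (needs dig and network); not called here.
check_zone() {
  dig +short NS "$1" | ns_on_cloudflare || echo "NS: not fully on Cloudflare"
  echo "apex:     $(dig +short A "$1" | record_status proxied 192.0.2.1)"
  echo "wildcard: $(dig +short A "probe-$$.$1" | record_status proxied 192.0.2.1)"
  echo "test:     $(dig +short A "test.$1" | record_status dns-only 1.2.3.4)"
}

# Constructed answers (203.0.113.x stands in for Cloudflare edge addresses).
printf '203.0.113.10\n203.0.113.11\n' | record_status proxied 192.0.2.1
printf '192.0.2.1\n' | record_status proxied 192.0.2.1
printf '1.2.3.4\n' | record_status dns-only 1.2.3.4
```

For a live check, source the file and run check_zone yourdomain.com; a not-proxied result on the apex or wildcard means the record is still gray-clouded and resolving straight to its content.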


Help

  • DNS propagation: dig NS yourdomain.com @1.1.1.1 from a non-cached resolver.
  • Cloudflare zone won’t activate: registrar nameserver update may not have saved; re-enter and wait 30 min.
  • Worker deploy fails on routes: the route’s zone_name must be your apex zone, not a subdomain.

For workshop-specific questions: ask during the cohort or email workshop@eplabs.cloud.