diff --git a/.env.secret b/.env.secret
index f6653db..4ab8e6e 100644
--- a/.env.secret
+++ b/.env.secret
Binary files differ
diff --git a/.gitsecret/paths/mapping.cfg b/.gitsecret/paths/mapping.cfg
index fd6ba91..5fba0d9 100644
--- a/.gitsecret/paths/mapping.cfg
+++ b/.gitsecret/paths/mapping.cfg
@@ -1,2 +1,2 @@
-.env:221a7702774fdc6c4a5fa42a1f0787c10d34e347ff57a1c3ee841021c32caba5
+.env:d83f3294d1d7b8c20b32e8de08b10f160e1ff2944c3d3cba86ef7f3dc4ef2566
 wg-server/initial_config/wg-server.conf:5d4fe70ae728a4fd41dbd0323899057884e12d1dd55fb5e0f440562ebaacc34b
diff --git a/docker-compose.yml b/docker-compose.yml
index e8c8e18..682102d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,16 +1,29 @@ services: - # http proxy - http-proxy: + # cloudflared (to public) + cloudflared-tunnel: + image: cloudflare/cloudflared:latest + command: tunnel run + + environment: + - TUNNEL_TOKEN=${CLOUDFLARED_TUNNEL_TOKEN} + + networks: + - web-public + + restart: unless-stopped + + # http gateway + http-gateway: image: traefik:v2.6 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./data/http-proxy-acme:/acme:rw - ports: - - 80:80 networks: + - web-public - web + command: --providers.docker
@@ -73,6 +86,10 @@ - traefik.http.services.wiki-server.loadbalancer.server.port=3000 networks: - # global network for web services + # global internal network for web services web: name: "web" + + # public interface (through tunnel) + web-public: + name: "web-public"
diff --git a/wg-server/initial_config/wg-server.conf.secret b/wg-server/initial_config/wg-server.conf.secret
index c8efa31..2806994 100644
--- a/wg-server/initial_config/wg-server.conf.secret
+++ b/wg-server/initial_config/wg-server.conf.secret
Binary files differ
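Review bot: The new `cloudflared-tunnel` service pulls `cloudflare/cloudflared:latest`, so the container that holds the tunnel token and carries all public traffic changes whenever that tag moves; pin it the way `traefik:v2.6` is pinned, e.g. `image: cloudflare/cloudflared:<pinned-version>` or an image digest. `TUNNEL_TOKEN` is passed as an environment variable, which leaves it readable through `docker inspect` and the Docker API; a file-based secret would be preferable if the cloudflared release in use supports one. `http-gateway` is now attached to `web-public` while still mounting `/var/run/docker.sock`, and the `:ro` flag on that bind mount does not limit what the Docker API accepts, so a socket proxy restricted to read-only endpoints is worth considering. The `http-gateway` definition continues past the end of this hunk.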
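Review bot: The comment on `web` now calls it an internal network, but nothing in the definition enforces that, since a network declared without `internal: true` still gets outbound routing through the host. If the backends need no egress, add `internal: true` under `web:`; otherwise reword the comment to say what is actually guaranteed, e.g. `# network for web services, not published on the host`. Both networks are given fixed names, so another compose project on the same host could attach to them as external networks; a comment on `web-public` stating that only `cloudflared-tunnel` and `http-gateway` belong on it would make unintended additions easier to spot in review.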