I run Home Assistant container on a Debian VM and have it working with Cloudflare Tunnel (used to be Argo). I moved to this a few months back after some of the older non-Cloudflare maintained containers stopped working properly without workarounds.
Here are some basic instructions on how I got it working. There are probably easier ways, but throwing this out there in case it points someone in the right direction. This does not cover setting up Cloudflare Teams / Access rules. It only gets the tunnel working.
On any computer, install cloudflared, log in (to get a cert.pem file), and create a tunnel (to get a .json). This only needs to happen once and you can use the login (cert.pem) to manage your tunnels (create/delete). The tunnel file and a config are really the only files you need on your Docker machine.
Pay attention to where your .json file lives. You will have to move it to your server. It will look something like this:
On your Docker host, make a folder for the docker container; in my case this is /srv/docker/cftunnel.
Move your tunnel json there and create a config.yml.
ingress:
  - hostname: "homeassistant.mydomain.com"
    service: http://<machine ip>:8123
  - service: http_status:404
Note: Don't use the docker container name in place of local ip. Since Home Assistant container usually runs in host mode, you have to specify the local machine ip. Also note that Cloudflare tunnel will not route to a host outside of the local machine, so it has to be installed on the same machine as Home Assistant.
docker-compose.yaml entry - I call mine cftunnel
command: tunnel --config /etc/cloudflared/config.yml run 12345678-1234-1234-1234-123456789012
Start your container with docker-compose up -d. Check log output to make sure it started correctly.
Final step, make a CNAME entry on Cloudflare to point to the tunnel.
There are multiple ways to do this:
Access your Home Assistant instance from https://homeassistant.mydomain.com
This doesn't make dynamic tunnels like some of the other containers out there, but you do have a lot of flexibility in the config.yml to create additional ingress rules for other services on the same machine if you like (SEE HERE). Anything on a different machine requires a new tunnel (and associated .json file).
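An added example, not part of the original post: a small Python check for the config.yml and tunnel .json described above. It verifies that the last ingress rule is a catch-all (cloudflared requires one), flags http(s) origins given as a name instead of the machine IP per the note above, and flags a tunnel credentials file that other users on the host can access. The sample config, the second hostname and the 192.0.2.10 address are constructed for illustration, and the parser only handles the flat ingress layout shown in the post.

```python
import ipaddress
import os
import stat
from urllib.parse import urlsplit

# Constructed sample: the post's config plus one extra rule that uses a container name.
SAMPLE = """\
ingress:
  - hostname: "homeassistant.mydomain.com"
    service: http://192.0.2.10:8123
  - hostname: "other.mydomain.com"
    service: http://homeassistant:8123
  - service: http_status:404
"""

def parse_ingress(text):
    """Read the flat ingress list used in the post (not a general YAML parser)."""
    rules, in_ingress = [], False
    for line in text.splitlines():
        item = line.strip()
        if not item or item.startswith("#"):
            continue
        if not line.startswith((" ", "-")):      # a top-level key
            in_ingress = item == "ingress:"
        elif in_ingress:
            if item.startswith("- "):            # a new rule starts
                rules.append({})
                item = item[2:]
            key, _, value = item.partition(":")
            if rules:
                rules[-1][key.strip()] = value.strip().strip("\"'")
    return rules

def lint(config_text, cred_path=None):
    """Return a list of findings; an empty list means the checks passed."""
    findings, rules = [], parse_ingress(config_text)
    if not rules or "hostname" in rules[-1] or "path" in rules[-1]:
        findings.append("last ingress rule is not a catch-all")
    for rule in rules:
        svc = rule.get("service", "")
        if svc.startswith(("http://", "https://")):
            host = urlsplit(svc).hostname or ""
            try:
                ipaddress.ip_address(host)
            except ValueError:
                findings.append(f"{rule.get('hostname', '*')}: origin {host!r} is not an IP address")
    if cred_path and stat.S_IMODE(os.stat(cred_path).st_mode) & 0o007:
        findings.append(f"{cred_path}: credentials file is accessible to other users")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

Pass the path to the tunnel .json as the second argument to `lint` to include the permission check.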