Cloudflare Access Setup

All documentation under /internal/ is protected by Cloudflare Access using Google Workspace authentication. This is the zero-trust access layer for Ikamet operational intelligence.

Architecture

  1. User requests /internal/*
  2. Cloudflare Access intercepts the request
  3. Google OAuth login is required
  4. Email domain is checked: @ikamet.com or @ikametsigorta.com
  5. Access is granted or denied

Setup steps

1. Cloudflare Access — create application

In the Cloudflare dashboard:

  1. Go to Zero Trust → Access → Applications
  2. Click Add an application
  3. Select Self-hosted
  4. Configure:
    • Application name: Ikamet Internal Docs
    • Application domain: docs.ikamet.com/internal
    • Session duration: 24 hours

2. Create access policy

Under the application, add a policy:

  • Policy name: Ikamet Workspace
  • Action: Allow
  • Rules:
    • Rule 1: Emails ending in @ikamet.com
    • Rule 2: Emails ending in @ikametsigorta.com

3. Configure Google Workspace identity provider

In Zero Trust → Settings → Authentication:

  1. Add identity provider: Google Workspace
  2. Enter your Google Workspace domain: ikamet.com
  3. Create OAuth 2.0 credentials in Google Cloud Console
  4. Enter Client ID and Client Secret
  5. Test the connection

4. Verify protection

After setup, visit docs.ikamet.com/internal/ in an incognito window. You should see the Cloudflare Access login screen — not the documentation.

Sign in with your @ikamet.com Google account. You should be granted access.
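A scripted form of the same check, added here as an example rather than code from the Ikamet docs: it assumes the unauthenticated redirect lands on a *.cloudflareaccess.com login host and that /public/ and / answer 200. fetch() makes the live request without following redirects; classify() and mismatches() hold the logic, so the check can be rerun after any policy change.

```python
"""Probe docs.ikamet.com: /internal/ must redirect to the Cloudflare Access
login (a *.cloudflareaccess.com host), never serve the docs; public paths
must still answer 200."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Login host suffix used by Cloudflare Access (assumption; the page only
# says "the Cloudflare Access login screen").
ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"

# Paths named on the page and the classification each must produce.
EXPECTED = {"/internal/": "protected", "/public/": "public", "/": "public"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand back the 3xx response instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers):
    """Map (status, header mapping) to 'protected', 'public' or 'unexpected'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        host = urlparse(lowered.get("location", "")).hostname or ""
        # Only a redirect to the Access login host counts as protection.
        return "protected" if host.endswith(ACCESS_LOGIN_SUFFIX) else "unexpected"
    return "public" if status == 200 else "unexpected"


def fetch(url, timeout=10):
    """GET without following redirects; return (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, dict(err.headers)


def mismatches(results):
    """Paths whose observed classification differs from EXPECTED."""
    return {p: (results.get(p), want) for p, want in EXPECTED.items()
            if results.get(p) != want}


def check_site(base="https://docs.ikamet.com"):
    """Probe every path in EXPECTED; an empty dict means protection holds."""
    return mismatches({p: classify(*fetch(base + p)) for p in EXPECTED})
```

An /internal/ path that classifies as "public" means the documentation is being served without the Access login, which is exactly the regression this check is meant to catch.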

What is protected

All routes under:

docs.ikamet.com/internal/*

This covers:

  • /internal/architecture/* — system architecture internals
  • /internal/workflows/* — operational workflow procedures
  • /internal/operations/* — operational systems documentation
  • /internal/providers/* — provider intelligence and quirks
  • /internal/sops/* — standard operating procedures
  • /internal/ai/* — AI prompts and automation logic
  • /internal/compliance/* — compliance procedures
  • /internal/security/* — security implementation docs
  • /internal/incidents/* — incident response procedures

What is public

All routes NOT under /internal/ remain public:

  • / — home page
  • /public/* — public guides, help, API reference

Future access tiers

Cloudflare Access supports multiple policies on the same application. Future access tiers:

Tier               | Access                          | Policy
Full internal      | @ikamet.com, @ikametsigorta.com | Current setup
Contractor         | Named email addresses           | Add to allowlist
Partner API access | Named email addresses           | Separate application

Session management

  • Sessions expire after 24 hours — users re-authenticate via Google
  • Revoke access immediately for departing team members by removing them from Google Workspace; an already-issued Cloudflare Access session stays valid until it expires (24 hours) unless it is also revoked in the Zero Trust dashboard
  • Cloudflare Access logs all access events — reviewable in the Zero Trust dashboard