
GitLab Behind Cloudflare Tunnel --- Removing Inbound SSH Exposure
Introduction

In the previous lab, GitLab was placed behind Cloudflare Access and protected by identity. HTTPS traffic passed through Nginx, and access to the web interface required authentication at the edge. But one part of the system still relied on a traditional assumption: SSH was reachable via an open port.

This lab continues the evolution. The goal is not to add another security layer for its own sake, but to change the exposure model itself. Instead of accepting inbound SSH connections, the host establishes an outbound tunnel to Cloudflare. Both HTTPS and SSH access are then mediated through identity. The trust boundary moves from ports to people.

Goal

Rework a self-hosted GitLab setup so that:

- HTTPS traffic flows through Cloudflare Tunnel.
- SSH access is gated by Cloudflare Access.
- No direct inbound SSH exposure is required.
- The GitLab VM remains disposable and isolated.

This is not about eliminating SSH. It is about changing who gets to initiate it.

Constraints / Assumptions

T
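To make the exposure model concrete, here is an added example (not code from the original post or from Cloudflare/GitLab) showing the three pieces that realise the goals above: the cloudflared ingress configuration that routes the public HTTPS and SSH hostnames to loopback services on the GitLab host, the client-side SSH stanza that makes git connect through Cloudflare Access instead of an open port, and a small check that sshd is bound to the loopback interface only. The tunnel ID, the hostnames under `example.test`, the Nginx port and the `/etc/cloudflared` credentials path are all placeholder assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the configuration that
# moves GitLab's HTTPS and SSH behind a Cloudflare Tunnel and checks that sshd
# no longer listens on a routable address.
#
# Assumptions (placeholders, not values from the post):
#   tunnel_id   - UUID printed by `cloudflared tunnel create`
#   gitlab_host - public hostname for the web UI, e.g. gitlab.example.test
#   ssh_host    - public hostname for git-over-SSH, e.g. ssh.gitlab.example.test
#   nginx_port  - local port Nginx listens on in front of GitLab (default 80)
#   credentials are assumed to live under /etc/cloudflared/ for a system service

# cloudflared config.yml: the host opens an outbound connection to Cloudflare;
# each ingress rule maps a public hostname to a service reachable only on
# 127.0.0.1, so nothing here requires an inbound firewall rule.
render_cloudflared_config() {
  tunnel_id="$1"; gitlab_host="$2"; ssh_host="$3"; nginx_port="${4:-80}"
  cat <<EOF
tunnel: ${tunnel_id}
credentials-file: /etc/cloudflared/${tunnel_id}.json
ingress:
  # Web UI: the Cloudflare Access policy on ${gitlab_host} gates this hostname
  - hostname: ${gitlab_host}
    service: http://127.0.0.1:${nginx_port}
  # Git over SSH: sshd keeps running, but only on the loopback interface
  - hostname: ${ssh_host}
    service: ssh://127.0.0.1:22
  # Catch-all: unmatched hostnames get a 404 rather than reaching any service
  - service: http_status:404
EOF
}

# Client-side ~/.ssh/config stanza: git invokes cloudflared as a ProxyCommand,
# which performs the Access login and carries the SSH session over the tunnel.
render_ssh_client_config() {
  ssh_host="$1"
  cat <<EOF
Host ${ssh_host}
  ProxyCommand cloudflared access ssh --hostname %h
  User git
EOF
}

# Verification: read an `ss -ltn` style listing on stdin and fail if any TCP
# listener on port 22 is bound to something other than 127.0.0.1 or [::1].
# Column 4 of `ss -ltn` output is "Local Address:Port".
sshd_loopback_only() {
  if grep -E '^LISTEN' \
     | awk '{print $4}' \
     | grep -E ':22$' \
     | grep -vE '^(127\.0\.0\.1|\[::1\]):22$' >/dev/null; then
    return 1   # a routable :22 listener exists: inbound SSH is still exposed
  fi
  return 0
}

# Constructed sample listing (not captured from a real host) for a dry run.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*
LISTEN 0      511    127.0.0.1:80       0.0.0.0:*'

if [ "${1:-}" = "demo" ]; then
  render_cloudflared_config 00000000-placeholder-tunnel-id gitlab.example.test ssh.gitlab.example.test
  render_ssh_client_config ssh.gitlab.example.test
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | sshd_loopback_only \
    && echo "sshd: loopback only" || echo "sshd: still exposed"
fi
```

Run it with `sh script.sh demo` to print both configs and check the constructed sample; on the real host, pipe `ss -ltn | sshd_loopback_only` after setting `ListenAddress 127.0.0.1` in sshd_config and reloading sshd. The ingress order matters: cloudflared evaluates rules top to bottom, so the `http_status:404` catch-all must stay last.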
Continue reading on Dev.to



