Set up Cloudflare Pages + Cloudflare Access

For Brady — one-time setup. Run setup-github first so the GitHub repo exists. These are dashboard steps; nothing here is automatable from a Code session.


Prerequisites

  • GitHub repo bradyshearer/company-os exists and has at least one commit
  • You own (or can manage) the pctos.com domain
  • You have a Cloudflare account
  • The 7 executive emails are handy (you’ll add them to the Access policy at the end)

Step 1 — Add pctos.com to Cloudflare DNS

If pctos.com isn’t already on Cloudflare:

  1. Cloudflare dashboard → Add a Site → enter pctos.com
  2. Choose the Free plan (Pages + Access basic features are free for small allow-lists)
  3. Cloudflare scans existing DNS records — confirm them
  4. Cloudflare gives you two nameservers (e.g., aria.ns.cloudflare.com, bob.ns.cloudflare.com)
  5. At your registrar (Namecheap / GoDaddy / wherever pctos.com is registered), update the nameservers to Cloudflare’s
  6. Wait for propagation. Usually 5–60 minutes; can be up to 24h. Confirm with dig NS pctos.com.

Skip this step if pctos.com is already on Cloudflare.


Step 2 — Create the Pages project

  1. Cloudflare dashboard → Workers & Pages → Create application → Pages → Connect to Git
  2. Authorize Cloudflare to read your GitHub account if prompted
  3. Select repository: bradyshearer/company-os
  4. Project name: pctos (or whatever — this becomes pctos.pages.dev while you set up the custom domain)
  5. Production branch: main (or master if that’s what you pushed)
  6. Build settings:
    • Framework preset: None (Quartz isn’t in their preset list)
    • Build command: cd .quartz && npm ci && npx quartz build -d ../ -o ./public
    • Build output directory: .quartz/public
    • Root directory: (leave blank — defaults to repo root)
  7. Environment variables:
    • NODE_VERSION = 22 (Quartz requires Node ≥ 22)
  8. Save and Deploy

The first build takes ~2–4 minutes. Watch the build log — if it fails, see runbook → “Cloudflare Pages build fails.”

When the build succeeds, your site is live at https://pctos.pages.dev. Open it and click around to verify that the content renders and that / redirects to /INDEX.


Step 3 — Bind the custom domain

  1. Inside the Pages project: Custom domains → Set up a custom domain
  2. Enter pctos.com → Cloudflare auto-creates a CNAME record on the zone
  3. Confirm. SSL/TLS provisions automatically (a few minutes).
  4. Verify https://pctos.com loads the site.

Optional: redirect www.pctos.com to pctos.com via a Page Rule or just point both at the Pages project.


Step 4 — Configure Cloudflare Access (the auth gate)

This is what restricts the site to the 7 execs.

  1. Cloudflare dashboard → Zero Trust (might be branded “Cloudflare One”) → if first time, run through the team setup (free tier supports up to 50 users)
  2. Access → Applications → Add an application → Self-hosted
  3. Application configuration:
    • Application name: Company OS — pctos.com
    • Session duration: 24 hours (long enough not to be annoying; short enough that revocation is fast)
    • Application domain: pctos.com
    • (Optional) Application logo URL: a PCT logo if you have one
  4. Identity providers: keep defaults (One-time PIN — email magic link). You don’t need Google/Microsoft SSO for 7 people.
  5. Add policy:
    • Policy name: Executive 7
    • Action: Allow
    • Configure rules → Include → Emails → enter all 7 exec emails (one per line)
  6. Save the application.

Step 5 — Test the gate

  1. Open an Incognito / Private browsing window
  2. Visit https://pctos.com
  3. You should be prompted: “Sign in with your email”
  4. Enter one of the 7 emails → magic-link code arrives → enter the code → land on the site
  5. Try with an email NOT on the list → should be denied
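
The same check from a terminal, as an added example (not part of the original runbook): it reports whether a hostname answers an unauthenticated request with the Access login redirect. The file name check-gate.sh and the gated/open/unknown labels are hypothetical, and the redirect to a *.cloudflareaccess.com team domain is an assumption about how Access responds. The Access application in Step 4 is scoped to pctos.com, so pass the pctos.pages.dev hostname from Step 2 as well to see whether it is served without the login.

```shell
#!/bin/sh
# Added example: report whether a hostname answers unauthenticated requests
# with the Cloudflare Access login redirect.
# Assumption: Access replies to an unauthenticated request with a 3xx whose
# Location is on a *.cloudflareaccess.com team domain.

# parse_response: raw response headers on stdin -> "STATUS LOCATION"
parse_response() {
    tr -d '\r' | awk '
        NR == 1 { code = $2 }                       # e.g. "HTTP/2 302"
        tolower($1) == "location:" { loc = $2 }
        END { print code, loc }'
}

# classify_gate STATUS LOCATION -> gated | open | unknown
classify_gate() {
    code=$1
    host=${2#*://}        # drop the scheme
    host=${host%%[/?]*}   # drop path and query, leaving only the host
    case $code in
        30[12378])
            case $host in
                *.cloudflareaccess.com) echo gated ;;
                *) echo unknown ;;   # redirect, but not to the Access login
            esac ;;
        2??) echo open ;;            # content served with no login at all
        *) echo unknown ;;
    esac
}

# check_host HOSTNAME: one request, redirects not followed, no cookies sent
check_host() {
    resp=$(curl -s -o /dev/null -D - --max-time 10 "https://$1/" | parse_response)
    printf '%s\t%s\n' "$1" "$(classify_gate "${resp%% *}" "${resp#* }")"
}

# Usage: sh check-gate.sh pctos.com pctos.pages.dev
for h in "$@"; do check_host "$h"; done
```

A hostname reported as open is serving the site to anyone who has the URL.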

Step 6 — Notify the team

Send each of the 7 a short message — Brady-voice, drafted via the appropriate skill (do NOT freehand). Suggested skills from bradyshearer/content-engine:

  • For Slack/email: no specific skill exists for short internal-team messaging. Either freehand a one-liner (“pctos.com is the new home for the Company OS — sign in with your work email; questions, ping me”) or write it yourself.

The message should cover:

  • The URL: pctos.com
  • The login flow: enter your email, get a magic-link code, paste, in
  • That it’s read-only (Brady edits in Clearly; site updates hourly)
  • Where to start: INDEX

Ongoing — Adding or removing a team member

  1. Zero Trust → Access → Applications → Company OS — pctos.com → Edit
  2. Find the Executive 7 policy → edit the email list
  3. Save
  4. Removed users lose access on their next session expiry (≤ 24 hours per Step 4 setting). For immediate revocation, use Zero Trust → My Team → Users → revoke that user’s session.