feat: add Cloudflare tunnel hosting

README.md

@@ -32,14 +32,16 @@ Useful commands:
 - `./scripts/deploy-do [jet@noisebell-do]` redeploys the DigitalOcean remote host
 - `./scripts/nhs` redeploys the old Hetzner host using the local checkout as the flake input
 - `scripts/deploy-pios-pi.sh pi@100.66.45.36` redeploys the Raspberry Pi OS machine
+- `scripts/share-grafana-public-dashboard jet@noisebell-do` repairs or prints the deterministic public-safe Grafana dashboard link
 
-The full Home Assistant relay workflow is documented in `pi/README.md`.
+The full Home Assistant relay workflow is documented in `pi/README.md`. Public hosting, Cloudflare Tunnel, firewall, and Grafana sharing details are documented in `docs/hosting.md`.
 
 ## Observability
 
-The DigitalOcean host runs Prometheus, Loki, Grafana, Alloy, node_exporter, and blackbox_exporter via `hosts/noisebell-do/observability.nix`. Grafana provisions the `Noisebell DO + Pi` dashboard from code, with Prometheus panels for both hosts, detailed DO-to-Pi poll health, and Loki journal panels for both hosts.
+The DigitalOcean host runs Prometheus, Loki, Grafana, Alloy, node_exporter, and blackbox_exporter via `hosts/noisebell-do/observability.nix`. Grafana provisions `Noisebell Full Debug` for authenticated operators and `Noisebell Public` for externally shared, Prometheus-only status.
 
-- Grafana: `http://noisebell-do:3030/` over Tailscale
+- Grafana: `https://grafana-noisebell.extremist.software/` through Cloudflare Tunnel, login required
+- Public-safe Grafana dashboard: `https://grafana-noisebell.extremist.software/public-dashboards/6e6f69736562656c6c7075626c696330`
 - Prometheus: `http://noisebell-do:9090/` over Tailscale
 - Loki: `http://noisebell-do:3100/` over Tailscale