cloudflared:
image: cloudflare/cloudflared:latest
command: tunnel run
environment:
  - TUNNEL_TOKEN=my-super-secred-tunnel-token
restart: unless-stopped
network_mode: "host"

Then whatever can run in its network with bridge driver:

networks:
  nextcloud:
    driver: bridge
....
services:
  nextcloud:
    networks:
      - nextcloud
	ports:
	  - "1234:80"

And then in the cloudflare zero trust UI add a tunnel from localhost:1234.

Neat thing is that tunnel type HTTP refers to the connection to the host running cloudflared, but the thing is accessible through cloudflare’s servers as both http and https. No need to manually do any certs stuff!