diff --git a/docs/todo.md b/docs/todo.md
index 0549338f..737c8845 100644
--- a/docs/todo.md
+++ b/docs/todo.md
@@ -2,21 +2,22 @@
 
 - [Better Terraform provider inheritance](../infra/terraform.tf#L8)
 - [(bug) Apply LXD VMs in parallel](../infra/Makefile#L12)
-- [(bug) Investigate why --noconfirm is not working](../tools/Dockerfile#L3)
 - [(bug) Should be posible to put it in the profile instead lxd_profile.master_profile.config, and make it a variable](../infra/modules/kubernetes-cluster/main.tf#L145)
 - [(bug) Use containers instead of virtual machines for Kubernetes nodes https](../infra/modules/kubernetes-cluster/main.tf#L155)
 - [(feature) Automatic ingress and tunnel for all services](../infra/modules/kubernetes-bootstrap/main.tf#L85)
 - [(feature) Enable etcd authentication and generate terraform backend config variables](../metal/roles/tfstate/tasks/main.yml#L43)
 - [(feature) Generate endpoint automatically (terragrunt for variable)](../infra/terraform.tf#L2)
+- [(feature) Get cloudflare tunnel credentials automatically](../infra/modules/vpn/ansible/roles/cloudflared/tasks/main.yml#L10)
 - [(feature) Upgrade hosts kernel to use Wireguard in container](../infra/modules/vpn/main.tf#L15)
+- [ http](../infra/modules/vpn/ansible/roles/cloudflared/templates/config.yml.j2#L6)
 - [(optimize) Change to /var/lib/lxd/server.crt after https](../metal/roles/lxd/tasks/main.yml#L26)
 - [(optimize) Convert to YAML for Terraform yamldecode](../metal/hosts.ini#L1)
-- [(optimize) Decide if VPN should be inside Kubernetes](../infra/base.tf#L1)
 - [(optimize) DRY master and worker definition](../infra/modules/kubernetes-cluster/main.tf#L135)
 - [(optimize) HA Vault and auto unseal Vault](../infra/modules/kubernetes-bootstrap/main.tf#L82)
 - [(optimize) LXD node firewall](../metal/roles/lxd/tasks/main.yml#L6)
 - [(optimize) LXD node SELinux](../metal/roles/lxd/tasks/main.yml#L1)
-- [(optimize) Make parent interface a variable](../infra/modules/vpn/main.tf#L38)
+- [(optimize) Make parent interface a variable](../infra/modules/vpn/main.tf#L39)
+- [(optimize) Put Wireguard allowed public keys somewhere else](../infra/modules/vpn/ansible/roles/wireguard/defaults/main.yml#L2)
 - [(optimize) Use btrfs in k8s 1.19.8 https](../metal/roles/lxd/templates/leader.yaml.j2#L17)
 - [(optimize) Use metal values for MetalLB values](../infra/modules/kubernetes-bootstrap/values/metallb.yaml#L6)
 - [(optimize) Use template for tfvars](../metal/roles/lxd/tasks/main.yml#L38)
diff --git a/tools/Dockerfile b/tools/Dockerfile
index 63fde33a..b076f25a 100644
--- a/tools/Dockerfile
+++ b/tools/Dockerfile
@@ -1,6 +1,5 @@
 FROM archlinux
 
-# TODO (bug) Investigate why --noconfirm is not working
 RUN yes | pacman --sync --refresh \
         ansible \
         curl \
diff --git a/tools/Makefile b/tools/Makefile
index 078341e0..c7c92e23 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -5,7 +5,6 @@ TAG = homelab-tools
 default: check build run
 
 check:
-	command -v docker
 	docker info --format '{{ .Plugins.Network }}' | grep 'host'
 
 build: