Server provisioning scripts: clean Ubuntu VPS → hardened Coolify + Tailscale + Cloudflare Tunnel in ~15 min

[jroth1111]

Implementation: https://github.com//pull/8548

The problem

Most Coolify guides end at curl -fsSL https://get.coolify.io | bash. That gets Coolify running — but it leaves the server in a state few people would accept in production:

• Root SSH open with password authentication
• No firewall (all ports reachable from the internet)
• Coolify dashboard on port 8000, publicly accessible
• Docker bypasses UFW by default — containers can open ports to the internet regardless of firewall rules
• No audit logging, no intrusion detection, no automatic security patches

Closing all of these gaps manually means understanding UFW, iptables DOCKER-USER chains, sshd_config hardening, auditd, fail2ban, sysctl kernel parameters, Tailscale, and Cloudflare Tunnel — then correctly wiring them together. Most guides either skip the hard parts or treat each as a separate tutorial with no automation.

The solution

A set of bash scripts that take a completely clean Ubuntu 24.04 VPS and automate the entire journey — from first SSH to production-ready — in ~15 minutes:

clean VPS (root SSH, no firewall)
  → SSH hardening: key-only, admin user, root login disabled
  → UFW default-deny + DOCKER-USER chain (closes the Docker bypass)
  → Auditd, fail2ban, kernel hardening, unattended-upgrades
  → Tailscale VPN: SSH and dashboard accessible only via VPN
  → Docker + Coolify installed
  → Cloudflare Tunnel: zero open inbound ports
  → Wildcard DNS: *.example.com → Traefik → containers
  → Coolify dashboard bound to Tailscale IP only
  → Validation gate: 94 checks, 0 failures

Two entry points — choose based on where you are:

• deploy.sh — run from your laptop; give it the VPS IP, root password, Tailscale auth key, and Cloudflare API token. SSHes in and handles everything. No manual server access needed.
• setup.sh — same, but run directly on the server if you are already SSHed in.

Both support interactive (prompt-driven) and non-interactive (--yes) modes and are idempotent — safe to re-run if interrupted.

Inputs

Five things you need before running the script:

Input	Example	Where to get it
VPS public IP	203.0.113.1	VPS provider control panel (Hetzner, DigitalOcean, etc.)
Root password		VPS provider control panel
Tailscale auth key	tskey-auth-xxx...	tailscale.com/admin/settings/keys — Reusable, Ephemeral
Domain on Cloudflare	coolify.example.com	Any domain managed in Cloudflare DNS
Cloudflare API token		dash.cloudflare.com/profile/api-tokens — needs Zone:DNS:Edit + Account:Cloudflare Tunnel:Edit

Your SSH public key is read automatically. All other options (admin username, swap size, deployment mode) have sensible defaults.

Output

Phase progress (deploy.sh, abridged):

[1/5] Upload scripts and harden server
  PASS Hardening completed
  PASS Server Tailscale IP: 100.64.1.42

[2/5] Gate checks
  PASS Gate A: SSH reachable via Tailscale
  PASS Gate C: validate_hardening.sh — 0 failures

[3/5] Install Docker and Coolify
  PASS Docker installed
  PASS Coolify installed

[4/5] Configure Cloudflare DNS and Tunnel
  PASS Cloudflare token verified
  PASS CNAME: coolify.example.com → tunnel
  PASS CNAME: *.example.com → tunnel
  PASS Cloudflare Tunnel created

[5/5] Final verification
  PASS Gate E: dashboard reachable on Tailscale (HTTP 302)
  PASS Gate F: https://coolify.example.com responds (HTTP 302)
  PASS Gate G: validate_hardening.sh — 0 failures

Completion summary:

┌─────────────────────────────────────────────────────────────┐
│                    DEPLOYMENT COMPLETE                      │
├─────────────────────────────────────────────────────────────┤
│  Server Public IP : 203.0.113.1                            │
│  Tailscale IP     : 100.64.1.42                            │
│  Admin User       : coolifyadmin                           │
│  Deploy Mode      : tunnel                                 │
│  Domain           : coolify.example.com                    │
│  Dashboard URL    : http://100.64.1.42:8000                │
│  SSH Access       : ssh coolifyadmin@100.64.1.42           │
├─────────────────────────────────────────────────────────────┤
│  DNS              : CNAME coolify.example.com              │
│  Wildcard DNS     : CNAME *.example.com                    │
│  Tunnel ID        : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   │
│  WebSocket (Soketi): ws.coolify.example.com → tunnel       │
│  Terminal         : terminal.coolify.example.com → tunnel  │
└─────────────────────────────────────────────────────────────┘

Validation output (validate_hardening.sh):

[PASS] ssh: PermitRootLogin=no
[PASS] ssh: PasswordAuthentication=no
[PASS] ssh: external root login denied
[PASS] ufw: active
[PASS] ufw: SSH NOT on WAN
[PASS] ufw: SSH on tailscale0
[PASS] ufw: Coolify dashboard (8000) on tailscale0
[PASS] docker-user: IPv4 wan-drop
[PASS] docker-user: IPv6 wan-drop6
[PASS] sysctl: kernel.randomize_va_space=2
[PASS] sysctl: net.ipv4.tcp_syncookies=1
[PASS] sysctl: kernel.yama.ptrace_scope=1
[PASS] fail2ban: active
[PASS] fail2ban: ignoreip includes Tailscale CIDR
[PASS] auditd: identity rules loaded
[PASS] cloudflared: tunnel /ready OK (4 connections)
[PASS] cloudflared: ingress routes apps via Traefik (port 80)
... 77 more checks ...
{"pass":94,"fail":0,"info":3}

Security architecture

                         Internet
                            │
                    ┌───────┴───────┐
                    │  Cloudflare   │  ← Universal SSL (*.example.com)
                    │     Edge      │
                    └───────┬───────┘
                            │
         ┌──────────────────┼──────────────────┐
         │ Tunnel (default) │   Standard       │
         │  Outbound-only   │   Ports 80/443   │
         └──────────────────┼──────────────────┘
                            │
                    ┌───────┴───────┐
                    │    Server     │
                    │  ┌─────────┐  │
                    │  │ Traefik │  │  ← Host-header routing
                    │  └─────────┘  │
                    │  Tailscale ◄──┼── Admin SSH + Dashboard (100.x.x.x)
                    └───────────────┘
                  No public SSH. No public dashboard.

Before and after

	Before	After
SSH	Root + password, public IP	Key-only, admin user, Tailscale VPN only
Coolify dashboard	Port 8000, public internet	Tailscale IP only (100.x.x.x:8000)
App traffic	—	Cloudflare edge SSL → tunnel → Traefik → containers
Docker ports	Bypass UFW by default	DOCKER-USER chain blocks WAN ingress
Firewall	None	UFW default-deny
Audit logging	None	Auditd: identity changes, sudo, Docker socket
Security patches	Manual	Unattended-upgrades with scheduled reboots
Public attack surface	SSH + 8000 + Docker bypass	Zero management surface on public IP

Every new app deployed in Coolify automatically gets: auto-assigned subdomain → wildcard DNS → Cloudflare edge SSL → tunnel → Traefik → container. No per-app DNS or TLS configuration needed.

Threat model

Threat	Mitigation
SSH brute-force	fail2ban + key-only auth + Tailscale-only access
Docker bypasses UFW	DOCKER-USER iptables chain with explicit DROP
Root compromise via SSH	Root login disabled globally; only from localhost (for Coolify container→host)
Kernel exploits	ASLR full, ptrace restricted, BPF disabled, kexec disabled
Unpatched vulnerabilities	Unattended-upgrades with auto-reboot for kernel updates
Dashboard exposure	UFW restricts port 8000 to tailscale0 only; binding-guard timer re-applies on reboot
Direct IP bypass (tunnel mode)	Cloudflare Tunnel is outbound-only; origin IP never exposed

LLM-assisted deployment

The scripts are designed to work with an AI assistant. Share your deployment parameters with Claude, ChatGPT, or another LLM and point it at AGENTS_DEPLOY.md — it can guide you through or run the entire deployment autonomously:

• Structured phases with explicit gates — each phase has defined inputs, outputs, and a verification step the LLM can check before proceeding
• Machine-readable validation — validate_hardening.sh --json emits {"pass":N,"fail":N,"checks":[...]} so an LLM can parse results and decide whether to continue or diagnose a failure
• Idempotent operations — every step is safe to re-run, so an LLM can retry without risk
• Resume support — --ts-ip <ip> resumes from phase 2 if phase 1 already completed, without repeating destructive steps

What if something goes wrong?

The most common concern with a script that hardens SSH is getting locked out.

Locked out after hardening? Most VPS providers (Hetzner, DigitalOcean, Linode) offer a web-based console that bypasses network rules entirely. Use that to recover or diagnose.

Lost the Tailscale IP? Check your Tailscale admin panel — the server appears there with its assigned 100.x.x.x address. Resume with deploy.sh --ts-ip <ip> to continue without re-running hardening.

UFW blocking something unexpected? Via VPS console: sudo ufw status numbered to inspect rules, or sudo ufw disable to temporarily drop all rules while you investigate.

Important: These scripts are additive only — they do not provide rollback. Snapshot your VPS before running if you want a clean recovery path.

Comparison

Approach	Zero to production	Security posture	Notes
These scripts	~15 min automated	Defense-in-depth	Requires Cloudflare + Tailscale (both free tier)
Manual hardening	Hours to days	Depends on skill	Full control; easy to miss the Docker bypass
Coolify default install	~5 min	Dashboard exposed on :8000	No firewall, no VPN, no audit logging
Managed hosting	Instant	Provider-dependent	Higher cost, less control

Quality

• BATS test suite — unit and integration tests covering hardening controls and validation logic
• ShellCheck-clean — all scripts pass static analysis
• Idempotent — safe to re-run on an already-provisioned server at every step
• Validated on a live deployment — validate_hardening.sh --json reports 0 failures across 94 checks on a real server

Proposed addition to Coolify repo

Add a scripts/provisioning/ directory alongside the existing scripts/ install and upgrade scripts:

scripts/provisioning/
├── deploy.sh                    # Laptop-side orchestrator
├── setup.sh                     # Server-side orchestrator
├── bootstrap_hardening.sh       # 15 security controls (1,854 lines)
├── validate_hardening.sh        # Post-hardening gate check, JSON output
├── configure_coolify_binding.sh # Binds dashboard to Tailscale IP
└── lib/
    └── coolify-common.sh        # Shared: Cloudflare API, logging, prompts

No PHP, Laravel, Livewire, or database changes. Purely additive bash scripts.

Requirements

• Ubuntu 24.04 VPS (2GB+ RAM, 40GB+ disk)
• Domain managed on Cloudflare (free plan works)
• Tailscale account + auth key (free for personal use)
• Cloudflare API token with Zone:DNS:Edit + Account:Cloudflare Tunnel:Edit

Existing implementation

Fully implemented and tested against a live deployment: https://github.com/jroth1111/secure_coolify_ubuntu

Note on feature freeze

I understand Coolify is prioritising stability right now. Since this is purely additive — new files in a new directory, touching nothing existing — happy to discuss whether it falls outside the freeze scope, or simply wait for the right window.

Hardening checklist

What validate_hardening.sh checks (94 checks, 0 failures on live deployment)

Time sync

• NTP service active
• NTPSynchronized=yes

Swap

• Swap active at configured size
• /swapfile permissions 0600
• Single fstab entry

Service cleanup

• rpcbind, avahi-daemon, cups disabled and stopped

Login banner

• /etc/issue.net present

SSH hardening

• Key-only auth (PasswordAuthentication no)
• Root login disabled globally (PermitRootLogin no)
• Admin user in AllowUsers
• Modern cipher/MAC/Kex restrictions
• Match Address block: root login allowed from localhost + Docker bridge only (required for Coolify container→host SSH)
• Match Address block: AllowUsers root scoped to localhost

Auditd

• Service active
• Identity-change rules loaded (su, useradd, groupadd, passwd, usermod)
• Sudoers rules loaded

Kernel hardening (sysctl)

• net.ipv4.tcp_syncookies=1 — SYN flood protection
• net.ipv4.tcp_max_syn_backlog=2048
• net.ipv4.tcp_synack_retries=2
• net.ipv4.conf.all.rp_filter=2 — reverse path filtering
• net.ipv4.ip_forward=1
• fs.protected_hardlinks=1
• fs.protected_symlinks=1
• fs.suid_dumpable=0
• kernel.randomize_va_space=2 — ASLR full randomisation
• kernel.yama.ptrace_scope=1 — ptrace restricted
• kernel.kptr_restrict=2 — kernel pointer leak prevention
• kernel.dmesg_restrict=1
• kernel.perf_event_paranoid=3
• kernel.unprivileged_bpf_disabled=1
• kernel.kexec_load_disabled=1
• kernel.sysrq=4
• vm.swappiness=10
• net.ipv4.tcp_congestion_control=bbr — BBR congestion control
• net.core.default_qdisc=fq

UFW firewall

• Active with default-deny incoming
• SSH blocked on WAN
• SSH allowed on Tailscale interface
• SSH allowed from Docker bridge (for container→host)
• Coolify dashboard (8000) only on Tailscale interface
• Coolify Soketi (6001) only on Tailscale interface
• Coolify terminal (6002) only on Tailscale interface
• Tunnel mode: port 80 not open on WAN
• Tunnel mode: port 443 not open on WAN

Docker daemon

• daemon.json present
• log-driver=json-file with max-size rotation
• live-restore=true

DOCKER-USER iptables chain (prevents Docker bypassing UFW)

• Systemd unit file present, PartOf=docker.service
• Service completed successfully
• IPv4 WAN drop rule active
• IPv4 bridge-docker0 return rule active
• IPv6 WAN drop rule active
• Tunnel mode: no WAN web traffic bypass

Fail2ban

• Service active
• SSH jail enabled
• banaction=ufw
• Tailscale CIDR (100.64.0.0/10) in ignoreip
• f2b-sshd iptables chain present

Journald

• Persistent storage configured
• Disk usage within limit

Unattended-upgrades

• Local config present
• Ubuntu security origin covered
• Docker CE origin covered
• Reboot policy configured
• Timer active

Tailscale VPN

• CLI installed
• tailscale0 interface present
• BackendState=Running
• IPv4 address assigned

Admin user

• User exists
• In sudo group
• Passwordless sudo configured
• authorized_keys exists, non-empty, valid format

Coolify dashboard binding

• Port 8000 listening
• UFW restricts port 8000 to Tailscale interface
• UFW binding-guard timer active (re-applies on reboot)
• SSH key exists and readable
• Key in root's authorized_keys
• root@127.0.0.1 SSH functional (required for Coolify deployments)
• Container→host SSH via host.docker.internal

Cloudflare Tunnel (if installed)

• Config file present
• Tunnel ID configured
• cloudflared service active
• Tunnel /ready endpoint responding
• Ingress: wildcard app domains → Traefik (port 80)
• Ingress: dashboard hostname → Coolify (port 8000)
• Ingress: Soketi → port 6001
• Ingress: terminal → port 6002 via /terminal/ws path
• Terminal rule before catch-all (correct ingress order)

AppArmor

• Enabled
• aa-status reachable