Cloud Engineer for Cloudflare ZTNA Security on Coolify Deployment on Hetzner Bare-Metal Servers
Objective
We are seeking an experienced Cloud Engineer to design, deploy, secure, and document two Coolify-based environments on Hetzner bare-metal servers.
The focus is to completely lock down the servers from the Internet and expose access only through Cloudflare Tunnel (Zero Trust), with authentication via Microsoft Entra ID (Azure AD) SSO and Cloudflare WARP agents installed on staff devices.
A video handover tutorial and a 1-hour follow-up video call will complete the project to ensure smooth internal adoption.
Scope of Work
1. Infrastructure Provisioning (Hetzner)
Server Setup
Deploy two Hetzner bare-metal servers:
Primary Server (Coolify Central System) – running Coolify’s management dashboard and orchestration.
Secondary Server (VPN & Services) – running a Dockerised WireGuard (WG-Easy or equivalent) for company VPN access and to host additional services in the future.
Hetzner Firewall Configuration
Use the Hetzner Robot firewall on both servers. It is stateless and enforced on Hetzner's side of the uplink, outside the host, so rules that Docker adds to the server's own iptables cannot bypass it.
Default: all incoming traffic blocked unless explicitly allowed.
Configure ordered rule sets (max. 10 per direction) with protocol, source/destination IP, port, and action; rules are evaluated top-down and the first match wins, so an explicit discard belongs last.
Because no connection state is tracked, return traffic must be allowed explicitly: inbound TCP packets with the ACK flag set to the ephemeral ports 32768–65535, and UDP replies such as DNS answers from source port 53.
Permit outbound traffic required for Cloudflare Tunnel (7844 TCP/UDP) and for OS and Docker updates (80/443 TCP, 53 UDP).
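The rule set described in this section, scripted for reproducibility as an added example (not part of the job posting). It renders the rules as Hetzner Robot webservice form fields and applies them with curl; the field names (`status`, `whitelist_hos`, `rules[input|output][N][name|ip_version|src_ip|src_port|dst_port|protocol|tcp_flags|action]`) follow Hetzner's Robot webservice reference and should be verified against the current documentation before use. The admin IP, server number, role names and `BOOTSTRAP` switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example: render the stateless Hetzner Robot firewall as Robot API form
# fields and apply it with curl. Nothing here is Hetzner's or the posting's code.
# Placeholders: HETZNER_ADMIN_IP (TEST-NET-3), SERVER_NUMBER, ROBOT_USER/PASSWORD.
set -eu

ROBOT_API="https://robot-ws.your-server.de"
HETZNER_ADMIN_IP="${HETZNER_ADMIN_IP:-203.0.113.10}"   # placeholder admin/office IPv4
EPHEMERAL="32768-65535"

FORM=""; IN_N=0; OUT_N=0

# rule DIR NAME PROTO SRC_IP SRC_PORT DST_PORT TCP_FLAGS ACTION
# Appends one rule; refuses an 11th per direction instead of letting the API
# reject the whole set. Empty fields are omitted (= any).
rule() {
  dir=$1; name=$2; proto=$3; src_ip=$4; src_port=$5; dst_port=$6; flags=$7; action=$8
  if [ "$dir" = input ]; then i=$IN_N; IN_N=$((IN_N + 1)); else i=$OUT_N; OUT_N=$((OUT_N + 1)); fi
  if [ "$i" -ge 10 ]; then echo "too many $dir rules (Robot allows 10)" >&2; return 1; fi
  p="rules[$dir][$i]"
  FORM="$FORM&$p[name]=$name&$p[ip_version]=ipv4&$p[action]=$action"
  if [ -n "$proto" ];    then FORM="$FORM&$p[protocol]=$proto"; fi
  if [ -n "$src_ip" ];   then FORM="$FORM&$p[src_ip]=$src_ip"; fi
  if [ -n "$src_port" ]; then FORM="$FORM&$p[src_port]=$src_port"; fi
  if [ -n "$dst_port" ]; then FORM="$FORM&$p[dst_port]=$dst_port"; fi
  if [ -n "$flags" ];    then FORM="$FORM&$p[tcp_flags]=$flags"; fi
}

# robot_form_body ROLE [BOOTSTRAP]: print the complete form body for one server.
# ROLE is primary (Coolify) or secondary (WG-Easy). BOOTSTRAP=1 adds the ports the
# posting opens during installation; re-run with 0 once the tunnel works.
# Rules are matched top-down, first match wins, so the discard goes last.
robot_form_body() {
  role=$1; bootstrap=${2:-0}
  FORM=""; IN_N=0; OUT_N=0
  # incoming: nothing listens publicly; only replies to connections the host opened
  rule input  tcp-replies tcp  ""                  ""   "$EPHEMERAL" ack accept
  rule input  dns-replies udp  ""                  53   "$EPHEMERAL" ""  accept
  rule input  icmp        icmp ""                  ""   ""           ""  accept
  rule input  ssh-admin   tcp  "$HETZNER_ADMIN_IP" ""   22           ""  accept   # bootstrap only; remove once SSH goes through the tunnel
  if [ "$bootstrap" = 1 ]; then
    rule input http-acme  tcp  ""                  ""   80           ""  accept
    rule input https-acme tcp  ""                  ""   443          ""  accept
    rule input coolify-ui tcp  "$HETZNER_ADMIN_IP" ""   8000         ""  accept
  fi
  if [ "$role" = secondary ]; then
    rule input wireguard  udp  ""                  ""   51820        ""  accept   # WireGuard listener; UDP cannot ride a public tunnel hostname
  fi
  rule input  drop-all    ""   ""                  ""   ""           ""  discard
  # outgoing: cloudflared (7844 QUIC/TCP), updates, DNS, and stateless replies to accepted inbound traffic
  rule output cloudflared-quic udp  "" ""    7844 ""  accept
  rule output cloudflared-tcp  tcp  "" ""    7844 ""  accept
  rule output https-out        tcp  "" ""    443  ""  accept
  rule output http-out         tcp  "" ""    80   ""  accept
  rule output dns-out          udp  "" ""    53   ""  accept
  rule output tcp-replies      tcp  "" ""    ""   ack accept
  rule output icmp             icmp "" ""    ""   ""  accept
  if [ "$role" = secondary ]; then
    rule output wireguard-replies udp "" 51820 "" "" accept
  fi
  rule output drop-all         ""   "" ""    ""   ""  discard
  printf 'status=active&whitelist_hos=true%s\n' "$FORM"
}

# rule_count BODY DIR: number of rules a rendered body holds for a direction.
rule_count() {
  printf '%s' "$1" | tr '&' '\n' | grep -c "^rules\[$2\]\[[0-9]*\]\[name\]=" || true
}

# apply_hetzner_firewall SERVER_NUMBER ROLE [BOOTSTRAP]: POST the rule set to Robot.
apply_hetzner_firewall() {
  curl -fsS -u "$ROBOT_USER:$ROBOT_PASSWORD" \
    --data "$(robot_form_body "$2" "${3:-0}")" \
    "$ROBOT_API/firewall/$1"
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_hetzner_firewall "${SERVER_NUMBER:?}" "${ROLE:-primary}" "${BOOTSTRAP:-0}"
fi
```

Run `robot_form_body secondary 1` to inspect the bootstrap set before applying, then `APPLY=1 SERVER_NUMBER=... ROLE=secondary BOOTSTRAP=0 sh hetzner-fw.sh` once cloudflared is connected. The outbound `tcp-replies` rule is the stateless counterpart of the inbound one: without it the server cannot answer the SSH or ACME connections the input rules admit. Only IPv4 is covered; an IPv6 rule set needs its own entries.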
2. Coolify Installation & Hardening
Deploy the latest Coolify self-hosted release using Docker on the Primary Server.
During setup, open the necessary ports in the Hetzner firewall (22 SSH, 80/443 for TLS certificate issuance, 8000/6001/6002 for the initial UI, realtime and terminal services), then close them once the tunnel is working.
Account for Docker bypassing host firewalls: a published port (-p 8000:8000) is inserted into iptables ahead of ufw/firewalld rules, so a host firewall does not reliably hide it. Bind management ports to 127.0.0.1 and enforce exposure limits in the Hetzner firewall, which sits outside the host.
Integrate Coolify services with Cloudflare Tunnel so they are exposed only through Zero Trust Access.
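A check for the Docker exposure point above, as an added example that is not part of the job posting: it reads `docker ps` port mappings and flags every publish bound to all interfaces that is not on an explicit allowlist. The sample `docker ps` lines are constructed for the example; the container names and the allowlist of 80/443 (Coolify's proxy, needed for ACME) are assumptions.

```shell
#!/bin/sh
# Added example: audit which container ports are published on 0.0.0.0 / ::.
# Docker programs its own iptables chains for -p publishes ahead of host
# firewall rules, so ufw saying "deny 8000" does not stop 0.0.0.0:8000->8080.
set -eu

TAB=$(printf '\t')

# audit_ports ALLOWED_PORTS < lines
# Input format is `docker ps --format '{{.Names}}\t{{.Ports}}'`.
# Prints one "NAME HOSTPORT/PROTO" line per wide-open publish not in ALLOWED_PORTS.
audit_ports() {
  allowed_list=${1:-}
  while IFS=$TAB read -r name ports; do
    [ -n "$ports" ] || continue
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r mapping; do
      case $mapping in
        0.0.0.0:*|:::*|"[::]:"*) ;;      # bound on all interfaces: candidate
        *) continue ;;                   # loopback, specific IP, or unpublished
      esac
      hostside=${mapping%%->*}           # e.g. 0.0.0.0:8000
      hostport=${hostside##*:}           # 8000
      proto=${mapping##*/}               # tcp / udp
      allowed=0
      for p in $allowed_list; do
        if [ "$p" = "$hostport" ]; then allowed=1; fi
      done
      if [ "$allowed" = 0 ]; then printf '%s %s/%s\n' "$name" "$hostport" "$proto"; fi
    done
  done | sort -u                         # IPv4 and IPv6 binds collapse to one finding
}

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output:
# Coolify UI still on all interfaces, proxy on 80/443, WG-Easy with its UI
# correctly on loopback but the WireGuard listener public, cloudflared with nothing published.
SAMPLE=$(printf 'coolify\t0.0.0.0:8000->8080/tcp, :::8000->8080/tcp, 127.0.0.1:6001->6001/tcp\ncoolify-proxy\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp\nwg-easy\t0.0.0.0:51820->51820/udp, :::51820->51820/udp, 127.0.0.1:51821->51821/tcp\ncloudflared\t')

# audit_sample [ALLOWED_PORTS]: run the audit over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE" | audit_ports "${1:-80 443}"; }

# On a real host:  docker ps --format '{{.Names}}\t{{.Ports}}' | audit_ports "80 443"
audit_sample
```

Each finding is a port the Hetzner firewall must block or the compose file must rebind (`"127.0.0.1:8000:8080"` instead of `"8000:8080"`). On the secondary server 51820/udp is expected to show up, since the WireGuard listener is the one service that has to face the network.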
3. Cloudflare Tunnel & Zero Trust Integration
Deploy cloudflared on both servers (one tunnel per server).
Configure outbound rules to allow port 7844 TCP/UDP, which cloudflared uses to reach Cloudflare's edge (UDP for QUIC, TCP for the HTTP/2 fallback).
Bind tunnels to Cloudflare Zero Trust, ensuring no inbound ports are left open: every connection is initiated outbound by cloudflared.
Set up Zero Trust (Access) policies restricting access to company staff authenticated with Microsoft Entra ID (Azure AD) SSO, combined with a device posture requirement that the WARP client is installed and enrolled.
Integrate Entra ID as the identity provider: register an application in Entra ID and enter its Application (client) ID, Directory (tenant) ID, and client secret in the Cloudflare Zero Trust dashboard, then scope the Access policies to the Entra groups that should have access.
4. VPN Deployment (Secondary Server)
Deploy WG-Easy (Dockerised WireGuard UI):
Provides web-based management for WireGuard VPN.
Simplifies creation/revocation of VPN users and configuration of devices.
Publish the WG-Easy web UI (51821/TCP) only through Cloudflare Tunnel behind an Access policy, and bind it to 127.0.0.1 on the host so it is reachable no other way.
Note that Cloudflare Tunnel public hostnames carry HTTP(S) and TCP-style services but not arbitrary UDP: the WireGuard listener itself (51820/UDP) must either be allowed inbound in the Hetzner firewall or be reached over a Cloudflare private-network route from WARP-enrolled devices.
Ensure VPN access is bound to Zero Trust identity and device policies.
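Sections 3 and 4 meet in two files: the locally managed cloudflared config that maps one hostname per internal service, and the WG-Easy compose file that keeps the UI on loopback while the WireGuard listener stays public. The script below, an added example rather than the posting's or either project's own code, renders both and checks the invariants the design relies on: the catch-all rule is last, every origin is loopback, and no public hostname points at a UDP service. The tunnel UUID, domain, hostnames and the `/opt/wg-easy` path are placeholders; it assumes cloudflared runs as a host service (`cloudflared service install`), so 127.0.0.1 means the server itself.

```shell
#!/bin/sh
# Added example: render cloudflared ingress + WG-Easy compose and verify them.
# Placeholders: TUNNEL_ID (from `cloudflared tunnel create`), DOMAIN, hostnames.
set -eu

TUNNEL_ID="${TUNNEL_ID:-00000000-0000-0000-0000-000000000000}"
DOMAIN="${DOMAIN:-example.com}"

# write_cloudflared_config FILE ROLE: one public hostname per service, each
# pointing at loopback. Every hostname is then gated by an Access policy
# (Entra ID login + WARP posture) in the Zero Trust dashboard, and
# `cloudflared tunnel route dns <tunnel> <hostname>` creates its CNAME.
write_cloudflared_config() {
  role=$2
  {
    printf 'tunnel: %s\ncredentials-file: /etc/cloudflared/%s.json\ningress:\n' "$TUNNEL_ID" "$TUNNEL_ID"
    if [ "$role" = primary ]; then
      # Coolify dashboard, published on 127.0.0.1:8000 only (no public 8000)
      printf '  - hostname: coolify.%s\n    service: http://127.0.0.1:8000\n' "$DOMAIN"
    else
      # WG-Easy web UI, bound to loopback in the compose file below
      printf '  - hostname: wg.%s\n    service: http://127.0.0.1:51821\n' "$DOMAIN"
    fi
    # SSH via `cloudflared access ssh` on staff devices, so 22/tcp never opens publicly
    printf '  - hostname: ssh-%s.%s\n    service: ssh://127.0.0.1:22\n' "$role" "$DOMAIN"
    printf '  - service: http_status:404\n'   # catch-all: cloudflared requires it last
  } > "$1"
}

# write_wg_easy_compose FILE: UI on loopback, WireGuard listener public.
# Environment variable names vary between wg-easy releases; check the README
# for the tag you pin and set the UI's own admin credential as well.
write_wg_easy_compose() {
  cat > "$1" <<EOF
services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    environment:
      - WG_HOST=vpn.$DOMAIN
    volumes:
      - /opt/wg-easy:/etc/wireguard
    ports:
      - "51820:51820/udp"            # WireGuard: public, allowed in the Hetzner firewall
      - "127.0.0.1:51821:51821/tcp"  # UI: loopback only, reached through cloudflared + Access
    cap_add: [NET_ADMIN, SYS_MODULE]
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
EOF
}

# check_ingress FILE: 0 if the ingress is safe to deploy, 1 with a reason otherwise.
check_ingress() {
  services=$(awk '/service:/ { sub(/.*service:[ \t]*/, ""); sub(/[ \t]*#.*/, ""); print }' "$1")
  last=$(printf '%s\n' "$services" | tail -n 1)
  [ "$last" = "http_status:404" ] || { echo "ingress: catch-all http_status:404 must be last" >&2; return 1; }
  printf '%s\n' "$services" | sed '$d' | while read -r svc; do
    case $svc in
      udp://*) echo "ingress: $svc: public hostnames cannot carry UDP; use a private network route" >&2; exit 1 ;;
      *://127.0.0.1:*|*://localhost:*) ;;
      *) echo "ingress: $svc: origin must be loopback so it is unreachable except via the tunnel" >&2; exit 1 ;;
    esac
  done
}

# Example run: render both files for the secondary server and validate.
# Afterwards: cloudflared tunnel ingress validate --config config.yml && cloudflared service install
if [ "${RENDER:-0}" = 1 ]; then
  write_cloudflared_config config.yml "${ROLE:-secondary}"
  write_wg_easy_compose docker-compose.yml
  check_ingress config.yml
fi
```

`check_ingress` is deliberately strict about loopback origins: an origin of `http://0.0.0.0:8000` would work through the tunnel but is a sign that the same port is also published to the network, which the Hetzner firewall then has to cover.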
5. Documentation & Training
Deliver a comprehensive recorded video walkthrough covering:
Firewall rules and Hetzner Robot configuration.
Coolify installation, app deployment, and adding/removing servers.
Cloudflare Tunnel and Zero Trust policy configuration.
VPN management with WG-Easy.
Conduct a 1-hour video handover call to:
Answer questions.
Validate internal understanding.
Ensure the organisation can operate and extend the setup independently.
Deliverables
Deployment Manual and Demo video showing:
Two Hetzner bare-metal servers configured:
Coolify Central system (primary).
VPN/Services system (secondary).
Cloudflare Tunnel Zero Trust integration:
Microsoft Entra ID (Azure AD) SSO.
WARP device-based enforcement.
Dockerised WireGuard VPN (WG-Easy) deployed and secured.
Firewall rules documented and scripted for reproducibility.
Training package:
One-hour live Q&A handover session.
Candidate Requirements
Demonstrated expertise with Hetzner bare-metal server deployments.
Deep knowledge of Hetzner Robot firewall configuration.
Strong Linux, Docker, and Coolify experience.
Proven track record with Cloudflare Tunnel, Zero Trust, WARP, and Microsoft Entra ID (Azure AD) SSO.
Experience with WireGuard / WG-Easy VPN deployments.
Excellent documentation and communication skills.
External resources:
Hetzner Firewall: docs.hetzner.com
Coolify Firewall: coolify.io
Cloudflare Tunnel with firewall: developers.cloudflare.com
Microsoft Entra ID: developers.cloudflare.com