docs(deploy): replace ufw with Hetzner Cloud Firewall

- Debian 13 doesn't include ufw by default
- Docker bypasses ufw/iptables rules anyway
- Hetzner Cloud Firewall works at network level, cleaner solution

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

alice 1a12c02b 3fd4e6fa

+21 -15
DEPLOY.md
··· 62 62 # Set timezone (optional) 63 63 timedatectl set-timezone UTC 64 64 65 - # Enable firewall 66 - ufw allow 22/tcp # SSH 67 - ufw allow 80/tcp # HTTP (for SSL verification) 68 - ufw allow 443/tcp # HTTPS 69 - ufw allow 8000/tcp # Coolify UI (temporary, remove later) 70 - ufw --force enable 71 - 72 65 # Reboot to apply kernel updates 73 66 reboot 74 67 ``` 68 + 69 + ### Firewall (Optional) 70 + 71 + Use **Hetzner Cloud Firewall** instead of host-based firewalls: 72 + 73 + 1. In Hetzner Console → **Firewalls** → **Create Firewall** 74 + 2. Add inbound rules: 75 + - TCP 22 (SSH) 76 + - TCP 80 (HTTP - for Let's Encrypt) 77 + - TCP 443 (HTTPS) 78 + - TCP 8000 (Coolify UI - remove after setup) 79 + 3. Apply to your server 80 + 81 + This is cleaner than ufw/iptables, which Docker often bypasses anyway. 75 82 76 83 --- 77 84 ··· 239 246 240 247 Once everything works, restrict Coolify UI access: 241 248 242 - ```bash 243 - # Remove public access to Coolify 244 - ufw delete allow 8000/tcp 245 - 246 - # Access Coolify through SSH tunnel instead: 247 - # ssh -L 8000:localhost:8000 root@YOUR_SERVER_IP 248 - # Then open http://localhost:8000 249 - ``` 249 + 1. In Hetzner Console → **Firewalls** → Edit your firewall 250 + 2. Remove the TCP 8000 rule 251 + 3. Access Coolify through SSH tunnel instead: 252 + ```bash 253 + ssh -L 8000:localhost:8000 root@YOUR_SERVER_IP 254 + # Then open http://localhost:8000 255 + ``` 250 256 251 257 ### Enable Auto-Deploy 252 258
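Review bot: In the first hunk, the new heading `### Firewall (Optional)` turns what used to be an unconditional setup step (`ufw --force enable`) into something a reader can skip, and the same hunk removes the only host-level filtering. Anyone who skips the section ends up with every listening port reachable, including the Coolify UI on 8000. Suggest dropping "(Optional)" from the heading, or stating directly under it that the server has no inbound filtering until the firewall is created and applied in step 3. The inbound rule list could also say whether TCP 22 and TCP 8000 should be limited to a source IP range rather than left open to any address, since the old comments gave no guidance on that either.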
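Review bot: In the second hunk, steps 1 and 2 ("Edit your firewall", "Remove the TCP 8000 rule") assume the reader created and applied a Hetzner Cloud Firewall earlier, but that section is marked optional in this same change. A reader who skipped it has no rule to remove and port 8000 stays public, whereas the removed `ufw delete allow 8000/tcp` at least acted on the host. Suggest a sentence before step 1 pointing back to the Firewall section as a prerequisite, and a final step asking the reader to confirm from a different machine that port 8000 no longer answers before relying on the SSH tunnel. It is also worth checking that the fenced `ssh -L` block is indented under item 3 so the numbered list renders as one list.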