Self Hosting with Hetzner and Coolify

Coolify IO

Coolify is an amazing open source project that aims to emulate the one-click deployment of services such as Vercel or Netlify while keeping control in the hands of the developer. You will need a VPS (Virtual Private Server) or, if you're particularly savvy, you can install Coolify on any machine running a Debian flavour of Linux, even a Pi!

Setting Up Your VPS

I chose to use Hetzner as my VPS provider for no other reason than that they were recommended by Coolify, but I'm very impressed. They seem to be incredibly dedicated to their customers' needs. For once, it's great to see a server provider show their pricing as a maximum price per month, rather than hiding the bogeyman behind a pay-as-you-go model. They're also very affordable and offer a great range of plans to suit different needs. Happy days!

Keep in mind that the minimum specs just to run Coolify are 2 CPU cores and 4GB of RAM, so you'll need at least one step up from there to host anything on your instance. This isn't a problem though: you can spin up a server with 4 cores and 8GB of memory for €8.10 (more or less) per month, which will be more than adequate for most people. Storage varies depending on your config, but mine came with 80GB, plenty for me. All of the VPS packages come with a 20TB bandwidth limit, but I mean come on, if you're exceeding that you probably shouldn't be using VPSs any more.

During setup, you'll pick a location, set up an SSH key and apply any cloud configs you want. If you don't set up SSH, an email will be sent with a default root password, but that gives me the shivers, so I'm not doing that.

After connecting to your server over SSH:

ssh root@some.ip.address

all you need to do is run the standard:

sudo apt update && sudo apt upgrade

This ensures your server is up to date and ready for you to run the Bash install script!

I strongly recommend, however, creating a new user with superuser (sudo) privileges and locking down root (remove password login), then setting a passphrase on your private SSH key. This helps prevent botnets from simply brute-forcing your password and is in keeping with least privilege. To break that without some sneaky man-in-the-middle attack, a bad actor would need access to your private SSH key, know the passphrase needed to use that key, and know your user password on the server to run any commands with superuser privileges. Overkill? Maybe, but ostensibly we're doing this to practise, and minimising attack surface and enforcing least privilege are standard security practices we should probably get used to if we're going to be deploying on our own servers.
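One way to check the lockdown described above, as an added example that is not part of the original post. The function names and sample configs are constructed, and the pass criteria (password authentication off, root barred or key-only) are this example's reading of "remove password login".

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# configs below are constructed for illustration.

# Print the value sshd would use for keyword $2 in file $1. sshd keeps the
# FIRST value it reads for a keyword, keywords are case-insensitive, and
# "Keyword=value" is accepted. Match blocks are conditional, so stop there.
effective_value() {
    awk -v key="$2" '
        { sub(/=/, " ") }
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if password logins are off and root is barred or key-only.
# Unset keywords fall back to the OpenSSH defaults.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    pass=$(effective_value "$1" PasswordAuthentication)
    case ${root:-prohibit-password} in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: PermitRootLogin $root"; rc=1 ;;
    esac
    if [ "${pass:-yes}" != no ]; then
        echo "FAIL: PasswordAuthentication ${pass:-yes (default)}"; rc=1
    fi
    return "$rc"
}

# Constructed samples. In "shadowed" an earlier "yes" (as a drop-in file read
# first would supply) wins over the later "no".
demo_dir=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    > "$demo_dir/hardened"
printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin=prohibit-password' \
    'PasswordAuthentication no' > "$demo_dir/shadowed"
for f in hardened shadowed; do
    if audit_sshd "$demo_dir/$f"; then echo "$f: OK"; else echo "$f: fix"; fi
done
rm -rf "$demo_dir"
```

On the server itself, running sshd -T as root prints the effective configuration, including any included files; save that output to a file and pass it to audit_sshd.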

Anyway, after that little tangent, you can run the following command:

curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash

which will download the correct BASH script and run it. This script will handle all of the necessary dependencies such as Docker Engine and subsequently spin up your instance of Coolify.

Once Coolify is up and running, you'll need to register an email and password and log in. From here, we have some housekeeping.

You'll want to have a domain available and pointing at your server with two A records:

  • The first is @ with a TTL of 60 seconds
  • The second is * (wildcard) with a TTL of 60 seconds

This ensures that when you deploy services, you can have sets of subdomains pointing at your Coolify instance. Next, hop back into Coolify settings and set the instance domain to something.yourdomain.whatever. Then set the localhost server wildcard domain to: https://yourdomain.whatever. You should now be able to access your Coolify instance at the instance domain! This may take a minute or two to propagate, so be patient before taking the next step.

Now that you can access your instance over HTTPS, it would be best to start closing off any unused ports on your server with a firewall. As standard practice, you'll have inbound rules for TCP on ports 22 (SSH), 80 and 443 (HTTPS). This means the firewall will allow TCP traffic through these ports. The eagle-eyed will have noticed that up until now, you have been accessing Coolify via your.ip.address:8000, but now that we have a firewall up, refreshing this page will not work, as we have no inbound rule for port 8000. Just like that, you've helped secure your server. I suggest resetting your Coolify password, as your traffic up until now has been unencrypted.

You should now have a well-secured instance of Coolify running on your chosen server and you can start deploying some services!

But that's for another post.

Coolify's documentation is pretty great, but there's also an awesome video from Syntax explaining everything in detail.