I personally prefer that the private key for https remain local within my network. That ensures end-to-end privacy. That's not an option when using Cloudflare.
I do use Cloudflare for public sites that don't require a login. And I have the same zero trust services running locally for accessing non-public data. My reverse proxy authenticates/authorizes each request so that I don't need to use a VPN.
I use Ansible+git to push changes to remote servers. And use ssh+vim sometimes too.