fix(tf): cloud-init heredoc column-0 + firewall uses ubongo's WAN IP

Review catches: (1) <<-EOT strips by the closing marker's indent, so the
cloud-config body must match it (2 spaces) for '#cloud-config' to land at column
0; (2) the Hetzner Cloud Firewall filters public traffic, so ssh_admin_cidrs is
ubongo's WAN/egress IP, not its LAN address — a private CIDR would lock SSH out of
the live VPS.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sjat 2026-06-14 12:19:45 +02:00
parent 3588904528
commit 09b0aad342
2 changed files with 17 additions and 12 deletions
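The two review catches in the message are the kind of thing that can be made to fail at `terraform plan` instead of after `apply`. The following is an added example, not code from this commit or the project: it assumes the variable name `ssh_admin_cidrs` and the local `user_data` from the diff, Terraform 1.4 or newer (for `terraform_data` and `startswith`), and a hypothetical resource name `cloud_config_guard` chosen here only to host the precondition.

```hcl
# Added example (not the project's code): guard rails for the two review catches.
# Assumes var.ssh_admin_cidrs and local.user_data as they appear in the diff.

variable "ssh_admin_cidrs" {
  type        = list(string)
  description = "Public source CIDRs allowed to reach SSH through the Hetzner Cloud Firewall."

  validation {
    condition     = alltrue([for c in var.ssh_admin_cidrs : can(cidrhost(c, 0))])
    error_message = "Every ssh_admin_cidrs entry must be a valid IPv4 CIDR such as 198.51.100.7/32."
  }

  validation {
    # The firewall filters public traffic, so RFC 1918 space (the LAN address
    # that was committed before) and the RFC 5737 TEST-NET-3 placeholder can
    # never match a real source: applying either locks SSH out of the VPS.
    condition = alltrue([
      for c in var.ssh_admin_cidrs : alltrue([
        # bind the first three octets as numbers via a one-element for-list
        for o in [[for p in slice(split(".", c), 0, 3) : tonumber(p)]] :
        !(o[0] == 10
          || (o[0] == 172 && o[1] >= 16 && o[1] <= 31)
          || (o[0] == 192 && o[1] == 168)
          || (o[0] == 203 && o[1] == 0 && o[2] == 113))
      ])
    ])
    error_message = "ssh_admin_cidrs must hold ubongo's public WAN/egress address: RFC 1918 ranges and the 203.0.113.0/24 placeholder would lock SSH out."
  }
}

# cloud-init silently ignores user-data whose first line is not exactly
# '#cloud-config' at column 0. terraform_data is used here only as a host for
# the precondition (hypothetical name); in the real module attach the same
# precondition to the hcloud_server resource that consumes local.user_data.
resource "terraform_data" "cloud_config_guard" {
  lifecycle {
    precondition {
      condition     = startswith(local.user_data, "#cloud-config\n")
      error_message = "local.user_data must begin with '#cloud-config' at column 0; check the <<- heredoc indentation."
    }
  }
}
```

To eyeball the rendered heredoc without applying anything, `echo 'local.user_data' | terraform console` prints the string after `<<-` trimming, so a stray leading space on the first line is visible immediately. The octet comparison is deliberately simple (first three octets only) because variable validation cannot call out to a CIDR-containment helper; it is enough to reject the two classes of address this commit is about.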


@ -7,4 +7,7 @@
# State is local (see backend.tf).
ansible_ssh_pubkey = "ssh-ed25519 AAAA... ansible@ubongo"
ssh_admin_cidrs = ["10.20.10.151/32"] # ubongo's LAN address (ADR-021)
# The Hetzner Cloud Firewall filters PUBLIC traffic, so this is ubongo's WAN/egress
# IP (the perimeter analog of OPNsense, ADR-020) — NOT its LAN address. Find it with
# `curl -s ifconfig.me` from ubongo. Narrows to the NetBird `wt0` path once M5 lands.
ssh_admin_cidrs = ["203.0.113.10/32"] # placeholder — ubongo's WAN/egress IP
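Review bot: the value committed on the new `ssh_admin_cidrs` line, 203.0.113.10/32, is an RFC 5737 documentation address (TEST-NET-3), so a `terraform apply` from this tfvars as checked in creates a firewall rule that matches no real source and locks SSH out just as the removed 10.20.10.151/32 line would have. A syntactically valid placeholder is easy to apply by accident; prefer leaving the variable unset so `terraform plan` prompts for it, or add a `validation` block on `ssh_admin_cidrs` that rejects 203.0.113.0/24 together with RFC 1918 space. The comment could also say that the address from `curl -s ifconfig.me` is only as stable as ubongo's upstream assignment: if it is not static the rule goes stale silently, and a break-glass path (the provider's console, for example) deserves a mention next to it.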


@ -1,18 +1,20 @@
# cloud-init: create the unprivileged `ansible` user with ubongo's key + sudo.
# (Mirrors the proxmox_vm module's user_account; Hetzner has no structured field.)
locals {
# Indentation matches the closing EOT (2 spaces) so `<<-` strips to column 0
# cloud-config requires `#cloud-config` as the first line with no leading space.
user_data = <<-EOT
#cloud-config
users:
- name: ansible
groups: [sudo]
sudo: "ALL=(ALL) NOPASSWD:ALL"
shell: /bin/bash
ssh_authorized_keys:
- ${var.ansible_ssh_pubkey}
package_update: true
packages:
- python3
#cloud-config
users:
- name: ansible
groups: [sudo]
sudo: "ALL=(ALL) NOPASSWD:ALL"
shell: /bin/bash
ssh_authorized_keys:
- ${var.ansible_ssh_pubkey}
package_update: true
packages:
- python3
EOT
}
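Review bot: the comment "Indentation matches the closing EOT (2 spaces) so `<<-` strips to column 0" states Terraform's rule incorrectly. An indented heredoc (`<<-`) trims the smallest common leading whitespace found across the body lines; the closing marker's own indentation does not drive the trim. The fix as described works because every line from `#cloud-config` to `- python3` is indented by at least the two spaces of `#cloud-config`, not because the body matches the marker, and any future line indented less than `#cloud-config` would shrink the trim and push the header off column 0 again with no error. Reword the comment to say that `#cloud-config` must be the least-indented body line, and add a guard: a `precondition` on the resource that consumes `local.user_data` with `startswith(local.user_data, "#cloud-config\n")`, or at least check the rendered string with `echo 'local.user_data' | terraform console` before applying. Separately, `- ${var.ansible_ssh_pubkey}` is interpolated into the YAML unquoted: a key whose trailing comment contains ` #` or `: ` would be read as a YAML comment or mapping and the key would be truncated or the document rejected; `- ${jsonencode(var.ansible_ssh_pubkey)}` emits a quoted scalar that YAML takes verbatim.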