fix(tf): cloud-init heredoc column-0 + firewall uses ubongo's WAN IP

Review catches: (1) <<-EOT strips by the closing marker's indent, so the
cloud-config body must match it (2 spaces) for '#cloud-config' to land at column
0; (2) the Hetzner Cloud Firewall filters public traffic, so ssh_admin_cidrs is
ubongo's WAN/egress IP, not its LAN address — a private CIDR would lock SSH out of
the live VPS.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

terraform/environments/offsite/terraform.tfvars.example

@@ -7,4 +7,7 @@
 # State is local (see backend.tf).
 
 ansible_ssh_pubkey = "ssh-ed25519 AAAA... ansible@ubongo"
-ssh_admin_cidrs    = ["10.20.10.151/32"] # ubongo's LAN address (ADR-021)
+# The Hetzner Cloud Firewall filters PUBLIC traffic, so this is ubongo's WAN/egress
+# IP (the perimeter analog of OPNsense, ADR-020) — NOT its LAN address. Find it with
+# `curl -s ifconfig.me` from ubongo. Narrows to the NetBird `wt0` path once M5 lands.
+ssh_admin_cidrs    = ["203.0.113.10/32"] # placeholder — ubongo's WAN/egress IP

terraform/modules/hetzner_vm/main.tf

@@ -1,18 +1,20 @@
 # cloud-init: create the unprivileged `ansible` user with ubongo's key + sudo.
 # (Mirrors the proxmox_vm module's user_account; Hetzner has no structured field.)
 locals {
+  # Indentation matches the closing EOT (2 spaces) so `<<-` strips to column 0 —
+  # cloud-config requires `#cloud-config` as the first line with no leading space.
   user_data = <<-EOT
-    #cloud-config
-    users:
-      - name: ansible
-        groups: [sudo]
-        sudo: "ALL=(ALL) NOPASSWD:ALL"
-        shell: /bin/bash
-        ssh_authorized_keys:
-          - ${var.ansible_ssh_pubkey}
-    package_update: true
-    packages:
-      - python3
+  #cloud-config
+  users:
+    - name: ansible
+      groups: [sudo]
+      sudo: "ALL=(ALL) NOPASSWD:ALL"
+      shell: /bin/bash
+      ssh_authorized_keys:
+        - ${var.ansible_ssh_pubkey}
+  package_update: true
+  packages:
+    - python3
   EOT
 }