diff --git a/terraform/environments/offsite/terraform.tfvars.example b/terraform/environments/offsite/terraform.tfvars.example
index b7f5bc0..0849b69 100644
--- a/terraform/environments/offsite/terraform.tfvars.example
+++ b/terraform/environments/offsite/terraform.tfvars.example
@@ -7,4 +7,7 @@
 # State is local (see backend.tf).
 ansible_ssh_pubkey = "ssh-ed25519 AAAA... ansible@ubongo"
-ssh_admin_cidrs = ["10.20.10.151/32"] # ubongo's LAN address (ADR-021)
+# The Hetzner Cloud Firewall filters PUBLIC traffic, so this is ubongo's WAN/egress
+# IP (the perimeter analog of OPNsense, ADR-020) — NOT its LAN address. Find it with
+# `curl -s ifconfig.me` from ubongo. Narrows to the NetBird `wt0` path once M5 lands.
+ssh_admin_cidrs = ["203.0.113.10/32"] # placeholder — ubongo's WAN/egress IP
diff --git a/terraform/modules/hetzner_vm/main.tf b/terraform/modules/hetzner_vm/main.tf
index 038e236..2228a9b 100644
--- a/terraform/modules/hetzner_vm/main.tf
+++ b/terraform/modules/hetzner_vm/main.tf
@@ -1,18 +1,20 @@
 # cloud-init: create the unprivileged `ansible` user with ubongo's key + sudo.
 # (Mirrors the proxmox_vm module's user_account; Hetzner has no structured field.)
 locals {
+ # Indentation matches the closing EOT (2 spaces) so `<<-` strips to column 0 —
+ # cloud-config requires `#cloud-config` as the first line with no leading space.
 user_data = <<-EOT
- #cloud-config
- users:
- - name: ansible
- groups: [sudo]
- sudo: "ALL=(ALL) NOPASSWD:ALL"
- shell: /bin/bash
- ssh_authorized_keys:
- - ${var.ansible_ssh_pubkey}
- package_update: true
- packages:
- - python3
+ #cloud-config
+ users:
+ - name: ansible
+ groups: [sudo]
+ sudo: "ALL=(ALL) NOPASSWD:ALL"
+ shell: /bin/bash
+ ssh_authorized_keys:
+ - ${var.ansible_ssh_pubkey}
+ package_update: true
+ packages:
+ - python3
 EOT
 }
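Review bot: The new comment tells the operator to discover the SSH allow-list address with `curl -s ifconfig.me`, which curl fetches over plain HTTP by default, and whatever that unauthenticated reply says is pasted straight into `ssh_admin_cidrs` — a tampered or cached answer allow-lists the wrong /32 (possibly someone else's) and nothing downstream would notice. Since OPNsense is named as the perimeter (ADR-020), reading the WAN address from the OPNsense interface is the authoritative source; failing that, at least `curl -s https://ifconfig.me`. The comment should also warn that if that WAN address is dynamic, an ISP change silently locks SSH out of the Hetzner host, so the Hetzner console/rescue path stays the fallback until M5 narrows this to `wt0`. Suggested replacement for the third comment line: `# OPNsense's WAN address (or \`curl -s https://ifconfig.me\` — TLS, the answer feeds an allowlist) from ubongo.` followed by `# If that IP is dynamic a change locks SSH out; keep the Hetzner console as fallback. Narrows to NetBird \`wt0\` once M5 lands.`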
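Review bot: The new comment documents that `#cloud-config` must land at column 0, but nothing in the module enforces it, and cloud-init silently ignores user-data that does not begin with that line — the server would come up with no `ansible` user (and no key-based login at all) while `terraform apply` reports success. A `check` block (Terraform ≥ 1.5, `startswith` ≥ 1.3; the module's `required_version` is not visible here) or a `lifecycle { precondition }` on the server resource, which lies outside this hunk, turns that into an apply-time failure; proposed addition below. As I read Terraform's heredoc rules, `<<-` trims by the least-indented content line rather than by the closing marker, so the comment's justification may be misleading even though the result is the same here — worth confirming with `terraform console` before relying on it. Separately, quoting the interpolated key, `- "${var.ansible_ssh_pubkey}"`, keeps a key comment containing ` #` or `: ` from corrupting the YAML.
```hcl
# … unchanged: locals { user_data = <<-EOT … EOT } …

# Fail plan/apply if the heredoc ever stops producing a valid cloud-config header;
# cloud-init otherwise ignores the whole document without any error.
check "user_data_is_cloud_config" {
  assert {
    condition     = startswith(local.user_data, "#cloud-config\n")
    error_message = "user_data must begin with '#cloud-config' at column 0; cloud-init ignores it otherwise."
  }
}
```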