From b0511179cbffc239005ec737107b0b728a3bc638 Mon Sep 17 00:00:00 2001
From: sjat <sjat@ziethen.dk>
Date: Wed, 17 Jun 2026 20:51:24 +0200
Subject: [PATCH] feat(tf/offsite): retire askari's WAN :22 (mesh-only SSH)

The Hetzner Cloud Firewall SSH rule is now conditional on a non-empty
ssh_admin_cidrs (default []); askari sets it empty so the WAN :22 rule is
removed on the next apply. SSH is reached over wt0; break-glass is the Hetzner
console. Apply is the live cutover (Task 5). Mesh-hardening 1/3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 terraform/environments/offsite/main.tf    |  2 +-
 terraform/modules/hetzner_vm/main.tf      | 17 +++++++++++------
 terraform/modules/hetzner_vm/variables.tf |  3 ++-
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/terraform/environments/offsite/main.tf b/terraform/environments/offsite/main.tf
index 0b0666e..494c84d 100644
--- a/terraform/environments/offsite/main.tf
+++ b/terraform/environments/offsite/main.tf
@@ -11,7 +11,7 @@ module "askari" {
   location           = "hel1" # Helsinki
   image              = "debian-13"
   ansible_ssh_pubkey = var.ansible_ssh_pubkey
-  ssh_admin_cidrs    = var.ssh_admin_cidrs
+  ssh_admin_cidrs    = []   # mesh-only: SSH is reached over wt0; WAN :22 retired (mesh-hardening 1/3)
   public_web         = true # Caddy 80/443 + NetBird 3478 (M4)
   labels = {
     env        = "offsite"
diff --git a/terraform/modules/hetzner_vm/main.tf b/terraform/modules/hetzner_vm/main.tf
index f360dce..df26757 100644
--- a/terraform/modules/hetzner_vm/main.tf
+++ b/terraform/modules/hetzner_vm/main.tf
@@ -26,12 +26,17 @@ resource "hcloud_ssh_key" "ansible" {
 resource "hcloud_firewall" "this" {
   name = "${var.name}-fw"
 
-  # SSH from the control node only.
-  rule {
-    direction  = "in"
-    protocol   = "tcp"
-    port       = "22"
-    source_ips = var.ssh_admin_cidrs
+  # SSH from the control node only — and only when admin CIDRs are set. An empty
+  # ssh_admin_cidrs removes the WAN :22 rule entirely (mesh-only SSH; reach the host over
+  # wt0, break-glass = Hetzner console). Mesh-hardening 1/3.
+  dynamic "rule" {
+    for_each = length(var.ssh_admin_cidrs) > 0 ? [1] : []
+    content {
+      direction  = "in"
+      protocol   = "tcp"
+      port       = "22"
+      source_ips = var.ssh_admin_cidrs
+    }
   }
 
   # Public web (Caddy 80/443) + NetBird STUN/TURN (3478/udp) — only when public_web
diff --git a/terraform/modules/hetzner_vm/variables.tf b/terraform/modules/hetzner_vm/variables.tf
index 15b3ba4..ca6b3ea 100644
--- a/terraform/modules/hetzner_vm/variables.tf
+++ b/terraform/modules/hetzner_vm/variables.tf
@@ -24,8 +24,9 @@ variable "ansible_ssh_pubkey" {
 }
 
 variable "ssh_admin_cidrs" {
-  description = "Source CIDRs allowed to reach SSH (e.g. ubongo's address/32)"
+  description = "Source CIDRs allowed to reach SSH over the WAN. Empty = no WAN SSH rule (mesh-only)."
   type        = list(string)
+  default     = []
 }
 
 variable "public_web" {