sjat
b0511179cb
The Hetzner Cloud Firewall SSH rule is now conditional on a non-empty ssh_admin_cidrs (default []); askari sets it empty so the WAN :22 rule is removed on the next apply. SSH is reached over wt0; break-glass is the Hetzner console. Apply is the live cutover (Task 5). Mesh-hardening 1/3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
21 lines
854 B
HCL
21 lines
854 B
HCL
# offsite/main.tf — off-site Hetzner hosts. Terraform owns VM existence (ADR-006,
|
|
# generalized to Hetzner). ALWAYS `make tf-plan TF_ENV=offsite` and review before
|
|
# `make tf-apply TF_ENV=offsite`.
|
|
|
|
module "askari" {
|
|
source = "../../modules/hetzner_vm"
|
|
|
|
name = "askari"
|
|
server_type = "cx23" # x86, 2 vCPU / 4 GB / 40 GB (CAX11/ARM was out of stock in
|
|
# every EU location 2026-06-14; cx23 is same-spec + cheaper)
|
|
location = "hel1" # Helsinki
|
|
image = "debian-13"
|
|
ansible_ssh_pubkey = var.ansible_ssh_pubkey
|
|
ssh_admin_cidrs = [] # mesh-only: SSH is reached over wt0; WAN :22 retired (mesh-hardening 1/3)
|
|
public_web = true # Caddy 80/443 + NetBird 3478 (M4)
|
|
labels = {
|
|
env = "offsite"
|
|
group = "offsite_hosts"
|
|
managed-by = "terraform"
|
|
}
|
|
}
|