sjat
b0511179cb
The Hetzner Cloud Firewall SSH rule is now conditional on a non-empty ssh_admin_cidrs (default []); askari sets it empty so the WAN :22 rule is removed on the next apply. SSH is reached over wt0; break-glass is the Hetzner console. Apply is the live cutover (Task 5). Mesh-hardening 1/3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
42 lines
1,007 B
HCL
42 lines
1,007 B
HCL
variable "name" {
|
|
description = "Server name (and hostname)"
|
|
type = string
|
|
}
|
|
|
|
variable "server_type" {
|
|
description = "Hetzner server type, e.g. cx23 (x86) or cax11 (ARM)"
|
|
type = string
|
|
}
|
|
|
|
variable "location" {
|
|
description = "Hetzner location, e.g. hel1"
|
|
type = string
|
|
}
|
|
|
|
variable "image" {
|
|
description = "OS image slug, e.g. debian-13"
|
|
type = string
|
|
}
|
|
|
|
variable "ansible_ssh_pubkey" {
|
|
description = "Public SSH key provisioned for the ansible user via cloud-init"
|
|
type = string
|
|
}
|
|
|
|
variable "ssh_admin_cidrs" {
|
|
description = "Source CIDRs allowed to reach SSH over the WAN. Empty = no WAN SSH rule (mesh-only)."
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "public_web" {
|
|
description = "Open the public web/NetBird ports (80/443 TCP, 3478 UDP) to the internet"
|
|
type = bool
|
|
default = false
|
|
}
|
|
|
|
variable "labels" {
|
|
description = "Hetzner resource labels (metadata only)"
|
|
type = map(string)
|
|
default = {}
|
|
}
|