boma/terraform/environments/offsite/terraform.tfvars.example
sjat 09b0aad342 fix(tf): cloud-init heredoc column-0 + firewall uses ubongo's WAN IP
Review catches: (1) <<-EOT strips by the closing marker's indent, so the
cloud-config body must match it (2 spaces) for '#cloud-config' to land at column
0; (2) the Hetzner Cloud Firewall filters public traffic, so ssh_admin_cidrs is
ubongo's WAN/egress IP, not its LAN address — a private CIDR would lock SSH out of
the live VPS.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 12:19:45 +02:00


# offsite environment — non-secret values. Copy to terraform.tfvars and fill in.
# Keep the copied terraform.tfvars itself out of the repo: it holds your real WAN IP.
#
# Secret is exported as an env var (never in this file); the make tf-* targets do this
# automatically for TF_ENV=offsite, sourcing vault.hetzner.token:
# export TF_VAR_hcloud_token="...from vault.hetzner.token..."
#
# State is local (see backend.tf).
#
# Public half of the key Ansible uses to reach the VPS; the private key never goes
# here. Paste the full "ssh-ed25519 <base64> <comment>" line — the AAAA... below is a
# placeholder, not a usable key.
ansible_ssh_pubkey = "ssh-ed25519 AAAA... ansible@ubongo"
# The Hetzner Cloud Firewall filters PUBLIC traffic, so this is ubongo's WAN/egress
# IP (the perimeter analog of OPNsense, ADR-020) — NOT its LAN address; a private/LAN
# CIDR here locks SSH out of the live VPS. Find it with `curl -s https://ifconfig.me`
# from ubongo (HTTPS, so the answer cannot be tampered with in transit) and, if ubongo
# sits behind OPNsense, cross-check against its WAN interface address. The value below
# is an RFC 5737 documentation address and MUST be replaced before apply: the SSH rule
# is keyed on this list, so the placeholder admits nobody. Keep the /32 — widen only
# deliberately. If ubongo's WAN IP is not static, an IP change locks you out until
# this is updated and re-applied (recovery is then via the Hetzner console).
# Narrows to the NetBird `wt0` path once M5 lands.
ssh_admin_cidrs = ["203.0.113.10/32"] # placeholder — ubongo's WAN/egress IP