Review catches: (1) <<-EOT strips by the closing marker's indent, so the cloud-config body must match it (2 spaces) for '#cloud-config' to land at column 0; (2) the Hetzner Cloud Firewall filters public traffic, so ssh_admin_cidrs is ubongo's WAN/egress IP, not its LAN address — a private CIDR would lock SSH out of the live VPS. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
# offsite environment — non-secret values. Copy to terraform.tfvars and fill in.
#
# Secret is exported as an env var (never in this file); the make tf-* targets do this
# automatically for TF_ENV=offsite, sourcing vault.hetzner.token:
# export TF_VAR_hcloud_token="...from vault.hetzner.token..."
#
# State is local (see backend.tf).
ansible_ssh_pubkey = "ssh-ed25519 AAAA... ansible@ubongo"
# The Hetzner Cloud Firewall filters PUBLIC traffic, so this is ubongo's WAN/egress
# IP (the perimeter analog of OPNsense, ADR-020) — NOT its LAN address. Find it with
# `curl -s ifconfig.me` from ubongo. Narrows to the NetBird `wt0` path once M5 lands.
ssh_admin_cidrs = ["203.0.113.10/32"] # placeholder — ubongo's WAN/egress IP
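Review bot: The guidance above `ssh_admin_cidrs` fixes the value from a one-off `curl -s ifconfig.me`, but a WAN/egress address is only as stable as the ISP assignment, so a renumbering leaves the Cloud Firewall allow-list pointing at a stranger and produces the same SSH lockout the commit message warns about for a private CIDR. Suggest a line under the existing comment, `# Re-verify after any WAN/ISP change; a stale entry here locks SSH out exactly like a private CIDR would.`, so the operator knows the value is perishable, not one-time. Whether an out-of-band recovery path (provider console, NetBird `wt0` once M5 lands) is available is not visible in this file, so it may be worth naming it next to that comment. The placeholder `203.0.113.10/32` is a TEST-NET-3 address, which is the right choice for an example file.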