Go to the Hetzner console and click through the web interface to get
a new instance. Credentials are in
TODO: consider using the `hcloud` command instead.
Pick the following settings:
- Location: depends on the project, a monitoring server might be better in a different location than the other VMs
- Image: Debian 9
- Type: depends on the project
- Volume: only if extra space is required
- Additional features: nothing (no user data or backups)
- SSH key: enable all configured keys
- Name: FQDN picked from the doc/naming-scheme
- Create the server
Then, since we actually want our own Debian install, and since we want the root filesystem to be encrypted, continue with:
- Continue on Hetzner's web interface, select the server.
- Reboot into the rescue system ("Rescue, Enable rescue & Power cycle", pick linux64 and your SSH key). This will give you a root password.
- Open the console (the icon is near the top right) and log in with the root password.
- Get the `ssh-keygen -l -f /etc/ssh/ssh_host_*.pub` output. NOTE: the Hetzner consoles use a different keyboard mapping than "US". Hint:
  - `-` is on the
  - `/` is on shift-7 and
  - `*` is on shift-
- Log in to the new host with `ssh root@$IPADDRESS` and check that the fingerprint matches the one noted above.
- Start a session, then clone `tsa-misc` to the new host:
  `git clone https://git.torproject.org/admin/tsa-misc`
- Run `./tsa-misc/installer/tor-install-hetzner` (it needs the IPv6 address prefix you find on the web interface; make it end in `::1`). TODO: merge this script with the howto/new-machine-hetzner-robot procedure. WARNING: this procedure has been known to leave `ping` non-functional for regular users, see ticket 31781.
- Once done, note down all the info and reboot the VM. Use `ssh -o FingerprintHash=sha1 root@<ipaddr>` to unlock the host (to compare ssh's base64 output to dropbear's base16, you can use `perl -MMIME::Base64 -e '$h = unpack("H*", decode_base64(<>)); $h =~ s/(..)(?=.)/\1:/g; print $h, "\n"'` to convert base64 to base16), then `ssh root@<ipaddr>` to access it once booted.
- Set the reverse DNS using Hetzner's website. It's in the networking section for each virtual server. Set both IPv4 and IPv6 reverse entries.
- Document the LUKS passphrase and root password in tor-passwords.
- follow the rest of howto/new-machine.
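The fingerprint comparison in the unlock step above, as an added example (not code from tsa-misc): it does what the perl one-liner does, converting OpenSSH's unpadded base64 SHA1 fingerprint into the colon-separated base16 form dropbear prints, and then checks both forms against each other. The host key blob below is constructed for the example, not a real key.

```python
import base64
import hashlib
import re


def b64_to_colon_hex(b64: str) -> str:
    """Same transformation as the perl one-liner: base64 digest -> 'aa:bb:cc...'.
    OpenSSH omits base64 padding, so it is re-added before decoding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return ":".join(f"{byte:02x}" for byte in raw)


def normalize_fingerprint(fp: str) -> bytes:
    """Accept 'SHA1:<base64>' (ssh), bare base64, or 'aa:bb:...' hex (dropbear)
    and return the raw digest bytes so the two formats can be compared directly."""
    fp = fp.strip()
    fp = re.sub(r"^(SHA1|SHA256|MD5):", "", fp, flags=re.IGNORECASE)
    if re.fullmatch(r"(?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2}", fp):
        return bytes.fromhex(fp.replace(":", ""))
    return base64.b64decode(fp + "=" * (-len(fp) % 4))


def fingerprints_match(a: str, b: str) -> bool:
    """True only if both strings denote the same digest, whatever their notation."""
    return normalize_fingerprint(a) == normalize_fingerprint(b)


# Constructed sample: stands in for the initramfs (dropbear) host key; not a real key.
SAMPLE_KEY_BLOB = b"constructed host key blob, not a real key"
DIGEST = hashlib.sha1(SAMPLE_KEY_BLOB).digest()
# What `ssh -o FingerprintHash=sha1` shows (base64, no padding) ...
OPENSSH_STYLE = "SHA1:" + base64.b64encode(DIGEST).decode().rstrip("=")
# ... and what dropbear shows for the same key (colon-separated hex).
DROPBEAR_STYLE = ":".join(f"{byte:02x}" for byte in DIGEST)

if __name__ == "__main__":
    print(OPENSSH_STYLE, "->", b64_to_colon_hex(OPENSSH_STYLE[len("SHA1:"):]))
    print("match:", fingerprints_match(OPENSSH_STYLE, DROPBEAR_STYLE))
```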
To set up autoboot using mandos, see howto/new-machine-mandos for setting up the mandos client on this host.