Newer
Older
Go to the [Heztner console][] and clikety on the web interface to get
a new instance. Credentials are in `tor-passwords.git` in
`hosts-extra-info` under `hetzner`.
TODO: consider using the [`hcloud`](https://github.com/hetznercloud/cli) command insted.
Pick the following settings:
1. Location: depends on the project, a monitoring server might be
better in a different location than the other VMs
1. Image: Debian 9
1. Type: depends on the project
1. Volume: only if extra space is required
1. Additional features: nothing (no user data or backups)
1. SSH key: enable all configured keys
1. Name: FQDN picked from the [[doc/naming-scheme]]
1. Create the server
Then, since we actually want our own Debian install, and since we want the root filesystem to be encrypted,
continue with:
1. Continue on Hetzner's web interface, select the server.
2. Reboot into the rescue system ("Rescue, Enable rescue & Power
cycle", pick linux64 and your SSH key). this will give you a root
password
3. open the console (the icon is near the top right) and login with
the root password
4. get the `ssh-keygen -l -f /etc/ssh/ssh_host_*.pub` output. NOTE: the Hetzner
consoles use a different keyboard mapping than "US". Hint: `-` is
on the `/` key, `/` is on shift-7 and `*` is on shift-`]`
5. login to the new host: `ssh root@$IPADDRESS`, check the
fingerprint matches above
6. start a `screen` session
7. clone `tsa-misc` to the new host: `git clone
https://git.torproject.org/admin/tsa-misc`
8. run `./tsa-misc/installer/tor-install-hetzner` (the ipv6 address prefix you find on the web interface. Make it end in `::1`)
9. once done, note down all the info and reboot the VM: `reboot`
10. `ssh -o FingerprintHash=sha1 root@<ipaddr>` to unlock the host, (to compare ssh's base64 output to dropbear's b16, you can use `perl -MMIME::Base64 -e '$h = unpack("H*", decode_base64(<>)); $h =~ s/(..)(?=.)/\1:/g; print $h, "\n"'` to convert base64 to base16.
11. `ssh root@<ipaddr>` to access it once booted
1. Set the reverse DNS using hetzner's website. It's in the networking section for each virtual server. Set both ipv4 and ipv6 reverse entries.
1. Document the LUKS passphrase and root password in tor-passwords,
See [[new-machine-mandos]] for setting up the mandos client on this host.