Newer
Older
Go to the [Heztner console][] and clikety on the web interface to get
a new instance. Credentials are in `tor-passwords.git` in
`hosts-extra-info` under `hetzner`.
TODO: consider using the [`hcloud`](https://github.com/hetznercloud/cli) command insted.
Pick the following settings:
1. Location: depends on the project, a monitoring server might be
better in a different location than the other VMs
1. Image: Debian 9
1. Type: depends on the project
1. Volume: only if extra space is required
1. Additional features: nothing (no user data or backups)
1. SSH key: enable all configured keys
1. Name: FQDN picked from the [doc/naming-scheme](doc/naming-scheme)
Then, since we actually want our own Debian install, and since we want the root filesystem to be encrypted,
continue with:
1. Continue on Hetzner's web interface, select the server.
2. Reboot into the rescue system ("Rescue, Enable rescue & Power
cycle", pick linux64 and your SSH key). this will give you a root
password
3. open the console (the icon is near the top right) and login with
the root password
4. get the `ssh-keygen -l -f /etc/ssh/ssh_host_*.pub` output. NOTE: the Hetzner
consoles use a different keyboard mapping than "US". Hint: `-` is
on the `/` key, `/` is on shift-7 and `*` is on shift-`]`
5. login to the new host: `ssh root@$IPADDRESS`, check the
fingerprint matches above
6. start a `screen` session
7. clone `tsa-misc` to the new host: `git clone
https://git.torproject.org/admin/tsa-misc`
8. run `./tsa-misc/installer/tor-install-hetzner` (the ipv6 address
prefix you find on the web interface. Make it end in `::1`)
TODO: merge script with the [howto/new-machine-hetzner-robot](howto/new-machine-hetzner-robot)
WARNING: this procedure has been known to leave `ping`
non-functional for regular users, see [ticket 31781](https://bugs.torproject.org/31781)
9. once done, note down all the info and reboot the VM: `reboot`
10. `ssh -o FingerprintHash=sha1 root@<ipaddr>` to unlock the host, (to compare ssh's base64 output to dropbear's b16, you can use `perl -MMIME::Base64 -e '$h = unpack("H*", decode_base64(<>)); $h =~ s/(..)(?=.)/\1:/g; print $h, "\n"'` to convert base64 to base16.
11. `ssh root@<ipaddr>` to access it once booted
1. Set the reverse DNS using hetzner's website. It's in the networking section for each virtual server. Set both ipv4 and ipv6 reverse entries.
1. Document the LUKS passphrase and root password in tor-passwords,
1. follow the rest of [howto/new-machine](howto/new-machine).
See [howto/new-machine-mandos](howto/new-machine-mandos) for setting up the mandos client on this host.