new-machine-hetzner-cloud.md

Go to the [Hetzner console][] and click through the web interface to get
a new instance. Credentials are in `tor-passwords.git` in
`hosts-extra-info` under `hetzner`.

TODO: consider using the [`hcloud`](https://github.com/hetznercloud/cli) command instead.

 [Hetzner console]: https://console.hetzner.cloud/

Pick the following settings:

 1. Location: depends on the project; a monitoring server might be
    better in a different location than the other VMs
 1. Image: Debian 9
 1. Type: depends on the project
 1. Volume: only if extra space is required
 1. Additional features: nothing (no user data or backups)
 1. SSH key: enable all configured keys
 1. Name: FQDN picked from the [doc/naming-scheme](doc/naming-scheme)
 1. Create the server

Then, since we actually want our own Debian install, and since we want the root filesystem to be encrypted,
continue with:
    
 1. Continue on Hetzner's web interface, select the server.

 2. Reboot into the rescue system ("Rescue, Enable rescue & Power
    cycle", pick linux64 and your SSH key). This will give you a root
    password.
 3. Open the console (the icon is near the top right) and login with
    the root password.
 4. Get the `ssh-keygen -l -f /etc/ssh/ssh_host_*.pub` output. NOTE: the Hetzner
    consoles use a different keyboard mapping than "US". Hint: `-` is
    on the `/` key, `/` is on shift-7 and `*` is on shift-`]`.
 5. Login to the new host: `ssh root@$IPADDRESS`, and check that the
    fingerprint matches the output from the previous step.
 6. Start a `screen` session.
 7. Clone `tsa-misc` to the new host: `git clone
    https://git.torproject.org/admin/tsa-misc`

 8. Run `./tsa-misc/installer/tor-install-hetzner` (the IPv6 address
    prefix you find on the web interface; make it end in `::1`).

    TODO: merge script with the [howto/new-machine-hetzner-robot](howto/new-machine-hetzner-robot)

    WARNING: this procedure has been known to leave `ping`
    non-functional for regular users, see [ticket 31781](https://bugs.torproject.org/31781)

 9. Once done, note down all the info and reboot the VM: `reboot`
 10. `ssh -o FingerprintHash=sha1 root@<ipaddr>` to unlock the host (to compare ssh's base64 output to dropbear's base16, you can use `perl -MMIME::Base64 -e '$h = unpack("H*", decode_base64(<>)); $h =~ s/(..)(?=.)/$1:/g; print $h, "\n"'` to convert base64 to base16).
 11. `ssh root@<ipaddr>` to access it once booted.
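A shell version of the fingerprint comparison from step 10, added here as an example (it is not part of the original page or of `tsa-misc`): it strips the `ALGO:` prefix, restores the base64 padding OpenSSH omits, converts to colon-separated hex and compares it with the hex fingerprint printed on the other side. The function names and the sample values are constructed for the example.

```shell
# Added example: normalise host-key fingerprints so the base64 form OpenSSH
# prints ("SHA256:..." / "SHA1:...") can be compared with a colon-separated
# hex fingerprint such as the one the dropbear initramfs shows.

# fp_b64_to_hex FINGERPRINT
#   Drop the "ALGO:" prefix, restore the base64 padding OpenSSH omits,
#   decode, and print lowercase hex octets joined by ":".
fp_b64_to_hex() {
    b64=${1#*:}
    case $(( ${#b64} % 4 )) in
        2) b64="${b64}==" ;;
        3) b64="${b64}=" ;;
    esac
    printf '%s' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n' \
        | sed 's/../&:/g; s/:$//'
}

# fp_hex_normalise FINGERPRINT
#   Lowercase a hex fingerprint and drop any leading label (e.g. "sha1!! "),
#   so "SHA1!! 4D:61:6E" and "4d:61:6e" compare equal.
fp_hex_normalise() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/.*[[:space:]]//'
}

# fp_equal OPENSSH_B64_FP HEX_FP
#   Exit 0 when both encodings denote the same digest, 1 otherwise.
fp_equal() {
    [ "$(fp_b64_to_hex "$1")" = "$(fp_hex_normalise "$2")" ]
}

# Constructed sample values: "TWFu" is base64 for the bytes 4d 61 6e.
fp_equal 'SHA256:TWFu' '4D:61:6E' && echo "fingerprint matches"
```

Paste the fingerprint ssh shows you as the first argument and the one from the console or initramfs as the second; a non-zero exit means they differ and the connection should not be trusted.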
    
Then

 1. Set the reverse DNS using Hetzner's website. It's in the networking section for each virtual server. Set both IPv4 and IPv6 reverse entries.
 1. Document the LUKS passphrase and root password in tor-passwords.
 1. Follow the rest of [howto/new-machine](howto/new-machine).

To set up autoboot using mandos, see [howto/new-machine-mandos](howto/new-machine-mandos), which covers setting up the mandos client on this host.