Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • tpa-rfc-80-merge-tor-and-tails-support-policies
  • puppet-merge-costs
  • rfc-77-improv
  • tails-merge-admin-mailing-lists
  • mkdocs
  • new-blog-doc
7 results
Blame Permalink
new-machine-hetzner-cloud.md 2.73 KiB

Go to the Heztner console and clikety on the web interface to get a new instance. Credentials are in tor-passwords.git in hosts-extra-info under hetzner.

TODO: consider using the hcloud command instead.

Pick the following settings:

  1. Location: depends on the project, a monitoring server might be better in a different location than the other VMs
  2. Image: Debian 9
  3. Type: depends on the project
  4. Volume: only if extra space is required
  5. Additional features: nothing (no user data or backups)
  6. SSH key: enable all configured keys
  7. Name: FQDN picked from the doc/naming-scheme
  8. Create the server

Then, since we actually want our own Debian install, and since we want the root filesystem to be encrypted, continue with:

  1. Continue on Hetzner's web interface, select the server.
  2. Reboot into the rescue system ("Rescue, Enable rescue & Power cycle", pick linux64 and your SSH key). this will give you a root password
  3. open the console (the icon is near the top right) and login with the root password
  4. get the ssh-keygen -l -f /etc/ssh/ssh_host_*.pub output. NOTE: the Hetzner consoles use a different keyboard mapping than "US". Hint: - is on the / key, / is on shift-7 and * is on shift-]
  5. login to the new host: ssh root@$IPADDRESS, check the fingerprint matches above
  6. start a screen session
  7. clone fabric-tasks to the new host: git clone https://gitlab.torproject.org/tpo/tpa/fabric-tasks.git
  8. run ./fabric-tasks/installer/tor-install-hetzner (the ipv6 address prefix you find on the web interface. Make it end in ::1) TODO: merge script with the howto/new-machine-hetzner-robot procedure. WARNING: this procedure has been known to leave ping non-functional for regular users, see ticket 31781
  9. once done, note down all the info and reboot the VM: reboot
  10. ssh -o FingerprintHash=sha1 root@<ipaddr> to unlock the host, (to compare ssh's base64 output to dropbear's b16, you can use perl -MMIME::Base64 -e '$h = unpack("H*", decode_base64(<>)); $h =~ s/(..)(?=.)/\1:/g; print $h, "\n"' to convert base64 to base16.
  11. ssh root@<ipaddr> to access it once booted

Then

  1. Set the reverse DNS using hetzner's website. It's in the networking section for each virtual server. Set both ipv4 and ipv6 reverse entries.
  2. Document the LUKS passphrase and root password in tor-passwords,
  3. follow the rest of howto/new-machine.

See howto/new-machine-mandos for setting up the mandos client on this host.