How to install a new bare metal server at Hetzner
This is for setting up physical metal at Hetzner.
Order
- get approval for the server, picking the specs from the main website
- head to the order page and pick the right server. Pay close attention to the location: you might want to put it alongside other TPO servers (or not!) depending on redundancy or traffic requirements. Click "Add to shopping cart", leaving all other fields as default.
- in the "Server login details" page, you should leave "Type" set to "Public key". If you do not recognize your public SSH key in there, head to the server list and click on key management to add your public keys
- when you're certain of everything, click "Checkout" in the cart, review the order again and click "Order in obligation".
A confirmation email will be sent by Hetzner at the TPA alias when the order is filed. Then you wait for the order to complete before being able to proceed with the install.
Ordering physical servers from Hetzner can be very fast: we've seen 2-minute turnaround times, but it can also take a lot more time in some situations; see their status page for estimates.
Automated install procedure
At this point you should have received an email from Hetzner with a subject like:
Subject: Your ordered SX62 server
It should contain the SSH fingerprint and IP address of the new host, which we'll use below. The machine can be bootstrapped with a basic Debian installer with the howto/Fabric code in the tsa-misc git repository. Here's an example of a command line:
./install -H root@88.99.194.57 \
--fingerprint 0d:4a:c0:85:c4:e1:fe:03:15:e0:99:fe:7d:cc:34:f7 \
hetzner-robot \
--fqdn=HOSTNAME.torproject.org \
--fai-disk-config=installer/disk-config/gnt-fsn-NVMe \
--package-list=installer/packages \
--post-scripts-dir=installer/post-scripts/ \
--mirror=https://mirror.hetzner.de/debian/packages/
Taking that apart:
- -H root@88.99.194.57: the IP address provided by Hetzner in the confirmation email
- --fingerprint: the ed25519 MD5 fingerprint from the same email
- hetzner-robot: the install job type (only robot supported for now)
- --fqdn=HOSTNAME.torproject.org: the Fully Qualified Domain Name to set on the machine; it is used in a few places, but the hostname is correctly set to the HOSTNAME part only
- --fai-disk-config=installer/disk-config/gnt-fsn-NVMe: the disk configuration, in fai-setup-storage(8) format
- --package-list=installer/packages: the base packages to install
- --post-scripts-dir=installer/post-scripts/: post-install scripts, magic glue that does everything
The last two are passed to grml-debootstrap and should rarely be changed (although they could be converted into Fabric tasks themselves).
Note that the script will show you lines like:
STEP 1: SSH into server with fingerprint ...
Those correspond to the manual install procedure, below. If the procedure stops before the last step (currently STEP 12), there was a problem in the procedure, but the remaining steps can still be performed by hand.
If a problem occurs in the install, you can log in to the rescue shell with:
ssh -o FingerprintHash=md5 -o UserKnownHostsFile=~/.ssh/authorized_keys.hetzner-rescue root@88.99.194.57
... and check the fingerprint against the email provided by Hetzner.
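The fingerprint comparison can also be scripted rather than done by eye. The following is an added example, not code from the tsa-misc installer: it takes a host key line in ssh-keyscan's "host keytype base64" format, computes the colon-separated MD5 fingerprint that --fingerprint expects, and accepts the key only if both the key type and the fingerprint match. All function names are hypothetical, and the sample key and address are constructed.

```python
import base64
import hashlib
import hmac
import struct

def read_string(buf, offset):
    """Read one length-prefixed string (SSH wire format) from buf."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end

def parse_key_line(line):
    """Parse a 'host keytype base64' line as printed by ssh-keyscan."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError("expected: host keytype base64-blob")
    _host, keytype, b64 = fields
    blob = base64.b64decode(b64, validate=True)
    inner, _ = read_string(blob, 0)
    # The blob names its own key type; it must agree with the text field.
    if inner != keytype.encode():
        raise ValueError("declared key type does not match key blob")
    return keytype, blob

def md5_fingerprint(blob):
    """Colon-separated hex MD5, the format --fingerprint takes on this page."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def host_key_matches(keyscan_line, expected_md5, keytype="ssh-ed25519"):
    """True only if the scanned key has the expected type and fingerprint."""
    declared, blob = parse_key_line(keyscan_line)
    expected = expected_md5.strip().lower()
    if expected.startswith("md5:"):
        expected = expected[4:]
    return declared == keytype and hmac.compare_digest(
        md5_fingerprint(blob), expected)

def sample_keyscan_line(seed=0):
    """Constructed sample: a fake ed25519 key for a documentation address."""
    key = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return "192.0.2.10 ssh-ed25519 " + base64.b64encode(blob).decode()
```

A mismatch on either the key type or the fingerprint is a reason to stop and compare against the Hetzner email again before typing anything into the session.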
Do a reboot before continuing with the install:
reboot
You will need to enter the LUKS passphrase generated by the installer through SSH and the dropbear-initramfs setup. The LUKS password and the SSH keys should be available in the installer backlog. If that fails, then you can either try to recover from the out of band management (KVM, or serial if available), or scrutinize the logs for errors that could hint at a problem, and try a reinstall.
See howto/new-machine for post-install configuration steps, then follow howto/new-machine-mandos for setting up the mandos client on this host.
Manual install procedure
WARNING: this procedure is kept for historical reference, and in case the automatic procedure above fails for some reason. It should not be used.
At this point you should have received an email from Hetzner with a subject like:
Subject: Your ordered SX62 server
It should contain the SSH fingerprint, and IP address of the new host which we'll use below.