Go to the [Heztner console][] and clikety on the web interface to get
a new instance. Credentials are in `tor-passwords.git` in
`hosts-extra-info` under `hetzner`.
[Heztner console]: https://console.hetzner.cloud/
Pick the following settings:
1. Location: depends on the project, a monitoring server might be
better in a different location than the other VMs
1. Image: Debian 9
1. Type: depends on the project
1. Volume: only if extra space is required
1. Additional features: nothing (no user data or backups)
1. SSH key: enable all configured keys
1. Name: FQDN picked from the [[doc/naming-scheme]]
1. Create the server
Then, since we actually want our own Debian install, and since we want the root filesystem to be encrypted,
continue with:
1. Continue on Hetzner's web interface, select the server.
1. ISO-Images: Mount SystemRescueCD (2018-04-02)
1. open the console (the icon is near the top right)
1. reboot the system (either using Ctrl-Alt-Del at the console or using the Power tab on the web interface) and it will boot into the rescue system
1. set a root password in the rescue system
1. get the `ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub` output
1. on your host, ssh-copy-id root@<ipaddr> (find the ip address either on the web interface, or ask `ip a`)
1. then copy over `/usr/share/keyrings/debian-archive-keyring.gpg` and `tor-install-hetzner` to the new host,
1. log into the host and run `./tor-install-hetzner` (the ipv6 address prefix you find on the web interface. Make it end in ::1.)
1. once done, note down all the info and poweroff the VM (from the shell is fine)
1. you might have to kill this terminal since the rescue system has done weird copy-paste settings to your terminal (you will know once the passphrase is not accepted in the initrd when you copy/paste it a few steps down)
1. unmount the iso (ISO Images tab), start the VM (power tab or top right).
1. `ssh -o FingerprintHash=sha1 root@<ipaddr>` to unlock the host, (to compare ssh's base64 output to dropbear's b16, you can use `perl -MMIME::Base64 -e '$h = unpack("H*", decode_base64(<>)); $h =~ s/(..)(?=.)/\1:/g; print $h, "\n"'` to convert base64 to base16.
1. `ssh root@<ipaddr>` to access it once booted and then
Then
1. Document the LUKS passphrase and root password in tor-passwords,
1. follow the rest of [[new-machine]].
To setup autoboot using mandos:
See [[new-machine-mandos]] for setting up the mandos client on this host.