---
name: hetzner-bootstrap
description: >
  Bootstrap a Hetzner-hosted Ubuntu/Debian node for sovereign operations: base packages,
  sovereign user, hostname, UFW, SSH hardening (reload-safe), cloudflared install, and
  WireGuard scaffold. Plan/apply/rollback with DRY_RUN.
  Triggers: 'bootstrap hetzner', 'server prep', 'hetzner node a', 'wireguard setup',
  'install cloudflared', 'ufw + ssh hardening'.
version: 1.1.0
---

# Hetzner Bootstrap (Node A)

This skill turns a fresh Hetzner server into a VaultMesh-ready node. The steps run in this fixed order, chosen so that remote access is never cut off part-way through:

- Update + install dependencies
- Install **cloudflared** (Cloudflare apt repo)
- Create the `sovereign` user + SSH authorized key
- Set hostname
- Configure UFW (SSH and WireGuard ports allowed **before** `ufw enable`)
- Harden SSH (disable root login + password authentication), validated with `sshd -t` and applied with **reload** (not restart)
- Scaffold WireGuard keys + `wg0.conf`

## Safety model

- **DRY_RUN=1** by default; apply scripts refuse unless `DRY_RUN=0`.
- **CONFIRM_PHRASE** required for apply steps.
- SSH changes are checked with `sshd -t` before they are installed and activated with `systemctl reload`, so the session you are running from is not dropped.
- UFW allow rules (SSH port, optional 22/tcp fallback, WireGuard port) are written before the firewall is enabled.
- WireGuard private key is root-owned and `0600`.

## Quick Start

Run as **root** on the server:

```bash
cd ~/.codex/skills/hetzner-bootstrap   # or ~/.claude/skills/hetzner-bootstrap

export SERVER_IP="46.224.119.129"
export NODE_NAME="vm-de-op"
export SOVEREIGN_USER="sovereign"
export SSH_PUBLIC_KEY="ssh-ed25519 AAAA... hetzner-sovereign-YYYYMMDD"

# Optional tuning
export WG_PORT="51820"
export WG_CIDR="10.200.0.1/24"

./scripts/00_preflight.sh
./scripts/10_plan.sh

export DRY_RUN=0
./scripts/11_apply.sh

# Optional: scaffold WireGuard (root)
./scripts/20_wireguard_plan.sh
export DRY_RUN=0
./scripts/21_wireguard_apply.sh

./scripts/90_verify.sh
./scripts/99_report.sh
```

## Inputs

| Parameter | Required | Default | Description |
|---|---:|---|---|
| NODE_NAME | Yes | (none) | Hostname to set (e.g. `vm-de-op`) |
| SOVEREIGN_USER | No | `sovereign` | User to create |
| SSH_PUBLIC_KEY | Yes | (none) | Public key to authorize for the sovereign user |
| SSH_PORT | No | 22 | SSH port to allow in UFW (auto-detected when unset, falling back to 22) |
| ALLOW_SSH_FALLBACK_22 | No | true | Safety: also keep 22/tcp open when SSH_PORT != 22 |
| WG_PORT | No | 51820 | WireGuard listen port |
| WG_CIDR | No | `10.200.0.1/24` | WireGuard interface address with prefix length (an interface address, not a network, despite the name) |
| INSTALL_CLOUDFLARED | No | true | Install cloudflared from the Cloudflare apt repo |
| INSTALL_WIREGUARD | No | true | Install the wireguard package |
| DRY_RUN | No | 1 | Apply scripts refuse unless DRY_RUN=0 |
| REQUIRE_CONFIRM | No | 1 | Require the confirmation phrase for apply steps |
| CONFIRM_PHRASE | No | `I UNDERSTAND THIS CAN AFFECT REMOTE ACCESS` | Safety phrase checked when REQUIRE_CONFIRM=1 |

## Outputs

- `outputs/status_matrix.json`
- `outputs/audit_report.md`
- `outputs/backups/*` (sshd_config, UFW state before changes, etc.)

## Notes

- After `11_apply.sh`, **open a second SSH session** as the sovereign user and confirm it works. Root login and password authentication are disabled at that point, so the sovereign key is the only way back in.
- Only after confirming sovereign access should you close the root session.
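The safety model and the UFW/SSH steps of the sequence above, shown as working bash. This is an added example, not the skill's own `11_apply.sh`; function names, the backup layout, the sample `sshd_config` (constructed) and the `ssh` unit name are assumptions. It runs in plan mode as any user; on a real node it only acts once `DRY_RUN=0` and the confirm phrase are set.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own scripts): the apply gate, the lockout-safe
# UFW ordering and the reload-safe sshd edit, as stand-alone functions.
# Function names, file layout and the `ssh` unit name are assumptions.
set -euo pipefail

: "${DRY_RUN:=1}" "${REQUIRE_CONFIRM:=1}" "${CONFIRM_PHRASE:=}"
EXPECTED_PHRASE="I UNDERSTAND THIS CAN AFFECT REMOTE ACCESS"

# Apply gate: refuse unless DRY_RUN=0 and, when REQUIRE_CONFIRM=1, the phrase matches.
apply_gate() {
  [ "${DRY_RUN}" = "0" ] || { echo "DRY_RUN=${DRY_RUN}: plan only" >&2; return 1; }
  if [ "${REQUIRE_CONFIRM}" = "1" ] && [ "${CONFIRM_PHRASE}" != "${EXPECTED_PHRASE}" ]; then
    echo "refusing: CONFIRM_PHRASE does not match" >&2; return 1
  fi
}

# run: execute the command when the gate passes, otherwise print it as the plan.
run() { if apply_gate 2>/dev/null; then "$@"; else printf 'PLAN: %s\n' "$*"; fi; }

# UFW in lockout-safe order: SSH first (plus 22/tcp fallback when SSH_PORT moved),
# then WireGuard, and `enable` strictly last.
ufw_plan() {
  local ssh_port="${SSH_PORT:-22}" wg_port="${WG_PORT:-51820}" fb="${ALLOW_SSH_FALLBACK_22:-true}"
  echo "ufw allow ${ssh_port}/tcp"
  [ "${ssh_port}" = "22" ] || [ "${fb}" != "true" ] || echo "ufw allow 22/tcp"
  echo "ufw allow ${wg_port}/udp"
  echo "ufw --force enable"
}

# Constructed sample of a stock Debian/Ubuntu sshd_config; not a real host's file.
write_sample_sshd_config() {
  cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
EOF
}

# Write a hardened copy of src to dst, backing up src into backup_dir first.
# The hardened directives go at the TOP: sshd keeps the first value it sees, so
# they win over anything in the Include'd drop-ins, and nothing lands inside a
# trailing Match block. Match blocks are passed through untouched.
harden_sshd_config() {
  local src="$1" dst="$2" backup_dir="$3"
  cp -p "$src" "${backup_dir}/sshd_config.$(date +%Y%m%d%H%M%S).bak"
  {
    echo "# managed by hetzner-bootstrap example"
    echo "PermitRootLogin no"
    echo "PasswordAuthentication no"
    echo "KbdInteractiveAuthentication no"
    echo "PubkeyAuthentication yes"
    awk '
      /^[ \t]*Match[ \t]/ { in_match = 1 }
      in_match { print; next }
      /^[ \t]*#?[ \t]*(PermitRootLogin|PasswordAuthentication|KbdInteractiveAuthentication|PubkeyAuthentication)([ \t]|$)/ { next }
      { print }
    ' "$src"
  } > "$dst"
}

# Validate with sshd -t -f. 0 = valid, nonzero = invalid, 2 = no sshd here to ask.
validate_sshd_config() {
  command -v sshd >/dev/null 2>&1 || return 2
  sshd -t -f "$1"
}

# Install the candidate and reload (never restart) only when validation returned 0.
# Debian/Ubuntu name the unit `ssh`; reload keeps existing sessions open.
install_and_reload_sshd() {
  local candidate="$1" target="${2:-/etc/ssh/sshd_config}" rc=0
  validate_sshd_config "$candidate" || rc=$?
  [ "$rc" -eq 0 ] || { echo "not touching ${target}: validation rc=${rc}" >&2; return "$rc"; }
  run install -m 0644 -o root -g root "$candidate" "$target"
  run systemctl reload ssh
}

# Plan-mode walkthrough on the constructed config: safe to run anywhere as any user.
demo="$(mktemp -d)"
write_sample_sshd_config "${demo}/sshd_config"
harden_sshd_config "${demo}/sshd_config" "${demo}/sshd_config.hardened" "${demo}"
echo "--- hardened sshd_config:"; cat "${demo}/sshd_config.hardened"
echo "--- ufw plan:"; ufw_plan
install_and_reload_sshd "${demo}/sshd_config.hardened" "${demo}/sshd_config.installed" || true
```

Two design points: the gate is consulted by `run` on every command rather than once at the top, so a script that is sourced with `DRY_RUN` still set to 1 can never slip a real `ufw enable` through; and `install_and_reload_sshd` treats "sshd not available to validate" (rc 2) the same as "invalid", so it fails closed instead of reloading an unchecked config.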
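The WireGuard scaffold and its verify check (private key and `wg0.conf` root-owned, `0600`), as an added example rather than the skill's `20_wireguard_plan.sh` / `21_wireguard_apply.sh`. File names, the verify function and the demo key (a constructed string of zeros, not a real key) are assumptions; with `wg(8)` installed, `wg_generate_keys` produces the real key pair.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own scripts): WireGuard scaffold with the
# private key and wg0.conf created 0600 from the start, plus the verify check.
# File names and the demo key are assumptions.
set -euo pipefail

# Generate wg0.key / wg0.pub with wg(8). Returns 2 when wg is missing so the
# caller can refuse instead of scaffolding a config with no usable key.
wg_generate_keys() {
  local dir="$1"
  command -v wg >/dev/null 2>&1 || return 2
  ( umask 077
    wg genkey > "${dir}/wg0.key"
    wg pubkey < "${dir}/wg0.key" > "${dir}/wg0.pub" )
}

# Render wg0.conf from a private key file. umask 077 makes the file 0600 at
# creation; a chmod after writing would leave a window where the key is readable.
render_wg0_conf() {
  local keyfile="$1" out="$2" addr="${3:-${WG_CIDR:-10.200.0.1/24}}" port="${4:-${WG_PORT:-51820}}"
  ( umask 077
    {
      echo "[Interface]"
      echo "Address = ${addr}"
      echo "ListenPort = ${port}"
      echo "PrivateKey = $(cat "$keyfile")"
      echo "# one [Peer] block per peer is appended later"
    } > "$out" )
}

# Octal mode of a file (GNU stat, with a BSD stat fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Verify check for private material: mode 0600 and, when running as root,
# owned by root. Returns 1 with a reason on stderr otherwise.
wg_secret_ok() {
  local f="$1"
  [ "$(file_mode "$f")" = "600" ] || { echo "${f}: mode $(file_mode "$f"), want 600" >&2; return 1; }
  if [ "$(id -u)" = "0" ] && [ "$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")" != "root" ]; then
    echo "${f}: not owned by root" >&2; return 1
  fi
}

# Demo on a constructed key (44 base64 chars of zeros, NOT a real key) so it runs
# without wg(8); with wg present, wg_generate_keys "$demo" would supply wg0.key.
demo="$(mktemp -d)"
( umask 077; printf 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n' > "${demo}/wg0.key" )
render_wg0_conf "${demo}/wg0.key" "${demo}/wg0.conf"
wg_secret_ok "${demo}/wg0.conf" && cat "${demo}/wg0.conf"
```

On the node itself the scaffold is `wg_generate_keys /etc/wireguard && render_wg0_conf /etc/wireguard/wg0.key /etc/wireguard/wg0.conf`, run as root under the same DRY_RUN gate as the rest of the apply phase; `wg_secret_ok` is the check `90_verify.sh` needs to make before reporting the key as protected.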