Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2.9 KiB
| name | description | version |
|---|---|---|
| hetzner-bootstrap | Bootstrap a Hetzner-hosted Ubuntu/Debian node for sovereign operations: base packages, sovereign user, hostname, UFW, SSH hardening (reload-safe), cloudflared install, and WireGuard scaffold. Plan/apply/rollback with DRY_RUN. Triggers: 'bootstrap hetzner', 'server prep', 'hetzner node a', 'wireguard setup', 'install cloudflared', 'ufw + ssh hardening'. | 1.1.0 |
Hetzner Bootstrap (Node A)
This skill turns a fresh Hetzner server into a VaultMesh-ready node using the following ordered, safety-first sequence:
- Update + install dependencies
- Install cloudflared (Cloudflare apt repo)
- Create the `sovereign` user + SSH authorized key
- Set hostname
- Configure UFW (WireGuard port opened before UFW is enabled)
- Harden SSH (disable root login + password auth) using reload (not restart)
- Scaffold WireGuard keys + `wg0.conf`
Safety model
- DRY_RUN=1 by default; apply scripts refuse to run unless DRY_RUN=0.
- CONFIRM_PHRASE required for apply steps.
- SSH changes use `sshd -t` validation and `systemctl reload` to avoid session loss.
- WireGuard private key is root-owned and mode 0600.
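The reload-safe SSH hardening step described above, as an added example (not the skill's own 11_apply.sh): back up sshd_config, set the hardened options, validate with `sshd -t` and only then reload, restoring the backup if validation fails. It assumes a Debian/Ubuntu host (GNU sed, service name `ssh`); `SSHD_CHECK` and `RELOAD_CMD` are hypothetical overrides so the logic can be exercised against a throwaway file without a live sshd.

```bash
#!/usr/bin/env bash
# Added example, not the skill's script. SSHD_CHECK / RELOAD_CMD are
# assumed override hooks; DRY_RUN follows the skill's default of 1.
set -eu

DRY_RUN="${DRY_RUN:-1}"
SSHD_CHECK="${SSHD_CHECK:-sshd -t -f}"           # validator: sshd -t -f <file>
RELOAD_CMD="${RELOAD_CMD:-systemctl reload ssh}" # reload, never restart

# set_sshd_option FILE KEY VALUE: rewrite every active KEY line, or append one.
# Commented-out lines are left untouched so the original intent stays visible.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
    sed -Ei "s|^[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd [FILE]: back up, edit, validate, reload; roll back on bad config.
harden_sshd() {
  local file="${1:-/etc/ssh/sshd_config}"
  local backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
  if [ "$DRY_RUN" != "0" ]; then
    echo "DRY_RUN=$DRY_RUN: would disable root login and password auth in $file"
    return 0
  fi
  cp -p "$file" "$backup"
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" PubkeyAuthentication yes
  # A syntax error here would make every NEW session fail; sshd -t catches
  # it before the daemon ever loads the file.
  if ! $SSHD_CHECK "$file"; then
    echo "sshd validation failed, restoring $backup" >&2
    cp -p "$backup" "$file"
    return 1
  fi
  # reload re-reads the config while keeping the current root session alive
  $RELOAD_CMD
}

# option_value FILE KEY: effective value of KEY (sshd uses the first match).
option_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}
```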
Quick Start
Run as root on the server:
```bash
cd ~/.codex/skills/hetzner-bootstrap   # or ~/.claude/skills/hetzner-bootstrap
export SERVER_IP="46.224.119.129"
export NODE_NAME="vm-de-op"
export SOVEREIGN_USER="sovereign"
export SSH_PUBLIC_KEY="ssh-ed25519 AAAA... hetzner-sovereign-YYYYMMDD"
# Optional tuning
export WG_PORT="51820"
export WG_CIDR="10.200.0.1/24"

./scripts/00_preflight.sh
./scripts/10_plan.sh
export DRY_RUN=0
./scripts/11_apply.sh

# Optional: scaffold WireGuard (root)
./scripts/20_wireguard_plan.sh
export DRY_RUN=0
./scripts/21_wireguard_apply.sh

./scripts/90_verify.sh
./scripts/99_report.sh
```
Inputs
| Parameter | Required | Default | Description |
|---|---|---|---|
| NODE_NAME | Yes | (none) | Hostname to set (e.g. vm-de-op) |
| SOVEREIGN_USER | No | sovereign | User to create |
| SSH_PUBLIC_KEY | Yes | (none) | Public key to authorize for sovereign |
| SSH_PORT | No | 22 | SSH port to allow in UFW (auto-detected if unset) |
| ALLOW_SSH_FALLBACK_22 | No | true | Safety: keep 22/tcp open if SSH_PORT != 22 |
| WG_PORT | No | 51820 | WireGuard listen port |
| WG_CIDR | No | 10.200.0.1/24 | WireGuard interface address |
| INSTALL_CLOUDFLARED | No | true | Install cloudflared from Cloudflare apt repo |
| INSTALL_WIREGUARD | No | true | Install wireguard package |
| DRY_RUN | No | 1 | Apply refuses unless DRY_RUN=0 |
| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
| CONFIRM_PHRASE | No | I UNDERSTAND THIS CAN AFFECT REMOTE ACCESS | Safety phrase |
Outputs
- outputs/status_matrix.json
- outputs/audit_report.md
- outputs/backups/* (sshd_config, UFW state before changes, etc.)
Notes
- After Phase 11 apply, open a second SSH session as the sovereign user.
- Only after confirming sovereign access should you close the root session.