Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00


---
name: hetzner-bootstrap
description: >
Bootstrap a Hetzner-hosted Ubuntu/Debian node for sovereign operations:
base packages, sovereign user, hostname, UFW, SSH hardening (reload-safe),
cloudflared install, and WireGuard scaffold. Plan/apply/rollback with DRY_RUN.
Triggers: 'bootstrap hetzner', 'server prep', 'hetzner node a', 'wireguard setup',
'install cloudflared', 'ufw + ssh hardening'.
version: 1.1.0
---
# Hetzner Bootstrap (Node A)
This skill turns a fresh Hetzner server into a VaultMesh-ready node using the
exact safe sequence you specified:
- Update + install dependencies
- Install **cloudflared** (Cloudflare repo)
- Create `sovereign` user + SSH authorized key
- Set hostname
- Configure UFW (WireGuard port opened **before** enable)
- Harden SSH (disable root + passwords) using **reload** (not restart)
- Scaffold WireGuard keys + `wg0.conf`
## Safety model
- **DRY_RUN=1** by default; apply scripts refuse unless `DRY_RUN=0`.
- **CONFIRM_PHRASE** required for apply steps.
- SSH changes use `sshd -t` validation and `systemctl reload` to avoid session loss.
- WireGuard private key is root-owned and `0600`.
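The safety model above can be read as one small state machine: plan unless apply is explicitly unlocked, validate a candidate before it can ever reach the live `sshd_config`, and reload rather than restart. The script below is an added illustration of that model, not one of the skill's own `scripts/*.sh`; the `sshd_config` path, the `ssh` unit name used for `systemctl reload`, and the directive set (`PermitRootLogin`, `PasswordAuthentication`, plus `KbdInteractiveAuthentication`) are assumptions chosen for an Ubuntu/Debian node.

```bash
#!/usr/bin/env bash
# Added illustration of the safety model (DRY_RUN gate, confirmation phrase,
# validate-then-reload). Not the hetzner-bootstrap scripts; the config path,
# service unit name and directive set are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"
REQUIRE_CONFIRM="${REQUIRE_CONFIRM:-1}"
CONFIRM_PHRASE="${CONFIRM_PHRASE:-I UNDERSTAND THIS CAN AFFECT REMOTE ACCESS}"

# Apply steps run only when DRY_RUN=0 and (if REQUIRE_CONFIRM=1) the typed
# phrase matches exactly. Returns 1 otherwise so callers fall back to planning.
apply_allowed() {
  local typed="${1:-}"
  if [ "$DRY_RUN" != "0" ]; then
    echo "DRY_RUN=$DRY_RUN: plan only, nothing applied" >&2
    return 1
  fi
  if [ "$REQUIRE_CONFIRM" = "1" ] && [ "$typed" != "$CONFIRM_PHRASE" ]; then
    echo "confirmation phrase mismatch; refusing to apply" >&2
    return 1
  fi
}

# Set "Key value" in an sshd_config: the first active or commented occurrence
# is replaced, later duplicates are dropped, and a missing key is appended.
set_directive() {
  local cfg="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
      if (!done) { print k " " v; done = 1 }
      next
    }
    { print }
    END { if (!done) print k " " v }
  ' "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"   # overwrite in place so owner and mode are kept
  rm -f "$tmp"
}

# Real-node hooks (assumed Ubuntu/Debian unit name). Tests substitute
# "true"/"false" for these so the logic runs without sshd installed.
validate_sshd() { sshd -t -f "$1"; }
reload_sshd()   { systemctl reload ssh; }   # reload keeps open sessions alive

# harden_sshd CONFIG BACKUP_DIR [PHRASE] [VALIDATOR] [RELOADER]
# Edits a candidate copy, validates it, and only then (if apply is allowed)
# backs up the live file, swaps the candidate in and reloads. Under DRY_RUN=1
# it prints the diff and changes nothing.
harden_sshd() {
  local cfg="$1" bakdir="$2" phrase="${3:-}"
  local validate="${4:-validate_sshd}" reload="${5:-reload_sshd}"
  local candidate backup
  candidate="$(mktemp)"
  cp "$cfg" "$candidate"
  set_directive "$candidate" PermitRootLogin no
  set_directive "$candidate" PasswordAuthentication no
  set_directive "$candidate" KbdInteractiveAuthentication no
  if ! "$validate" "$candidate"; then
    echo "candidate sshd_config fails validation; live config untouched" >&2
    rm -f "$candidate"
    return 1
  fi
  if ! apply_allowed "$phrase"; then
    echo "plan for $cfg (no changes made):"
    diff -u "$cfg" "$candidate" || true
    rm -f "$candidate"
    return 0
  fi
  mkdir -p "$bakdir"
  backup="$bakdir/sshd_config.$(date +%Y%m%d%H%M%S)"
  cp -p "$cfg" "$backup"
  cat "$candidate" > "$cfg"
  rm -f "$candidate"
  "$reload"
  echo "sshd hardened via reload; previous config saved at $backup"
}
```

On a live node the call is `harden_sshd /etc/ssh/sshd_config outputs/backups "$CONFIRM_PHRASE"` with the default hooks. Because Ubuntu's `sshd_config` includes `sshd_config.d/*.conf` at the top and sshd keeps the first value it reads, confirm the effective settings afterwards with `sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'` rather than trusting the file edit alone.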
## Quick Start
Run as **root** on the server:
```bash
cd ~/.codex/skills/hetzner-bootstrap # or ~/.claude/skills/hetzner-bootstrap
export SERVER_IP="46.224.119.129"
export NODE_NAME="vm-de-op"
export SOVEREIGN_USER="sovereign"
export SSH_PUBLIC_KEY="ssh-ed25519 AAAA... hetzner-sovereign-YYYYMMDD"
# Optional tuning
export WG_PORT="51820"
export WG_CIDR="10.200.0.1/24"
./scripts/00_preflight.sh
./scripts/10_plan.sh
export DRY_RUN=0
./scripts/11_apply.sh
# Optional: scaffold WireGuard (root)
./scripts/20_wireguard_plan.sh
export DRY_RUN=0
./scripts/21_wireguard_apply.sh
./scripts/90_verify.sh
./scripts/99_report.sh
```
## Inputs
| Parameter | Required | Default | Description |
|---|---:|---|---|
| NODE_NAME | Yes | (none) | Hostname to set (e.g. vm-de-op) |
| SOVEREIGN_USER | No | sovereign | User to create |
| SSH_PUBLIC_KEY | Yes | (none) | Public key to authorize for sovereign |
| SSH_PORT | No | 22 | SSH port to allow in UFW (auto-detected if unset) |
| ALLOW_SSH_FALLBACK_22 | No | true | Safety: keep 22/tcp open if SSH_PORT != 22 |
| WG_PORT | No | 51820 | WireGuard listen port |
| WG_CIDR | No | 10.200.0.1/24 | WireGuard interface address |
| INSTALL_CLOUDFLARED | No | true | Install cloudflared from Cloudflare apt repo |
| INSTALL_WIREGUARD | No | true | Install wireguard package |
| DRY_RUN | No | 1 | Apply refuses unless DRY_RUN=0 |
| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
| CONFIRM_PHRASE | No | I UNDERSTAND THIS CAN AFFECT REMOTE ACCESS | Safety phrase |
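The `SSH_PORT`, `ALLOW_SSH_FALLBACK_22` and `WG_PORT` inputs feed the one ordering rule that matters for UFW: every allow rule, including the WireGuard port, must exist before `ufw enable`, and a non-default SSH port keeps 22/tcp open as a fallback. The following is an added example of that planning logic, not the skill's own `11_apply.sh`; the default-deny policy, the rule comments and the `Port`-line detection are assumptions.

```bash
#!/usr/bin/env bash
# Added example of the UFW ordering rule (allow SSH and WireGuard, then
# enable) with SSH port auto-detection and the 22/tcp fallback.
# Not the skill's own script; policy, comments and detection are assumptions.
set -eu

SSH_PORT="${SSH_PORT:-}"                               # empty = auto-detect
ALLOW_SSH_FALLBACK_22="${ALLOW_SSH_FALLBACK_22:-true}"
WG_PORT="${WG_PORT:-51820}"
DRY_RUN="${DRY_RUN:-1}"

# Run a command under DRY_RUN=0; otherwise only print it as part of the plan.
run() {
  if [ "$DRY_RUN" = "0" ]; then "$@"; else printf '[plan] %s\n' "$*"; fi
}

# First active "Port" line of an sshd_config, default 22. On a live node
# `sshd -T | awk '$1=="port"{print $2}'` gives the effective value (it
# resolves Include files); the file parser here keeps the example offline.
detect_ssh_port() {
  local cfg="$1" port
  port="$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; exit }' "$cfg")"
  printf '%s\n' "${port:-22}"
}

# Emit (or apply) the rules. Allow rules always precede `ufw --force enable`
# so the firewall never comes up with the management ports closed.
configure_ufw() {
  local cfg="$1" ssh_port="$SSH_PORT"
  [ -n "$ssh_port" ] || ssh_port="$(detect_ssh_port "$cfg")"
  case "$ssh_port" in
    ''|*[!0-9]*) echo "invalid SSH port: '$ssh_port'" >&2; return 1 ;;
  esac
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw allow "${ssh_port}/tcp" comment ssh
  if [ "$ssh_port" != "22" ] && [ "$ALLOW_SSH_FALLBACK_22" = "true" ]; then
    run ufw allow 22/tcp comment ssh-fallback   # a way back in if SSH_PORT is wrong
  fi
  run ufw allow "${WG_PORT}/udp" comment wireguard   # opened BEFORE enable
  run ufw --force enable   # --force skips the interactive "may disrupt ssh" prompt
}
```

With `DRY_RUN=1` the function prints the exact command sequence it would run, which is what a reviewer wants to see in the plan phase; snapshotting `ufw status verbose` into `outputs/backups/` before the `DRY_RUN=0` run gives the "ufw before" state the Outputs section refers to.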
## Outputs
- `outputs/status_matrix.json`
- `outputs/audit_report.md`
- `outputs/backups/*` (sshd_config, ufw before, etc.)
## Notes
- After Phase 11 apply, **open a second SSH session** as the sovereign user.
- Only after confirming sovereign access should you close the root session.