Post-Tyranny-Tech-Infrastru.../tofu/terraform.tfvars.example

# Copy this file to terraform.tfvars and fill in your values
# terraform.tfvars is gitignored and will not be committed

# Hetzner API Tokens
hcloud_token     = "YOUR_HETZNER_CLOUD_API_TOKEN"
hetznerdns_token = "YOUR_HETZNER_DNS_API_TOKEN"  # Can be same as cloud token

# SSH keys are now per-client
# Generate keys with: ./scripts/generate-client-keys.sh <client_name>
# Keys stored in: keys/ssh/<client_name> and keys/ssh/<client_name>.pub

# Base domain (must be registered and added to Hetzner DNS)
base_domain = "example.com"

# Client configurations
clients = {
  # Example client - uncomment and modify when ready to provision
  # alpha = {
  #   server_type = "cx22"        # 2 vCPU, 4 GB RAM, 40 GB SSD - €6.25/month
  #   location    = "fsn1"        # Falkenstein, Germany
  #   subdomain   = "alpha"       # Will create alpha.example.com
  #   apps        = ["zitadel", "nextcloud"]
  # }
}

# Enable automated snapshots (20% of server cost)
enable_snapshots = true
Implement OpenTofu infrastructure provisioning (#1) Completed: - ✅ Hetzner Cloud provider configuration - ✅ VPS server provisioning with for_each pattern - ✅ Cloud firewall rules (SSH, HTTP, HTTPS) - ✅ SSH key management - ✅ Outputs for Ansible dynamic inventory - ✅ Variable structure and documentation - ✅ Test server successfully provisioned Deferred: - DNS configuration (commented out, waiting for domain) Files added: - tofu/versions.tf - Provider versions - tofu/variables.tf - Input variable definitions - tofu/main.tf - Core infrastructure resources - tofu/dns.tf - DNS configuration (optional) - tofu/outputs.tf - Outputs for Ansible integration - tofu/terraform.tfvars.example - Configuration template - tofu/README.md - Comprehensive setup guide Closes #1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-27 13:48:42 +01:00			`# Copy this file to terraform.tfvars and fill in your values`
			`# terraform.tfvars is gitignored and will not be committed`

			`# Hetzner API Tokens`
			`hcloud_token = "YOUR_HETZNER_CLOUD_API_TOKEN"`
			`hetznerdns_token = "YOUR_HETZNER_DNS_API_TOKEN" # Can be same as cloud token`

feat: Implement per-client SSH key isolation Resolves #14 Each client now gets a dedicated SSH key pair, ensuring that compromise of one client server does not grant access to other client servers. ## Changes ### Infrastructure (OpenTofu) - Replace shared `hcloud_ssh_key.default` with per-client `hcloud_ssh_key.client` - Each client key read from `keys/ssh/<client_name>.pub` - Server recreated with new key (dev server only, acceptable downtime) ### Key Management - Created `keys/ssh/` directory for SSH keys - Added `.gitignore` to protect private keys from git - Generated ED25519 key pair for dev client - Private key gitignored, public key committed ### Scripts - `scripts/generate-client-keys.sh` - Generate SSH key pairs for clients - Updated `scripts/deploy-client.sh` to check for client SSH key ### Documentation - `docs/ssh-key-management.md` - Complete SSH key management guide - `keys/ssh/README.md` - Quick reference for SSH keys directory ### Configuration - Removed `ssh_public_key` variable from `variables.tf` - Updated `terraform.tfvars` to remove shared SSH key reference - Updated `terraform.tfvars.example` with new key generation instructions ## Security Improvements ✅ Client isolation: Each client has dedicated SSH key ✅ Granular rotation: Rotate keys per-client without affecting others ✅ Defense in depth: Minimize blast radius of key compromise ✅ Proper key storage: Private keys gitignored, backups documented ## Testing - ✅ Generated new SSH key for dev client - ✅ Applied OpenTofu changes (server recreated) - ✅ Tested SSH access: `ssh -i keys/ssh/dev root@78.47.191.38` - ✅ Verified key isolation: Old shared key removed from Hetzner ## Migration Notes For existing clients: 1. Generate key: `./scripts/generate-client-keys.sh <client>` 2. Apply OpenTofu: `cd tofu && tofu apply` (will recreate server) 3. Deploy: `./scripts/deploy-client.sh <client>` For new clients: 1. Generate key first 2. Deploy as normal 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-17 19:50:30 +01:00			`# SSH keys are now per-client`
			`# Generate keys with: ./scripts/generate-client-keys.sh <client_name>`
			`# Keys stored in: keys/ssh/<client_name> and keys/ssh/<client_name>.pub`
Implement OpenTofu infrastructure provisioning (#1) Completed: - ✅ Hetzner Cloud provider configuration - ✅ VPS server provisioning with for_each pattern - ✅ Cloud firewall rules (SSH, HTTP, HTTPS) - ✅ SSH key management - ✅ Outputs for Ansible dynamic inventory - ✅ Variable structure and documentation - ✅ Test server successfully provisioned Deferred: - DNS configuration (commented out, waiting for domain) Files added: - tofu/versions.tf - Provider versions - tofu/variables.tf - Input variable definitions - tofu/main.tf - Core infrastructure resources - tofu/dns.tf - DNS configuration (optional) - tofu/outputs.tf - Outputs for Ansible integration - tofu/terraform.tfvars.example - Configuration template - tofu/README.md - Comprehensive setup guide Closes #1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-27 13:48:42 +01:00
			`# Base domain (must be registered and added to Hetzner DNS)`
			`base_domain = "example.com"`

			`# Client configurations`
			`clients = {`
			`# Example client - uncomment and modify when ready to provision`
			`# alpha = {`
			`# server_type = "cx22" # 2 vCPU, 4 GB RAM, 40 GB SSD - €6.25/month`
			`# location = "fsn1" # Falkenstein, Germany`
			`# subdomain = "alpha" # Will create alpha.example.com`
			`# apps = ["zitadel", "nextcloud"]`
			`# }`
			`}`

			`# Enable automated snapshots (20% of server cost)`
			`enable_snapshots = true`