Post-Tyranny-Tech-Infrastru.../tofu/variables.tf

# Hetzner Cloud API Token
variable "hcloud_token" {
  description = "Hetzner Cloud API Token (Read & Write)"
  type        = string
  sensitive   = true
}

# Hetzner DNS API Token (can be same as Cloud token)
variable "hetznerdns_token" {
  description = "Hetzner DNS API Token"
  type        = string
  sensitive   = true
}

# SSH keys are now per-client, stored in keys/ssh/<client>.pub
# No global ssh_public_key variable needed

# Base Domain (optional - only needed if using DNS)
variable "base_domain" {
  description = "Base domain for client subdomains (e.g., platform.nl) - leave empty if not using DNS"
  type        = string
  default     = ""
}

# Client Configurations
variable "clients" {
  description = "Map of client configurations"
  type = map(object({
    server_type            = string       # e.g., "cx22" (2 vCPU, 4 GB RAM)
    location               = string       # e.g., "fsn1" (Falkenstein), "nbg1" (Nuremberg), "hel1" (Helsinki)
    subdomain              = string       # e.g., "alpha" for alpha.platform.nl
    apps                   = list(string) # e.g., ["zitadel", "nextcloud"]
    nextcloud_volume_size  = number       # Size in GB for Nextcloud data volume (min 10, max 10000)
  }))
  default = {}
}

# Enable automated snapshots
variable "enable_snapshots" {
  description = "Enable automated daily snapshots (20% of server cost)"
  type        = bool
  default     = true
}
Implement OpenTofu infrastructure provisioning (#1) Completed: - ✅ Hetzner Cloud provider configuration - ✅ VPS server provisioning with for_each pattern - ✅ Cloud firewall rules (SSH, HTTP, HTTPS) - ✅ SSH key management - ✅ Outputs for Ansible dynamic inventory - ✅ Variable structure and documentation - ✅ Test server successfully provisioned Deferred: - DNS configuration (commented out, waiting for domain) Files added: - tofu/versions.tf - Provider versions - tofu/variables.tf - Input variable definitions - tofu/main.tf - Core infrastructure resources - tofu/dns.tf - DNS configuration (optional) - tofu/outputs.tf - Outputs for Ansible integration - tofu/terraform.tfvars.example - Configuration template - tofu/README.md - Comprehensive setup guide Closes #1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-27 13:48:42 +01:00			`# Hetzner Cloud API Token`
			`variable "hcloud_token" {`
			`description = "Hetzner Cloud API Token (Read & Write)"`
			`type = string`
			`sensitive = true`
			`}`

			`# Hetzner DNS API Token (can be same as Cloud token)`
			`variable "hetznerdns_token" {`
			`description = "Hetzner DNS API Token"`
			`type = string`
			`sensitive = true`
			`}`

feat: Implement per-client SSH key isolation Resolves #14 Each client now gets a dedicated SSH key pair, ensuring that compromise of one client server does not grant access to other client servers. ## Changes ### Infrastructure (OpenTofu) - Replace shared `hcloud_ssh_key.default` with per-client `hcloud_ssh_key.client` - Each client key read from `keys/ssh/<client_name>.pub` - Server recreated with new key (dev server only, acceptable downtime) ### Key Management - Created `keys/ssh/` directory for SSH keys - Added `.gitignore` to protect private keys from git - Generated ED25519 key pair for dev client - Private key gitignored, public key committed ### Scripts - `scripts/generate-client-keys.sh` - Generate SSH key pairs for clients - Updated `scripts/deploy-client.sh` to check for client SSH key ### Documentation - `docs/ssh-key-management.md` - Complete SSH key management guide - `keys/ssh/README.md` - Quick reference for SSH keys directory ### Configuration - Removed `ssh_public_key` variable from `variables.tf` - Updated `terraform.tfvars` to remove shared SSH key reference - Updated `terraform.tfvars.example` with new key generation instructions ## Security Improvements ✅ Client isolation: Each client has dedicated SSH key ✅ Granular rotation: Rotate keys per-client without affecting others ✅ Defense in depth: Minimize blast radius of key compromise ✅ Proper key storage: Private keys gitignored, backups documented ## Testing - ✅ Generated new SSH key for dev client - ✅ Applied OpenTofu changes (server recreated) - ✅ Tested SSH access: `ssh -i keys/ssh/dev root@78.47.191.38` - ✅ Verified key isolation: Old shared key removed from Hetzner ## Migration Notes For existing clients: 1. Generate key: `./scripts/generate-client-keys.sh <client>` 2. Apply OpenTofu: `cd tofu && tofu apply` (will recreate server) 3. Deploy: `./scripts/deploy-client.sh <client>` For new clients: 1. Generate key first 2. Deploy as normal 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-17 19:50:30 +01:00			`# SSH keys are now per-client, stored in keys/ssh/<client>.pub`
			`# No global ssh_public_key variable needed`
Implement OpenTofu infrastructure provisioning (#1) Completed: - ✅ Hetzner Cloud provider configuration - ✅ VPS server provisioning with for_each pattern - ✅ Cloud firewall rules (SSH, HTTP, HTTPS) - ✅ SSH key management - ✅ Outputs for Ansible dynamic inventory - ✅ Variable structure and documentation - ✅ Test server successfully provisioned Deferred: - DNS configuration (commented out, waiting for domain) Files added: - tofu/versions.tf - Provider versions - tofu/variables.tf - Input variable definitions - tofu/main.tf - Core infrastructure resources - tofu/dns.tf - DNS configuration (optional) - tofu/outputs.tf - Outputs for Ansible integration - tofu/terraform.tfvars.example - Configuration template - tofu/README.md - Comprehensive setup guide Closes #1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-27 13:48:42 +01:00
			`# Base Domain (optional - only needed if using DNS)`
			`variable "base_domain" {`
			`description = "Base domain for client subdomains (e.g., platform.nl) - leave empty if not using DNS"`
			`type = string`
			`default = ""`
			`}`

			`# Client Configurations`
			`variable "clients" {`
			`description = "Map of client configurations"`
			`type = map(object({`
feat: Use Hetzner Volumes for Nextcloud data storage (issue #18) Implement persistent block storage for Nextcloud user data, separating application and data layers: OpenTofu Changes: - tofu/volumes.tf: Create and attach Hetzner Volumes per client - Configurable size per client (default 100 GB for dev) - ext4 formatted, attached but not auto-mounted - tofu/variables.tf: Add nextcloud_volume_size to client config - tofu/terraform.tfvars: Set volume size for dev client (100 GB ~€5.40/mo) Ansible Changes: - ansible/roles/nextcloud/tasks/mount-volume.yml: New mount tasks - Detect volume device automatically - Format if needed, mount at /mnt/nextcloud-data - Add to fstab for persistence - Set correct permissions for www-data - ansible/roles/nextcloud/tasks/main.yml: Include volume mounting - ansible/roles/nextcloud/templates/docker-compose.nextcloud.yml.j2: - Use host mount /mnt/nextcloud-data/data instead of Docker volume - Keep app code in Docker volume (nextcloud-app) - User data now on Hetzner Volume Scripts: - scripts/resize-client-volume.sh: Online volume resizing - Resize via Hetzner API - Expand filesystem automatically - Show cost impact - Verify new size Documentation: - docs/storage-architecture.md: Complete storage guide - Architecture diagrams - Volume specifications - Sizing guidelines - Operations procedures - Performance considerations - Troubleshooting guide - docs/volume-migration.md: Step-by-step migration - Safe migration from Docker volumes - Rollback procedures - Verification checklist - Timeline estimates Benefits: ✅ Data independent from server instance ✅ Resize storage without rebuilding server ✅ Easy data migration between servers ✅ Better separation of concerns (app vs data) ✅ Simplified backup strategy ✅ Cost-optimized (pay for what you use) Volume Pricing: - 50 GB: ~€2.70/month - 100 GB: ~€5.40/month - 250 GB: ~€13.50/month - Resizable online, no downtime Note: Existing clients require manual migration Follow docs/volume-migration.md for safe migration procedure Closes #18 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-17 21:07:48 +01:00			`server_type = string # e.g., "cx22" (2 vCPU, 4 GB RAM)`
			`location = string # e.g., "fsn1" (Falkenstein), "nbg1" (Nuremberg), "hel1" (Helsinki)`
			`subdomain = string # e.g., "alpha" for alpha.platform.nl`
			`apps = list(string) # e.g., ["zitadel", "nextcloud"]`
			`nextcloud_volume_size = number # Size in GB for Nextcloud data volume (min 10, max 10000)`
Implement OpenTofu infrastructure provisioning (#1) Completed: - ✅ Hetzner Cloud provider configuration - ✅ VPS server provisioning with for_each pattern - ✅ Cloud firewall rules (SSH, HTTP, HTTPS) - ✅ SSH key management - ✅ Outputs for Ansible dynamic inventory - ✅ Variable structure and documentation - ✅ Test server successfully provisioned Deferred: - DNS configuration (commented out, waiting for domain) Files added: - tofu/versions.tf - Provider versions - tofu/variables.tf - Input variable definitions - tofu/main.tf - Core infrastructure resources - tofu/dns.tf - DNS configuration (optional) - tofu/outputs.tf - Outputs for Ansible integration - tofu/terraform.tfvars.example - Configuration template - tofu/README.md - Comprehensive setup guide Closes #1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-27 13:48:42 +01:00			`}))`
			`default = {}`
			`}`

			`# Enable automated snapshots`
			`variable "enable_snapshots" {`
			`description = "Enable automated daily snapshots (20% of server cost)"`
			`type = bool`
			`default = true`
			`}`