071ed083f7
Resolves #14 Each client now gets a dedicated SSH key pair, ensuring that compromise of one client server does not grant access to other client servers. ## Changes ### Infrastructure (OpenTofu) - Replace shared `hcloud_ssh_key.default` with per-client `hcloud_ssh_key.client` - Each client key read from `keys/ssh/<client_name>.pub` - Server recreated with new key (dev server only, acceptable downtime) ### Key Management - Created `keys/ssh/` directory for SSH keys - Added `.gitignore` to protect private keys from git - Generated ED25519 key pair for dev client - Private key gitignored, public key committed ### Scripts - **`scripts/generate-client-keys.sh`** - Generate SSH key pairs for clients - Updated `scripts/deploy-client.sh` to check for client SSH key ### Documentation - **`docs/ssh-key-management.md`** - Complete SSH key management guide - **`keys/ssh/README.md`** - Quick reference for SSH keys directory ### Configuration - Removed `ssh_public_key` variable from `variables.tf` - Updated `terraform.tfvars` to remove shared SSH key reference - Updated `terraform.tfvars.example` with new key generation instructions ## Security Improvements ✅ Client isolation: Each client has dedicated SSH key ✅ Granular rotation: Rotate keys per-client without affecting others ✅ Defense in depth: Minimize blast radius of key compromise ✅ Proper key storage: Private keys gitignored, backups documented ## Testing - ✅ Generated new SSH key for dev client - ✅ Applied OpenTofu changes (server recreated) - ✅ Tested SSH access: `ssh -i keys/ssh/dev root@78.47.191.38` - ✅ Verified key isolation: Old shared key removed from Hetzner ## Migration Notes For existing clients: 1. Generate key: `./scripts/generate-client-keys.sh <client>` 2. Apply OpenTofu: `cd tofu && tofu apply` (will recreate server) 3. Deploy: `./scripts/deploy-client.sh <client>` For new clients: 1. Generate key first 2. Deploy as normal 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
42 lines
1.2 KiB
HCL
42 lines
1.2 KiB
HCL
# Hetzner Cloud API Token
|
|
variable "hcloud_token" {
|
|
description = "Hetzner Cloud API Token (Read & Write)"
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
# Hetzner DNS API Token (can be same as Cloud token)
|
|
variable "hetznerdns_token" {
|
|
description = "Hetzner DNS API Token"
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
|
|
# SSH keys are now per-client, stored in keys/ssh/<client>.pub
|
|
# No global ssh_public_key variable needed
|
|
|
|
# Base Domain (optional - only needed if using DNS)
|
|
variable "base_domain" {
|
|
description = "Base domain for client subdomains (e.g., platform.nl) - leave empty if not using DNS"
|
|
type = string
|
|
default = ""
|
|
}
|
|
|
|
# Client Configurations
|
|
variable "clients" {
|
|
description = "Map of client configurations"
|
|
type = map(object({
|
|
server_type = string # e.g., "cx22" (2 vCPU, 4 GB RAM)
|
|
location = string # e.g., "fsn1" (Falkenstein), "nbg1" (Nuremberg), "hel1" (Helsinki)
|
|
subdomain = string # e.g., "alpha" for alpha.platform.nl
|
|
apps = list(string) # e.g., ["zitadel", "nextcloud"]
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
# Enable automated snapshots
|
|
variable "enable_snapshots" {
|
|
description = "Enable automated daily snapshots (20% of server cost)"
|
|
type = bool
|
|
default = true
|
|
}
|