Go to the Heztner console and clikety on the web interface to get a new instance. Credentials are in tor-passwords.git in hosts-extra-info under hetzner.

Pick the following settings:

  1. Location: depends on the project, a monitoring server might be better in a different location than the other VMs
  2. Image: Debian 9
  3. Type: depends on the project
  4. Volume: only if extra space is required
  5. Additional features: nothing (no user data or backups)
  6. SSH key: enable all configured keys
  7. Name: FQDN picked from the naming-scheme
  8. Create the server

Then, since we actually want our own Debian install, and since we want the root filesystem to be encrypted, continue with:

  1. Continue on Hetzner's web interface, select the server.
  2. ISO-Images: Mount SystemRescueCD (2018-04-02)
  3. open the console (the icon is near the top right)
  4. reboot the system (either using Ctrl-Alt-Del at the console or using the Power tab on the web interface) and it will boot into the rescue system
  5. set a root password in the rescue system
  6. get the ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub output
  7. on your host, ssh-copy-id root@<ipaddr> (find the ip address either on the web interface, or ask ip a)
  8. then copy over /usr/share/keyrings/debian-archive-keyring.gpg and tor-install-hetzner to the new host,
  9. log into the host and run ./tor-install-hetzner (the ipv6 address prefix you find on the web interface. Make it end in ::1.)
  10. once done, note down all the info and poweroff the VM (from the shell is fine)
  11. you might have to kill this terminal since the rescue system has done weird copy-paste settings to your terminal (you will know once the passphrase is not accepted in the initrd when you copy/paste it a few steps down)
  12. unmount the iso (ISO Images tab), start the VM (power tab or top right).
  13. ssh -o FingerprintHash=sha1 root@<ipaddr> to unlock the host, (to compare ssh's base64 output to dropbear's b16, you can use perl -MMIME::Base64 -e '$h = unpack("H*", decode_base64(<>)); $h =~ s/(..)(?=.)/\1:/g; print $h, "\n"' to convert base64 to base16.
  14. ssh root@<ipaddr> to access it once booted and then

Then

  1. Set the reverse DNS using hetzner's website. It's in the networking section for each virtual server. Set both ipv4 and ipv6 reverse entries.
  2. Document the LUKS passphrase and root password in tor-passwords,
  3. follow the rest of new-machine.

To setup autoboot using mandos:

See new-machine-mandos for setting up the mandos client on this host.