tegwick f977b74edb chore(consistency): sync task status from DB [auto]
Updated by fix-consistency on 2026-05-16:
  - update .custodian-brief.md for railiance-hosts
2026-05-16 05:18:03 +02:00

RailianceHosts

Tagline: Git-driven automation for secure, self-reliant servers.

RailianceHosts is an open-source control repo that provisions and manages servers on Hosteurope and Hetzner Cloud entirely from Git. It combines Terraform for lifecycle management, cloud-init for first-boot configuration, and Ansible for convergence. All secrets live in-repo encrypted with SOPS and are unlocked with your single age master key, which never enters the repo (keep it in your password manager). The minimal server registry in inventory/servers.yaml is the source of truth.

Quickstart

  0. Clone Repo: clone this repository to your workstation.
  1. Prerequisites: terraform >= 1.7, ansible >= 2.16, age, sops.
  2. Secrets Management: generate an age master key, point SOPS at its public recipient, and add your admin SSH public key.
  3. Setup Provider: create a provider account, select a payment option, and create an API token.
  4. Provisioning: plan and apply inventory/servers.yaml with Terraform to create the hosts.
  5. Convergence: harden the hosts and install tooling with Ansible.

🚀 0. Clone Repo

First, clone this repository to your workstation:

git clone https://<your-gitea-host>/coulomb/railiance-infra.git
cd railiance-infra

📦 1. Prerequisites

To use RailianceHosts, make sure you have the following tools installed on your workstation:

Example installation (Ubuntu/Debian)

# System tools
sudo apt update
sudo apt install -y git make ansible
# The distro's ansible package may be older than the required 2.16:
# check `ansible --version` and install a newer ansible-core via pipx/pip if needed.

# Terraform (pinned release; verify the zip against the SHA256SUMS file
# published at the same release URL before installing it)
sudo apt install -y wget unzip
wget https://releases.hashicorp.com/terraform/1.9.5/terraform_1.9.5_linux_amd64.zip
unzip terraform_1.9.5_linux_amd64.zip
sudo mv terraform /usr/local/bin/

# age
sudo apt install -y age

# SOPS: get the latest release (example: v3.10.2; check GitHub for updates)
wget https://github.com/getsops/sops/releases/download/v3.10.2/sops_3.10.2_amd64.deb
sudo apt install -y ./sops_3.10.2_amd64.deb
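As an added example (not the project's own tooling), the following shell script checks the installed tools against the minimums stated above and verifies the downloaded Terraform archive against HashiCorp's SHA256SUMS file, which is published next to the zip at the same release URL (fetch it over HTTPS; its detached .sig can additionally be verified with HashiCorp's PGP key). The 1.9.5 file names are the README's; the function names and the version-parsing are this example's own.

```shell
#!/bin/sh
# Added example (not part of the RailianceHosts repo): check the workstation
# against the README's minimums and verify the Terraform download before
# moving the binary into PATH. Tool names and the 1.9.5 file names come from
# the README; everything else here is this example's own convention.
set -eu

# version_ge HAVE MIN: succeed when dotted version HAVE >= MIN, comparing the
# first three numeric components (absent components count as 0).
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s.0.0' "$1" | cut -d. -f"$i" | tr -cd '0-9'); x=${x:-0}
    y=$(printf '%s.0.0' "$2" | cut -d. -f"$i" | tr -cd '0-9'); y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# tool_version NAME: print the installed version (empty if not installed).
# "terraform version" prints "Terraform vX.Y.Z"; "ansible --version" prints
# "ansible [core X.Y.Z]" (older releases: "ansible X.Y.Z").
tool_version() {
  case "$1" in
    terraform) terraform version 2>/dev/null | sed -n '1s/^Terraform v//p' ;;
    ansible)   ansible --version 2>/dev/null | sed -n '1{s/.*core //;s/^ansible //;s/[^0-9.].*//;p;}' ;;
    *) return 1 ;;
  esac
}

# check_minimums: compare installed versions with the README minimums
# (terraform >= 1.7, ansible >= 2.16); nonzero if anything is missing or old.
check_minimums() {
  status=0
  for spec in terraform:1.7 ansible:2.16; do
    tool=${spec%%:*}; min=${spec#*:}
    have=$(tool_version "$tool")
    if [ -z "$have" ]; then
      echo "MISSING  $tool (need >= $min)"; status=1
    elif version_ge "$have" "$min"; then
      echo "OK       $tool $have"
    else
      echo "TOO OLD  $tool $have (need >= $min; distro packages lag, use pipx/pip or the vendor release)"; status=1
    fi
  done
  return $status
}

# verify_sha256 FILE SUMS: compare FILE's SHA-256 with the entry for its
# basename in SUMS ("<hash>  <name>" lines, as in terraform_<ver>_SHA256SUMS).
verify_sha256() {
  file=$1; sums=$2
  expected=$(awk -v f="$(basename "$file")" '$2 == f {print $1}' "$sums")
  [ -n "$expected" ] || { echo "no checksum for $file in $sums" >&2; return 1; }
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $file" >&2; return 1; }
  return 0
}

# Usage when run directly: report prerequisite status, then (if both files were
# downloaded into the current directory) verify the Terraform zip.
main() {
  check_minimums || echo "prerequisites incomplete, see above" >&2
  if [ -f terraform_1.9.5_linux_amd64.zip ] && [ -f terraform_1.9.5_SHA256SUMS ]; then
    verify_sha256 terraform_1.9.5_linux_amd64.zip terraform_1.9.5_SHA256SUMS && echo "terraform zip checksum OK"
  fi
}
main
```

Run it after the install block, before `sudo mv terraform /usr/local/bin/`: with the zip and the SHA256SUMS file in the current directory it refuses a tampered or truncated archive, and it flags a distro ansible older than 2.16 so you replace it before convergence rather than discovering it mid-playbook.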

🔑 2. Secrets Management

Generate Age Masterkey and establish SOPS

This project uses SOPS with age for secret encryption.
To set up your own key and configure SOPS, follow the guide here:

➡️ Managing Age Keys

SSH Access Preparations

Learn how to add your SSH key and test connectivity after provisioning:

➡️ SSH Access & Connectivity Test

TL;DR

  • put your SSH public key (never the private key) into keys/admin_ssh.pub

💻 3. Setup Provider

You need to register an account with the provider and set it up for API access:

  • register an account
  • choose a payment method
  • generate an API token
  • store the token only SOPS-encrypted under secrets/ (the repo keeps the Hetzner API token there); never commit it in plaintext
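The following shell functions are an added example for sections 2 and 3, not code from the repo: they create the age master key outside the repository, render a .sops.yaml that encrypts everything under secrets/, encrypt the provider token into secrets/, and give the repo's pre-commit hook a check that nothing under secrets/ is plaintext and that keys/admin_ssh.pub holds exactly one public key. The creation rule, the secrets/hetzner.yaml file name, the hcloud_token key and the HCLOUD_TOKEN variable are assumptions; the repo's real .sops.yaml is not shown on this page.

```shell
#!/bin/sh
# Added example, not code from the RailianceHosts repo: local secret hygiene
# around the README's age + SOPS setup. Paths (secrets/, keys/admin_ssh.pub,
# .sops.yaml) follow the repo layout; the rule contents and the
# secrets/hetzner.yaml / hcloud_token / HCLOUD_TOKEN names are assumptions.
set -eu

# new_master_key: generate the age master key in SOPS's default key file
# (never inside the repo) and print only the public recipient (age1...).
new_master_key() {
  command -v age-keygen >/dev/null || { echo "age-keygen not installed" >&2; return 1; }
  keyfile=${SOPS_AGE_KEY_FILE:-$HOME/.config/sops/age/keys.txt}
  [ -e "$keyfile" ] && { echo "refusing to overwrite $keyfile" >&2; return 1; }
  mkdir -p "$(dirname "$keyfile")"
  (umask 077; age-keygen -o "$keyfile")
  age-keygen -y "$keyfile"
}

# render_sops_config RECIPIENT: a .sops.yaml whose single rule encrypts every
# YAML/JSON/env file under secrets/ to the given age recipient.
render_sops_config() {
  cat <<EOF
creation_rules:
  - path_regex: ^secrets/.*\\.(ya?ml|json|env)\$
    age: $1
EOF
}

# encrypt_secret FILE: encrypt FILE in place using the matching creation rule.
encrypt_secret() {
  command -v sops >/dev/null || { echo "sops not installed" >&2; return 1; }
  sops --encrypt --in-place "$1"
}

# is_sops_encrypted FILE: true when FILE carries SOPS metadata, an encrypted
# MAC and at least one ENC[AES256_GCM,...] value (YAML or JSON output).
is_sops_encrypted() {
  grep -Eq '^sops:|"sops":' "$1" || return 1
  grep -Eq 'mac"?: "?ENC\[' "$1" || return 1
  grep -q 'ENC\[AES256_GCM,data:' "$1" || return 1
  return 0
}

# check_secrets_dir DIR: fail, listing offenders, if any file in DIR is not
# SOPS-encrypted. Meant for the repo's pre-commit hook.
check_secrets_dir() {
  bad=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if ! is_sops_encrypted "$f"; then echo "PLAINTEXT: $f" >&2; bad=1; fi
  done
  return $bad
}

# validate_admin_pubkey FILE: exactly one OpenSSH public-key line and no
# private-key material (a format check; ssh-keygen -lf also parses the key).
validate_admin_pubkey() {
  [ -f "$1" ] || { echo "missing $1" >&2; return 1; }
  if grep -q 'PRIVATE KEY' "$1"; then echo "$1 contains private key material" >&2; return 1; fi
  [ "$(grep -c . "$1")" -eq 1 ] || { echo "$1 must hold exactly one key" >&2; return 1; }
  grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$1" || return 1
  return 0
}

# Usage from the repo root (HCLOUD_TOKEN holds the token from the provider):
#   sh secrets-hygiene.sh demo
if [ "${1:-}" = demo ]; then
  render_sops_config "$(new_master_key)" > .sops.yaml
  mkdir -p secrets
  (umask 077; printf 'hcloud_token: %s\n' "$HCLOUD_TOKEN" > secrets/hetzner.yaml)
  encrypt_secret secrets/hetzner.yaml
  check_secrets_dir secrets && validate_admin_pubkey keys/admin_ssh.pub && echo "secrets and admin key OK"
fi
```

Wire check_secrets_dir and validate_admin_pubkey into the pre-commit hook so a plaintext token or a mistakenly copied private key is rejected before it reaches history; once committed, a leaked token has to be rotated at the provider, not just deleted from the tree.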

🚀 4. Provisioning

How to declare hosts and bring them up on Hetzner:

➡️ Provisioning Servers

TL;DR

  • Define servers in inventory/servers.yaml (name, region, type, image, ssh_user, labels/role); this file is the source of truth.
  • Provision with make tf-apply (or make apply to also run Ansible).
  • One-shot helper: scripts/hcloud_new_server.sh --type ... --region ....

💻 5. Convergence

After provisioning a server with Terraform, RailianceHosts uses Ansible to converge hosts into a secure, baseline state.
This includes admin user setup, SSH hardening, firewall rules, essential tooling, and secret handling.

📖 See the full guide here: Convergence Documentation
