AI-powered content curation and publishing infrastructure.
hetzner-setup.sh — provisions a fully hardened Ubuntu server accessible only via Tailscale. No SSH exposed on public IP.
Connection stack: Tailscale + Mosh/SSH + Termius + sshid.io hardware keys
What you get:
- Ubuntu 24.04 with unattended security upgrades (auto-reboot at 02:00)
- Tailscale mesh VPN (private SSH + Mosh access)
- Docker Engine + Compose plugin
- Mosh, curl, jq, tmux, git
- Hetzner HW firewall (80/443 only, no public SSH)
- UFW: Cloudflare-only HTTP/S (default) + all traffic on tailscale0
- SSH bound to Tailscale IP only (key-only, no root, no passwords)
- fail2ban, sysctl hardening, 180-day log retention
- sshid.io hardware keys for Termius mobile access
- Ephemeral Tailscale node (auto-removed on server destroy)
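
A check for the SSH items in the list above (bound to the Tailscale IP, key-only, no root, no passwords), as an added example that is not part of hetzner-setup.sh: it reads `sshd -T` output on stdin and prints each setting that does not match. The function names, the 100.64.0.0/10 IPv4 test for a Tailscale address, and the inclusion of `kbdinteractiveauthentication` are assumptions of this example.

```sh
# Added example (not from hetzner-setup.sh). Usage on the server:
#   sudo sshd -T | audit_sshd

# Succeeds if $1 is an IPv4 address in 100.64.0.0/10, the range Tailscale
# assigns node addresses from (assumption: IPv4 only, no Tailscale IPv6).
is_tailscale_ip() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] &&
    [ "$3" -le 255 ] && [ "$4" -le 255 ]
}

# Reads "key value" lines (sshd -T prints keys in lowercase) from stdin.
# Prints one FAIL line per mismatch and returns 1 if there was any.
audit_sshd() {
  fails=0; listen=0; seen=" "
  while read -r key val; do
    case "$key" in
      listenaddress)
        listen=1
        # Strip the trailing :port before testing the address.
        is_tailscale_ip "${val%:*}" ||
          { echo "FAIL: sshd listens on $val, not a Tailscale address"; fails=1; }
        continue ;;
      passwordauthentication|permitrootlogin|kbdinteractiveauthentication)
        want=no ;;
      pubkeyauthentication)
        want=yes ;;
      *) continue ;;
    esac
    seen="$seen$key "
    [ "$val" = "$want" ] ||
      { echo "FAIL: $key is '$val', expected '$want'"; fails=1; }
  done
  [ "$listen" -eq 1 ] || { echo "FAIL: no listenaddress line in input"; fails=1; }
  for key in passwordauthentication permitrootlogin pubkeyauthentication \
             kbdinteractiveauthentication; do
    case "$seen" in
      *" $key "*) ;;
      *) echo "FAIL: $key missing from input"; fails=1 ;;
    esac
  done
  return "$fails"
}
```

A wildcard listener such as `0.0.0.0:22` or `[::]:22` is reported as a failure, since it means sshd is not restricted to the Tailscale interface address.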