Debian 13 Trixie - encrypted root on Hetzner

Hetzner doesn't provide on-demand KVM access for its dedicated servers, but it does provide a rescue system and the installimage tool, which installs a base OS image with customisations (source: https://github.com/hetzneronline/installimage). Among other cloud-init-like features the script supports partitioning (including software RAID and LUKS), copying an SSH public key to the new system, and running a post-install script, which we will use to add an RFC 3442 dhclient hook and set up dropbear. The hook matters because Hetzner hands out the default gateway as a DHCP classless static route (the gateway is not inside the server's subnet); without it the initramfs obtains an address but no usable route, and dropbear is unreachable.

From Hetzner Robot (robot.hetzner.com) select your server, enable the rescue system (selecting your SSH key), and reboot the server.

When you SSH into the server (as root) you will be presented with a summary of the hardware, for example:

Hardware data:

   CPU1: AMD Ryzen 5 3600 6-Core Processor (Cores 12)
   Memory:  64244 MB (Non-ECC)
   Disk /dev/nvme0n1: 512 GB (=> 476 GiB) 
   Disk /dev/nvme1n1: 512 GB (=> 476 GiB) 
   Total capacity 953 GiB with 2 Disks

Network data:
   eth0  LINK: yes
         MAC:  a8:a1:59:2f:ee:80
         IP:   168.119.10.22
         IPv6: 2a01:4f8:242:4090::2/64
         Intel(R) Gigabit Ethernet Network Driver

Take note of the disk devices as you will need these to configure partitioning.

Using echo, vi, nano, etc., add your public SSH key to /tmp/authorized_keys (one key per line):

ssh-ed25519 AAAAD3NzaC1lZDI1NTE5AAAAIAYz28KpTEiOOGqxW4oJrONv92n3w9nmBdo5ACNo/vm int16h@shuttle

Then create /tmp/debian.conf:

CRYPTPASSWORD yourverygoodpassword

DRIVE1 /dev/nvme0n1
DRIVE2 /dev/nvme1n1

SWRAID 1
SWRAIDLEVEL 1

BOOTLOADER grub
HOSTNAME voyager

PART /boot ext4 2G
PART lvm pve all crypt

LV pve root / ext4 100G
LV pve swap swap swap 8G

IMAGE /root/images/Debian-1300-trixie-amd64-base.tar.gz

SSHKEYS_URL /tmp/authorized_keys

This creates a software RAID 1 array across the two disks, a plain (unencrypted) /boot partition that GRUB can read, a LUKS-encrypted partition holding the LVM volume group pve, and two logical volumes in that group for root and swap (swap inside LUKS means no plaintext pages land on disk). It also pulls in the base OS image (check the contents of /root/images/ for the current releases, or use Debian-stable-amd64-base.tar.gz) and our authorized_keys file, which can alternatively be supplied over an HTTP URL. Note that CRYPTPASSWORD sits in plaintext in /tmp/debian.conf; installimage also leaves a copy of its config and a log on the new system as /installimage.conf and /installimage.debug, so check both for the passphrase once booted and, if it is there, delete the line and consider rotating the passphrase with cryptsetup luksChangeKey.

The installimage script supports running a post-install script via the -x option; the script is executed inside a chroot of the freshly installed system, so package installs and initramfs rebuilds apply to the new install. We will use it to set up the DHCP hook and dropbear in /tmp/post-install.sh:

#!/bin/bash
# Executed by installimage -x inside the chroot of the newly installed system.
set -e

# Ship the dhclient RFC 3442 exit hook into the initramfs so the classless
# static route Hetzner uses for the gateway is applied before dropbear starts.
add_rfc3442_hook() {
  cat << EOF > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh

PREREQ=""

prereqs()
{
        echo "\$PREREQ"
}

case \$1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

# Nothing to do if the ISC DHCP client is not installed
if [ ! -x /sbin/dhclient ]; then
        exit 0
fi

. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions

mkdir -p \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
EOF

chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}


# Install RFC 3442 hook
add_rfc3442_hook

# Copy the public SSH key for dropbear. Debian 12 and later read
# /etc/dropbear/initramfs/ (the old /etc/dropbear-initramfs path is obsolete).
mkdir -p /etc/dropbear/initramfs
cp -a /root/.ssh/authorized_keys /etc/dropbear/initramfs/authorized_keys
chmod 600 /etc/dropbear/initramfs/authorized_keys

# Install dropbear and the cryptsetup initramfs integration; the package
# triggers regenerate the initramfs with the hook and key above.
apt-get update >/dev/null
DEBIAN_FRONTEND=noninteractive apt-get -y install cryptsetup-initramfs dropbear-initramfs

# Rebuild every initramfs explicitly so nothing depends on trigger ordering.
update-initramfs -u -k all

Next we make the post-install script executable and install the image:

chmod +x /tmp/post-install.sh
installimage -a -c /tmp/debian.conf -x /tmp/post-install.sh

This installs the image in automatic mode with our config file and post-install script. A full list of command-line options can be seen at https://github.com/hetzneronline/installimage/blob/master/get_options.sh
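The post-install script above leaves dropbear with its defaults: port 22, and an authorized key that may open a full shell and port forwards inside the initramfs. The script below is an added example (not from the original post and not part of installimage) of lines you can append to /tmp/post-install.sh: it restricts every key to running cryptroot-unlock, moves dropbear to port 2222 with password logins and forwarding disabled, rebuilds the initramfs, checks that the dropbear, rfc3442 and cryptroot pieces actually landed in it, and prints the initramfs host key so the client can pin it before the first reboot. It assumes the Debian 12+ dropbear-initramfs layout (/etc/dropbear/initramfs/ with dropbear.conf), the dropbear options -p/-s/-j/-k/-I and its authorized_keys restriction syntax, and that cryptroot-unlock is on PATH inside the initramfs; the port number and the 120 s idle timeout are choices, not requirements.

```shell
#!/bin/bash
# Added example (not from the original post): harden the initramfs dropbear
# set up by the post-install script. Assumes Debian 12+ paths and dropbear
# options -p/-s/-j/-k/-I; port and idle timeout are arbitrary choices.
set -eu

DROPBEAR_DIR=/etc/dropbear/initramfs
UNLOCK_PORT=2222   # own port: the initramfs key then never collides with sshd's known_hosts entry

# Prefix a public key with dropbear authorized_keys options so the key can
# only run cryptroot-unlock and cannot open forwards or agent channels.
restrict_key() {
    local key="$1"
    printf 'command="cryptroot-unlock",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$key"
}

# Build the DROPBEAR_OPTIONS line: custom port (-p), no password auth (-s),
# no local/remote forwarding (-j/-k), drop idle sessions after 120 s (-I).
dropbear_options() {
    printf 'DROPBEAR_OPTIONS="-p %s -s -j -k -I 120"\n' "$1"
}

# Rewrite the authorized_keys file: one restricted entry per key, skipping
# blank lines and comments, readable by root only.
install_restricted_keys() {
    local src="$1" dst="$2" line
    : > "$dst"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        restrict_key "$line" >> "$dst"
    done < "$src"
    chmod 600 "$dst"
}

harden_initramfs_dropbear() {
    mkdir -p "$DROPBEAR_DIR"
    install_restricted_keys /root/.ssh/authorized_keys "$DROPBEAR_DIR/authorized_keys"
    dropbear_options "$UNLOCK_PORT" > "$DROPBEAR_DIR/dropbear.conf"
    update-initramfs -u -k all
    # Print the initramfs host key(s): the client pins these under an alias.
    for k in "$DROPBEAR_DIR"/dropbear_*_host_key; do
        dropbearkey -y -f "$k" | grep -E '^(ssh-|ecdsa-)'
    done
    # Confirm the hook, dropbear and cryptroot-unlock are in every initramfs.
    for img in /boot/initrd.img-*; do
        lsinitramfs "$img" | grep -E 'dropbear|rfc3442|cryptroot-unlock' \
            || echo "WARNING: $img lacks dropbear/rfc3442/cryptroot bits"
    done
}

# Only touch the system when invoked as "post-install-hardening.sh apply";
# without an argument the functions are merely defined.
if [ "${1:-}" = apply ]; then
    harden_initramfs_dropbear
fi
```

Keep the printed ssh-ed25519 line from the installimage output: it is the initramfs host key your client should pin. Because the key is now limited to cryptroot-unlock, connect with ssh -t so the passphrase prompt gets a terminal.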

After installation, reboot the server and ssh into it as root. You will land in the dropbear initramfs environment (a minimal busybox shell) where you can unlock the encrypted partition:

cryptroot-unlock

You will be prompted for the passphrase; the LUKS container is opened, the SSH session ends, and booting resumes.

The initramfs dropbear has its own host key, distinct from the OpenSSH key of the installed system, so when you ssh back in after boot your client will warn that the host key has changed. Avoid getting into the habit of commenting out the host in ~/.ssh/known_hosts at every boot: a "host key changed" warning during the unlock is exactly what a man-in-the-middle capturing your passphrase would look like. Instead, run dropbear on a different port (DROPBEAR_OPTIONS in /etc/dropbear/initramfs/dropbear.conf, so OpenSSH stores the entry as [host]:port) or give it a HostKeyAlias in your ssh config, so both keys coexist in known_hosts. If you do remove the entry this once, verify the new OpenSSH fingerprint against /etc/ssh/ssh_host_*_key.pub before accepting it; you should now be in Debian proper rather than dropbear+initramfs.
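The known_hosts clash is best handled on the client by pinning the initramfs host key under its own alias. The script below is an added example (not from the original post) for the client machine: it turns the output of dropbearkey -y -f captured during installation into a known_hosts entry under a HostKeyAlias, runs cryptroot-unlock over ssh with StrictHostKeyChecking=yes, and then waits for the real sshd to come back, which is verified against the normal host entry. It assumes dropbear listens on port 2222 (the page's setup uses the default port 22; set UNLOCK_PORT to match), uses the address 168.119.10.22 from the hardware summary as the default target, and the embedded dropbearkey output is a constructed sample with placeholder key material.

```shell
#!/bin/bash
# Added example (not from the original post): client-side unlock helper that
# pins the initramfs dropbear host key under an alias. Assumes dropbear on
# port 2222 and that the key line was captured with `dropbearkey -y -f`.
set -eu

SERVER=${SERVER:-168.119.10.22}          # address from the rescue-system summary
UNLOCK_PORT=${UNLOCK_PORT:-2222}
KEY_ALIAS=${KEY_ALIAS:-voyager-initramfs}
KNOWN_HOSTS=${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}

# Constructed sample of what `dropbearkey -y -f dropbear_ed25519_host_key`
# prints; the key material is a placeholder, not a real key.
SAMPLE_DROPBEARKEY_OUTPUT='Public key portion is:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExample root@voyager
Fingerprint: SHA256:exampleexampleexampleexampleexampleexampleA'

# Extract "type base64" from dropbearkey -y output (first key line only).
host_key_from_dropbearkey() {
    printf '%s\n' "$1" | awk '$1 ~ /^(ssh-|ecdsa-)/ { print $1, $2; exit }'
}

# Build a known_hosts line that pins the key under KEY_ALIAS. With HostKeyAlias
# OpenSSH looks this alias up instead of [host]:port, so the initramfs key and
# the real sshd key never compete for the same entry.
known_hosts_entry() {
    local alias="$1" dropbearkey_output="$2" key
    key=$(host_key_from_dropbearkey "$dropbearkey_output")
    [ -n "$key" ] || return 1
    printf '%s %s\n' "$alias" "$key"
}

# Append the pinned entry unless it is already present.
pin_initramfs_key() {
    local entry
    entry=$(known_hosts_entry "$KEY_ALIAS" "$1")
    grep -qxF "$entry" "$KNOWN_HOSTS" 2>/dev/null || printf '%s\n' "$entry" >> "$KNOWN_HOSTS"
}

# Wait until host:port accepts TCP connections (bash /dev/tcp, no nc needed).
wait_for_port() {
    local host="$1" port="$2" tries="${3:-60}"
    while [ "$tries" -gt 0 ]; do
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then return 0; fi
        tries=$((tries - 1)); sleep 2
    done
    return 1
}

# Unlock with strict checking against the alias only. The passphrase is typed
# on the forced pty (-t); it is never placed on the command line or in a file.
unlock() {
    wait_for_port "$SERVER" "$UNLOCK_PORT"
    ssh -t -p "$UNLOCK_PORT" \
        -o HostKeyAlias="$KEY_ALIAS" \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes \
        root@"$SERVER" cryptroot-unlock
    # The initramfs hands over to the real system; wait for OpenSSH, which is
    # checked against the ordinary known_hosts entry for the server.
    wait_for_port "$SERVER" 22
}

# usage: unlock.sh pin [file-with-dropbearkey-output]   (reads stdin if no file)
#        unlock.sh unlock
case "${1:-}" in
    pin)    pin_initramfs_key "$(cat "${2:-/dev/stdin}")" ;;
    unlock) unlock ;;
esac
```

Run it once with pin, feeding the ssh-ed25519 line saved from the installation output, then use unlock at every boot. If the alias entry ever mismatches, do not delete it: that is the moment to stop and check what is answering on the unlock port.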

From here you can convert your encrypted Debian system into a Proxmox VE system :)


Written for Cryogenix by int16h