HydraBooks

Hetzner Cloud

Pushed by api. Updated 23 Mar 2026.

Primary cloud provider for the Hydra ecosystem. Hosts most infrastructure, manages all DNS zones.

CLI Setup

The hcloud CLI is the primary management tool.

hcloud version    # v1.54+ required for DNS support

Contexts

Each Hetzner project has its own API token, managed as a context. Never use hcloud context use — it modifies the global config and affects all terminals. Instead, use per-terminal environment variables:

# Set exactly one of these, in the terminal where you work on that project
export HCLOUD_CONTEXT=hydraexperiencenet
export HCLOUD_CONTEXT=nimsforest
export HCLOUD_CONTEXT=cederik

Available contexts:

| Context | Project | Primary use |
|---------|---------|-------------|
| hydraexperiencenet | ExperienceNet | Streaming infrastructure, HydraGuard, release server |
| nimsforest | NimsForest | Land servers, NimsForest platform, neoremote |
| cederik | Cederik | Personal sites, Hugo static hosting |

DNS Management

All DNS is managed through Hetzner DNS regardless of where the server lives (including OVHcloud instances).

# List zones
hcloud zone list

# List records for a zone
hcloud zone rrset list <zone>
hcloud zone rrset list <zone> --type A    # Filter by type

# Create A record
hcloud zone rrset create --name <subdomain> --type A --record <ip> <zone>

# Update existing record
hcloud zone rrset set-records --record <ip> <zone> <name> <type>

# Delete record
hcloud zone rrset delete <zone> <name> <type>

Key DNS Zones

| Zone | Zone ID | Context | Nameservers |
|------|---------|---------|-------------|
| experiencenet.com | 788422 | hydraexperiencenet | hydrogen/oxygen/helium.ns.hetzner |
| hydrahardware.io | 788543 | hydraexperiencenet | hydrogen/oxygen/helium.ns.hetzner |
| mynimsforest.com | 986638 | nimsforest | hydrogen/oxygen/helium.ns.hetzner |

All domains use Hetzner nameservers. Domains are registered on Namecheap (user: HaverbekeC) with NS records pointing to Hetzner.

Server Types

| Type | vCPU | RAM | Disk | Use case |
|------|------|-----|------|----------|
| cx22 | 2 | 4 GB | 40 GB | Avoid; use cx23 instead |
| cx23 | 2 | 4 GB | 40 GB | Standard for lightweight services |
| cx32 | 4 | 8 GB | 80 GB | Medium workloads |

Always use cx23 as the minimum (not cx22).

Firewall

Hetzner has two firewall layers:

  1. Hetzner Cloud Firewall: managed via hcloud firewall or the web console. Applied at the network level before traffic reaches the instance.
  2. UFW on the instance: the standard Linux firewall.

Both layers must allow a port for traffic to pass.

When opening a port, check both:

# Hetzner firewall (if applied to the server)
hcloud firewall describe <firewall-name>

# UFW on the instance
ssh root@<ip> 'ufw status'

SSH Access

Two key types are used across Hetzner:

| Key | File | Use |
|-----|------|-----|
| hydra_admin | ~/.ssh/hydra_admin_new.pem | Legacy Hetzner servers |
| neoremote (id_ed25519) | ~/.ssh/id_ed25519 | GitHub + newer servers |

For servers without SSH access, use Hetzner rescue mode:

export HCLOUD_CONTEXT=<context>
hcloud server enable-rescue --ssh-key <key-name> <server>
hcloud server reboot <server>
# SSH in, mount disk, add key to /mnt/root/.ssh/authorized_keys
# Then disable rescue and reboot back to normal
hcloud server disable-rescue <server>
hcloud server reboot <server>
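
The "add key to /mnt/root/.ssh/authorized_keys" step above is where rescue sessions usually go wrong: a private key file gets pasted, the key is appended twice, or the permissions left behind make sshd ignore the file. The following is an added example, not part of the original page; the function names are hypothetical and it assumes the server's root filesystem is mounted at the path passed as the first argument (/mnt in the steps above).

```sh
#!/bin/sh
# Added example (not from the original page): install a public key into a
# root filesystem mounted in rescue mode. Function names are hypothetical.

# Succeeds only for one single-line OpenSSH public key. Rejects multi-line
# input such as a PEM private key pasted by mistake. Lines carrying an
# options prefix (from="...", command="...") are deliberately not accepted.
is_public_key() {
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_key <mount-root> <public-key-line>
# Returns 2 for a bad key, 3 if <mount-root>/root is missing.
install_key() {
    mnt=$1
    key=$2
    dir="$mnt/root/.ssh"
    file="$dir/authorized_keys"

    is_public_key "$key" || { echo "refusing: not a public key line" >&2; return 2; }
    [ -d "$mnt/root" ] || { echo "refusing: $mnt/root not found, is the disk mounted?" >&2; return 3; }

    mkdir -p "$dir" && touch "$file" || return 1
    # If the file lacks a trailing newline, add one so the new key starts its own line.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    # Idempotent: match on "type blob", ignoring the trailing comment field.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    grep -qF -- "$blob" "$file" || printf '%s\n' "$key" >> "$file"

    # With StrictModes (the sshd default), a group- or world-writable .ssh
    # directory or authorized_keys file is ignored, so set both explicitly.
    chmod 700 "$dir" && chmod 600 "$file"
}

# Usage inside the rescue system, with the server disk mounted at /mnt:
#   install_key /mnt "$(cat new_key.pub)"
```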

Key Servers

| Server | IP | Context | Purpose |
|--------|-----|---------|---------|
| hydracluster | 46.224.29.125 | hydraexperiencenet | Node fleet management |
| releases | 46.225.120.7 | hydraexperiencenet | Release file server |
| dashboard | 78.47.174.83 | hydraexperiencenet | hydrastreamingmonitor, hydranorthstar, hydrabodystatus, hydraissue, hydrabooks |
| land-shared-one | 46.225.164.179 | nimsforest | Land server (NimsForest containers) |
| neoremote | neo.nims.nimsforest.com | nimsforest | Headless Claude hub |
| cederik-web | 188.245.221.34 | cederik | Hugo static sites |
| hydraguard (old) | 89.167.57.232 | hydraexperiencenet | Former WireGuard hub (migrated to OVHcloud Brussels) |
| hydraneckwebrtc (old) | 46.225.220.240 | hydraexperiencenet | Former WebRTC relay (migrated to OVHcloud Brussels) |