Minimal Python (stdlib-only) helper to create a Hetzner Cloud server via the API. It sets up a non-root sudo user, disables root/password SSH, injects SSH keys, and runs a hardening script on first boot.

```
# optional: export HCLOUD_TOKEN=your-token
python provision.py
```

This will:

- Create `devpush` (type `cpx31`, location `hil`, image `ubuntu-24.04`)
- Create your user (defaults to your local login) with passwordless sudo; disable root/password SSH
- Inject your SSH key (auto-detected) or copy the Hetzner key attached to root when using `--ssh-key-name`
- Run `harden.sh` on first boot (UFW, fail2ban, unattended upgrades, SSH hardening) — default on

Requirements:

- Python 3.10+
- Hetzner API token (see Getting a Token below)
- At least one SSH key: `--pubkey` or `--ssh-key-name`

Getting a Token:

- Create a Hetzner Cloud account (if you don't have one):
  - Sign up at https://www.hetzner.com/cloud
- Create a project:
  - Log in to https://console.hetzner.cloud/
  - Click "New Project" and give it a name (e.g., "devpush")
- Generate an API token:
  - In your project, go to "Security" → "API Tokens"
  - Click "Generate API Token"
  - Give it a name (e.g., "devpush-provisioning")
  - Select permissions: "Read & Write" (or at minimum: "Servers" read/write)
  - Copy the token immediately (it's only shown once)
- Use the token:
  - Set `HCLOUD_TOKEN` environment variable: `export HCLOUD_TOKEN=your-token`
  - Or pass via `--token` flag: `python provision.py --token your-token`
  - Or enter it when prompted (input is hidden)

Options:

- `--name` server name (default `devpush`)
- `--type` server type (default `cpx31`)
- `--location` location (default `hil`)
- `--image` image slug (default `ubuntu-24.04`)
- `--user` remote username (default: your local login)
- `--pubkey` path to SSH public key (auto-detected)
- `--ssh-key-name` Hetzner SSH key name/ID to attach (repeatable, uses Hetzner key seeded to root)
- `--firewall` firewall ID to attach
- `--no-harden` skip bundled `harden.sh` (default is hardened)
- `--token` Hetzner API token (or `HCLOUD_TOKEN`)
- `--dry-run` print cloud-init and payload instead of creating
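
The cloud-init and payload that `--dry-run` prints are not reproduced on this page. The following is an added example, not the project's own code, of how such a user-data document and Hetzner `POST /v1/servers` body can be built with the stdlib while rejecting usernames or keys that could inject extra YAML. The function names, the validation regexes and the sample key are assumptions made for illustration.

```python
import json
import re

# Assumed validation rules (not from the project): a conservative username and a
# single-line OpenSSH public key, so neither can break out of the YAML below.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
KEY_RE = re.compile(r"(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( [\w@.+-]+)?")


def build_user_data(user: str, pubkeys: list[str]) -> str:
    """Return #cloud-config creating a key-only sudo user with root/password SSH off."""
    if not USER_RE.fullmatch(user) or user == "root":
        raise ValueError(f"unsafe username: {user!r}")
    if not pubkeys:
        raise ValueError("at least one SSH public key is required")
    for key in pubkeys:
        if not KEY_RE.fullmatch(key):  # fullmatch also rejects embedded newlines
            raise ValueError("not a single-line OpenSSH public key")
    lines = [
        "#cloud-config",
        "ssh_pwauth: false",   # no password logins over SSH
        "disable_root: true",  # cloud-init blocks SSH key login as root
        "users:",
        f"  - name: {user}",
        "    groups: [sudo]",
        "    shell: /bin/bash",
        "    lock_passwd: true",
        "    sudo: 'ALL=(ALL) NOPASSWD:ALL'",
        "    ssh_authorized_keys:",
    ]
    lines += [f"      - {json.dumps(key)}" for key in pubkeys]  # JSON string is valid YAML
    return "\n".join(lines) + "\n"


def build_payload(name, server_type, location, image, user_data, firewall_id=None):
    """Body for POST https://api.hetzner.cloud/v1/servers (built only, never sent)."""
    payload = {"name": name, "server_type": server_type, "location": location,
               "image": image, "user_data": user_data, "start_after_create": True}
    if firewall_id is not None:
        payload["firewalls"] = [{"firewall": int(firewall_id)}]
    return payload


if __name__ == "__main__":
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyOnly0000 me@laptop"  # constructed
    ud = build_user_data("deploy", [key])
    print(json.dumps(build_payload("devpush", "cpx31", "hil", "ubuntu-24.04", ud), indent=2))
```
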