Description
When setting up a new Hetzner VPS, the default security posture should be:
1. Install Tailscale immediately, bring it up, and confirm SSH works over the VPS's Tailscale address before touching the firewall
2. Lock down the firewall (ufw on the host, optionally mirrored in the Hetzner Cloud Firewall) to default-deny inbound and accept only:
- HTTPS (443) from Cloudflare's published IP ranges (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6); refresh the allowlist periodically, since those ranges change
- SSH (22) only on the Tailscale interface (tailscale0), i.e. from the 100.64.0.0/10 range Tailscale assigns, never from the public address
3. No other inbound access from the public internet; keep the Hetzner console as the break-glass path in case the firewall locks you out
Rationale: A VPS is reachable from the entire internet. By default only the operator should be able to reach it (via Tailscale), and only Cloudflare's edge should be able to reach the web port. Note that an IP allowlist only proves a request came through Cloudflare's network, not through our zone, so pair it with Authenticated Origin Pulls (or a Cloudflare Tunnel, which needs no inbound 443 at all). This should be a standard part of every nimsforest VPS provisioning workflow.
Never expose a VPS directly to the public internet without a proxy like Cloudflare in front.
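The checklist above as a runnable provisioning script (an added example, not nimsforest's own code). It assumes a Debian/Ubuntu host with ufw and curl installed and root privileges; the Cloudflare ranges embedded below are a constructed excerpt so the dry run works offline, and on the VPS the full current lists are fetched from Cloudflare's published URLs. It is split into two phases so that SSH over Tailscale can be verified before the firewall is enabled.

```shell
#!/usr/bin/env bash
# Added example (not nimsforest's provisioning code): Tailscale-only SSH and
# Cloudflare-only HTTPS on a fresh Hetzner VPS using ufw.
# Usage on the VPS:  PHASE=tailscale ./harden.sh   (install, then verify SSH)
#                    PHASE=firewall  ./harden.sh   (apply the rules)
# Without PHASE the script only prints the planned ufw commands.
set -eu

TAILSCALE_IFACE="tailscale0"
TAILSCALE_CGNAT="100.64.0.0/10"     # Tailscale assigns addresses from this range
CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
CF_IPV6_URL="https://www.cloudflare.com/ips-v6"

# Constructed excerpt of Cloudflare's ranges so the dry run works offline;
# the firewall phase fetches the full, current lists from the URLs above.
SAMPLE_CF_V4="173.245.48.0/20
103.21.244.0/22"
SAMPLE_CF_V6="2400:cb00::/32"

fetch_cloudflare_ranges() {
  # $1: URL. Cloudflare publishes one CIDR per line.
  curl -fsS "$1"
}

# Print the ufw commands that implement the policy, one per line, so the plan
# can be reviewed (or tested) before anything touches the host.
ufw_plan() {
  v4="$1"
  v6="$2"
  echo "ufw --force reset"
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # SSH only on the Tailscale interface and only from Tailscale addresses;
  # nothing arriving on the public interface reaches port 22.
  echo "ufw allow in on $TAILSCALE_IFACE from $TAILSCALE_CGNAT to any port 22 proto tcp"
  # HTTPS only from Cloudflare's edge ranges (IPv6 rules need IPV6=yes in
  # /etc/default/ufw, which is the Ubuntu default).
  for cidr in $v4 $v6; do
    echo "ufw allow from $cidr to any port 443 proto tcp"
  done
  echo "ufw --force enable"
}

install_tailscale() {
  # Official installer; 'tailscale up' prints a login URL on first run.
  curl -fsSL https://tailscale.com/install.sh | sh
  tailscale up
}

apply_plan() {
  # Execute each planned command; set -e aborts on the first failure.
  while IFS= read -r cmd; do
    eval "$cmd"
  done
}

case "${PHASE:-plan}" in
  tailscale)
    install_tailscale
    echo "Tailscale IPv4: $(tailscale ip -4)"
    echo "Confirm SSH works over that address from another machine, keep the"
    echo "Hetzner console open as a fallback, then run PHASE=firewall."
    ;;
  firewall)
    ufw_plan "$(fetch_cloudflare_ranges "$CF_IPV4_URL")" \
             "$(fetch_cloudflare_ranges "$CF_IPV6_URL")" | apply_plan
    ufw status verbose
    ;;
  *)
    echo "# dry run (set PHASE=tailscale, then PHASE=firewall, on the VPS):"
    ufw_plan "$SAMPLE_CF_V4" "$SAMPLE_CF_V6"
    ;;
esac
```

Because `ufw_plan` only prints, the rule set can be diffed against the previous run whenever the Cloudflare list is refreshed; `ufw --force reset` at the top of the plan makes each apply idempotent rather than accumulating stale ranges.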
Nebula's reasoning: This is not a bug — it's a security hardening proposal for the VPS provisioning workflow. Moved to nimsforest since that's the infrastructure being discussed. Priority medium because security matters but this is aspirational (current setup with WireGuard/UFW already provides protection). Rewrote the title from a truncated sentence into a clear summary, and restructured the stream-of-consciousness description into a concrete checklist that can be implemented.