# Infrastructure

## Why Hetzner

Hetzner Cloud provides the best price-to-performance ratio in Europe for small-scale infrastructure:

- Location: FSN1 (Falkenstein, Germany) -- EU data sovereignty, low latency from Belgium
- x86 and ARM: CX-line (Intel/AMD shared vCPU) and CAX-line (Ampere Altra ARM64)
- Hourly billing: Beast VM costs only when running
- API-first: Full Terraform/OpenTofu provider support
- Private networking: Free VLAN between VMs in the same project
## VM Specifications

### cx33 Hub -- Management Node

| Property | Value |
|---|---|
| Type | cx33 (Intel/AMD, shared vCPU) |
| vCPU | 4 |
| RAM | 8 GB (51% used with full stack) |
| Disk | 80 GB NVMe |
| IPv4 | 91.98.121.97 (static) |
| IPv6 | /64, included |
| Location | FSN1 |
| Monthly | EUR 6.49 |
| Role | K3s server, Rancher, observability |
**RAM Budget (cx33 -- 8 GB, 51% observed)**

| Component | Allocation |
|---|---|
| OS + system | 512 MB |
| K3s server process | 1024 MB |
| Rancher (cattle-system) | 1536 MB |
| VictoriaMetrics | 512 MB |
| Grafana | 256 MB |
| Loki + Alloy | 512 MB |
| vmalert + alertmanager | 128 MB |
| kube-state-metrics + node_exporter | 128 MB |
| WireGuard | 32 MB |
| CrowdSec | 128 MB |
| Observed total | ~4.1 GB (51%) |
| Headroom | ~3.9 GB |
### cx23 DMZ -- Public-Facing Node

| Property | Value |
|---|---|
| Type | cx23 (Intel/AMD, shared vCPU) |
| vCPU | 2 |
| RAM | 4 GB |
| Disk | 40 GB NVMe |
| IPv4 | 178.104.134.113 (static) |
| IPv6 | /64, included |
| Location | FSN1 |
| Monthly | EUR 3.99 |
| Role | K3s agent, Caddy ingress, Authelia, ttyd |
**RAM Budget (cx23 -- 4 GB)**

| Component | Allocation |
|---|---|
| OS + system | 512 MB |
| K3s agent process | 512 MB |
| Caddy reverse proxy | 128 MB |
| Authelia | 128 MB |
| ttyd | 64 MB |
| CrowdSec | 128 MB |
| Alloy (log collector) | 256 MB |
| node_exporter | 64 MB |
| Headroom | ~2.2 GB |
### cx53 Beast -- Ephemeral x86 Dev Node

| Property | Value |
|---|---|
| Type | cx53 (Intel/AMD x86_64, shared vCPU) |
| vCPU | 16 |
| RAM | 32 GB |
| Disk | 160 GB NVMe |
| IPv4 | Dynamic (hourly) |
| Location | FSN1 |
| Hourly | EUR 0.0360 |
| Monthly (40h) | ~EUR 1.44 |
| Role | K3s agent, dev workloads, builds |
**ARM to x86 switch (2026-04-15)**

Originally planned as cax31 (ARM64), switched to cx53 (x86) after the first deployment. The cx53 is cheaper per hour for ephemeral use and eliminates ARM compatibility issues with Docker images. See ADR-009 (revised).

**Beast is cattle, not a pet**

The Beast VM is destroyed and recreated from scratch each time. No persistent state lives on it. See Beast Lifecycle.
## IaC Resource List

All infrastructure is defined in tofu/ using OpenTofu (Terraform-compatible):

| Resource | Type | Purpose |
|---|---|---|
| `hcloud_server.hub` | Server | cx33 management node |
| `hcloud_server.dmz` | Server | cx23 public-facing node |
| `hcloud_server.beast` | Server | cx53 ephemeral dev node |
| `hcloud_network.lron` | Network | Private 10.0.0.0/16 |
| `hcloud_network_subnet.nodes` | Subnet | 10.0.1.0/24 node subnet |
| `hcloud_server_network.hub` | Attachment | Hub -> private network |
| `hcloud_server_network.dmz` | Attachment | DMZ -> private network |
| `hcloud_server_network.beast` | Attachment | Beast -> private network |
| `hcloud_firewall.hub` | Firewall | Hub ingress rules |
| `hcloud_firewall.dmz` | Firewall | DMZ ingress rules |
| `hcloud_firewall.beast` | Firewall | Beast ingress rules |
| `hcloud_ssh_key.deploy` | SSH Key | Deployment key |
| `hetznerdns_zone.vdhome` | DNS Zone | vdhome.be zone |
| `hetznerdns_record.*` | DNS Records | A/AAAA/CNAME records |
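As an added example (not the project's own tofu/ code), the hub node, private network, subnet, attachment and ingress firewall from the table above written in OpenTofu HCL with the hcloud provider. The image, WireGuard port, admin CIDR and private IP are assumptions, and `hcloud_ssh_key.deploy` is assumed to be defined elsewhere in the same module.

```hcl
resource "hcloud_network" "lron" {
  name     = "lron"
  ip_range = "10.0.0.0/16"
}

resource "hcloud_network_subnet" "nodes" {
  network_id   = hcloud_network.lron.id
  type         = "cloud"
  network_zone = "eu-central" # zone containing FSN1
  ip_range     = "10.0.1.0/24"
}

# Hub ingress. Cluster ports (K3s API 6443, kubelet) are never opened publicly:
# agents reach the server over the private VLAN, which hcloud_firewall does not
# filter (it applies to the public interface only).
resource "hcloud_firewall" "hub" {
  name = "hub"
  rule {
    description = "WireGuard (assumed default port)"
    direction   = "in"
    protocol    = "udp"
    port        = "51820"
    source_ips  = ["0.0.0.0/0", "::/0"]
  }
  rule {
    description = "SSH from admin range only (placeholder CIDR)"
    direction   = "in"
    protocol    = "tcp"
    port        = "22"
    source_ips  = ["203.0.113.0/24"]
  }
}

resource "hcloud_server" "hub" {
  name         = "hub"
  server_type  = "cx33"
  image        = "debian-12" # assumed image
  location     = "fsn1"
  ssh_keys     = [hcloud_ssh_key.deploy.id]
  firewall_ids = [hcloud_firewall.hub.id]
}

# Fixed private address in the node subnet; the subnet must exist first.
resource "hcloud_server_network" "hub" {
  server_id  = hcloud_server.hub.id
  network_id = hcloud_network.lron.id
  ip         = "10.0.1.10" # assumed
  depends_on = [hcloud_network_subnet.nodes]
}
```

Because the Hetzner firewall does not filter the private network, anything that must stay cluster-internal is protected by not having a public rule at all, not by a `source_ips` entry for 10.0.1.0/24.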
**State management**

OpenTofu state is stored locally and encrypted with SOPS+age. See Secrets Management.