# hcloud-security

```bash
npx machina-cli add skill danjdewhurst/hcloud-skills/hcloud-security --openclaw
```

## Hetzner Cloud Security
### SSH Keys

#### Create an SSH Key

```bash
hcloud ssh-key create [options] --name <name> (--public-key <key> | --public-key-from-file <file>)
```

| Flag | Description |
|---|---|
| --name | Key name (required) |
| --public-key | Public key string |
| --public-key-from-file | Path to file containing the public key |
| --label | User-defined labels as key=value (repeatable) |
| -o, --output | Output options: json \| yaml |
#### List SSH Keys

```bash
hcloud ssh-key list [options]
```

Columns: id, name, fingerprint, public_key, age, created, labels

| Flag | Description |
|---|---|
| -l, --selector | Filter by label selector |
| -s, --sort | Sort results |
| -o, --output | Output options: noheader \| columns=... \| json \| yaml |
#### Describe an SSH Key

```bash
hcloud ssh-key describe [options] <ssh-key>
```

| Flag | Description |
|---|---|
| -o, --output | Output options: json \| yaml \| format |
#### Delete SSH Keys

```bash
hcloud ssh-key delete <ssh-key>...
```

Accepts one or more SSH keys by name or ID.
#### Update an SSH Key

```bash
hcloud ssh-key update [options] <ssh-key>
```

| Flag | Description |
|---|---|
| --name | New SSH key name |
#### Labels

```bash
hcloud ssh-key add-label [--overwrite] <ssh-key> <label>...
hcloud ssh-key remove-label <ssh-key> (--all | <label>...)
```
### Certificates

#### Create a Certificate (Uploaded)

```bash
hcloud certificate create --name <name> --type uploaded --cert-file <file> --key-file <file>
```

| Flag | Description |
|---|---|
| --name | Certificate name (required) |
| -t, --type | Certificate type: uploaded or managed (default: uploaded) |
| --cert-file | File containing the PEM-encoded certificate (required for uploaded) |
| --key-file | File containing the PEM-encoded private key (required for uploaded) |
| --label | User-defined labels as key=value (repeatable) |
| -o, --output | Output options: json \| yaml |
#### Create a Certificate (Managed)

```bash
hcloud certificate create --name <name> --type managed --domain <domain>
```

| Flag | Description |
|---|---|
| --name | Certificate name (required) |
| -t, --type | Must be managed |
| --domain | Domain the certificate is valid for (repeatable for multiple domains) |
| --label | User-defined labels as key=value (repeatable) |
| -o, --output | Output options: json \| yaml |
#### Retry Managed Certificate Issuance

```bash
hcloud certificate retry <certificate>
```

Retries issuance of a managed certificate whose issuance failed.
#### List Certificates

```bash
hcloud certificate list [options]
```

Columns: id, name, type, domain_names, not_valid_after, not_valid_before, fingerprint, issuance_status, renewal_status, age, created, labels

| Flag | Description |
|---|---|
| -l, --selector | Filter by label selector |
| -s, --sort | Sort results |
| -o, --output | Output options: noheader \| columns=... \| json \| yaml |
#### Describe a Certificate

```bash
hcloud certificate describe [options] <certificate>
```

| Flag | Description |
|---|---|
| -o, --output | Output options: json \| yaml \| format |
#### Delete Certificates

```bash
hcloud certificate delete <certificate>...
```

Accepts one or more certificates by name or ID.
#### Update a Certificate

```bash
hcloud certificate update [options] <certificate>
```

| Flag | Description |
|---|---|
| --name | New certificate name |
#### Labels

```bash
hcloud certificate add-label [--overwrite] <certificate> <label>...
hcloud certificate remove-label <certificate> (--all | <label>...)
```
### Cross-Resource Protection

Protection prevents accidental deletion (and, for servers, rebuild). Enable or disable protection per resource type:

#### Server Protection

```bash
hcloud server enable-protection <server> (delete|rebuild)...
hcloud server disable-protection <server> (delete|rebuild)...
```

Servers support two protection types: delete and rebuild. Specify one or both.
#### Other Resource Protection

Networks, volumes, floating IPs, primary IPs, load balancers, and images support delete protection:

```bash
hcloud network enable-protection <network> delete
hcloud network disable-protection <network> delete
hcloud volume enable-protection <volume> delete
hcloud volume disable-protection <volume> delete
hcloud floating-ip enable-protection <floating-ip> delete
hcloud floating-ip disable-protection <floating-ip> delete
hcloud primary-ip enable-protection <primary-ip> delete
hcloud primary-ip disable-protection <primary-ip> delete
hcloud load-balancer enable-protection <load-balancer> delete
hcloud load-balancer disable-protection <load-balancer> delete
hcloud image enable-protection <image> delete
hcloud image disable-protection <image> delete
```
### Cross-Resource Reverse DNS

Set reverse DNS (PTR) records on resources with public IP addresses. Use --ip to target a specific address when the resource has multiple IPs.

#### Server

```bash
hcloud server set-rdns [--ip <ip>] (--hostname <hostname> | --reset) <server>
```

#### Floating IP

```bash
hcloud floating-ip set-rdns [--ip <ip>] (--hostname <hostname> | --reset) <floating-ip>
```

#### Primary IP

```bash
hcloud primary-ip set-rdns [--ip <ip>] (--hostname <hostname> | --reset) <primary-ip>
```

#### Load Balancer

```bash
hcloud load-balancer set-rdns [--ip <ip>] (--hostname <hostname> | --reset) <load-balancer>
```

#### Reverse DNS Flags

| Flag | Description |
|---|---|
| -i, --ip | IP address for which the reverse DNS entry should be set |
| -r, --hostname | Hostname to set as the reverse DNS PTR entry |
| --reset | Reset the reverse DNS entry to the default value |
### Cross-Resource Labels

All managed resources support labels for organisation and filtering.

#### Add Labels

```bash
hcloud <resource> add-label [--overwrite] <id-or-name> <label>...
```

Labels use key=value format. Use --overwrite (-o) to replace an existing label key.

Supported resources: server, network, volume, floating-ip, primary-ip, load-balancer, firewall, image, ssh-key, certificate, placement-group

#### Remove Labels

```bash
hcloud <resource> remove-label <id-or-name> (--all | <label>...)
```

| Flag | Description |
|---|---|
| -a, --all | Remove all labels from the resource |
#### Filtering by Labels

Use label selectors on any list command to filter results:

```bash
hcloud server list -l env=production
hcloud server list -l 'env=production,team=backend'
hcloud server list -l 'env!=staging'
hcloud network list -l project=myapp
```

#### Labels for Firewall Targeting

Firewalls can target servers by label selector instead of individual server IDs:

```bash
hcloud firewall apply-to-resource --type label_selector --label-selector 'env=production' <firewall>
hcloud firewall remove-from-resource --type label_selector --label-selector 'env=production' <firewall>
```
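To show what the selectors passed to `-l` and `--label-selector` above actually match, here is a small matcher written for this page (it is not part of the skill or the hcloud CLI), run against a constructed sample shaped like `hcloud server list -o json`. It goes beyond the forms the page shows by also accepting bare `key`, `!key`, `key in (a,b)` and `key notin (a,b)`, which the Hetzner Cloud API's label selector grammar also supports; `SERVERS`, `split_terms`, `parse_term` and `select` are names invented here.

```python
import re

# Constructed sample shaped like `hcloud server list -o json`, cut down to the fields used here.
SERVERS = [
    {"name": "web-1", "labels": {"env": "production", "team": "backend"}},
    {"name": "db-1", "labels": {"env": "production"}},
    {"name": "scratch", "labels": {"env": "staging", "team": "backend"}},
    {"name": "builder", "labels": {"team": "ci"}},
]

def split_terms(selector):
    """Split on top-level commas only, so `key in (a,b)` stays one term."""
    terms, cur, depth = [], "", 0
    for ch in selector:
        if ch == "," and depth == 0:
            terms.append(cur)
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    terms.append(cur)
    return [t.strip() for t in terms if t.strip()]

def parse_term(term):
    """Turn one selector term into a predicate over a resource's labels map."""
    m = re.match(r"^([\w./-]+)\s+(in|notin)\s+\((.*)\)$", term)
    if m:
        key, want = m.group(1), m.group(2) == "in"
        vals = {v.strip() for v in m.group(3).split(",")}
        return lambda labels: (labels.get(key) in vals) == want
    if "!=" in term:                      # absent key counts as "not equal",
        key, val = term.split("!=", 1)    # as in Kubernetes-style selectors
        return lambda labels: labels.get(key) != val
    if "=" in term:
        key, val = term.split("=", 1)
        return lambda labels: labels.get(key) == val
    if term.startswith("!"):              # `!key`: label must be absent
        return lambda labels: term[1:] not in labels
    return lambda labels: term in labels  # bare `key`: label must be present

def select(selector, resources=SERVERS):
    """Names of resources the selector matches, as `hcloud ... list -l` would filter them."""
    preds = [parse_term(t) for t in split_terms(selector)]
    return [r["name"] for r in resources if all(p(r.get("labels", {})) for p in preds)]

if __name__ == "__main__":
    for sel in ("env=production", "env=production,team=backend", "env!=staging",
                "env in (production,staging)", "!team"):
        print(f"{sel!r:35} -> {select(sel)}")
```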
### Source

https://github.com/danjdewhurst/hcloud-skills/blob/main/skills/hcloud-security/SKILL.md

## Overview

This skill centralizes security tasks for Hetzner Cloud resources, including SSH keys, TLS/SSL certificates (uploaded or managed), resource protection, reverse DNS, and labeling. It helps enforce policy, streamline audits, and simplify secure deployments across your infrastructure.
## How This Skill Works

The skill uses the Hetzner Cloud CLI to perform create/list/describe/delete/update operations for SSH keys and certificates, including managing labels on each resource. It also covers cross-resource protection to guard against accidental deletion and supports reverse DNS as part of a secure resource workflow.
## When to Use It

- You need to add or rotate an SSH public key across your Hetzner Cloud resources.
- You want to issue, renew, or manage TLS certificates (uploaded or managed) for domains.
- You must prevent accidental deletions of critical resources with protection policies.
- You need to attach reverse DNS records to IPs or servers for proper hostname resolution.
- You want to organize and govern resources using labels across SSH keys, certificates, and other resources.
## Quick Start

- Step 1: `hcloud ssh-key create --name prod-key --public-key <key> --label env=prod`
- Step 2: `hcloud certificate create --name prod-cert --type managed --domain example.com --label env=prod`
- Step 3: Verify governance by listing labeled resources (e.g., `hcloud ssh-key list -o json`, `hcloud certificate list -o json`) and ensure protection and labels are in place.
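A governance check for Step 3, added here as an example and not part of the skill: it reads the JSON that `hcloud server list -o json` and `hcloud certificate list -o json` emit (constructed samples below, with the field names the Hetzner Cloud API uses) and prints the `enable-protection`, `add-label` and `certificate retry` commands needed to bring production resources into policy. `REQUIRED_LABELS` is an assumed site policy, the 30-day expiry window is an assumption, and `TODO` marks a label value an operator must fill in before running the printed command.

```python
import json
from datetime import datetime, timedelta
# Constructed samples in the shape of `hcloud server list -o json` and `hcloud certificate
# list -o json`; field names follow the Hetzner Cloud API, ids/names/dates are invented.
SERVERS_JSON = """[
 {"id": 101, "name": "web-1", "labels": {"env": "production", "team": "backend"},
  "protection": {"delete": true, "rebuild": true}},
 {"id": 102, "name": "db-1", "labels": {"env": "production"},
  "protection": {"delete": false, "rebuild": true}},
 {"id": 103, "name": "scratch", "labels": {"env": "staging"},
  "protection": {"delete": false, "rebuild": false}}]"""
CERTS_JSON = """[
 {"id": 7, "name": "prod-cert", "type": "managed", "domain_names": ["example.com"],
  "not_valid_after": "2030-01-01T00:00:00+00:00",
  "status": {"issuance": "failed", "renewal": "unavailable"}},
 {"id": 8, "name": "legacy-cert", "type": "uploaded", "domain_names": ["old.example.com"],
  "not_valid_after": "2024-06-15T00:00:00+00:00", "status": null}]"""
REQUIRED_LABELS = ("env", "team")  # assumed site policy, not an hcloud rule

def audit_servers(servers):
    """hcloud commands that bring env=production servers into policy."""
    fixes = []
    for s in servers:
        labels = s.get("labels", {})
        if labels.get("env") != "production":
            continue
        missing = [t for t in ("delete", "rebuild") if not s["protection"].get(t)]
        if missing:
            fixes.append(f"hcloud server enable-protection {s['name']} {' '.join(missing)}")
        for key in REQUIRED_LABELS:
            if key not in labels:
                fixes.append(f"hcloud server add-label {s['name']} {key}=TODO")
    return fixes

def audit_certificates(certs, now, warn_days=30):
    """Retry failed managed issuance; flag anything expiring within warn_days."""
    fixes = []
    for c in certs:
        if (c.get("status") or {}).get("issuance") == "failed":  # status is null for uploaded
            fixes.append(f"hcloud certificate retry {c['name']}")
        expires = datetime.fromisoformat(c["not_valid_after"].replace("Z", "+00:00"))
        if expires - now <= timedelta(days=warn_days):
            fixes.append(f"# {c['name']} ({c['type']}) expires {expires.date()}: replace it")
    return fixes

def run_audit(now_iso):  # fixed clock (ISO 8601 with offset) so a run is reproducible
    now = datetime.fromisoformat(now_iso)
    return audit_servers(json.loads(SERVERS_JSON)) + audit_certificates(json.loads(CERTS_JSON), now)

if __name__ == "__main__":
    print("\n".join(run_audit("2024-06-01T00:00:00+00:00")))
```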
## Best Practices

- Use consistent labeling (key=value) across all security resources to simplify filtering and auditing.
- Prefer managed certificates for automated renewal and reduced manual certificate handling.
- Rotate SSH keys regularly and store private keys securely; avoid reusing keys across projects.
- Enable cross-resource protection on production resources to guard against deletion or rebuild actions.
- Export command outputs in JSON or YAML for automated auditing and compliance reporting.
## Example Use Cases

- Create an SSH key for a project, then label it with env=prod and app=myapp for easy filtering.
- Create a managed certificate for example.com and tag it with env=prod and team=security.
- Add labels to SSH keys and certificates and list them with a label selector to audit governance.
- Enable protection on a production server to prevent accidental deletion or rebuild actions.
- Configure reverse DNS for a server's IP and verify the hostname resolution through DNS records.