From 8306229dc1e3e8b168b3ae93f6a0190595f934ee Mon Sep 17 00:00:00 2001
From: Jezza Hehn <jezza.hehn@wikitribune.com>
Date: Mon, 13 Apr 2026 22:22:25 +0000
Subject: [PATCH] Add lock file, example tfvars, fix .gitignore

- Track .terraform.lock.hcl for reproducible provider versions
- Add terraform.tfvars.example as a template for sensitive values
- Fix .gitignore to not exclude lock file
- Add default value for ssh_public_key variable
---
 terraform/.gitignore               |  2 +-
 terraform/.terraform.lock.hcl      | 23 +++++++++++++++++++++++
 terraform/terraform.tfvars.example |  6 ++++++
 terraform/variables.tf             |  1 +
 4 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 terraform/.terraform.lock.hcl
 create mode 100644 terraform/terraform.tfvars.example

diff --git a/terraform/.gitignore b/terraform/.gitignore
index 459b0d2..5ed0055 100644
--- a/terraform/.gitignore
+++ b/terraform/.gitignore
@@ -9,7 +9,7 @@
 *.tfvars.backup
 
 # Local state
-.terraform.lock.hcl
+# (keep .terraform.lock.hcl in version control)
 
 # SSH keys
 *.pem
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..3beca2c
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+  version     = "1.60.1"
+  constraints = "~> 1.47"
+  hashes = [
+    "h1:aFTtCV6KIyK8QpkQrJZfAyjx+GXNVaBm4qN3Vvqmwlc=",
+    "zh:0a746671e3f149b998a2abf730a5401a07305c67f93d5bbfdcf60aa19fdebb4d",
+    "zh:156273b900a006253841727387671dd67c7c5c502998d6a9af5a5abbf5717fdf",
+    "zh:2daa1290c50c081bb6a6cfa76b2872ea9fd9658eb3f2e81deab58b1ee48cf348",
+    "zh:36d6dac96ac6389f35bb1f19f40c4263bf78fa36fa7468971cf646c69eeae663",
+    "zh:5d0040a11470ced3eddf7d3e8e823982f80f8eb127cf285cd351bfc26a4d1108",
+    "zh:60ac7d3d948d7280a6e53088d5c41c444712f05e4274e37b0f4a81da9dcd1edb",
+    "zh:9fe5dd114ebb6f8da0dc9b5485c42d01cd41ed61a6fe2fc92bb3038fe4d708ea",
+    "zh:ae755ea4faca6ee410a397702a2c74f10ea28ec1ab95e1656be7a6f5908d1d23",
+    "zh:b3edcf6ea0f6498bcbdcbac8ec69dfb79278c64c7ea46c3050cd361a603302b0",
+    "zh:c6059fad0c4d2ecc3475c1767779a8e8adfcb1168101aae57ba7783510a24ae2",
+    "zh:dfdeb297e97d5b97b04d16ded3f8ef6779fc22cbd0322a16aeff3b5feee36fe2",
+    "zh:e38d04e7a5d0dbc3858eaa678167b6ec5e73035dae3479c7a61e6d971e58c765",
+    "zh:fd60acd9f16b4eb7b442a557d19294a89f6a8a05f7ca57f4aa689a2a554e74bd",
+  ]
+}
diff --git a/terraform/terraform.tfvars.example b/terraform/terraform.tfvars.example
new file mode 100644
index 0000000..a68c93d
--- /dev/null
+++ b/terraform/terraform.tfvars.example
@@ -0,0 +1,6 @@
+# terraform.tfvars.example
+# Copy this to terraform.tfvars and fill in your values.
+
+hcloud_token     = "your-hetzner-api-token"
+ssh_public_key    = "ssh-ed25519 AAAA... your-key-here"
+ssh_allowed_ips   = ["0.0.0.0/0", "::/0"]
diff --git a/terraform/variables.tf b/terraform/variables.tf
index ddb64dc..3a960a4 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -23,6 +23,7 @@ variable "domain" {
 variable "ssh_public_key" {
   description = "Your SSH public key (contents of ~/.ssh/id_ed25519.pub or similar)."
   type        = string
+  default     = ""
 }
 
 variable "ssh_allowed_ips" {