Initial commit - Clean public release

Sanitized for public release:
- Removed all API keys, tokens, and secrets
- Removed personal Discord IDs from hermes-openclaw.json
- Updated git URLs to be generic placeholders
- All sensitive data uses environment variable interpolation

hetzner.tf

@@ -0,0 +1,124 @@
+# Hetzner Cloud Provider Resources
+# Conditionally created when var.cloud_provider == "hetzner"
+
+# =============================================================================
+# SSH KEY DATA SOURCE
+# =============================================================================
+
+data "hcloud_ssh_key" "keys" {
+  for_each = toset(var.ssh_key_names)
+  name     = each.key
+}
+
+# =============================================================================
+# NETWORK (Optional - for multi-server deployments)
+# =============================================================================
+
+resource "hcloud_network" "agent" {
+  count = var.create_network && local.is_hetzner ? 1 : 0
+
+  name      = "${var.server_name}-network"
+  ip_range  = var.network_ip_range
+}
+
+resource "hcloud_network_subnet" "agent" {
+  count = var.create_network && local.is_hetzner ? 1 : 0
+
+  network_id   = hcloud_network.agent[0].id
+  type         = "cloud"
+  network_zone = var.network_zone
+  ip_range     = cidrsubnet(var.network_ip_range, 8, 0)
+}
+
+# =============================================================================
+# FIREWALL
+# =============================================================================
+
+resource "hcloud_firewall" "agent" {
+  count = local.is_hetzner ? 1 : 0
+
+  name = "${var.server_name}-firewall"
+
+  # Inbound: SSH only
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = tostring(var.ssh_port)
+    source_ips = var.ssh_allowed_ips
+  }
+
+  # Outbound: Allow all
+  rule {
+    direction       = "out"
+    protocol        = "tcp"
+    port            = "1-65535"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction       = "out"
+    protocol        = "udp"
+    port            = "1-65535"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+
+  rule {
+    direction       = "out"
+    protocol        = "icmp"
+    destination_ips = ["0.0.0.0/0", "::/0"]
+  }
+}
+
+# =============================================================================
+# SERVER
+# =============================================================================
+
+resource "hcloud_server" "agent" {
+  count = local.is_hetzner ? 1 : 0
+
+  name        = var.server_name
+  image       = var.server_image
+  server_type = var.server_type_hetzner
+  location    = var.location_hetzner
+
+  ssh_keys = [for key in data.hcloud_ssh_key.keys : key.id]
+
+  # Network attachment (if enabled)
+  dynamic "network" {
+    for_each = var.create_network ? [1] : []
+    content {
+      network_id = hcloud_network.agent[0].id
+    }
+  }
+
+  # Labels for organization
+  labels = {
+    project     = var.project_name
+    environment = var.environment
+    framework   = var.agent_framework
+    managed     = "terraform"
+  }
+
+  # Firewall attachment
+  firewall_ids = [hcloud_firewall.agent[0].id]
+
+  # Cloud-init user data
+  user_data = local.userdata
+
+  # Public IPv4 and IPv6 (enabled by default)
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+}
+
+# =============================================================================
+# FIREWALL ATTACHMENT (Reference)
+# =============================================================================
+
+resource "hcloud_firewall_attachment" "agent" {
+  count = local.is_hetzner ? 1 : 0
+
+  firewall_id = hcloud_firewall.agent[0].id
+  server_ids  = [hcloud_server.agent[0].id]
+}