chore(nix): infra polish — bake cc-ci IP, mark stale Incus config, park nginx vhost

- SSH config: replace REPLACE_WITH_CC_CI_HETZNER_TAILNET_IP placeholder with
  the real tailnet IP 100.95.31.88 (so a fresh re-provision is correct).
- nix/configuration.nix + nix/README.md: mark HISTORICAL/dead (old Incus VM,
  superseded by the Hetzner host) to prevent a wrong-host deploy.
- nginx oc.commoninternet.net vhost: note it's PARKED alongside opencode-web
  (kept for one-step re-enable, not deleted).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

nix/README.md

@@ -1,5 +1,10 @@
 # cc-ci-orchestrator
 
+> ⚠️ **HISTORICAL.** This README describes the retired **Incus VM** (`100.116.55.106`). The
+> orchestrator now runs on **Hetzner** — the live host config is
+> `nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix`. See
+> `cc-ci-plan/plan-orchestrator-hetzner-migration.md` for the current setup. Kept for history.
+
 NixOS config for the **`cc-ci-orchestrator`** Incus VM (b1, project `terraform-ci`, tailnet
 `100.116.55.106`) — the reboot-resilient host for the cc-ci Builder/Adversary loops + watchdog +
 orchestrator session, moved off the unstable 905 MiB Pi.

nix/configuration.nix

@@ -1,3 +1,9 @@
+# ⚠️ HISTORICAL / DEAD CONFIG — DO NOT DEPLOY. (superseded 2026-05-31)
+# This is the OLD Incus VM (`cc-ci-orchestrator`, tailnet 100.116.55.106) config. The orchestrator
+# now runs on Hetzner — the LIVE config is nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix.
+# Kept only for historical comparison; it runs loops as root and hard-codes the dead cc-ci IP.
+# Delete once the old Incus VM is torn down.
+#
 # cc-ci-orchestrator VM — NixOS config (channel-based: nixos-24.11; deployed to /etc/nixos/configuration.nix)
 #
 # Purpose: a reboot-resilient host for the cc-ci Builder/Adversary loops + watchdog + the orchestrator

nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix

@@ -79,14 +79,14 @@
     "/home/loops/.local/bin:/run/current-system/sw/bin:/run/wrappers/bin:/usr/bin:/bin";
 
   # SSH config for the loops user — points to the cc-ci Hetzner server via tailnet.
-  # HostName is updated post-cutover to the Hetzner cc-ci tailnet IP.
+  # HostName is the Hetzner cc-ci server's tailnet IP (cutover settled 2026-05-31).
   system.activationScripts.loopsSshConfig = ''
     mkdir -p /home/loops/.ssh && chown loops:users /home/loops/.ssh && chmod 700 /home/loops/.ssh
     # Only write if not already present (preserves manual customisation).
     if [ ! -f /home/loops/.ssh/config ]; then
       cat > /home/loops/.ssh/config <<'SSHCFG'
 Host cc-ci
-    HostName REPLACE_WITH_CC_CI_HETZNER_TAILNET_IP
+    HostName 100.95.31.88
     User root
     IdentityFile /home/loops/.ssh/cc-ci-root-ed25519
     IdentitiesOnly yes
@@ -145,7 +145,11 @@ SSHCFG
 
   # nginx — reverse-proxy oc.commoninternet.net → opencode web server.
   # Bound to the tailscale IP so it is only reachable on the tailnet.
-  # DNS: add A record  oc.commoninternet.net → 100.84.190.30  (operator step).
+  # PARKED 2026-06-01 alongside opencode-web (loops are on claude now): this vhost just proxies to
+  # the now-stopped :4096 server, so it's harmless but dormant. Kept (not deleted) so re-enabling
+  # opencode-web restores the UI in one step. If opencode is dropped for good, remove this block
+  # and the DNS step below.
+  # DNS: add A record  oc.commoninternet.net → 100.84.190.30  (operator step; only needed if re-enabled).
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;