From e2551f3d79323cc343034f17fb67db18c58989d1 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Tue, 2 Jun 2026 00:07:05 +0000 Subject: [PATCH] =?UTF-8?q?chore(nix):=20infra=20polish=20=E2=80=94=20bake?= =?UTF-8?q?=20cc-ci=20IP,=20mark=20stale=20Incus=20config,=20park=20nginx?= =?UTF-8?q?=20vhost?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - SSH config: replace REPLACE_WITH_CC_CI_HETZNER_TAILNET_IP placeholder with the real tailnet IP 100.95.31.88 (so a fresh re-provision is correct). - nix/configuration.nix + nix/README.md: mark HISTORICAL/dead (old Incus VM, superseded by the Hetzner host) to prevent a wrong-host deploy. - nginx oc.commoninternet.net vhost: note it's PARKED alongside opencode-web (kept for one-step re-enable, not deleted). Co-Authored-By: Claude Opus 4.8 --- nix/README.md | 5 +++++ nix/configuration.nix | 6 ++++++ nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix | 10 +++++++--- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/nix/README.md b/nix/README.md index aeb89de..bda6616 100644 --- a/nix/README.md +++ b/nix/README.md @@ -1,5 +1,10 @@ # cc-ci-orchestrator +> ⚠️ **HISTORICAL.** This README describes the retired **Incus VM** (`100.116.55.106`). The +> orchestrator now runs on **Hetzner** — the live host config is +> `nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix`. See +> `cc-ci-plan/plan-orchestrator-hetzner-migration.md` for the current setup. Kept for history. + NixOS config for the **`cc-ci-orchestrator`** Incus VM (b1, project `terraform-ci`, tailnet `100.116.55.106`) — the reboot-resilient host for the cc-ci Builder/Adversary loops + watchdog + orchestrator session, moved off the unstable 905 MiB Pi. diff --git a/nix/configuration.nix b/nix/configuration.nix index 8e3b84a..8a73b1b 100644 --- a/nix/configuration.nix +++ b/nix/configuration.nix 
@@ -1,3 +1,9 @@ +# ⚠️ HISTORICAL / DEAD CONFIG — DO NOT DEPLOY. (superseded 2026-05-31) +# This is the OLD Incus VM (`cc-ci-orchestrator`, tailnet 100.116.55.106) config. The orchestrator +# now runs on Hetzner — the LIVE config is nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix. +# Kept only for historical comparison; it runs loops as root and hard-codes the dead cc-ci IP. +# Delete once the old Incus VM is torn down. +# # cc-ci-orchestrator VM — NixOS config (channel-based: nixos-24.11; deployed to /etc/nixos/configuration.nix) # # Purpose: a reboot-resilient host for the cc-ci Builder/Adversary loops + watchdog + the orchestrator diff --git a/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix b/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix index ae8e82b..7036192 100644 --- a/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix +++ b/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix @@ -79,14 +79,14 @@ "/home/loops/.local/bin:/run/current-system/sw/bin:/run/wrappers/bin:/usr/bin:/bin"; # SSH config for the loops user — points to the cc-ci Hetzner server via tailnet. - # HostName is updated post-cutover to the Hetzner cc-ci tailnet IP. + # HostName is the Hetzner cc-ci server's tailnet IP (cutover settled 2026-05-31). system.activationScripts.loopsSshConfig = '' mkdir -p /home/loops/.ssh && chown loops:users /home/loops/.ssh && chmod 700 /home/loops/.ssh # Only write if not already present (preserves manual customisation). if [ ! -f /home/loops/.ssh/config ]; then cat > /home/loops/.ssh/config <<'SSHCFG' Host cc-ci - HostName REPLACE_WITH_CC_CI_HETZNER_TAILNET_IP + HostName 100.95.31.88 User root IdentityFile /home/loops/.ssh/cc-ci-root-ed25519 IdentitiesOnly yes 
@@ -145,7 +145,11 @@ SSHCFG # nginx — reverse-proxy oc.commoninternet.net → opencode web server. # Bound to the tailscale IP so it is only reachable on the tailnet. - # DNS: add A record oc.commoninternet.net → 100.84.190.30 (operator step). + # PARKED 2026-06-01 alongside opencode-web (loops are on claude now): this vhost just proxies to + # the now-stopped :4096 server, so it's harmless but dormant. Kept (not deleted) so re-enabling + # opencode-web restores the UI in one step. If opencode is dropped for good, remove this block + # and the DNS step below. + # DNS: add A record oc.commoninternet.net → 100.84.190.30 (operator step; only needed if re-enabled). services.nginx = { enable = true; recommendedProxySettings = true;
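Review bot: In the `nix/README.md` hunk, the new banner points readers at `cc-ci-plan/plan-orchestrator-hetzner-migration.md` but nothing in this patch touches that file, so the link is unverified from the diff alone; please confirm the path exists in the repo (or make it a relative link from `nix/`) so the "current setup" pointer does not rot. The banner also leaves the retired VM's tailnet IP in the first line of a README that still opens with "NixOS config for the `cc-ci-orchestrator` Incus VM"; that is acceptable while the VM exists, but it would be worth stating in the banner, as the `configuration.nix` comment already does, that the file is to be removed once the Incus VM is torn down, so the two notices carry the same retirement condition.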
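Review bot: In the `nix/configuration.nix` hunk, "DO NOT DEPLOY" is enforced only by a comment, yet the file's own header says it is deployed by copying to `/etc/nixos/configuration.nix` and the new comment admits it runs the loops as root and hard-codes a dead IP. A comment will not stop `nixos-rebuild` from evaluating it if it is copied into place by habit; consider making the module refuse to evaluate (for example a top-level `throw "HISTORICAL: use nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix"` or an `assertions` entry), or move the file under an archive directory that no deploy path reads. If the only value is "historical comparison", git history already preserves it and deleting now would remove the wrong-host-deploy risk entirely rather than documenting it.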
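Review bot: In the `@@ -79,14 +79,14 @@` hunk, the activation script still guards with `if [ ! -f /home/loops/.ssh/config ]`, so a host that was provisioned with the `REPLACE_WITH_CC_CI_HETZNER_TAILNET_IP` placeholder keeps the placeholder forever and the baked `HostName 100.95.31.88` only takes effect on a fresh re-provision, which the commit message acknowledges but the config does not handle. Suggest extending the guard to also rewrite the file when it still contains the placeholder, e.g. `if [ ! -f /home/loops/.ssh/config ] || grep -q REPLACE_WITH_CC_CI /home/loops/.ssh/config; then`, so the already-running host converges without a manual edit. Since this entry logs in as `root` over the tailnet, it would also be worth noting in the comment where the host key for 100.95.31.88 is pinned (the hunk shows `IdentitiesOnly yes` but no known-hosts handling), so a future re-provision does not silently trust-on-first-use the root login.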
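Review bot: In the `@@ -145,7 +145,11 @@` hunk, the vhost is described as "PARKED" but `services.nginx.enable = true` is unchanged in the context lines, so nginx keeps listening on the tailscale IP and proxying to a stopped `:4096` backend, which yields 502s rather than a dormant service and keeps a reverse-proxy path alive for a UI that is no longer running. If the goal is genuinely "re-enable in one step", express the parked state in the config rather than in a comment: gate the block on a single boolean (e.g. `let opencodeWebEnabled = false; in` and `services.nginx.enable = opencodeWebEnabled;`, or `lib.mkIf`), so flipping one value restores it and the parked state is visible to `nixos-rebuild` as well as to readers. The DNS comment now says the A record is "only needed if re-enabled"; if the record already exists, say whether it should be removed while parked, since a live name resolving to a 502 is more confusing than no record.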