nix: add cc-ci-hetzner host (cpx32, nixos-infect hardware, all root SSH keys)

Port from terraform-hetzner branch. Adds the Hetzner cc-ci flake host with all 3 root authorized keys so nixos-rebuild doesn't lock out SSH access. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 03:00:36 +00:00
parent 707752cd14
commit 4237cc03f5
4 changed files with 161 additions and 0 deletions
--- a/nix/hosts/cc-ci-hetzner/networking.nix
+++ b/nix/hosts/cc-ci-hetzner/networking.nix
@ -0,0 +1,40 @@
+# Hetzner static networking — generated by nixos-infect at provision time.
+#
+# This file is server-specific: the IP, gateway, and MAC address are tied to a
+# particular Hetzner instance. When provisioning a new server:
+#   1. After `terraform apply` + nixos-infect completes, run:
+#        ssh root@<new-ip> 'cat /etc/nixos/networking.nix'
+#   2. Replace this file's contents with the output and commit.
+#   3. Then: `nixos-rebuild switch --flake .#cc-ci-hetzner --target-host root@<new-ip>`
+#
+# Current instance: 91.98.47.73 (fsn1, Hetzner server 134485294, provisioned 2026-05-31).
+{ lib, ... }: {
+  networking = {
+    nameservers = [
+      "185.12.64.1"
+      "185.12.64.2"
+    ];
+    defaultGateway = "172.31.1.1";
+    defaultGateway6 = {
+      address = "";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          { address = "91.98.47.73"; prefixLength = 32; }
+        ];
+        ipv6.addresses = [
+          { address = "fe80::9000:8ff:fe04:152e"; prefixLength = 64; }
+        ];
+        ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
+        ipv6.routes = [{ address = ""; prefixLength = 128; }];
+      };
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="92:00:08:04:15:2e", NAME="eth0"
+  '';
+}