terraform: provision cc-ci on Hetzner Cloud via nixos-infect

Adds terraform/ (hcloud provider, cpx32/nbg1/debian-12) and a new
nix/hosts/cc-ci-hetzner/ flake host to provision the cc-ci server on
Hetzner Cloud as an alternative to the Incus cc-nix-test VM.

Stage 1 (Terraform): creates a cpx32 server (4 vCPU / 8 GB / x86 AMD,
Nuremberg), runs nixos-infect (pinned rev 40f62a6, 2026-03-22) to convert
Debian 12 → NixOS 24.11, and reboots into bare NixOS.

Stage 2 (manual, per terraform/README.md): clone cc-ci --recursive,
provision the bootstrap age key, then `nixos-rebuild switch --flake
.#cc-ci-hetzner`.

Verified (throwaway run 2026-05-31, server 134464512, 168.119.126.100):
- terraform apply: cpx32 in nbg1 created in 17 s
- nixos-infect: NixOS 24.11.719113.50ab793786d9 (same nixpkgs pin as flake)
- nixos-rebuild build --flake .#cc-ci-hetzner: exit 0 on server
  (131 derivations; all cc-ci modules: tailscale, drone, drone-runner,
  bridge, dashboard, harness, swarm, abra, proxy, secrets)
- terraform plan: no changes (idempotent)
- terraform destroy: server + SSH key removed

Age key step (plan §4 Stage 2): operator-pending. Full switch/convergence
requires bootstrap age key at /var/lib/sops-nix/key.txt. Flake builds
without it; activation needs it.

No secrets committed: HCLOUD_TOKEN via env, tfstate gitignored,
networking.nix contains throwaway IP (update per README for production).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

nix/hosts/cc-ci-hetzner/configuration.nix

@@ -0,0 +1,68 @@
+# cc-ci on Hetzner Cloud — NixOS configuration.
+# Extends the shared cc-ci modules (same services as the Incus host) with
+# Hetzner-specific hardware + networking. Run in parallel with the Incus cc-ci
+# host during transition; make this the canonical cc-ci after cutover (plan §7).
+#
+# To apply after `terraform apply` + nixos-infect:
+#   git clone --recursive https://git.autonomic.zone/recipe-maintainers/cc-ci.git /etc/cc-ci
+#   install -m600 <age-private-key> /var/lib/sops-nix/key.txt
+#   nixos-rebuild switch --flake /etc/cc-ci#cc-ci-hetzner
+{ pkgs, lib, ... }:
+{
+  imports = [
+    ./hardware.nix
+    ./networking.nix
+    ../../modules/packages.nix
+    ../../modules/secrets.nix
+    ../../modules/swarm.nix
+    ../../modules/docker-prune.nix
+    ../../modules/abra.nix
+    ../../modules/proxy.nix
+    ../../modules/drone.nix
+    ../../modules/drone-runner.nix
+    ../../modules/bridge.nix
+    ../../modules/dashboard.nix
+    ../../modules/backupbot.nix
+    ../../modules/harness.nix
+    ../../modules/warm-keycloak.nix
+    ../../modules/nightly-sweep.nix
+  ];
+
+  # Timezone (same as Incus host — see configuration.nix there for rationale).
+  time.timeZone = "UTC";
+  environment.etc."timezone".text = "UTC\n";
+
+  # Tailscale — keeps the orchestrator→cc-ci access path unchanged (direct peer).
+  # On the Hetzner host the auth key is also seeded via /etc/ts-auth-key.
+  services.tailscale = {
+    enable = true;
+    authKeyFile = "/etc/ts-auth-key";
+    extraUpFlags = [ "--hostname=cc-ci" ];
+  };
+
+  # SSH — allow root login over tailscale (same as Incus host).
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+  };
+
+  # Firewall — Hetzner has a public IP, so open 80+443 for Traefik.
+  # Tailscale interface is trusted (no port restrictions for orchestrator access).
+  # Plan §6: v1 keeps the sops wildcard cert; evaluate ACME-on-public-IP as follow-up.
+  networking.firewall = {
+    enable = true;
+    trustedInterfaces = [ "tailscale0" ];
+    allowedTCPPorts = [ 22 80 443 ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    curl
+    git
+    jq
+    openssh
+  ];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  system.stateVersion = "24.11";
+}

nix/hosts/cc-ci-hetzner/hardware.nix

@@ -0,0 +1,35 @@
+# Hardware configuration for cc-ci on Hetzner Cloud (cpx32: AMD 4 vCPU / 8 GB / x86_64).
+# Generated by nixos-infect from a Debian 12 base image, then committed here.
+#
+# nixos-infect uses GRUB + EFI on Hetzner (not systemd-boot), with a qemu-guest profile
+# because Hetzner Cloud uses KVM virtualisation.
+#
+# IMPORTANT: networking.nix (below) contains the server's static public IP.
+# When provisioning a new server via `terraform apply`, copy the fresh networking.nix
+# from /etc/nixos/networking.nix on the new host and commit it here before rebuilding.
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.loader = {
+    efi.efiSysMountPoint = "/boot/efi";
+    grub = {
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      device = "nodev";
+    };
+  };
+
+  fileSystems."/boot/efi" = {
+    device = "/dev/disk/by-uuid/90B1-5F80";
+    fsType = "vfat";
+  };
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+
+  fileSystems."/" = {
+    device = "/dev/sda1";
+    fsType = "ext4";
+  };
+}

nix/hosts/cc-ci-hetzner/networking.nix

@@ -0,0 +1,41 @@
+# Hetzner static networking — generated by nixos-infect at provision time.
+#
+# This file is server-specific: the IP, gateway, and MAC address are tied to a
+# particular Hetzner instance. When provisioning a new server:
+#   1. After `terraform apply` + nixos-infect completes, run:
+#        ssh root@<new-ip> 'cat /etc/nixos/networking.nix'
+#   2. Replace this file's contents with the output and commit.
+#   3. Then: `nixos-rebuild switch --flake .#cc-ci-hetzner`
+#
+# Current instance: 168.119.126.100 (throwaway verification run 2026-05-31;
+# this value will be updated when the production server is provisioned).
+{ lib, ... }: {
+  networking = {
+    nameservers = [
+      "185.12.64.1"
+      "185.12.64.2"
+    ];
+    defaultGateway = "172.31.1.1";
+    defaultGateway6 = {
+      address = "";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          { address = "168.119.126.100"; prefixLength = 32; }
+        ];
+        ipv6.addresses = [
+          { address = "fe80::9000:8ff:fe03:c400"; prefixLength = 64; }
+        ];
+        ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
+        ipv6.routes = [{ address = ""; prefixLength = 128; }];
+      };
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="92:00:08:03:c4:00", NAME="eth0"
+  '';
+}