terraform: provision cc-ci on Hetzner Cloud via nixos-infect

Adds terraform/ (hcloud provider, cpx32/nbg1/debian-12) and a new nix/hosts/cc-ci-hetzner/ flake host to provision the cc-ci server on Hetzner Cloud as an alternative to the Incus cc-nix-test VM. Stage 1 (Terraform): creates a cpx32 server (4 vCPU / 8 GB / x86 AMD, Nuremberg), runs nixos-infect (pinned rev 40f62a6, 2026-03-22) to convert Debian 12 → NixOS 24.11, and reboots into bare NixOS. Stage 2 (manual, per terraform/README.md): clone cc-ci --recursive, provision the bootstrap age key, then `nixos-rebuild switch --flake .#cc-ci-hetzner`. Verified (throwaway run 2026-05-31, server 134464512, 168.119.126.100): - terraform apply: cpx32 in nbg1 created in 17 s - nixos-infect: NixOS 24.11.719113.50ab793786d9 (same nixpkgs pin as flake) - nixos-rebuild build --flake .#cc-ci-hetzner: exit 0 on server (131 derivations; all cc-ci modules: tailscale, drone, drone-runner, bridge, dashboard, harness, swarm, abra, proxy, secrets) - terraform plan: no changes (idempotent) - terraform destroy: server + SSH key removed Age key step (plan §4 Stage 2): operator-pending. Full switch/convergence requires bootstrap age key at /var/lib/sops-nix/key.txt. Flake builds without it; activation needs it. No secrets committed: HCLOUD_TOKEN via env, tfstate gitignored, networking.nix contains throwaway IP (update per README for production). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 01:11:56 +00:00
parent 8d689d6c32
commit 4c7150d502
12 changed files with 424 additions and 0 deletions
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -0,0 +1,32 @@
+resource "hcloud_ssh_key" "cc_ci" {
+  name       = "cc-ci-deploy"
+  public_key = var.ssh_public_key
+
+  labels = {
+    project = "cc-ci"
+    managed = "terraform"
+  }
+}
+
+resource "hcloud_server" "cc_ci" {
+  name        = var.server_name
+  server_type = var.server_type
+  image       = var.image
+  location    = var.location
+  ssh_keys    = [hcloud_ssh_key.cc_ci.id]
+
+  # Stage 1: cloud-init runs nixos-infect on first boot, converting Ubuntu to NixOS,
+  # then reboots. See user-data.sh for the pinned infect revision.
+  user_data = file("${path.module}/user-data.sh")
+
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = false
+  }
+
+  labels = {
+    project = "cc-ci"
+    managed = "terraform"
+    stage   = "infect"
+  }
+}