M0: flake + base NixOS config, rebuilt from repo on cc-ci
Pins nixpkgs to the rev cc-ci already ran (no-op-then-base); deploy via switch --flake on-host. System healthy (gen 3) post-switch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
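--- a/hosts/cc-ci/configuration.nix
+++ b/hosts/cc-ci/configuration.nix
@@ -0,0 +1,42 @@
+# cc-ci machine config. M0 = faithful reproduction of the baseline (docs/baseline.md)
+# so the first flake rebuild is a no-op-then-base. Services (swarm/Traefik/Drone/
+# bridge/dashboard) are layered in via ./modules/* in later milestones.
+{ pkgs, lib, ... }:
+{
+imports = [
+./hardware.nix
+];
+
+# --- Tailscale (ACCESS-CRITICAL: do not break, this is the only route in) ---
+# Baseline read the hostname from /etc/ts-hostname at eval time; that is impure
+# under flakes, so we pin the known hostname. The reusable auth-key file persists.
+services.tailscale = {
+enable = true;
+authKeyFile = "/etc/ts-auth-key";
+extraUpFlags = [ "--hostname=cc-nix-test" ];
+};
+
+# --- SSH (root login over tailscale) ---
+services.openssh = {
+enable = true;
+settings.PermitRootLogin = "yes";
+};
+
+# --- Firewall: trust tailscale, allow SSH ---
+networking.firewall = {
+enable = true;
+trustedInterfaces = [ "tailscale0" ];
+allowedTCPPorts = [ 22 ];
+};
+
+environment.systemPackages = with pkgs; [
+curl
+git
+jq
+openssh
+];
+
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+system.stateVersion = "24.11";
+}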
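Review bot: `settings.PermitRootLogin = "yes"` combined with `allowedTCPPorts = [ 22 ]` exposes password-capable root SSH on every interface, not only over Tailscale as the two section comments claim: `allowedTCPPorts` is interface-agnostic, so port 22 is also reachable on the DHCP-configured Incus bridge address, and NixOS's sshd leaves password authentication on by default. Since `tailscale0` is already in `trustedInterfaces`, SSH over Tailscale needs no firewall rule at all, and the bridge-side opening appears to be an accident of the baseline rather than a requirement. I would change the three lines to `settings.PermitRootLogin = "prohibit-password";`, add `settings.PasswordAuthentication = false;`, and either drop `allowedTCPPorts = [ 22 ];` or scope it as `interfaces.tailscale0.allowedTCPPorts = [ 22 ];`. If M0 must stay byte-for-byte faithful to docs/baseline.md, at least record the exposure in the "SSH" comment (`# NOTE: port 22 is open on the bridge too; tighten in M1`) so it is not carried forward silently. The reusable Tailscale key in `/etc/ts-auth-key` should also be confirmed root-only (0600), since nothing here sets its mode.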
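--- a/hosts/cc-ci/hardware.nix
+++ b/hosts/cc-ci/hardware.nix
@@ -0,0 +1,21 @@
+# Hardware / platform for cc-ci: an Incus VM (x86_64) on the autonomic infra.
+# Mirrors the pre-flake baseline (docs/baseline.md).
+{ modulesPath, ... }:
+{
+imports = [
+"${modulesPath}/virtualisation/incus-virtual-machine.nix"
+];
+
+# incus-agent for `incus exec`
+virtualisation.incus.agent.enable = true;
+
+# cloud-init seeded the VM (network + /etc/ts-* files); keep it enabled.
+services.cloud-init = {
+enable = true;
+network.enable = true;
+};
+
+# DHCP from the incus bridge; bridge provides no resolver, so set our own.
+networking.useDHCP = true;
+networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+}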
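Review bot: `services.cloud-init.network.enable = true` and `networking.useDHCP = true` may end up as two network managers on the same interface: the NixOS cloud-init module, as far as I recall, turns on systemd-networkd for its rendered network config, while `useDHCP` with networkd off runs the scripted dhcpcd path, so both could hold a DHCP lease on the bridge NIC and race on the address. Worth confirming on gen 3 with `systemctl status dhcpcd systemd-networkd` and, if both are active, setting `networking.useNetworkd = true;` or dropping `network.enable` and letting NixOS DHCP alone. The hard-coded public resolvers also silently override anything DHCP later hands out, which the comment does not say; I would extend it to `# bridge provides no resolver, so set our own (overrides DHCP-supplied DNS)`. Note that keeping cloud-init enabled means the `/etc/ts-*` seed, including the reusable auth key, is rewritten from the datasource on a fresh instance-id, so the secret lifecycle lives outside this config.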