nix: add cc-ci-hetzner host (cpx32, nixos-infect hardware) + root SSH keys

Created by assistant + patched with root authorized keys so nixos-rebuild does not lock out SSH access. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 02:59:43 +00:00
parent 4c7150d502
commit b08ebea876
3 changed files with 13 additions and 7 deletions
--- a/nix/hosts/cc-ci-hetzner/configuration.nix
+++ b/nix/hosts/cc-ci-hetzner/configuration.nix
@ -46,6 +46,13 @@
    settings.PermitRootLogin = "yes";
  };

+  # Root SSH authorized keys — preserved across nixos-rebuild switches.
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8NaeBdPbS2gfUvbny8h0AkZlVjGYHzx4QPXSJ38gd claude@claude-vm"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJVlfoLBPseQ9fA9534KmRg2KWcksKZGzAJIpHJ2JpsI mfowler.email@protonmail.com"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcyTGb/wVgdhg5oBCZZvBaR1RuUQRY/3WHnOQpNDCsp claude-cc-ci-sandbox@20260526"
+  ];
+
  # Firewall — Hetzner has a public IP, so open 80+443 for Traefik.
  # Tailscale interface is trusted (no port restrictions for orchestrator access).
  # Plan §6: v1 keeps the sops wildcard cert; evaluate ACME-on-public-IP as follow-up.
--- a/nix/hosts/cc-ci-hetzner/hardware.nix
+++ b/nix/hosts/cc-ci-hetzner/hardware.nix
@ -21,7 +21,7 @@
  };

  fileSystems."/boot/efi" = {
-    device = "/dev/disk/by-uuid/90B1-5F80";
+    device = "/dev/disk/by-uuid/D978-69EE";
    fsType = "vfat";
  };

--- a/nix/hosts/cc-ci-hetzner/networking.nix
+++ b/nix/hosts/cc-ci-hetzner/networking.nix
@ -5,10 +5,9 @@
 #   1. After `terraform apply` + nixos-infect completes, run:
 #        ssh root@<new-ip> 'cat /etc/nixos/networking.nix'
 #   2. Replace this file's contents with the output and commit.
-#   3. Then: `nixos-rebuild switch --flake .#cc-ci-hetzner`
+#   3. Then: `nixos-rebuild switch --flake .#cc-ci-hetzner --target-host root@<new-ip>`
 #
-# Current instance: 168.119.126.100 (throwaway verification run 2026-05-31;
-# this value will be updated when the production server is provisioned).
+# Current instance: 91.98.47.73 (fsn1, Hetzner server 134485294, provisioned 2026-05-31).
 { lib, ... }: {
  networking = {
    nameservers = [
@ -25,10 +24,10 @@
    interfaces = {
      eth0 = {
        ipv4.addresses = [
-          { address = "168.119.126.100"; prefixLength = 32; }
+          { address = "91.98.47.73"; prefixLength = 32; }
        ];
        ipv6.addresses = [
-          { address = "fe80::9000:8ff:fe03:c400"; prefixLength = 64; }
+          { address = "fe80::9000:8ff:fe04:152e"; prefixLength = 64; }
        ];
        ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
        ipv6.routes = [{ address = ""; prefixLength = 128; }];
@ -36,6 +35,6 @@
    };
  };
  services.udev.extraRules = ''
-    ATTR{address}=="92:00:08:03:c4:00", NAME="eth0"
+    ATTR{address}=="92:00:08:04:15:2e", NAME="eth0"
  '';
 }