From b08ebea876cba961d5f33c2793faf929897d959c Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Sun, 31 May 2026 02:59:43 +0000
Subject: [PATCH] nix: add cc-ci-hetzner host (cpx32, nixos-infect hardware) + root SSH keys

Created by assistant + patched with root authorized keys so nixos-rebuild does not lock out SSH access.

Co-Authored-By: Claude Sonnet 4.6
---
 nix/hosts/cc-ci-hetzner/configuration.nix | 7 +++++++
 nix/hosts/cc-ci-hetzner/hardware.nix | 2 +-
 nix/hosts/cc-ci-hetzner/networking.nix | 11 +++++------
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/nix/hosts/cc-ci-hetzner/configuration.nix b/nix/hosts/cc-ci-hetzner/configuration.nix
index ef08c9a..1bf3e8b 100644
--- a/nix/hosts/cc-ci-hetzner/configuration.nix
+++ b/nix/hosts/cc-ci-hetzner/configuration.nix
@@ -46,6 +46,13 @@
 settings.PermitRootLogin = "yes";
 };
 
+ # Root SSH authorized keys — preserved across nixos-rebuild switches.
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8NaeBdPbS2gfUvbny8h0AkZlVjGYHzx4QPXSJ38gd claude@claude-vm"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJVlfoLBPseQ9fA9534KmRg2KWcksKZGzAJIpHJ2JpsI mfowler.email@protonmail.com"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcyTGb/wVgdhg5oBCZZvBaR1RuUQRY/3WHnOQpNDCsp claude-cc-ci-sandbox@20260526"
+ ];
+
 # Firewall — Hetzner has a public IP, so open 80+443 for Traefik.
 # Tailscale interface is trusted (no port restrictions for orchestrator access).
 # Plan §6: v1 keeps the sops wildcard cert; evaluate ACME-on-public-IP as follow-up.
diff --git a/nix/hosts/cc-ci-hetzner/hardware.nix b/nix/hosts/cc-ci-hetzner/hardware.nix
index 1c86506..d19d0ac 100644
--- a/nix/hosts/cc-ci-hetzner/hardware.nix
+++ b/nix/hosts/cc-ci-hetzner/hardware.nix
@@ -21,7 +21,7 @@
 };
 
 fileSystems."/boot/efi" = {
- device = "/dev/disk/by-uuid/90B1-5F80";
+ device = "/dev/disk/by-uuid/D978-69EE";
 fsType = "vfat";
 };
 
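Review bot: With root authorized keys now declared, the context line `settings.PermitRootLogin = "yes";` still permits password-based root login over SSH; the setting that keeps exactly the key-based access this commit needs is `settings.PermitRootLogin = "prohibit-password";`, paired with `settings.PasswordAuthentication = false;` unless the rest of the openssh block already sets it. The enclosing `services.openssh` block starts outside the hunk, so whether password authentication is already disabled cannot be confirmed from here. The third key is labelled as a sandbox automation identity (`claude-cc-ci-sandbox@20260526`), so a compromise of that sandbox becomes a root compromise of this host; a dedicated user with a narrow sudo rule, or at minimum a documented rotation date, would reduce that blast radius. A per-key comment naming the owner and rotation process, e.g. `# owner: <team placeholder>, rotate by: <date placeholder>`, would help the next operator tell which keys are still needed.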
diff --git a/nix/hosts/cc-ci-hetzner/networking.nix b/nix/hosts/cc-ci-hetzner/networking.nix
index 8970567..6d9a629 100644
--- a/nix/hosts/cc-ci-hetzner/networking.nix
+++ b/nix/hosts/cc-ci-hetzner/networking.nix
@@ -5,10 +5,9 @@
 # 1. After `terraform apply` + nixos-infect completes, run:
 # ssh root@ 'cat /etc/nixos/networking.nix'
 # 2. Replace this file's contents with the output and commit.
-# 3. Then: `nixos-rebuild switch --flake .#cc-ci-hetzner`
+# 3. Then: `nixos-rebuild switch --flake .#cc-ci-hetzner --target-host root@`
 #
-# Current instance: 168.119.126.100 (throwaway verification run 2026-05-31;
-# this value will be updated when the production server is provisioned).
+# Current instance: 91.98.47.73 (fsn1, Hetzner server 134485294, provisioned 2026-05-31).
 { lib, ... }: {
 networking = {
 nameservers = [
@@ -25,10 +24,10 @@
 interfaces = {
 eth0 = {
 ipv4.addresses = [
- { address = "168.119.126.100"; prefixLength = 32; }
+ { address = "91.98.47.73"; prefixLength = 32; }
 ];
 ipv6.addresses = [
- { address = "fe80::9000:8ff:fe03:c400"; prefixLength = 64; }
+ { address = "fe80::9000:8ff:fe04:152e"; prefixLength = 64; }
 ];
 ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
 ipv6.routes = [{ address = ""; prefixLength = 128; }];
@@ -36,6 +35,6 @@
 };
 };
 services.udev.extraRules = ''
- ATTR{address}=="92:00:08:03:c4:00", NAME="eth0"
+ ATTR{address}=="92:00:08:04:15:2e", NAME="eth0"
 '';
 }
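Review bot: The new side of the interfaces hunk keeps `ipv6.routes = [{ address = ""; prefixLength = 128; }];` with an empty gateway address, which looks like a value lost in transcription rather than the literal output of the `cat /etc/nixos/networking.nix` step the file's own comment prescribes; an empty string will not produce a usable IPv6 default route and should be compared against the generated file on the host. The same apparent truncation shows in the first hunk, where `ssh root@` and `--target-host root@` end without a host — if an angle-bracket placeholder was intended it has likely been eaten by markup, so spell it out as `--target-host root@<host-ip>`. Since `--target-host` deploys over SSH as root, it depends on the root authorized keys in configuration.nix being active before the first remote switch; a one-line comment stating that ordering next to step 3 would save the next operator a lockout.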