From be4f451d3a318fb8a392f0596f024802cd4dc83e Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Mon, 1 Jun 2026 13:57:45 +0000 Subject: [PATCH] fix(flake): make Hetzner the canonical cc-ci host target --- README.md | 12 ++++++++---- docs/architecture.md | 15 ++++++++++----- docs/install.md | 1 + flake.nix | 17 ++++++++++++++--- 4 files changed, 33 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index ddd0327..81aec03 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,9 @@ per-recipe test trees, and the docs to enroll a recipe or rebuild the box from s ## Layout ``` -flake.nix NixOS entry point + devshells (stays at root; build ref #cc-ci) -nix/hosts/cc-ci/ the cc-ci machine config +flake.nix NixOS entry point + devshells (`#cc-ci` = live Hetzner host, `#cc-ci-incus` = legacy Incus host) +nix/hosts/cc-ci/ legacy Incus VM host config (fallback / historical) +nix/hosts/cc-ci-hetzner/ live Hetzner host config nix/modules/ drone, comment-bridge, swarm, dashboard, secrets (Nix modules) secrets/ sops-encrypted infra secrets (cc-ci-secrets submodule) bridge/ !testme webhook listener source @@ -25,8 +26,11 @@ tests// per-recipe install/upgrade/backup tests + playwright/ docs/ install, enroll-recipe, secrets, architecture, runbook, baseline ``` -All `.nix` code lives under `nix/`; `flake.nix`/`flake.lock` stay at the repo root so the build -reference (`nixos-rebuild switch --flake '…#cc-ci'`) is unchanged. +All `.nix` code lives under `nix/`; `flake.nix`/`flake.lock` stay at the repo root. Host targets are: + +- `#cc-ci` = canonical live Hetzner server +- `#cc-ci-hetzner` = explicit alias for the same live Hetzner server +- `#cc-ci-incus` = legacy Incus VM definition only; do not use on Hetzner ## Docs diff --git a/docs/architecture.md b/docs/architecture.md index aa7a85f..03b47dc 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -5,11 +5,16 @@ reports the result back. Everything on the `cc-ci` host is declared in this repo ## Repo layout -All Nix code lives under **`nix/`** — `nix/hosts/cc-ci/` (the machine config) and `nix/modules/` -(the service modules). `flake.nix` / `flake.lock` stay at the **repo root** as the entry point, so -the build reference is unchanged (`nixos-rebuild switch --flake '…#cc-ci'`). Application source sits -at the root (`bridge/`, `dashboard/`, `runner/`, `tests/`); encrypted secrets are the `secrets/` -submodule. +All Nix code lives under **`nix/`** — `nix/hosts/cc-ci-hetzner/` (the live machine config), +`nix/hosts/cc-ci/` (the legacy Incus config), and `nix/modules/` (the service modules). +`flake.nix` / `flake.lock` stay at the **repo root** as the entry point. Host targets: + +- `#cc-ci` = live Hetzner host +- `#cc-ci-hetzner` = explicit alias for the same live Hetzner host +- `#cc-ci-incus` = legacy Incus VM config only + +Application source sits at the root (`bridge/`, `dashboard/`, `runner/`, `tests/`); encrypted secrets +are the `secrets/` submodule. ## Components diff --git a/docs/install.md b/docs/install.md index a3d801e..dac40ea 100644 --- a/docs/install.md +++ b/docs/install.md @@ -53,6 +53,7 @@ install -m700 -d /var/lib/sops-nix install -m600 /path/to/bootstrap-age-key /var/lib/sops-nix/key.txt # 3. One nixos-rebuild switch. NOTE: ?submodules=1 so the git flake includes secrets/. +# `#cc-ci` is the canonical live Hetzner host target. The old Incus config is `#cc-ci-incus`. nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci' ``` diff --git a/flake.nix b/flake.nix index 937f997..a1d9f58 100644 --- a/flake.nix +++ b/flake.nix 
@@ -31,7 +31,19 @@
 ];
 in {
+ # Canonical live host target: the Hetzner cc-ci server.
+ # Use `.#cc-ci` for the current production host.
 nixosConfigurations.cc-ci = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ sops-nix.nixosModules.sops
+ ./nix/hosts/cc-ci-hetzner/configuration.nix
+ ];
+ };
+
+ # Legacy Incus VM host definition retained only for historical comparison and fallback.
+ # Do NOT use this target on the live Hetzner server.
+ nixosConfigurations.cc-ci-incus = nixpkgs.lib.nixosSystem {
 inherit system;
 modules = [
 sops-nix.nixosModules.sops
@@ -39,9 +51,8 @@
 ];
 };
- # Hetzner Cloud host (cpx32, nbg1). Provisions via `terraform/` + nixos-infect.
- # Used in parallel with cc-ci (Incus) during transition; becomes canonical after cutover.
- # See terraform/README.md for the full apply + Stage 2 (nixos-rebuild switch) workflow.
+ # Explicit alias for the live Hetzner host. Kept alongside `cc-ci` so the intended host target
+ # remains obvious in recovery/migration workflows.
 nixosConfigurations.cc-ci-hetzner = nixpkgs.lib.nixosSystem {
 inherit system;
 modules = [
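Review bot: `nixosConfigurations.cc-ci` is now a fresh `nixpkgs.lib.nixosSystem` call with its own module list, while `cc-ci-hetzner` is documented as an "explicit alias for the same live Hetzner host" but is evaluated independently, so nothing stops the two module lists from drifting (an extra sops module or a changed host directory in one and not the other) and a recovery rebuild of the "alias" then deploys a different system than the canonical target. Define the Hetzner system once and reference it, e.g. `nixosConfigurations.cc-ci-hetzner = self.nixosConfigurations.cc-ci;` if the outputs function receives `self`, or bind it in the `let` that closes just above this hunk and use that binding for both attributes. The "Do NOT use this target on the live Hetzner server" guard on `cc-ci-incus` is only a comment; if `nix/hosts/cc-ci/configuration.nix` has something to key on (a hostname or an Incus/virtualisation setting), an `assertions` entry there would make a mis-targeted `nixos-rebuild switch` fail at evaluation rather than after activation. The `nixosConfigurations.cc-ci-incus` definition continues past the end of this hunk.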