fix(flake): make Hetzner the canonical cc-ci host target
12
README.md
@ -14,8 +14,9 @@ per-recipe test trees, and the docs to enroll a recipe or rebuild the box from s
|
|||||||
## Layout
|
## Layout
|
||||||
|
|
||||||
```
|
```
|
||||||
flake.nix NixOS entry point + devshells (stays at root; build ref #cc-ci)
|
flake.nix NixOS entry point + devshells (`#cc-ci` = live Hetzner host, `#cc-ci-incus` = legacy Incus host)
|
||||||
nix/hosts/cc-ci/ the cc-ci machine config
|
nix/hosts/cc-ci/ legacy Incus VM host config (fallback / historical)
|
||||||
|
nix/hosts/cc-ci-hetzner/ live Hetzner host config
|
||||||
nix/modules/ drone, comment-bridge, swarm, dashboard, secrets (Nix modules)
|
nix/modules/ drone, comment-bridge, swarm, dashboard, secrets (Nix modules)
|
||||||
secrets/ sops-encrypted infra secrets (cc-ci-secrets submodule)
|
secrets/ sops-encrypted infra secrets (cc-ci-secrets submodule)
|
||||||
bridge/ !testme webhook listener source
|
bridge/ !testme webhook listener source
|
||||||
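Review bot: the directory `nix/hosts/cc-ci/` now holds the legacy Incus config while the `#cc-ci` target builds `nix/hosts/cc-ci-hetzner/`, so the directory name and the flake attribute no longer agree; an operator who opens `nix/hosts/cc-ci/` to edit "the cc-ci machine" will change the fallback, not production. Consider renaming the directory to `nix/hosts/cc-ci-incus/` to match the `#cc-ci-incus` attribute, or spell the mismatch out on this line instead of only "legacy Incus VM host config (fallback / historical)".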
@ -25,8 +26,11 @@ tests/<recipe>/ per-recipe install/upgrade/backup tests + playwright/
|
|||||||
docs/ install, enroll-recipe, secrets, architecture, runbook, baseline
|
docs/ install, enroll-recipe, secrets, architecture, runbook, baseline
|
||||||
```
|
```
|
||||||
|
|
||||||
All `.nix` code lives under `nix/`; `flake.nix`/`flake.lock` stay at the repo root so the build
|
All `.nix` code lives under `nix/`; `flake.nix`/`flake.lock` stay at the repo root. Host targets are:
|
||||||
reference (`nixos-rebuild switch --flake '…#cc-ci'`) is unchanged.
|
|
||||||
|
- `#cc-ci` = canonical live Hetzner server
|
||||||
|
- `#cc-ci-hetzner` = explicit alias for the same live Hetzner server
|
||||||
|
- `#cc-ci-incus` = legacy Incus VM definition only; do not use on Hetzner
|
||||||
|
|
||||||
## Docs
|
## Docs
|
||||||
|
|
||||||
|
|||||||
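Review bot: removing the sentence that `nixos-rebuild switch --flake '…#cc-ci'` "is unchanged" is correct, but the new list states only one direction of the hazard ("do not use on Hetzner" for `#cc-ci-incus`). The reverse is the live risk now: running `#cc-ci` on the old Incus VM switches it to the Hetzner configuration. Add the mirror warning to the `#cc-ci-incus` bullet, e.g. "use this, not `#cc-ci`, on the Incus VM", so both directions are covered.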
@ -5,11 +5,16 @@ reports the result back. Everything on the `cc-ci` host is declared in this repo
|
|||||||
|
|
||||||
## Repo layout
|
## Repo layout
|
||||||
|
|
||||||
All Nix code lives under **`nix/`** — `nix/hosts/cc-ci/` (the machine config) and `nix/modules/`
|
All Nix code lives under **`nix/`** — `nix/hosts/cc-ci-hetzner/` (the live machine config),
|
||||||
(the service modules). `flake.nix` / `flake.lock` stay at the **repo root** as the entry point, so
|
`nix/hosts/cc-ci/` (the legacy Incus config), and `nix/modules/` (the service modules).
|
||||||
the build reference is unchanged (`nixos-rebuild switch --flake '…#cc-ci'`). Application source sits
|
`flake.nix` / `flake.lock` stay at the **repo root** as the entry point. Host targets:
|
||||||
at the root (`bridge/`, `dashboard/`, `runner/`, `tests/`); encrypted secrets are the `secrets/`
|
|
||||||
submodule.
|
- `#cc-ci` = live Hetzner host
|
||||||
|
- `#cc-ci-hetzner` = explicit alias for the same live Hetzner host
|
||||||
|
- `#cc-ci-incus` = legacy Incus VM config only
|
||||||
|
|
||||||
|
Application source sits at the root (`bridge/`, `dashboard/`, `runner/`, `tests/`); encrypted secrets
|
||||||
|
are the `secrets/` submodule.
|
||||||
|
|
||||||
## Components
|
## Components
|
||||||
|
|
||||||
|
|||||||
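Review bot: the `#cc-ci-incus` bullet here reads "legacy Incus VM config only" while the README version of the same list adds "do not use on Hetzner"; keep the two lists word-for-word identical so whichever document the operator reads gives the same warning. The same applies to the `nix/hosts/cc-ci/` description, which in both places should say plainly that the directory name no longer matches the `#cc-ci` target.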
@ -53,6 +53,7 @@ install -m700 -d /var/lib/sops-nix
|
|||||||
install -m600 /path/to/bootstrap-age-key /var/lib/sops-nix/key.txt
|
install -m600 /path/to/bootstrap-age-key /var/lib/sops-nix/key.txt
|
||||||
|
|
||||||
# 3. One nixos-rebuild switch. NOTE: ?submodules=1 so the git flake includes secrets/.
|
# 3. One nixos-rebuild switch. NOTE: ?submodules=1 so the git flake includes secrets/.
|
||||||
|
# `#cc-ci` is the canonical live Hetzner host target. The old Incus config is `#cc-ci-incus`.
|
||||||
nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'
|
nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|||||||
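Review bot: the new comment above `nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'` names the target, but the bootstrap steps still read as host-agnostic; since step 3 now deploys the Hetzner configuration, state here that this sequence is for the Hetzner server and that the Incus VM must use `#cc-ci-incus`. Also, `?submodules=1` only includes `secrets/` if the submodule is actually checked out in `/root/cc-ci`; a `git submodule update --init` (or a check that `secrets/` is non-empty) before step 3 would make that failure mode explicit rather than surfacing as a confusing build error.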
17
flake.nix
@ -31,7 +31,19 @@
|
|||||||
];
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
# Canonical live host target: the Hetzner cc-ci server.
|
||||||
|
# Use `.#cc-ci` for the current production host.
|
||||||
nixosConfigurations.cc-ci = nixpkgs.lib.nixosSystem {
|
nixosConfigurations.cc-ci = nixpkgs.lib.nixosSystem {
|
||||||
|
inherit system;
|
||||||
|
modules = [
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
./nix/hosts/cc-ci-hetzner/configuration.nix
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Legacy Incus VM host definition retained only for historical comparison and fallback.
|
||||||
|
# Do NOT use this target on the live Hetzner server.
|
||||||
|
nixosConfigurations.cc-ci-incus = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = [
|
modules = [
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
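Review bot: `cc-ci` and `cc-ci-hetzner` are documented as the same host, yet each is its own `nixpkgs.lib.nixosSystem` call with its own `modules` list, so the two can drift. Make the alias structural, e.g. `nixosConfigurations.cc-ci-hetzner = self.nixosConfigurations.cc-ci;` (assuming `self` is among the outputs arguments) or build both from one `let`-bound module list, so the flake cannot produce two different closures for "the same" host. Separately, "Do NOT use this target on the live Hetzner server" is only a comment; an `assertions` entry on hostname or hardware in the Incus configuration would turn a wrong-target `nixos-rebuild switch` into a build-time failure.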
@ -39,9 +51,8 @@
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Hetzner Cloud host (cpx32, nbg1). Provisions via `terraform/` + nixos-infect.
|
# Explicit alias for the live Hetzner host. Kept alongside `cc-ci` so the intended host target
|
||||||
# Used in parallel with cc-ci (Incus) during transition; becomes canonical after cutover.
|
# remains obvious in recovery/migration workflows.
|
||||||
# See terraform/README.md for the full apply + Stage 2 (nixos-rebuild switch) workflow.
|
|
||||||
nixosConfigurations.cc-ci-hetzner = nixpkgs.lib.nixosSystem {
|
nixosConfigurations.cc-ci-hetzner = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = [
|
modules = [
|
||||||
|
|||||||
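Review bot: the rewritten comment drops the only pointer to how the Hetzner host is provisioned ("Provisions via `terraform/` + nixos-infect", "See terraform/README.md for the full apply + Stage 2 (nixos-rebuild switch) workflow") together with the machine details (cpx32, nbg1). If `terraform/` still exists, move that pointer to the `cc-ci` definition now that it is the canonical Hetzner target rather than deleting it; someone rebuilding the box from scratch needs to know it comes from terraform + nixos-infect and not from `nixos-rebuild` alone.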