# cc-ci on Hetzner Cloud — NixOS configuration.
# Extends the shared cc-ci modules (same services as the Incus host) with
# Hetzner-specific hardware + networking. Run in parallel with the Incus cc-ci
# host during transition; make this the canonical cc-ci after cutover (plan §7).
#
# To apply after `terraform apply` + nixos-infect:
#   git clone --recursive https://git.autonomic.zone/recipe-maintainers/cc-ci.git /etc/cc-ci
#   install -m600 <age-private-key> /var/lib/sops-nix/key.txt
#   nixos-rebuild switch --flake /etc/cc-ci#cc-ci-hetzner
{ pkgs, ... }:
{
  imports = [
    ./hardware.nix
    ./networking.nix
    ../../modules/packages.nix
    ../../modules/secrets.nix
    ../../modules/swarm.nix
    ../../modules/docker-prune.nix
    ../../modules/abra.nix
    ../../modules/proxy.nix
    ../../modules/drone.nix
    ../../modules/drone-runner.nix
    ../../modules/bridge.nix
    ../../modules/dashboard.nix
    ../../modules/reports.nix
    ../../modules/backupbot.nix
    ../../modules/harness.nix
    ../../modules/warm-keycloak.nix
    ../../modules/nightly-sweep.nix
  ];

  # Timezone (same as Incus host — see configuration.nix there for rationale).
  time.timeZone = "UTC";
  environment.etc."timezone".text = "UTC\n";

  # Tailscale — keeps the orchestrator→cc-ci access path unchanged (direct peer).
  # On the Hetzner host the auth key is also seeded via /etc/ts-auth-key.
  services.tailscale = {
    enable = true;
    authKeyFile = "/etc/ts-auth-key";
    extraUpFlags = [ "--hostname=cc-ci" ];
  };

  # SSH — allow root login over tailscale (same as Incus host).
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "yes";
  };

  # Root SSH authorized keys — preserved across nixos-rebuild switches.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8NaeBdPbS2gfUvbny8h0AkZlVjGYHzx4QPXSJ38gd claude@claude-vm"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJVlfoLBPseQ9fA9534KmRg2KWcksKZGzAJIpHJ2JpsI mfowler.email@protonmail.com"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcyTGb/wVgdhg5oBCZZvBaR1RuUQRY/3WHnOQpNDCsp claude-cc-ci-sandbox@20260526"
  ];

  # Firewall — Hetzner has a public IP, so open 80+443 for Traefik.
  # Tailscale interface is trusted (no port restrictions for orchestrator access).
  # Plan §6: v1 keeps the sops wildcard cert; evaluate ACME-on-public-IP as follow-up.
  networking.firewall = {
    enable = true;
    trustedInterfaces = [ "tailscale0" ];
    allowedTCPPorts = [ 22 80 443 ];
  };

  environment.systemPackages = with pkgs; [
    curl
    git
    git-lfs
    jq
    openssh
  ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  system.stateVersion = "24.11";
}