recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1138d77cbb807c46087e653f4f4fe8f555724df8
cc-ci/nix/hosts/cc-ci/configuration.nix
autonomic-bot 433ec9de30 refactor(1b): RL5 — consolidate Nix code under nix/ (modules->nix/modules, hosts->nix/hosts) 
flake.nix/flake.lock STAY at root so the build ref #cc-ci is unchanged; only flake's internal
configuration.nix path updated. Root-relative refs inside moved modules re-based ../X -> ../../X
(secrets/bridge/dashboard); configuration.nix's ../../modules imports unchanged (both dirs under nix/).
Living docs (README, architecture/install/secrets/enroll) + .drone.yml comment updated to nix/...;
append-only history logs left as-is. DECISIONS.md records RL5 + the deferred-coordinated RL6.

Verified on cc-ci: nixos-rebuild build 'path:#cc-ci' -> toplevel 8i3jcad9 (BYTE-IDENTICAL to the
pre-move build — store derivations are content-addressed on file contents, module .nix not in the
runtime closure); scripts/lint.sh -> lint: PASS.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 21:19:09 +01:00

54 lines
1.5 KiB
Nix
Raw Blame History

# cc-ci machine config. M0 = faithful reproduction of the baseline (docs/baseline.md)
# so the first flake rebuild is a no-op-then-base. Services (swarm/Traefik/Drone/
# bridge/dashboard) are layered in via ./modules/* in later milestones.
{ pkgs, ... }:
{
imports = [
./hardware.nix
../../modules/packages.nix
../../modules/secrets.nix
../../modules/swarm.nix
../../modules/abra.nix
../../modules/proxy.nix
../../modules/drone.nix
../../modules/drone-runner.nix
../../modules/bridge.nix
../../modules/dashboard.nix
../../modules/backupbot.nix
../../modules/harness.nix
];
# --- Tailscale (ACCESS-CRITICAL: do not break, this is the only route in) ---
# Baseline read the hostname from /etc/ts-hostname at eval time; that is impure
# under flakes, so we pin the known hostname. The reusable auth-key file persists.
services.tailscale = {
enable = true;
authKeyFile = "/etc/ts-auth-key";
extraUpFlags = [ "--hostname=cc-nix-test" ];
};
# --- SSH (root login over tailscale) ---
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
# --- Firewall: trust tailscale, allow SSH ---
networking.firewall = {
enable = true;
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = [ 22 ];
};
environment.systemPackages = with pkgs; [
curl
git
jq
openssh
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "24.11";
}
Reference in New Issue View Git Blame Copy Permalink