recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4237cc03f52c4ece304bbfcd941a622eb8dfd60b
cc-ci/nix/hosts/cc-ci-hetzner/configuration.nix
autonomic-bot 4237cc03f5 nix: add cc-ci-hetzner host (cpx32, nixos-infect hardware, all root SSH keys) 
Port from terraform-hetzner branch. Adds the Hetzner cc-ci flake host with
all 3 root authorized keys so nixos-rebuild doesn't lock out SSH access.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 03:00:36 +00:00

76 lines
2.6 KiB
Nix
Raw Blame History

# cc-ci on Hetzner Cloud — NixOS configuration.
# Extends the shared cc-ci modules (same services as the Incus host) with
# Hetzner-specific hardware + networking. Run in parallel with the Incus cc-ci
# host during transition; make this the canonical cc-ci after cutover (plan §7).
#
# To apply after `terraform apply` + nixos-infect:
# git clone --recursive https://git.autonomic.zone/recipe-maintainers/cc-ci.git /etc/cc-ci
# install -m600 <age-private-key> /var/lib/sops-nix/key.txt
# nixos-rebuild switch --flake /etc/cc-ci#cc-ci-hetzner
{ pkgs, lib, ... }:
{
imports = [
./hardware.nix
./networking.nix
../../modules/packages.nix
../../modules/secrets.nix
../../modules/swarm.nix
../../modules/docker-prune.nix
../../modules/abra.nix
../../modules/proxy.nix
../../modules/drone.nix
../../modules/drone-runner.nix
../../modules/bridge.nix
../../modules/dashboard.nix
../../modules/backupbot.nix
../../modules/harness.nix
../../modules/warm-keycloak.nix
../../modules/nightly-sweep.nix
];
# Timezone (same as Incus host — see configuration.nix there for rationale).
time.timeZone = "UTC";
environment.etc."timezone".text = "UTC\n";
# Tailscale — keeps the orchestrator→cc-ci access path unchanged (direct peer).
# On the Hetzner host the auth key is also seeded via /etc/ts-auth-key.
services.tailscale = {
enable = true;
authKeyFile = "/etc/ts-auth-key";
extraUpFlags = [ "--hostname=cc-ci" ];
};
# SSH — allow root login over tailscale (same as Incus host).
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
# Root SSH authorized keys — preserved across nixos-rebuild switches.
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8NaeBdPbS2gfUvbny8h0AkZlVjGYHzx4QPXSJ38gd claude@claude-vm"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJVlfoLBPseQ9fA9534KmRg2KWcksKZGzAJIpHJ2JpsI mfowler.email@protonmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcyTGb/wVgdhg5oBCZZvBaR1RuUQRY/3WHnOQpNDCsp claude-cc-ci-sandbox@20260526"
];
# Firewall — Hetzner has a public IP, so open 80+443 for Traefik.
# Tailscale interface is trusted (no port restrictions for orchestrator access).
# Plan §6: v1 keeps the sops wildcard cert; evaluate ACME-on-public-IP as follow-up.
networking.firewall = {
enable = true;
trustedInterfaces = [ "tailscale0" ];
allowedTCPPorts = [ 22 80 443 ];
};
environment.systemPackages = with pkgs; [
curl
git
jq
openssh
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "24.11";
}
Reference in New Issue View Git Blame Copy Permalink