recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4c7150d50283b4e929c65b466dba04d91a8dd591
cc-ci/nix/hosts/cc-ci-hetzner/networking.nix
autonomic-bot 4c7150d502 terraform: provision cc-ci on Hetzner Cloud via nixos-infect 
Adds terraform/ (hcloud provider, cpx32/nbg1/debian-12) and a new
nix/hosts/cc-ci-hetzner/ flake host to provision the cc-ci server on
Hetzner Cloud as an alternative to the Incus cc-nix-test VM.

Stage 1 (Terraform): creates a cpx32 server (4 vCPU / 8 GB / x86 AMD,
Nuremberg), runs nixos-infect (pinned rev 40f62a6, 2026-03-22) to convert
Debian 12 → NixOS 24.11, and reboots into bare NixOS.

Stage 2 (manual, per terraform/README.md): clone cc-ci --recursive,
provision the bootstrap age key, then `nixos-rebuild switch --flake
.#cc-ci-hetzner`.

Verified (throwaway run 2026-05-31, server 134464512, 168.119.126.100):
- terraform apply: cpx32 in nbg1 created in 17 s
- nixos-infect: NixOS 24.11.719113.50ab793786d9 (same nixpkgs pin as flake)
- nixos-rebuild build --flake .#cc-ci-hetzner: exit 0 on server
  (131 derivations; all cc-ci modules: tailscale, drone, drone-runner,
  bridge, dashboard, harness, swarm, abra, proxy, secrets)
- terraform plan: no changes (idempotent)
- terraform destroy: server + SSH key removed

Age key step (plan §4 Stage 2): operator-pending. Full switch/convergence
requires bootstrap age key at /var/lib/sops-nix/key.txt. Flake builds
without it; activation needs it.

No secrets committed: HCLOUD_TOKEN via env, tfstate gitignored,
networking.nix contains throwaway IP (update per README for production).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 01:11:56 +00:00

42 lines
1.4 KiB
Nix
Raw Blame History

# Hetzner static networking — generated by nixos-infect at provision time.
#
# This file is server-specific: the IP, gateway, and MAC address are tied to a
# particular Hetzner instance. When provisioning a new server:
# 1. After `terraform apply` + nixos-infect completes, run:
# ssh root@<new-ip> 'cat /etc/nixos/networking.nix'
# 2. Replace this file's contents with the output and commit.
# 3. Then: `nixos-rebuild switch --flake .#cc-ci-hetzner`
#
# Current instance: 168.119.126.100 (throwaway verification run 2026-05-31;
# this value will be updated when the production server is provisioned).
{ lib, ... }: {
networking = {
nameservers = [
"185.12.64.1"
"185.12.64.2"
];
defaultGateway = "172.31.1.1";
defaultGateway6 = {
address = "";
interface = "eth0";
};
dhcpcd.enable = false;
usePredictableInterfaceNames = lib.mkForce false;
interfaces = {
eth0 = {
ipv4.addresses = [
{ address = "168.119.126.100"; prefixLength = 32; }
];
ipv6.addresses = [
{ address = "fe80::9000:8ff:fe03:c400"; prefixLength = 64; }
];
ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
ipv6.routes = [{ address = ""; prefixLength = 128; }];
};
};
};
services.udev.extraRules = ''
ATTR{address}=="92:00:08:03:c4:00", NAME="eth0"
'';
}
Reference in New Issue View Git Blame Copy Permalink