Adds terraform/ (hcloud provider, cpx32/nbg1/debian-12) and a new nix/hosts/cc-ci-hetzner/ flake host to provision the cc-ci server on Hetzner Cloud as an alternative to the Incus cc-nix-test VM.

Stage 1 (Terraform): creates a cpx32 server (4 vCPU / 8 GB / x86 AMD, Nuremberg), runs nixos-infect (pinned rev 40f62a6, 2026-03-22) to convert Debian 12 → NixOS 24.11, and reboots into bare NixOS.

Stage 2 (manual, per terraform/README.md): clone cc-ci --recursive, provision the bootstrap age key, then `nixos-rebuild switch --flake .#cc-ci-hetzner`.

Verified (throwaway run 2026-05-31, server 134464512, 168.119.126.100):
- terraform apply: cpx32 in nbg1 created in 17 s
- nixos-infect: NixOS 24.11.719113.50ab793786d9 (same nixpkgs pin as flake)
- nixos-rebuild build --flake .#cc-ci-hetzner: exit 0 on server (131 derivations; all cc-ci modules: tailscale, drone, drone-runner, bridge, dashboard, harness, swarm, abra, proxy, secrets)
- terraform plan: no changes (idempotent)
- terraform destroy: server + SSH key removed

Age key step (plan §4 Stage 2): operator-pending. Full switch/convergence requires bootstrap age key at /var/lib/sops-nix/key.txt. Flake builds without it; activation needs it.

No secrets committed: HCLOUD_TOKEN via env, tfstate gitignored, networking.nix contains throwaway IP (update per README for production).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
26 lines
1.3 KiB
Bash
#!/usr/bin/env bash
# Stage 1 — convert Debian 12 → NixOS via nixos-infect (pinned revision).
#
# nixos-infect generates /etc/nixos/{configuration.nix,hardware-configuration.nix,networking.nix}
# with Hetzner-correct bootloader (GRUB, not systemd-boot) and networking, then reboots into NixOS.
#
# After the reboot:
# - SSH as root is available (key registered with Hetzner survives infect)
# - Run Stage 2 per terraform/README.md: clone cc-ci + cc-ci-secrets, provision the bootstrap
# age key, then `nixos-rebuild switch --flake .#cc-ci-hetzner`
#
# Logs are written to /var/log/nixos-infect.log on the server for post-mortem inspection.
# The server reboots automatically at the end of infect — wait ~5 min before sshing in.
set -euo pipefail

# Pinned nixos-infect revision (2026-03-22: "fixes errors for non efi systems").
# Update deliberately; verify Hetzner still supported before bumping.
INFECT_SHA="40f62a680bb0e8f2f607d79abfaaecd99d59401c"

export NIX_CHANNEL="nixos-24.11"
export PROVIDER="hetzner" # tells nixos-infect to use GRUB + Hetzner networking
export NIXOS_IMPORT="" # no extra imports at infect time; we apply the real flake in Stage 2

curl -fsSL "https://raw.githubusercontent.com/elitak/nixos-infect/${INFECT_SHA}/nixos-infect" \
  | bash -x 2>&1 | tee /var/log/nixos-infect.log
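Review bot: the closing `curl ... | bash -x` pipeline executes the script while it is still streaming, so a transfer that drops part-way leaves a truncated script already partly executed on the host, and nothing checks that the bytes that arrive are the ones reviewed; pinning `INFECT_SHA` fixes which revision GitHub serves, not what reaches bash. Suggest fetching to a file and checking a recorded digest before running it, e.g. `curl -fsSL -o /root/nixos-infect "https://raw.githubusercontent.com/elitak/nixos-infect/${INFECT_SHA}/nixos-infect"`, `echo "<sha256 of the pinned revision>  /root/nixos-infect" | sha256sum -c`, then `bash -x /root/nixos-infect 2>&1 | tee /var/log/nixos-infect.log`; the expected digest is not on the page, so it would need to be computed once from the pinned revision and stored next to `INFECT_SHA` with the same "update deliberately" comment. This also keeps `set -o pipefail` meaningful: a curl failure then stops the script before anything runs, rather than being reported only after bash has consumed a partial input.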