recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4c7150d50283b4e929c65b466dba04d91a8dd591
cc-ci/terraform/variables.tf
autonomic-bot 4c7150d502 terraform: provision cc-ci on Hetzner Cloud via nixos-infect 
Adds terraform/ (hcloud provider, cpx32/nbg1/debian-12) and a new
nix/hosts/cc-ci-hetzner/ flake host to provision the cc-ci server on
Hetzner Cloud as an alternative to the Incus cc-nix-test VM.

Stage 1 (Terraform): creates a cpx32 server (4 vCPU / 8 GB / x86 AMD,
Nuremberg), runs nixos-infect (pinned rev 40f62a6, 2026-03-22) to convert
Debian 12 → NixOS 24.11, and reboots into bare NixOS.

Stage 2 (manual, per terraform/README.md): clone cc-ci --recursive,
provision the bootstrap age key, then `nixos-rebuild switch --flake
.#cc-ci-hetzner`.

Verified (throwaway run 2026-05-31, server 134464512, 168.119.126.100):
- terraform apply: cpx32 in nbg1 created in 17 s
- nixos-infect: NixOS 24.11.719113.50ab793786d9 (same nixpkgs pin as flake)
- nixos-rebuild build --flake .#cc-ci-hetzner: exit 0 on server
  (131 derivations; all cc-ci modules: tailscale, drone, drone-runner,
  bridge, dashboard, harness, swarm, abra, proxy, secrets)
- terraform plan: no changes (idempotent)
- terraform destroy: server + SSH key removed

Age key step (plan §4 Stage 2): operator-pending. Full switch/convergence
requires bootstrap age key at /var/lib/sops-nix/key.txt. Flake builds
without it; activation needs it.

No secrets committed: HCLOUD_TOKEN via env, tfstate gitignored,
networking.nix contains throwaway IP (update per README for production).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 01:11:56 +00:00

38 lines
1.2 KiB
HCL
Raw Blame History

variable "location" {
description = "Hetzner datacenter (nbg1=Nuremberg, fsn1=Falkenstein, hel1=Helsinki, ash=Ashburn, hil=Hillsboro)"
type = string
default = "nbg1"
}
variable "server_type" {
description = <<-EOT
Hetzner server type. Must be x86 the flake is x86_64-linux; NEVER use cax* (ARM).
cpx32 = AMD 4 vCPU / 8 GB (default; replaces cpx31 which is retired in some DCs).
cx33 = Intel 4 vCPU / 8 GB (alternative).
EOT
type = string
default = "cpx32"
validation {
condition = !startswith(var.server_type, "cax")
error_message = "ARM server types (cax*) are not supported — the cc-ci flake is x86_64-linux only."
}
}
variable "image" {
description = "Base OS image. nixos-infect supports debian-12 and ubuntu-24.04. debian-12 preferred."
type = string
default = "debian-12"
}
variable "ssh_public_key" {
description = "SSH public key content (the full line, e.g. 'ssh-ed25519 AAAA... comment'). Registered with Hetzner for root access post-infect. Pass via TF_VAR_ssh_public_key or terraform.tfvars (gitignored)."
type = string
}
variable "server_name" {
description = "Hetzner server name and initial NixOS hostname"
type = string
default = "cc-ci"
}
Reference in New Issue View Git Blame Copy Permalink