cc-ci/terraform/user-data.sh
autonomic-bot e37a7df496
terraform: IaC-of-record for the cc-ci Hetzner host (salvaged from PR#2)
The cc-ci server already runs on Hetzner (migration done; nix/hosts/cc-ci-hetzner
landed directly on main 2026-05-31). PR#2's host config was superseded by newer
main commits, but its terraform/ provisioning scaffolding (cpx32 + nixos-infect)
was never preserved. Add it here as the infrastructure-of-record so the box is
reproducible. .gitignore keeps tfstate + secret tfvars out; HCLOUD_TOKEN is an
env var at apply time (no secrets committed). PR#2 closed as superseded.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 21:09:02 +00:00


#!/usr/bin/env bash
# Stage 1 — convert Debian 12 → NixOS via nixos-infect (pinned revision).
#
# nixos-infect generates /etc/nixos/{configuration.nix,hardware-configuration.nix,networking.nix}
# with Hetzner-correct bootloader (GRUB, not systemd-boot) and networking, then reboots into NixOS.
#
# After the reboot:
#   - SSH as root is available (key registered with Hetzner survives infect)
#   - Run Stage 2 per terraform/README.md: clone cc-ci + cc-ci-secrets, provision the bootstrap
#     age key, then `nixos-rebuild switch --flake .#cc-ci-hetzner`
#
# Logs are written to /var/log/nixos-infect.log on the server for post-mortem inspection.
# The server reboots automatically at the end of infect — wait ~5 min before sshing in.
set -euo pipefail

# Pinned nixos-infect revision (2026-03-22: "fixes errors for non efi systems").
# Update deliberately; verify Hetzner still supported before bumping.
INFECT_SHA="40f62a680bb0e8f2f607d79abfaaecd99d59401c"

export NIX_CHANNEL="nixos-24.11"
export PROVIDER="hetzner"   # tells nixos-infect to use GRUB + Hetzner networking
export NIXOS_IMPORT=""      # no extra imports at infect time; we apply the real flake in Stage 2

curl -fsSL "https://raw.githubusercontent.com/elitak/nixos-infect/${INFECT_SHA}/nixos-infect" \
  | bash -x 2>&1 | tee /var/log/nixos-infect.log
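
The script above pins nixos-infect to a commit SHA but streams the download straight into bash, so a transfer cut off partway can leave bash having already run part of the file. The following is an added example, not code from the cc-ci repository: it downloads to a temporary file, checks a SHA-256 digest, and only then executes. The function names and the expected-digest argument are assumptions; the digest has to be recorded by the operator from a reviewed copy of the pinned revision.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names, not the project's code):
# verify a downloaded installer before running it as root.
set -euo pipefail

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d ' ' -f1
  else
    shasum -a 256 < "$1" | cut -d ' ' -f1
  fi
}

# verify_script FILE EXPECTED_SHA256: succeed only if FILE is non-empty
# and its digest equals EXPECTED_SHA256 (operator-recorded value).
verify_script() {
  local file="$1" expected="$2" actual
  [ -s "$file" ] || { echo "verify: $file missing or empty" >&2; return 1; }
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "verify: digest mismatch for $file (got $actual)" >&2
    return 1
  fi
}

# fetch_verify_run URL EXPECTED_SHA256 LOGFILE: download completely,
# verify, then execute with tracing; nothing runs if either step fails.
fetch_verify_run() {
  local url="$1" expected="$2" log="$3" tmp rc=0
  tmp="$(mktemp)"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url" || rc=$?
  if [ "$rc" -eq 0 ]; then verify_script "$tmp" "$expected" || rc=$?; fi
  if [ "$rc" -eq 0 ]; then bash -x "$tmp" 2>&1 | tee "$log" || rc=$?; fi
  rm -f "$tmp"
  return "$rc"
}
```

In user-data.sh the final pipeline would become a call such as `fetch_verify_run "<pinned URL>" "<recorded digest>" /var/log/nixos-infect.log`, with the digest bumped together with `INFECT_SHA`.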