From 4ffcdda9da06c12249b10b5fa39b172108d551a6 Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Tue, 26 May 2026 22:49:49 +0100
Subject: [PATCH] plan §9: infra bring-up = declarative idempotent reconciliation, not manual/run-once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Strengthen the idempotency guardrail: every infra piece (swarm, traefik recipe deploy, drone, bridge, dashboard) is a systemd oneshot that re-runs each activation/boot and converges to desired state (like swarm-init) — no manual post-steps, no run-once sentinels. Goal: from-scratch install = clone + nixos-rebuild switch + preconditions.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 cc-ci-plan/plan.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/cc-ci-plan/plan.md b/cc-ci-plan/plan.md
index 67b7d4b..2bdbd94 100644
--- a/cc-ci-plan/plan.md
+++ b/cc-ci-plan/plan.md
@@ -653,6 +653,13 @@ Each default stands until the Adversary or reality forces a change; record the c - **No mocks for the e2e stages.** D2 means real deploys. If something can't be tested for real, it's a finding, not a pass. - **Idempotent + reversible.** Anything done to the server must be re-derivable from the repo. + Infra bring-up is **declarative idempotent reconciliation in Nix** — not manual post-steps and not + run-once scripts. Each piece (swarm + `proxy` net, the traefik recipe deploy, Drone, the + comment-bridge, the dashboard) is a systemd **oneshot that re-runs on every activation/boot** and + *converges* to the desired state (inspect → act only if needed → no-op if already correct), like + `swarm-init`. **No `/var/lib/.bootstrapped`-style sentinels** (they don't self-heal drift). The + goal: a from-scratch install is `git clone` + `nixos-rebuild switch` + the operator preconditions + — `docs/install.md` must never accumulate manual post-rebuild steps. - **Stop on missing *external* infra inputs** (class-A1 in §4.4: cc-ci SSH/root access, the Tailscale auth key, Gitea bot creds, the pre-issued wildcard cert at `/var/lib/ci-certs/live/`, registry creds — and the preconfigured DNS/gateway facts) rather than improvising around them;
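Review bot: the added paragraph specifies only the happy path of each oneshot (inspect → act only if needed → no-op) and says nothing about the failure policy, which matters given the very next bullet says to stop on missing external inputs rather than improvise. If a reconciliation unit cannot converge (a precondition from the class-A1 list is absent, or the swarm exists but the `proxy` net does not), the plan should say whether `nixos-rebuild switch` is expected to fail visibly or leave the unit failed while activation succeeds, and that a unit must never paper over a failed step with an always-succeed exec so that drift stays hidden. Suggest one sentence after "No `/var/lib/.bootstrapped`-style sentinels (they don't self-heal drift).", e.g. "A oneshot that cannot converge fails the unit loudly; it never exits 0 on a partial apply." Two smaller points: "desired state" is stated per piece without saying what the inspect step compares against for the recipe/stack deploys (the repo's stack spec is the obvious answer and worth stating, since that is what makes re-running safe), and the continuation lines are indented by one space under the `- **Idempotent + reversible.**` bullet, so check that the rendered markdown keeps them inside that bullet rather than starting a new paragraph.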