# cc-ci-orchestrator

NixOS config for the **`cc-ci-orchestrator`** Incus VM (b1, project `terraform-ci`, tailnet `100.116.55.106`) — the reboot-resilient host for the cc-ci Builder/Adversary loops + watchdog + orchestrator session, moved off the unstable 905 MiB Pi. See `cc-ci-plan/plan-orchestrator-migration.md` for the full migration.

## Files

- `configuration.nix` — the VM's NixOS config (channel-based, `nixos-24.11`). Deployed to `/etc/nixos/configuration.nix` on the VM. Provides: nix-ld (so the standalone Claude Code Bun binary runs), tmux/git/python/jq + tools, a 4 GB swapfile, direct ssh to cc-ci (the VM is a tailnet peer — no SOCKS proxy needed, unlike the Pi), an idempotent `claude-install` oneshot, and the `cc-ci-loops` supervisor service (defined, **enabled in Phase D** once the workspace is staged).

## Deploy (until this is wired to a flake/auto-pull)

```
# copy configuration.nix to the VM, then:
ssh cc-ci-orchestrator 'nixos-rebuild switch'   # or run detached: see below
```

Over the (currently flaky) Pi→VM link, run the rebuild **detached** on the VM so an ssh/proxy drop doesn't abort it, e.g. `systemd-run --unit=orch-rebuild --collect nixos-rebuild switch` then poll `journalctl -u orch-rebuild`.

## Status

- Phase A: VM created (2 GB / 2 vCPU / 30 GB), on tailnet, ssh-able. ✅
- Phase B: this config (DRAFT) — nix-ld/claude validation pending on the VM.
- Operator step pending (Phase C): `claude auth login` on the VM (device-code; can't be scripted).
- Secrets to stage (Phase C, out-of-band): `/srv/cc-ci/.testenv`, `~/.ssh/cc-ci-root-ed25519`, Incus mTLS certs, the sops master age key.
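
A preflight check for the Phase C secrets listed under Status, added here as an example (it is not part of this repo's config). It assumes GNU `stat` and that it runs as the account that will read the secrets; `check_secret` and `check_secrets` are hypothetical names, and because this README gives no paths for the Incus mTLS certs or the sops age key, all paths are passed as arguments.

```sh
#!/bin/sh
# Added example (not part of this repo): verify the out-of-band Phase C secrets
# are staged safely before the cc-ci-loops service is enabled.
# Assumes GNU stat (coreutils). check_secret/check_secrets are hypothetical names.

# check_secret PATH: succeed only if PATH is a regular file, not a symlink,
# owned by the invoking user, with no group/other permission bits.
check_secret() {
    path="$1"
    # Reject symlinks: a link into the world-readable /nix/store would leak the secret.
    if [ -L "$path" ]; then
        echo "FAIL symlink: $path"; return 1
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL missing or not a regular file: $path"; return 1
    fi
    mode="$(stat -c '%a' "$path")" || return 1
    owner="$(stat -c '%u' "$path")" || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL owned by uid $owner: $path"; return 1
    fi
    # Octal mask 077 covers every group and other bit.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL mode $mode allows group/other access: $path"; return 1
    fi
    echo "ok   mode $mode: $path"
}

# check_secrets PATH...: check every path, report all failures, succeed only if none.
check_secrets() {
    failures=0
    for p in "$@"; do
        check_secret "$p" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Run only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    check_secrets "$@" || exit 1
fi
```

Pass `/srv/cc-ci/.testenv`, `~/.ssh/cc-ci-root-ed25519`, and wherever the Incus mTLS certs and the sops master age key were staged; a non-zero exit means at least one file needs fixing before Phase D.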