M1: proxy via real coop-cloud/traefik (abra, wildcard/no-ACME); recipe deploy+teardown; M1 CLAIMED

Orchestrator decision: deploy canonical coop-cloud traefik via abra instead of a
hand-rolled module. abra packaged in Nix (pinned). custom-html deployed over HTTPS
(200) via the gateway and torn down clean. docs/install.md seeded.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

JOURNAL.md

@@ -146,3 +146,43 @@ firewall 80/443 (gateway forwards over enp5s0).
 **Next:** install abra (M1 last task), `abra app new` a trivial recipe (custom-html) → deploy →
 reach over HTTPS at <app>.ci.commoninternet.net → teardown leaving no volumes. That completes M1
 → CLAIM M1 gate.
+
+## 2026-05-26 — M1: proxy pivot to real coop-cloud/traefik via abra; recipe deploy/teardown (M1 CLAIMED)
+
+**Orchestrator decision (mid-M1):** replace the hand-rolled Traefik with the canonical Co-op Cloud
+`traefik` recipe deployed via abra, wildcard/file-provider mode, no ACME/token. Removed custom
+`modules/traefik.nix`; moved firewall 80/443 into `modules/swarm.nix`. Recorded in DECISIONS.md.
+
+**Why the pivot also fixed a real bug:** my custom Traefik used entrypoint `websecure`; coop-cloud
+recipes label `entrypoints=web-secure`. While chasing that I also hit a sharp **systemd-run gotcha**:
+`systemd-run … nixos-rebuild switch --flake .#cc-ci` runs with cwd `/`, so `.#` → `/` → "could not
+find a flake.nix"; the switch silently failed while a post-`--collect` `systemctl show` returned a
+stale `Result=success`. Fix: always use the **absolute** flake path `/root/cc-ci#cc-ci`, and read the
+result before resetting. (rebuild6/7 had silently not applied; rebuild2–5 used the absolute path.)
+
+**abra packaged** (modules/abra.nix): release binary 0.13.0-beta, pinned by sha256, autoPatchelf'd.
+`abra --version` → `0.13.0-beta-06a57de`.
+
+**scripts/deploy-proxy.sh** (idempotent, pure-bash — host has no python3): ensure local abra server,
+fetch traefik, write wildcard/no-ACME env (`WILDCARDS_ENABLED=1`, `SECRET_WILDCARD_*_VERSION=v1`,
+`COMPOSE_FILE=compose.yml:compose.wildcard.yml`, `LETS_ENCRYPT_ENV=` empty), insert cert secrets via
+`abra app secret insert … -f` from /var/lib/ci-certs/live, deploy. Bugs fixed en route: multi-line
+PEM must use `-f` (not arg); secret-presence must check `docker secret ls` (abra's recipe list always
+shows the name with `created on server:false`).
+
+**Traefik deploy:** `abra app deploy` → `deploy succeeded 🟢` (traefik v3.6.15 + socket-proxy).
+Verify: `docker service ls` → app+socket-proxy 1/1; via gateway `curl --resolve probe.*:443:
+143.244.213.108` → `CN=*.ci.commoninternet.net` (LE E8); **0 ACME log lines**.
+
+**M1 gate (recipe over HTTPS + teardown):**
+- `abra app new custom-html -s default -D cchtml1.ci.commoninternet.net -S -n` then set
+  `LETS_ENCRYPT_ENV=` and `abra app deploy -n -C` → `🟢` (nginx 1.29.0).
+- `curl -ks --resolve cchtml1.ci.commoninternet.net:443:143.244.213.108 https://…/` →
+  `http_code=200 size=615`, served the nginx welcome page over HTTPS with the wildcard cert.
+- Teardown: `abra app undeploy -n` → 🟢; `abra app volume remove -f -n` → "1 volumes removed";
+  leak check → services 0 / volumes 0 / secrets 0 / containers 0. **Clean.**
+- Correct teardown syntax confirmed: `secret remove <d> --all -n` (not `--all-secrets`).
+
+**docs/install.md** seeded (flake apply + deploy-proxy + verify). M1 gate CLAIMED in STATUS.md.
+
+**Next:** M2 — Drone server + exec runner via Nix, Gitea OAuth app, hello-world .drone.yml green.