recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

M1: proxy via real coop-cloud/traefik (abra, wildcard/no-ACME); recipe deploy+teardown; M1 CLAIMED

Browse Source 
Orchestrator decision: deploy canonical coop-cloud traefik via abra instead of a
hand-rolled module. abra packaged in Nix (pinned). custom-html deployed over HTTPS
(200) via the gateway and torn down clean. docs/install.md seeded.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-26 22:21:12 +01:00
parent c006083967
commit 12f86fd3fb
10 changed files with 224 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
docs/install.md Normal file
View File

@ -0,0 +1,54 @@
# Installing cc-ci from scratch
> WORK IN PROGRESS — grows with each milestone; the full from-scratch rebuild is verified at M9 (D8).
cc-ci is declared as a NixOS flake (this repo) plus a reproducible proxy-deploy step. Target:
a NixOS 24.11 host reachable as `cc-ci` over SSH (root), with the operator preconditions in place.
## Operator preconditions (class-A1, see DECISIONS.md / docs/baseline.md)
- Wildcard TLS cert at `/var/lib/ci-certs/live/{fullchain.pem,privkey.pem}`
(`*.ci.commoninternet.net` + `ci.commoninternet.net`). **Renewed out-of-band; never ACME here.**
- DNS: `*.ci.commoninternet.net` (+ bare) → the **gateway**, which TLS-passthroughs (SNI) to cc-ci.
- Firewall path: gateway reaches cc-ci on tcp/80+443 (opened by `modules/swarm.nix`).
## 1. Apply the NixOS flake
The flake (`flake.nix`, `hosts/cc-ci/`, `modules/`) declares: base host, sops-nix (decrypts via the
host SSH key), Docker + single-node Swarm + the `proxy` overlay (`modules/swarm.nix`), and abra
(`modules/abra.nix`).
```sh
# materialise the repo on the host (the build runs on cc-ci itself — see DECISIONS.md deploy mech)
# e.g. git clone <repo> /root/cc-ci (or sync it)
nixos-rebuild switch --flake /root/cc-ci#cc-ci
# verify
systemctl is-system-running # -> running
docker info --format '{{.Swarm.LocalNodeState}}' # -> active
docker network ls | grep proxy # -> proxy ... overlay swarm
```
> Tip: when driving the switch over an SSH session that rides Tailscale, run it as a detached unit so
> it survives a momentary drop, and **use the absolute flake path** (systemd units run with cwd `/`):
> `systemd-run --unit=ccci-sw --property=Type=oneshot nixos-rebuild switch --flake /root/cc-ci#cc-ci`
## 2. Deploy the reverse proxy (coop-cloud traefik, wildcard/file-provider, no ACME)
```sh
bash /root/cc-ci/scripts/deploy-proxy.sh
```
This idempotently deploys the canonical Co-op Cloud `traefik` recipe via abra in wildcard mode,
serving the pre-issued cert as the `ssl_cert`/`ssl_key` swarm secrets, with `LETS_ENCRYPT_ENV` empty
so no ACME ever runs (see DECISIONS.md "Proxy: real coop-cloud/traefik via abra"). Verify:
```sh
docker service ls | grep traefik # app + socket-proxy, 1/1
# wildcard cert served end-to-end via the gateway:
curl -ksv --resolve probe.ci.commoninternet.net:443:<gateway-ip> https://probe.ci.commoninternet.net/ \
2>&1 | grep -E 'subject:|HTTP/' # -> CN=*.ci.commoninternet.net, HTTP 404 (no app router yet)
```
## 3. (later milestones) Drone, comment-bridge, dashboard, recipe enrollment
See `docs/enroll-recipe.md` (D5), `docs/secrets.md` (D6), `docs/runbook.md`. Added as those land.