M1: proxy via real coop-cloud/traefik (abra, wildcard/no-ACME); recipe deploy+teardown; M1 CLAIMED

Orchestrator decision: deploy canonical coop-cloud traefik via abra instead of a hand-rolled module. abra packaged in Nix (pinned). custom-html deployed over HTTPS (200) via the gateway and torn down clean. docs/install.md seeded. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 22:21:12 +01:00
parent c006083967
commit 12f86fd3fb
10 changed files with 224 additions and 106 deletions
--- a/modules/swarm.nix
+++ b/modules/swarm.nix
@ -15,6 +15,10 @@

  environment.systemPackages = [ pkgs.docker ];

+  # Gateway forwards 80/443 to cc-ci over the public interface (enp5s0); the coop-cloud
+  # traefik stack (deployed via abra, see docs/install.md) publishes these ports.
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
  # Bring up a single-node swarm + the shared `proxy` overlay network. Idempotent:
  # safe to re-run every boot/rebuild. advertise-addr 127.0.0.1 is fine for a lone node.
  systemd.services.swarm-init = {