recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1c/W4: Step A done (cc-ci on keyFile config, izsmiajw byte-identical); Step B throwaway rebuild in flight

Browse Source 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-27 17:36:27 +01:00
parent dd710a6f56
commit 24fe11a98e
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
JOURNAL-1c.md
View File

@ -204,3 +204,26 @@ throwaway DOMAIN (keep DOMAIN=ci.commoninternet.net so the cert matches):
`ci2.commoninternet.net` + `*.ci2` → 100.126.124.86 for *plain* reachability only (not needed for TLS).
- DNS/gateway/cert are documented external INSTANCE preconditions; C4 proves the VM rebuilds from git
+ the single bootstrap age key. Don't skip/fake the TLS check.
## 2026-05-27 — W4 Step A DONE + Step B launched (throwaway rebuild in flight)
**Step A (cc-ci → final keyFile config):** provisioned cc-ci `/var/lib/sops-nix/key.txt` = host-derived
age key (pub == `age1h90utd…` == &host recipient, verified via age-keygen -y). Added
`sops.age.keyFile` to secrets.nix (9cc6788), synced, `nixos-rebuild build`→`izsmiajw…` (only
manifest+system rebuilt), switched (unit ccci-w4a-switch success). Verified: system running 0 failed,
**byte-identical build==running==`izsmiajw…` (ZERO DRIFT)**, cert still sha256 `c1d96d61…`. So cc-ci
activates cleanly with keyFile. NOTE: toplevel evolved `vh6vwxbl` (W2) → **`izsmiajw`** (final, +keyFile);
the published repo now builds to izsmiajw==running — this is the form the Adversary re-verifies for C4/DONE.
**Step B (throwaway live rebuild — IN FLIGHT):**
- Provisioned throwaway `/var/lib/sops-nix/key.txt` = **recovery key** (via stdin; pub == `age1cmk26…`
== &master recipient, verified) — the ONE out-of-band secret.
- `git clone --recursive` base (bot creds via http.extraHeader, the "given the repos" provisioning) →
/root/cc-ci, submodule `secrets`→2312f1c, secrets.yaml ENC. Confirmed clone has `age.keyFile` line.
- Launched `nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'` as detached unit
`ccci-rebuild` (survives the tailscale re-up when cc-ci config activates). Monitoring via incus-agent
`exec` (vsock — survives network restart). Expect 10-30 min (builds sops-install-secrets/abra/etc).
C4/W5 standard (Adversary dd710a6 == orchestrator guidance): keep DOMAIN=ci.commoninternet.net, verify
TLS locally on the VM via `curl --resolve …:443:127.0.0.1` (SNI ci.commoninternet.net), served leaf
fingerprint must == git cert leaf `57:8D:67:9E:…:B8:A6`; oneshots converge; only age key out-of-band.