diff --git a/JOURNAL-1c.md b/JOURNAL-1c.md index c700684..b40a7fd 100644 --- a/JOURNAL-1c.md +++ b/JOURNAL-1c.md 
@@ -204,3 +204,26 @@ throwaway DOMAIN (keep DOMAIN=ci.commoninternet.net so the cert matches): `ci2.commoninternet.net` + `*.ci2` → 100.126.124.86 for *plain* reachability only (not needed for TLS). - DNS/gateway/cert are documented external INSTANCE preconditions; C4 proves the VM rebuilds from git + the single bootstrap age key. Don't skip/fake the TLS check. + +## 2026-05-27 — W4 Step A DONE + Step B launched (throwaway rebuild in flight) + +**Step A (cc-ci → final keyFile config):** provisioned cc-ci `/var/lib/sops-nix/key.txt` = host-derived +age key (pub == `age1h90utd…` == &host recipient, verified via age-keygen -y). Added +`sops.age.keyFile` to secrets.nix (9cc6788), synced, `nixos-rebuild build`→`izsmiajw…` (only +manifest+system rebuilt), switched (unit ccci-w4a-switch success). Verified: system running 0 failed, +**byte-identical build==running==`izsmiajw…` (ZERO DRIFT)**, cert still sha256 `c1d96d61…`. So cc-ci +activates cleanly with keyFile. NOTE: toplevel evolved `vh6vwxbl` (W2) → **`izsmiajw`** (final, +keyFile); +the published repo now builds to izsmiajw==running — this is the form the Adversary re-verifies for C4/DONE. + +**Step B (throwaway live rebuild — IN FLIGHT):** +- Provisioned throwaway `/var/lib/sops-nix/key.txt` = **recovery key** (via stdin; pub == `age1cmk26…` + == &master recipient, verified) — the ONE out-of-band secret. +- `git clone --recursive` base (bot creds via http.extraHeader, the "given the repos" provisioning) → + /root/cc-ci, submodule `secrets`→2312f1c, secrets.yaml ENC. Confirmed clone has `age.keyFile` line. +- Launched `nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'` as detached unit + `ccci-rebuild` (survives the tailscale re-up when cc-ci config activates). Monitoring via incus-agent + `exec` (vsock — survives network restart). Expect 10-30 min (builds sops-install-secrets/abra/etc). 
+ +C4/W5 standard (Adversary dd710a6 == orchestrator guidance): keep DOMAIN=ci.commoninternet.net, verify +TLS locally on the VM via `curl --resolve …:443:127.0.0.1` (SNI ci.commoninternet.net), served leaf +fingerprint must == git cert leaf `57:8D:67:9E:…:B8:A6`; oneshots converge; only age key out-of-band.
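Review bot: the Step B bullet "`git clone --recursive` base (bot creds via http.extraHeader, …)" sits uneasily beside the claim in the same entry that the recovery age key is "the ONE out-of-band secret": a bot credential passed through `http.extraHeader` is a second secret present on the throwaway VM, and unless it was supplied per invocation (`git -c http.extraHeader=...`) it persists in `/root/cc-ci/.git/config` (and in each submodule's config if the recursive clone inherited it) and survives into the rebuilt system. The entry should record how the header was supplied and whether it was scrubbed after the clone and submodule fetch, or the "only age key out-of-band" clause in the C4/W5 standard should be qualified. Separately, every value the Adversary is asked to re-verify is written down truncated (`izsmiajw…`, `c1d96d61…`, `57:8D:67:9E:…:B8:A6`); point to where the full store path and fingerprints are kept so the C4/DONE check compares complete strings rather than prefixes.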