From 689913b1401a3a62d7ba663b3c41a10d2ba73038 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 06:42:37 +0100 Subject: [PATCH] =?UTF-8?q?DECISIONS:=20D10=20#6=20bluesky-pds=20(TLS-pass?= =?UTF-8?q?through)=20swapped=20to=20n8n=20=E2=80=94=20caddy=20self-ACME?= =?UTF-8?q?=20conflicts=20with=20no-ACME=20design?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.7 (1M context) --- DECISIONS.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/DECISIONS.md b/DECISIONS.md index 8df9f76..6dec56a 100644 --- a/DECISIONS.md +++ b/DECISIONS.md 
@@ -90,6 +90,21 @@ Architecture decisions and dead-ends. One line of rationale each. (§0, §8) - Optional `concurrency: {limit: 1}` in the recipe-CI `.drone.yml` is a redundant belt — primary mechanism is `DRONE_RUNNER_CAPACITY`. (Wired when the recipe-CI pipeline lands — see backlog.) +- **D10 recipe #6: bluesky-pds (TLS-passthrough) SWAPPED → n8n — SETTLED (2026-05-27, plan §4.0 + sanctions this swap-with-reason).** bluesky-pds routes via a Traefik **TCP router with + `tls.passthrough=true`** to an in-container **caddy** that terminates TLS itself and obtains its own + cert via **ACME**. cc-ci's design is the opposite: the operator gateway passes wildcard TLS through + to cc-ci's Traefik, which **terminates** it with the pre-issued static wildcard cert, and **ACME is + hard-forbidden** for commoninternet.net (no DNS token on the box — §4.0/§9). Serving bluesky-pds + would require either (a) ACME inside caddy (forbidden), or (b) injecting the wildcard cert into + caddy + a per-host TCP-passthrough router on cc-ci Traefik (recipe-internal surgery + a bespoke + proxy mode — not a clean shared-harness absorb). This is a genuine design conflict, not a harness + gap. Per the plan's explicit allowance, **bluesky-pds is a documented non-CI'd recipe** (reason + here), and **n8n** takes the 6th slot. The 5 required D10 categories are already covered by recipes + 1–5 (simple=custom-html, single-DB+SSO=keycloak, stateful/no-DB=cryptpad, DB+media/large-volume= + matrix-synapse, multi-service+S3/object-storage=lasuite-docs); n8n adds a 6th real deployable app + (workflow automation) behind the normal terminate-at-Traefik path. + ## Open (defaults from §8, to confirm as reality lands) - **Deploy mechanism — SETTLED (M0):** `nixos-rebuild switch --flake /root/cc-ci#cc-ci` run *on
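Review bot: the D10 #6 entry rejects option (b) ("injecting the wildcard cert into caddy + a per-host TCP-passthrough router") purely on cleanliness grounds, but the stronger reason belongs in the record: terminating TLS inside the bluesky-pds caddy with the pre-issued static wildcard cert means copying the commoninternet.net wildcard private key into a second, recipe-controlled container, widening that key's exposure beyond cc-ci's Traefik, which the rest of the design keeps as the single terminating point. One clause to that effect would stop a later reader from reopening (b) as a mere convenience trade-off. Separately, the file header states "One line of rationale each" while this entry runs well over a dozen lines; consider collapsing it to the decision plus one sentence of why, pointing at plan §4.0 for the full reasoning, or amend the header rule so the file stays honest about its own convention.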