1c/W4 DONE: genuine throwaway-VM live rebuild (single switch, 0 failed, byte-identical, TLS leaf==git cert); Gate W4 CLAIMED + install.md updated
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -266,3 +266,27 @@ This is the LAST planned config change before W4 completes (config stable ld19aj
|
||||
live → traefik swarm secret → served leaf. The rebuilt host serves the git-sourced cert.
|
||||
|
||||
Next: recreate throwaway FRESH with fixed config to prove SINGLE nixos-rebuild switch converges (0 failed).
|
||||
|
||||
## 2026-05-27 — W4 DONE: genuine throwaway-VM live rebuild, SINGLE switch converges (Gate W4 CLAIMED)
|
||||
|
||||
**Authoritative C4 proof on a FRESH blank VM** (destroyed the pre-fix VM, recreated clean; cloud-init
|
||||
used the LIVE TS_AUTH_KEY so it auto-joined the tailnet — no manual tailscale step):
|
||||
- Provisioned ONLY `/var/lib/sops-nix/key.txt` = recovery age key (pub == `age1cmk26…` == &master) —
|
||||
the single out-of-band secret. `git clone --recursive` base+secrets (submodule 2312f1c, secrets ENC).
|
||||
- **One** `nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'` (detached
|
||||
--no-block) → `ccci-rebuild` Result=**success** (~15 min, 2.8 G peak < 4 GB).
|
||||
- **`systemctl is-system-running` → running, 0 failed units** (the serialization fix works: single
|
||||
switch converges, no manual re-runs). Toplevel **`ld19aj2…` == cc-ci** (byte-identical).
|
||||
- **All 6 stacks 1/1**: traefik app+socket-proxy, drone, ccci-bridge, ccci-dashboard, backups.
|
||||
- **All secrets decrypted via the recovery key**; wildcard cert sops-decrypted from git →
|
||||
`/var/lib/ci-certs/live/fullchain.pem` (symlink→/run/secrets, sha256 `c1d96d61…`).
|
||||
- **TLS from git cert (local, per C4 standard):** `curl --resolve probe.ci.commoninternet.net:443:
|
||||
127.0.0.1` → http=404 (no route, expected) **ssl_verify=0**; served leaf sha256 fingerprint
|
||||
**== git-cert leaf == `57:8D:67:9E:FE:89:…:B8:A6`** (Adversary reference). Full chain of custody.
|
||||
|
||||
So: blank NixOS host + the two git repos + the one bootstrap age key + external DNS/gateway → one
|
||||
`nixos-rebuild switch` → working cc-ci. No undocumented manual step. This closes D8 honestly (static
|
||||
byte-identical closure + live throwaway rebuild). install.md updated to this validated procedure.
|
||||
|
||||
Destroying the throwaway now (frees RAM for the Adversary's independent W5 cold rebuild; C6 no-leftover).
|
||||
Gate W4 CLAIMED — awaiting Adversary cold W5 (their own fresh VM).
|
||||
|
||||
Reference in New Issue
Block a user