1c/W3 DONE: throwaway reachable (100.126.124.86); keyFile-missing-aborts finding -> W4 design locked
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -17,8 +17,8 @@ Method W1–W6 from the phase plan §5. Each milestone ends with an Adversary ga
|
||||
- [x] **Gate W2 CLAIMED** → Adversary verifies byte-identical + TLS-from-git-cert.
|
||||
- [x] **W1 — Headroom.** Resized `cc-nix-test` 6→4 GB (stop→PATCH→start via Incus API); healthy at 4 GB,
|
||||
0 failed units, all stacks 1/1, cert survived reboot via sops, TLS 200. Running RAM 8 GB.
|
||||
- [ ] **W3 — Throwaway VM.** Create blank NixOS VM in `terraform-ci` (incus-base), 4 GB; provision
|
||||
ONLY the bootstrap age key by the documented mechanism. Accept: VM reachable.
|
||||
- [x] **W3 — Throwaway VM.** `ccci-throwaway` (incus-base, 4 GB/20 GB) reachable at 100.126.124.86
|
||||
(used live TS_AUTH_KEY; workspace key stale). Bootstrap age key provisioned in W4.
|
||||
- [ ] **W4 — Reproducible live rebuild.** On throwaway VM: clone base+secrets, `nixos-rebuild switch`,
|
||||
watch oneshots converge, secrets+cert decrypt. Accept: fully up, no step outside docs/install.md;
|
||||
capture evidence. **Gate W4 CLAIMED.**
|
||||
|
||||
@ -167,3 +167,25 @@ NOTE: cc-nix-test was terraform-created (`projects/cc-nix-test`); my W1 API resi
|
||||
3. **Bridge side effect:** throwaway's bridge would poll Gitea with the real token (fresh state ⇒ could
|
||||
re-trigger already-`!testme`'d PRs). Mitigate: run W4 when no `!testme` is pending; destroy promptly.
|
||||
- Adding keyFile changes the closure again (W2 byte-identical was at `vh6vwxbl`); re-verify after.
|
||||
|
||||
## 2026-05-27 — W3 DONE (VM reachable) + keyFile finding
|
||||
|
||||
**W3 reachable:** throwaway base boot initially failed tailscale auth — the incus-workspace
|
||||
`.test.env` key is **stale** ("invalid key: API key does not exist"). Fixed by writing the **current
|
||||
`TS_AUTH_KEY` from /srv/cc-ci/.testenv** (same tailnet `taila4a0bf.ts.net`) to /etc/ts-auth-key and
|
||||
`tailscale up`. VM now at **100.126.124.86**; `ssh -i vm_ssh_key` via the 1055 proxy works → NixOS
|
||||
24.11 (rev 50ab793, == cc-ci), nix 2.24 flakes, 4 GB / 20 GB (13 G free). *(install.md/Adversary note:
|
||||
provision the live TS key, not the stale workspace one.)*
|
||||
|
||||
**keyFile finding (decisive):** read sops-install-secrets main.go (sops-nix 77c423a, store
|
||||
`hm2xjph…-source/pkgs/sops-install-secrets/main.go`): when `age.keyFile` is set, line ~1349
|
||||
`os.ReadFile(AgeKeyFile)` and **returns a fatal error if the file is missing** → activation fails.
|
||||
⇒ Adding `keyFile` to cc-ci's config FORCES the file to exist on cc-ci. Also: `sshKeyPaths` reads
|
||||
`/etc/ssh/ssh_host_ed25519_key` (exists on any host; non-recipient keys are simply unused), so keeping
|
||||
both is safe on both hosts.
|
||||
|
||||
**W4 design (locked):** secrets.nix gets `sops.age.keyFile = "/var/lib/sops-nix/key.txt"` (keep
|
||||
sshKeyPaths). Provision that file = the host's bootstrap age key: on **cc-ci** = its host-derived age
|
||||
key (ssh-to-age of the host SSH key — no new secret exposure); on the **throwaway** = the **recovery
|
||||
key** (/srv/cc-ci/.sops/master-age.txt). cc-ci must get the file BEFORE the keyFile config deploys.
|
||||
Adding keyFile changes the closure (supersedes W2 `vh6vwxbl`) → re-verify byte-identical after.
|
||||
|
||||
Reference in New Issue
Block a user