M0: flake + base NixOS config, rebuilt from repo on cc-ci

Pins nixpkgs to the rev cc-ci already ran (no-op-then-base); deploy via
switch --flake on-host. System healthy (gen 3) post-switch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-26 21:25:48 +01:00
parent c21cce51b9
commit 9bffb55b28
9 changed files with 186 additions and 17 deletions

View File

@ -12,10 +12,17 @@ Architecture decisions and dead-ends. One line of rationale each. (§0, §8)
## Open (defaults from §8, to confirm as reality lands)
- **Deploy mechanism:** TBD in M0. Leaning `nixos-rebuild switch --flake` run *on cc-ci itself*
(repo cloned on host) rather than `--target-host`/deploy-rs from the sandbox, to avoid copying
large Nix closures over the userspace-tailscaled SOCKS proxy. Atomic-rollback is preserved by
Nix generations. Will record final choice + rationale when M0 lands.
- **Deploy mechanism — SETTLED (M0):** `nixos-rebuild switch --flake /root/cc-ci#cc-ci` run *on
cc-ci itself*, with the repo materialised on the host at `/root/cc-ci`. Chosen over
`--target-host`/deploy-rs to avoid pushing large closures over the userspace-tailscaled SOCKS
proxy (slow/fragile). Atomic rollback preserved by Nix generations (`nixos-rebuild --rollback`).
The switch is launched as a **detached transient systemd unit** (`systemd-run --unit=ccci-rebuild
--collect`) so it survives a momentary ssh-over-tailscale drop during activation. For the build
loop the host copy is synced from the sandbox clone via `tar | ssh` (rsync absent on host);
source of truth stays the git repo. D8/install.md will document the from-scratch path (clone repo
on a fresh host, then `nixos-rebuild switch --flake .#cc-ci`).
- **nixpkgs pin:** flake pins the exact rev cc-ci already ran (`50ab793…`) so the first rebuild
is a true no-op-then-base. Bump deliberately, never drift.
- **Webhook scope:** default per-repo via enroll script.
- **Drone runner type:** default exec (must drive host abra).
- **Secret tool:** default sops-nix.
@ -25,9 +32,11 @@ Architecture decisions and dead-ends. One line of rationale each. (§0, §8)
## Risks
- **Disk:** cc-ci has only ~3.8 GiB free on an 8.9 GiB root. Multiple recipe images + volumes may
exhaust it during M6.5 breadth. Mitigation: aggressive teardown + image prune; if insufficient,
request operator grow the VM disk (Incus, recreatable per the incus skill). Not yet blocking.
- **Disk — RESOLVED 2026-05-26.** Original 8.9 GiB root had only ~3.8 GiB free *and* a hard
**inode** ceiling (586k total, ~6k free) — the flake's nixpkgs fetch (~50k files) hit ENOSPC on
inodes before bytes. Operator grew the VM to **28 GiB** (22 GiB free, 1.78M inodes / 1.21M free);
the ext4 fs auto-resized (new block groups carry proportional inodes). Keep aggressive teardown +
periodic `docker image prune` to avoid regressing during M6.5 breadth.
## Dead-ends
- (none yet)