M1: Docker + single-node swarm via Nix (swarm-init + proxy overlay)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
JOURNAL.md (+23)
@ -97,3 +97,26 @@ with M1 (independent infra build), without advancing to M2 until M0 shows PASS.
**Next:** M1 — Docker + single-node swarm via Nix (modules/swarm.nix), then Traefik (file provider
→ /var/lib/ci-certs/live/) + abra, then a by-hand HTTPS deploy/teardown of a trivial recipe.
## 2026-05-26 — M1: Docker + single-node swarm via Nix
**modules/swarm.nix:** `virtualisation.docker.enable` + daily autoprune (--all --volumes until=24h
to protect the 28 GiB root), `docker` in systemPackages, and a `swarm-init` oneshot
(`docker swarm init --advertise-addr 127.0.0.1` if not active; `docker network create --driver
overlay --attachable proxy` if absent). Imported into configuration.nix.
**Build + switch:** `nixos-rebuild build --flake .#cc-ci` → EXIT 0; `systemd-run … switch` →
`Result=success`.
**Verify (commands + output):**
- `systemctl show swarm-init -p Result` → `Result=success`
- `docker info --format ...` → `Swarm=active Managers=1 Nodes=1`
- `docker network ls --filter name=proxy` → `proxy overlay swarm`
- `systemctl is-system-running` → `running`; `--failed` → none.
**Next:** Traefik as a swarm stack (Nix-declared compose + `docker stack deploy` oneshot): docker
swarm provider + file provider serving /var/lib/ci-certs/live/{fullchain,privkey}.pem on :443,
attached to `proxy`. Then abra install + by-hand HTTPS deploy/teardown of a trivial recipe (M1 gate).
Rationale for swarm-service Traefik over a host `services.traefik`: a host process isn't on the
`proxy` overlay, so it can't reach swarm service VIPs; coop-cloud recipes assume an on-`proxy`
Traefik watching swarm labels.
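Review bot: the Verify block checks `swarm-init`, `docker info`, `docker network ls` and `is-system-running`/`--failed`, but not the daily autoprune added in the same module, and its flags (`--all --volumes until=24h`) are the one part of this commit that deletes data. A daily timer will not have fired by the time `--failed` was checked, so a broken prune invocation would not show up in that list; suggest adding one verify line that triggers the prune unit once and records its `Result=`, and in doing so confirming that the daemon accepts `until=24h` together with `--volumes` rather than rejecting the filter. Worth a sentence in the journal as well: `--volumes` prunes any volume not attached to a container, so after the by-hand teardown planned for the M1 gate, a redeploy of the same recipe the next day starts from empty volumes; if that is the intended behaviour for this host, say so here.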