recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1c/C7: docs — secrets.md + architecture.md updated to the 1c model (cc-ci-secrets submodule, cert-in-git, bootstrap age key, Drone-token injection, verified D8)

Browse Source 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-27 19:52:03 +01:00
parent bb09f00a18
commit b700cd2fda
2 changed files with 55 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
docs/architecture.md
View File

@ -11,14 +11,18 @@ reports the result back. Everything on the `cc-ci` host is declared in this repo
| **Drone server** | `modules/drone.nix` — coop-cloud `drone` recipe via abra (`drone.ci.commoninternet.net`, Gitea SSO) | CI engine. Holds the `recipe-ci` (custom-event) and `self-test` (push) pipelines (`.drone.yml`). |
| **Drone exec runner** | `modules/drone-runner.nix` — host systemd service | Runs pipeline steps **on the host** so they can drive `abra`/Docker. `DRONE_RUNNER_CAPACITY=1` (MAX_TESTS) caps concurrent builds; the rest queue natively. |
| **harness** | `runner/run_recipe_ci.py` + `runner/harness/` + `tests/` | Orchestrates per run: fetch recipe at the PR head → install → upgrade → backup/restore → recipe-local (D4) → guaranteed teardown. pytest + Playwright via the Nix `cc-ci-run` env. |
| **swarm + traefik** | `modules/swarm.nix`, `modules/proxy.nix` — coop-cloud `traefik` recipe via abra | Single-node Docker Swarm + `proxy` overlay; traefik terminates TLS with the pre-issued wildcard cert (file provider, **no ACME**). The real deploy target for recipes-under-test. |
| **swarm + traefik** | `modules/swarm.nix`, `modules/proxy.nix` — coop-cloud `traefik` recipe via abra | Single-node Docker Swarm + `proxy` overlay; traefik terminates TLS with the wildcard cert (**sops-decrypted from git** to `/var/lib/ci-certs/live`, file provider, **no ACME**). The real deploy target for recipes-under-test. |
| **backup-bot-two** | `modules/backupbot.nix` | restic-based volume/DB backups; `abra app backup/restore` drive it. |
| **dashboard** | `dashboard/dashboard.py`, `modules/dashboard.nix` (`ci.commoninternet.net`) | YunoHost-CI-like overview: latest run per recipe + status badges + run links; `/badge/<recipe>.svg`. |
| **secrets** | `modules/secrets.nix` + `secrets/secrets.yaml` (sops-nix) | Infra secrets, decrypted at activation via the host SSH key as the age identity. See `secrets.md`. |
| **secrets** | `modules/secrets.nix` + `secrets/` = **`cc-ci-secrets` submodule** (sops-nix) | ALL secrets incl. the **wildcard cert** are sops-encrypted in the private `cc-ci-secrets` repo (a submodule); decrypted at activation via the bootstrap age key (`sops.age.keyFile` + host SSH key). The base repo holds no secrets. See `secrets.md`. |
All swarm infra (traefik, drone, bridge, dashboard, backupbot) is brought up by **idempotent-reconcile
systemd oneshots** that converge on every activation/boot (no run-once sentinels) — so a from-scratch
install is `git clone` + `nixos-rebuild switch` + the operator preconditions (`install.md`).
systemd oneshots** that converge on every activation/boot (no run-once sentinels), **serialized**
(proxy→drone→bridge→dashboard→backupbot) so a single switch converges on a blank host — so a
from-scratch install is `git clone --recursive` + provision the one bootstrap age key +
`nixos-rebuild switch` + the external DNS/gateway (`install.md`). **Phase-1c verified this on a real
throwaway VM (D8): blank host + the two repos + the age key → a fully-converged cc-ci that serves a
real `!testme` run end-to-end over the public domain.**
## The `!testme` flow
@ -37,8 +41,9 @@ PR comment "!testme"
## Network & TLS (see install.md §domain)
`*.ci.commoninternet.net` (and bare `ci.commoninternet.net`) resolve to an operator **gateway** that
**TLS-passthroughs** by SNI to cc-ci. cc-ci's traefik terminates TLS with the **pre-issued wildcard
cert** at `/var/lib/ci-certs/live/` (no ACME, no DNS token on the box). Each run gets a unique short
**TLS-passthroughs** by SNI to cc-ci. cc-ci's traefik terminates TLS with the **wildcard cert
sops-decrypted from git** (`cc-ci-secrets`) to `/var/lib/ci-certs/live/` (no ACME, no DNS token on the
box; operator re-issues + re-commits to rotate). Each run gets a unique short
subdomain `<recipe[:4]>-<6hex>.ci.commoninternet.net` (covered by the wildcard) so concurrent/serial
runs never collide; it's torn down at run end.