chore: bootstrap cc-ci loop state

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/baseline.md

@@ -0,0 +1,48 @@
+# Baseline — cc-ci starting environment (rollback reference)
+
+Captured at bootstrap, 2026-05-26, before any Builder changes. This is the state to roll back to.
+
+## Host
+
+- Hostname: `nixos` (Tailscale node `cc-nix-test`, tailnet IP **100.90.116.4**, tailnet
+  `taila4a0bf.ts.net`).
+- OS: **NixOS 24.11** `24.11.719113.50ab793786d9 (Vicuna)`.
+- Virtualisation: **Incus VM** (imports `virtualisation/incus-virtual-machine.nix`), incus agent on.
+- Resources: **2 vCPU, 3.5 GiB RAM, 8.9 GiB root disk (4.7 GiB used / 3.8 GiB free)**.
+- Access: SSH as **root** (PermitRootLogin yes), reached from sandbox via userspace-tailscaled
+  SOCKS proxy `127.0.0.1:1055` → `ssh cc-ci`.
+
+## Installed / present
+
+- Config: **channel-based**, no flake. `/etc/nixos/`:
+  - `configuration.nix` — incus VM module, cloud-init, tailscale (auth-key file), openssh,
+    base pkgs (curl git jq openssh), firewall (trust tailscale0, allow tcp/22), DHCP,
+    nameservers 1.1.1.1/8.8.8.8, `nix.settings.experimental-features = [nix-command flakes]`,
+    `system.stateVersion = "24.11"`.
+  - `incus-base.nix` — tailscale auth-key + hostname from `/etc/ts-hostname`.
+  - `setup.sh` — original provisioning script (channel add + `nixos-rebuild boot` + sysrq reboot).
+- **No** docker, **no** swarm, **no** abra installed.
+- Tailscale up and authenticated (state persists; reconnects without key).
+
+## Provided infra inputs (operator-owned, do not improvise — §4.4 class A1)
+
+- Wildcard TLS cert at **`/var/lib/ci-certs/live/{fullchain.pem,privkey.pem}`**
+  (`*.ci.commoninternet.net` + `ci.commoninternet.net`, LE 90-day, next renewal ~2026-08-24).
+  Agent serves it via Traefik file provider; **never** runs ACME for this domain.
+- DNS: wildcard `*.ci.commoninternet.net` (+ bare `ci.commoninternet.net`) → **gateway**
+  `143.244.213.108` (Gandi-hosted public zone). Gateway TLS-passthroughs the whole wildcard to
+  cc-ci by SNI; TLS terminates on cc-ci's Traefik. Per-run subdomains need no DNS/gateway/cert work.
+- Gitea bot `autonomic-bot` (id 64), admin on private org `recipe-maintainers`.
+- Tailscale auth key (reusable) — in `/srv/cc-ci/.testenv`.
+
+## Recipes already mirrored to recipe-maintainers (at bootstrap)
+
+`bluesky-pds`, `cryptpad`, `custom-html`, `custom-html-tiny`, `keycloak`, `lasuite-docs`,
+`lasuite-meet`, `matrix-synapse`, `n8n`. Others (hedgedoc, authentik, immich, lasuite-drive) are
+pulled from upstream git.coopcloud.tech and mirrored via the recipe mirror+PR flow (§4.1) as needed.
+
+## Rollback
+
+The original config is preserved above and in the host's Nix generations
+(`nixos-rebuild --rollback` / boot menu). To fully revert, restore `/etc/nixos/*` to the channel
+config above and `nixos-rebuild switch`.