M0 complete: sops-nix wiring + decrypt-a-test-secret; M0 gate CLAIMED
Host decrypts /run/secrets/test_secret via its ssh host key (age identity); off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev for nixpkgs 24.11 compat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
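The wiring the commit message describes, as an added example and not the repo's own hosts/cc-ci files: a sops-nix NixOS module for cc-ci, with the matching repo-root .sops.yaml shown in comments. The file path, the split into its own module, and the two age recipient strings are assumptions (the recipients are placeholders; the real values come from the commands in the comments).

```nix
# hosts/cc-ci/sops.nix (added example; path and module split are assumed,
# not the repo's own layout)
#
# Repo-root .sops.yaml that pairs with this module. Both recipients can
# decrypt secrets/secrets.yaml; the host one is derived from the SSH host
# key, the master one is generated and kept off the box.
#
#   keys:
#     # ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub   (run on cc-ci)
#     - &cc_ci_host age1HOSTPLACEHOLDER...
#     # age-keygen -o master.txt   (run off-box; master.txt never copied to cc-ci)
#     - &master_recovery age1MASTERPLACEHOLDER...
#   creation_rules:
#     - path_regex: secrets/secrets\.yaml$
#       key_groups:
#         - age:
#             - *cc_ci_host
#             - *master_recovery
#
# Re-encrypt after editing recipients:  sops updatekeys secrets/secrets.yaml
{ config, ... }:
{
  # One encrypted YAML file in the repo holds every secret for this host.
  sops.defaultSopsFile = ../../secrets/secrets.yaml;

  # The ed25519 SSH host key doubles as the host's age identity: sops-nix
  # converts it at activation, so no separate age private key is provisioned.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Test secret: decrypted at activation to /run/secrets/test_secret,
  # readable by root only, which is what the backlog entry records.
  # Check on the host:  stat -c '%a %U:%G' /run/secrets/test_secret
  # expected:           400 root:root
  sops.secrets.test_secret = {
    mode = "0400";
    owner = "root";
    group = "root";
  };
}
```

The master recovery private key is the only thing that can decrypt the file if the host key is lost or rotated, so it must stay off the host; the host needs only its own SSH private key, which it already has.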
@ -8,9 +8,10 @@ Two single-writer sections (§6.1): Builder edits only `## Build backlog`; Adver
### M0 — Foundations
- [x] Author flake.nix (NixOS host cc-ci) + hosts/cc-ci/{configuration,hardware}.nix from baseline
- [x] Deploy mechanism decision + first rebuild from repo (DECISIONS.md) — switch --flake on host
- [ ] sops-nix wiring: host age key, secrets/secrets.yaml, decrypt a test secret on host
- [ ] Gate: M0 — `ssh cc-ci 'systemctl is-system-running'` healthy after rebuild from repo (base
rebuild verified healthy 2026-05-26; will CLAIM gate once sops test-secret also lands)
- [x] sops-nix wiring: host age key (from ssh host key) + master recovery key; secrets/secrets.yaml;
decrypt a test secret on host → /run/secrets/test_secret (0400 root) verified
- [x] Gate: M0 — `ssh cc-ci 'systemctl is-system-running'` healthy after rebuild from repo
→ CLAIMED 2026-05-26, awaiting Adversary (see STATUS.md)
### M1 — Swarm + abra target
- [ ] Docker + single-node swarm via Nix
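Review bot: the gate item is ticked as `- [x] Gate: M0` while its own continuation reads "CLAIMED 2026-05-26, awaiting Adversary", so the backlog no longer distinguishes a claimed gate from a verified one; leave the box unchecked (or mark it CLAIMED in the checkbox column) until the Adversary signs off, as the single-writer split in §6.1 implies. The sops-nix line records "host age key (from ssh host key) + master recovery key" but not where the recovery private key lives; the commit message says it is off-box, and that constraint (never present on cc-ci) belongs in the entry or DECISIONS.md. The pin of sops-nix to a buildGoModule-era rev for nixpkgs 24.11 compat is also only in the commit message and has no follow-up item here; add one so the pin is not forgotten when nixpkgs moves.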