M0 complete: sops-nix wiring + decrypt-a-test-secret; M0 gate CLAIMED

Host decrypts /run/secrets/test_secret via its ssh host key (age identity); off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev for nixpkgs 24.11 compat. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 21:41:45 +01:00
parent 9bffb55b28
commit deb4a0fbed
12 changed files with 154 additions and 11 deletions
--- a/DECISIONS.md
+++ b/DECISIONS.md
@ -25,7 +25,12 @@ Architecture decisions and dead-ends. One line of rationale each. (§0, §8)
    is a true no-op-then-base. Bump deliberately, never drift.
 - **Webhook scope:** default per-repo via enroll script.
 - **Drone runner type:** default exec (must drive host abra).
- **Secret tool:** default sops-nix.
+- **Secret tool — SETTLED (M0):** sops-nix. cc-ci decrypts at activation using its **ed25519 SSH
+  host key** as the age identity (`sops.age.sshKeyPaths`), so no extra key file to manage on the box.
+  Recipients in `/.sops.yaml`: the host age key (`age1h90ut…`, from ssh-to-age) + an off-box
+  **master recovery key** (`age1cmk26t…`; private half only at `/srv/cc-ci/.sops/master-age.txt` on
+  the build host, never in the repo) for re-keying if cc-ci is lost. Encrypt new secrets by writing
+  plaintext into `secrets/<f>.yaml` then `sops -e -i` (run inside the repo so `.sops.yaml` is found).
 - **D10 recipe set:** lock six early. Candidates favouring already-mirrored: custom-html (simple),
  cryptpad (stateful no-DB), keycloak (SSO/DB), matrix-synapse (DB+media), lasuite-docs (multi+S3),
  bluesky-pds (TLS-passthrough) — covers all five categories. Confirm during M4–M6.5.