1c/W2a: mount cc-ci-secrets as submodule at secrets/; cert+key now sops-decrypted to /var/lib/ci-certs/live

- secrets/ is now the private cc-ci-secrets repo (submodule). defaultSopsFile path unchanged.
- secrets.nix: add wildcard_cert/wildcard_key sops secrets -> path=/var/lib/ci-certs/live/*.
- proxy.nix: cert is sops-from-git, not an operator file drop (reframed; FATAL guard kept as decrypt-path check).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

modules/proxy.nix

@@ -1,6 +1,8 @@
 # Reverse proxy = the canonical Co-op Cloud `traefik` recipe, deployed via abra in
-# wildcard / file-provider mode (operator's pre-issued cert as ssl_cert/ssl_key swarm secrets,
+# wildcard / file-provider mode (wildcard cert as ssl_cert/ssl_key swarm secrets,
 # LETS_ENCRYPT_ENV empty => NO ACME, no DNS token). See DECISIONS.md "Proxy: real coop-cloud/traefik".
+# Phase-1c: the cert at CERT_DIR is sops-decrypted from git (cc-ci-secrets) at activation
+# (modules/secrets.nix wildcard_cert/wildcard_key), NOT an out-of-band operator file drop.
 #
 # Declared as an idempotent-RECONCILE systemd oneshot (like swarm-init): it inspects current
 # state and converges every activation/boot, self-healing drift (redeploys if the stack is gone,
@@ -16,9 +18,11 @@ let
       CERT_DIR="/var/lib/ci-certs/live"
       ENV_FILE="$HOME/.abra/servers/default/$PROXY_DOMAIN.env"
 
-      # Fail visibly (failed unit) if the operator cert is missing — do NOT silently skip.
+      # Fail visibly (failed unit) if the cert is missing — do NOT silently skip. It is
+      # sops-decrypted from git (cc-ci-secrets) at activation; a miss here means the sops decrypt
+      # path is broken (e.g. age identity not present), which must surface, not be papered over.
       if [ ! -r "$CERT_DIR/fullchain.pem" ] || [ ! -r "$CERT_DIR/privkey.pem" ]; then
-        echo "FATAL: wildcard cert missing at $CERT_DIR (operator precondition)" >&2
+        echo "FATAL: wildcard cert missing at $CERT_DIR (sops decrypt from cc-ci-secrets failed?)" >&2
         exit 1
       fi
 

modules/secrets.nix

@@ -1,7 +1,8 @@
 # sops-nix wiring (D6 infra secrets). cc-ci decrypts secrets at activation using its own
 # ed25519 SSH host key as the age identity (no separate key file to manage on the box).
-# Encrypted material lives in ../secrets/*.yaml, committed and readable only by recipients
-# listed in /.sops.yaml (host key + off-box master recovery key).
+# Encrypted material lives in ../secrets/secrets.yaml — Phase-1c moved this into the private
+# `cc-ci-secrets` repo, mounted here as a git SUBMODULE at ../secrets/ (so the path is unchanged).
+# Readable only by the recipients in secrets/.sops.yaml (host key + off-box master recovery key).
 { config, ... }:
 {
   sops = {
@@ -27,6 +28,18 @@
     secrets.bridge_drone_token = { };
     secrets.bridge_gitea_token = { };
 
+    # Phase-1c C2: the wildcard TLS cert+key are now sops secrets (in cc-ci-secrets), decrypted at
+    # activation to /var/lib/ci-certs/live/{fullchain.pem,privkey.pem} — the exact path the traefik
+    # reconcile (modules/proxy.nix) already reads. Replaces the prior operator-drops-a-cert-file step.
+    secrets.wildcard_cert = {
+      path = "/var/lib/ci-certs/live/fullchain.pem";
+      mode = "0444"; # leaf+intermediate chain — not secret
+    };
+    secrets.wildcard_key = {
+      path = "/var/lib/ci-certs/live/privkey.pem";
+      mode = "0400"; # private key — root only
+    };
+
     # EnvironmentFile for the host exec runner: DRONE_RPC_SECRET rendered from the sops secret.
     templates."drone-runner.env".content = ''
       DRONE_RPC_SECRET=${config.sops.placeholder.drone_rpc_secret}