recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1c/W2a: mount cc-ci-secrets as submodule at secrets/; cert+key now sops-decrypted to /var/lib/ci-certs/live
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source 
- secrets/ is now the private cc-ci-secrets repo (submodule). defaultSopsFile path unchanged.
- secrets.nix: add wildcard_cert/wildcard_key sops secrets -> path=/var/lib/ci-certs/live/*.
- proxy.nix: cert is sops-from-git, not an operator file drop (reframed; FATAL guard kept as decrypt-path check).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-27 16:31:34 +01:00
parent c36052021c
commit f79e542149
5 changed files with 26 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
modules/secrets.nix
View File

@ -1,7 +1,8 @@
# sops-nix wiring (D6 infra secrets). cc-ci decrypts secrets at activation using its own
# ed25519 SSH host key as the age identity (no separate key file to manage on the box).
# Encrypted material lives in ../secrets/*.yaml, committed and readable only by recipients
# listed in /.sops.yaml (host key + off-box master recovery key).
# Encrypted material lives in ../secrets/secrets.yaml — Phase-1c moved this into the private
# `cc-ci-secrets` repo, mounted here as a git SUBMODULE at ../secrets/ (so the path is unchanged).
# Readable only by the recipients in secrets/.sops.yaml (host key + off-box master recovery key).
{ config, ... }:
{
sops = {
@ -27,6 +28,18 @@
secrets.bridge_drone_token = { };
secrets.bridge_gitea_token = { };
# Phase-1c C2: the wildcard TLS cert+key are now sops secrets (in cc-ci-secrets), decrypted at
# activation to /var/lib/ci-certs/live/{fullchain.pem,privkey.pem} — the exact path the traefik
# reconcile (modules/proxy.nix) already reads. Replaces the prior operator-drops-a-cert-file step.
secrets.wildcard_cert = {
path = "/var/lib/ci-certs/live/fullchain.pem";
mode = "0444"; # leaf+intermediate chain — not secret
};
secrets.wildcard_key = {
path = "/var/lib/ci-certs/live/privkey.pem";
mode = "0400"; # private key — root only
};
# EnvironmentFile for the host exec runner: DRONE_RPC_SECRET rendered from the sops secret.
templates."drone-runner.env".content = ''
DRONE_RPC_SECRET=${config.sops.placeholder.drone_rpc_secret}