recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1c/W2a: mount cc-ci-secrets as submodule at secrets/; cert+key now sops-decrypted to /var/lib/ci-certs/live
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source 
- secrets/ is now the private cc-ci-secrets repo (submodule). defaultSopsFile path unchanged.
- secrets.nix: add wildcard_cert/wildcard_key sops secrets -> path=/var/lib/ci-certs/live/*.
- proxy.nix: cert is sops-from-git, not an operator file drop (reframed; FATAL guard kept as decrypt-path check).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-27 16:31:34 +01:00
parent c36052021c
commit f79e542149
5 changed files with 26 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored Normal file
View File

@ -0,0 +1,3 @@
[submodule "secrets"]
path = secrets
url = https://git.autonomic.zone/recipe-maintainers/cc-ci-secrets.git

10
modules/proxy.nix
View File

@ -1,6 +1,8 @@
# Reverse proxy = the canonical Co-op Cloud `traefik` recipe, deployed via abra in # Reverse proxy = the canonical Co-op Cloud `traefik` recipe, deployed via abra in
# wildcard / file-provider mode (operator's pre-issued cert as ssl_cert/ssl_key swarm secrets, # wildcard / file-provider mode (wildcard cert as ssl_cert/ssl_key swarm secrets,
# LETS_ENCRYPT_ENV empty => NO ACME, no DNS token). See DECISIONS.md "Proxy: real coop-cloud/traefik". # LETS_ENCRYPT_ENV empty => NO ACME, no DNS token). See DECISIONS.md "Proxy: real coop-cloud/traefik".
# Phase-1c: the cert at CERT_DIR is sops-decrypted from git (cc-ci-secrets) at activation
# (modules/secrets.nix wildcard_cert/wildcard_key), NOT an out-of-band operator file drop.
# #
# Declared as an idempotent-RECONCILE systemd oneshot (like swarm-init): it inspects current # Declared as an idempotent-RECONCILE systemd oneshot (like swarm-init): it inspects current
# state and converges every activation/boot, self-healing drift (redeploys if the stack is gone, # state and converges every activation/boot, self-healing drift (redeploys if the stack is gone,
@ -16,9 +18,11 @@ let
CERT_DIR="/var/lib/ci-certs/live" CERT_DIR="/var/lib/ci-certs/live"
ENV_FILE="$HOME/.abra/servers/default/$PROXY_DOMAIN.env" ENV_FILE="$HOME/.abra/servers/default/$PROXY_DOMAIN.env"
# Fail visibly (failed unit) if the operator cert is missing do NOT silently skip. # Fail visibly (failed unit) if the cert is missing do NOT silently skip. It is
# sops-decrypted from git (cc-ci-secrets) at activation; a miss here means the sops decrypt
# path is broken (e.g. age identity not present), which must surface, not be papered over.
if [ ! -r "$CERT_DIR/fullchain.pem" ] || [ ! -r "$CERT_DIR/privkey.pem" ]; then if [ ! -r "$CERT_DIR/fullchain.pem" ] || [ ! -r "$CERT_DIR/privkey.pem" ]; then
echo "FATAL: wildcard cert missing at $CERT_DIR (operator precondition)" >&2 echo "FATAL: wildcard cert missing at $CERT_DIR (sops decrypt from cc-ci-secrets failed?)" >&2
exit 1 exit 1
fi fi

17
modules/secrets.nix
View File

@ -1,7 +1,8 @@
# sops-nix wiring (D6 infra secrets). cc-ci decrypts secrets at activation using its own # sops-nix wiring (D6 infra secrets). cc-ci decrypts secrets at activation using its own
# ed25519 SSH host key as the age identity (no separate key file to manage on the box). # ed25519 SSH host key as the age identity (no separate key file to manage on the box).
# Encrypted material lives in ../secrets/*.yaml, committed and readable only by recipients # Encrypted material lives in ../secrets/secrets.yaml — Phase-1c moved this into the private
# listed in /.sops.yaml (host key + off-box master recovery key). # `cc-ci-secrets` repo, mounted here as a git SUBMODULE at ../secrets/ (so the path is unchanged).
# Readable only by the recipients in secrets/.sops.yaml (host key + off-box master recovery key).
{ config, ... }: { config, ... }:
{ {
sops = { sops = {
@ -27,6 +28,18 @@
secrets.bridge_drone_token = { }; secrets.bridge_drone_token = { };
secrets.bridge_gitea_token = { }; secrets.bridge_gitea_token = { };
# Phase-1c C2: the wildcard TLS cert+key are now sops secrets (in cc-ci-secrets), decrypted at
# activation to /var/lib/ci-certs/live/{fullchain.pem,privkey.pem} — the exact path the traefik
# reconcile (modules/proxy.nix) already reads. Replaces the prior operator-drops-a-cert-file step.
secrets.wildcard_cert = {
path = "/var/lib/ci-certs/live/fullchain.pem";
mode = "0444"; # leaf+intermediate chain — not secret
};
secrets.wildcard_key = {
path = "/var/lib/ci-certs/live/privkey.pem";
mode = "0400"; # private key — root only
};
# EnvironmentFile for the host exec runner: DRONE_RPC_SECRET rendered from the sops secret. # EnvironmentFile for the host exec runner: DRONE_RPC_SECRET rendered from the sops secret.
templates."drone-runner.env".content = '' templates."drone-runner.env".content = ''
DRONE_RPC_SECRET=${config.sops.placeholder.drone_rpc_secret} DRONE_RPC_SECRET=${config.sops.placeholder.drone_rpc_secret}

1
secrets Submodule

Submodule secrets added at 2312f1cc67

35
secrets/secrets.yaml
View File

@ -1,35 +0,0 @@
test_secret: ENC[AES256_GCM,data:VOxNiRyeSQQPKeF2PUK9AtezhzX+Hdm9ji5ZYm+gNd2NJ+wwXc67En8=,iv:Bn1oQeBN98E2/To1KRAw3wsLUF0/HsQFBm8s28L5aqo=,tag:KPS5Y+25Elf3alSF2H6npw==,type:str]
drone_rpc_secret: ENC[AES256_GCM,data:pE+6nTpFaclRAQDBQZfki5WiMTOC6NkhBMcAkEfma9QjfOyBx9BbfyCyAB3a0ICo8NZj6kMHyw78GbrowU6RAg==,iv:3YgoLsXEQh6bOVMyVpSGopZFTP/Kxi20QdajNX9heVI=,tag:SNhRwTVzkygxZ10bN1yHlQ==,type:str]
drone_gitea_client_secret: ENC[AES256_GCM,data:kBYptCmAdFmAuZNa1moK3o5faYrKFDr5KEjDHzfZOKyrz47awRX9LwNejyWlej1ybE8rvv075Yc=,iv:fESd6OYoHKjoZS4YBajon0dibt0BuHD2f/WqjbljmiY=,tag:f7skoA5fizTXjYGI3u6Uig==,type:str]
bridge_drone_token: ENC[AES256_GCM,data:5n7x6S9a/OIoq2AyPX4iKNDmoQsk+WT8za2/4qVhZFQ=,iv:r0fAs1cAj/YEOq6AGPsjJnsApYM8bMimdJ6e5zzKIw0=,tag:YMyt5FNR9yd0Mj/i+FmmFQ==,type:str]
bridge_gitea_token: ENC[AES256_GCM,data:zyGrnq36o2RfIBEGsCGFpOg/wJucNDviEUdaJjJkOXJkAdV0+CYZhw==,iv:y5G+cBu/Aaghn1ORcFT0wkj5ZJZ3UjzREmiES/dPosE=,tag:5KKANpOgf3+0rvspNCjYrg==,type:str]
bridge_webhook_hmac: ENC[AES256_GCM,data:0qD6BtZSoQx6pKUf8sz2Zcp656TKrzjNvb5zBtoGnLalg4lX7Nm715xtoaqdgAnXOEeJ5e8LfDgLIhwtxYHJxQ==,iv:hvXNzF1dXviGZae0hMhqn/pBwbv/LosHPl/BL6V3ZvU=,tag:B8V4HKqs/+gigQfTmBBCkw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h90utdztfc23kx8ewrtrtk80mnddvrf8pg4ppej55rwwwupzhfvqhmp3qa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRzN4Q0Eramhkdk8xbmNn
NGRwclpaT3YvR24yemJxQjF1N001cVI3MXdjCk9wUE5QTE1UNmxTa1BWalk1V1hS
M1o2elpOVHNGcWdyWVI1RHdUZi96M0UKLS0tIGpaRDNNa1ZuRWkybitPTlM5ajVK
VjNldWh1Q3lTc2lCNlE4aGNmaVNOT1kKMhsp/z5LbEyAezDHTodL2vS3L/wlNOc0
xiDLBYX1AJSiT8DOBvSMSZFj+ygsNL8GBYABjC0Ioar1PIK/KI00oA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cmk26t9e30ls8594s8txgmf2exenydmntfxqpcd3qdqm3ru2lpnqpdkdz9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTk9uQ3JSeEFidEF6U2FU
Mjk1bVYvNTdYaDJjL0g1ZGlZdXkyR3VUREJrClV5S283elRFbXZkUXNiQkoyYWwr
ZUkxV1UyRE1xcW5DSTNVbEk1dXEyWmcKLS0tIFo5SUdhaVVqYUpZUGQxVGQvR2s0
a2RKRWVaTGhNb0d3TFlnL2NtejZOaEUK2dQaAzlYk4Z7aBej77cO4Ug9Afkka6wg
G1SumwxX0wMocpgz4WhDUPkBC66uWlaR3u1AWzwpzRseuwAZ94gAxA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-26T22:15:49Z"
mac: ENC[AES256_GCM,data:ulV/ounh9Qt6+ZEK5R6eqLi++VwLjGajgpCdl9q3CjNvNinXL19TMIrmezellsVt9njsVqgsKbYkwTAhYN0t7MHcS2ObNe6Gw0EeZBsABTu8fHuyopW4wxFC3I6O4TaEJm4ALOxuqCUFtZoRs5Cnrez4MhzVzZjFoqlVtYj3FCE=,iv:Y6TJTUaeU2rRKP9gd9vByqM2TfX0eZw15Gbz40RzY7M=,tag:f9e8LPbCymrYeL0kDCKzvA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4