From f972bc1dc4e4c8ad17ce5271013e51e7a674d2dd Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 16:16:58 +0100 Subject: [PATCH] 1c/W2: cc-ci-secrets repo created + populated (cert+infra in sops, verified) Co-Authored-By: Claude Opus 4.7 (1M context) --- JOURNAL-1c.md | 28 ++++++++++++++++++++++++++++ STATUS-1c.md | 13 +++++++++---- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/JOURNAL-1c.md b/JOURNAL-1c.md index 11993c1..ff3880d 100644 --- a/JOURNAL-1c.md +++ b/JOURNAL-1c.md 
@@ -36,3 +36,31 @@ bootstrap key for throwaway = **recovery age key via `sops.age.keyFile`**. **Next (W2):** create private `recipe-maintainers/cc-ci-secrets`; move secrets + wildcard cert into sops there as a submodule of the base; wire secrets.nix (cert→`/var/lib/ci-certs/live` via `path=`); prove byte-identical build + clean switch with TLS from the git cert. Then claim Gate W2. + +## 2026-05-27 — W2 step 1: cc-ci-secrets repo created + populated (DONE) + +**Did:** +- Created private `recipe-maintainers/cc-ci-secrets` via Gitea API (bot, org admin). HTTP 201, private=True. +- Confirmed cc-ci host SSH key → age identity == `&host` recipient `age1h90utd…`: + `ssh cc-ci 'nix shell nixpkgs#ssh-to-age --command ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub'` + → exact match. So I can decrypt/re-encrypt on cc-ci with the host key (master stays sandbox-only). +- Built `secrets.yaml` on cc-ci (script with file redirections, no key material in argv): + `sops -d` existing 6 secrets → append `wildcard_cert`/`wildcard_key` as YAML block scalars from + `/var/lib/ci-certs/live/{fullchain.pem,privkey.pem}` → `sops -e`. Verified round-trip: + - recipients: 2 (host+master) + - keys: test_secret, drone_rpc_secret, drone_gitea_client_secret, bridge_drone_token, + bridge_gitea_token, bridge_webhook_hmac, wildcard_cert, wildcard_key + - cert sha256 file==decrypt `c1d96d61…`; key sha256 file==decrypt `9ec25d00…`; test_secret decrypts OK +- Retrieved ciphertext (7219 B) to sandbox; created cc-ci-secrets repo (root `secrets.yaml`, own + `.sops.yaml` w/ `path_regex: secrets\.yaml$`, README). Pushed to main (auth via per-command + http.extraHeader; verified `.git/config` has NO creds). Remote lists .sops.yaml/README.md/secrets.yaml. +- Cleaned `/root/cc-ci-secrets.yaml` + build script off cc-ci. 
+ +**Layout decision:** cc-ci-secrets has `secrets.yaml` at ROOT → submodule mounts at base `secrets/` +→ base sees `secrets/secrets.yaml`, so `defaultSopsFile = ../secrets/secrets.yaml` is UNCHANGED. + +**Next (W2 step 2):** in base repo — replace tracked `secrets/` with the submodule; add +`wildcard_cert`/`wildcard_key` sops secrets in secrets.nix (path= → /var/lib/ci-certs/live, + recovery +keyFile); adjust proxy.nix framing; switch cc-ci to new config via +`nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'`; prove byte-identical + +TLS-from-git-cert; then claim Gate W2. (Riskier — touches live server config; fresh iteration.) diff --git a/STATUS-1c.md b/STATUS-1c.md index 8336a36..1cb7d04 100644 --- a/STATUS-1c.md +++ b/STATUS-1c.md 
@@ -9,10 +9,15 @@ The repo's STATUS.md / BACKLOG.md / REVIEW.md are Phase-1 HISTORY — not this p Now: make the VM fully reproducible from git (secrets+cert in a private `cc-ci-secrets` repo) and perform a genuine throwaway-VM live rebuild to close D8 honestly. -## In flight -- **W2 (next):** create private `cc-ci-secrets` repo; move all secrets + the wildcard cert into sops - there; wire the base flake to consume it. (W1 resize deferred until just before W3 — its only - purpose is RAM headroom for the throwaway VM, and it briefly stops the live server.) +## In flight — W2 (secrets repo + cert into git) +- [x] **W2 step 1 DONE:** private `recipe-maintainers/cc-ci-secrets` created + populated (6 infra + secrets + wildcard cert/key, sops, both recipients; cert/key sha256 verified byte-perfect) + pushed. + Layout: root `secrets.yaml` → submodule mounts at base `secrets/`. +- [ ] **W2 step 2 (next):** base repo — replace tracked `secrets/` with the submodule; add + `wildcard_cert`/`wildcard_key` in secrets.nix (`path=` → /var/lib/ci-certs/live + recovery keyFile); + adjust proxy.nix; switch cc-ci via `--flake 'git+file:///root/cc-ci?submodules=1#cc-ci'`; prove + byte-identical + TLS-from-git-cert; then claim **Gate W2**. +- (W1 resize deferred until just before W3 — it briefly stops the live server; only needed for VM headroom.) ## Definition of Done (C1–C7 — see phase plan §3) - [ ] C1 — Secrets-repo split (private `cc-ci-secrets`, base stays one parameterized repo, byte-identical build)
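Review bot: in the JOURNAL-1c.md hunk, the push step breaks the "no key material in argv" discipline applied two bullets earlier: if the per-command `http.extraHeader` was supplied with `git -c`, the Gitea token sits in the git process's argv (visible in `ps` and in shell history) even though `.git/config` stays clean. Suggest the entry record the exact mechanism used, and, if it was `-c`, treat the token as exposed and move to a credential helper or `GIT_ASKPASS` before step 2, when cc-ci itself has to fetch the private submodule. The cleanup bullet should also say where the plaintext intermediate lived: `sops -d` output was assembled into a new file before `sops -e`, so if that file or `/root/cc-ci-secrets.yaml` sat on cc-ci's disk rather than tmpfs, "cleaned off" means unlinked, not erased, and the journal should state which.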
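Review bot: in the STATUS-1c.md hunk, step 2 gives the switch command (`--flake 'git+file:///root/cc-ci?submodules=1#cc-ci'`) but not how cc-ci will fetch the private submodule: the clone at /root/cc-ci will need a credential for `recipe-maintainers/cc-ci-secrets` (deploy key or token), and which one and where it is stored on the host is missing from the plan. Suggest adding that as an explicit sub-step ahead of the switch, together with the rollback path (the previous NixOS generation), since the item itself flags the step as touching live server config. Minor: "prove byte-identical" should name what is compared (the built system closure before and after the submodule swap) so the checkbox is verifiable rather than asserted.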