1c/W2: cc-ci-secrets repo created + populated (cert+infra in sops, verified)
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -36,3 +36,31 @@ bootstrap key for throwaway = **recovery age key via `sops.age.keyFile`**.
|
||||
**Next (W2):** create private `recipe-maintainers/cc-ci-secrets`; move secrets + wildcard cert into
|
||||
sops there as a submodule of the base; wire secrets.nix (cert→`/var/lib/ci-certs/live` via `path=`);
|
||||
prove byte-identical build + clean switch with TLS from the git cert. Then claim Gate W2.
|
||||
|
||||
## 2026-05-27 — W2 step 1: cc-ci-secrets repo created + populated (DONE)
|
||||
|
||||
**Did:**
|
||||
- Created private `recipe-maintainers/cc-ci-secrets` via Gitea API (bot, org admin). HTTP 201, private=True.
|
||||
- Confirmed cc-ci host SSH key → age identity == `&host` recipient `age1h90utd…`:
|
||||
`ssh cc-ci 'nix shell nixpkgs#ssh-to-age --command ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub'`
|
||||
→ exact match. So I can decrypt/re-encrypt on cc-ci with the host key (master stays sandbox-only).
|
||||
- Built `secrets.yaml` on cc-ci (script with file redirections, no key material in argv):
|
||||
`sops -d` existing 6 secrets → append `wildcard_cert`/`wildcard_key` as YAML block scalars from
|
||||
`/var/lib/ci-certs/live/{fullchain.pem,privkey.pem}` → `sops -e`. Verified round-trip:
|
||||
- recipients: 2 (host+master)
|
||||
- keys: test_secret, drone_rpc_secret, drone_gitea_client_secret, bridge_drone_token,
|
||||
bridge_gitea_token, bridge_webhook_hmac, wildcard_cert, wildcard_key
|
||||
- cert sha256 file==decrypt `c1d96d61…`; key sha256 file==decrypt `9ec25d00…`; test_secret decrypts OK
|
||||
- Retrieved ciphertext (7219 B) to sandbox; created cc-ci-secrets repo (root `secrets.yaml`, own
|
||||
`.sops.yaml` w/ `path_regex: secrets\.yaml$`, README). Pushed to main (auth via per-command
|
||||
http.extraHeader; verified `.git/config` has NO creds). Remote lists .sops.yaml/README.md/secrets.yaml.
|
||||
- Cleaned `/root/cc-ci-secrets.yaml` + build script off cc-ci.
|
||||
|
||||
**Layout decision:** cc-ci-secrets has `secrets.yaml` at ROOT → submodule mounts at base `secrets/`
|
||||
→ base sees `secrets/secrets.yaml`, so `defaultSopsFile = ../secrets/secrets.yaml` is UNCHANGED.
|
||||
|
||||
**Next (W2 step 2):** in base repo — replace tracked `secrets/` with the submodule; add
|
||||
`wildcard_cert`/`wildcard_key` sops secrets in secrets.nix (path= → /var/lib/ci-certs/live, + recovery
|
||||
keyFile); adjust proxy.nix framing; switch cc-ci to new config via
|
||||
`nixos-rebuild switch --flake 'git+file:///root/cc-ci?submodules=1#cc-ci'`; prove byte-identical +
|
||||
TLS-from-git-cert; then claim Gate W2. (Riskier — touches live server config; fresh iteration.)
|
||||
|
||||
Reference in New Issue
Block a user