recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Packages Projects Releases Wiki Activity
124 Commits 19 Branches 1 Tag
d8aa7578d4e776f290cfcb5dcdc5a9781a76ea92
Commit Graph

5 Commits

Author SHA1 Message Date
autonomic-bot
9cc678853b 1c/W4: add sops.age.keyFile for bootstrap age key (recovery key on clones; host-derived on cc-ci)
All checks were successful
continuous-integration/drone/push Build is passing
Details 
cc-ci /var/lib/sops-nix/key.txt provisioned = host-derived age key (pub == &host recipient), so
adding keyFile is safe (sops-install-secrets aborts if a configured keyFile is missing).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-27 17:24:39 +01:00
autonomic-bot
f79e542149 1c/W2a: mount cc-ci-secrets as submodule at secrets/; cert+key now sops-decrypted to /var/lib/ci-certs/live
All checks were successful
continuous-integration/drone/push Build is passing
Details 
- secrets/ is now the private cc-ci-secrets repo (submodule). defaultSopsFile path unchanged.
- secrets.nix: add wildcard_cert/wildcard_key sops secrets -> path=/var/lib/ci-certs/live/*.
- proxy.nix: cert is sops-from-git, not an operator file drop (reframed; FATAL guard kept as decrypt-path check).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-27 16:32:10 +01:00
autonomic-bot
2d6a312d44 M3: bridge deployed + verified publicly reachable; webhook delivery blocked at Gitea (ALLOWED_HOST_LIST)
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Bridge healthz 200 over public DNS; HMAC verified. Gitea sends no deliveries
(suspect webhook host allowlist). Recorded in STATUS Blocked + operator options.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-26 23:46:43 +01:00
autonomic-bot
a385148af9 M2: Drone server + exec runner up; infra as idempotent-reconcile oneshots 
Convert proxy+drone bring-up to writeShellApplication systemd oneshots that
reconcile every activation (orchestrator steer). pkgs.abra overlay. Runner
connected via RPC (polling, capacity=2). install.md = clone + nixos-rebuild switch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-26 22:59:59 +01:00
autonomic-bot
deb4a0fbed M0 complete: sops-nix wiring + decrypt-a-test-secret; M0 gate CLAIMED 
Host decrypts /run/secrets/test_secret via its ssh host key (age identity);
off-box master recovery recipient. sops-nix pinned to a buildGoModule-era rev
for nixpkgs 24.11 compat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-26 21:41:45 +01:00