# Baseline — cc-ci starting environment (rollback reference)

Captured at bootstrap, 2026-05-26, before any Builder changes. This is the state to roll back to.

## Host

- Hostname: `nixos` (Tailscale node `cc-nix-test`, tailnet IP **100.90.116.4**, tailnet `taila4a0bf.ts.net`).
- OS: **NixOS 24.11** `24.11.719113.50ab793786d9 (Vicuna)`.
- Virtualisation: **Incus VM** (imports `virtualisation/incus-virtual-machine.nix`), incus agent on.
- Resources: **2 vCPU, 3.5 GiB RAM, 8.9 GiB root disk (4.7 GiB used / 3.8 GiB free)**.
- Access: SSH as **root** (PermitRootLogin yes), reached from sandbox via userspace-tailscaled SOCKS proxy `127.0.0.1:1055` → `ssh cc-ci`.

## Installed / present

- Config: **channel-based**, no flake. `/etc/nixos/`:
  - `configuration.nix` — incus VM module, cloud-init, tailscale (auth-key file), openssh, base pkgs (curl git jq openssh), firewall (trust tailscale0, allow tcp/22), DHCP, nameservers 1.1.1.1/8.8.8.8, `nix.settings.experimental-features = [nix-command flakes]`, `system.stateVersion = "24.11"`.
  - `incus-base.nix` — tailscale auth-key + hostname from `/etc/ts-hostname`.
  - `setup.sh` — original provisioning script (channel add + `nixos-rebuild boot` + sysrq reboot).
- **No** docker, **no** swarm, **no** abra installed.
- Tailscale up and authenticated (state persists; reconnects without key).

## Provided infra inputs (operator-owned, do not improvise — §4.4 class A1)

- Wildcard TLS cert at **`/var/lib/ci-certs/live/{fullchain.pem,privkey.pem}`** (`*.ci.commoninternet.net` + `ci.commoninternet.net`, LE 90-day, next renewal ~2026-08-24). Agent serves it via Traefik file provider; **never** runs ACME for this domain.
- DNS: wildcard `*.ci.commoninternet.net` (+ bare `ci.commoninternet.net`) → **gateway** `143.244.213.108` (Gandi-hosted public zone). Gateway TLS-passthroughs the whole wildcard to cc-ci by SNI; TLS terminates on cc-ci's Traefik. Per-run subdomains need no DNS/gateway/cert work.
- Gitea bot `autonomic-bot` (id 64), admin on private org `recipe-maintainers`.
- Tailscale auth key (reusable) — in `/srv/cc-ci/.testenv`.

## Recipes already mirrored to recipe-maintainers (at bootstrap)

`bluesky-pds`, `cryptpad`, `custom-html`, `custom-html-tiny`, `keycloak`, `lasuite-docs`, `lasuite-meet`, `matrix-synapse`, `n8n`.

Others (hedgedoc, authentik, immich, lasuite-drive) are pulled from upstream git.coopcloud.tech and mirrored via the recipe mirror+PR flow (§4.1) as needed.

## Rollback

The original config is preserved above and in the host's Nix generations (`nixos-rebuild --rollback` / boot menu). To fully revert, restore `/etc/nixos/*` to the channel config above and `nixos-rebuild switch`.