cc-ci/docs/install.md
autonomic-bot 12f86fd3fb M1: proxy via real coop-cloud/traefik (abra, wildcard/no-ACME); recipe deploy+teardown; M1 CLAIMED
Orchestrator decision: deploy canonical coop-cloud traefik via abra instead of a
hand-rolled module. abra packaged in Nix (pinned). custom-html deployed over HTTPS
(200) via the gateway and torn down clean. docs/install.md seeded.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 22:21:12 +01:00


Installing cc-ci from scratch

WORK IN PROGRESS — grows with each milestone; the full from-scratch rebuild is verified at M9 (D8).

cc-ci is declared as a NixOS flake (this repo) plus a reproducible proxy-deploy step. Target: a NixOS 24.11 host reachable as cc-ci over SSH (root), with the operator preconditions in place.

Operator preconditions (class-A1, see DECISIONS.md / docs/baseline.md)

  • Wildcard TLS cert at /var/lib/ci-certs/live/{fullchain.pem,privkey.pem} with SANs for both *.ci.commoninternet.net and ci.commoninternet.net (a wildcard covers exactly one label, so the bare name needs its own SAN). Renewed out-of-band; never ACME here, so expiry is the operator's to watch.
  • DNS: *.ci.commoninternet.net (+ bare) → the gateway, which passes TLS through to cc-ci by SNI without terminating it, so the cert above is the one clients actually see.
  • Firewall path: gateway reaches cc-ci on tcp/80+443 (opened by modules/swarm.nix).

1. Apply the NixOS flake

The flake (flake.nix, hosts/cc-ci/, modules/) declares: base host, sops-nix (decrypts via the host SSH key), Docker + single-node Swarm + the proxy overlay (modules/swarm.nix), and abra (modules/abra.nix).

# materialise the repo on the host (the build runs on cc-ci itself — see DECISIONS.md deploy mech)
#   e.g. git clone <repo> /root/cc-ci   (or sync it)
nixos-rebuild switch --flake /root/cc-ci#cc-ci
# verify
systemctl is-system-running          # -> running
docker info --format '{{.Swarm.LocalNodeState}}'   # -> active
docker network ls | grep proxy       # -> proxy ... overlay swarm

Tip: when driving the switch over an SSH session that rides Tailscale, run it as a detached systemd unit so it survives a momentary drop (the switch can restart the very services the session depends on), and give the flake as an absolute path because transient units start with cwd /:

systemd-run --unit=ccci-sw --property=Type=oneshot nixos-rebuild switch --flake /root/cc-ci#cc-ci

Follow its output with journalctl on the ccci-sw unit rather than waiting on the SSH session.

2. Deploy the reverse proxy (coop-cloud traefik, wildcard/file-provider, no ACME)

bash /root/cc-ci/scripts/deploy-proxy.sh

This idempotently deploys the canonical Co-op Cloud traefik recipe via abra in wildcard mode: the pre-issued cert and key are loaded as the ssl_cert/ssl_key swarm secrets and served by traefik's file provider, and LETS_ENCRYPT_ENV is left empty so no ACME client ever runs (see DECISIONS.md "Proxy: real coop-cloud/traefik via abra"). Verify:

docker service ls | grep traefik     # app + socket-proxy, both 1/1
# wildcard cert served end-to-end via the gateway (--resolve pins the name to the
# gateway IP while still sending it as SNI; -k skips chain validation on purpose,
# since this probe checks which cert is served, not whether this host trusts its issuer):
curl -ksv --resolve probe.ci.commoninternet.net:443:<gateway-ip> https://probe.ci.commoninternet.net/ \
  2>&1 | grep -E 'subject:|HTTP/'    # -> CN=*.ci.commoninternet.net, HTTP 404 (no app router yet)
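The preconditions and the step 1/2 verifications above, gathered into one preflight script that fails loudly on each missing piece instead of leaving the operator to eyeball grep output. This is an added example, not a script from the cc-ci repo. It assumes the cert path and domain given on this page, an operator-supplied GATEWAY_IP (the page leaves the gateway address as a placeholder), and that openssl, docker and curl are present on cc-ci; the --run flag, the helper names and the 14-day expiry threshold are this example's own choices.

```shell
#!/bin/sh
# cc-ci preflight: operator preconditions (A1) plus the step 1/2 checks.
# Added example, not part of the cc-ci repo. Assumed: the cert path and domain
# from docs/install.md, an operator-supplied GATEWAY_IP, and openssl/docker/curl
# on the host. Run with:  GATEWAY_IP=<gateway-ip> sh preflight.sh --run
set -u

CERT_DIR=${CERT_DIR:-/var/lib/ci-certs/live}
DOMAIN=${DOMAIN:-ci.commoninternet.net}
GATEWAY_IP=${GATEWAY_IP:-}          # e.g. 203.0.113.10 (documentation range; assumed)

# san_covers_host SAN_TEXT HOST -> 0 when HOST is covered by the SANs.
# SAN_TEXT is what `openssl x509 -noout -ext subjectAltName` prints. A wildcard
# DNS SAN covers exactly one leftmost label (RFC 6125 s6.4.3): *.ci.example
# matches a.ci.example but not ci.example or a.b.ci.example, which is why the
# cert must carry the bare name as a second SAN.
san_covers_host() (
    set -f                          # subshell body: names contain '*', never glob them
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    names=$(printf '%s\n' "$1" | tr ',' '\n' \
            | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | tr 'A-Z' 'a-z')
    for n in $names; do
        case $n in
            '*.'*)
                suffix=${n#\*.}
                case $host in
                    *.$suffix)
                        label=${host%.$suffix}
                        case $label in
                            ''|*.*) ;;  # empty or multi-label: not covered
                            *) exit 0 ;;
                        esac ;;
                esac ;;
            *) [ "$n" = "$host" ] && exit 0 ;;
        esac
    done
    exit 1
)

# replicas_ok N/M -> 0 when a `docker service ls` REPLICAS value shows a
# converged service: running == desired and desired > 0.
replicas_ok() {
    running=${1%/*}; wanted=${1#*/}
    [ "$wanted" -gt 0 ] 2>/dev/null && [ "$running" -eq "$wanted" ] 2>/dev/null
}

# tls_probe_ok CURL_OUTPUT DOMAIN -> 0 when `curl -ksv` output shows the wildcard
# cert (subject CN=*.DOMAIN) and an HTTP status line, i.e. the gateway passed SNI
# through and traefik served the pre-issued cert. Accepts "CN=" and "CN = ".
tls_probe_ok() {
    norm=$(printf '%s\n' "$1" | sed 's/ *= */=/g')
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$norm" | grep -Eq "subject:.*CN=\*\.$dom([;,]|\$)" \
        && printf '%s\n' "$norm" | grep -q '^< HTTP/'
}

preflight() {
    fail=0
    # A1: cert files present, key matches cert, not about to expire, SANs right
    for f in fullchain.pem privkey.pem; do
        [ -r "$CERT_DIR/$f" ] || { echo "FAIL missing $CERT_DIR/$f"; fail=1; }
    done
    if [ "$fail" -eq 0 ]; then
        cpub=$(openssl x509 -in "$CERT_DIR/fullchain.pem" -noout -pubkey | openssl sha256)
        kpub=$(openssl pkey -in "$CERT_DIR/privkey.pem" -pubout | openssl sha256)
        [ "$cpub" = "$kpub" ] || { echo "FAIL privkey.pem does not match fullchain.pem"; fail=1; }
        # renewal is out-of-band, so nobody else will notice expiry: warn at 14 days
        openssl x509 -in "$CERT_DIR/fullchain.pem" -noout -checkend $((14 * 86400)) >/dev/null \
            || { echo "FAIL cert expires within 14 days; renew out of band"; fail=1; }
        san=$(openssl x509 -in "$CERT_DIR/fullchain.pem" -noout -ext subjectAltName)
        for h in "probe.$DOMAIN" "$DOMAIN"; do
            san_covers_host "$san" "$h" || { echo "FAIL cert SANs do not cover $h"; fail=1; }
        done
    fi
    # step 1: swarm active and the proxy overlay present
    [ "$(docker info --format '{{.Swarm.LocalNodeState}}')" = active ] \
        || { echo "FAIL swarm not active"; fail=1; }
    docker network ls --format '{{.Name}} {{.Driver}}' | grep -qx 'proxy overlay' \
        || { echo "FAIL proxy overlay network missing"; fail=1; }
    # step 2: traefik app + socket-proxy converged
    bad=$(docker service ls --filter name=traefik --format '{{.Name}} {{.Replicas}}' \
          | while read -r name rep; do replicas_ok "$rep" || echo "$name=$rep"; done)
    [ -z "$bad" ] || { echo "FAIL traefik services not converged: $bad"; fail=1; }
    # end to end through the gateway, using a name under the wildcard as SNI
    if [ -n "$GATEWAY_IP" ]; then
        out=$(curl -ksv --resolve "probe.$DOMAIN:443:$GATEWAY_IP" "https://probe.$DOMAIN/" 2>&1)
        tls_probe_ok "$out" "$DOMAIN" || { echo "FAIL gateway probe did not serve *.$DOMAIN"; fail=1; }
    else
        echo "SKIP GATEWAY_IP unset; end-to-end probe not run"
    fi
    [ "$fail" -eq 0 ] && echo "OK preflight passed"
    return "$fail"
}

case ${1:-} in
    --run) preflight ;;             # plain `sh preflight.sh` only defines the functions
esac
```

The key/cert agreement check compares SubjectPublicKeyInfo hashes, which works for RSA and EC keys alike, and the SAN check encodes the one-label wildcard rule so a cert that only carries *.ci.commoninternet.net is rejected for the bare name before traefik ever serves it. Once something downstream relies on the gateway's passthrough, add the first deployed app's hostname to the san_covers_host loop.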

3. (later milestones) Drone, comment-bridge, dashboard, recipe enrollment

See docs/enroll-recipe.md (D5), docs/secrets.md (D6), docs/runbook.md. Added as those land.