cc-ci/docs/baseline.md
autonomic-bot c21cce51b9 chore: bootstrap cc-ci loop state
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 21:07:31 +01:00


# Baseline — cc-ci starting environment (rollback reference)
Captured at bootstrap, 2026-05-26, before any Builder changes. This is the state to roll back to.
## Host
- Hostname: `nixos` (Tailscale node `cc-nix-test`, tailnet IP **100.90.116.4**, tailnet
`taila4a0bf.ts.net`).
- OS: **NixOS 24.11** `24.11.719113.50ab793786d9 (Vicuna)`.
- Virtualisation: **Incus VM** (imports `virtualisation/incus-virtual-machine.nix`), incus agent on.
- Resources: **2 vCPU, 3.5 GiB RAM, 8.9 GiB root disk (4.7 GiB used / 3.8 GiB free)**.
- Access: SSH as **root** (PermitRootLogin yes), reached from sandbox via userspace-tailscaled
  SOCKS proxy `127.0.0.1:1055` (`ssh cc-ci`).
## Installed / present
- Config: **channel-based**, no flake. `/etc/nixos/`:
  - `configuration.nix` — incus VM module, cloud-init, tailscale (auth-key file), openssh,
    base pkgs (curl git jq openssh), firewall (trust tailscale0, allow tcp/22), DHCP,
    nameservers 1.1.1.1/8.8.8.8, `nix.settings.experimental-features = [nix-command flakes]`,
    `system.stateVersion = "24.11"`.
  - `incus-base.nix` — tailscale auth-key + hostname from `/etc/ts-hostname`.
  - `setup.sh` — original provisioning script (channel add + `nixos-rebuild boot` + sysrq reboot).
- **No** docker, **no** swarm, **no** abra installed.
- Tailscale up and authenticated (state persists; reconnects without key).
## Provided infra inputs (operator-owned, do not improvise — §4.4 class A1)
- Wildcard TLS cert at **`/var/lib/ci-certs/live/{fullchain.pem,privkey.pem}`**
(`*.ci.commoninternet.net` + `ci.commoninternet.net`, LE 90-day, next renewal ~2026-08-24).
Agent serves it via Traefik file provider; **never** runs ACME for this domain.
- DNS: wildcard `*.ci.commoninternet.net` (+ bare `ci.commoninternet.net`) → **gateway**
`143.244.213.108` (Gandi-hosted public zone). Gateway TLS-passthroughs the whole wildcard to
cc-ci by SNI; TLS terminates on cc-ci's Traefik. Per-run subdomains need no DNS/gateway/cert work.
- Gitea bot `autonomic-bot` (id 64), admin on private org `recipe-maintainers`.
- Tailscale auth key (reusable) — in `/srv/cc-ci/.testenv`.
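The "serve the operator cert via the file provider, never ACME" rule above, as an added illustration (not the project's own Traefik config): static config with no `certificatesResolvers` at all, and dynamic config that loads the wildcard cert from `/var/lib/ci-certs/live/`. The `/etc/traefik/` paths, the `run-example` router name, its subdomain and the backend URL are assumed placeholders.

```yaml
# --- /etc/traefik/traefik.yml (static config, assumed path) ---
# No certificatesResolvers section: Traefik has nothing it could use to
# request certs for ci.commoninternet.net, so ACME cannot be triggered by
# a mis-set `tls.certResolver` on some router.
entryPoints:
  websecure:
    address: ":443"
providers:
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

# --- /etc/traefik/dynamic.yml (dynamic config, assumed path) ---
tls:
  # Operator-provided LE cert (*.ci.commoninternet.net + bare name).
  # privkey.pem should be readable only by the Traefik service user.
  certificates:
    - certFile: /var/lib/ci-certs/live/fullchain.pem
      keyFile: /var/lib/ci-certs/live/privkey.pem
  stores:
    default:
      # Serve the same cert to clients that send no SNI, instead of
      # Traefik's self-signed fallback.
      defaultCertificate:
        certFile: /var/lib/ci-certs/live/fullchain.pem
        keyFile: /var/lib/ci-certs/live/privkey.pem

http:
  routers:
    run-example:                      # one router per CI run (placeholder)
      rule: "Host(`run-example.ci.commoninternet.net`)"
      entryPoints: [websecure]
      service: run-example
      tls: {}                         # TLS on, no certResolver => file-provider cert by SNI
  services:
    run-example:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"   # placeholder backend for the run
```

Because the gateway passes the whole wildcard through by SNI, a new per-run subdomain only needs a new router block here; the cert files are reread when the renewal writes new ones (`watch: true` applies to the config file, so a Traefik reload after renewal is still the safe assumption).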
## Recipes already mirrored to recipe-maintainers (at bootstrap)
`bluesky-pds`, `cryptpad`, `custom-html`, `custom-html-tiny`, `keycloak`, `lasuite-docs`,
`lasuite-meet`, `matrix-synapse`, `n8n`. Others (hedgedoc, authentik, immich, lasuite-drive) are
pulled from upstream git.coopcloud.tech and mirrored via the recipe mirror+PR flow (§4.1) as needed.
## Rollback
The original config is preserved above and in the host's Nix generations
(`nixos-rebuild --rollback` / boot menu). To fully revert, restore `/etc/nixos/*` to the channel
config above and `nixos-rebuild switch`.