cc-ci/JOURNAL-1c.md
autonomic-bot 8e2357e5bf
1c: bootstrap Phase 1c loop state (STATUS/BACKLOG/JOURNAL-1c) + decisions (submodule linkage, recovery-key bootstrap)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:06:26 +01:00


JOURNAL — Phase 1c (Builder)

Append-only. Each entry: what I did + verifying command/output + next.

2026-05-27 — Phase 1c kickoff / orientation

Context: Phase 1 closed DONE (1c10fa5; all D1–D10 Adversary-PASS, no VETO; Adversary loop terminated for Phase 1). Starting Phase 1c per plan-phase1c-full-reproducibility.md.

Did:

  • Read the phase plan in full + plan.md §6.1/§7/§9. Verified access & surveyed current state.
  • ssh cc-ci 'hostname && nixos-version && systemctl is-system-running' → nixos / 24.11.20250630.50ab793 (Vicuna) / running. Healthy.
  • Surveyed secrets layout:
    • secrets/secrets.yaml holds 6 infra secrets: test_secret, drone_rpc_secret, drone_gitea_client_secret, bridge_drone_token, bridge_gitea_token, bridge_webhook_hmac.
    • .sops.yaml: recipients = &host (ssh-to-age of cc-ci ed25519 host key) + &master (off-box recovery, private at /srv/cc-ci/.sops/master-age.txt, sandbox-only).
    • modules/secrets.nix: defaultSopsFile = ../secrets/secrets.yaml, age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"].
    • Wildcard cert OUT-OF-BAND at cc-ci:/var/lib/ci-certs/live/{fullchain.pem,privkey.pem} (fullchain 2909 B, privkey 227 B → privkey looks like an EC key). modules/proxy.nix reconcile reads it from there and inserts as traefik ssl_cert/ssl_key swarm secrets; treats a missing cert as FATAL (operator precondition).
    • flake.nix: nixpkgs pinned 50ab793, sops-nix pinned; single local nixosConfigurations.cc-ci.
  • Tooling note: sandbox host has NO sops/nix/age/ssh-to-age (which → only git). sops/age work must run on cc-ci (has nix + host age key) or via a sops binary fetched there with the master key.
  • Bootstrapped Phase-1c state: STATUS-1c.md, BACKLOG-1c.md, JOURNAL-1c.md (this file). REVIEW-1c.md left for the Adversary (its file per §6.1). Appended Phase-1c decisions to DECISIONS.md.

Decisions recorded (DECISIONS.md): secrets linkage = git submodule (deviates from the flake-input default — rationale: no private-repo fetch credential needed at nix-eval on every rebuild, keeps defaultSopsFile a local path = minimal change + trivially byte-identical); bootstrap key for throwaway = recovery age key via sops.age.keyFile.

Next (W2): create private recipe-maintainers/cc-ci-secrets; move secrets + wildcard cert into sops there as a submodule of the base; wire secrets.nix (cert→/var/lib/ci-certs/live via path=); prove byte-identical build + clean switch with TLS from the git cert. Then claim Gate W2.
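The W2 wiring sketched above (secrets.yaml from the submodule, cert landing at the path proxy.nix already reads, recovery age key as the bootstrap decryption key) written out as a sops-nix module. This is an added illustration, not the project's modules/secrets.nix; it assumes the private repo is checked out as the `secrets/` submodule, that the cert files are sops-encrypted in binary format under `secrets/certs/`, that the option namespace `cc-ci.secrets` is free, and that the recovery key is placed at `/srv/cc-ci/.sops/master-age.txt` on the throwaway host only.

```nix
# Added example (not the project's file). Assumed: `secrets/` is the
# private submodule, so ../secrets/secrets.yaml stays a local path and
# defaultSopsFile is unchanged; cert files live sops-encrypted (binary
# format) at ../secrets/certs/{fullchain,privkey}.pem.
{ config, lib, ... }:

let
  cfg = config.cc-ci.secrets;            # hypothetical option namespace
  certDir = "/var/lib/ci-certs/live";    # path modules/proxy.nix reconcile reads
in
{
  options.cc-ci.secrets.bootstrapWithRecoveryKey = lib.mkEnableOption
    "decrypt with the off-box recovery age key (throwaway hosts only)";

  config = {
    sops.defaultSopsFile = ../secrets/secrets.yaml;

    # Steady state: the host's ssh ed25519 key (the &host recipient via
    # ssh-to-age) decrypts everything; no extra material on the box.
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    # Throwaway/bootstrap: the fresh host's ssh key is not yet a recipient,
    # so the &master recovery key decrypts instead. Gated by the option so
    # the production cc-ci never references the recovery key file.
    sops.age.keyFile = lib.mkIf cfg.bootstrapWithRecoveryKey
      "/srv/cc-ci/.sops/master-age.txt";  # assumed location on the throwaway

    # Wildcard cert moves from out-of-band into sops, but is written to the
    # same path as before, so proxy.nix's FATAL-if-missing check is unchanged.
    sops.secrets."certs/fullchain.pem" = {
      sopsFile = ../secrets/certs/fullchain.pem;
      format = "binary";
      path = "${certDir}/fullchain.pem";
      mode = "0444";                     # public chain, world-readable is fine
    };
    sops.secrets."certs/privkey.pem" = {
      sopsFile = ../secrets/certs/privkey.pem;
      format = "binary";
      path = "${certDir}/privkey.pem";
      owner = "root";
      mode = "0400";                     # private key: root-only
    };
  };
}
```

On the throwaway, a clean switch followed by `ls -l /var/lib/ci-certs/live` and a TLS check against traefik is the evidence the W2 gate asks for; byte-identical build output is what proves the submodule move changed nothing else.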