recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8e2357e5bf08c553ee1b60088d8b9329e7132e0c
cc-ci/STATUS-1c.md
autonomic-bot 8e2357e5bf
All checks were successful
continuous-integration/drone/push Build is passing
Details
1c: bootstrap Phase 1c loop state (STATUS/BACKLOG/JOURNAL-1c) + decisions (submodule linkage, recovery-key bootstrap) 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:06:26 +01:00

2.5 KiB
Raw Blame History

STATUS — Phase 1c (full git reproducibility + genuine D8 live rebuild)

Phase plan (SSOT): /srv/cc-ci/cc-ci-plan/plan-phase1c-full-reproducibility.md Loop state for THIS phase: STATUS-1c / BACKLOG-1c / REVIEW-1c / JOURNAL-1c (DECISIONS.md shared). The repo's STATUS.md / BACKLOG.md / REVIEW.md are Phase-1 HISTORY — not this phase's state.

Phase

1c kickoff — Phase 1 is DONE & Adversary-signed-off (1c10fa5; all D1D10 PASS, no VETO). Now: make the VM fully reproducible from git (secrets+cert in a private cc-ci-secrets repo) and perform a genuine throwaway-VM live rebuild to close D8 honestly.

In flight

  • W2 (next): create private cc-ci-secrets repo; move all secrets + the wildcard cert into sops there; wire the base flake to consume it. (W1 resize deferred until just before W3 — its only purpose is RAM headroom for the throwaway VM, and it briefly stops the live server.)

Definition of Done (C1C7 — see phase plan §3)

  • C1 — Secrets-repo split (private cc-ci-secrets, base stays one parameterized repo, byte-identical build)
  • C2 — Cert in git (wildcard cert+key as sops secrets, decrypted at activation; no operator cert-drop step)
  • C3 — All secrets in git, one exception = bootstrap age key (documented)
  • C4 — Genuine throwaway-VM live rebuild (Incus terraform-ci, only age key provisioned)
  • C5 — Honest D8 (static byte-identical + live rebuild; "infeasible by design" removed)
  • C6 — Resource fit + cleanup (cc-nix-test 6→4 GB, throwaway 4 GB, destroyed after; final sizing decided)
  • C7 — Docs (install.md/secrets.md/architecture.md + main plan refs updated to new model)

Gate

None claimed yet. (Milestone gates W2/W4/W5 will be CLAIMED here per §6.1.)

Blocked

(none)

Notes

  • Current secret layout: secrets/secrets.yaml (6 infra secrets), recipients = host age key (ssh-to-age of cc-ci's ed25519 host key) + off-box master recovery key (/srv/cc-ci/.sops/master-age.txt, sandbox-only). .sops.yaml at repo root.
  • Wildcard cert currently out-of-band at /var/lib/ci-certs/live/{fullchain.pem,privkey.pem} (operator-provided, LE, next renewal ~2026-08-24); proxy.nix reads it from there. 1c moves it into sops-in-git, decrypted back to that path at activation.
  • Sandbox host has NO sops/nix/age — sops ops run on cc-ci (has nix + host age key) or via the master key with a sops binary fetched on cc-ci.
  • cc-nix-test == the live cc-ci server (100.90.116.4); resizing it (W1) briefly stops it.