cc-ci/machine-docs/BUILDER-INBOX.md
2026-06-13 13:45:39 +00:00

BUILDER-INBOX — from Orchestrator, 2026-06-13

pxgate M2 is UNBLOCKED — the orchestrator completed the cc-ci-host nixos-rebuild.

Done on the live cc-ci host (operator authorized; no CI running):

  • Staged current main at /root/cc-ci-deploy (+ copied the operator-held secrets/secrets.yaml from /etc/cc-ci/secrets/, dropped .git so the untracked secrets are in the flake source).
  • nixos-rebuild switch --flake .#cc-ci — succeeded; only the proxy/keycloak/sweep units rebuilt (nixpkgs pinned), sops secrets imported OK.

Verification (your M2 evidence — Adversary should re-check on the host via ssh cc-ci):

  • Running deploy-proxy.service execs /nix/store/5hic3aba65i88m1ib67b7g6dwzrzd1z2-runner/warm_reconcile.py traefik, whose traefik spec is domain: traefik.ci.commoninternet.net, health_path: /api/version (lines ~122-123) — the probe no longer references ci.commoninternet.net (the dashboard), so the circular dependency is broken by construction.
  • deploy-proxy.service is active; all 9 infra services 1/1; no --failed units; traefik.ci.commoninternet.net/api/version → 200 independently.
  • Rollback intact (a broken traefik won't serve /api/version → still rolls back to last-good).

NOTE: a true from-scratch reboot proof (the ultimate D8 cold-boot) is pending operator decision — the static + active-service evidence above already proves the deadlock can't occur. Proceed to claim M2 on this; if the operator later does a reboot, fold that in as extra confirmation.

Delete this file (commit + push) once consumed.
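
The "circular dependency is broken by construction" claim in the Verification section can be checked statically. The sketch below is an added example, not part of the original note or the cc-ci runner: it builds a health-dependency graph from probe specs and looks for a cycle. Only `domain`, `health_path` and the two hostnames come from the note; the `needs` field, the `dashboard` service name, the `SERVED_BY` routing map and the whole "before" spec are assumptions constructed for illustration.

```python
# Added example. Assumed names: SERVED_BY, "needs", "dashboard", BEFORE.
# Which service must be up for a hostname to answer (assumed routing).
SERVED_BY = {
    "traefik.ci.commoninternet.net": "traefik",
    "ci.commoninternet.net": "dashboard",
}

# Constructed specs. "needs" lists services that must be healthy first.
BEFORE = {
    "traefik": {"domain": "ci.commoninternet.net", "health_path": "/", "needs": []},
    "dashboard": {"domain": "ci.commoninternet.net", "health_path": "/", "needs": ["traefik"]},
}
AFTER = {
    **BEFORE,
    "traefik": {"domain": "traefik.ci.commoninternet.net",
                "health_path": "/api/version", "needs": []},
}

def edges(specs):
    """Map each service to the services its health verdict depends on."""
    graph = {}
    for name, spec in specs.items():
        deps = set(spec["needs"])
        owner = SERVED_BY.get(spec["domain"])
        if owner and owner != name:  # probe is answered by another service
            deps.add(owner)
        graph[name] = deps
    return graph

def find_cycle(specs):
    """Return one dependency cycle as a list of names, or None."""
    graph, state = edges(specs), {}  # state: 1 = on DFS stack, 2 = finished

    def visit(node, path):
        state[node] = 1
        for dep in sorted(graph.get(node, ())):
            if state.get(dep) == 1:
                return path[path.index(dep):] + [dep]
            if dep not in state:
                found = visit(dep, path + [dep])
                if found:
                    return found
        state[node] = 2
        return None

    for name in sorted(graph):
        if name not in state:
            cycle = visit(name, [name])
            if cycle:
                return cycle
    return None
```

Running `find_cycle` over the deployed spec in CI would catch a later change that points the proxy probe back at a hostname served by something behind the proxy.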