autonomic-bot
9bffb55b28
Pins nixpkgs to the rev cc-ci already ran (no-op-then-base); deploy via switch --flake on-host. System healthy (gen 3) post-switch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
61 lines
3.5 KiB
Markdown
61 lines
3.5 KiB
Markdown
# JOURNAL — cc-ci Builder (append-only)
|
|
|
|
## 2026-05-26 — Bootstrap (§1)
|
|
|
|
**Access verification (all pass):**
|
|
- `ssh cc-ci 'hostname && whoami && nixos-version'` → `nixos` / `root` / `24.11.719113.50ab793786d9 (Vicuna)`
|
|
- `curl https://git.autonomic.zone/api/v1/version` → `{"version":"1.24.2"}`
|
|
- Gitea bot auth (`curl -u $GITEA_USERNAME:$GITEA_PASSWORD .../api/v1/user`) → `login: autonomic-bot`, id 64
|
|
- `getent hosts probe-$RANDOM.ci.commoninternet.net` → `143.244.213.108` (the gateway IP, as expected — TLS passthrough)
|
|
- Cert present: `ls /var/lib/ci-certs/live/` → `fullchain.pem` (2909 b), `privkey.pem` (227 b, mode 640)
|
|
- recipe-maintainers org exists (private); `recipe-maintainers/cc-ci` → 404 (created below)
|
|
- Mirrored recipes already present: bluesky-pds, lasuite-docs, custom-html, custom-html-tiny, n8n,
|
|
keycloak, lasuite-meet, matrix-synapse, cryptpad
|
|
|
|
**Baseline (docs/baseline.md):** fresh NixOS 24.11 Incus VM, 2 vCPU, 3.5 GiB RAM, 8.9 GiB disk
|
|
(3.8 GiB free). No docker/swarm/abra. Channel-based `/etc/nixos/configuration.nix` (no flake).
|
|
|
|
**Actions:**
|
|
- Created repo `recipe-maintainers/cc-ci` (private) via Gitea API.
|
|
- `git init` in /srv/cc-ci/cc-ci; credential helper reads creds from /srv/cc-ci/.testenv (no
|
|
secrets stored in git config).
|
|
- Seeded skeleton layout (§3) + loop-state files + docs/baseline.md.
|
|
|
|
**Next:** commit + push bootstrap, then M0 (flake + base config + sops test secret).
|
|
|
|
## 2026-05-26 — M0: flake + base config rebuilt from repo
|
|
|
|
**Authored** `flake.nix` (pins nixpkgs rev `50ab793786d9…`, the exact rev cc-ci ran),
|
|
`hosts/cc-ci/hardware.nix` (incus VM module + cloud-init + DHCP/nameservers) and
|
|
`hosts/cc-ci/configuration.nix` (faithful baseline repro: tailscale w/ hardcoded `--hostname=
|
|
cc-nix-test` since `builtins.readFile /etc/ts-hostname` is impure under flakes; sshd root; firewall
|
|
trust tailscale0 + tcp/22; base pkgs).
|
|
|
|
**Disk/inode hiccup → resolved:** first `nix flake lock`/build hit `No space left on device` —
|
|
diagnosed as **inode** exhaustion (`df -i` → 6005 free of 586336; old 8.9 GiB fs). Operator grew
|
|
the VM to 28 GiB while I was measuring; ext4 auto-resized → 22 GiB free, 1.21M inodes free. Retried.
|
|
|
|
**Build + switch (commands + output):**
|
|
- `ssh cc-ci 'cd /root/cc-ci && nix flake lock && nixos-rebuild build --flake .#cc-ci'` → `BUILD EXIT 0`,
|
|
produced `nixos-system-nixos-24.11.20250630.50ab793`.
|
|
- `ssh cc-ci 'systemd-run --unit=ccci-rebuild --collect --property=Type=oneshot nixos-rebuild switch
|
|
--flake /root/cc-ci#cc-ci'` (detached so it survives ssh drop) → unit `Result=success
|
|
ExecMainStatus=0`.
|
|
|
|
**Gate verification:**
|
|
- `systemctl is-system-running` → `running`
|
|
- `readlink /run/current-system` → `…-nixos-system-nixos-24.11.20250630.50ab793` (gen 3, from flake)
|
|
- `systemctl is-active tailscaled` → `active`; `sshd.socket` → `active` (sshd is socket-activated, so
|
|
`sshd.service` reads inactive — live ssh proves it works)
|
|
- `systemctl --failed` → none
|
|
- `nixos-rebuild list-generations` → gen 3 current @20:23, prior channel gen 2 retained for rollback.
|
|
|
|
**Known warning (tracked, non-blocking):** incus module enables `systemd.network` while we keep
|
|
`networking.useDHCP=true` (scripted dhcpcd); Nix warns both may manage interfaces. Inherited from
|
|
baseline; networking is up. Clean up by choosing one stack later.
|
|
|
|
**Deploy mechanism settled** (DECISIONS.md): `switch --flake` on-host, repo synced via `tar | ssh`.
|
|
|
|
**Next:** sops-nix wiring (host age key from ssh host key + a decrypt-a-test-secret proof), then
|
|
CLAIM the M0 gate for the Adversary.
|