cc-ci/docs/baseline.md
autonomic-bot c21cce51b9 chore: bootstrap cc-ci loop state
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 21:07:31 +01:00

Baseline — cc-ci starting environment (rollback reference)

Captured at bootstrap, 2026-05-26, before any Builder changes. This is the state to roll back to.

Host

  • Hostname: nixos (Tailscale node cc-nix-test, tailnet IP 100.90.116.4, tailnet taila4a0bf.ts.net).
  • OS: NixOS 24.11 24.11.719113.50ab793786d9 (Vicuna).
  • Virtualisation: Incus VM (imports virtualisation/incus-virtual-machine.nix), incus agent on.
  • Resources: 2 vCPU, 3.5 GiB RAM, 8.9 GiB root disk (4.7 GiB used / 3.8 GiB free).
  • Access: SSH as root (PermitRootLogin yes), reached from the sandbox through the userspace-tailscaled SOCKS proxy at 127.0.0.1:1055 (ssh cc-ci).

Installed / present

  • Config: channel-based, no flake. /etc/nixos/:
    • configuration.nix — incus VM module, cloud-init, tailscale (auth-key file), openssh, base pkgs (curl git jq openssh), firewall (trust tailscale0, allow tcp/22), DHCP, nameservers 1.1.1.1/8.8.8.8, nix.settings.experimental-features = [nix-command flakes], system.stateVersion = "24.11".
    • incus-base.nix — tailscale auth-key + hostname from /etc/ts-hostname.
    • setup.sh — original provisioning script (channel add + nixos-rebuild boot + sysrq reboot).
  • No docker, no swarm, no abra installed.
  • Tailscale up and authenticated (state persists; reconnects without key).

Provided infra inputs (operator-owned, do not improvise — §4.4 class A1)

  • Wildcard TLS cert at /var/lib/ci-certs/live/{fullchain.pem,privkey.pem} (*.ci.commoninternet.net + ci.commoninternet.net, LE 90-day, next renewal ~2026-08-24). The agent serves it via the Traefik file provider; it never runs ACME for this domain.
  • DNS: wildcard *.ci.commoninternet.net (+ bare ci.commoninternet.net) → gateway 143.244.213.108 (Gandi-hosted public zone). The gateway passes TLS through for the whole wildcard to cc-ci, routed by SNI; TLS terminates on cc-ci's Traefik. Per-run subdomains need no DNS, gateway or cert work.
  • Gitea bot autonomic-bot (id 64), admin on private org recipe-maintainers.
  • Tailscale auth key (reusable) — in /srv/cc-ci/.testenv.
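As an added illustration (not a file from this repo), a Traefik dynamic configuration for the file provider that serves the operator-provided wildcard cert above and defines a router for per-run subdomains, with no certificatesResolvers anywhere so ACME is never attempted for this domain. Assumptions: Traefik v3 rule syntax, the file path /etc/traefik/dynamic/ci-certs.yml, an entry point named websecure, the per-run subdomain pattern, and the backend service `runner` on 127.0.0.1:8080.

```yaml
# Assumed path: /etc/traefik/dynamic/ci-certs.yml (loaded by providers.file in the static config).
# The operator-owned wildcard cert is read from disk. No certificatesResolvers block exists in
# either static or dynamic config, so Traefik cannot start an ACME order for ci.commoninternet.net.
tls:
  certificates:
    - certFile: /var/lib/ci-certs/live/fullchain.pem
      keyFile: /var/lib/ci-certs/live/privkey.pem
  stores:
    default:
      # Also make the wildcard the default cert, so any subdomain the gateway
      # passes through by SNI is answered with it rather than Traefik's self-signed fallback.
      defaultCertificate:
        certFile: /var/lib/ci-certs/live/fullchain.pem
        keyFile: /var/lib/ci-certs/live/privkey.pem
  options:
    default:
      minVersion: VersionTLS12

http:
  routers:
    ci-runs:
      entryPoints: [websecure]
      # Assumed per-run subdomain pattern; the wildcard cert and DNS already cover it.
      rule: "HostRegexp(`^[a-z0-9-]+\\.ci\\.commoninternet\\.net$`)"
      service: runner
      tls: {}   # static TLS from the store above; no certResolver key, hence no ACME
  services:
    runner:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"   # assumed backend for per-run workloads
```

A renewed cert dropped into /var/lib/ci-certs/live by the operator replaces the files in place, so the paths in this file never change across the 90-day LE cycle.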

Recipes already mirrored to recipe-maintainers (at bootstrap)

bluesky-pds, cryptpad, custom-html, custom-html-tiny, keycloak, lasuite-docs, lasuite-meet, matrix-synapse, n8n. Others (hedgedoc, authentik, immich, lasuite-drive) are pulled from upstream git.coopcloud.tech and mirrored via the recipe mirror+PR flow (§4.1) as needed.

Rollback

The original config is preserved above and in the host's Nix generations (nixos-rebuild --rollback / boot menu). To fully revert, restore /etc/nixos/* to the channel config described above and run nixos-rebuild switch.