cc-ci/STATUS-1c.md
autonomic-bot f972bc1dc4
All checks were successful
continuous-integration/drone/push Build is passing
1c/W2: cc-ci-secrets repo created + populated (cert+infra in sops, verified)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 16:16:58 +01:00


# STATUS — Phase 1c (full git reproducibility + genuine D8 live rebuild)
**Phase plan (SSOT):** `/srv/cc-ci/cc-ci-plan/plan-phase1c-full-reproducibility.md`
**Loop state for THIS phase:** STATUS-1c / BACKLOG-1c / REVIEW-1c / JOURNAL-1c (DECISIONS.md shared).
The repo's STATUS.md / BACKLOG.md / REVIEW.md are Phase-1 HISTORY — not this phase's state.
## Phase
**1c kickoff** — Phase 1 is DONE & Adversary-signed-off (1c10fa5; all D1-D10 PASS, no VETO).
Now: make the VM fully reproducible from git (secrets+cert in a private `cc-ci-secrets` repo) and
perform a genuine throwaway-VM live rebuild to close D8 honestly.
## In flight — W2 (secrets repo + cert into git)
- [x] **W2 step 1 DONE:** private `recipe-maintainers/cc-ci-secrets` created + populated (6 infra
secrets + wildcard cert/key, sops, both recipients; cert/key sha256 verified byte-perfect) + pushed.
Layout: root `secrets.yaml` → submodule mounts at base `secrets/`.
- [ ] **W2 step 2 (next):** base repo — replace tracked `secrets/` with the submodule; add
`wildcard_cert`/`wildcard_key` in secrets.nix (`path=` → /var/lib/ci-certs/live + recovery keyFile);
adjust proxy.nix; switch cc-ci via `--flake 'git+file:///root/cc-ci?submodules=1#cc-ci'`; prove
byte-identical + TLS-from-git-cert; then claim **Gate W2**.
- (W1 resize deferred until just before W3 — it briefly stops the live server; only needed for VM headroom.)
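The W2 step 2 proof (closure byte-identical from the submodule layout, cert/key in sops match what activation wrote to `/var/lib/ci-certs/live`, proxy serves the git cert) as a single verification script. This is an added example, not part of cc-ci; it assumes the base repo is checked out at `/root/cc-ci` with the submodule at `secrets/`, that the two secrets are stored under the sops keys `wildcard_cert` and `wildcard_key` with the files' exact bytes, that the flake exposes `nixosConfigurations.cc-ci`, and that `SOPS_AGE_KEY_FILE` points at one of the two recipients' age keys (host key via ssh-to-age, or the master recovery key). `HOST:PORT` and the SNI name are operator-supplied arguments; none are taken from this page.

```shell
#!/usr/bin/env sh
# Added example, not cc-ci code: verify W2 step 2 on cc-ci.
# Assumed (not stated in STATUS-1c): repo at /root/cc-ci, submodule at secrets/,
# sops keys "wildcard_cert"/"wildcard_key", SOPS_AGE_KEY_FILE set for a recipient.
set -eu

REPO="${REPO:-/root/cc-ci}"
LIVE_DIR="${LIVE_DIR:-/var/lib/ci-certs/live}"
FLAKE="git+file://$REPO?submodules=1"

# Success iff both files have the same SHA-256 digest (byte-identical).
same_sha256() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# SHA-256 fingerprint of the leaf cert in a PEM file (openssl reads the first cert).
leaf_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf cert a TLS endpoint ($1 = host:port) presents for SNI $2.
served_fingerprint() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Decrypt one sops value from the submodule and compare it byte-for-byte with
# the file activation wrote to $LIVE_DIR.
check_secret_matches_live() {
    key="$1"; live="$2"
    tmp=$(mktemp)
    sops --decrypt --extract "[\"$key\"]" "$REPO/secrets/secrets.yaml" > "$tmp"
    if same_sha256 "$tmp" "$live"; then
        echo "OK   $key == $live"; rm -f "$tmp"; return 0
    fi
    echo "FAIL $key != $live"; rm -f "$tmp"; return 1
}

# Build the toplevel from the submodule flake and compare its store path with the
# running system: identical path == identical closure hash == byte-identical build.
check_closure_identical() {
    built=$(nix build "$FLAKE#nixosConfigurations.cc-ci.config.system.build.toplevel" \
        --no-link --print-out-paths)
    running=$(readlink -f /run/current-system)
    if [ "$built" = "$running" ]; then
        echo "OK   toplevel $built == /run/current-system"; return 0
    fi
    echo "FAIL built $built but running $running"; return 1
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 HOST:PORT SNI_NAME" >&2; return 2; }
    check_closure_identical
    check_secret_matches_live wildcard_cert "$LIVE_DIR/fullchain.pem"
    check_secret_matches_live wildcard_key  "$LIVE_DIR/privkey.pem"
    want=$(leaf_fingerprint "$LIVE_DIR/fullchain.pem")
    got=$(served_fingerprint "$1" "$2")
    if [ "$want" = "$got" ]; then
        echo "OK   proxy serves the git cert ($got)"
    else
        echo "FAIL served $got, expected $want"; return 1
    fi
}

# Run only when asked; sourcing the file just defines the helpers.
if [ "${RUN_W2_CHECK:-0}" = 1 ]; then main "$@"; fi
```

Run it on cc-ci after the `nixos-rebuild switch --flake "git+file:///root/cc-ci?submodules=1#cc-ci"` as `RUN_W2_CHECK=1 sh verify-w2.sh 100.90.116.4:443 <name-under-the-wildcard>`; all four `OK` lines together are the evidence Gate W2 asks for, and the closure check is what C1's "byte-identical build" means in practice.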
## Definition of Done (C1-C7 — see phase plan §3)
- [ ] C1 — Secrets-repo split (private `cc-ci-secrets`, base stays one parameterized repo, byte-identical build)
- [ ] C2 — Cert in git (wildcard cert+key as sops secrets, decrypted at activation; no operator cert-drop step)
- [ ] C3 — All secrets in git, one exception = bootstrap age key (documented)
- [ ] C4 — Genuine throwaway-VM live rebuild (Incus terraform-ci, only age key provisioned)
- [ ] C5 — Honest D8 (static byte-identical + live rebuild; "infeasible by design" removed)
- [ ] C6 — Resource fit + cleanup (cc-nix-test 6→4 GB, throwaway 4 GB, destroyed after; final sizing decided)
- [ ] C7 — Docs (install.md/secrets.md/architecture.md + main plan refs updated to new model)
## Gate
None claimed yet. (Milestone gates W2/W4/W5 will be CLAIMED here per §6.1.)
## Blocked
(none)
## Notes
- Current secret layout: `secrets/secrets.yaml` (6 infra secrets), recipients = host age key
(ssh-to-age of cc-ci's ed25519 host key) + off-box master recovery key
(`/srv/cc-ci/.sops/master-age.txt`, sandbox-only). `.sops.yaml` at repo root.
- Wildcard cert currently out-of-band at `/var/lib/ci-certs/live/{fullchain.pem,privkey.pem}`
(operator-provided, Let's Encrypt, next renewal ~2026-08-24); proxy.nix reads it from there. 1c moves it
into sops-in-git, decrypted back to that same path at activation so proxy.nix needs no path change.
- Sandbox host has NO sops/nix/age — sops ops run on cc-ci (has nix + host age key) or via the master
key with a sops binary fetched on cc-ci.
- cc-nix-test == the live cc-ci server (100.90.116.4); resizing it (W1) briefly stops it.