doc: SSH key management and secrets 📝
- Updated AGENTS.md to specify one key per purpose for SSH access, including naming conventions and configuration tips.
- Revised README.md to streamline the roadmap and link to SSH and secrets documentation.
- Created docs/ssh-and-secrets.md to outline the strategy for managing SSH keys and secrets in a public repo.
- Refined TODO.md to reflect the new approach for secrets and server configuration tasks.
parent: 1fdce52239
commit: cd7658f452
5 changed files with 108 additions and 114 deletions
TODO.md (38 changed lines)
@ -1,26 +1,24 @@
# TODO
1. **Secrets** (started)
- SSH public keys removed from `nixos/hosts/nixos-server.nix` and `nixos/server-install-configuration.nix`. Keys are not managed by NixOS there; use scp (see comments in those files and server-quickstart.md).
- Optional: audit repo for other IDs (emails, UUIDs) if desired.
- Check out friend's setup: public repo w config + setup; private repo w IDs, keys and secrets.
- **SSH keys (one key per purpose).** Strategy: AGENTS.md. Actions:
- **GitHub:** In use: `id_ed25519_github`. Add `~/.ssh/config`: `Host github.com` with `IdentityFile ~/.ssh/id_ed25519_github` and `IdentitiesOnly yes`. Remove `id_rsa_github` from GitHub and locally once confirmed unused.
- **nixos-server:** No `~/.ssh/authorized_keys` on server → currently password auth. To switch to key auth: on server `mkdir -p ~/.ssh; chmod 700 ~/.ssh`; from Mac `scp ~/.ssh/id_ed25519_github.pub danny@SERVER:/tmp/`; on server `cat /tmp/id_ed25519_github.pub >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys`. Optional: create `id_ed25519_servers` and use that only for server (then add Host in config).
- **Forgejo:** When needed: create `id_ed25519_forgejo`, add to forge, add Host in `~/.ssh/config`.
1. **Secrets** — Approach A (see [docs/ssh-and-secrets.md](docs/ssh-and-secrets.md)): public repo only, one key per purpose (AGENTS.md), server keys via scp. Optional later: private repo + sops-nix.
- **GitHub:** Use `id_ed25519_github`; in `~/.ssh/config`: `Host github.com` with `IdentityFile ~/.ssh/id_ed25519_github` and `IdentitiesOnly yes`. Remove `id_rsa_github` from GitHub and locally once confirmed unused.
- **nixos-server:** Switch to key auth if still on password: on server `mkdir -p ~/.ssh; chmod 700 ~/.ssh`; from Mac `scp ~/.ssh/id_ed25519_github.pub danny@SERVER:/tmp/`; on server `cat /tmp/id_ed25519_github.pub >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys`. Optional: create `id_ed25519_servers` and use only for servers (add Host in config).
- **Forgejo:** When needed: create `id_ed25519_forgejo`, add to forge, add Host in `~/.ssh/config`.
2. ~~**Server hardware before testing**~~ Done. Fetched via `ssh danny@server 'sudo cat /etc/nixos/hardware-configuration.nix'`, replaced stub; added boot.loader and system.stateVersion; flake check passes.
2. **Server**
- Only I use the machine. Access: SSH keys only (no password auth).
- Continue configuring (add services in `hosts/nixos-server.nix` as needed).
- SSH: key-only auth; disable password auth. Optionally restrict SSH to LAN.
- Passwordless sudo for wheel.
3. **Server**
- Continue configuring the server (add more services to `hosts/nixos-server.nix` as needed).
- Make sure SSH is only possible via LAN, using ssh keys and no password
- Make sudo not require a password
3. Rename nixos-server to <something-cooler>
- Shortlist hostnames; then do flake + hostname + docs in one pass.
- **Monte Cristo–themed candidates (two-word, non-human):**
- Ships / sea: sunken-ship, phantom-ship, rusty-anchor, salty-wind, stormy-wave, calm-harbor, distant-shore, foreign-port, wooden-hull, anchor-chain
- Prison / stone: prison-rock, cold-stone, iron-chain, damp-cell, guard-tower, midnight-bell, stony-corridor, broken-chain
- Secrets / treasure: buried-treasure, secret-cave, forgotten-tunnel, hidden-key, rusty-sword, faded-parchment, ancient-map, broken-seal, buried-chest
- Atmosphere: strange-companion, masked-ball, poison-vial
4. **Verify**
- After 2–4: confirm server hardware in repo, flake builds, auto-rebuild works. On server, `systemctl is-active dotfiles-rebuild.timer` should be `active` once the flake config is live (see nixos/readme.md).
4. Give <something-cooler> wifi access instead of ethernet.
5. Rename nixos-server to <something-cooler>
6. Give <something-cooler> wifi access in stead of using ethernet.
7. Host telegram bot once again (for what purpose?)
5. Host telegram bot once again (for what purpose?)
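Review bot: the rewritten `- **nixos-server:**` line under item 1 still copies `id_ed25519_github.pub` into the server's `authorized_keys` and leaves `id_ed25519_servers` as "Optional", which contradicts the "one key per purpose" strategy the same item cites from AGENTS.md; make creating `id_ed25519_servers` (with its own `Host` entry and `IdentitiesOnly yes`, as the GitHub bullet already does) the default step and drop the GitHub key from the server procedure. The same line says "Switch to key auth if still on password" while the Server item says "disable password auth" with no ordering between them: keep a second session open and confirm a key login succeeds before turning off `PasswordAuthentication`, otherwise a mistake in `authorized_keys` locks you out. The two Server bullets `Access: SSH keys only (no password auth)` and `SSH: key-only auth; disable password auth` say the same thing and could be merged.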