doc: SSH key management and secrets 📝

- Updated AGENTS.md to specify one key per purpose for SSH access, including naming conventions and configuration tips.
- Revised README.md to streamline the roadmap and link to SSH and secrets documentation.
- Created docs/ssh-and-secrets.md to outline the strategy for managing SSH keys and secrets in a public repo.
- Refined TODO.md to reflect the new approach for secrets and server configuration tasks.

nixos/readme.md

@@ -1,48 +1,27 @@
-Rebuild nixos and points to dotfiles dir:
+# NixOS flake
 
-```
+Rebuild from dotfiles dir:
+
+```bash
 sudo nixos-rebuild switch --flake ~/dotfiles/nixos#macbookair
-# or
-sudo nixos-rebuild switch --flake ~/dotfiles/nixos#wsl
-# or (macOS)
-sudo -H nix run github:lnl7/nix-darwin -- switch --flake ~/dotfiles/nixos#Daniel-Macbook-Air
+# or #wsl
+# macOS: cd ~/dotfiles/nixos && darwin-rebuild switch --flake .
 ```
 
 ## Server (nixos-server)
 
-One-time on the server (git is not installed until after the first rebuild, so use nix run to get git):
+One-time bootstrap (no git until first rebuild):
 
 ```bash
 nix run --extra-experimental-features "nix-command flakes" nixpkgs#git -- clone https://github.com/DannyDannyDanny/dotfiles.git /tmp/dotfiles
 sudo mv /tmp/dotfiles /etc/dotfiles
-# Enable flakes for this run (needed if the current system config does not)
 sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#nixos-server --option accept-flake-config true
 ```
-If that fails with "does not provide attribute ... nixos-rebuild", enable flakes for the Nix daemon via the current config (on NixOS, `/etc/nix/nix.conf` is often read-only), then build and switch manually.
 
-**From your Mac:** push a config that enables flakes, then on the server copy it and rebuild:
-```bash
-scp nixos/server-configuration-with-flakes.nix danny@<server>:/tmp/configuration.nix
-```
-**On the server:**
-```bash
-sudo cp /tmp/configuration.nix /etc/nixos/configuration.nix
-sudo nixos-rebuild switch
-```
-Then build and switch to the flake:
-```bash
-sudo nix build /etc/dotfiles/nixos#nixosConfigurations.nixos-server.config.system.build.toplevel -o /tmp/nixos-result
-sudo /tmp/nixos-result/bin/switch-to-configuration switch
-```
+If the daemon doesn’t have flakes: copy [server-configuration-with-flakes.nix](server-configuration-with-flakes.nix) to `/etc/nixos/configuration.nix`, run `sudo nixos-rebuild switch`, then build and switch to the flake (see [server-quickstart.md](../server-quickstart.md) for SSH keys).
 
-Use `git@github.com:DannyDannyDanny/dotfiles.git` if the repo is private (clone as danny then `sudo mv` and `sudo chown -R root:root /etc/dotfiles`).
+SSH keys (not in repo): `scp ~/.ssh/*.pub danny@server:/tmp/`, then on server `mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys`. See [docs/ssh-and-secrets.md](../docs/ssh-and-secrets.md).
 
-SSH keys for danny (not in repo): from your machine `scp ~/.ssh/*.pub danny@server:/tmp/`, then on server `mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys`.
+Timer: every 15 min the server pulls and rebuilds when `main` changes. Config: `hosts/nixos-server.nix`, `hosts/nixos-server-hardware.nix`.
 
-After that, a timer pulls and rebuilds every 15 min when `main` changes. Config lives in `hosts/nixos-server.nix` and `hosts/nixos-server-hardware.nix`.
-
-**Pull when git is not in PATH** (e.g. before first rebuild or when `sudo git` says "command not found"):
-```bash
-sudo nix run nixpkgs#git -- -C /etc/dotfiles pull origin main
-```
-Then run `sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#nixos-server` as usual. After that, git is in the system profile; for manual pulls you can use `sudo /run/current-system/sw/bin/git -C /etc/dotfiles pull origin main` if `sudo git` still isn’t in PATH.
+No git in PATH: `sudo nix run nixpkgs#git -- -C /etc/dotfiles pull origin main`.