diff --git a/docs/server-todo-ssh-key.md b/docs/server-todo-ssh-key.md
new file mode 100644
index 0000000..9fe5458
--- /dev/null
+++ b/docs/server-todo-ssh-key.md
@@ -0,0 +1,46 @@
+# Server TODO and SSH key for sunken-ship
+
+## Scope
+
+- **Server TODO** (TODO.md §2): Configure sunken-ship with SSH key-only auth, disable password auth, optional LAN restriction, passwordless sudo for wheel.
+- **SSH key**: Create a **new key for server access**, and specifically **a new key for sunken-ship** (e.g. `id_ed25519_sunken_ship`), not a shared "servers" key. One key dedicated to sunken-ship.
+
+## Tasks
+
+1. **Create key**: On Mac, run:
+   ```bash
+   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_sunken_ship -N "" -C "danny@sunken-ship"
+   ```
+   Keep private key local, never in repo. Use a passphrase instead of `-N ""` if you prefer.
+2. **Secrets (TODO §1)**: Update sunken-ship bullet to use the new key: scp the public key to the server, add to `~/.ssh/authorized_keys` on server, add `Host sunken-ship` in `~/.ssh/config` with `IdentityFile ~/.ssh/id_ed25519_sunken_ship` and `IdentitiesOnly yes`.
+3. **Server (TODO §2)**: NixOS config in `hosts/sunken-ship.nix`: enable OpenSSH, disable password authentication, optionally restrict to LAN; ensure passwordless sudo for wheel. Authorized keys are not managed by Nix; they are added via scp as above.
+
+## Done
+
+- Key created: `~/.ssh/id_ed25519_sunken_ship` (and `.pub`). Keep private key local; never commit.
+- [nixos/hosts/sunken-ship.nix](../nixos/hosts/sunken-ship.nix): SSH password auth disabled, passwordless sudo for wheel.
+
+## Next steps (you do these)
+
+1. **Add your public key to sunken-ship** (do this before rebuilding, or you may lock yourself out if password auth is already off):
+   - On server: `mkdir -p ~/.ssh; chmod 700 ~/.ssh`
+   - From Mac: `scp ~/.ssh/id_ed25519_sunken_ship.pub danny@SUNKEN_SHIP_IP_OR_HOST:/tmp/`
+   - On server: `cat /tmp/id_ed25519_sunken_ship.pub >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys`
+
+2. **Add to `~/.ssh/config`** (config stays outside repo):
+   ```
+   Host sunken-ship
+     HostName YOUR_SERVER_IP_OR_HOSTNAME
+     User danny
+     IdentityFile ~/.ssh/id_ed25519_sunken_ship
+     IdentitiesOnly yes
+   ```
+
+3. **Rebuild the server** so the new NixOS config (no password auth, passwordless sudo) applies. From your Mac, after commit & push: `ssh sunken-ship 'cd /etc/dotfiles && sudo nixos-rebuild switch --flake .#sunken-ship'` (or use the hostname you use for the server). Per AGENTS.md: commit and push first; the server pulls from origin.
+
+## References
+
+- [TODO.md](../TODO.md) — Secrets §1 (sunken-ship), Server §2
+- [AGENTS.md](../AGENTS.md) — SSH key naming; keys outside repo
+- [ssh-and-secrets.md](ssh-and-secrets.md) — Approach A, scp workflow
+- [nixos/hosts/sunken-ship.nix](../nixos/hosts/sunken-ship.nix) — Server NixOS config