dannydannydanny/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: add server-todo-ssh-key.md with ssh-keygen command (moved from .cursor/plans)

Browse source 
Made-with: Cursor
This commit is contained in:
DannyDannyDanny 2026-03-08 12:06:53 +01:00
parent 424ba82399
commit e38640f8ea
1 changed files with 46 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

46
docs/server-todo-ssh-key.md Normal file
View file

@ -0,0 +1,46 @@
# Server TODO and SSH key for sunken-ship
## Scope
- **Server TODO** (TODO.md §2): Configure sunken-ship with SSH key-only auth, disable password auth, optional LAN restriction, passwordless sudo for wheel.
- **SSH key**: Create a **new key for server access**, and specifically **a new key for sunken-ship** (e.g. `id_ed25519_sunken_ship`), not a shared "servers" key. One key dedicated to sunken-ship.
## Tasks
1. **Create key**: On Mac, run:
```bash
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_sunken_ship -N "" -C "danny@sunken-ship"
```
Keep private key local, never in repo. Use a passphrase instead of `-N ""` if you prefer.
2. **Secrets (TODO §1)**: Update sunken-ship bullet to use the new key: scp the public key to the server, add to `~/.ssh/authorized_keys` on server, add `Host sunken-ship` in `~/.ssh/config` with `IdentityFile ~/.ssh/id_ed25519_sunken_ship` and `IdentitiesOnly yes`.
3. **Server (TODO §2)**: NixOS config in `hosts/sunken-ship.nix`: enable OpenSSH, disable password authentication, optionally restrict to LAN; ensure passwordless sudo for wheel. Authorized keys are not managed by Nix; they are added via scp as above.
## Done
- Key created: `~/.ssh/id_ed25519_sunken_ship` (and `.pub`). Keep private key local; never commit.
- [nixos/hosts/sunken-ship.nix](../nixos/hosts/sunken-ship.nix): SSH password auth disabled, passwordless sudo for wheel.
## Next steps (you do these)
1. **Add your public key to sunken-ship** (do this before rebuilding, or you may lock yourself out if password auth is already off):
- On server: `mkdir -p ~/.ssh; chmod 700 ~/.ssh`
- From Mac: `scp ~/.ssh/id_ed25519_sunken_ship.pub danny@SUNKEN_SHIP_IP_OR_HOST:/tmp/`
- On server: `cat /tmp/id_ed25519_sunken_ship.pub >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys`
2. **Add to `~/.ssh/config`** (config stays outside repo):
```
Host sunken-ship
HostName YOUR_SERVER_IP_OR_HOSTNAME
User danny
IdentityFile ~/.ssh/id_ed25519_sunken_ship
IdentitiesOnly yes
```
3. **Rebuild the server** so the new NixOS config (no password auth, passwordless sudo) applies. From your Mac, after commit & push: `ssh sunken-ship 'cd /etc/dotfiles && sudo nixos-rebuild switch --flake .#sunken-ship'` (or use the hostname you use for the server). Per AGENTS.md: commit and push first; the server pulls from origin.
## References
- [TODO.md](../TODO.md) — Secrets §1 (sunken-ship), Server §2
- [AGENTS.md](../AGENTS.md) — SSH key naming; keys outside repo
- [ssh-and-secrets.md](ssh-and-secrets.md) — Approach A, scp workflow
- [nixos/hosts/sunken-ship.nix](../nixos/hosts/sunken-ship.nix) — Server NixOS config