1338fb1b68
- Rename hosts/nixos-server.nix -> sunken-ship.nix, nixos-server-hardware.nix -> sunken-ship-hardware.nix - Flake: nixos-server -> sunken-ship, update module path - Set networking.hostName = sunken-ship in server configs - Update AGENTS.md, nixos/readme.md, docs/ssh-and-secrets.md, TODO.md Made-with: Cursor
18 lines
1.3 KiB
Markdown
18 lines
1.3 KiB
Markdown
# TODO
|
|
|
|
1. **Secrets** — Approach A (see [docs/ssh-and-secrets.md](docs/ssh-and-secrets.md)): public repo only, one key per purpose (AGENTS.md), server keys via scp. Optional later: private repo + sops-nix.
|
|
- **GitHub:** Use `id_ed25519_github`; in `~/.ssh/config`: `Host github.com` with `IdentityFile ~/.ssh/id_ed25519_github` and `IdentitiesOnly yes`. Remove `id_rsa_github` from GitHub and locally once confirmed unused.
|
|
- **sunken-ship:** Switch to key auth if still on password: on server `mkdir -p ~/.ssh; chmod 700 ~/.ssh`; from Mac `scp ~/.ssh/id_ed25519_github.pub danny@SERVER:/tmp/`; on server `cat /tmp/id_ed25519_github.pub >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys`. Optional: create `id_ed25519_servers` and use only for servers (add Host in config).
|
|
- **Forgejo:** When needed: create `id_ed25519_forgejo`, add to forge, add Host in `~/.ssh/config`.
|
|
|
|
2. **Server**
|
|
- Only I use the machine. Access: SSH keys only (no password auth).
|
|
- Continue configuring (add services in `hosts/sunken-ship.nix` as needed).
|
|
- SSH: key-only auth; disable password auth. Optionally restrict SSH to LAN.
|
|
- Passwordless sudo for wheel.
|
|
|
|
3. ~~Rename nixos-server to sunken-ship~~ Done.
|
|
|
|
4. Give <something-cooler> wifi access instead of ethernet.
|
|
|
|
5. Host telegram bot once again (for what purpose?)
|