infra/runbooks/DE-DECISION-cobblestone.md

# Cobblestone Desktop Environment: Keep or Strip
**Status:** Decision pending operator confirmation of which DE shipped.
**Date:** 2026-05-06
**Scope:** cobblestone (Debian server, fresh install with DE present).
---
## TL;DR
Cobblestone is a service host, not a workstation. The operator already has a Fedora 43 KDE laptop (onyx) for daily driving and a precedent (nullstone) for headless servers. A desktop environment on cobblestone costs roughly 500 MB of idle RAM, 5-8 GB of disk, and an attack surface dominated by Xorg/Wayland, the display manager and the DE session stack; none of that earns its keep once the box is in steady state. The honest counter-argument is bring-up convenience: during the first few weeks of migrating Traefik, Forgejo, Authentik, Headscale, step-ca, Matrix (Tuwunel + LiveKit), Misskey, Pi-hole, n8n, and Minecraft, an operator who needs to debug TLS chains or federation handshakes may want a local browser. Recommendation: **strip after a 30-day soak (target 2026-06-05)**, install `cockpit` behind Authentik OIDC at `cobblestone.s8n.ru` for occasional GUI-feeling admin, and treat the bare console (HDMI + USB keyboard) as the recovery path. Strip-now is also defensible if the operator is comfortable doing all bring-up via SSH from onyx; that is genuinely how nullstone runs today.
---
## Side-by-side comparison
| Axis | Keep DE | Strip DE |
|---|---|---|
| RAM idle | ~500 MB | ~50 MB |
| Disk | ~5-8 GB | ~400 MB |
| Attack surface | Xorg/Wayland + DM (sddm/gdm3/lightdm) + ~200 GUI deps + plymouth | sshd + cron + journald + dockerd (plus whatever the containers themselves expose) |
| Recovery (network down) | Plug monitor + kbd, GUI login, debug | Plug monitor + kbd, console login, debug |
| Update cadence | Track DE CVEs (KDE Plasma is frequent; GNOME less so; XFCE quiet) | Kernel + sshd + dockerd only |
| Useful when | First 24h bring-up; Firefox to hit internal CA pages; rare on-box troubleshooting | Almost always after week 1 |
**Key insight on recovery:** the GUI login does *not* save you when the network is down. A console login on `tty1` lets you run the same `journalctl`, `ip a`, `systemctl status` commands. The DE adds polish, not capability.
---
## Decision matrix
```
        Cobblestone has DE installed
                    |
        Operator works mainly on onyx?
            |                   |
           YES                  NO
            |            (cobblestone is a
            |             daily-driver too)
            |                   |
      Mid-migration?         KEEP DE
        |         |
       YES        NO
        |      (settled)
        |         |
   KEEP (soak)  STRIP NOW
   30-day flip
```
Operator works mainly on onyx (yes), cobblestone is not a daily driver (no). We are mid-migration (services not yet moved). **Path: KEEP for soak, flip on 2026-06-05.**
---
## Recommendation: strip after 30-day soak
1. Leave the DE in place during the migration of the listed services.
2. Calendar a reminder for **2026-06-05** to revisit.
3. On that date, if no service troubleshooting still depends on a local browser/GUI editor, run the strip procedure below.
4. Install `cockpit` immediately (today) regardless — it is useful with or without the DE and gives a soft landing for "I just want to see disk usage".
Why not strip now: Tuwunel federation debugging, Misskey AGPL endpoint validation, and step-ca chain inspection sometimes benefit from a browser pointed at `localhost`. SSH port-forwarding from onyx covers 95% of that, but the first migration of each service is the worst time to discover the 5%.
Why not keep forever: cobblestone is not a workstation. Every Plasma/GNOME CVE becomes a patch obligation for zero return.
---
## Install instead of DE (do this today)
- **cockpit + cockpit-storaged (+ cockpit-machines only if libvirt is in play)** — web admin on port 9090. Front it with a Traefik vhost `cobblestone.s8n.ru` behind Authentik OIDC, and bind `cockpit.socket` to loopback so 9090 is unreachable from the LAN except through Traefik. The Authentik gate is a reachability control; Cockpit still authenticates you against a local Unix account via PAM, which is the point. Drop-in for "show me disk/CPU/services in a UI". `cockpit-podman` only talks to the podman API; with `dockerd` on the box it shows nothing.
- **lazydocker** — TUI for docker. Faster than `docker ps -a` for daily ops. Check `apt-cache policy lazydocker` first; historically it is not packaged in Debian, so expect to install the upstream release binary and verify its checksum.
- **dive** — image-layer inspector. Useful when an image is 2 GB and you want to know why. Same install route as lazydocker.
- **glances** — htop with optional web UI on port 61208 (firewall it; cockpit covers most cases).
- **mc** (midnight commander) — file manager replacement for the no-GUI case.
- **Claude Code on cobblestone** — separate decision; not blocking. Running it on cobblestone enables ssh-less ops and lets cron/agent jobs operate on the box natively. If installed, gate it behind the same SSO posture as cockpit.
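The Cockpit plan above only holds if three things are true at once: Cockpit listens on loopback, Cockpit knows it is behind a TLS-terminating proxy, and the Traefik router for the vhost carries the forwardAuth middleware. The script below is an added example written for this runbook (not Cockpit's, Traefik's or Authentik's own configuration, and not from the original page); it renders those three fragments as text so they can be read or diffed before anything is written to `/etc`. Assumptions, also marked in the comments: a Traefik entrypoint named `websecure`, a certificate resolver named `stepca`, Traefik able to reach the host's `127.0.0.1` (host networking), the Traefik dynamic-config directory `/etc/traefik/dynamic`, and the Authentik outpost at `http://authentik-server:9000`.

```shell
#!/bin/sh
# Added example for this runbook, not Cockpit's/Traefik's/Authentik's own files.
# Renders the pieces that make "cockpit behind Traefik + Authentik" hold:
# loopback-only socket, proxy-aware cockpit.conf, and a Traefik vhost whose
# router carries the forwardAuth middleware. Names below are assumptions.

host=${COCKPIT_HOST:-cobblestone.s8n.ru}
outpost=${AUTHENTIK_OUTPOST:-http://authentik-server:9000}  # assumed outpost URL

# systemd socket drop-in: the empty ListenStream= clears the packaged 0.0.0.0:9090
# so that only loopback listens and nothing on the LAN bypasses Traefik.
render_socket_dropin() {
  printf '[Socket]\nListenStream=\nListenStream=%s:9090\n' "${1:-127.0.0.1}"
}

# cockpit.conf(5): Origins must name the public vhost or the websocket is refused;
# ProtocolHeader/ForwardedForHeader let Cockpit see the real scheme and client IP;
# AllowUnencrypted because TLS terminates at Traefik, not at cockpit-ws.
render_cockpit_conf() {
  cat <<EOF
[WebService]
Origins = https://$1 wss://$1
ProtocolHeader = X-Forwarded-Proto
ForwardedForHeader = X-Forwarded-For
AllowUnencrypted = true
LoginTitle = $1

[Session]
IdleTimeout = 15
EOF
}

# Traefik file-provider fragment. The outpost router is not optional: Authentik
# redirects unauthenticated users to /outpost.goauthentik.io/ on the same host.
render_traefik_cockpit() {
  cat <<EOF
http:
  routers:
    cockpit:
      rule: "Host(\`$1\`)"
      entryPoints: [websecure]          # assumed entrypoint name
      middlewares: [authentik]
      service: cockpit
      tls:
        certResolver: stepca            # assumed ACME resolver pointed at step-ca
    authentik-outpost:
      rule: "Host(\`$1\`) && PathPrefix(\`/outpost.goauthentik.io/\`)"
      entryPoints: [websecure]
      service: authentik
      tls:
        certResolver: stepca
  middlewares:
    authentik:
      forwardAuth:
        address: "$2/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
  services:
    cockpit:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9090"   # assumes Traefik runs with host networking
    authentik:
      loadBalancer:
        servers:
          - url: "$2"
EOF
}

# Live apply (run as root on cobblestone); the render functions above are the
# part worth reviewing, this only writes them out and shows the resulting bind.
apply_cockpit_hardening() {
  install -d /etc/systemd/system/cockpit.socket.d /etc/cockpit /etc/traefik/dynamic
  render_socket_dropin 127.0.0.1 > /etc/systemd/system/cockpit.socket.d/listen.conf
  render_cockpit_conf "$host" > /etc/cockpit/cockpit.conf
  render_traefik_cockpit "$host" "$outpost" > /etc/traefik/dynamic/cockpit.yml
  systemctl daemon-reload && systemctl restart cockpit.socket
  ss -ltn 'sport = :9090'   # acceptable: 127.0.0.1:9090 only, never 0.0.0.0 or [::]
}
```

`apply_cockpit_hardening` ends with the check that matters: if `ss` still shows `0.0.0.0:9090` or `[::]:9090`, the drop-in did not take and the forwardAuth gate is decorative. The gate controls who can reach Cockpit; Cockpit's own PAM login is still required, so a stolen Authentik session does not by itself hand out a shell on the box.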
---
## Strip commands per DE flavour
The operator has not confirmed which DE shipped. Identify it first: `dpkg -l | grep -E 'task-(desktop|xfce|gnome|kde|mate|cinnamon)-desktop'` names the task package, `cat /etc/X11/default-display-manager` names the display manager that starts on boot, and `systemctl get-default` says whether `graphical.target` is the default at all (`ls /usr/bin/*session* 2>/dev/null` is a quick cross-check).
**Important:** `task-*-desktop` is a meta-package; removing it alone does NOT remove the desktop, so the actual package set must go too, followed by `apt autoremove --purge`. Two things to know before running the blocks below. First, to apt an argument that names no package and contains `.`, `?` or `*` is a POSIX regex matched *anywhere* in the package name, so an unanchored `kde-*` means "contains kde"; the blocks below single-quote the patterns (so the shell cannot expand them against files in the working directory) and anchor them as `'^name-.*'`. Add `-s` (simulate) to the `apt remove` line on the first pass and read both the "Note, selecting ... for regex ..." lines and the removal list. Second, `apt autoremove --purge` is the dangerous step: a Debian DE install normally leaves the uplink managed by NetworkManager, and `network-manager` is exactly the kind of package whose only reverse-dep was the DE. Check with `nmcli -t -f NAME,DEVICE con show --active`; if it lists the uplink, run `sudo apt-mark manual network-manager openssh-server` before autoremove (or move the interface to `/etc/network/interfaces` first), and review the autoremove list before pressing `y`.
### XFCE
```
sudo apt remove --purge \
  task-desktop task-xfce-desktop xfce4 '^xfce4-.*' \
  lightdm lightdm-gtk-greeter \
  xorg '^xserver-xorg.*' \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### GNOME
```
sudo apt remove --purge \
  task-desktop task-gnome-desktop gnome-shell gnome-session '^gnome-.*' \
  gdm3 \
  xorg '^xserver-xorg.*' xwayland \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### KDE Plasma
```
sudo apt remove --purge \
  task-desktop task-kde-desktop kde-plasma-desktop '^plasma-.*' '^kde-.*' \
  sddm '^sddm-theme-.*' \
  xorg '^xserver-xorg.*' xwayland \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### MATE
```
sudo apt remove --purge \
  task-desktop task-mate-desktop mate-desktop-environment '^mate-.*' \
  lightdm lightdm-gtk-greeter \
  xorg '^xserver-xorg.*' \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### Cinnamon
```
sudo apt remove --purge \
  task-desktop task-cinnamon-desktop cinnamon '^cinnamon-.*' \
  lightdm lightdm-gtk-greeter \
  xorg '^xserver-xorg.*' \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### After any of the above
```
sudo systemctl set-default multi-user.target
sudo systemctl disable --now sddm gdm3 lightdm 2>/dev/null   # harmless if already purged
# cockpit-storaged is only a Recommends of cockpit; without it there is no disk view,
# which defeats the "I just want to see disk usage" use case
sudo apt install --no-install-recommends cockpit cockpit-storaged mc glances
sudo reboot
```
lazydocker and dive come from upstream releases (see the install list above), not from this `apt` line. After the reboot confirm `systemctl get-default` returns `multi-user.target`, `who` shows only pts/tty sessions, `systemctl is-enabled lightdm gdm3 sddm` reports nothing but `not-found`, and `dpkg -l | grep -E '^ii +(xserver-xorg-core|xwayland|lightdm|gdm3|sddm|plymouth) '` returns nothing.
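The identification step, the per-flavour pattern lists and the post-strip confirmation above are one procedure with three places to get it wrong (misread the DE, let a regex match too widely, declare victory while X is still installed). The script below is an added example written for this runbook, not code from the original page; the function names are hypothetical. The pure functions read a newline-separated package list on stdin so they can be exercised offline against a constructed list; the live wrappers at the bottom feed them `dpkg-query` output and need `systemctl`/`nmcli` on the box.

```shell
#!/bin/sh
# Added example for this runbook (not from the original page). Helpers that
# make the strip procedure checkable. Function names are hypothetical.

# Name the DE families present in a package list (sorted, one per line).
# Keys on the task package or session manager, not on shared GUI libraries.
detect_de() {
  awk '
    /^task-xfce-desktop$/     || /^xfce4-session$/        { f["xfce"] = 1 }
    /^task-gnome-desktop$/    || /^gnome-session$/        { f["gnome"] = 1 }
    /^task-kde-desktop$/      || /^plasma-workspace$/     { f["kde"] = 1 }
    /^task-mate-desktop$/     || /^mate-session-manager$/ { f["mate"] = 1 }
    /^task-cinnamon-desktop$/ || /^cinnamon-session$/     { f["cinnamon"] = 1 }
    END { for (k in f) print k }' | sort
}

# apt removal patterns for one DE family. To apt, an argument containing ".",
# "?" or "*" that names no package is a POSIX regex matched anywhere in the
# name, so every pattern is anchored with ^ and the shell must not expand it.
strip_patterns() {
  common='task-desktop xorg ^xserver-xorg.* xwayland plymouth plymouth-themes'
  case "$1" in
    xfce)     echo "task-xfce-desktop xfce4 ^xfce4-.* lightdm lightdm-gtk-greeter $common" ;;
    gnome)    echo "task-gnome-desktop gnome-shell gnome-session ^gnome-.* gdm3 $common" ;;
    kde)      echo "task-kde-desktop kde-plasma-desktop ^plasma-.* ^kde-.* sddm ^sddm-theme-.* $common" ;;
    mate)     echo "task-mate-desktop mate-desktop-environment ^mate-.* lightdm lightdm-gtk-greeter $common" ;;
    cinnamon) echo "task-cinnamon-desktop cinnamon ^cinnamon-.* lightdm lightdm-gtk-greeter $common" ;;
    *)        echo "unknown DE family: $1" >&2; return 1 ;;
  esac
}

# Render the simulated strip command with every pattern single-quoted.
# Drop -s only after the simulated removal list has been read.
strip_cmd() {
  pats=$(strip_patterns "$1") || return 1
  cmd="sudo apt remove -s --purge"
  set -f                                 # no globbing of the ^...* patterns
  for p in $pats; do cmd="$cmd '$p'"; done
  set +f
  echo "$cmd"
}

# Keep only packages the strip should have removed. Anything this prints after
# strip + autoremove is a leftover to investigate (xorg/DM/splash/DE core);
# X client libraries such as libxcb1 are deliberately not matched.
gui_leftovers() {
  grep -E '^(task-(desktop|xfce|gnome|kde|mate|cinnamon)-desktop$|xorg$|xserver-xorg|xwayland|lightdm|gdm3|sddm|plymouth|xfce4|gnome-(shell|session)|plasma-|kde-plasma|mate-(session|desktop)|cinnamon)' | sort
}

# ---- live wrappers: need dpkg, nmcli, systemctl; not part of the offline checks ----
installed_pkgs() { dpkg-query -W -f='${Package}\n'; }

# Stop autoremove from taking the uplink or SSH: on a Debian DE install the
# network is usually NetworkManager-managed and only the DE depended on it.
protect_essentials() {
  sudo apt-mark manual openssh-server
  if nmcli -t -f NAME,DEVICE con show --active 2>/dev/null | grep -q .; then
    echo "uplink is NetworkManager-managed: marking network-manager manual"
    sudo apt-mark manual network-manager
  fi
}

# Post-strip gate: default target, no display manager enabled, no GUI packages.
verify_headless() {
  rc=0
  [ "$(systemctl get-default)" = "multi-user.target" ] || { echo "default target is not multi-user.target"; rc=1; }
  for dm in sddm gdm3 lightdm; do
    [ "$(systemctl is-enabled "$dm" 2>/dev/null)" != "enabled" ] || { echo "$dm still enabled"; rc=1; }
  done
  left=$(installed_pkgs | gui_leftovers)
  [ -z "$left" ] || { printf 'GUI packages still installed:\n%s\n' "$left"; rc=1; }
  [ "$rc" -eq 0 ] && echo "headless: OK"
  return "$rc"
}

# Typical session on cobblestone:
#   installed_pkgs | detect_de        -> e.g. xfce
#   protect_essentials
#   eval "$(strip_cmd xfce)"          -> read the simulated list, rerun without -s
#   sudo apt autoremove --purge       -> read the list before pressing y
#   verify_headless                   -> non-zero exit means not done yet
```

`verify_headless` is the line to put in the calendar reminder, not "did it reboot": a box that still has `xserver-xorg-core` and an enabled `lightdm` has merely had its default target changed, and the next `apt upgrade` keeps tracking the DE's CVEs exactly as before.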
---
## What breaks when you strip
| Lost capability | Replacement |
|---|---|
| Browser to test internal CA pages | `curl --cacert /etc/step-ca/certs/root_ca.crt https://...` or SSH port-forward from onyx |
| GUI text editor | vim / nano (already installed) |
| File manager | `mc` or shell |
| LightDM/SDDM/GDM autostart | `multi-user.target` (pure systemd) |
| Plymouth boot splash | Plain text scroll (better for debugging boot issues) |
| Local Firefox for OIDC login flows | Port-forward `ssh -L 9090:localhost:9090 cobblestone` from onyx, then hit `http://localhost:9090` in onyx Firefox |
None of these are losses for a service host. The text-scroll boot is arguably an upgrade — Plymouth hides the systemd unit that hung on boot, which is exactly the moment you need to see it.
---
## Open questions for the operator
1. Which DE actually shipped on cobblestone? (XFCE / GNOME / KDE / MATE / Cinnamon)
2. Strip-now or 30-day soak? Default recommendation is soak.
3. Install Claude Code on cobblestone? Out of scope for this doc, but related.
4. Cockpit vhost name confirmed as `cobblestone.s8n.ru`?
---
**Path:** `/home/admin/ai-lab/_github/infra/runbooks/DE-DECISION-cobblestone.md`