infra/runbooks/COBBLESTONE-INTAKE.md

# Cobblestone intake — operator hand-off

When operator brings cobblestone online for migration prep, fill in
this template, then unblock agent A2 (cobblestone audit).

## Network

| Field | Value | Notes |
|---|---|---|
| LAN IP | TBD | static recommended; reservation in router OR static `/etc/network/interfaces` |
| Hostname | `cobblestone` | matches CLAUDE.md device registry |
| Tailscale IP | TBD (when joined) | preserve via `/var/lib/tailscale/state` carry-over OR re-enroll |
| MAC | TBD |  |
| Router port-forwards | TBD: 80, 443, 25565, ?222 | `222` for Forgejo SSH (long-deferred fix from nullstone era) |

## SSH

| Field | Value |
|---|---|
| Default user | TBD (Debian default = first-install user) |
| ssh key from onyx authorized? | TBD (if no, run `ssh-copy-id <user>@<ip>`) |
| sshd config | hardened? | nullstone pattern: `AllowUsers user`, no root, no pw auth |

After hand-over, add to `~/.ssh/config` on onyx:

```
Host cobblestone
    HostName <IP>
    User user
    IdentityFile ~/.ssh/id_ed25519
```

## Hardware

| Field | Value |
|---|---|
| CPU | TBD (model + cores) |
| RAM | TBD (GB) |
| Disk(s) | TBD (NVMe? SATA SSD? size?) |
| GPU | TBD (none / iGPU / discrete) |
| TPM2 chip | TBD (`ls /dev/tpm*`) |

## OS state

| Field | Value |
|---|---|
| Debian version | TBD (`cat /etc/debian_version`) |
| Kernel | TBD (`uname -r`) |
| LUKS at install | TBD (`lsblk -f` looking for `crypto_LUKS`) ⚠️ |
| Desktop env | TBD (XFCE / GNOME / KDE / MATE / Cinnamon) |
| Display manager | TBD (`systemctl status display-manager`) |

⚠️ **If LUKS=NO at install**: see [DE-DECISION-cobblestone.md](DE-DECISION-cobblestone.md)
section "post-install LUKS-on-file fallback". Better to reinstall
with LUKS2 from scratch — this is the F4 regression fix.

## Docker

| Field | Value |
|---|---|
| Docker installed | TBD |
| Version | TBD |
| daemon.json | not yet — match nullstone pattern |
| userns-remap | **DROP** per migration recommendation |

## Operator-driven decisions (fill before cutover)

- [ ] LUKS reinstall: yes / LUKS-on-file fallback / accept-no-LUKS
- [ ] DE: strip-now / 30-day soak then strip / keep-forever
- [ ] userns-remap: drop / keep
- [ ] RocketChat: revive on cobblestone / retire (delete volumes)
- [ ] Headscale + step-ca: keep on cobblestone / move to $4 VPS
- [ ] cockpit web admin: install / skip

## Once filled in

Commit + push this file. Then say "agent A2 go" — A2 ssh's into
cobblestone, runs the audit commands from `MIGRATION-...md` section
1, writes `COBBLESTONE-AUDIT-<date>.md` next to this file.
infra: STATE.md + cobblestone intake template STATE.md = source-of-truth for current state + pending decisions. Append to changelog when state changes. Don't rewrite history. COBBLESTONE-INTAKE.md = template the operator fills before agent A2 runs the cobblestone audit. Captures network/SSH/hardware/OS/docker state + operator-driven migration decisions (LUKS, DE, userns-remap, RC revive-or-retire, Headscale SPOF, cockpit). 2026-05-06 10:12:50 +01:00			`# Cobblestone intake — operator hand-off`

			`When operator brings cobblestone online for migration prep, fill in`
			`this template, then unblock agent A2 (cobblestone audit).`

			`## Network`

			`\| Field \| Value \| Notes \|`
			`\|---\|---\|---\|`
			\| LAN IP \| TBD \| static recommended; reservation in router OR static `/etc/network/interfaces` \|
			\| Hostname \| `cobblestone` \| matches CLAUDE.md device registry \|
			\| Tailscale IP \| TBD (when joined) \| preserve via `/var/lib/tailscale/state` carry-over OR re-enroll \|
			`\| MAC \| TBD \| \|`
			\| Router port-forwards \| TBD: 80, 443, 25565, ?222 \| `222` for Forgejo SSH (long-deferred fix from nullstone era) \|

			`## SSH`

			`\| Field \| Value \|`
			`\|---\|---\|`
			`\| Default user \| TBD (Debian default = first-install user) \|`
			\| ssh key from onyx authorized? \| TBD (if no, run `ssh-copy-id <user>@<ip>`) \|
			\| sshd config \| hardened? \| nullstone pattern: `AllowUsers user`, no root, no pw auth \|

			After hand-over, add to `~/.ssh/config` on onyx:

			```
			`Host cobblestone`
			`HostName <IP>`
			`User user`
			`IdentityFile ~/.ssh/id_ed25519`
			```

			`## Hardware`

			`\| Field \| Value \|`
			`\|---\|---\|`
			`\| CPU \| TBD (model + cores) \|`
			`\| RAM \| TBD (GB) \|`
			`\| Disk(s) \| TBD (NVMe? SATA SSD? size?) \|`
			`\| GPU \| TBD (none / iGPU / discrete) \|`
			\| TPM2 chip \| TBD (`ls /dev/tpm*`) \|

			`## OS state`

			`\| Field \| Value \|`
			`\|---\|---\|`
			\| Debian version \| TBD (`cat /etc/debian_version`) \|
			\| Kernel \| TBD (`uname -r`) \|
			\| LUKS at install \| TBD (`lsblk -f` looking for `crypto_LUKS`) ⚠️ \|
			`\| Desktop env \| TBD (XFCE / GNOME / KDE / MATE / Cinnamon) \|`
			\| Display manager \| TBD (`systemctl status display-manager`) \|

			`⚠️ If LUKS=NO at install: see [DE-DECISION-cobblestone.md](DE-DECISION-cobblestone.md)`
			`section "post-install LUKS-on-file fallback". Better to reinstall`
			`with LUKS2 from scratch — this is the F4 regression fix.`

			`## Docker`

			`\| Field \| Value \|`
			`\|---\|---\|`
			`\| Docker installed \| TBD \|`
			`\| Version \| TBD \|`
			`\| daemon.json \| not yet — match nullstone pattern \|`
			`\| userns-remap \| DROP per migration recommendation \|`

			`## Operator-driven decisions (fill before cutover)`

			`- [ ] LUKS reinstall: yes / LUKS-on-file fallback / accept-no-LUKS`
			`- [ ] DE: strip-now / 30-day soak then strip / keep-forever`
			`- [ ] userns-remap: drop / keep`
			`- [ ] RocketChat: revive on cobblestone / retire (delete volumes)`
			`- [ ] Headscale + step-ca: keep on cobblestone / move to $4 VPS`
			`- [ ] cockpit web admin: install / skip`

			`## Once filled in`

			`Commit + push this file. Then say "agent A2 go" — A2 ssh's into`
			cobblestone, runs the audit commands from `MIGRATION-...md` section
			1, writes `COBBLESTONE-AUDIT-<date>.md` next to this file.