# Cobblestone Desktop Environment: Keep or Strip

**Status:** Decision pending operator confirmation of which DE shipped.
**Date:** 2026-05-06
**Scope:** cobblestone (Debian server, fresh install with DE present).

---

## TL;DR

Cobblestone is a service host, not a workstation. The operator already has a Fedora 43 KDE laptop (onyx) for daily driving and a precedent (nullstone) for headless servers. A desktop environment on cobblestone costs ~500 MB RAM, 5–8 GB disk, and an attack surface dominated by Xorg/Wayland plus the DE session manager — none of which earns its keep once the box is in steady state.

The honest counter-argument is bring-up convenience: during the first few weeks of migrating Traefik, Forgejo, Authentik, Headscale, step-ca, Matrix (Tuwunel + LiveKit), Misskey, Pi-hole, n8n, and Minecraft, an operator who needs to debug TLS chains or federation handshakes may want a local browser.

Recommendation: **strip after a 30-day soak (target 2026-06-05)**, install `cockpit` behind Authentik OIDC at `cobblestone.s8n.ru` for occasional GUI-feeling admin, and treat the bare console (HDMI + USB keyboard) as the recovery path. Strip-now is also defensible if the operator is comfortable doing all bring-up via SSH from onyx — that is genuinely how nullstone runs today.

---

## Side-by-side comparison

| Axis | Keep DE | Strip DE |
|---|---|---|
| RAM idle | ~500 MB | ~50 MB |
| Disk | ~5–8 GB | ~400 MB |
| Attack surface | Xorg/Wayland + DM (sddm/gdm3/lightdm) + ~200 GUI deps + plymouth | sshd + cron + journalctl + dockerd |
| Recovery (network down) | Plug monitor + kbd, GUI login, debug | Plug monitor + kbd, console login, debug |
| Update cadence | Track DE CVEs (KDE Plasma is frequent; GNOME less so; XFCE quiet) | Kernel + sshd + dockerd only |
| Useful when | First 24h bring-up; Firefox to hit internal CA pages; rare on-box troubleshooting | Almost always after week 1 |

**Key insight on recovery:** the GUI login does *not* save you when the network is down.
A console login on `tty1` lets you run the same `journalctl`, `ip a`, `systemctl status` commands. The DE adds polish, not capability.

---

## Decision matrix

```
          Cobblestone has DE installed
                      |
          +-----------+----------+
          |                      |
    Operator works         Cobblestone is
    mainly on onyx?        daily-driver too?
          |                      |
         YES                     NO
          |                      |
   +------+------+            KEEP DE
   |             |
Mid-migration?  Settled?
   |             |
KEEP (soak)   STRIP NOW
30-day flip
```

Operator works mainly on onyx (yes), cobblestone is not a daily driver (no). We are mid-migration (services not yet moved). **Path: KEEP for soak, flip on 2026-06-05.**

---

## Recommendation: strip after 30-day soak

1. Leave the DE in place during the migration of the listed services.
2. Calendar a reminder for **2026-06-05** to revisit.
3. On that date, if no service troubleshooting still depends on a local browser/GUI editor, run the strip procedure below.
4. Install `cockpit` immediately (today) regardless — it is useful with or without the DE and gives a soft landing for "I just want to see disk usage".

Why not strip now: Tuwunel federation debugging, Misskey AGPL endpoint validation, and step-ca chain inspection sometimes benefit from a browser pointed at `localhost`. SSH port-forwarding from onyx covers 95% of that, but the first migration of each service is the worst time to discover the 5%.

Why not keep forever: cobblestone is not a workstation. Every Plasma/GNOME CVE becomes a patch obligation for zero return.

---

## Install instead of DE (do this today)

- **cockpit + cockpit-machines + cockpit-podman** — web admin on port 9090. Front it with a Traefik vhost `cobblestone.s8n.ru` behind Authentik OIDC. Drop-in for "show me disk/CPU/services in a UI".
- **lazydocker** — TUI for docker. Faster than `docker ps -a` for daily ops.
- **dive** — image-layer inspector. Useful when an image is 2 GB and you want to know why.
- **glances** — htop with optional web UI on port 61208 (firewall it; cockpit covers most cases).
- **mc** (midnight commander) — file manager replacement for the no-GUI case.
- **Claude Code on cobblestone** — separate decision; not blocking. Running it on cobblestone enables ssh-less ops and lets cron/agent jobs operate on the box natively. If installed, gate it behind the same SSO posture as cockpit.

---

## Strip commands per DE flavour

The operator has not confirmed which DE shipped. Run this first to identify it:

```
ls /usr/bin/*session* 2>/dev/null; dpkg -l | grep -E 'task-(xfce|gnome|kde|mate|cinnamon)-desktop'
```

**Important:** `task-*-desktop` is a meta-package. Removing it alone does NOT remove the desktop — you must remove the actual package set too, then `apt autoremove --purge`.

Always run `apt autoremove --purge` with caution: review the list before pressing `y`. It can sweep packages you wanted to keep if a DE dependency was the only reverse-dep.

### XFCE

```
# Globs are quoted so the shell passes them to apt instead of expanding them
# against files in the current directory.
sudo apt remove --purge \
  task-xfce-desktop xfce4 'xfce4-*' \
  lightdm lightdm-gtk-greeter \
  xorg 'xserver-xorg*' \
  plymouth plymouth-themes
sudo apt autoremove --purge
```

### GNOME

```
sudo apt remove --purge \
  task-gnome-desktop gnome-shell gnome-session 'gnome-*' \
  gdm3 \
  xorg 'xserver-xorg*' xwayland \
  plymouth plymouth-themes
sudo apt autoremove --purge
```

### KDE Plasma

```
sudo apt remove --purge \
  task-kde-desktop kde-plasma-desktop 'plasma-*' 'kde-*' \
  sddm 'sddm-theme-*' \
  xorg 'xserver-xorg*' xwayland \
  plymouth plymouth-themes
sudo apt autoremove --purge
```

### MATE

```
sudo apt remove --purge \
  task-mate-desktop mate-desktop-environment 'mate-*' \
  lightdm lightdm-gtk-greeter \
  xorg 'xserver-xorg*' \
  plymouth plymouth-themes
sudo apt autoremove --purge
```

### Cinnamon

```
sudo apt remove --purge \
  task-cinnamon-desktop cinnamon 'cinnamon-*' \
  lightdm lightdm-gtk-greeter \
  xorg 'xserver-xorg*' \
  plymouth plymouth-themes
sudo apt autoremove --purge
```

### After any of the above

```
# Boot to the text console instead of a graphical target
sudo systemctl set-default multi-user.target
# Stop and disable whichever display manager units still exist
sudo systemctl disable --now sddm gdm3 lightdm 2>/dev/null
sudo apt install --no-install-recommends cockpit cockpit-podman lazydocker mc glances
sudo reboot
```

Confirm `systemctl get-default` returns `multi-user.target` and `who` shows only ssh/console sessions after reboot.

---

## What breaks when you strip

| Lost capability | Replacement |
|---|---|
| Browser to test internal CA pages | `curl --cacert /etc/step-ca/certs/root_ca.crt https://...` or SSH port-forward from onyx |
| GUI text editor | vim / nano (already installed) |
| File manager | `mc` or shell |
| LightDM/SDDM/GDM autostart | `multi-user.target` (pure systemd) |
| Plymouth boot splash | Plain text scroll (better for debugging boot issues) |
| Local Firefox for OIDC login flows | Port-forward `ssh -L 9090:localhost:9090 cobblestone` from onyx, then hit `http://localhost:9090` in onyx Firefox |

None of these are losses for a service host. The text-scroll boot is arguably an upgrade — Plymouth hides the systemd unit that hung on boot, which is exactly the moment you need to see it.

---

## Open questions for the operator

1. Which DE actually shipped on cobblestone? (XFCE / GNOME / KDE / MATE / Cinnamon)
2. Strip-now or 30-day soak? Default recommendation is soak.
3. Install Claude Code on cobblestone? Out of scope for this doc, but related.
4. Cockpit vhost name confirmed as `cobblestone.s8n.ru`?

---

**Path:** `/home/admin/ai-lab/_github/infra/runbooks/DE-DECISION-cobblestone.md`
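
For the `apt autoremove --purge` caution in the strip section, one way to review the removal list mechanically is to run the strip as a simulation first and compare it against a keep-list. This is an added example, not part of the runbook; the `KEEP` list and the sample simulation output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the runbook. KEEP and SAMPLE_SIM are constructed.

# Packages this host must retain (assumed list; edit for your services).
KEEP="openssh-server docker-ce cockpit network-manager ca-certificates"

# Read `apt-get -s ...` output on stdin and print each package it would
# remove. Simulated removals appear as "Remv pkg [ver]" or "Purg pkg [ver]".
swept_packages() {
    awk '$1 == "Remv" || $1 == "Purg" { sub(/:.*/, "", $2); print $2 }' | sort -u
}

# Print the KEEP packages found in the simulated removal set.
# Returns 0 when none are affected, 1 otherwise.
keepers_at_risk() {
    swept=$(swept_packages)
    hits=""
    for pkg in $KEEP; do
        if printf '%s\n' "$swept" | grep -qxF -- "$pkg"; then
            hits="${hits:+$hits }$pkg"
        fi
    done
    printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# Constructed simulation output in which the DE was the only reverse-dep
# of network-manager.
SAMPLE_SIM='Reading package lists...
The following packages will be REMOVED:
  lightdm* network-manager* xfce4* xserver-xorg-core*
Purg xfce4 [4.18]
Purg lightdm [1.26.0-8]
Purg xserver-xorg-core [2:21.1.7-3]
Purg network-manager [1.42.4-1]'

if at_risk=$(printf '%s\n' "$SAMPLE_SIM" | keepers_at_risk); then
    echo "OK: no kept package would be removed"
else
    echo "STOP: simulation removes kept packages: $at_risk"
fi
# Real use (no root needed for -s):
#   apt-get -s remove --purge --auto-remove task-xfce-desktop 'xfce4-*' | keepers_at_risk
```

A non-zero exit means the strip should not proceed until the listed packages are marked manual with `apt-mark manual`.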
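
To back the post-reboot confirmation with a package-level check, the following added example (not part of the runbook) audits dpkg state for display-manager, display-server and boot-splash packages that survived the strip, which is what happens when only the `task-*-desktop` meta-package is removed. The pattern covers only the packages common to the flavours listed above, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the runbook. SAMPLE_DPKG is constructed.
# Expected input: dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n'

# Display managers, X/Wayland servers, boot splash and task meta-packages
# named in the strip commands on this page.
DE_PATTERN='^(sddm|gdm3|lightdm|plymouth|xwayland|xorg|xserver-xorg|task-[a-z]+-desktop)'

# Print "state package" for every matching package dpkg still knows about.
de_residue() {
    awk -v pat="$DE_PATTERN" '$2 ~ pat { print $1, $2 }'
}

# Classify the host:
#   installed    at least one matching package is still installed (state i*)
#   config-only  only removed-but-not-purged entries remain (state r*)
#   clean        nothing matching is left
strip_status() {
    de_residue | awk '
        $1 ~ /^i/ { inst = 1 }
        $1 ~ /^r/ { conf = 1 }
        END { print (inst ? "installed" : (conf ? "config-only" : "clean")) }'
}

# Constructed listing: meta-package removed, but the X server and plymouth
# are still installed and lightdm left its config behind.
SAMPLE_DPKG='ii  openssh-server
ii  xserver-xorg-core
rc  lightdm
ii  plymouth
ii  cockpit'

echo "status: $(printf '%s\n' "$SAMPLE_DPKG" | strip_status)"
printf '%s\n' "$SAMPLE_DPKG" | de_residue
# Real use:
#   dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' | strip_status
```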