veilor-org/infra
1
0
Fork 0
Code Issues 7 Pull requests Projects Releases Packages Wiki Activity Actions
infra/runbooks/COBBLESTONE-INTAKE.md
s8n f59a6e90d0 infra: STATE.md + cobblestone intake template 
STATE.md = source-of-truth for current state + pending decisions.
Append to changelog when state changes. Don't rewrite history.

COBBLESTONE-INTAKE.md = template the operator fills before agent A2
runs the cobblestone audit. Captures network/SSH/hardware/OS/docker
state + operator-driven migration decisions (LUKS, DE, userns-remap,
RC revive-or-retire, Headscale SPOF, cockpit).
2026-05-06 10:12:50 +01:00

2.5 KiB
Raw Permalink Blame History

Cobblestone intake — operator hand-off

When operator brings cobblestone online for migration prep, fill in this template, then unblock agent A2 (cobblestone audit).

Network

Field Value Notes
LAN IP TBD static recommended; reservation in router OR static /etc/network/interfaces
Hostname cobblestone matches CLAUDE.md device registry
Tailscale IP TBD (when joined) preserve via /var/lib/tailscale/state carry-over OR re-enroll
MAC TBD
Router port-forwards TBD: 80, 443, 25565, ?222 222 for Forgejo SSH (long-deferred fix from nullstone era)

SSH

Field Value
Default user TBD (Debian default = first-install user)
ssh key from onyx authorized? TBD (if no, run ssh-copy-id <user>@<ip>)
sshd config hardened?

After hand-over, add to ~/.ssh/config on onyx:

Host cobblestone
    HostName <IP>
    User user
    IdentityFile ~/.ssh/id_ed25519

Hardware

Field Value
CPU TBD (model + cores)
RAM TBD (GB)
Disk(s) TBD (NVMe? SATA SSD? size?)
GPU TBD (none / iGPU / discrete)
TPM2 chip TBD (ls /dev/tpm*)

OS state

Field Value
Debian version TBD (cat /etc/debian_version)
Kernel TBD (uname -r)
LUKS at install TBD (lsblk -f looking for crypto_LUKS) ⚠️
Desktop env TBD (XFCE / GNOME / KDE / MATE / Cinnamon)
Display manager TBD (systemctl status display-manager)

⚠️ If LUKS=NO at install: see DE-DECISION-cobblestone.md section "post-install LUKS-on-file fallback". Better to reinstall with LUKS2 from scratch — this is the F4 regression fix.

Docker

Field Value
Docker installed TBD
Version TBD
daemon.json not yet — match nullstone pattern
userns-remap DROP per migration recommendation

Operator-driven decisions (fill before cutover)

  • LUKS reinstall: yes / LUKS-on-file fallback / accept-no-LUKS
  • DE: strip-now / 30-day soak then strip / keep-forever
  • userns-remap: drop / keep
  • RocketChat: revive on cobblestone / retire (delete volumes)
  • Headscale + step-ca: keep on cobblestone / move to $4 VPS
  • cockpit web admin: install / skip

Once filled in

Commit + push this file. Then say "agent A2 go" — A2 ssh's into cobblestone, runs the audit commands from MIGRATION-...md section 1, writes COBBLESTONE-AUDIT-<date>.md next to this file.