infra/runbooks/DE-DECISION-cobblestone.md
s8n 09d80a63f6 init: nullstone deploys + runbooks + audits
Sourced from previous audits + agent-wave outputs (2026-05-05):
  AUDIT-2026-05-05.md           — 5-agent stack synthesis
  forgejo/DEPLOY.md             — git.s8n.ru deploy runbook
  forgejo/forgejo-compose.yml   — production compose
  forgejo/runner-compose.yml    — forgejo-runner
  forgejo/migration-report-...  — GH→Forgejo migration audit (6/6 green)
  runbooks/MIGRATION-...        — nullstone→cobblestone runbook
  runbooks/DE-DECISION-...      — keep-vs-strip DE on cobblestone
  repos/REPO-AUDIT-2026-05-05.md — repo trees + ownership
2026-05-06 10:02:28 +01:00


Cobblestone Desktop Environment: Keep or Strip

Status: Decision pending operator confirmation of which DE shipped.
Date: 2026-05-06
Scope: cobblestone (Debian server, fresh install with DE present).


TL;DR

Cobblestone is a service host, not a workstation. The operator already has a Fedora 43 KDE laptop (onyx) for daily driving and a precedent (nullstone) for headless servers. A desktop environment on cobblestone costs ~500 MB RAM, 58 GB disk, and an attack surface dominated by Xorg/Wayland plus the DE session manager — none of which earns its keep once the box is in steady state. The honest counter-argument is bring-up convenience: during the first few weeks of migrating Traefik, Forgejo, Authentik, Headscale, step-ca, Matrix (Tuwunel + LiveKit), Misskey, Pi-hole, n8n, and Minecraft, an operator who needs to debug TLS chains or federation handshakes may want a local browser. Recommendation: strip after a 30-day soak (target 2026-06-05), install cockpit behind Authentik OIDC at cobblestone.s8n.ru for occasional GUI-feeling admin, and treat the bare console (HDMI + USB keyboard) as the recovery path. Strip-now is also defensible if the operator is comfortable doing all bring-up via SSH from onyx — that is genuinely how nullstone runs today.


Side-by-side comparison

| Axis | Keep DE | Strip DE |
|---|---|---|
| RAM idle | ~500 MB | ~50 MB |
| Disk | ~58 GB | ~400 MB |
| Attack surface | Xorg/Wayland + DM (sddm/gdm3/lightdm) + ~200 GUI deps + plymouth | sshd + cron + journalctl + dockerd |
| Recovery (network down) | Plug monitor + kbd, GUI login, debug | Plug monitor + kbd, console login, debug |
| Update cadence | Track DE CVEs (KDE Plasma is frequent; GNOME less so; XFCE quiet) | Kernel + sshd + dockerd only |
| Useful when | First 24h bring-up; Firefox to hit internal CA pages; rare on-box troubleshooting | Almost always after week 1 |

Key insight on recovery: the GUI login does not save you when the network is down. A console login on tty1 lets you run the same journalctl, ip a, systemctl status commands. The DE adds polish, not capability.


Decision matrix

                 Cobblestone has DE installed
                            |
              Operator works mainly on onyx?
                   |                    |
                  YES                   NO
                   |                    |
            Mid-migration?      Cobblestone is a
             |          |       daily driver too
            YES         NO              |
             |          |            KEEP DE
        KEEP (soak)  STRIP NOW
        30-day flip

Operator works mainly on onyx (yes), cobblestone is not a daily driver (no). We are mid-migration (services not yet moved). Path: KEEP for soak, flip on 2026-06-05.


Recommendation: strip after 30-day soak

  1. Leave the DE in place during the migration of the listed services.
  2. Calendar a reminder for 2026-06-05 to revisit.
  3. On that date, if no service troubleshooting still depends on a local browser/GUI editor, run the strip procedure below.
  4. Install cockpit immediately (today) regardless — it is useful with or without the DE and gives a soft landing for "I just want to see disk usage".

Why not strip now: Tuwunel federation debugging, Misskey AGPL endpoint validation, and step-ca chain inspection sometimes benefit from a browser pointed at localhost. SSH port-forwarding from onyx covers 95% of that, but the first migration of each service is the worst time to discover the 5%.

Why not keep forever: cobblestone is not a workstation. Every Plasma/GNOME CVE becomes a patch obligation for zero return.


Install instead of DE (do this today)

  • cockpit + cockpit-machines + cockpit-podman — web admin on port 9090. Front it with a Traefik vhost cobblestone.s8n.ru behind Authentik OIDC. Drop-in for "show me disk/CPU/services in a UI".
  • lazydocker — TUI for docker. Faster than docker ps -a for daily ops.
  • dive — image-layer inspector. Useful when an image is 2 GB and you want to know why.
  • glances — htop with optional web UI on port 61208 (firewall it; cockpit covers most cases).
  • mc (midnight commander) — file manager replacement for the no-GUI case.
  • Claude Code on cobblestone — separate decision; not blocking. Running it on cobblestone enables ssh-less ops and lets cron/agent jobs operate on the box natively. If installed, gate it behind the same SSO posture as cockpit.
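Putting cockpit behind a TLS-terminating Traefik vhost needs three settings in /etc/cockpit/cockpit.conf that the bullet above does not spell out; without the Origins line cockpit refuses the proxied websocket, and the ProtocolHeader line is only safe if port 9090 is unreachable except through the proxy. The following script is an added example, not part of the runbook or of cockpit's own tooling: it renders that section for a vhost name given on the command line (the runbook's candidate is cobblestone.s8n.ru, still an open question there) and installs it only when asked to. The hostname check and the assumption that the proxy sits on the same host are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the runbook): render the cockpit.conf settings that
# cockpit needs when it sits behind a TLS-terminating reverse proxy such as the
# Traefik vhost the runbook proposes. The vhost name is an argument.
set -euo pipefail

# Accept only a plain DNS hostname, so a stray scheme or path cannot end up in
# the Origins line and silently widen which origins cockpit trusts.
valid_vhost() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Print the [WebService] section for /etc/cockpit/cockpit.conf.
#  Origins          - cockpit rejects websocket connections from any other origin
#  ProtocolHeader   - trust X-Forwarded-Proto to learn the client used TLS; only
#                     safe when clients cannot reach 9090 except via the proxy,
#                     which overwrites that header itself
#  AllowUnencrypted - the proxy terminates TLS, so the hop to cockpit is plain HTTP
render_cockpit_conf() {
  local vhost=$1
  valid_vhost "$vhost" || { echo "refusing vhost '$vhost'" >&2; return 1; }
  printf '[WebService]\nOrigins = https://%s\nProtocolHeader = X-Forwarded-Proto\nAllowUnencrypted = true\n' "$vhost"
}

# Write the file and restart the socket; only runs when invoked with --install <vhost>.
install_cockpit_conf() {
  local vhost=$1
  render_cockpit_conf "$vhost" | sudo tee /etc/cockpit/cockpit.conf >/dev/null
  sudo systemctl restart cockpit.socket
  # Assumption: the proxy runs on this host and reaches cockpit on 127.0.0.1:9090;
  # nothing else should be able to talk to 9090 directly.
  echo "remember to firewall tcp/9090 from everything but the proxy"
}

if [ "${1:-}" = "--install" ]; then install_cockpit_conf "${2:?vhost required}"; fi
```

Run it as `./cockpit-proxy.sh --install cobblestone.s8n.ru` once the vhost name is confirmed; without arguments it only defines the functions, so it can be sourced to inspect `render_cockpit_conf` output first.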

Strip commands per DE flavour

The operator has not confirmed which DE shipped. Run ls /usr/bin/*session* 2>/dev/null; dpkg -l | grep -E 'task-(xfce|gnome|kde|mate|cinnamon)-desktop' first to identify it.

Important: task-*-desktop is a meta-package. Removing it alone does NOT remove the desktop — you must remove the actual package set too, then apt autoremove --purge. Always run apt autoremove --purge with caution: review the list before pressing y. It can sweep packages you wanted to keep if a DE dependency was the only reverse-dep.

XFCE

# Patterns are quoted so the shell cannot glob-expand them against the current
# directory; apt reads a name containing '*' as an unanchored regex, so review
# the removal list it proposes before confirming.
sudo apt remove --purge \
  task-xfce-desktop xfce4 'xfce4-*' \
  lightdm lightdm-gtk-greeter \
  xorg 'xserver-xorg*' \
  plymouth plymouth-themes
sudo apt autoremove --purge

GNOME

# Patterns quoted so the shell does not glob them; 'gnome-*' is an unanchored
# regex to apt and also matches e.g. network-manager-gnome, so review the list.
sudo apt remove --purge \
  task-gnome-desktop gnome-shell gnome-session 'gnome-*' \
  gdm3 \
  xorg 'xserver-xorg*' xwayland \
  plymouth plymouth-themes
sudo apt autoremove --purge

KDE Plasma

# Patterns quoted so the shell does not glob them; 'kde-*' and 'plasma-*' are
# unanchored regexes to apt, so review the proposed removal list.
sudo apt remove --purge \
  task-kde-desktop kde-plasma-desktop 'plasma-*' 'kde-*' \
  sddm 'sddm-theme-*' \
  xorg 'xserver-xorg*' xwayland \
  plymouth plymouth-themes
sudo apt autoremove --purge

MATE

# Patterns quoted so the shell does not glob them before apt sees them.
sudo apt remove --purge \
  task-mate-desktop mate-desktop-environment 'mate-*' \
  lightdm lightdm-gtk-greeter \
  xorg 'xserver-xorg*' \
  plymouth plymouth-themes
sudo apt autoremove --purge

Cinnamon

# Patterns quoted so the shell does not glob them before apt sees them.
sudo apt remove --purge \
  task-cinnamon-desktop cinnamon 'cinnamon-*' \
  lightdm lightdm-gtk-greeter \
  xorg 'xserver-xorg*' \
  plymouth plymouth-themes
sudo apt autoremove --purge

After any of the above

sudo systemctl set-default multi-user.target
# Display managers that are not installed just produce a "does not exist" error, hence 2>/dev/null
sudo systemctl disable --now sddm gdm3 lightdm 2>/dev/null
# lazydocker is, to my knowledge, not in Debian's repositories; if apt cannot
# locate it, drop it from this line and install the upstream release separately
sudo apt install --no-install-recommends cockpit cockpit-podman lazydocker mc glances
sudo reboot

Confirm systemctl get-default returns multi-user.target and who shows only ssh/console sessions after reboot.
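The identification step, the "review the list before pressing y" caveat and the post-reboot confirmation above fit naturally into one script. The following is an added example, not part of the runbook: `detect` reads `dpkg -l` and Debian's default-display-manager file to name the flavour and display manager, `preview` runs apt in simulate mode with the runbook's pattern set for that flavour and prints only what would be purged, and `verify` checks the default target, the DM units and `who` after the reboot. The sample dpkg and who lines in the comments and tests are constructed; the "graphical session" heuristic (an X display like `(:0)` or a login on tty7) is mine.

```shell
#!/usr/bin/env bash
# Added example, not part of the runbook: identify which DE cobblestone shipped
# with, dry-run the strip so the apt removal list can be reviewed before any
# "y", and verify the headless state after reboot.
set -euo pipefail

# Package patterns the runbook removes per flavour. apt treats a name that
# contains '*' as an unanchored POSIX regex (so 'gnome-*' also matches
# e.g. network-manager-gnome); that is why the dry run below matters.
strip_patterns() {
  case "$1" in
    xfce)     echo "task-xfce-desktop xfce4 xfce4-* lightdm lightdm-gtk-greeter xorg xserver-xorg* plymouth plymouth-themes" ;;
    gnome)    echo "task-gnome-desktop gnome-shell gnome-session gnome-* gdm3 xorg xserver-xorg* xwayland plymouth plymouth-themes" ;;
    kde)      echo "task-kde-desktop kde-plasma-desktop plasma-* kde-* sddm sddm-theme-* xorg xserver-xorg* xwayland plymouth plymouth-themes" ;;
    mate)     echo "task-mate-desktop mate-desktop-environment mate-* lightdm lightdm-gtk-greeter xorg xserver-xorg* plymouth plymouth-themes" ;;
    cinnamon) echo "task-cinnamon-desktop cinnamon cinnamon-* lightdm lightdm-gtk-greeter xorg xserver-xorg* plymouth plymouth-themes" ;;
    *) echo "unknown flavour: $1" >&2; return 1 ;;
  esac
}

# Read `dpkg -l` output on stdin; print each flavour whose task meta-package is
# actually installed ("ii"), skipping removed-but-config-left ("rc") entries.
# Constructed sample line: "ii  task-kde-desktop  3.73  all  KDE Plasma"
detect_de() {
  awk '$1 == "ii" && $2 ~ /^task-(xfce|gnome|kde|mate|cinnamon)-desktop$/ {
         sub(/^task-/, "", $2); sub(/-desktop$/, "", $2); print $2 }'
}

# Display manager from Debian's default-display-manager file ($1 = its path,
# normally /etc/X11/default-display-manager); prints "none" if absent.
detect_dm() {
  [ -r "$1" ] || { echo none; return 0; }
  basename "$(head -n1 "$1")"
}

# Read `who` output on stdin; succeed if any line looks like a graphical
# session (heuristic: an X display such as "(:0)" or a login on tty7).
who_has_gui() {
  grep -Eq '\(:[0-9]+\)|[[:space:]]tty7[[:space:]]'
}

# Simulate the removal and print only the packages apt would purge, sorted.
# set -f stops the shell from expanding patterns like 'xfce4-*' against
# the current directory before apt sees them.
preview_strip() {
  local flavour=$1
  set -f
  # shellcheck disable=SC2046
  apt-get -s remove --purge $(strip_patterns "$flavour") 2>&1 | awk '$1 == "Remv" { print $2 }' | sort
  set +f
}

# Post-reboot checks from the runbook: default target, no DM enabled, no GUI session.
verify_headless() {
  local target dm
  target=$(systemctl get-default)
  [ "$target" = multi-user.target ] || { echo "default target is $target" >&2; return 1; }
  for dm in sddm gdm3 lightdm; do
    if systemctl is-enabled "$dm" >/dev/null 2>&1; then echo "$dm is still enabled" >&2; return 1; fi
  done
  if who | who_has_gui; then echo "a graphical session is still logged in" >&2; return 1; fi
  echo "headless OK: $target, no display manager enabled, no graphical sessions"
}

main() {
  case "${1:-}" in
    detect)  dpkg -l | detect_de; detect_dm /etc/X11/default-display-manager ;;
    preview) preview_strip "${2:?flavour required}" ;;
    verify)  verify_headless ;;
    *) echo "usage: $0 detect | preview <xfce|gnome|kde|mate|cinnamon> | verify" >&2; return 2 ;;
  esac
}

# Only act when invoked with a sub-command, so sourcing the file for its
# functions (or running it with no arguments) has no side effects.
if [ $# -gt 0 ]; then main "$@"; fi
```

Typical sequence on the flip date: `./de-strip.sh detect`, then `./de-strip.sh preview kde` (or whichever flavour `detect` printed) and read the list for anything the services still need, then the runbook's strip commands, then `./de-strip.sh verify` after the reboot. `preview` needs no root because `apt-get -s` only simulates.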


What breaks when you strip

| Lost capability | Replacement |
|---|---|
| Browser to test internal CA pages | curl --cacert /etc/step-ca/certs/root_ca.crt https://... or SSH port-forward from onyx |
| GUI text editor | vim / nano (already installed) |
| File manager | mc or shell |
| LightDM/SDDM/GDM autostart | multi-user.target (pure systemd) |
| Plymouth boot splash | Plain text scroll (better for debugging boot issues) |
| Local Firefox for OIDC login flows | Port-forward ssh -L 9090:localhost:9090 cobblestone from onyx, then hit http://localhost:9090 in onyx Firefox |

None of these are losses for a service host. The text-scroll boot is arguably an upgrade — Plymouth hides the systemd unit that hung on boot, which is exactly the moment you need to see it.


Open questions for the operator

  1. Which DE actually shipped on cobblestone? (XFCE / GNOME / KDE / MATE / Cinnamon)
  2. Strip-now or 30-day soak? Default recommendation is soak.
  3. Install Claude Code on cobblestone? Out of scope for this doc, but related.
  4. Cockpit vhost name confirmed as cobblestone.s8n.ru?
