infra/runbooks/DE-DECISION-cobblestone.md
s8n 09d80a63f6 init: nullstone deploys + runbooks + audits
Sourced from previous audits + agent-wave outputs (2026-05-05):
  AUDIT-2026-05-05.md           — 5-agent stack synthesis
  forgejo/DEPLOY.md             — git.s8n.ru deploy runbook
  forgejo/forgejo-compose.yml   — production compose
  forgejo/runner-compose.yml    — forgejo-runner
  forgejo/migration-report-...  — GH→Forgejo migration audit (6/6 green)
  runbooks/MIGRATION-...        — nullstone→cobblestone runbook
  runbooks/DE-DECISION-...      — keep-vs-strip DE on cobblestone
  repos/REPO-AUDIT-2026-05-05.md — repo trees + ownership
2026-05-06 10:02:28 +01:00


# Cobblestone Desktop Environment: Keep or Strip
**Status:** Decision pending operator confirmation of which DE shipped.

**Date:** 2026-05-06

**Scope:** cobblestone (Debian server, fresh install with DE present).

---
## TL;DR
Cobblestone is a service host, not a workstation. The operator already has a Fedora 43 KDE laptop (onyx) for daily driving and a precedent (nullstone) for headless servers. A desktop environment on cobblestone costs ~500 MB RAM, 58 GB disk, and an attack surface dominated by Xorg/Wayland plus the DE session manager — none of which earns its keep once the box is in steady state. The honest counter-argument is bring-up convenience: during the first few weeks of migrating Traefik, Forgejo, Authentik, Headscale, step-ca, Matrix (Tuwunel + LiveKit), Misskey, Pi-hole, n8n, and Minecraft, an operator who needs to debug TLS chains or federation handshakes may want a local browser. Recommendation: **strip after a 30-day soak (target 2026-06-05)**, install `cockpit` behind Authentik OIDC at `cobblestone.s8n.ru` for occasional GUI-feeling admin, and treat the bare console (HDMI + USB keyboard) as the recovery path. Strip-now is also defensible if the operator is comfortable doing all bring-up via SSH from onyx — that is genuinely how nullstone runs today.

---
## Side-by-side comparison
| Axis | Keep DE | Strip DE |
|---|---|---|
| RAM idle | ~500 MB | ~50 MB |
| Disk | ~58 GB | ~400 MB |
| Attack surface | Xorg/Wayland + DM (sddm/gdm3/lightdm) + ~200 GUI deps + plymouth | sshd + cron + journalctl + dockerd |
| Recovery (network down) | Plug monitor + kbd, GUI login, debug | Plug monitor + kbd, console login, debug |
| Update cadence | Track DE CVEs (KDE Plasma is frequent; GNOME less so; XFCE quiet) | Kernel + sshd + dockerd only |
| Useful when | First 24h bring-up; Firefox to hit internal CA pages; rare on-box troubleshooting | Almost always after week 1 |
**Key insight on recovery:** the GUI login does *not* save you when the network is down. A console login on `tty1` lets you run the same `journalctl`, `ip a`, `systemctl status` commands. The DE adds polish, not capability.

---
## Decision matrix
```
        Cobblestone has DE installed
                    |
         +----------+----------+
         |                     |
  Operator works         Cobblestone is
  mainly on onyx?        daily-driver too?
         |                     |
        YES                    NO
         |                     |
    +----+----+             KEEP DE
    |         |
Mid-migration?  Settled?
    |              |
KEEP (soak)    STRIP NOW
30-day flip
```
Operator works mainly on onyx (yes), cobblestone is not a daily driver (no). We are mid-migration (services not yet moved). **Path: KEEP for soak, flip on 2026-06-05.**

---
## Recommendation: strip after 30-day soak
1. Leave the DE in place during the migration of the listed services.
2. Calendar a reminder for **2026-06-05** to revisit.
3. On that date, if no service troubleshooting still depends on a local browser/GUI editor, run the strip procedure below.
4. Install `cockpit` immediately (today) regardless — it is useful with or without the DE and gives a soft landing for "I just want to see disk usage".
Why not strip now: Tuwunel federation debugging, Misskey AGPL endpoint validation, and step-ca chain inspection sometimes benefit from a browser pointed at `localhost`. SSH port-forwarding from onyx covers 95% of that, but the first migration of each service is the worst time to discover the 5%.
Why not keep forever: cobblestone is not a workstation. Every Plasma/GNOME CVE becomes a patch obligation for zero return.

---
## Install instead of DE (do this today)
- **cockpit + cockpit-machines + cockpit-podman** — web admin on port 9090. Front it with a Traefik vhost `cobblestone.s8n.ru` behind Authentik OIDC. Drop-in for "show me disk/CPU/services in a UI".
- **lazydocker** — TUI for docker. Faster than `docker ps -a` for daily ops.
- **dive** — image-layer inspector. Useful when an image is 2 GB and you want to know why.
- **glances** — htop with optional web UI on port 61208 (firewall it; cockpit covers most cases).
- **mc** (midnight commander) — file manager replacement for the no-GUI case.
- **Claude Code on cobblestone** — separate decision; not blocking. Running it on cobblestone enables ssh-less ops and lets cron/agent jobs operate on the box natively. If installed, gate it behind the same SSO posture as cockpit.

---
## Strip commands per DE flavour
The operator has not confirmed which DE shipped. Run `ls /usr/bin/*session* 2>/dev/null; dpkg -l | grep -E 'task-(xfce|gnome|kde|mate|cinnamon)-desktop'` first to identify it.
**Important:** `task-*-desktop` is a meta-package. Removing it alone does NOT remove the desktop — you must remove the actual package set too, then `apt autoremove --purge`. Always run `apt autoremove --purge` with caution: review the list before pressing `y`. It can sweep packages you wanted to keep if a DE dependency was the only reverse-dep.
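An added guard for the two checks above (identify the flavour, and review what the purge would sweep before pressing `y`), using `apt-get -s` to simulate the removal. This is example code, not part of the runbook; `KEEP_LIST`, the function names and the sample command outputs are assumptions/constructed.

```shell
# Hypothetical guard for the strip procedure (not part of the runbook).
# KEEP_LIST is an assumption: packages cobblestone must retain after the strip.
KEEP_LIST="openssh-server docker-ce containerd.io cron cockpit"

# Print the unique package names that `apt-get -s` output (stdin) would remove or purge.
removed_from_simulation() {
    awk '$1 == "Remv" || $1 == "Purg" { print $2 }' | sort -u
}

# $1 = captured `apt-get -s remove --purge ...` output.
# Returns 0 if nothing from KEEP_LIST would go, 1 otherwise (offenders on stderr).
check_keep_list() {
    sim=$1
    rc=0
    for pkg in $KEEP_LIST; do
        if printf '%s\n' "$sim" | removed_from_simulation | grep -qx "$pkg"; then
            echo "REFUSE: $pkg would be removed by this strip" >&2
            rc=1
        fi
    done
    return $rc
}

# Read `dpkg -l` output from stdin; print xfce/gnome/kde/mate/cinnamon, or "unknown".
detect_flavour() {
    f=$(grep -oE 'task-(xfce|gnome|kde|mate|cinnamon)-desktop' \
        | sed -E 's/task-(.*)-desktop/\1/' | sort -u | head -n 1)
    echo "${f:-unknown}"
}

# Constructed sample resembling apt simulation output: the broad `kde-*` pattern has
# dragged openssh-server into the purge set, which is the case the guard must catch.
SAMPLE_SIM='Reading package lists...
Purg task-kde-desktop [3.73]
Purg sddm [0.19.0-5]
Remv plasma-workspace [4:5.27.5-2]
Purg openssh-server [1:9.2p1-2]'

# Constructed `dpkg -l` excerpt for the detection step.
SAMPLE_DPKG='ii  task-kde-desktop  3.73  all  KDE Plasma
ii  sddm  0.19.0-5  amd64  display manager'

# Stand-alone demo; on a real host replace the samples with live command output.
demo() {
    printf 'Detected DE flavour: %s\n' "$(printf '%s\n' "$SAMPLE_DPKG" | detect_flavour)"
    check_keep_list "$SAMPLE_SIM" && echo "simulation clean" || echo "simulation rejected"
}
demo
```

On cobblestone the real inputs are `dpkg -l | detect_flavour` and `check_keep_list "$(sudo apt-get -s remove --purge <pattern set>)"`; only run the un-simulated command once the guard passes.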
### XFCE
```
# Patterns are quoted so the shell cannot expand them against files in $PWD;
# apt then treats them as unanchored regexes ('xfce4-*' matches any name containing "xfce4").
sudo apt remove --purge \
  task-xfce-desktop xfce4 'xfce4-*' \
  lightdm lightdm-gtk-greeter \
  xorg 'xserver-xorg*' \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### GNOME
```
# Patterns quoted for the same reason as above; note 'gnome-*' matches any name containing "gnome",
# so review the proposed removal list before confirming.
sudo apt remove --purge \
  task-gnome-desktop gnome-shell gnome-session 'gnome-*' \
  gdm3 \
  xorg 'xserver-xorg*' xwayland \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### KDE Plasma
```
# Patterns quoted for the same reason as above; 'kde-*' matches any name containing "kde",
# which is the broadest of these sets, so review the proposed removal list carefully.
sudo apt remove --purge \
  task-kde-desktop kde-plasma-desktop 'plasma-*' 'kde-*' \
  sddm 'sddm-theme-*' \
  xorg 'xserver-xorg*' xwayland \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### MATE
```
# Patterns quoted for the same reason as above ('mate-*' matches any name containing "mate").
sudo apt remove --purge \
  task-mate-desktop mate-desktop-environment 'mate-*' \
  lightdm lightdm-gtk-greeter \
  xorg 'xserver-xorg*' \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### Cinnamon
```
# Patterns quoted for the same reason as above ('cinnamon-*' matches any name containing "cinnamon").
sudo apt remove --purge \
  task-cinnamon-desktop cinnamon 'cinnamon-*' \
  lightdm lightdm-gtk-greeter \
  xorg 'xserver-xorg*' \
  plymouth plymouth-themes
sudo apt autoremove --purge
```
### After any of the above
```
sudo systemctl set-default multi-user.target
sudo systemctl disable --now sddm gdm3 lightdm 2>/dev/null
sudo apt install --no-install-recommends cockpit cockpit-podman lazydocker mc glances
sudo reboot
```
Confirm `systemctl get-default` returns `multi-user.target` and `who` shows only ssh/console sessions after reboot.

---
## What breaks when you strip
| Lost capability | Replacement |
|---|---|
| Browser to test internal CA pages | `curl --cacert /etc/step-ca/certs/root_ca.crt https://...` or SSH port-forward from onyx |
| GUI text editor | vim / nano (already installed) |
| File manager | `mc` or shell |
| LightDM/SDDM/GDM autostart | `multi-user.target` (pure systemd) |
| Plymouth boot splash | Plain text scroll (better for debugging boot issues) |
| Local Firefox for OIDC login flows | Port-forward `ssh -L 9090:localhost:9090 cobblestone` from onyx, then hit `http://localhost:9090` in onyx Firefox |
None of these are losses for a service host. The text-scroll boot is arguably an upgrade — Plymouth hides the systemd unit that hung on boot, which is exactly the moment you need to see it.

---
## Open questions for the operator
1. Which DE actually shipped on cobblestone? (XFCE / GNOME / KDE / MATE / Cinnamon)
2. Strip-now or 30-day soak? Default recommendation is soak.
3. Install Claude Code on cobblestone? Out of scope for this doc, but related.
4. Cockpit vhost name confirmed as `cobblestone.s8n.ru`?

---
**Path:** `/home/admin/ai-lab/_github/infra/runbooks/DE-DECISION-cobblestone.md`