tier-1: validate deployment, docs, and Secrix workflow

- nix flake check passes (minor warnings only)
- nix build produces valid derivation
- docs/deployment.md: complete deployment workflow
- phase plan updated with Secrix validation task

1 files changed, 53 insertions, 0 deletions

diff --git a/docs/deployment.md b/docs/deployment.md
new file mode 100644
index 0000000..3438301
--- /dev/null
+++ b/docs/deployment.md
@@ -0,0 +1,53 @@
+# Deployment Documentation for CrashOverBurn Web Server
+
+## Overview
+
+This document outlines the deployment process for the CrashOverBurn web server to the target host `crash-over-burn-1` at IP address `193.16.42.36`.
+
+## Prerequisites
+
+- Nix with flakes enabled
+- SSH access to the target host
+- Secrix keys configured
+
+## Deployment Commands
+
+### Validate
+```
+nix flake check --option builders ''
+```
+
+### Build
+```
+nix build .#nixosConfigurations.crash-over-burn-1.config.system.build.toplevel --option builders ''
+```
+
+### Deploy via nixinate
+```
+nix run .#crash-over-burn-1
+```
+
+## Secrix Commands
+
+### Validate recipients
+```
+nix run .#secrix -- -l
+```
+
+### Encrypt a new secret
+```
+nix run .#secrix encrypt ./secrets/<path> -- --all-users -s crash-over-burn-1
+```
+
+## Post-Deployment
+
+- Verify services are running
+- Check logs: `journalctl -u uwsgi` etc.
+
+## Rollback Procedure
+
+If deployment fails, rollback to the previous system generation by running:
+```
+sudo nixos-rebuild switch --rollback
+```
+on the target host. This will revert to the last known good configuration.
\ No newline at end of file