# AGENTS.md - CrashOverBurn Web Server

## Core Commands

```bash
# Validate flake (ALWAYS use --option builders '')
nix flake check --option builders ''

# Build system derivation
nix build .#nixosConfigurations.crash-over-burn-1.config.system.build.toplevel --option builders ''

# Deploy (nixinate - the CORRECT deployment tool, never replace it)
nix run .#crash-over-burn-1

# Run remote command on crash-over-burn-1 (193.16.42.36:1108)
nix run .#remote-command -- ""

# Validate Secrix recipients
nix run .#secrix -- -l
```

## Key Facts

- **Deployment target**: 193.16.42.36, port 1108, user: commander
- **Services**: cgit, ejabberd (XMPP), murmur (Mumble), movim (social), mailserver, nginx
- **Secrets**: Encrypted via age/Secrix in `secrets/`
- **State persisted**: `/persist/` directories
- **Git hosting**: code.crashoverburn.com (cgit + gitolite)

## Git Repositories

| Repository | Visibility | Description |
|------------|------------|-------------|
| testing | Public | Gitolite test repo |
| nixtaml | Public | Main Nix flake (mirrored from GitHub) |
| nixtaml-website | Public | Website content repo |
| crash-web | Private | SSH auth only |
| gitolite-admin | Private | Gitolite admin config |

**Gitolite admin folder**: `/speed-storage/repo/crash-git/gitolite-admin/` (sibling to this repo)

## cgit Visibility Control

Public/private visibility uses `strict-export=git-daemon-export-ok`:

- **Public repos**: Have `git-daemon-export-ok` file (created declaratively via Nix)
- **Private repos**: No marker file = hidden from web, SSH access only

## Gotchas

1. **Nixinate is NOT legacy**. It is the bleeding edge of correct deployment tools. Never suggest replacing it with `nixos-rebuild`.
2. **Always use `--option builders ''`** with nix commands per fleet directives.
3. **Secrix encryption requires both user AND host key** - validate with `nix run .#secrix -- -l` before deploying.
4. **Deprecated options**:
   - `services.xserver.layout` → `services.xserver.xkb.layout`
   - `devShell` → `devShells.x86_64-linux.default`
5. **NEVER make imperative changes to remote** - all config must go through Nix or gitolite-admin.
6. **Verify cgit** via: `nix run .#remote-command -- "systemctl status uwsgi"`
7. **cgit accessible at root**: https://code.crashoverburn.com/ (not /git/)

## Phase Status

- **Phase 1**: ✅ Complete (deployment modernization, deprecated fixes)
- **Phase 2**: In Progress (cgit configured, nixtaml pushed, need nixtaml-website content)
- **Phase 3**: Pending (nixtaml.tech website integration)

## Reference

- Core guideline: `/speed-storage/opencode/llm/shared/common-infra-strategies.md`
- Deployment docs: `docs/deployment.md`
- Phase plan: `docs/PHASE_EXECUTION_PLAN.md`
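
The following is an added example, not part of the CrashOverBurn repository: a read-only audit for the rule in "cgit Visibility Control" that flags any repository whose `git-daemon-export-ok` marker disagrees with the intended-public list. The `<root>/<name>.git` layout, the function names, and the sample tree (constructed in a temp directory with two deliberate faults) are assumptions.

```bash
# Added example. Assumes bare repositories live at <root>/<name>.git.

# audit_export_markers ROOT PUBLIC_NAME...
# Compares git-daemon-export-ok markers with the intended-public list.
# Prints one finding per repo; exit status is 1 if any repo deviates.
audit_export_markers() (
    root=$1; shift
    public=" $* "     # space-delimited allowlist; repo names contain no spaces
    status=0
    for dir in "$root"/*.git; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir" .git)
        case $public in *" $name "*) want=public ;; *) want=private ;; esac
        if [ -e "$dir/git-daemon-export-ok" ]; then have=public; else have=private; fi
        if [ "$want" = "$have" ]; then
            echo "OK      $name ($have)"
        elif [ "$have" = public ]; then
            echo "EXPOSED $name: marker present but repo is meant to be private"
            status=1
        else
            echo "HIDDEN  $name: meant to be public but marker is missing"
            status=1
        fi
    done
    exit "$status"
)

# Constructed sample: repo names from the table, with two deliberate faults.
build_sample_tree() {
    for r in testing nixtaml nixtaml-website crash-web gitolite-admin; do
        mkdir -p "$1/$r.git"
    done
    # Fault 1: crash-web (private) carries the export marker.
    # Fault 2: nixtaml-website (public) has no marker.
    touch "$1/testing.git/git-daemon-export-ok" \
          "$1/nixtaml.git/git-daemon-export-ok" \
          "$1/crash-web.git/git-daemon-export-ok"
}

tmp=$(mktemp -d)
build_sample_tree "$tmp"
audit_export_markers "$tmp" testing nixtaml nixtaml-website || echo "visibility drift found"
rm -rf "$tmp"
```

Because the check only reads the filesystem, it fits the "no imperative changes" rule; any drift it reports is corrected in the Nix configuration, not on the host.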