path: root/AGENTS.md
blob: 84bacd2284aad6947dd5f8224938e4c1f20a0278 (plain)
# AGENTS.md - CrashOverBurn Web Server

## Core Commands

```bash
# Validate flake (ALWAYS use --option builders '')
nix flake check --option builders ''

# Build system derivation
nix build .#nixosConfigurations.crash-over-burn-1.config.system.build.toplevel --option builders ''

# Deploy (nixinate - the CORRECT deployment tool, never replace it)
nix run .#crash-over-burn-1

# Run remote command on crash-over-burn-1 (193.16.42.36:1108)
nix run .#remote-command -- "<command>"

# Validate Secrix recipients
nix run .#secrix -- -l
```

## Key Facts

- **Deployment target**: 193.16.42.36, port 1108, user: commander
- **Services**: cgit, ejabberd (XMPP), murmur (Mumble), movim (social), mailserver, nginx
- **Secrets**: Encrypted via age/Secrix in `secrets/`
- **State persisted**: `/persist/` directories
- **Git hosting**: code.crashoverburn.com (cgit + gitolite)

## Git Repositories

| Repository | Visibility | Description |
|------------|------------|-------------|
| testing | Public | Gitolite test repo |
| nixtaml | Public | Main Nix flake (mirrored from GitHub) |
| nixtaml-website | Public | Website content repo |
| crash-web | Private | SSH auth only |
| gitolite-admin | Private | Gitolite admin config |

**Gitolite admin folder**: `/speed-storage/repo/crash-git/gitolite-admin/` (sibling to this repo)

## cgit Visibility Control

Public/private visibility uses `strict-export=git-daemon-export-ok`:
- **Public repos**: Have `git-daemon-export-ok` file (created declaratively via Nix)
- **Private repos**: No marker file = hidden from web, SSH access only
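Because visibility hinges on a single marker file per repo, a stray marker on a private repo silently exposes it on the web and a missing one hides a public repo. The following audit script is an added example, not part of this repo: it checks the markers under a bare-repo root against the visibility table above. The repo root path, the `<name>.git` directory layout and the fixture are assumptions.

```bash
#!/bin/sh
# Audit cgit strict-export markers against the intended visibility list.
# Under strict-export=git-daemon-export-ok a bare repo is web-visible exactly
# when <repo>.git/git-daemon-export-ok exists, so drift in either direction
# is a security-relevant misconfiguration.

# Intended visibility taken from the repository table (constructed here).
PUBLIC_REPOS="testing nixtaml nixtaml-website"
PRIVATE_REPOS="crash-web gitolite-admin"

# audit_exports <repo_root>: prints one line per mismatch, exit status is the
# number of mismatches (0 = markers match the intended visibility).
audit_exports() {
  root="$1"
  mismatches=0
  for r in $PUBLIC_REPOS; do
    if [ ! -f "$root/$r.git/git-daemon-export-ok" ]; then
      echo "MISSING-MARKER  $r (public repo hidden from cgit)"
      mismatches=$((mismatches + 1))
    fi
  done
  for r in $PRIVATE_REPOS; do
    if [ -f "$root/$r.git/git-daemon-export-ok" ]; then
      echo "STRAY-MARKER    $r (private repo exposed on the web)"
      mismatches=$((mismatches + 1))
    fi
  done
  return $mismatches
}

# make_fixture <dir>: constructed bare-repo layout with one drift each way,
# so the audit has something to report when run offline.
make_fixture() {
  d="$1"
  for r in $PUBLIC_REPOS $PRIVATE_REPOS; do mkdir -p "$d/$r.git"; done
  touch "$d/testing.git/git-daemon-export-ok" \
        "$d/nixtaml.git/git-daemon-export-ok" \
        "$d/crash-web.git/git-daemon-export-ok"   # stray marker on a private repo
  # nixtaml-website deliberately has no marker: a public repo that is hidden
}

# Usage against the live host (bare-repo root is an assumed path):
#   audit_exports /speed-storage/repo/crash-git
```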

## Gotchas

1. **Nixinate is NOT legacy**. It is the bleeding edge of correct deployment tools. Never suggest replacing it with `nixos-rebuild`.

2. **Always use `--option builders ''`** with nix commands per fleet directives.

3. **Secrix encryption requires both user AND host key** - validate with `nix run .#secrix -- -l` before deploying.

4. **Deprecated options**:
   - `services.xserver.layout` → `services.xserver.xkb.layout`
   - `devShell` → `devShells.x86_64-linux.default`

5. **NEVER make imperative changes to remote** - all config must go through Nix or gitolite-admin.

6. **Verify cgit** via: `nix run .#remote-command -- "systemctl status uwsgi"`

7. **cgit accessible at root**: https://code.crashoverburn.com/ (not /git/)

## Phase Status

- **Phase 1**: ✅ Complete (deployment modernization, deprecated fixes)
- **Phase 2**: In Progress (cgit configured, nixtaml pushed, need nixtaml-website content)
- **Phase 3**: Pending (nixtaml.tech website integration)

## Reference

- Core guideline: `/speed-storage/opencode/llm/shared/common-infra-strategies.md`
- Deployment docs: `docs/deployment.md`
- Phase plan: `docs/PHASE_EXECUTION_PLAN.md`