fix: loosed tailscale requirements and update README

README.md

@@ -10,12 +10,35 @@ services:
 - caddy (reverse proxy)
 - grafana/prometheus (status.extremist.software)
 
-deploy:
-`nix run github:nix-community/nixos-anywhere -- --flake .#extremist-software --impure root@<ip>`
+## Deployment
 
-secrets:
-1. copy `secrets.nix.example` to `secrets.nix`.
-2. fill in values (generate random keys for searx/tailscale).
-3. `tailscaleKey` must be a **reusable** key.
+This repository uses **untracked secrets**, so you must build the system locally before deploying.
 
-repo uses `impure` build to load `secrets.nix` directly. no encrypted secrets in git.
+### 1. Setup Secrets
+1.  `cp secrets/secrets.nix.example secrets/secrets.nix`
+2.  Fill in the values (generate random keys, etc).
+    - `tailscaleKey` must be a **Reusable** key from the Tailscale admin console.
+
+### 2. Initial Install (Wite & Install)
+Run this command to build and deploy. **Warning: Wipes the server disk.**
+
+```bash
+# Replace <TARGET_IP> with your server's IP
+nix run github:nix-community/nixos-anywhere -- --store-paths \
+  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --impure --print-out-paths --no-link) \
+  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --print-out-paths --no-link) \
+  root@<TARGET_IP> | tee install.log
+```
+
+### 3. Update Existing Server (No Wipe)
+Once the server is running NixOS, use `nixos-rebuild` to push updates. This is faster and doesn't wipe data.
+
+```bash
+# Update via IP
+nixos-rebuild switch --flake path:.#extremist-software --target-host root@<TARGET_IP> --impure
+
+# Update via Tailscale (Once tailored up)
+nixos-rebuild switch --flake path:.#extremist-software --target-host root@extremist-software --impure
+```
+
+repo uses `impure` build to load `secrets/secrets.nix` directly. no encrypted secrets in git.