feat: get to a solid bootstrap on public ssh

README.md

@@ -1,10 +1,10 @@
 # Noisebridge Wiki Infra
 
-This repo manages the Noisebridge MediaWiki primary and replica on NixOS.
+This repo manages the Noisebridge wiki hosts on NixOS.
 
 ## Commands
 
-Bootstrap a brand new VPS into NixOS and seed its stable agenix host key:
+Bootstrap a brand new Ubuntu 22.04 DigitalOcean VPS into NixOS:
 
 ```sh
 nix run .#bootstrap-host -- <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
@@ -20,12 +20,11 @@ nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootst
 
 What bootstrap does:
 
-- generates or reuses `.bootstrap/<host>/host.age`
-- writes the matching public recipient to `secrets/hosts/<host>.age.pub`
-- rekeys the agenix secrets with `agenix -r`
-- runs `nixos-anywhere` against one or both raw VPS targets
-- installs `/var/lib/agenix/host.age` onto the new machine
-- lets the machine decrypt its Tailscale auth secret and come up on Tailscale with its configured hostname
+- copies a first-boot module to the host
+- runs `nixos-infect` on the Ubuntu VPS
+- converts the machine to NixOS with the `jet` admin user
+- disables direct root SSH
+- fixes the known bad IPv6 routes generated by `nixos-infect`
 
 Deploy all already-bootstrapped hosts:
 
@@ -58,7 +57,7 @@ nix flake check 'path:.' --accept-flake-config
 
 1. Create a raw VPS.
 2. Run `nix run .#bootstrap-host -- ...` from the repo root on an admin laptop.
-3. The machine installs NixOS, gets its host agenix key, and joins Tailscale.
+3. The machine installs NixOS and comes up over hardened public SSH as `jet`.
 4. Future changes use `nix run .#deploy`.
 
 ## GitHub Settings