new hosts vps

docs/constitution.md

@@ -42,6 +42,7 @@ config.services = {
 - Secrets files: `secrets/certs.yaml`, `secrets/env.yaml`, `secrets/gallery.yaml`, `secrets/homepage.yaml`, `secrets/keys.yaml`, `secrets/wireguard.yaml`, `secrets/secrets.yaml`, plus `secrets/ssh/` for host keys.
 - Placement rules: Keep secrets aligned to their file purpose (certificates → `certs.yaml`; environment/service env vars → `env.yaml`; media/gallery creds → `gallery.yaml`; homepage widgets → `homepage.yaml`; SSH/private keys → `keys.yaml`; WireGuard peers → `wireguard.yaml`; misc defaults → `secrets.yaml`).
 - secureHost gating: Only hosts with `my.secureHost = true` load SOPS secrets and WireGuard interfaces. Hosts with `secureHost = false` must avoid secret-dependent services and skip SOPS entries.
+- VPS enrollment flow: The vps host generates its own key on first boot, then operators enroll the public key, re-encrypt secrets, and redeploy. Follow `docs/playbooks/enroll-vps.md`.
 
 ## Module Categories and Active Hosts
 - Module categories: apps, dev, scripts, servers, services, shell, network, users, nix, patches. Factories sit in `modules/factories/` and are imported explicitly.

docs/playbooks/enroll-vps.md

@@ -0,0 +1,16 @@
+# Playbook: Enroll VPS Secrets
+
+- Name: Enroll VPS secrets after first boot
+- Purpose: Enroll the vps host key and re-encrypt secrets so services can start.
+- Prerequisites: vps host booted and reachable; secure host; SOPS access on operator machine.
+- Inputs: vps host public key; secrets files under `secrets/`; repo checkout.
+- Steps:
+  1. Retrieve the vps host public key from the running instance.
+  2. Add the vps public key to SOPS recipients for the relevant secrets files.
+  3. Re-encrypt secrets and commit updates as needed.
+  4. Rebuild the vps host from an explicitly authorized operator machine.
+- Validation:
+  - Services that require secrets start successfully after the rebuild.
+  - SOPS decrypt succeeds on the vps host without manual intervention.
+- Outputs: Updated secrets files with the vps recipient; vps host with secrets available.
+- References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Hosts and Roles)

docs/playbooks/vps-rebuild.md

@@ -0,0 +1,15 @@
+# Playbook: Rebuild VPS
+
+- Name: Remote rebuild of vps
+- Purpose: Apply configuration changes to the vps host from an explicitly authorized operator machine.
+- Prerequisites: Operator machine authorized; vps reachable via SSH; repo checkout.
+- Inputs: vps hostname or IP; flake path; target profile `vps`.
+- Steps:
+  1. Ensure the operator machine is in the authorized key list for `nixremote`.
+  2. Run the rebuild helper script with the target host details.
+  3. Monitor the rebuild for completion and errors.
+- Validation:
+  - vps reports the new configuration after rebuild.
+  - Remote access remains available after the update.
+- Outputs: Updated vps host configuration.
+- References: `docs/constitution.md` (Hosts and Roles, secureHost), `docs/reference/index.md` (Hosts and Roles)

docs/reference/index.md

@@ -20,13 +20,14 @@
 
 ## Hosts and Roles
 - Configs: `hosts/<name>/configuration.nix` with toggles in `hosts/<name>/toggles.nix`.
-- Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`.
+- Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`, `vps`.
 - Roles:
   - workstation: developer desktop; provides build power for distributed builds.
   - server: primary services host (overrides `my.mainServer = "server"` and enables proxies/containers).
   - miniserver: small-footprint server; default `mainServer` in shared options.
   - galaxy: small server variant using nixpkgs-small.
   - emacs: VM profile, `my.secureHost = false` for secret-free usage.
+  - vps: Linode VPS image target, secure host with enrollment-based secrets.
 - Network maps: `my.ips` and `my.interfaces` declared in `modules/modules.nix`; host toggles may override.
 
 ## Proxy, Firewall, and Networking