new hosts vps

docs/playbooks/enroll-vps.md

@@ -0,0 +1,16 @@
+# Playbook: Enroll VPS Secrets
+
+- Name: Enroll VPS secrets after first boot
+- Purpose: Enroll the vps host key and re-encrypt secrets so services can start.
+- Prerequisites: vps host booted and reachable; secure host; SOPS access on operator machine.
+- Inputs: vps host public key; secrets files under `secrets/`; repo checkout.
+- Steps:
+  1. Retrieve the vps host public key from the running instance.
+  2. Add the vps public key to SOPS recipients for the relevant secrets files.
+  3. Re-encrypt secrets and commit updates as needed.
+  4. Rebuild the vps host from an explicitly authorized operator machine.
+- Validation:
+  - Services that require secrets start successfully after the rebuild.
+  - SOPS decrypt succeeds on the vps host without manual intervention.
+- Outputs: Updated secrets files with the vps recipient; vps host with secrets available.
+- References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Hosts and Roles)

docs/playbooks/vps-rebuild.md

@@ -0,0 +1,15 @@
+# Playbook: Rebuild VPS
+
+- Name: Remote rebuild of vps
+- Purpose: Apply configuration changes to the vps host from an explicitly authorized operator machine.
+- Prerequisites: Operator machine authorized; vps reachable via SSH; repo checkout.
+- Inputs: vps hostname or IP; flake path; target profile `vps`.
+- Steps:
+  1. Ensure the operator machine is in the authorized key list for `nixremote`.
+  2. Run the rebuild helper script with the target host details.
+  3. Monitor the rebuild for completion and errors.
+- Validation:
+  - vps reports the new configuration after rebuild.
+  - Remote access remains available after the update.
+- Outputs: Updated vps host configuration.
+- References: `docs/constitution.md` (Hosts and Roles, secureHost), `docs/reference/index.md` (Hosts and Roles)