first steps with proxmox

01_infra_setup.md

@@ -45,6 +45,35 @@ This describes how to prepare each machine before deploying services on them.
 
 Note that, by applying these playbooks, both the root user and the `counterweight` user will use the same SSH pubkey for auth.
 
+## Prepare Nodito Server
+
+### Source the Nodito Server
+
+* This setup is designed for a local Nodito server running in your home environment.
+* The expectations are that the Nodito server:
+  + Runs Proxmox VE (based on Debian).
+  + Has a predictable local IP address.
+  + Has root user with password authentication enabled (default Proxmox state).
+  + SSH is accessible on port 22.
+
+### Prepare Ansible vars for Nodito
+
+* Add a `[nodito]` group to your `ansible/inventory.ini` (or simply use the one you get by copying `example.inventory.ini`) and fill in with values.
+
+### Bootstrap SSH Key Access and Create User
+
+* Nodito starts with password authentication enabled and no SSH keys configured. We need to bootstrap SSH key access first.
+* Run the complete setup with: `ansible-playbook -i inventory.ini infra/00_proxmox_bootstrap_playbook.yml -e 'ansible_user=root'`
+* This single playbook will:
+  * Set up SSH key access for root
+  * Create the counterweight user with SSH keys
+  * Update and secure the system
+  * Disable root login and password authentication
+  * Test the final configuration
+* For all future playbooks targeting nodito, use the default configuration (no overrides needed).
+
+Note that, by applying these playbooks, both the root user and the `counterweight` user will use the same SSH pubkey for auth, but root login will be disabled.
+
 ## GPG Keys
 
 Some of the backups are stored encrypted for security. To allow this, fill in the gpg variables listed in `example.inventory.ini` under the `lapy` block.