Monitoring primarily

TODO.org

@@ -64,7 +64,7 @@
    now use =nixos-raspberrypi.lib.nixosSystem= and =raspberry-pi-4.base=.
    =nix flake check= passes.
 
-** TODO Verify SD card partition labels in =hosts/pi-main/hardware.nix=
+** DONE Verify SD card partition labels in =hosts/pi-main/hardware.nix=
    The config assumes labels =NIXOS_SD= (root) and =FIRMWARE= (boot).
    After flashing, check with:
    #+begin_src bash
@@ -74,7 +74,7 @@
 
 * Caddy Build
 
-** TODO Fix =vendorHash= in =modules/caddy.nix=
+** DONE Fix =vendorHash= in =modules/caddy.nix=
    The Caddy build with the Cloudflare DNS plugin currently uses =lib.fakeHash=
    as a placeholder. After the first =nix build= attempt it will fail with the
    correct hash in the error message. Replace =lib.fakeHash= with that value.
@@ -94,7 +94,7 @@
 
 * Deployment
 
-** TODO Phase 1 — Build and flash bootstrap SD card image
+** DONE Phase 1 — Build and flash bootstrap SD card image
 
    The bootstrap image is a minimal NixOS with SSH + WiFi only (no sops, no
    services). Its sole purpose is to boot the Pi so you can generate the age key
@@ -123,7 +123,7 @@
    ssh admin@192.168.1.100
    #+end_src
 
-** TODO Phase 2 — Generate age key and add it to sops
+** DONE Phase 2 — Generate age key and add it to sops
 
    On the Pi (over SSH):
    #+begin_src bash
@@ -154,7 +154,7 @@
    git commit -m "add Pi age key to sops recipients"
    #+end_src
 
-** TODO Phase 3 — Fix Caddy vendorHash, then deploy full config
+** DONE Phase 3 — Fix Caddy vendorHash, then deploy full config
 
    The full =pi-main= config includes Caddy built with the Cloudflare DNS
    plugin. The first build will fail with the correct hash in the error output.