Workstation Inventory: modestus-razer

System Overview

| Attribute    | Value                                 |
|--------------|---------------------------------------|
| Hostname     | modestus-razer                        |
| OS           | Arch Linux                            |
| Kernel       | 6.18.8-arch2-1                        |
| Architecture | x86-64                                |
| Root (/)     | 250G encrypted, 72% used (72G free)   |
| Home (/home) | 1.7T encrypted, 2% used (1.6T free)   |

Security Assets (Critical - Must Backup)

| Asset            | Location                                 | Count/Status                 |
|------------------|------------------------------------------|------------------------------|
| SSH Keys         | ~/.ssh/                                  | 16 keypairs                  |
| SSH Cert (Vault) | ~/.ssh/id_ed25519_vault-cert.pub         | Valid until 17:43 today      |
| YubiKey SSH      | id_ed25519_sk_rk_*                       | 5 resident keys (d000, d001) |
| GPG Master       | ~/.gnupg/                                | RSA4096, expires 2027-11     |
| Gopass Stores    | 3 stores (root, v2, v3)                  | 427 entries                  |
| Age Key          | ~/.secrets/.metadata/keys/master.age.key | 700 permissions (secure)     |

SSH Key Domains
  • Git forges: github, gitlab, gitea, bitbucket, codeberg

  • Infrastructure: d000 (home), d001 (work)

  • Vault SSH CA: id_ed25519_vault + cert

Data Organization

| Directory         | Size | Contents            |
|-------------------|------|---------------------|
| ~/atelier/        | 20G  | All projects        |
| ├── _bibliotheca/ | 13G  | 19 domus-* repos    |
| ├── _projects/    | 7.1G | Personal projects   |
| ├── _vaults/      | 367M | Obsidian vaults     |
| └── _architectus/ | 293M | Templates/scaffolds |

Active domus-* Repos (19)
  • Recent activity: captures (10m), docs (12h), infra-ops (12h), linux-ops (8h)

  • Less active: math (2wk), automation-ops, identity-ops (6d)

Cleanup Candidates

| Directory      | Size | Action                          |
|----------------|------|---------------------------------|
| ~/.cache/      | 8.3G | Safe to clear                   |
| ~/.npm/        | 3.8G | npm cache clean --force         |
| ~/.npm-global/ | 1.2G | Review packages                 |
| ~/.rustup/     | 2.7G | rustup self uninstall if unused |
| ~/.ollama/     | 1.9G | Old models (ollama rm)          |
| ~/.claude/     | 1.6G | Session cache                   |
| ~/Downloads/   | 300M | Manual review                   |

Browser Profiles
  • Firefox: 3 profiles, ~684M total (consolidate?)

  • Chromium: 2.6M (minimal use)

Gaps Identified

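| Gap                      | Risk                 | Remediation                   |
|--------------------------|----------------------|-------------------------------|
| No borg backups visible  | Data loss risk       | Verify borg repo connectivity |
| No systemd timers        | No automated backups | Set up backup timer           |
| Vault cert expires today | SSH access loss      | Run vault-ssh-sign            |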

Security Hardening Tasks

Age Key: Root Ownership (Prompt Injection Defense)

Threat model: Claude Code runs as your user. If compromised via prompt injection, it could read your age key.

Current state: The key has 700 permissions (secure against other users, but readable by your user).

Hardening: Change ownership to root so that only root can read the key.

# Verify current state
ls -la ~/.secrets/.metadata/keys/

# Change ownership to root (requires sudo to read afterward)
sudo chown root:root ~/.secrets/.metadata/keys/master.age.key
sudo chmod 600 ~/.secrets/.metadata/keys/master.age.key

# Verify
ls -la ~/.secrets/.metadata/keys/

After hardening, decrypt with:

sudo age -d -i ~/.secrets/.metadata/keys/master.age.key file.age

To revert (if workflow is too cumbersome):

sudo chown evanusmodestus:evanusmodestus ~/.secrets/.metadata/keys/master.age.key
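
A check for the hardening above, as an added example that is not part of the original inventory: it reports what an account can still do to the key file based on ownership and mode bits. The function name key_exposure and the finding labels are hypothetical, and GNU stat (coreutils, as on Arch Linux) is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Assumes GNU stat, as on Arch Linux.
# key_exposure is a hypothetical helper name.
#
# key_exposure FILE [UID]
#   Prints one finding per line for account UID (default: the current user),
#   or "OK" when none apply.
#   Returns 1 if any finding was printed, 2 if FILE does not exist.
key_exposure() {
    local file=$1 uid=${2:-$(id -u)}
    local owner mode dir_owner findings=0

    [ -e "$file" ] || { echo "MISSING"; return 2; }
    owner=$(stat -c '%u' "$file")        # numeric owner of the key file
    mode=$(stat -c '%a' "$file")         # octal mode, e.g. 600
    dir_owner=$(stat -c '%u' "$(dirname -- "$file")")

    # The account owns the file and the owner-read bit is set:
    # every process running as that account can read the key.
    if [ "$owner" = "$uid" ] && [ $(( 0$mode & 0400 )) -ne 0 ]; then
        echo "OWNER_READABLE"; findings=1
    fi

    # Any group or other read bit (coarse check, group membership not resolved).
    if [ $(( 0$mode & 0044 )) -ne 0 ]; then
        echo "GROUP_OR_OTHER_READABLE"; findings=1
    fi

    # The account owns the containing directory: even an unreadable,
    # root-owned key can be renamed, deleted, or swapped for another file.
    if [ "$dir_owner" = "$uid" ]; then
        echo "DIR_REPLACEABLE"; findings=1
    fi

    [ "$findings" -eq 0 ] && echo "OK"
    return "$findings"
}
```

Run as key_exposure ~/.secrets/.metadata/keys/master.age.key; after the chown/chmod steps above the only remaining finding should be DIR_REPLACEABLE, because the keys/ directory is still owned by your user. The check does not cover sudo itself: if sudo is passwordless or holds a cached credential, a process running as your user can still read the key through it.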

Pre-Backup Checklist

Security (backup these FIRST)

~/.ssh/                    # All SSH keys
~/.gnupg/                  # GPG keys
~/.password-store/         # gopass root store
~/.local/share/gopass/     # gopass v2, v3 stores
~/.secrets/                # age-encrypted env files

Data

~/atelier/                 # All projects (20G)
~/.config/                 # App configs

Cleanup before backup

# Clear caches (~12G savings)
rm -rf ~/.cache/*
npm cache clean --force