Document sifaka first-time setup and hardware details

Adds one-time setup steps (SSH, sudoers, Docker path, device naming) to the sifaka reference card for reproducibility if the NAS is replaced. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 17:22:45 -08:00 · 2026-02-09 17:22:45 -08:00 · 316c213aae
commit 316c213aae
parent 4ed2e3bb5e
1 changed files with 58 additions and 2 deletions
--- a/docs/reference/storage/sifaka.md
+++ b/docs/reference/storage/sifaka.md
@ -13,8 +13,8 @@ Synology NAS providing network storage and backup target.
 | Property | Value |
 |----------|-------|
 | **Dashboard** | https://nas.ops.eblu.me |
-| **Model** | Synology |
-| **Storage** | 10.9TB RAID 5 |
+| **Model** | Synology DS423+ (DSM 7) |
+| **Storage** | 10.9TB RAID 5 (4x Seagate IronWolf 4TB, ST4000VN006) |
 | **Role** | Backup target, media storage |

 ## Network Shares
@ -46,6 +46,62 @@ Prometheus exporters run as Docker containers, managed by Ansible (`mise run pro

 Scraped by [[prometheus]] via Caddy L4 TCP proxy at `nas.ops.eblu.me:9100` and `nas.ops.eblu.me:9633`. Dashboard: [[grafana]] > Sifaka Disk Health.

+## First-Time Setup
+
+These steps were performed once to enable Ansible provisioning. They are documented here for reference if sifaka is ever replaced or reset.
+
+### 1. Enable SSH
+
+DSM Control Panel > Terminal & SNMP > Enable SSH service (port 22).
+
+### 2. SSH Key Authentication
+
+From a tailnet client with an existing SSH key:
+
+```bash
+ssh-copy-id eblume@sifaka   # uses password auth initially
+```
+
+Synology requires strict permissions on the home directory. On sifaka:
+
+```bash
+chmod 755 ~                  # DSM defaults to 777; SSH refuses keys otherwise
+chmod 700 ~/.ssh
+chmod 600 ~/.ssh/authorized_keys
+```
+
+Home directory path: `/var/services/homes/eblume`.
+
+### 3. Passwordless Sudo for Docker
+
+Ansible needs `become: true` for Docker commands. Create a sudoers drop-in:
+
+```bash
+sudo vi /etc/sudoers.d/docker-ansible
+```
+
+Contents:
+
+```
+eblume ALL=(ALL) NOPASSWD: /volume1/@appstore/ContainerManager/usr/bin/docker
+```
+
+This grants passwordless sudo only for the Docker binary — no broader root access.
+
+### 4. Docker Path
+
+Synology installs Docker via Container Manager at a non-standard path:
+
+```
+/volume1/@appstore/ContainerManager/usr/bin/docker
+```
+
+This is configured in the `sifaka_exporters` role defaults.
+
+### 5. Synology Device Naming
+
+Synology uses `/dev/sata*` (e.g., `/dev/sata1` through `/dev/sata4`) instead of the standard `/dev/sd*` naming. The `smartctl_exporter` cannot auto-detect these devices, so they are passed explicitly via `--smartctl.device=` flags in the Ansible role.
+
 ## Tailscale

 - Tag: `tag:nas`