BRAND

Accounts Setup

The identity layer. Accounts, domains, email, social handles. Set up pre-Phase-1.

The brand needs an identity surface before Phase 1 opens. Not a full launch — just the durable handles, the domain, the email aliases, the password discipline. Identity is the thing that compounds across all 60 months: GitHub commit history, blog post archive, the email address on every conference submission, the LinkedIn profile that follows the Year N rolling format. Get it right once, then forget about it for five years.

Three concentric circles organize the identity: an outer recovery anchor (a Gmail address that owns the infrastructure control plane), a middle super-admin (the Workspace owner of abukix.dev), and an inner ring of working aliases for daily use. The separation isn’t theatrical — it’s the seam that makes a future identity split (e.g., when collaborators arrive, or when work and brand mailboxes need to diverge) a one-day migration instead of a multi-week rebuild.


Identity hierarchy

Three concentric circles:

Outer circle (recovery anchor):
  abukixctl@gmail.com      external recovery email;
                           holds Cloudflare + Tailscale (network/infra control plane)
Middle circle (super-admin):
  root@abukix.dev          Workspace super-admin;
                           daily mailbox (all aliases land here)
Inner circle (working aliases):
  me@abukix.dev            primary daily address
  hello@abukix.dev         public/marketing
  social@abukix.dev        for social account signups (LinkedIn, etc.)
  abuse@abukix.dev         RFC standard
  postmaster@abukix.dev    RFC standard

In practice, all three “circles” route to the same inbox (you’re solo); the separation exists for clean discoverability and security in case identity boundaries become real later.


Accounts

GitHub

Username: abukix
Profile URL: github.com/abukix
Email (private): me@abukix.dev (verified)
SSH key added: id_ed25519 (from ThinkPad)
2FA: TOTP via 1Password (NOT SMS)
Profile README: yes (see brand/github-profile.md when written)

Repos to create pre-Phase-1:

  • github.com/abukix/root (private — this repo)
  • github.com/abukix/portfolio (public — landing site + blog)
  • github.com/abukix/ops-handbook (private — Phase 1 first deliverable)

Domain

Domain: abukix.dev
Registrar: Cloudflare Registrar (registered there, or transferred to it)
DNS: Cloudflare DNS
Cost: ~$10-12/year
Renewal: auto-renew via Cloudflare

DNS records pre-Phase-1:

  • MX for the mail provider (Google Workspace or Fastmail)
  • TXT for SPF / DKIM / DMARC
  • (Pages projects add their CNAME records automatically)
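
A lint for the three mail-authentication TXT records listed above, run against a record set exported from the zone. This is an added example, not part of the original page; the record values, the `google` DKIM selector (the Google Workspace default) and the `rua` address are assumptions, and the DKIM key is a placeholder.

```python
# Added example: lint a domain's mail-auth TXT records before relying on them.
# SAMPLE_ZONE is constructed; the DKIM public key is a placeholder.
SAMPLE_ZONE = {
    "abukix.dev": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.abukix.dev": ["v=DKIM1; k=rsa; p=<PLACEHOLDER_PUBLIC_KEY>"],
    "_dmarc.abukix.dev": ["v=DMARC1; p=quarantine; rua=mailto:postmaster@abukix.dev"],
}


def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DKIM/DMARC style) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def lint_mail_auth(zone, domain, dkim_selector="google"):
    """Return a list of findings; an empty list means all three records look sane."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # RFC 7208: no record means no policy, more than one is a permerror.
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        last = spf[0].split()[-1].lower()
        if last not in ("-all", "~all"):
            findings.append(f"SPF: record ends with '{last}', not -all or ~all")

    dkim = zone.get(f"{dkim_selector}._domainkey.{domain}", [])
    if not any(parse_tags(r).get("p") for r in dkim):
        # A missing record and an empty p= (revoked key) both fail here.
        findings.append(f"DKIM: no public key at selector '{dkim_selector}'")

    dmarc = [r for r in zone.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        policy = parse_tags(dmarc[0]).get("p", "")
        if policy not in ("none", "quarantine", "reject"):
            findings.append(f"DMARC: missing or invalid p= tag ('{policy}')")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    return findings


if __name__ == "__main__":
    for line in lint_mail_auth(SAMPLE_ZONE, "abukix.dev") or ["all checks passed"]:
        print(line)
```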

Email: Google Workspace

Plan: Business Starter (~$6/user/month)
User: root@abukix.dev (the only paid user)
Aliases: me@, hello@, social@, abuse@, postmaster@
Recovery: abukixctl@gmail.com (TOTP recovery codes printed + stored)
2FA: required

Why Workspace (not personal Gmail): owning the domain means owning the identity. If Gmail bans your account, you keep email by pointing MX elsewhere.

Why one paid user (not separate super-admin + daily): cost discipline. The privilege separation is collapsed into root@; a future split is a one-day migration when budget supports it.

Social

LinkedIn: linkedin.com/in/abukix
  bio: "AI platform engineering, in public — building basecamp + Abukix Studio. Pattern-first depth from kernel to LLM."
  email on profile: me@abukix.dev
  2FA: TOTP
Twitter/X: (optional; only if you'll actively post)
  handle: @abukix
Bluesky: (optional)

Don’t claim handles you won’t use; they’re noise.

Cloudflare

Account email: abukixctl@gmail.com (NOT root@ — keep recovery anchor separate)
2FA: TOTP via 1Password
Resources:
- DNS for abukix.dev
- Pages projects (portfolio, root-docs, studio — created when each launches)
- Zero Trust / Access (for private docs)
- Workers (for the Studio demo backend, Y5)
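
One reason to keep the Cloudflare login off `root@`: mail for abukix.dev depends on DNS that Cloudflare hosts, so a Cloudflare account registered under an abukix.dev address would depend on itself for recovery. The check below is an added example, not part of the original page; the node names and dependency edges are a constructed model of the accounts described here.

```python
# Added example: find circular recovery dependencies in an account inventory.
# Each account lists what must be working to log in to or recover it.
# The edges are a constructed model of the layout on this page.
PAGE_LAYOUT = {
    "gmail:abukixctl": [],                       # external anchor, no domain dependency
    "cloudflare": ["gmail:abukixctl"],           # account email is the anchor
    "dns:abukix.dev": ["cloudflare"],            # zone is hosted in Cloudflare
    "mail:abukix.dev": ["dns:abukix.dev", "workspace:root"],  # MX lives in DNS
    "workspace:root": ["gmail:abukixctl"],       # recovery email is the anchor
    "github": ["mail:abukix.dev"],               # me@abukix.dev
}

# Same inventory, but with Cloudflare registered under root@abukix.dev.
COLLAPSED = dict(PAGE_LAYOUT, cloudflare=["mail:abukix.dev"])


def find_cycle(deps):
    """Return one dependency cycle as a list of nodes, or [] if none exists."""
    WHITE, GREY, BLACK = 0, 1, 2                 # unvisited, on current path, done
    colour = {node: WHITE for node in deps}
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for nxt in deps.get(node, []):
            if colour.get(nxt, WHITE) == GREY:   # back edge closes a loop
                return path[path.index(nxt):] + [nxt]
            if colour.get(nxt, WHITE) == WHITE and nxt in deps:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return []

    for start in deps:
        if colour[start] == WHITE:
            found = visit(start)
            if found:
                return found
    return []


if __name__ == "__main__":
    print("page layout:", find_cycle(PAGE_LAYOUT) or "no cycle")
    print("collapsed:  ", " -> ".join(find_cycle(COLLAPSED)))
```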

Tailscale

Account email: abukixctl@gmail.com
Tailnet members: ThinkPad, MacBook, bastion, Proxmox host
(M70q VMs added later: K3s nodes, etc.)
Auth provider: Google (linked to abukixctl@gmail.com)

The tailnet members above match the substrate described in homelab/hardware — the same machines that will host basecamp once Year 1 opens.


Password manager

Tool: 1Password (paid, ~$3/month)
Vaults:
- Personal: all the above accounts
- Recovery: printed recovery codes for everything (kept offline)
- Shared: (none yet; future-proofing for collaborators)

Every TOTP secret is stored in 1Password. Recovery codes are printed and stored offline (e.g., a sealed envelope at home), NOT in any cloud.


Recovery drill

Quarterly: verify you can still log into each account from a fresh browser using only 1Password + recovery codes. The drill is the proof.

[ ] Can log into abukixctl@gmail.com from incognito with TOTP
[ ] Can log into root@abukix.dev from incognito with TOTP
[ ] Can log into GitHub with backup TOTP code
[ ] Can log into Cloudflare with backup TOTP code
[ ] Can recover Tailscale access if main Mac is bricked

The drill is calendar-driven, not event-driven — running it every quarter means you find a broken recovery path while you still have working access, not after a real lockout. Treat any failed step as a P1: do not close the drill until every line passes.


What you’re NOT signing up for pre-Phase-1

  • AWS / GCP — Y2 P10-11 (AWS Free Tier + GCP $300 credits)
  • HuggingFace — Y4 P24
  • Show HN account — Y2 P9 (when terralabs first launches)
  • Notion / Linear / Asana — not needed; ops-handbook + git serve as task tracking

Don’t pre-create accounts for years from now. Accounts age; you’ll re-onboard when the phase actually needs them.


Cross-references