2026.05.08 · TX/758 420w

Why my two servers talk to each other through OneDrive

A deploy bundle lands in a shared folder at quarter past eleven on a Wednesday night. AUTO put it there. AXIOM is about to pick it up. Neither of them knows the other exists.

That’s the rule. AXIOM is production. AUTO is its dev twin – same VPS spec, same provider, same datacentre, almost certainly the same rack. They host the same sites at different stages of readiness. And they don’t speak to each other. Not directly. Not ever. AUTO uploads the bundle to OneDrive, AXIOM downloads it, AXIOM unpacks and applies it. That’s the whole conversation.

Servers in my world do not talk to each other directly. It’s a hard rule. Yes, it’s silly. It works.

The reasoning is small. A direct rsync over SSH means a key on AUTO that AXIOM trusts, or vice versa. Whichever way round, anyone who gets shell on one machine has a free ride to the other. Routing through a third service neither server has to trust beyond ‘can read and write to this folder’ means a compromise stops at the box it started in. OneDrive isn’t part of the trust boundary. It’s a postbox. If AXIOM gets owned tomorrow, AUTO is fine. If AUTO gets owned tomorrow, AXIOM is fine. Blast radius of one.
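The receive side of that conversation, added here as an example rather than the author's own deploy script: a hypothetical apply step that checks the sidecar checksum dropped beside the bundle, refuses archive members that would write outside the release directory, and cuts over with one symlink rename. Folder and file names are constructed, and the live site path is assumed to be a symlink.

```python
import hashlib, io, os, tarfile, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def member_is_safe(m):
    # Plain files/dirs only, relative names, no ".." segments: a bundle from a shared folder must not write outside its release dir.
    return (m.isfile() or m.isdir()) and not os.path.isabs(m.name) and ".." not in m.name.split("/")

def apply_bundle(bundle, live_link):
    """Check the sidecar hash, unpack into a fresh release dir, swap the live symlink."""
    with open(bundle + ".sha256") as f:
        expected = f.read().split()[0]
    if sha256_file(bundle) != expected:
        raise ValueError("checksum mismatch")
    with tarfile.open(bundle, "r:gz") as tar:
        members = tar.getmembers()
        bad = [m.name for m in members if not member_is_safe(m)]
        if bad:
            raise ValueError("unsafe members: " + ", ".join(bad))
        release = tempfile.mkdtemp(prefix="release-", dir=os.path.dirname(live_link))
        tar.extractall(release, members=members)
    tmp = release + ".link"       # live_link is assumed to be a symlink (or absent)
    os.symlink(release, tmp)
    os.replace(tmp, live_link)    # one atomic rename; the old release stays for rollback
    return release

def make_bundle(path, files):
    # Constructed stand-in for AUTO's upload step; the OneDrive sync itself is out of scope.
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name); info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    with open(path + ".sha256", "w") as f:
        f.write(sha256_file(path) + "  " + os.path.basename(path) + "\n")

def demo():
    box = tempfile.mkdtemp()                      # stands in for the synced folder
    live = os.path.join(box, "live")
    make_bundle(os.path.join(box, "site.tar.gz"), {"index.html": b"<h1>gndn</h1>"})
    apply_bundle(os.path.join(box, "site.tar.gz"), live)
    with open(os.path.join(live, "index.html"), "rb") as f:
        served = f.read()
    make_bundle(os.path.join(box, "bad.tar.gz"), {"../outside.txt": b"nope"})
    try:
        apply_bundle(os.path.join(box, "bad.tar.gz"), live); rejected = None
    except ValueError as e:
        rejected = str(e)
    return served, rejected
```

The checksum only catches a bundle mangled in transit: the sidecar rides through the same folder, so anyone who can write to the postbox can write both, which makes the folder's access control the real trust edge.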

The obvious objection is that I’m hosting a personal site, my brother’s patisserie, a portfolio with a Vulcan logic test on it and a Star Trek fan project. Nobody is mounting a sophisticated lateral-movement attack against a man in Blackpool. Fair. The other thing about overkill is that you only find out it was overkill in hindsight, and the cost here is approximately nothing. Both servers sit in fast datacentres, OneDrive sits in a fast datacentre, the round trip is a non-event.

It is, if you squint, an air gap. Not a real one. A polite fiction of one. The Federation would absolutely run this, except their version would involve an isolinear chip carried by an ensign who would then lose it in turbolift two.

First live use was the vulcan.institute migration. Went up clean on the first try, which is the only reason I trust it. gndn.me is going the same route when the redesign is ready. Beurre when the staging copy catches up. Everything else falls in behind.

Two servers, same datacentre, can’t speak to each other, so they leave notes in a shared drawer. Said quickly, it sounds like a long-running prank. Said carefully, it sounds like a security control. Both are correct.
