# SSH Access for Production Setup

This document outlines how to provide SSH access for DevMatrix AI to help set up and manage the production environment.

## 🔐 Security Model

**Principle:** Minimal access, maximum security

- SSH key-based authentication only (no passwords)
- Dedicated user account (`devmatrix-ai`) with limited permissions
- Access logged and auditable
- Can be revoked instantly

## 📋 Setup Steps

### 1. Create Production VM

On your Proxmox host, download the VM creation script, review it, and then run it as root. Piping `curl` straight into `sudo bash` executes whatever the server returned, unreviewed, as root, so fetch it to a file first:

```bash
# Download the VM creation script, read it, then run it
curl -fsSL -o create-production-vm.sh https://git.lemonlink.eu/devmatrix/devmatrix-scripts/raw/branch/main/proxmox/create-production-vm.sh
less create-production-vm.sh
sudo bash create-production-vm.sh
```

This creates VM-101 (DevMatrix-Prod) with:

- IP: 192.168.5.211
- 4 CPU cores, 8GB RAM, 100GB disk
- Ubuntu 22.04 LTS

### 2. Get DevMatrix AI SSH Public Key

Ask me for the SSH public key when you're ready. I'll provide an Ed25519 public key of the form:

```
ssh-ed25519 AAAAC3NzaC... devmatrix-ai@production
```

Only the public key is shared; the private key never leaves my side.

### 3. Add SSH Key to Production VM

The key goes into the dedicated `devmatrix-ai` account, not into your own `devmatrix` user. If it were added to your account I would simply inherit your account, and the "dedicated user" part of the security model (and the per-user sudoers and revocation steps below) would no longer apply. On the new production VM (192.168.5.211):

```bash
# SSH into the new VM with your admin account
ssh devmatrix@192.168.5.211

# Create the dedicated account (no password: key-based login only)
sudo adduser --disabled-password --gecos "DevMatrix AI" devmatrix-ai

# Create its .ssh directory and authorized_keys with the permissions sshd insists on
sudo install -d -m 700 -o devmatrix-ai -g devmatrix-ai /home/devmatrix-ai/.ssh
echo "ssh-ed25519 AAAAC3NzaC... devmatrix-ai@production" | sudo tee -a /home/devmatrix-ai/.ssh/authorized_keys
sudo chmod 600 /home/devmatrix-ai/.ssh/authorized_keys
sudo chown devmatrix-ai:devmatrix-ai /home/devmatrix-ai/.ssh/authorized_keys

# Verify the key is where sshd will look for it; the login itself is tested from my side in step 5
sudo cat /home/devmatrix-ai/.ssh/authorized_keys
```

### 4. Grant Sudo Access (Limited)

For production setup, I need sudo access to a fixed list of commands. Either add the line to `/etc/sudoers` with `visudo`:

```bash
# On production VM, as root or with sudo
sudo visudo

# Add this line at the end
devmatrix-ai ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/systemctl, /usr/bin/pm2, /home/devmatrix/devmatrix-scripts/infrastructure/*.sh, /home/devmatrix/devmatrix-scripts/proxmox/*.sh
```

Or create a dedicated sudoers file (preferred, because it can be removed with a single command when access is revoked). The list below combines both variants so the scripts under `devmatrix-scripts` can still be run through sudo. Always syntax-check the result: a parse error in any file under `/etc/sudoers.d/` stops `sudo` working for everyone, including you:

```bash
echo "devmatrix-ai ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt, /usr/bin/systemctl, /usr/bin/pm2, /usr/sbin/ufw, /bin/mkdir, /bin/chown, /home/devmatrix/devmatrix-scripts/infrastructure/*.sh, /home/devmatrix/devmatrix-scripts/proxmox/*.sh" | sudo tee /etc/sudoers.d/devmatrix-ai
sudo chmod 440 /etc/sudoers.d/devmatrix-ai
sudo visudo -cf /etc/sudoers.d/devmatrix-ai   # must report "parsed OK"
```

Be clear about what "limited" means here. sudoers matches the command path only; arguments are unrestricted unless they are listed, and several of these binaries turn an argument into a root shell: `apt-get`/`apt` accept `-o APT::Update::Pre-Invoke=<command>`, `systemctl edit` opens an editor, and `chown` as root can hand any file on the system (including files under `/etc/sudoers.d/`) to `devmatrix-ai`. The `*.sh` globs match any script placed in those directories, so they must stay owned by root and must not be writable by `devmatrix-ai`. For threat modeling, treat this grant as root-equivalent; the controls that actually limit me are the key restriction, the audit log, and your ability to revoke.
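Steps 3 and 4 above are easy to get subtly wrong by hand (wrong home directory, unchecked sudoers file, password login left enabled). The script below is an added example, my own and not DevMatrix project code, that performs both steps in one go and adds two restrictions the text above only states in prose: the key is bound to the internal network with a `from=` option and password authentication is switched off in sshd. It assumes Ubuntu 22.04 (`adduser`, `visudo`, `sshd_config.d`, the `ssh.service` unit), the 192.168.5.0/24 network and the `/home/devmatrix/devmatrix-scripts` layout from this document; the key in the usage line and the checks is a constructed placeholder, not a real key.

```bash
#!/bin/sh
# Added example, not DevMatrix project code: provision the dedicated devmatrix-ai account
# from steps 3 and 4. Assumed: Ubuntu 22.04, the 192.168.5.0/24 network and the
# /home/devmatrix/devmatrix-scripts layout described in this document.
set -eu

AI_USER=devmatrix-ai
ALLOWED_FROM=192.168.5.0/24

# Accept only what step 2 promises: an ssh-ed25519 key in "<type> <base64> [comment]" form.
# The base64 of every ed25519 public key starts with the encoded "ssh-ed25519" header.
validate_pubkey() {
  key=$1
  type=${key%% *}
  rest=${key#* }
  blob=${rest%% *}
  case $type in
    ssh-ed25519) ;;
    *) echo "refusing key type '$type': only ssh-ed25519 is accepted" >&2; return 1 ;;
  esac
  case $blob in
    AAAAC3NzaC1lZDI1NTE5AAAAI*) ;;
    *) echo "key blob does not look like an ed25519 public key" >&2; return 1 ;;
  esac
  return 0
}

# authorized_keys entry: "restrict" disables port/agent/X11 forwarding and pty allocation,
# "pty" re-enables the interactive shell the setup work needs, and "from" makes sshd
# reject this key when the connection comes from outside the internal network.
authorized_keys_entry() {
  printf 'restrict,pty,from="%s" %s\n' "$2" "$1"
}

# The step 4 grant (both variants combined). Only the paths are restricted, not arguments.
# "(root)" instead of "(ALL)": nothing here needs to run as any other user.
sudoers_entry() {
  printf '%s ALL=(root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt, /usr/bin/systemctl, /usr/bin/pm2, /usr/sbin/ufw, /bin/mkdir, /bin/chown, /home/devmatrix/devmatrix-scripts/infrastructure/*.sh, /home/devmatrix/devmatrix-scripts/proxmox/*.sh\n' "$1"
}

# Everything below changes the system and must run as root on the VM.
install_ai_access() {
  key=$1
  validate_pubkey "$key"
  id "$AI_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos "DevMatrix AI" "$AI_USER"
  home=$(getent passwd "$AI_USER" | cut -d: -f6)
  install -d -m 700 -o "$AI_USER" -g "$AI_USER" "$home/.ssh"
  authorized_keys_entry "$key" "$ALLOWED_FROM" > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  chown "$AI_USER:$AI_USER" "$home/.ssh/authorized_keys"
  # Check the sudoers file before it goes live: a parse error under sudoers.d disables sudo for everyone.
  tmp=$(mktemp)
  sudoers_entry "$AI_USER" > "$tmp"
  chmod 0440 "$tmp"
  visudo -cf "$tmp"
  install -m 440 -o root -g root "$tmp" "/etc/sudoers.d/$AI_USER"
  rm -f "$tmp"
  # Enforce the "no passwords" part of the security model for every account, then reload sshd.
  printf 'PasswordAuthentication no\n' > /etc/ssh/sshd_config.d/10-no-passwords.conf
  sshd -t && systemctl reload ssh
}

# Usage on the VM, as root (placeholder key, not a real one):
#   sh provision-devmatrix-ai.sh 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexamplekeyblob devmatrix-ai@production'
if [ $# -gt 0 ]; then
  install_ai_access "$1"
fi
```

The `PasswordAuthentication no` drop-in applies to all accounts, so make sure your own `devmatrix` user has a key installed before running this from an SSH session. The `from=` option is enforced by sshd independently of ufw, so the key stays unusable from outside 192.168.5.0/24 even if the firewall rules are later changed.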
### 5. Test SSH Access

Once you've added my key, I'll verify access and run the production setup script. The sudoers grant in step 4 does not include `bash`, so `curl ... | sudo bash` would be refused for `devmatrix-ai` (and would run unreviewed code as root anyway). Instead, you place the reviewed script at a path the grant covers and I run it through that path:

```bash
# You, on the VM as admin: fetch and review the setup script, then put it where the sudoers grant allows
sudo mkdir -p /home/devmatrix/devmatrix-scripts/proxmox
sudo curl -fsSL -o /home/devmatrix/devmatrix-scripts/proxmox/setup-production-vm.sh https://git.lemonlink.eu/devmatrix/devmatrix-scripts/raw/branch/main/proxmox/setup-production-vm.sh
sudo chmod 755 /home/devmatrix/devmatrix-scripts/proxmox/setup-production-vm.sh

# Me: log in as the dedicated account and run it through sudo
ssh devmatrix-ai@192.168.5.211
sudo /home/devmatrix/devmatrix-scripts/proxmox/setup-production-vm.sh
```

## 🔒 Security Measures

### IP Restriction (Recommended)

Restrict SSH to your internal network only. ufw evaluates rules in order, so the allow rule has to be added before the deny, and you should do this from a session that already comes from the allowed network so you don't lock yourself out:

```bash
# On production VM
sudo ufw allow from 192.168.5.0/24 to any port 22
sudo ufw deny 22
sudo ufw status numbered   # the allow rule must be listed before the deny
sudo ufw reload            # or `sudo ufw enable` if ufw is not active yet
```

### Fail2ban

Already configured in the setup script:

- 3 failed attempts = 1 hour ban
- Monitors SSH and application ports

With password authentication disabled, fail2ban is a second line of defence against noisy guessing, not the control that keeps the account safe.

### Audit Logging

sudo invocations and SSH logins are written to `/var/log/auth.log` by root-owned daemons, which makes them the trustworthy record. The shell history file is written by the user's own shell and can be edited or disabled (`unset HISTFILE`) by that user, so treat it as a convenience, not as evidence:

```bash
# View sudo invocations (accepted and refused) by the dedicated account
sudo grep "sudo:.*devmatrix-ai" /var/log/auth.log

# View key logins for the account, with the source address
sudo grep "Accepted publickey for devmatrix-ai" /var/log/auth.log

# View command history (informational only, and in the dedicated account's home)
sudo cat /home/devmatrix-ai/.bash_history
```

## 🚀 Deployment Workflow

### Automated Deployment (Approved)

After initial setup, I can deploy updates with your approval:

1. **You request:** "Deploy latest Mission Control to production"
2. **I verify:** Check git status, run tests
3. **I backup:** Database backup before deploy
4. **I deploy:** Zero-downtime deployment
5. **I verify:** Health checks pass
6. **I report:** Deployment status
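The Audit Logging section above says what to grep for; the following added script (mine, not DevMatrix project code) turns that grep into a check that can be run after each session. It extracts every `COMMAND=` that sudo logged for the dedicated account, lists the attempts sudoers refused, and flags two things the plain grep hides: commands outside the step 4 grant, and granted binaries invoked with an argument that runs an arbitrary command as root (`apt-get -o APT::Update::Pre-Invoke=...`, `systemctl edit`). The log lines embedded in it are constructed in the Ubuntu 22.04 rsyslog format for illustration and are not real logs; the `GRANTED` list is the combined step 4 grant.

```bash
#!/bin/sh
# Added example, not DevMatrix project code: audit the sudo and sshd entries for the
# devmatrix-ai account in /var/log/auth.log. Assumed: the step 4 grant list and the
# account name from this document. SAMPLE_LOG is constructed, not captured from a real host.
set -eu

AI_USER=devmatrix-ai
# Binaries from the step 4 sudoers grant (the combined list).
GRANTED='/usr/bin/apt-get /usr/bin/apt /usr/bin/systemctl /usr/bin/pm2 /usr/sbin/ufw /bin/mkdir /bin/chown'

# Constructed sample in the format sudo and sshd write via rsyslog on Ubuntu 22.04.
SAMPLE_LOG=$(cat <<'EOF'
Mar  4 10:15:02 devmatrix-prod sudo: devmatrix-ai : TTY=pts/0 ; PWD=/home/devmatrix-ai ; USER=root ; COMMAND=/usr/bin/systemctl restart mission-control
Mar  4 10:16:40 devmatrix-prod sudo: devmatrix-ai : command not allowed ; TTY=pts/0 ; PWD=/home/devmatrix-ai ; USER=root ; COMMAND=/usr/bin/bash
Mar  4 10:17:05 devmatrix-prod sudo: devmatrix-ai : TTY=pts/0 ; PWD=/home/devmatrix-ai ; USER=root ; COMMAND=/usr/bin/apt-get -o APT::Update::Pre-Invoke=/bin/sh update
Mar  4 10:18:00 devmatrix-prod sshd[1234]: Accepted publickey for devmatrix-ai from 192.168.5.20 port 51234 ssh2: ED25519 SHA256:constructedfingerprint
Mar  4 10:19:00 devmatrix-prod sudo: devmatrix : TTY=pts/1 ; PWD=/home/devmatrix ; USER=root ; COMMAND=/usr/bin/apt-get update
EOF
)

# Every COMMAND sudo logged for the user on stdin, whether it ran or was refused. sudo writes
# "sudo: <user> : [command not allowed ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=<cmd>".
sudo_commands() {
  sed -n "s/^.* sudo: *$1 : .*COMMAND=//p"
}

# Only the attempts sudoers refused: the most interesting lines for a review.
refused_sudo() {
  sed -n "s/^.* sudo: *$1 : command not allowed ; .*COMMAND=//p"
}

# Commands that deserve a look: the binary is outside the grant (sudoers refuses these, but
# they show intent), or a granted binary was given an argument that yields a root shell
# (apt's *-Invoke hooks run a command as root; `systemctl edit` opens an editor with shell escapes).
unexpected_sudo() {
  sudo_commands "$1" | while IFS= read -r cmd; do
    exe=${cmd%% *}
    case " $GRANTED " in
      *" $exe "*) ;;
      *) printf 'NOT IN GRANT: %s\n' "$cmd"; continue ;;
    esac
    case $cmd in
      *Pre-Invoke*|*Post-Invoke*|*"systemctl edit"*) printf 'SHELL ESCAPE: %s\n' "$cmd" ;;
    esac
  done
}

# Source addresses of accepted key logins, so a sudo entry can be tied to where it came from.
key_logins() {
  sed -n "s/^.* sshd\[[0-9]*\]: Accepted publickey for $1 from \([^ ]*\) .*/\1/p"
}

# Usage on the VM:  sudo sh audit-devmatrix-ai.sh /var/log/auth.log
# Without a file argument the constructed sample is used, so the script demonstrates itself.
if [ $# -gt 0 ]; then
  unexpected_sudo "$AI_USER" < "$1"
else
  printf '%s\n' "$SAMPLE_LOG" | unexpected_sudo "$AI_USER"
fi
```

On the sample, `unexpected_sudo` reports the refused `/usr/bin/bash` as `NOT IN GRANT` and the `apt-get ... Pre-Invoke` call as `SHELL ESCAPE`; the `systemctl restart` line and the admin's own `apt-get update` are not reported. The escape patterns are deliberately short; extend them as the grant list changes.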
### Manual Approval Mode

For sensitive operations, you can require manual approval. You create a flag file; I check for it, consume it, and only then deploy:

```bash
# You create the approval flag
touch /home/devmatrix/.deployment-approved

# I check for it before deploying and remove it, so one approval covers one deploy
if [ -f /home/devmatrix/.deployment-approved ]; then
    rm /home/devmatrix/.deployment-approved
    mc-deploy
fi
```

This is a guardrail against accidental deploys, not a security boundary: it only restrains `devmatrix-ai` if that account cannot create the flag itself, and any account that can remove the file (write access to `/home/devmatrix`) can also create it. Rely on the sudoers grant, the audit log and revocation for actual control.

## 📊 Access Levels

| Operation | Access Level | Requires Approval |
|-----------|--------------|-------------------|
| View logs | ✅ Automatic | No |
| Check status | ✅ Automatic | No |
| Restart service | ✅ Automatic | No |
| Deploy updates | ⚠️ Conditional | Yes (configurable) |
| System updates | ⚠️ Conditional | Yes |
| Database changes | ❌ Manual only | Yes |
| SSH key changes | ❌ Manual only | Yes |

## 🔄 Revoking Access

To revoke access instantly (the key lives in the dedicated account's `authorized_keys`, not in yours):

```bash
# Remove SSH key: no new logins are possible after this
sudo sed -i '/devmatrix-ai/d' /home/devmatrix-ai/.ssh/authorized_keys

# Remove sudo access
sudo rm /etc/sudoers.d/devmatrix-ai

# Kill any active sessions
sudo pkill -KILL -u devmatrix-ai
```

If you used the first variant in step 4 (a line in `/etc/sudoers`), remove that line with `sudo visudo` instead. Expiring the account (`sudo usermod --expiredate 1 devmatrix-ai`) is a belt-and-braces step that blocks every login path, even a key you forgot about.

## 📞 Communication

For production operations:

1. **Telegram notifications** - Real-time alerts
2. **Git commit logs** - Audit trail of all changes
3. **System logs** - /var/log/mission-control/

## ✅ Checklist

Before giving SSH access:

- [ ] Production VM created (VM-101)
- [ ] Basic OS installed
- [ ] Network configured (192.168.5.211)
- [ ] You have admin/root access
- [ ] My public key received (step 2)
- [ ] Firewall rules configured
- [ ] Backup NAS accessible
- [ ] You understand how to revoke access

After giving SSH access:

- [ ] I confirm SSH connection works
- [ ] Run production setup script
- [ ] Deploy Mission Control
- [ ] Verify health checks pass
- [ ] Test backup/restore
- [ ] Document any custom configs

## 🆘 Emergency Contacts

If something goes wrong:

1. Revoke SSH access immediately (see above)
2. Restart services: `mc-restart`
3. Check logs: `mc-logs`
4. Restore from backup if needed
5. Contact me with details
---

**Ready to proceed?** Create the VM and install my SSH key when you're ready!