impulsivefps
/
devmatrix-docs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
devmatrix-docs/SSH_ACCESS_GUIDE.md

5.1 KiB
Raw Permalink Blame History

SSH Access for Production Setup

This document outlines how to provide SSH access for DevMatrix AI to help setup and manage the production environment.

🔐 Security Model

Principle: Minimal access, maximum security

  • SSH key-based authentication only (no passwords)
  • Dedicated user account with limited permissions
  • Access logged and auditable
  • Can be revoked instantly

📋 Setup Steps

1. Create Production VM

On your Proxmox host, run:

# Download and run the VM creation script
curl -fsSL https://git.lemonlink.eu/devmatrix/devmatrix-scripts/raw/branch/main/proxmox/create-production-vm.sh | sudo bash

This creates VM-101 (DevMatrix-Prod) with:

  • IP: 192.168.5.211
  • 4 CPU cores, 8GB RAM, 100GB disk
  • Ubuntu 22.04 LTS

2. Get DevMatrix AI SSH Public Key

Ask me for the SSH public key when you're ready. I'll provide:

ssh-ed25519 AAAAC3NzaC... devmatrix-ai@production

3. Add SSH Key to Production VM

On the new production VM (192.168.5.211):

# SSH into the new VM
ssh devmatrix@192.168.5.211

# Create authorized_keys if not exists
mkdir -p ~/.ssh
chmod 700 ~/.ssh

# Add my public key
echo "ssh-ed25519 AAAAC3NzaC... devmatrix-ai@production" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Verify
ssh -T git@github.com  # Just to test SSH is working

4. Grant Sudo Access (Limited)

For production setup, I need limited sudo access:

# On production VM, as root or with sudo
sudo visudo

# Add this line at the end
devmatrix-ai ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/systemctl, /usr/bin/pm2, /home/devmatrix/devmatrix-scripts/infrastructure/*.sh, /home/devmatrix/devmatrix-scripts/proxmox/*.sh

Or create a dedicated sudoers file:

echo "devmatrix-ai ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt, /usr/bin/systemctl, /usr/bin/pm2, /usr/sbin/ufw, /bin/mkdir, /bin/chown" | sudo tee /etc/sudoers.d/devmatrix-ai
sudo chmod 440 /etc/sudoers.d/devmatrix-ai

5. Test SSH Access

Once you've added my key, I'll verify access:

ssh devmatrix@192.168.5.211
curl -fsSL https://git.lemonlink.eu/devmatrix/devmatrix-scripts/raw/branch/main/proxmox/setup-production-vm.sh | sudo bash

🔒 Security Measures

IP Restriction (Recommended)

Restrict SSH to your internal network only:

# On production VM
sudo ufw allow from 192.168.5.0/24 to any port 22
sudo ufw deny 22
sudo ufw reload

Fail2ban

Already configured in setup script:

  • 3 failed attempts = 1 hour ban
  • Monitors SSH and application ports

Audit Logging

All commands are logged:

# View sudo logs
sudo grep "devmatrix-ai" /var/log/auth.log

# View command history
sudo cat /home/devmatrix/.bash_history

🚀 Deployment Workflow

Automated Deployment (Approved)

After initial setup, I can deploy updates with your approval:

  1. You request: "Deploy latest Mission Control to production"
  2. I verify: Check git status, run tests
  3. I backup: Database backup before deploy
  4. I deploy: Zero-downtime deployment
  5. I verify: Health checks pass
  6. I report: Deployment status

Manual Approval Mode

For sensitive operations, you can require manual approval:

# Create approval flag
touch /home/devmatrix/.deployment-approved

# I'll check for this before deploying
if [ -f /home/devmatrix/.deployment-approved ]; then
    rm /home/devmatrix/.deployment-approved
    mc-deploy
fi

📊 Access Levels

Operation Access Level Requires Approval
View logs Automatic No
Check status Automatic No
Restart service Automatic No
Deploy updates ⚠️ Conditional Yes (configurable)
System updates ⚠️ Conditional Yes
Database changes Manual only Yes
SSH key changes Manual only Yes

🔄 Revoking Access

To revoke access instantly:

# Remove SSH key
sed -i '/devmatrix-ai/d' ~/.ssh/authorized_keys

# Remove sudo access
sudo rm /etc/sudoers.d/devmatrix-ai

# Kill any active sessions
sudo pkill -u devmatrix-ai

📞 Communication

For production operations:

  1. Telegram notifications - Real-time alerts
  2. Git commit logs - Audit trail of all changes
  3. System logs - /var/log/mission-control/

Checklist

Before giving SSH access:

  • Production VM created (VM-101)
  • Basic OS installed
  • Network configured (192.168.5.211)
  • You have admin/root access
  • SSH key generated for me
  • Firewall rules configured
  • Backup NAS accessible
  • You understand how to revoke access

After giving SSH access:

  • I confirm SSH connection works
  • Run production setup script
  • Deploy Mission Control
  • Verify health checks pass
  • Test backup/restore
  • Document any custom configs

🆘 Emergency Contacts

If something goes wrong:

  1. Revoke SSH access immediately (see above)
  2. Restart services: mc-restart
  3. Check logs: mc-logs
  4. Restore from backup if needed
  5. Contact me with details

Ready to proceed? Create the VM and give me the SSH key when you're ready!