impulsivefps
/
devmatrix-docs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
devmatrix-docs/SSH_ACCESS_GUIDE.md

215 lines
5.1 KiB
Markdown
Raw Blame History

# SSH Access for Production Setup
This document outlines how to provide SSH access for DevMatrix AI to help setup and manage the production environment.
## 🔐 Security Model
**Principle:** Minimal access, maximum security
- SSH key-based authentication only (no passwords)
- Dedicated user account with limited permissions
- Access logged and auditable
- Can be revoked instantly
## 📋 Setup Steps
### 1. Create Production VM
On your Proxmox host, run:
```bash
# Download and run the VM creation script
curl -fsSL https://git.lemonlink.eu/devmatrix/devmatrix-scripts/raw/branch/main/proxmox/create-production-vm.sh | sudo bash
```
This creates VM-101 (DevMatrix-Prod) with:
- IP: 192.168.5.211
- 4 CPU cores, 8GB RAM, 100GB disk
- Ubuntu 22.04 LTS
### 2. Get DevMatrix AI SSH Public Key
Ask me for the SSH public key when you're ready. I'll provide:
```
ssh-ed25519 AAAAC3NzaC... devmatrix-ai@production
```
### 3. Add SSH Key to Production VM
On the new production VM (192.168.5.211):
```bash
# SSH into the new VM
ssh devmatrix@192.168.5.211
# Create authorized_keys if not exists
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Add my public key
echo "ssh-ed25519 AAAAC3NzaC... devmatrix-ai@production" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Verify
ssh -T git@github.com # Just to test SSH is working
```
### 4. Grant Sudo Access (Limited)
For production setup, I need limited sudo access:
```bash
# On production VM, as root or with sudo
sudo visudo
# Add this line at the end
devmatrix-ai ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/systemctl, /usr/bin/pm2, /home/devmatrix/devmatrix-scripts/infrastructure/*.sh, /home/devmatrix/devmatrix-scripts/proxmox/*.sh
```
Or create a dedicated sudoers file:
```bash
echo "devmatrix-ai ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt, /usr/bin/systemctl, /usr/bin/pm2, /usr/sbin/ufw, /bin/mkdir, /bin/chown" | sudo tee /etc/sudoers.d/devmatrix-ai
sudo chmod 440 /etc/sudoers.d/devmatrix-ai
```
### 5. Test SSH Access
Once you've added my key, I'll verify access:
```bash
ssh devmatrix@192.168.5.211
curl -fsSL https://git.lemonlink.eu/devmatrix/devmatrix-scripts/raw/branch/main/proxmox/setup-production-vm.sh | sudo bash
```
## 🔒 Security Measures
### IP Restriction (Recommended)
Restrict SSH to your internal network only:
```bash
# On production VM
sudo ufw allow from 192.168.5.0/24 to any port 22
sudo ufw deny 22
sudo ufw reload
```
### Fail2ban
Already configured in setup script:
- 3 failed attempts = 1 hour ban
- Monitors SSH and application ports
### Audit Logging
All commands are logged:
```bash
# View sudo logs
sudo grep "devmatrix-ai" /var/log/auth.log
# View command history
sudo cat /home/devmatrix/.bash_history
```
## 🚀 Deployment Workflow
### Automated Deployment (Approved)
After initial setup, I can deploy updates with your approval:
1. **You request:** "Deploy latest Mission Control to production"
2. **I verify:** Check git status, run tests
3. **I backup:** Database backup before deploy
4. **I deploy:** Zero-downtime deployment
5. **I verify:** Health checks pass
6. **I report:** Deployment status
### Manual Approval Mode
For sensitive operations, you can require manual approval:
```bash
# Create approval flag
touch /home/devmatrix/.deployment-approved
# I'll check for this before deploying
if [ -f /home/devmatrix/.deployment-approved ]; then
rm /home/devmatrix/.deployment-approved
mc-deploy
fi
```
## 📊 Access Levels
| Operation | Access Level | Requires Approval |
|-----------|--------------|-------------------|
| View logs | ✅ Automatic | No |
| Check status | ✅ Automatic | No |
| Restart service | ✅ Automatic | No |
| Deploy updates | ⚠️ Conditional | Yes (configurable) |
| System updates | ⚠️ Conditional | Yes |
| Database changes | ❌ Manual only | Yes |
| SSH key changes | ❌ Manual only | Yes |
## 🔄 Revoking Access
To revoke access instantly:
```bash
# Remove SSH key
sed -i '/devmatrix-ai/d' ~/.ssh/authorized_keys
# Remove sudo access
sudo rm /etc/sudoers.d/devmatrix-ai
# Kill any active sessions
sudo pkill -u devmatrix-ai
```
## 📞 Communication
For production operations:
1. **Telegram notifications** - Real-time alerts
2. **Git commit logs** - Audit trail of all changes
3. **System logs** - /var/log/mission-control/
## ✅ Checklist
Before giving SSH access:
- [ ] Production VM created (VM-101)
- [ ] Basic OS installed
- [ ] Network configured (192.168.5.211)
- [ ] You have admin/root access
- [ ] SSH key generated for me
- [ ] Firewall rules configured
- [ ] Backup NAS accessible
- [ ] You understand how to revoke access
After giving SSH access:
- [ ] I confirm SSH connection works
- [ ] Run production setup script
- [ ] Deploy Mission Control
- [ ] Verify health checks pass
- [ ] Test backup/restore
- [ ] Document any custom configs
## 🆘 Emergency Contacts
If something goes wrong:
1. Revoke SSH access immediately (see above)
2. Restart services: `mc-restart`
3. Check logs: `mc-logs`
4. Restore from backup if needed
5. Contact me with details
---
**Ready to proceed?** Create the VM and give me the SSH key when you're ready!
Reference in New Issue View Git Blame Copy Permalink