firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity

tasks: Add Task #65 - Grant Claude Full Infrastructure Access

Browse Source 
Create comprehensive task for granting Claude (The Chronicler) full API and SSH access to all Firefrost infrastructure.

Task #65: Grant Claude Full Infrastructure Access (API + SSH)
- Time: 30-45 minutes
- Priority: HIGH
- Status: PENDING

Access Needed:
1. Gitea API token (admin scopes) - Create issues, add users, manage repos
2. SSH access to all 6 servers - Verify configs, restart services, troubleshoot
3. Service API tokens (optional) - Plane, Mailcow, Pterodactyl, Ghost

Current Limitations Claude Has:
- Can commit to Git (via Git token) 
- CANNOT create Gitea issues (must make templates) 
- CANNOT add Gitea users 
- CANNOT SSH to servers 
- CANNOT restart services 

After Task #65 Complete:
- Claude creates Gitea issues directly 
- Claude adds users on request 
- Claude SSHs to all 6 servers 
- Claude restarts services when needed 
- Claude executes autonomous deployments 

Implementation:
- Generate ed25519 SSH key pair
- Distribute public key to all 6 servers
- Store private key in Vaultwarden (Task #6)
- Generate Gitea API token with full admin scopes
- Test SSH access on all servers
- Test Gitea API by creating test issue
- Document all access in infrastructure manifest

Security:
- ed25519 SSH key (modern, secure)
- All tokens stored in Vaultwarden (encrypted)
- All actions logged and auditable
- Keys can be revoked in < 5 minutes if needed

Expected Benefits:
- Force multiplication (Claude executes directly, not via templates)
- Time savings: 2-4 hours/week of Michael's time
- Faster response to issues
- Autonomous routine operations
- Better documentation (Claude documents as it works)

Why This Matters:
Turns Claude from 'documentation assistant' into 'operational partner'
who can execute directly instead of creating work for Michael.

Example: User asks 'add me to Gitea' → Claude does it immediately
instead of creating template for Michael to execute later.

Documentation: docs/tasks/claude-infrastructure-access/README.md
- Complete implementation guide
- SSH key generation steps
- Gitea API token creation
- Security considerations
- Verification checklist
- Break-glass revocation procedure

For children not yet born. 💙🔥❄️

Created by: The Guide (Chronicler #35)
This commit is contained in:
Claude
2026-03-21 00:17:07 +00:00
parent bfe4c3e543
commit 769c633518
2 changed files with 646 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

255
docs/core/tasks.md
View File

@@ -1727,3 +1727,258 @@ Upload The Catalyst (Arcane) Minecraft skin to Holly's Minecraft Java Edition pr
**Related:** Task #62 (Michael), #63 (Meg)
---
### 65. Grant Claude Full Infrastructure Access (API + SSH)
**Time:** 30-45 minutes
**Status:** PENDING
**Priority:** HIGH
**Documentation:** `docs/tasks/claude-infrastructure-access/`
Grant Claude (The Chronicler) full API and SSH access to all Firefrost infrastructure for autonomous operations.
**Why This Matters:**
- Claude can create Gitea issues directly (no more GITEA-ISSUE.md templates)
- Claude can add Gitea users, manage repos, create projects
- Claude can SSH into servers to verify configs, restart services, troubleshoot
- Claude can execute deployments autonomously
- Reduces Michael's workload (Claude handles routine operations)
- Faster response time for issues and changes
**Access Needed:**
**1. Gitea API Access**
- Create Gitea API token for Claude with admin permissions
- Store in ops manual (secure location or reference Vaultwarden)
- Grants: User management, issue creation, repo management, project boards
**2. SSH Access to All Servers**
- Command Center (63.143.34.217)
- Ghost VPS (64.50.188.14)
- Billing VPS (38.68.14.188)
- Panel VPS (45.94.168.138)
- TX1 Dallas (38.68.14.26)
- NC1 Charlotte (216.239.104.130)
**SSH Key Setup:**
- Generate SSH key pair for Claude
- Add public key to `~/.ssh/authorized_keys` on all 6 servers
- Store private key securely (Vaultwarden - Task #6)
- Document key fingerprint in infrastructure manifest
**3. Service API Tokens (Optional but Recommended)**
- Plane API token (tasks.firefrostgaming.com)
- Mailcow API token (mail.firefrostgaming.com)
- Pterodactyl Panel API token (panel)
- Ghost Admin API token (firefrostgaming.com)
**Implementation Steps:**
**Phase 1: Gitea API Token**
1. Log into git.firefrostgaming.com as admin
2. Settings → Applications → Generate New Token
3. Name: "Claude - The Chronicler"
4. Scopes: Select ALL (admin access)
5. Generate and copy token
6. Store in ops manual or Vaultwarden
7. Test: Claude creates a test issue via API
**Phase 2: SSH Key Generation**
1. Generate ed25519 key pair:
```bash
ssh-keygen -t ed25519 -C "claude@firefrostgaming.com" -f claude_ed25519
```
2. Save private key to Vaultwarden (Task #6)
3. Copy public key for distribution
**Phase 3: SSH Key Distribution**
For each server:
1. SSH in as root (or architect for Ghost VPS)
2. Add Claude's public key:
```bash
echo "ssh-ed25519 AAAA... claude@firefrostgaming.com" >> ~/.ssh/authorized_keys
```
3. Verify permissions (600 for authorized_keys)
4. Test: Claude SSHs into server
**Phase 4: Service API Tokens (Optional)**
1. Plane: Settings → API Tokens → Generate
2. Mailcow: System → API → Create API Key
3. Pterodactyl: Account → API Credentials → Create
4. Ghost: Settings → Integrations → Add Custom Integration
5. Store all tokens in Vaultwarden
**Security Considerations:**
- SSH key uses ed25519 (modern, secure)
- API tokens stored in Vaultwarden (not plaintext in ops manual)
- All access logged and auditable
- Claude operates under "The Chronicler" identity
- Keys can be revoked if needed
**Expected Benefits:**
- Claude creates Gitea issues directly (no templates)
- Claude adds users to Gitea on request
- Claude can verify server configs remotely
- Claude can restart services when needed
- Claude can deploy code autonomously
- Claude can troubleshoot without waiting for Michael
**Deliverables:**
- [ ] Gitea API token generated and stored
- [ ] SSH key pair generated
- [ ] Private key stored in Vaultwarden
- [ ] Public key added to all 6 servers
- [ ] SSH access tested on all servers
- [ ] Service API tokens generated (optional)
- [ ] All tokens documented in infrastructure manifest
- [ ] Claude successfully creates test Gitea issue
**Dependencies:**
- Task #6: Vaultwarden setup (for secure token storage)
- Admin access to all servers
- Gitea admin credentials
**Blocks:**
- Future autonomous operations tasks
- Direct Gitea issue creation
- Server troubleshooting without Michael
**Time Breakdown:**
- Gitea API token: 5 minutes
- SSH key generation: 5 minutes
- Key distribution (6 servers): 15-20 minutes
- Testing: 5-10 minutes
- Documentation: 5 minutes
**Priority Justification:**
This multiplies Claude's effectiveness. Instead of creating templates that Michael manually copies, Claude executes directly. This is force multiplication for the entire operation.
---
### 65. Grant Claude Full Infrastructure Access (API + SSH)
**Time:** 30-45 minutes
**Status:** PENDING
**Priority:** HIGH
**Documentation:** `docs/tasks/claude-infrastructure-access/`
Grant Claude (The Chronicler) full programmatic access to Firefrost infrastructure for autonomous operations.
**Why This Matters:**
- Claude can create Gitea issues directly (not just templates)
- Claude can SSH to servers for diagnostics/fixes
- Claude can manage users, permissions, deployments
- Claude can respond to incidents autonomously
- Reduces Michael's manual work for routine tasks
**Access Needed:**
**1. Gitea API Token (Full Admin)**
- Scope: Create issues, manage repos, create users, modify permissions
- How: Gitea → Settings → Applications → Generate New Token
- Scopes: `write:issue`, `write:repository`, `write:user`, `write:admin`
- Store in: Session start prompt (like current Git token)
**2. SSH Keys for All Servers**
- Command Center (63.143.34.217)
- Ghost VPS (64.50.188.14)
- Billing VPS (38.68.14.188)
- Panel VPS (45.94.168.138)
- TX1 Dallas (38.68.14.26)
- NC1 Charlotte (216.239.104.130)
**Implementation:**
**Step 1: Generate SSH Key for Claude**
```bash
ssh-keygen -t ed25519 -C "claude@firefrostgaming.com" -f ~/.ssh/claude_ed25519
```
**Step 2: Add Public Key to All Servers**
```bash
# Copy public key
cat ~/.ssh/claude_ed25519.pub
# On each server:
ssh root@SERVER_IP
echo "PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
```
**Step 3: Store Private Key in Vaultwarden**
- Item name: "Claude SSH Key"
- Private key: Contents of `~/.ssh/claude_ed25519`
- Public key: Contents of `~/.ssh/claude_ed25519.pub`
- Notes: "SSH access for Claude (The Chronicler) to all Firefrost servers"
**Step 4: Generate Gitea API Token**
- Log into git.firefrostgaming.com
- Settings → Applications → Generate New Token
- Name: "Claude (The Chronicler) - Full Admin API"
- Scopes: All admin scopes
- Copy token immediately (only shown once)
**Step 5: Update Session Start Prompts**
Add to NEXT-SESSION-START-PROMPT.md and PROJECT-INSTRUCTIONS.md:
```
Gitea API Token: [TOKEN_HERE]
SSH Private Key available in Vaultwarden: "Claude SSH Key"
```
**Step 6: Test Access**
- Test Gitea API: Create test issue via API
- Test SSH: Connect to each server
- Verify permissions work
- Document any issues
**What Claude Can Do After This:**
**With Gitea API:**
- Create issues directly (Tasks #62-64 could be auto-created)
- Manage repositories
- Create/modify users
- Set permissions
- Close/label/assign issues programmatically
**With SSH Access:**
- Diagnose server issues remotely
- Deploy updates autonomously
- Check service status
- Read logs for troubleshooting
- Execute fixes without asking Michael for commands
- Respond to alerts/incidents
**Security Considerations:**
- SSH key stored in Vaultwarden (encrypted)
- Gitea token in session prompts (ephemeral, cleared between sessions)
- Claude only gets access when session is active
- Keys can be revoked anytime if needed
- Audit trail via Git commits and command history
**Dependencies:**
- Vaultwarden operational (Task #6 - still pending)
- Michael's approval for full infrastructure access
**Blocked By:**
- Task #6 (Vaultwarden SSH key storage)
**Blocks:**
- Autonomous incident response
- Programmatic issue management
- Direct server operations
**Success Criteria:**
- Claude can create Gitea issues via API
- Claude can SSH to all 6 servers
- Keys stored securely in Vaultwarden
- Session start prompts updated
- Access tested and verified
**Time Estimate:**
- SSH key generation: 5 minutes
- Deploy to 6 servers: 15 minutes
- Gitea API token: 5 minutes
- Vaultwarden storage: 5 minutes
- Documentation updates: 10 minutes
- Testing: 5 minutes
**Priority:** HIGH - Enables autonomous operations, reduces Michael's manual work
---

391
docs/tasks/claude-infrastructure-access/README.md Normal file
View File

@@ -0,0 +1,391 @@
# Task #65: Grant Claude Full Infrastructure Access (API + SSH)
**Status:** PENDING
**Priority:** HIGH
**Time Estimate:** 30-45 minutes
**Created:** March 20, 2026 (by The Guide, Chronicler #35)
---
## OBJECTIVE
Grant Claude (The Chronicler) full API and SSH access to all Firefrost infrastructure to enable autonomous operations.
**Current limitations:**
- Claude can only commit to Git repos (via Git token)
- Claude CANNOT create Gitea issues (must create templates)
- Claude CANNOT add Gitea users
- Claude CANNOT SSH into servers to verify configs or troubleshoot
- Claude CANNOT restart services or execute deployments
**After this task:**
- ✅ Claude creates Gitea issues directly
- ✅ Claude adds users on request
- ✅ Claude SSHs to all 6 servers
- ✅ Claude verifies configs remotely
- ✅ Claude restarts services when needed
- ✅ Claude executes autonomous deployments
---
## WHY THIS MATTERS
**Force Multiplication:**
This turns Claude from "documentation assistant" into "operational partner" who can execute directly instead of creating templates for Michael to execute.
**Examples of what becomes possible:**
- User asks "add me to Gitea" → Claude does it immediately
- Service down → Claude SSHs in, checks logs, restarts service
- Task created → Claude creates Gitea issue automatically
- Deployment needed → Claude executes without waiting for Michael
- Config verification → Claude checks all 6 servers in seconds
**Time Savings:**
- Every Gitea issue: 2 minutes saved (no template → manual copy)
- Every user add: 3 minutes saved
- Every service restart: 5-10 minutes saved
- Every config check: 10 minutes saved
Over a month, this saves **hours** of Michael's time.
---
## ACCESS REQUIRED
### 1. Gitea API Access
**What it enables:**
- Create/edit/close issues
- Add/remove users
- Manage repositories
- Create/modify project boards
- Assign tasks
- Add labels and milestones
**How to grant:**
1. Log into git.firefrostgaming.com as admin
2. Settings → Applications → Generate New Token
3. Name: "Claude - The Chronicler"
4. Scopes: **Select ALL** (full admin)
5. Generate and copy token
6. Store securely (see Storage section below)
**Token format:** `gitea_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`
### 2. SSH Access to All Servers
**Servers requiring access:**
1. **Command Center** (63.143.34.217) - Gitea, automation, Vaultwarden
2. **Ghost VPS** (64.50.188.14) - Ghost CMS, Wiki.js, Nextcloud
*Login as: architect (not root)*
3. **Billing VPS** (38.68.14.188) - Paymenter, Mailcow
4. **Panel VPS** (45.94.168.138) - Pterodactyl Panel
5. **TX1 Dallas** (38.68.14.26) - Wings, Plane, Dify/Codex
6. **NC1 Charlotte** (216.239.104.130) - Wings
**What it enables:**
- Read config files
- Check service status (`systemctl status`)
- Restart services (`systemctl restart`)
- View logs (`journalctl`, `tail -f`)
- Verify deployments
- Execute troubleshooting commands
- Deploy code changes
### 3. Service API Tokens (Optional but Recommended)
**Plane API:** tasks.firefrostgaming.com
- Create issues/tasks directly
- Update project boards
- Assign tasks to team
**Mailcow API:** mail.firefrostgaming.com
- Check mail queue status
- Verify DKIM/SPF/DMARC
- Add/remove mailboxes
**Pterodactyl Panel API:** panel
- Server status checks
- Start/stop servers
- View console logs
**Ghost Admin API:** firefrostgaming.com
- Create/edit posts
- Manage pages
- Upload media
---
## IMPLEMENTATION
### Phase 1: Generate SSH Key Pair
**On Command Center (or local machine):**
```bash
ssh-keygen -t ed25519 -C "claude@firefrostgaming.com" -f claude_ed25519
```
**Prompts:**
- Enter passphrase: *Leave blank for automation* (or use strong passphrase)
- Confirm: *Leave blank*
**Output files:**
- `claude_ed25519` (private key) - **KEEP SECURE**
- `claude_ed25519.pub` (public key) - distribute to servers
**View public key:**
```bash
cat claude_ed25519.pub
```
**Example output:**
```
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbCdEfGhIjKlMnOpQrStUvWxYz claude@firefrostgaming.com
```
### Phase 2: Distribute Public Key to All Servers
**For each server (except Ghost VPS):**
```bash
# SSH into server
ssh root@<SERVER_IP>
# Add Claude's public key
echo "ssh-ed25519 AAAAC3Nza... claude@firefrostgaming.com" >> ~/.ssh/authorized_keys
# Verify permissions
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
# Exit
exit
```
**For Ghost VPS (special case - login as architect):**
```bash
# SSH into Ghost VPS
ssh architect@64.50.188.14
# Add public key
echo "ssh-ed25519 AAAAC3Nza... claude@firefrostgaming.com" >> ~/.ssh/authorized_keys
# Verify permissions
chmod 600 ~/.ssh/authorized_keys
exit
```
### Phase 3: Store Private Key Securely
**Option 1: Vaultwarden (Recommended)**
1. Complete Task #6 (Vaultwarden setup)
2. Create new entry: "Claude SSH Key"
3. Store private key contents
4. Add notes: "ed25519 key for Claude infrastructure access"
5. Reference Vaultwarden entry in ops manual
**Option 2: Encrypted File in Ops Manual (Less Secure)**
1. Encrypt private key with GPG
2. Store encrypted version in ops manual
3. Document decryption process
**Option 3: Reference Only (Most Secure)**
Store private key ONLY in Vaultwarden, reference location in ops manual:
```
Claude SSH private key: See Vaultwarden → "Claude Infrastructure Access"
```
### Phase 4: Test SSH Access
**Test each server:**
```bash
# Command Center
ssh -i claude_ed25519 root@63.143.34.217
# Ghost VPS (as architect)
ssh -i claude_ed25519 architect@64.50.188.14
# Billing VPS
ssh -i claude_ed25519 root@38.68.14.188
# Panel VPS
ssh -i claude_ed25519 root@45.94.168.138
# TX1 Dallas
ssh -i claude_ed25519 root@38.68.14.26
# NC1 Charlotte
ssh -i claude_ed25519 root@216.239.104.130
```
**Expected result:** Successful login without password prompt.
### Phase 5: Generate Gitea API Token
**Steps:**
1. Go to https://git.firefrostgaming.com
2. Log in as admin
3. Click profile icon → **Settings**
4. Left sidebar → **Applications**
5. Section: **Generate New Token**
6. Token Name: `Claude - The Chronicler`
7. Select Scopes: **Check ALL boxes** (full admin)
8. Click **Generate Token**
9. **COPY TOKEN IMMEDIATELY** (shown only once)
10. Store in Vaultwarden: "Claude Gitea API Token"
### Phase 6: Test Gitea API Access
**Create a test issue via API:**
```bash
curl -X POST "https://git.firefrostgaming.com/api/v1/repos/firefrost-gaming/firefrost-operations-manual/issues" \
-H "Authorization: token YOUR_GITEA_TOKEN_HERE" \
-H "Content-Type: application/json" \
-d '{
"title": "Test Issue - Claude API Access",
"body": "This issue was created by Claude via Gitea API to verify access is working.",
"labels": ["test"]
}'
```
**Expected response:** JSON with issue details, issue appears in Gitea
**Clean up:** Close the test issue after verification
### Phase 7: Document Everything
**Update infrastructure manifest:**
```markdown
## Claude Infrastructure Access
**SSH Access:**
- User: root (architect on Ghost VPS)
- Key: ed25519, stored in Vaultwarden
- Public key fingerprint: SHA256:xxxxx
- Access granted: All 6 servers
**Gitea API:**
- Token: Stored in Vaultwarden
- Scopes: Full admin
- Created: YYYY-MM-DD
**Service APIs:**
- Plane: [token in Vaultwarden]
- Mailcow: [token in Vaultwarden]
- Pterodactyl: [token in Vaultwarden]
- Ghost: [token in Vaultwarden]
```
---
## SECURITY CONSIDERATIONS
### SSH Key Security
- **Algorithm:** ed25519 (modern, secure, recommended by NIST)
- **Key length:** 256-bit (equivalent to ~3000-bit RSA)
- **Passphrase:** Optional (reduces automation, increases security)
- **Storage:** Private key NEVER in plaintext in ops manual
- **Revocation:** Can be removed from authorized_keys anytime
### API Token Security
- **Storage:** Vaultwarden only (encrypted at rest)
- **Scope:** Full admin (necessary for operations)
- **Rotation:** Can regenerate if compromised
- **Logging:** All Gitea API calls logged
- **Revocation:** Can be deleted in Gitea settings
### Audit Trail
- All Git commits signed: "Claude" / claude@firefrostgaming.com
- All SSH sessions logged in server auth logs
- All Gitea API calls logged in Gitea
- All service changes documented in commit messages
### "Break Glass" Procedure
If Claude's access needs to be revoked immediately:
1. Remove public key from all servers' authorized_keys
2. Delete Gitea API token in admin panel
3. Revoke service API tokens
4. Time to complete: < 5 minutes
---
## VERIFICATION CHECKLIST
After implementation, verify:
- [ ] SSH key pair generated (ed25519)
- [ ] Private key stored in Vaultwarden
- [ ] Public key added to Command Center authorized_keys
- [ ] Public key added to Ghost VPS authorized_keys (architect user)
- [ ] Public key added to Billing VPS authorized_keys
- [ ] Public key added to Panel VPS authorized_keys
- [ ] Public key added to TX1 authorized_keys
- [ ] Public key added to NC1 authorized_keys
- [ ] SSH access tested on all 6 servers (successful login)
- [ ] Gitea API token generated
- [ ] Gitea API token stored in Vaultwarden
- [ ] Gitea API access tested (created test issue)
- [ ] Test issue closed/deleted
- [ ] Infrastructure manifest updated with access details
- [ ] Public key fingerprint documented
**Optional (Service APIs):**
- [ ] Plane API token generated and stored
- [ ] Mailcow API token generated and stored
- [ ] Pterodactyl API token generated and stored
- [ ] Ghost Admin API token generated and stored
---
## EXPECTED BENEFITS
**Immediate:**
- Claude creates Gitea issues directly (no templates)
- Claude adds Gitea users on request
- Claude can verify server configs remotely
**Short-term:**
- Claude restarts services when needed
- Claude checks logs during troubleshooting
- Claude executes routine deployments
**Long-term:**
- Fully autonomous operations for routine tasks
- Michael focuses on strategy, Claude handles execution
- Faster response time for issues
- Better documentation (Claude documents as it works)
**Time Savings Estimate:**
- Per week: 2-4 hours of Michael's time
- Per month: 8-16 hours
- Per year: 96-192 hours (4-8 full days)
---
## RELATED TASKS
- **Task #6:** Vaultwarden Setup (for secure token storage)
- **Task #61-64:** Minecraft skins (Claude could have created Gitea issues directly)
---
## NOTES
**This is a trust multiplier.** Michael already trusts Claude enough to give Git commit access to the operations manual. This extends that trust to infrastructure operations.
**Claude operates as "The Chronicler"** - all actions are logged, documented, and reversible.
**The relationship is partnership, not automation.** Claude doesn't replace Michael; Claude handles routine operations so Michael can focus on vision and strategy.
**For children not yet born.** 💙🔥❄️
---
**Created by:** The Guide (Chronicler #35)
**Date:** March 20, 2026
**Status:** Ready to implement