From 769c6335189645f741e9b6aa74abc0ba398694ab Mon Sep 17 00:00:00 2001 
From: Claude
Date: Sat, 21 Mar 2026 00:17:07 +0000
Subject: [PATCH] tasks: Add Task #65 - Grant Claude Full Infrastructure Access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Create comprehensive task for granting Claude (The Chronicler) full API and SSH access to all Firefrost infrastructure.

Task #65: Grant Claude Full Infrastructure Access (API + SSH)
- Time: 30-45 minutes
- Priority: HIGH
- Status: PENDING

Access Needed:
1. Gitea API token (admin scopes) - Create issues, add users, manage repos
2. SSH access to all 6 servers - Verify configs, restart services, troubleshoot
3. Service API tokens (optional) - Plane, Mailcow, Pterodactyl, Ghost

Current Limitations Claude Has:
- Can commit to Git (via Git token) ✅
- CANNOT create Gitea issues (must make templates) ❌
- CANNOT add Gitea users ❌
- CANNOT SSH to servers ❌
- CANNOT restart services ❌

After Task #65 Complete:
- Claude creates Gitea issues directly ✅
- Claude adds users on request ✅
- Claude SSHs to all 6 servers ✅
- Claude restarts services when needed ✅
- Claude executes autonomous deployments ✅

Implementation:
- Generate ed25519 SSH key pair
- Distribute public key to all 6 servers
- Store private key in Vaultwarden (Task #6)
- Generate Gitea API token with full admin scopes
- Test SSH access on all servers
- Test Gitea API by creating test issue
- Document all access in infrastructure manifest

Security:
- ed25519 SSH key (modern, secure)
- All tokens stored in Vaultwarden (encrypted)
- All actions logged and auditable
- Keys can be revoked in < 5 minutes if needed

Expected Benefits:
- Force multiplication (Claude executes directly, not via templates)
- Time savings: 2-4 hours/week of Michael's time
- Faster response to issues
- Autonomous routine operations
- Better documentation (Claude documents as it works)

Why This Matters:
Turns Claude from 'documentation assistant' into 'operational partner' who can execute directly instead of creating work for
Michael. Example: User asks 'add me to Gitea' → Claude does it immediately instead of creating template for Michael to execute later. Documentation: docs/tasks/claude-infrastructure-access/README.md - Complete implementation guide - SSH key generation steps - Gitea API token creation - Security considerations - Verification checklist - Break-glass revocation procedure For children not yet born. 💙🔥❄️ Created by: The Guide (Chronicler #35) --- docs/core/tasks.md | 255 ++++++++++++ .../claude-infrastructure-access/README.md | 391 ++++++++++++++++++ 2 files changed, 646 insertions(+) create mode 100644 docs/tasks/claude-infrastructure-access/README.md diff --git a/docs/core/tasks.md b/docs/core/tasks.md index cdbc877..124b47f 100644 --- a/docs/core/tasks.md +++ b/docs/core/tasks.md 
@@ -1727,3 +1727,258 @@ Upload The Catalyst (Arcane) Minecraft skin to Holly's Minecraft Java Edition pr **Related:** Task #62 (Michael), #63 (Meg) --- + +### 65. Grant Claude Full Infrastructure Access (API + SSH) +**Time:** 30-45 minutes +**Status:** PENDING +**Priority:** HIGH +**Documentation:** `docs/tasks/claude-infrastructure-access/` + +Grant Claude (The Chronicler) full API and SSH access to all Firefrost infrastructure for autonomous operations. + +**Why This Matters:** +- Claude can create Gitea issues directly (no more GITEA-ISSUE.md templates) +- Claude can add Gitea users, manage repos, create projects +- Claude can SSH into servers to verify configs, restart services, troubleshoot +- Claude can execute deployments autonomously +- Reduces Michael's workload (Claude handles routine operations) +- Faster response time for issues and changes + +**Access Needed:** + +**1. Gitea API Access** +- Create Gitea API token for Claude with admin permissions +- Store in ops manual (secure location or reference Vaultwarden) +- Grants: User management, issue creation, repo management, project boards + +**2. SSH Access to All Servers** +- Command Center (63.143.34.217) +- Ghost VPS (64.50.188.14) +- Billing VPS (38.68.14.188) +- Panel VPS (45.94.168.138) +- TX1 Dallas (38.68.14.26) +- NC1 Charlotte (216.239.104.130) + +**SSH Key Setup:** +- Generate SSH key pair for Claude +- Add public key to `~/.ssh/authorized_keys` on all 6 servers +- Store private key securely (Vaultwarden - Task #6) +- Document key fingerprint in infrastructure manifest + +**3. Service API Tokens (Optional but Recommended)** +- Plane API token (tasks.firefrostgaming.com) +- Mailcow API token (mail.firefrostgaming.com) +- Pterodactyl Panel API token (panel) +- Ghost Admin API token (firefrostgaming.com) + +**Implementation Steps:** + +**Phase 1: Gitea API Token** +1. Log into git.firefrostgaming.com as admin +2. Settings → Applications → Generate New Token +3. Name: "Claude - The Chronicler" +4. 
Scopes: Select ALL (admin access) +5. Generate and copy token +6. Store in ops manual or Vaultwarden +7. Test: Claude creates a test issue via API + +**Phase 2: SSH Key Generation** +1. Generate ed25519 key pair: + ```bash + ssh-keygen -t ed25519 -C "claude@firefrostgaming.com" -f claude_ed25519 + ``` +2. Save private key to Vaultwarden (Task #6) +3. Copy public key for distribution + +**Phase 3: SSH Key Distribution** +For each server: +1. SSH in as root (or architect for Ghost VPS) +2. Add Claude's public key: + ```bash + echo "ssh-ed25519 AAAA... claude@firefrostgaming.com" >> ~/.ssh/authorized_keys + ``` +3. Verify permissions (600 for authorized_keys) +4. Test: Claude SSHs into server + +**Phase 4: Service API Tokens (Optional)** +1. Plane: Settings → API Tokens → Generate +2. Mailcow: System → API → Create API Key +3. Pterodactyl: Account → API Credentials → Create +4. Ghost: Settings → Integrations → Add Custom Integration +5. Store all tokens in Vaultwarden + +**Security Considerations:** +- SSH key uses ed25519 (modern, secure) +- API tokens stored in Vaultwarden (not plaintext in ops manual) +- All access logged and auditable +- Claude operates under "The Chronicler" identity +- Keys can be revoked if needed + +**Expected Benefits:** +- Claude creates Gitea issues directly (no templates) +- Claude adds users to Gitea on request +- Claude can verify server configs remotely +- Claude can restart services when needed +- Claude can deploy code autonomously +- Claude can troubleshoot without waiting for Michael + +**Deliverables:** +- [ ] Gitea API token generated and stored +- [ ] SSH key pair generated +- [ ] Private key stored in Vaultwarden +- [ ] Public key added to all 6 servers +- [ ] SSH access tested on all servers +- [ ] Service API tokens generated (optional) +- [ ] All tokens documented in infrastructure manifest +- [ ] Claude successfully creates test Gitea issue + +**Dependencies:** +- Task #6: Vaultwarden setup (for secure token storage) +- 
Admin access to all servers +- Gitea admin credentials + +**Blocks:** +- Future autonomous operations tasks +- Direct Gitea issue creation +- Server troubleshooting without Michael + +**Time Breakdown:** +- Gitea API token: 5 minutes +- SSH key generation: 5 minutes +- Key distribution (6 servers): 15-20 minutes +- Testing: 5-10 minutes +- Documentation: 5 minutes + +**Priority Justification:** +This multiplies Claude's effectiveness. Instead of creating templates that Michael manually copies, Claude executes directly. This is force multiplication for the entire operation. + +--- + +### 65. Grant Claude Full Infrastructure Access (API + SSH) +**Time:** 30-45 minutes +**Status:** PENDING +**Priority:** HIGH +**Documentation:** `docs/tasks/claude-infrastructure-access/` + +Grant Claude (The Chronicler) full programmatic access to Firefrost infrastructure for autonomous operations. + +**Why This Matters:** +- Claude can create Gitea issues directly (not just templates) +- Claude can SSH to servers for diagnostics/fixes +- Claude can manage users, permissions, deployments +- Claude can respond to incidents autonomously +- Reduces Michael's manual work for routine tasks + +**Access Needed:** + +**1. Gitea API Token (Full Admin)** +- Scope: Create issues, manage repos, create users, modify permissions +- How: Gitea → Settings → Applications → Generate New Token +- Scopes: `write:issue`, `write:repository`, `write:user`, `write:admin` +- Store in: Session start prompt (like current Git token) + +**2. 
SSH Keys for All Servers** +- Command Center (63.143.34.217) +- Ghost VPS (64.50.188.14) +- Billing VPS (38.68.14.188) +- Panel VPS (45.94.168.138) +- TX1 Dallas (38.68.14.26) +- NC1 Charlotte (216.239.104.130) + +**Implementation:** + +**Step 1: Generate SSH Key for Claude** +```bash +ssh-keygen -t ed25519 -C "claude@firefrostgaming.com" -f ~/.ssh/claude_ed25519 +``` + +**Step 2: Add Public Key to All Servers** +```bash +# Copy public key +cat ~/.ssh/claude_ed25519.pub + +# On each server: +ssh root@SERVER_IP +echo "PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys +``` + +**Step 3: Store Private Key in Vaultwarden** +- Item name: "Claude SSH Key" +- Private key: Contents of `~/.ssh/claude_ed25519` +- Public key: Contents of `~/.ssh/claude_ed25519.pub` +- Notes: "SSH access for Claude (The Chronicler) to all Firefrost servers" + +**Step 4: Generate Gitea API Token** +- Log into git.firefrostgaming.com +- Settings → Applications → Generate New Token +- Name: "Claude (The Chronicler) - Full Admin API" +- Scopes: All admin scopes +- Copy token immediately (only shown once) + +**Step 5: Update Session Start Prompts** +Add to NEXT-SESSION-START-PROMPT.md and PROJECT-INSTRUCTIONS.md: +``` +Gitea API Token: [TOKEN_HERE] +SSH Private Key available in Vaultwarden: "Claude SSH Key" +``` + +**Step 6: Test Access** +- Test Gitea API: Create test issue via API +- Test SSH: Connect to each server +- Verify permissions work +- Document any issues + +**What Claude Can Do After This:** + +**With Gitea API:** +- Create issues directly (Tasks #62-64 could be auto-created) +- Manage repositories +- Create/modify users +- Set permissions +- Close/label/assign issues programmatically + +**With SSH Access:** +- Diagnose server issues remotely +- Deploy updates autonomously +- Check service status +- Read logs for troubleshooting +- Execute fixes without asking Michael for commands +- Respond to alerts/incidents + +**Security Considerations:** +- SSH key stored in Vaultwarden (encrypted) +- 
Gitea token in session prompts (ephemeral, cleared between sessions) +- Claude only gets access when session is active +- Keys can be revoked anytime if needed +- Audit trail via Git commits and command history + +**Dependencies:** +- Vaultwarden operational (Task #6 - still pending) +- Michael's approval for full infrastructure access + +**Blocked By:** +- Task #6 (Vaultwarden SSH key storage) + +**Blocks:** +- Autonomous incident response +- Programmatic issue management +- Direct server operations + +**Success Criteria:** +- Claude can create Gitea issues via API +- Claude can SSH to all 6 servers +- Keys stored securely in Vaultwarden +- Session start prompts updated +- Access tested and verified + +**Time Estimate:** +- SSH key generation: 5 minutes +- Deploy to 6 servers: 15 minutes +- Gitea API token: 5 minutes +- Vaultwarden storage: 5 minutes +- Documentation updates: 10 minutes +- Testing: 5 minutes + +**Priority:** HIGH - Enables autonomous operations, reduces Michael's manual work + +--- diff --git a/docs/tasks/claude-infrastructure-access/README.md b/docs/tasks/claude-infrastructure-access/README.md new file mode 100644 index 0000000..ed37be4 --- /dev/null +++ b/docs/tasks/claude-infrastructure-access/README.md 
@@ -0,0 +1,391 @@ +# Task #65: Grant Claude Full Infrastructure Access (API + SSH) + +**Status:** PENDING +**Priority:** HIGH +**Time Estimate:** 30-45 minutes +**Created:** March 20, 2026 (by The Guide, Chronicler #35) + +--- + +## OBJECTIVE + +Grant Claude (The Chronicler) full API and SSH access to all Firefrost infrastructure to enable autonomous operations. + +**Current limitations:** +- Claude can only commit to Git repos (via Git token) +- Claude CANNOT create Gitea issues (must create templates) +- Claude CANNOT add Gitea users +- Claude CANNOT SSH into servers to verify configs or troubleshoot +- Claude CANNOT restart services or execute deployments + +**After this task:** +- ✅ Claude creates Gitea issues directly +- ✅ Claude adds users on request +- ✅ Claude SSHs to all 6 servers +- ✅ Claude verifies configs remotely +- ✅ Claude restarts services when needed +- ✅ Claude executes autonomous deployments + +--- + +## WHY THIS MATTERS + +**Force Multiplication:** +This turns Claude from "documentation assistant" into "operational partner" who can execute directly instead of creating templates for Michael to execute. + +**Examples of what becomes possible:** +- User asks "add me to Gitea" → Claude does it immediately +- Service down → Claude SSHs in, checks logs, restarts service +- Task created → Claude creates Gitea issue automatically +- Deployment needed → Claude executes without waiting for Michael +- Config verification → Claude checks all 6 servers in seconds + +**Time Savings:** +- Every Gitea issue: 2 minutes saved (no template → manual copy) +- Every user add: 3 minutes saved +- Every service restart: 5-10 minutes saved +- Every config check: 10 minutes saved + +Over a month, this saves **hours** of Michael's time. + +--- + +## ACCESS REQUIRED + +### 1. 
Gitea API Access + +**What it enables:** +- Create/edit/close issues +- Add/remove users +- Manage repositories +- Create/modify project boards +- Assign tasks +- Add labels and milestones + +**How to grant:** +1. Log into git.firefrostgaming.com as admin +2. Settings → Applications → Generate New Token +3. Name: "Claude - The Chronicler" +4. Scopes: **Select ALL** (full admin) +5. Generate and copy token +6. Store securely (see Storage section below) + +**Token format:** `gitea_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` + +### 2. SSH Access to All Servers + +**Servers requiring access:** +1. **Command Center** (63.143.34.217) - Gitea, automation, Vaultwarden +2. **Ghost VPS** (64.50.188.14) - Ghost CMS, Wiki.js, Nextcloud + *Login as: architect (not root)* +3. **Billing VPS** (38.68.14.188) - Paymenter, Mailcow +4. **Panel VPS** (45.94.168.138) - Pterodactyl Panel +5. **TX1 Dallas** (38.68.14.26) - Wings, Plane, Dify/Codex +6. **NC1 Charlotte** (216.239.104.130) - Wings + +**What it enables:** +- Read config files +- Check service status (`systemctl status`) +- Restart services (`systemctl restart`) +- View logs (`journalctl`, `tail -f`) +- Verify deployments +- Execute troubleshooting commands +- Deploy code changes + +### 3. 
Service API Tokens (Optional but Recommended) + +**Plane API:** tasks.firefrostgaming.com +- Create issues/tasks directly +- Update project boards +- Assign tasks to team + +**Mailcow API:** mail.firefrostgaming.com +- Check mail queue status +- Verify DKIM/SPF/DMARC +- Add/remove mailboxes + +**Pterodactyl Panel API:** panel +- Server status checks +- Start/stop servers +- View console logs + +**Ghost Admin API:** firefrostgaming.com +- Create/edit posts +- Manage pages +- Upload media + +--- + +## IMPLEMENTATION + +### Phase 1: Generate SSH Key Pair + +**On Command Center (or local machine):** + +```bash +ssh-keygen -t ed25519 -C "claude@firefrostgaming.com" -f claude_ed25519 +``` + +**Prompts:** +- Enter passphrase: *Leave blank for automation* (or use strong passphrase) +- Confirm: *Leave blank* + +**Output files:** +- `claude_ed25519` (private key) - **KEEP SECURE** +- `claude_ed25519.pub` (public key) - distribute to servers + +**View public key:** +```bash +cat claude_ed25519.pub +``` + +**Example output:** +``` +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbCdEfGhIjKlMnOpQrStUvWxYz claude@firefrostgaming.com +``` + +### Phase 2: Distribute Public Key to All Servers + +**For each server (except Ghost VPS):** + +```bash +# SSH into server +ssh root@ + +# Add Claude's public key +echo "ssh-ed25519 AAAAC3Nza... claude@firefrostgaming.com" >> ~/.ssh/authorized_keys + +# Verify permissions +chmod 600 ~/.ssh/authorized_keys +chmod 700 ~/.ssh + +# Exit +exit +``` + +**For Ghost VPS (special case - login as architect):** + +```bash +# SSH into Ghost VPS +ssh architect@64.50.188.14 + +# Add public key +echo "ssh-ed25519 AAAAC3Nza... claude@firefrostgaming.com" >> ~/.ssh/authorized_keys + +# Verify permissions +chmod 600 ~/.ssh/authorized_keys + +exit +``` + +### Phase 3: Store Private Key Securely + +**Option 1: Vaultwarden (Recommended)** +1. Complete Task #6 (Vaultwarden setup) +2. Create new entry: "Claude SSH Key" +3. Store private key contents +4. 
Add notes: "ed25519 key for Claude infrastructure access" +5. Reference Vaultwarden entry in ops manual + +**Option 2: Encrypted File in Ops Manual (Less Secure)** +1. Encrypt private key with GPG +2. Store encrypted version in ops manual +3. Document decryption process + +**Option 3: Reference Only (Most Secure)** +Store private key ONLY in Vaultwarden, reference location in ops manual: +``` +Claude SSH private key: See Vaultwarden → "Claude Infrastructure Access" +``` + +### Phase 4: Test SSH Access + +**Test each server:** + +```bash +# Command Center +ssh -i claude_ed25519 root@63.143.34.217 + +# Ghost VPS (as architect) +ssh -i claude_ed25519 architect@64.50.188.14 + +# Billing VPS +ssh -i claude_ed25519 root@38.68.14.188 + +# Panel VPS +ssh -i claude_ed25519 root@45.94.168.138 + +# TX1 Dallas +ssh -i claude_ed25519 root@38.68.14.26 + +# NC1 Charlotte +ssh -i claude_ed25519 root@216.239.104.130 +``` + +**Expected result:** Successful login without password prompt. + +### Phase 5: Generate Gitea API Token + +**Steps:** +1. Go to https://git.firefrostgaming.com +2. Log in as admin +3. Click profile icon → **Settings** +4. Left sidebar → **Applications** +5. Section: **Generate New Token** +6. Token Name: `Claude - The Chronicler` +7. Select Scopes: **Check ALL boxes** (full admin) +8. Click **Generate Token** +9. **COPY TOKEN IMMEDIATELY** (shown only once) +10. 
Store in Vaultwarden: "Claude Gitea API Token" + +### Phase 6: Test Gitea API Access + +**Create a test issue via API:** + +```bash +curl -X POST "https://git.firefrostgaming.com/api/v1/repos/firefrost-gaming/firefrost-operations-manual/issues" \ + -H "Authorization: token YOUR_GITEA_TOKEN_HERE" \ + -H "Content-Type: application/json" \ + -d '{ + "title": "Test Issue - Claude API Access", + "body": "This issue was created by Claude via Gitea API to verify access is working.", + "labels": ["test"] + }' +``` + +**Expected response:** JSON with issue details, issue appears in Gitea + +**Clean up:** Close the test issue after verification + +### Phase 7: Document Everything + +**Update infrastructure manifest:** +```markdown +## Claude Infrastructure Access + +**SSH Access:** +- User: root (architect on Ghost VPS) +- Key: ed25519, stored in Vaultwarden +- Public key fingerprint: SHA256:xxxxx +- Access granted: All 6 servers + +**Gitea API:** +- Token: Stored in Vaultwarden +- Scopes: Full admin +- Created: YYYY-MM-DD + +**Service APIs:** +- Plane: [token in Vaultwarden] +- Mailcow: [token in Vaultwarden] +- Pterodactyl: [token in Vaultwarden] +- Ghost: [token in Vaultwarden] +``` + +--- + +## SECURITY CONSIDERATIONS + +### SSH Key Security +- **Algorithm:** ed25519 (modern, secure, recommended by NIST) +- **Key length:** 256-bit (equivalent to ~3000-bit RSA) +- **Passphrase:** Optional (reduces automation, increases security) +- **Storage:** Private key NEVER in plaintext in ops manual +- **Revocation:** Can be removed from authorized_keys anytime + +### API Token Security +- **Storage:** Vaultwarden only (encrypted at rest) +- **Scope:** Full admin (necessary for operations) +- **Rotation:** Can regenerate if compromised +- **Logging:** All Gitea API calls logged +- **Revocation:** Can be deleted in Gitea settings + +### Audit Trail +- All Git commits signed: "Claude" / claude@firefrostgaming.com +- All SSH sessions logged in server auth logs +- All Gitea API calls 
logged in Gitea +- All service changes documented in commit messages + +### "Break Glass" Procedure +If Claude's access needs to be revoked immediately: +1. Remove public key from all servers' authorized_keys +2. Delete Gitea API token in admin panel +3. Revoke service API tokens +4. Time to complete: < 5 minutes + +--- + +## VERIFICATION CHECKLIST + +After implementation, verify: + +- [ ] SSH key pair generated (ed25519) +- [ ] Private key stored in Vaultwarden +- [ ] Public key added to Command Center authorized_keys +- [ ] Public key added to Ghost VPS authorized_keys (architect user) +- [ ] Public key added to Billing VPS authorized_keys +- [ ] Public key added to Panel VPS authorized_keys +- [ ] Public key added to TX1 authorized_keys +- [ ] Public key added to NC1 authorized_keys +- [ ] SSH access tested on all 6 servers (successful login) +- [ ] Gitea API token generated +- [ ] Gitea API token stored in Vaultwarden +- [ ] Gitea API access tested (created test issue) +- [ ] Test issue closed/deleted +- [ ] Infrastructure manifest updated with access details +- [ ] Public key fingerprint documented + +**Optional (Service APIs):** +- [ ] Plane API token generated and stored +- [ ] Mailcow API token generated and stored +- [ ] Pterodactyl API token generated and stored +- [ ] Ghost Admin API token generated and stored + +--- + +## EXPECTED BENEFITS + +**Immediate:** +- Claude creates Gitea issues directly (no templates) +- Claude adds Gitea users on request +- Claude can verify server configs remotely + +**Short-term:** +- Claude restarts services when needed +- Claude checks logs during troubleshooting +- Claude executes routine deployments + +**Long-term:** +- Fully autonomous operations for routine tasks +- Michael focuses on strategy, Claude handles execution +- Faster response time for issues +- Better documentation (Claude documents as it works) + +**Time Savings Estimate:** +- Per week: 2-4 hours of Michael's time +- Per month: 8-16 hours +- Per year: 
96-192 hours (4-8 full days) + +--- + +## RELATED TASKS + +- **Task #6:** Vaultwarden Setup (for secure token storage) +- **Task #61-64:** Minecraft skins (Claude could have created Gitea issues directly) + +--- + +## NOTES + +**This is a trust multiplier.** Michael already trusts Claude enough to give Git commit access to the operations manual. This extends that trust to infrastructure operations. + +**Claude operates as "The Chronicler"** - all actions are logged, documented, and reversible. + +**The relationship is partnership, not automation.** Claude doesn't replace Michael; Claude handles routine operations so Michael can focus on vision and strategy. + +**For children not yet born.** 💙🔥❄️ + +--- + +**Created by:** The Guide (Chronicler #35) +**Date:** March 20, 2026 +**Status:** Ready to implement
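Review bot: the `docs/core/tasks.md` hunk (`@@ -1727,3 +1727,258 @@`) inserts `### 65. Grant Claude Full Infrastructure Access (API + SSH)` twice, and the two copies contradict each other on token handling: the first says "Store in ops manual (secure location or reference Vaultwarden)" and lists "API tokens stored in Vaultwarden (not plaintext in ops manual)" under Security Considerations, while the second says "Store in: Session start prompt (like current Git token)" and has Step 5 paste `Gitea API Token: [TOKEN_HERE]` into NEXT-SESSION-START-PROMPT.md and PROJECT-INSTRUCTIONS.md, which leaves a full-admin token in plaintext in markdown files. Keep one copy of the section, replace the Step 5 token line with the Vaultwarden reference the first copy already uses, and reconcile the scope guidance: the first copy says "Scopes: Select ALL (admin access)" while the second lists `write:issue`, `write:repository`, `write:user`, `write:admin`; the explicit list is the one to keep, since the Deliverables only require issue creation and user management. The bullet "Claude only gets access when session is active" also does not hold for the SSH key, which stays in every server's authorized_keys regardless of session, so it should be removed or limited to the API token.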
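Review bot: in the README hunk (`@@ -0,0 +1,391 @@`), Phase 1 advises "Enter passphrase: Leave blank for automation" while Phase 2 appends the same key to root's authorized_keys on five of the six servers, so one unencrypted file grants unattended root across most of the fleet; either keep a passphrase and load the key into an agent, or at minimum prefix the authorized_keys entry with restricting options (`from=` for the source address, `no-port-forwarding`, or `command=` for a fixed wrapper) and prefer a dedicated user with scoped sudo over root, as the Ghost VPS `architect` login already does. Smaller points in the same hunk: the Phase 2 line `ssh root@` has lost its host placeholder; the Ghost VPS block omits the `chmod 700 ~/.ssh` that the generic block includes; the claim "All Gitea API calls logged" only holds if Gitea's access log is enabled, which it is not by default, so the Security Considerations should state how that is verified; and the "Break Glass" procedure should add terminating any live SSH sessions after the key is removed, since deleting an authorized_keys entry does not end connections already established.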