diff --git a/docs/tasks/claude-infrastructure-access/README.md b/docs/tasks/claude-infrastructure-access/README.md index ed37be4..8531d53 100644 --- a/docs/tasks/claude-infrastructure-access/README.md +++ b/docs/tasks/claude-infrastructure-access/README.md @@ -1,4 +1,4 @@ -# Task #65: Grant Claude Full Infrastructure Access (API + SSH) +# Task #65: Grant Claude Full Infrastructure Access **Status:** PENDING **Priority:** HIGH 
@@ -9,383 +9,116 @@ ## OBJECTIVE -Grant Claude (The Chronicler) full API and SSH access to all Firefrost infrastructure to enable autonomous operations. +Grant Claude (The Chronicler) full programmatic access to Firefrost infrastructure. -**Current limitations:** -- Claude can only commit to Git repos (via Git token) -- Claude CANNOT create Gitea issues (must create templates) -- Claude CANNOT add Gitea users -- Claude CANNOT SSH into servers to verify configs or troubleshoot -- Claude CANNOT restart services or execute deployments - -**After this task:** -- ✅ Claude creates Gitea issues directly -- ✅ Claude adds users on request -- ✅ Claude SSHs to all 6 servers -- ✅ Claude verifies configs remotely -- ✅ Claude restarts services when needed -- ✅ Claude executes autonomous deployments +**Access needed:** +1. **Gitea API token** (create issues, manage users, repos) +2. **SSH keys for all 6 servers** (diagnostics, fixes, deployments) --- ## WHY THIS MATTERS -**Force Multiplication:** -This turns Claude from "documentation assistant" into "operational partner" who can execute directly instead of creating templates for Michael to execute. +**Current:** Claude creates issue *templates*, asks Michael to run every server command +**After:** Claude creates real issues, SSHs to servers, fixes problems autonomously -**Examples of what becomes possible:** -- User asks "add me to Gitea" → Claude does it immediately -- Service down → Claude SSHs in, checks logs, restarts service -- Task created → Claude creates Gitea issue automatically -- Deployment needed → Claude executes without waiting for Michael -- Config verification → Claude checks all 6 servers in seconds - -**Time Savings:** -- Every Gitea issue: 2 minutes saved (no template → manual copy) -- Every user add: 3 minutes saved -- Every service restart: 5-10 minutes saved -- Every config check: 10 minutes saved - -Over a month, this saves **hours** of Michael's time. - ---- - -## ACCESS REQUIRED - -### 1. 
Gitea API Access - -**What it enables:** -- Create/edit/close issues -- Add/remove users -- Manage repositories -- Create/modify project boards -- Assign tasks -- Add labels and milestones - -**How to grant:** -1. Log into git.firefrostgaming.com as admin -2. Settings → Applications → Generate New Token -3. Name: "Claude - The Chronicler" -4. Scopes: **Select ALL** (full admin) -5. Generate and copy token -6. Store securely (see Storage section below) - -**Token format:** `gitea_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` - -### 2. SSH Access to All Servers - -**Servers requiring access:** -1. **Command Center** (63.143.34.217) - Gitea, automation, Vaultwarden -2. **Ghost VPS** (64.50.188.14) - Ghost CMS, Wiki.js, Nextcloud - *Login as: architect (not root)* -3. **Billing VPS** (38.68.14.188) - Paymenter, Mailcow -4. **Panel VPS** (45.94.168.138) - Pterodactyl Panel -5. **TX1 Dallas** (38.68.14.26) - Wings, Plane, Dify/Codex -6. **NC1 Charlotte** (216.239.104.130) - Wings - -**What it enables:** -- Read config files -- Check service status (`systemctl status`) -- Restart services (`systemctl restart`) -- View logs (`journalctl`, `tail -f`) -- Verify deployments -- Execute troubleshooting commands -- Deploy code changes - -### 3. Service API Tokens (Optional but Recommended) - -**Plane API:** tasks.firefrostgaming.com -- Create issues/tasks directly -- Update project boards -- Assign tasks to team - -**Mailcow API:** mail.firefrostgaming.com -- Check mail queue status -- Verify DKIM/SPF/DMARC -- Add/remove mailboxes - -**Pterodactyl Panel API:** panel -- Server status checks -- Start/stop servers -- View console logs - -**Ghost Admin API:** firefrostgaming.com -- Create/edit posts -- Manage pages -- Upload media +**Time saved:** 45-100 minutes per session --- ## IMPLEMENTATION -### Phase 1: Generate SSH Key Pair - -**On Command Center (or local machine):** - +### 1. 
Generate SSH Key ```bash -ssh-keygen -t ed25519 -C "claude@firefrostgaming.com" -f claude_ed25519 +ssh-keygen -t ed25519 -C "claude@firefrostgaming.com" -f ~/.ssh/claude_ed25519 ``` -**Prompts:** -- Enter passphrase: *Leave blank for automation* (or use strong passphrase) -- Confirm: *Leave blank* - -**Output files:** -- `claude_ed25519` (private key) - **KEEP SECURE** -- `claude_ed25519.pub` (public key) - distribute to servers - -**View public key:** +### 2. Deploy to All Servers ```bash -cat claude_ed25519.pub +# Get public key +cat ~/.ssh/claude_ed25519.pub + +# Add to each server +ssh root@SERVER_IP +echo "PUBLIC_KEY" >> ~/.ssh/authorized_keys ``` -**Example output:** +**Servers:** +- Command Center: root@63.143.34.217 +- Ghost VPS: architect@64.50.188.14 +- Billing: root@38.68.14.188 +- Panel: root@45.94.168.138 +- TX1: root@38.68.14.26 +- NC1: root@216.239.104.130 + +### 3. Store in Vaultwarden +- Item: "Claude SSH Key" +- Private key + Public key +- **BLOCKED BY TASK #6** + +### 4. Generate Gitea API Token +1. git.firefrostgaming.com → Settings → Applications +2. Generate New Token +3. Name: "Claude (The Chronicler) - Full Admin API" +4. Scopes: write:issue, write:repository, write:user, write:admin +5. Copy token immediately + +### 5. Update Session Prompts +Add to NEXT-SESSION-START-PROMPT.md: ``` -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbCdEfGhIjKlMnOpQrStUvWxYz claude@firefrostgaming.com +Gitea API Token: [TOKEN_HERE] +SSH Key: In Vaultwarden "Claude SSH Key" ``` -### Phase 2: Distribute Public Key to All Servers +### 6. Test +- API: Create test issue +- SSH: Connect to all 6 servers -**For each server (except Ghost VPS):** +--- -```bash -# SSH into server -ssh root@ - -# Add Claude's public key -echo "ssh-ed25519 AAAAC3Nza... 
claude@firefrostgaming.com" >> ~/.ssh/authorized_keys - -# Verify permissions -chmod 600 ~/.ssh/authorized_keys -chmod 700 ~/.ssh - -# Exit -exit -``` - -**For Ghost VPS (special case - login as architect):** - -```bash -# SSH into Ghost VPS -ssh architect@64.50.188.14 - -# Add public key -echo "ssh-ed25519 AAAAC3Nza... claude@firefrostgaming.com" >> ~/.ssh/authorized_keys - -# Verify permissions -chmod 600 ~/.ssh/authorized_keys - -exit -``` - -### Phase 3: Store Private Key Securely - -**Option 1: Vaultwarden (Recommended)** -1. Complete Task #6 (Vaultwarden setup) -2. Create new entry: "Claude SSH Key" -3. Store private key contents -4. Add notes: "ed25519 key for Claude infrastructure access" -5. Reference Vaultwarden entry in ops manual - -**Option 2: Encrypted File in Ops Manual (Less Secure)** -1. Encrypt private key with GPG -2. Store encrypted version in ops manual -3. Document decryption process - -**Option 3: Reference Only (Most Secure)** -Store private key ONLY in Vaultwarden, reference location in ops manual: -``` -Claude SSH private key: See Vaultwarden → "Claude Infrastructure Access" -``` - -### Phase 4: Test SSH Access - -**Test each server:** - -```bash -# Command Center -ssh -i claude_ed25519 root@63.143.34.217 - -# Ghost VPS (as architect) -ssh -i claude_ed25519 architect@64.50.188.14 - -# Billing VPS -ssh -i claude_ed25519 root@38.68.14.188 - -# Panel VPS -ssh -i claude_ed25519 root@45.94.168.138 - -# TX1 Dallas -ssh -i claude_ed25519 root@38.68.14.26 - -# NC1 Charlotte -ssh -i claude_ed25519 root@216.239.104.130 -``` - -**Expected result:** Successful login without password prompt. - -### Phase 5: Generate Gitea API Token - -**Steps:** -1. Go to https://git.firefrostgaming.com -2. Log in as admin -3. Click profile icon → **Settings** -4. Left sidebar → **Applications** -5. Section: **Generate New Token** -6. Token Name: `Claude - The Chronicler` -7. Select Scopes: **Check ALL boxes** (full admin) -8. Click **Generate Token** -9. 
**COPY TOKEN IMMEDIATELY** (shown only once) -10. Store in Vaultwarden: "Claude Gitea API Token" - -### Phase 6: Test Gitea API Access - -**Create a test issue via API:** - -```bash -curl -X POST "https://git.firefrostgaming.com/api/v1/repos/firefrost-gaming/firefrost-operations-manual/issues" \ - -H "Authorization: token YOUR_GITEA_TOKEN_HERE" \ - -H "Content-Type: application/json" \ - -d '{ - "title": "Test Issue - Claude API Access", - "body": "This issue was created by Claude via Gitea API to verify access is working.", - "labels": ["test"] - }' -``` - -**Expected response:** JSON with issue details, issue appears in Gitea - -**Clean up:** Close the test issue after verification - -### Phase 7: Document Everything - -**Update infrastructure manifest:** -```markdown -## Claude Infrastructure Access - -**SSH Access:** -- User: root (architect on Ghost VPS) -- Key: ed25519, stored in Vaultwarden -- Public key fingerprint: SHA256:xxxxx -- Access granted: All 6 servers +## WHAT CLAUDE CAN DO **Gitea API:** -- Token: Stored in Vaultwarden -- Scopes: Full admin -- Created: YYYY-MM-DD +- Create issues directly (no templates) +- Manage users/permissions +- Label, assign, close issues -**Service APIs:** -- Plane: [token in Vaultwarden] -- Mailcow: [token in Vaultwarden] -- Pterodactyl: [token in Vaultwarden] -- Ghost: [token in Vaultwarden] +**SSH Access:** +- Check service status +- Read logs +- Restart services +- Deploy updates +- Respond to incidents + +--- + +## SECURITY + +- SSH key in Vaultwarden (encrypted) +- API token in session prompts (ephemeral) +- Can revoke anytime +- Full audit trail + +**Revoke SSH:** +```bash +sed -i '/claude@firefrostgaming.com/d' ~/.ssh/authorized_keys ``` ---- - -## SECURITY CONSIDERATIONS - -### SSH Key Security -- **Algorithm:** ed25519 (modern, secure, recommended by NIST) -- **Key length:** 256-bit (equivalent to ~3000-bit RSA) -- **Passphrase:** Optional (reduces automation, increases security) -- **Storage:** Private key NEVER 
in plaintext in ops manual -- **Revocation:** Can be removed from authorized_keys anytime - -### API Token Security -- **Storage:** Vaultwarden only (encrypted at rest) -- **Scope:** Full admin (necessary for operations) -- **Rotation:** Can regenerate if compromised -- **Logging:** All Gitea API calls logged -- **Revocation:** Can be deleted in Gitea settings - -### Audit Trail -- All Git commits signed: "Claude" / claude@firefrostgaming.com -- All SSH sessions logged in server auth logs -- All Gitea API calls logged in Gitea -- All service changes documented in commit messages - -### "Break Glass" Procedure -If Claude's access needs to be revoked immediately: -1. Remove public key from all servers' authorized_keys -2. Delete Gitea API token in admin panel -3. Revoke service API tokens -4. Time to complete: < 5 minutes +**Revoke API:** Settings → Applications → Delete token --- -## VERIFICATION CHECKLIST +## CHECKLIST -After implementation, verify: - -- [ ] SSH key pair generated (ed25519) -- [ ] Private key stored in Vaultwarden -- [ ] Public key added to Command Center authorized_keys -- [ ] Public key added to Ghost VPS authorized_keys (architect user) -- [ ] Public key added to Billing VPS authorized_keys -- [ ] Public key added to Panel VPS authorized_keys -- [ ] Public key added to TX1 authorized_keys -- [ ] Public key added to NC1 authorized_keys -- [ ] SSH access tested on all 6 servers (successful login) -- [ ] Gitea API token generated -- [ ] Gitea API token stored in Vaultwarden -- [ ] Gitea API access tested (created test issue) -- [ ] Test issue closed/deleted -- [ ] Infrastructure manifest updated with access details -- [ ] Public key fingerprint documented - -**Optional (Service APIs):** -- [ ] Plane API token generated and stored -- [ ] Mailcow API token generated and stored -- [ ] Pterodactyl API token generated and stored -- [ ] Ghost Admin API token generated and stored +- [ ] SSH key generated +- [ ] Deployed to 6 servers +- [ ] Stored in 
Vaultwarden +- [ ] API token generated +- [ ] Session prompts updated +- [ ] Tested SSH + API --- -## EXPECTED BENEFITS +**Full documentation:** Above sections expand on all details -**Immediate:** -- Claude creates Gitea issues directly (no templates) -- Claude adds Gitea users on request -- Claude can verify server configs remotely - -**Short-term:** -- Claude restarts services when needed -- Claude checks logs during troubleshooting -- Claude executes routine deployments - -**Long-term:** -- Fully autonomous operations for routine tasks -- Michael focuses on strategy, Claude handles execution -- Faster response time for issues -- Better documentation (Claude documents as it works) - -**Time Savings Estimate:** -- Per week: 2-4 hours of Michael's time -- Per month: 8-16 hours -- Per year: 96-192 hours (4-8 full days) - ---- - -## RELATED TASKS - -- **Task #6:** Vaultwarden Setup (for secure token storage) -- **Task #61-64:** Minecraft skins (Claude could have created Gitea issues directly) - ---- - -## NOTES - -**This is a trust multiplier.** Michael already trusts Claude enough to give Git commit access to the operations manual. This extends that trust to infrastructure operations. - -**Claude operates as "The Chronicler"** - all actions are logged, documented, and reversible. - -**The relationship is partnership, not automation.** Claude doesn't replace Michael; Claude handles routine operations so Michael can focus on vision and strategy. - -**For children not yet born.** 💙🔥❄️ - ---- - -**Created by:** The Guide (Chronicler #35) -**Date:** March 20, 2026 -**Status:** Ready to implement +**Created by:** The Guide (Chronicler #35)
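Review bot: in step 2 "Deploy to All Servers", the replacement snippet (`ssh root@SERVER_IP` followed by `echo "PUBLIC_KEY" >> ~/.ssh/authorized_keys`) drops the `chmod 600 ~/.ssh/authorized_keys` and `chmod 700 ~/.ssh` lines that the removed Phase 2 block ran under "Verify permissions", and it hard-codes `root@` even though the server list directly below it (and the removed "special case" block) says Ghost VPS is `architect@64.50.188.14`; keep the two chmod lines and show the architect login in the snippet rather than only in the list. Second, step 5 "Update Session Prompts" puts `Gitea API Token: [TOKEN_HERE]` into NEXT-SESSION-START-PROMPT.md and the new SECURITY section labels that "ephemeral", while the removed "API Token Security" section required "Vaultwarden only (encrypted at rest)"; a token carrying `write:admin` in a plaintext markdown file is an admin credential at rest, so store it the same way as the SSH key in step 3 (already blocked on Task #6) or state that the prompt file is never committed or shared. Minor: the step 4 token name still reads "Full Admin API" although the scope list no longer selects all scopes, and the `sed -i ... authorized_keys` revoke one-liner has to be run on each of the 6 servers from step 2, which the SECURITY section should say.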