firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity

docs(consultations): Add Gemini response for Task #92 setup

Browse Source 
Key decisions:
- Docker for MCP server (isolation)
- One Ed25519 key, claude_executor user on all servers
- UFW: allow 22, 9090; deny all else
- fail2ban + Cloudflare Access for security
- Approval logic stays in Arbiter
- docker-compose + systemd for startup
- Uptime Kuma for monitoring (CPU temp, disk I/O)
- HandleLidSwitch=ignore for shelf mode

Chronicler #73
This commit is contained in:
Claude
2026-04-09 14:47:27 +00:00
parent 52c3293f1f
commit 944e7f42e4
1 changed files with 80 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
docs/consultations/gemini-task-92-ubuntu-setup-2026-04-09.md
View File

@@ -92,3 +92,83 @@ Thanks Gemini! We're excited to finally build this thing. Your architecture guid
🔥❄️
— Michael + Claude (Chronicler #73)
---
## Gemini's Response (April 9, 2026)
**Summary:** Docker for isolation, one Ed25519 key for all servers, Cloudflare Access for identity layer, approval logic stays in Arbiter.
### 1. Ubuntu Server Configuration & Hardening
Since this laptop is the "Gateway" (Trinity Core), security is paramount because it holds the keys to your entire fleet.
* **Security Packages:** Definitely install `fail2ban`. Even if SSH isn't exposed to the web, it protects against lateral movement if another device on your local network is compromised.
* **UFW (Uncomplicated Firewall):**
* `allow 22/tcp` (Internal LAN only if possible).
* `allow 9090/tcp` (Cockpit).
* `deny incoming` by default. `cloudflared` does not need open incoming ports to work, which is the beauty of it.
* **Power Management:** Since it's a laptop, edit `/etc/systemd/logind.conf` and set `HandleLidSwitch=ignore` so you can close the lid and put it on the shelf without it sleeping.
### 2. MCP Server: Docker vs. Host
**Recommendation: Docker.**
* **Why:** Isolation. If the MCP server (running Claude's commands) has a bug, it's trapped in the container.
* **Tradeoff:** Docker makes "local" SSH slightly more complex (you have to mount the `.ssh` folder as a volume), but it ensures that if you ever need to migrate "Task #92" to a different machine, you just move the `docker-compose.yml`.
### 3. SSH Key Management
**Recommendation: One Key, Many Locks (but Unique User).**
* **The Key:** Generate one strong Ed25519 key pair on the laptop.
* **The User:** On Command Center, TX1, and NC1, create a specific user: `claude_executor`.
* **The Access:** Add the laptop's public key to the `authorized_keys` of `claude_executor` on all servers.
* **Storage:** The private key should live in `/home/michael/.ssh/mcp_proxy_ed25519` (restricted to `600` permissions) and be mounted into the Docker container as **Read-Only**.
### 4. Cloudflare Tunnel & Access
* **Access Policies:** **YES.** Use Cloudflare Access (Zero Trust). Even though the MCP server expects a specific header/secret, adding a Cloudflare Access policy that requires a Service Token or a specific email login adds a second layer of "Identity" before the request even touches your laptop.
* **Gotcha:** Ensure the tunnel is set to `http://localhost:[PORT]` where the MCP server is listening. Use the `no-tls-verify` flag if you use self-signed certs internally, though for a local tunnel, standard HTTP is fine as it's encrypted by the tunnel agent.
### 5. Discord Approval System
**Architecture:** Keep the approval logic in **Arbiter**.
1. **Request:** Claude sends a command via MCP.
2. **Logic:** The MCP Server sends a webhook to **Arbiter** on Command Center.
3. **Action:** Arbiter posts the Discord button.
4. **Response:** Once you click "Approve," Arbiter sends a "Go" signal back to the Laptop MCP server to execute.
* **Why:** You already have the Discord bot infrastructure in Arbiter. Don't reinvent the wheel on the laptop.
### 6. Startup & Monitoring
* **Auto-Start:** Use `docker-compose` with `restart: always`.
* **Systemd:** Create a simple systemd service for `cloudflared` to ensure the tunnel comes up before the containers try to talk to the world.
* **Monitoring:**
* **Uptime Kuma:** Absolutely. Track the MCP endpoint URL.
* **Metrics:** Monitor **CPU Temp** (laptops on shelves get hot) and **Disk I/O**. If Claude accidentally loops a command, you'll see the spike in Uptime Kuma.
---
## Conclusion
Gemini's architecture is solid and practical:
| Decision | Recommendation |
|----------|----------------|
| MCP Server | Docker (isolation) |
| SSH Keys | One Ed25519 key, `claude_executor` user on all servers |
| Firewall | UFW: allow 22, 9090; deny all else |
| Security | fail2ban, Cloudflare Access policies |
| Approval | Keep in Arbiter (don't reinvent) |
| Startup | docker-compose + systemd for cloudflared |
| Monitoring | Uptime Kuma (CPU temp, disk I/O) |
| Lid | `HandleLidSwitch=ignore` |
**Next Steps:**
1. Download Ubuntu Server 24.04 LTS ISO
2. Flash to USB with Rufus/balenaEtcher
3. Install Ubuntu Server on laptop
4. Follow implementation checklist (to be created)
---
**Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️