From 944e7f42e49a866d67a0693d2ab7bf1412cc6094 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 9 Apr 2026 14:47:27 +0000 Subject: [PATCH] docs(consultations): Add Gemini response for Task #92 setup Key decisions: - Docker for MCP server (isolation) - One Ed25519 key, claude_executor user on all servers - UFW: allow 22, 9090; deny all else - fail2ban + Cloudflare Access for security - Approval logic stays in Arbiter - docker-compose + systemd for startup - Uptime Kuma for monitoring (CPU temp, disk I/O) - HandleLidSwitch=ignore for shelf mode Chronicler #73 --- .../gemini-task-92-ubuntu-setup-2026-04-09.md | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/docs/consultations/gemini-task-92-ubuntu-setup-2026-04-09.md b/docs/consultations/gemini-task-92-ubuntu-setup-2026-04-09.md index 11bc046..ffd320a 100644 --- a/docs/consultations/gemini-task-92-ubuntu-setup-2026-04-09.md +++ b/docs/consultations/gemini-task-92-ubuntu-setup-2026-04-09.md @@ -92,3 +92,83 @@ Thanks Gemini! We're excited to finally build this thing. Your architecture guid 🔥❄️ — Michael + Claude (Chronicler #73) + +--- + +## Gemini's Response (April 9, 2026) + +**Summary:** Docker for isolation, one Ed25519 key for all servers, Cloudflare Access for identity layer, approval logic stays in Arbiter. + +### 1. Ubuntu Server Configuration & Hardening + +Since this laptop is the "Gateway" (Trinity Core), security is paramount because it holds the keys to your entire fleet. + +* **Security Packages:** Definitely install `fail2ban`. Even if SSH isn't exposed to the web, it protects against lateral movement if another device on your local network is compromised. +* **UFW (Uncomplicated Firewall):** + * `allow 22/tcp` (Internal LAN only if possible). + * `allow 9090/tcp` (Cockpit). + * `deny incoming` by default. `cloudflared` does not need open incoming ports to work, which is the beauty of it. +* **Power Management:** Since it's a laptop, edit `/etc/systemd/logind.conf` and set `HandleLidSwitch=ignore` so you can close the lid and put it on the shelf without it sleeping. + +### 2. MCP Server: Docker vs. Host + +**Recommendation: Docker.** +* **Why:** Isolation. If the MCP server (running Claude's commands) has a bug, it's trapped in the container. +* **Tradeoff:** Docker makes "local" SSH slightly more complex (you have to mount the `.ssh` folder as a volume), but it ensures that if you ever need to migrate "Task #92" to a different machine, you just move the `docker-compose.yml`. + +### 3. SSH Key Management + +**Recommendation: One Key, Many Locks (but Unique User).** +* **The Key:** Generate one strong Ed25519 key pair on the laptop. +* **The User:** On Command Center, TX1, and NC1, create a specific user: `claude_executor`. +* **The Access:** Add the laptop's public key to the `authorized_keys` of `claude_executor` on all servers. +* **Storage:** The private key should live in `/home/michael/.ssh/mcp_proxy_ed25519` (restricted to `600` permissions) and be mounted into the Docker container as **Read-Only**. + +### 4. Cloudflare Tunnel & Access + +* **Access Policies:** **YES.** Use Cloudflare Access (Zero Trust). Even though the MCP server expects a specific header/secret, adding a Cloudflare Access policy that requires a Service Token or a specific email login adds a second layer of "Identity" before the request even touches your laptop. +* **Gotcha:** Ensure the tunnel is set to `http://localhost:[PORT]` where the MCP server is listening. Use the `no-tls-verify` flag if you use self-signed certs internally, though for a local tunnel, standard HTTP is fine as it's encrypted by the tunnel agent. + +### 5. Discord Approval System + +**Architecture:** Keep the approval logic in **Arbiter**. +1. **Request:** Claude sends a command via MCP. +2. **Logic:** The MCP Server sends a webhook to **Arbiter** on Command Center. +3. **Action:** Arbiter posts the Discord button. +4. **Response:** Once you click "Approve," Arbiter sends a "Go" signal back to the Laptop MCP server to execute. +* **Why:** You already have the Discord bot infrastructure in Arbiter. Don't reinvent the wheel on the laptop. + +### 6. Startup & Monitoring + +* **Auto-Start:** Use `docker-compose` with `restart: always`. +* **Systemd:** Create a simple systemd service for `cloudflared` to ensure the tunnel comes up before the containers try to talk to the world. +* **Monitoring:** + * **Uptime Kuma:** Absolutely. Track the MCP endpoint URL. + * **Metrics:** Monitor **CPU Temp** (laptops on shelves get hot) and **Disk I/O**. If Claude accidentally loops a command, you'll see the spike in Uptime Kuma. + +--- + +## Conclusion + +Gemini's architecture is solid and practical: + +| Decision | Recommendation | +|----------|----------------| +| MCP Server | Docker (isolation) | +| SSH Keys | One Ed25519 key, `claude_executor` user on all servers | +| Firewall | UFW: allow 22, 9090; deny all else | +| Security | fail2ban, Cloudflare Access policies | +| Approval | Keep in Arbiter (don't reinvent) | +| Startup | docker-compose + systemd for cloudflared | +| Monitoring | Uptime Kuma (CPU temp, disk I/O) | +| Lid | `HandleLidSwitch=ignore` | + +**Next Steps:** +1. Download Ubuntu Server 24.04 LTS ISO +2. Flash to USB with Rufus/balenaEtcher +3. Install Ubuntu Server on laptop +4. Follow implementation checklist (to be created) + +--- + +**Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️