docs: create Cockpit deployment task for Chromebook workflow

Complete deployment plan for installing Cockpit web terminal on all 5 remaining servers (Command Center, Billing VPS, Panel VPS, TX1, NC1). Ghost VPS already has Cockpit operational.

Files created:
- docs/tasks/cockpit-deployment/README.md - Task overview
- docs/tasks/cockpit-deployment/deployment-plan.md - Technical strategy
- docs/tasks/cockpit-deployment/installation-commands.md - Copy/paste micro-blocks

Why: Enable full server management from Chromebook without SSH dependency. Claude sessions block port 22, but Cockpit (port 9090) works perfectly.

Estimated time: ~1 hour for all 5 servers (~10 min each)

Signed-off-by: The Chronicler <claude@firefrostgaming.com>

docs/tasks/cockpit-deployment/README.md

@@ -0,0 +1,114 @@
+# Task: Deploy Cockpit Web Terminal to All Servers
+
+## Overview
+
+Deploy Cockpit (web-based server management) to all 5 Firefrost servers that don't have it yet. This enables full server management from Michael's Chromebook without SSH client dependency.
+
+## Current Status
+
+**Has Cockpit:**
+- ✅ Ghost VPS (64.50.188.14:9090)
+
+**Needs Cockpit:**
+- ❌ Command Center (63.143.34.217)
+- ❌ Billing VPS (38.68.14.188)
+- ❌ Panel VPS (45.94.168.138)
+- ❌ TX1 Dallas (38.68.14.26)
+- ❌ NC1 Charlotte (216.239.104.130)
+
+## Why This Matters
+
+**Problem:** Claude sessions block SSH (port 22), forcing reliance on existing Cockpit for Ghost VPS work.
+
+**Solution:** Cockpit on all servers = Chromebook can manage entire infrastructure via browser.
+
+**Benefits:**
+- No SSH client needed
+- Works on Chromebook natively
+- Web terminal + service management + resource monitoring
+- Port 9090 standard across all servers
+- Lightweight (~50MB RAM per server)
+
+## Files in This Task
+
+- **README.md** (this file) - Task overview
+- **deployment-plan.md** - Complete deployment strategy and technical details
+- **installation-commands.md** - Copy/paste ready commands in micro-blocks
+
+## How to Execute
+
+### Recommended Approach
+
+1. **Read deployment-plan.md** - Understand the full strategy
+2. **Pick a server to start with** (suggest Command Center first)
+3. **SSH into that server** (or use existing Cockpit if available)
+4. **Follow installation-commands.md** - Copy/paste each block in order
+5. **Test the Cockpit URL** in browser
+6. **Repeat for remaining servers**
+
+### Order Recommendation
+
+**Phase 1 (VPS tier - quick):**
+1. Command Center
+2. Billing VPS
+3. Panel VPS
+
+**Phase 2 (Dedicated tier):**
+4. TX1 Dallas
+5. NC1 Charlotte
+
+**Time estimate:** ~1 hour total (~10 min per server)
+
+## Success Criteria
+
+- [ ] All 6 servers accessible via `https://IP:9090`
+- [ ] Terminal tab functional on all servers
+- [ ] Services tab shows systemd units
+- [ ] System tab shows accurate resource usage
+- [ ] Michael can manage all servers from Chromebook
+
+## Security Notes
+
+Cockpit is secure by default:
+- HTTPS only (self-signed certificates)
+- Uses existing PAM authentication
+- No new user accounts created
+- No new attack surface (reuses SSH auth)
+
+## Rollback
+
+If any server has issues:
+```bash
+sudo systemctl stop cockpit.socket
+sudo systemctl disable cockpit.socket
+```
+
+Complete removal if needed:
+```bash
+sudo apt remove --purge cockpit
+```
+
+## Documentation Updates After Completion
+
+- [ ] Update `infrastructure-manifest.md` with Cockpit status
+- [ ] Add Cockpit URLs to server quick-reference
+- [ ] Update session-start docs with Chromebook access info
+
+## Related Tasks
+
+- None (standalone infrastructure enhancement)
+
+## Blocks
+
+- None
+
+## Blocked By
+
+- None
+
+---
+
+**Created:** March 21, 2026 (Session 37 - The Chronicler)  
+**Priority:** HIGH (enables Chromebook workflow)  
+**Estimated Time:** 1 hour  
+**Status:** READY TO EXECUTE

docs/tasks/cockpit-deployment/deployment-plan.md

@@ -0,0 +1,174 @@
+# Task: Deploy Cockpit to All Servers
+
+## Priority: HIGH
+**Reason:** Enable Chromebook-based management without SSH dependency
+
+## Current State
+
+**Servers with Cockpit:**
+- ✅ Ghost VPS (64.50.188.14:9090) - Currently operational
+
+**Servers needing Cockpit:**
+- ❌ Command Center (63.143.34.217)
+- ❌ Billing VPS (38.68.14.188)
+- ❌ Panel VPS (45.94.168.138)
+- ❌ TX1 Dallas (38.68.14.26)
+- ❌ NC1 Charlotte (216.239.104.130)
+
+## Why Cockpit
+
+**Benefits:**
+- Web-based terminal (no SSH client needed)
+- System resource monitoring
+- Service management (systemd)
+- Works perfectly on Chromebook
+- Port 9090 (standard, easy to remember)
+- Lightweight (~50MB RAM usage)
+
+**Use case:** Michael uses Chromebook frequently - Cockpit means full server access from any device with a browser.
+
+## Deployment Process (Per Server)
+
+### Standard Installation (Ubuntu/Debian)
+```bash
+# Update package list
+sudo apt update
+
+# Install Cockpit
+sudo apt install -y cockpit
+
+# Enable and start service
+sudo systemctl enable --now cockpit.socket
+
+# Verify it's running
+sudo systemctl status cockpit.socket
+
+# Check it's listening on port 9090
+sudo ss -tulpn | grep 9090
+```
+
+### Firewall Configuration
+```bash
+# Allow Cockpit through UFW (if enabled)
+sudo ufw allow 9090/tcp
+
+# Verify UFW status
+sudo ufw status
+```
+
+### Access Testing
+- URL format: `https://SERVER_IP:9090`
+- Login: Use existing server credentials (e.g., `architect` on Ghost VPS)
+- Accept self-signed certificate warning (expected for self-hosted)
+
+## Deployment Order (Recommended)
+
+**Phase 1: VPS Tier (Quick wins)**
+1. Command Center (63.143.34.217) - Backend hub
+2. Billing VPS (38.68.14.188) - Financial isolation
+3. Panel VPS (45.94.168.138) - Control plane
+
+**Phase 2: Dedicated Tier (Game servers)**
+4. TX1 Dallas (38.68.14.26) - 251GB RAM dedicated
+5. NC1 Charlotte (216.239.104.130) - 251GB RAM dedicated
+
+## Server-Specific Notes
+
+### Command Center (63.143.34.217)
+- **OS:** Ubuntu (verify version first)
+- **Current services:** Gitea, Uptime Kuma, Code-Server, Automation
+- **User:** Likely `root` or `frostystyle`
+- **Test after install:** Terminal access, service status view
+
+### Billing VPS (38.68.14.188)
+- **OS:** Ubuntu
+- **Current services:** Paymenter (8081), Mailcow (8080/8443)
+- **User:** Likely `root`
+- **Critical:** Don't interfere with Mailcow ports
+
+### Panel VPS (45.94.168.138)
+- **OS:** Ubuntu
+- **Current services:** Pterodactyl Panel
+- **User:** Likely `root` or `pterodactyl`
+- **Test after install:** Panel service status visible in Cockpit
+
+### TX1 Dallas (38.68.14.26)
+- **OS:** Ubuntu
+- **Current services:** Pterodactyl Wings, 7 game servers
+- **RAM:** 251GB
+- **User:** Likely `root`
+- **Test after install:** Resource monitoring shows all 251GB
+
+### NC1 Charlotte (216.239.104.130)
+- **OS:** Ubuntu
+- **Current services:** Pterodactyl Wings, 7 game servers
+- **RAM:** 251GB
+- **User:** Likely `root`
+- **Test after install:** Resource monitoring shows all 251GB
+
+## Post-Deployment Verification
+
+For each server:
+- [ ] Access Cockpit at https://IP:9090
+- [ ] Login with server credentials works
+- [ ] Terminal tab loads and is functional
+- [ ] Services tab shows systemd services
+- [ ] System tab shows CPU/RAM/disk correctly
+- [ ] Network tab shows interfaces
+- [ ] Logs tab accessible
+
+## Security Considerations
+
+**Cockpit is secure by default:**
+- HTTPS only (self-signed cert)
+- Uses existing PAM authentication
+- Session timeout configurable
+- No new attack surface (uses existing user accounts)
+
+**Additional hardening (optional):**
+- Limit Cockpit to specific IPs (via firewall)
+- Use SSH key authentication instead of passwords
+- Enable fail2ban for Cockpit login attempts
+
+## Success Criteria
+
+- [ ] All 6 servers have Cockpit accessible at port 9090
+- [ ] Michael can access any server from Chromebook via browser
+- [ ] Terminal functionality works on all servers
+- [ ] Service management works on all servers
+- [ ] No SSH dependency for basic server management
+
+## Rollback Plan
+
+If issues arise:
+```bash
+# Stop Cockpit
+sudo systemctl stop cockpit.socket
+
+# Disable Cockpit
+sudo systemctl disable cockpit.socket
+
+# Uninstall (if needed)
+sudo apt remove --purge cockpit
+```
+
+## Estimated Time
+
+- **Per VPS:** ~10 minutes (install + test)
+- **Per Dedicated:** ~10 minutes (install + test)
+- **Total:** ~1 hour for all 5 servers
+
+## Documentation Updates Needed
+
+After deployment:
+- [ ] Update infrastructure-manifest.md with Cockpit status
+- [ ] Add Cockpit access info to server quick-reference
+- [ ] Document standard Cockpit URL format in session-start docs
+- [ ] Update accessibility notes (Chromebook-friendly management)
+
+---
+
+**Created:** Session 37 (The Chronicler)  
+**Status:** READY TO EXECUTE  
+**Blocks:** None (enhances existing infrastructure)  
+**Enables:** Full Chromebook-based server management

docs/tasks/cockpit-deployment/installation-commands.md

@@ -0,0 +1,223 @@
+# Cockpit Installation Commands (Micro-Blocks)
+
+## Command Center (63.143.34.217)
+
+**Block 1: Update and install**
+```bash
+sudo apt update
+```
+
+**Block 2: Install Cockpit**
+```bash
+sudo apt install -y cockpit
+```
+
+**Block 3: Enable service**
+```bash
+sudo systemctl enable --now cockpit.socket
+```
+
+**Block 4: Check status**
+```bash
+sudo systemctl status cockpit.socket
+```
+
+**Block 5: Verify port**
+```bash
+sudo ss -tulpn | grep 9090
+```
+
+**Block 6: Open firewall (if UFW active)**
+```bash
+sudo ufw allow 9090/tcp
+```
+
+**Block 7: Test access**
+- Open browser: `https://63.143.34.217:9090`
+- Login with your server credentials
+- Accept the self-signed certificate warning
+- Verify Terminal tab works
+
+---
+
+## Billing VPS (38.68.14.188)
+
+**Block 1: Update and install**
+```bash
+sudo apt update
+```
+
+**Block 2: Install Cockpit**
+```bash
+sudo apt install -y cockpit
+```
+
+**Block 3: Enable service**
+```bash
+sudo systemctl enable --now cockpit.socket
+```
+
+**Block 4: Check status**
+```bash
+sudo systemctl status cockpit.socket
+```
+
+**Block 5: Verify port**
+```bash
+sudo ss -tulpn | grep 9090
+```
+
+**Block 6: Open firewall (if UFW active)**
+```bash
+sudo ufw allow 9090/tcp
+```
+
+**Block 7: Test access**
+- Open browser: `https://38.68.14.188:9090`
+- Login with your server credentials
+- Accept the self-signed certificate warning
+- Verify Terminal tab works
+
+---
+
+## Panel VPS (45.94.168.138)
+
+**Block 1: Update and install**
+```bash
+sudo apt update
+```
+
+**Block 2: Install Cockpit**
+```bash
+sudo apt install -y cockpit
+```
+
+**Block 3: Enable service**
+```bash
+sudo systemctl enable --now cockpit.socket
+```
+
+**Block 4: Check status**
+```bash
+sudo systemctl status cockpit.socket
+```
+
+**Block 5: Verify port**
+```bash
+sudo ss -tulpn | grep 9090
+```
+
+**Block 6: Open firewall (if UFW active)**
+```bash
+sudo ufw allow 9090/tcp
+```
+
+**Block 7: Test access**
+- Open browser: `https://45.94.168.138:9090`
+- Login with your server credentials
+- Accept the self-signed certificate warning
+- Verify Terminal tab works
+
+---
+
+## TX1 Dallas (38.68.14.26)
+
+**Block 1: Update and install**
+```bash
+sudo apt update
+```
+
+**Block 2: Install Cockpit**
+```bash
+sudo apt install -y cockpit
+```
+
+**Block 3: Enable service**
+```bash
+sudo systemctl enable --now cockpit.socket
+```
+
+**Block 4: Check status**
+```bash
+sudo systemctl status cockpit.socket
+```
+
+**Block 5: Verify port**
+```bash
+sudo ss -tulpn | grep 9090
+```
+
+**Block 6: Open firewall (if UFW active)**
+```bash
+sudo ufw allow 9090/tcp
+```
+
+**Block 7: Test access**
+- Open browser: `https://38.68.14.26:9090`
+- Login with your server credentials
+- Accept the self-signed certificate warning
+- Verify Terminal tab works
+
+---
+
+## NC1 Charlotte (216.239.104.130)
+
+**Block 1: Update and install**
+```bash
+sudo apt update
+```
+
+**Block 2: Install Cockpit**
+```bash
+sudo apt install -y cockpit
+```
+
+**Block 3: Enable service**
+```bash
+sudo systemctl enable --now cockpit.socket
+```
+
+**Block 4: Check status**
+```bash
+sudo systemctl status cockpit.socket
+```
+
+**Block 5: Verify port**
+```bash
+sudo ss -tulpn | grep 9090
+```
+
+**Block 6: Open firewall (if UFW active)**
+```bash
+sudo ufw allow 9090/tcp
+```
+
+**Block 7: Test access**
+- Open browser: `https://216.239.104.130:9090`
+- Login with your server credentials
+- Accept the self-signed certificate warning
+- Verify Terminal tab works
+
+---
+
+## Quick Reference After Install
+
+**All Cockpit URLs:**
+- Command Center: `https://63.143.34.217:9090`
+- Ghost VPS: `https://64.50.188.14:9090` (already working)
+- Billing VPS: `https://38.68.14.188:9090`
+- Panel VPS: `https://45.94.168.138:9090`
+- TX1 Dallas: `https://38.68.14.26:9090`
+- NC1 Charlotte: `https://216.239.104.130:9090`
+
+**Expected behavior:**
+- Browser shows security warning (self-signed cert) - click "Advanced" → "Proceed"
+- Login screen appears
+- Use your normal server SSH username/password
+- Terminal tab = full command line access
+- Services tab = systemd service management
+- System tab = resource monitoring
+
+---
+
+**Note:** Commands are in micro-blocks (8-10 lines max) for easy copy/paste execution.