firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity
Files
a6a53e27a74df079eae55972fe695aee00a685cf
firefrost-operations-manual/docs/tasks/whitelist-manager/README.md
Claude 5e7849fab9 docs: Add Command Center security hardening deployment guide 
Created comprehensive security hardening guide (500+ lines):

Defense-in-Depth Strategy:
- Layer 1: Fail2Ban auto-banning
- Layer 2: SSH key-only authentication
- Layer 3: UFW firewall optimization

5-Phase Deployment (1 hour total):
- Phase 1: Test SSH key access (CRITICAL - prevents lockout)
- Phase 2: Install and configure Fail2Ban (20 min)
- Phase 3: SSH hardening (20 min)
- Phase 4: UFW firewall review (15 min)
- Phase 5: Additional security (automatic updates, AIDE)

Security Features:
- Fail2Ban monitors SSH, Nginx, bad bots
- SSH: Key-only auth, MaxAuthTries=3, rate limiting
- UFW: Management IP whitelist, unnecessary ports closed
- Automatic security updates
- File integrity checking (AIDE)

Critical Safety Measures:
- Mandatory SSH key testing before disabling passwords
- Keep session open while testing
- Backup access via console/IPMI
- Step-by-step verification at each phase
- Comprehensive troubleshooting (lockout recovery)

Monitoring & Maintenance:
- Daily: Check Fail2Ban bans and auth logs
- Weekly: Review UFW logs and security updates
- Monthly: AIDE file integrity check

Ready to deploy when SSH access available.
Risk level: MEDIUM (can lock out if keys not tested)

Task: Command Center Security Hardening (Tier 1)
FFG-STD-002 compliant
2026-02-17 23:59:44 +00:00

223 lines
5.4 KiB
Markdown
Raw Blame History

# Whitelist Manager Web Dashboard
**Status:** DEPLOYMENT READY
**Owner:** Michael "Frostystyle" Krause
**Priority:** Tier 0 - Immediate Win
**Last Updated:** 2026-02-17
**Time Estimate:** 30-45 minutes deployment
---
## Quick Links
- [Deployment Plan](deployment-plan.md) - Complete 6-phase build guide
- [Prerequisites](prerequisites.md) - What you need before starting
- *(usage-guide.md - To be created after deployment)*
- *(troubleshooting.md - To be created after deployment)*
---
## Overview
Web dashboard at `whitelist.firefrostgaming.com` for managing player whitelists across all 11 Minecraft servers. Replaces manual SSH and Pterodactyl console work.
**The Problem:**
- Currently requires manual SSH to each node (TX1, NC1)
- Update whitelist on each server individually via Pterodactyl console
- Time-consuming (15+ minutes per change)
- Error-prone
- No visibility into current whitelist status
**The Solution:**
- Web interface with server list and status
- Toggle whitelist ON/OFF per server (one click)
- Add/remove players from individual servers
- Bulk add/remove across all servers
- Staff-accessible (Michael, Meg, trusted staff)
---
## Key Deliverables
- **Web Dashboard:** `whitelist.firefrostgaming.com`
- **Backend:** Python Flask application
- **Frontend:** HTML + TailwindCSS responsive design
- **Authentication:** Basic auth (username/password) via HTTPS
- **Hosting:** Billing VPS (38.68.14.188, Chicago) - "Money on Billing" principle
---
## Managed Servers
**11 Minecraft Servers:**
**Texas Node (TX1):**
- Reclamation
- Stoneblock 4
- Society: Sunlit Valley
- Vanilla 1.21.11
- All The Mons
**North Carolina Node (NC1):**
- The Ember Project
- Minecolonies: Create and Conquer
- All The Mods 10
- Homestead
- EMC Subterra Tech
**Excluded (Non-Minecraft):**
- FoundryVTT (TX)
- Hytale (NC)
---
## Tech Stack
- **Backend:** Python 3 + Flask
- **API Integration:** Pterodactyl API v1 (console commands)
- **Frontend:** HTML5 + TailwindCSS
- **Web Server:** Nginx (reverse proxy)
- **SSL:** Let's Encrypt
- **Process Manager:** systemd
- **Authentication:** Flask-HTTPAuth (basic auth)
---
## Success Metrics
-**15-minute task → 30 seconds** (time savings)
-**Zero-error whitelist management** (reliability)
-**Full visibility** across all servers (transparency)
-**Staff accessible** without SSH access (usability)
---
## Dependencies
**Blocks:**
- None (standalone tool)
**Blocked By:**
- None (ready to build)
**Prerequisites:**
- Pterodactyl panel URL and API key
- Ghost VPS SSH access
- DNS A record: `whitelist.firefrostgaming.com` → Ghost VPS IP
- Admin credentials for dashboard
---
## Current Status
**COMPLETE - Ready for Deployment:**
- ✅ Complete Flask web application built
- ✅ Fire & Frost themed TailwindCSS UI
- ✅ Pterodactyl API integration complete
- ✅ All configuration files created
- ✅ Deployment scripts and guides ready
- ✅ Security implemented (HTTPS, auth, API key management)
-**Awaiting SSH access to Billing VPS for deployment**
**Deployment Package Location:**
`/deployments/whitelist-manager/` in operations manual repository
**Next Steps:**
1. Obtain SSH access to Billing VPS (38.68.14.188)
2. Configure DNS: `whitelist.firefrostgaming.com``38.68.14.188`
3. Run deployment (30-45 minutes using provided scripts)
4. Test all functions
5. Document credentials in Vaultwarden
---
## Documentation in This Directory
### Core Documents
**deployment-plan.md** (40+ pages)
- Complete 6-phase deployment guide
- Prerequisites checklist
- Code examples (Flask, Nginx, systemd)
- Testing procedures
- Security considerations
- Maintenance guidelines
- Future enhancements roadmap
**prerequisites.md**
- Pterodactyl API access
- Ghost VPS requirements
- DNS configuration
- Authentication setup
### To Be Created
**usage-guide.md** (after deployment)
- Staff usage instructions
- Common workflows
- Access control
- Screenshots
**troubleshooting.md** (after deployment)
- Common issues and solutions
- Error messages
- Recovery procedures
- Service restart procedures
**maintenance.md** (after deployment)
- Daily/weekly/monthly tasks
- Update procedures
- Log rotation
- Health checks
---
## Future Enhancements (Phase 2)
**Discord Bot Integration:**
- `/whitelist add player` command in Discord
- Automated notifications when players added/removed
**Paymenter Integration:**
- Auto-whitelist on subscription payment
- Auto-remove on subscription cancellation
- Grace period handling
**Advanced Features:**
- Whitelist sync verification (ensure all servers match)
- Player activity tracking
- Automated whitelist backups
- Whitelist import/export (CSV)
- Bulk operations via file upload
**UI Improvements:**
- Real-time server status indicators
- Player search/filter
- Recent changes history
- Multi-server checkbox selection
**Authentication Upgrades:**
- SSO integration with Wiki.js
- Role-based permissions (admin/moderator/viewer)
- 2FA support
- API tokens for automation
---
## Related Documents
- [Task Documentation Standard](../../standards/task-documentation-standard.md) - Standard this task follows
- [Tasks Master List](../../core/tasks.md) - High-level task entry
- *(Infrastructure Manifest - for Ghost VPS details)*
- *(Pterodactyl deployment docs - for API context)*
---
**Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️
---
**Document Status:** ACTIVE
**Task Status:** Planning
**Ready to Build:** Yes (awaiting medical clearance)
Reference in New Issue View Git Blame Copy Permalink