Add DB connection string to ops manual, add administration notes, remove stale deploy guide

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 22:34:56 +03:00 · 2026-04-10 22:34:56 +03:00 · d534aceadc
commit d534aceadc
parent 05993100e9
3 changed files with 17 additions and 379 deletions
--- a/OPERATIONS_MANUAL.md
+++ b/OPERATIONS_MANUAL.md
@ -1,6 +1,9 @@
 # Fireside Communications — Tracksolid Pro Telemetry Stack
 ## Operations Manual & Verification Guide
 connection string  docker exec -it timescale_db-bo3nov2ija7g8wn9b1g2paxs-210508774107 psql -U postgres -d tracksolid_db
 ---
 ## 1. Service Architecture
--- a/administration/ingest_movement_dockerps.md
+++ b/administration/ingest_movement_dockerps.md
@ -0,0 +1,14 @@
 docker logs -f ingest_events-bo3nov2ija7g8wn9b1g2paxs-162026778012
 docker logs -f ingest_movement-bo3nov2ija7g8wn9b1g2paxs-162026773516
  Or to see both at once with labels, use --tail to get the last N lines:
  # Last 50 lines from each
 docker logs --tail 50 ingest_events-bo3nov2ija7g8wn9b1g2paxs-162026778012
 docker logs --tail 50 ingest_movement-bo3nov2ija7g8wn9b1g2paxs-162026773516
  To follow both simultaneously in split view:
  # Option 1: Follow both in one terminal (prefixed)
 docker logs -f ingest_events-bo3nov2ija7g8wn9b1g2paxs-162026778012 2>&1 | sed 's/^/[EVENTS] /' &
 docker logs -f ingest_movement-bo3nov2ija7g8wn9b1g2paxs-162026773516 2>&1 | sed 's/^/[MOVEMENT] /'
--- a/deployInstance.md
+++ b/deployInstance.md
@ -1,379 +0,0 @@
 # Ubuntu Server Instance Setup Guide
 ## Table of Contents
 1. [Initial System Update](#1-initial-system-update)
 2. [Hostname & Timezone](#2-hostname--timezone)
 3. [Create a Sudo User](#3-create-a-sudo-user)
 4. [SSH Hardening](#4-ssh-hardening)
 5. [Copy SSH Key](#5-copy-ssh-key)
 6. [UFW Firewall](#6-ufw-firewall)
 7. [CrowdSec Intrusion Detection](#7-crowdsec-intrusion-detection)
 8. [Shell Setup (Zsh)](#8-shell-setup-zsh)
 9. [Verify Instance Settings](#9-verify-instance-settings)
 ---
 ## 1. Initial System Update
 ```bash
 sudo apt update && sudo apt upgrade -y
 sudo apt autoremove -y
 ```
 ---
 ## 2. Hostname & Timezone
 ```bash
 # Set hostname
 sudo hostnamectl set-hostname your-hostname
 # Set timezone to Nairobi
 sudo timedatectl set-timezone Africa/Nairobi
 # Enable NTP time sync
 sudo timedatectl set-ntp true
 sudo apt install systemd-timesyncd -y
 sudo systemctl enable --now systemd-timesyncd
 # Verify
 hostnamectl
 timedatectl status
 ```
 Expected NTP output:
 ```
 NTP service: active
 System clock synchronized: yes
 ```
 ---
 ## 3. Create a Sudo User
 ```bash
 # Create user
 sudo adduser username
 # Add to sudo group
 sudo usermod -aG sudo username
 # Verify
 groups username
 ```
 ---
 ## 4. SSH Hardening
 > **Important:** Copy your SSH key (Step 5) BEFORE disabling password authentication or you will lock yourself out.
 ```bash
 sudo nano /etc/ssh/sshd_config
 ```
 Set the following values:
 ```bash
 # Disable root login
 PermitRootLogin no
 # Disable password authentication (keys only — do AFTER copying SSH key)
 PasswordAuthentication no
 # Disable empty passwords
 PermitEmptyPasswords no
 # Only allow specific users
 AllowUsers your-username
 # Disable X11 forwarding
 X11Forwarding no
 # Reduce login grace time
 LoginGraceTime 30
 # Limit authentication attempts
 MaxAuthTries 3
 # Limit simultaneous unauthenticated connections
 MaxStartups 3:50:10
 # Disable unused authentication methods
 ChallengeResponseAuthentication no
 KerberosAuthentication no
 GSSAPIAuthentication no
 # SSH protocol 2 only
 Protocol 2
 # Idle timeout (10 minutes)
 ClientAliveInterval 300
 ClientAliveCountMax 2
 ```
 Optionally change the default SSH port (reduces bot noise):
 ```bash
 Port 2222
 ```
 Test config and restart:
 ```bash
 sudo sshd -t          # test for errors first
 sudo systemctl restart sshd
 ```
 > **Before closing your session** open a second SSH connection to confirm you can still log in.
 If you changed the port, update UFW before restarting sshd:
 ```bash
 sudo ufw allow 2222/tcp
 sudo ufw delete allow ssh
 sudo systemctl restart sshd
 ```
 Connect going forward with:
 ```bash
 ssh -p 2222 username@server-ip
 ```
 ---
 ## 5. Copy SSH Key
 Run this from your **local machine**:
 ```bash
 ssh-copy-id username@server-ip
 # If using a non-standard port
 ssh-copy-id -p 2222 username@server-ip
 # If specifying a key explicitly
 ssh-copy-id -i ~/.ssh/id_rsa.pub username@server-ip
 ```
 Test passwordless login:
 ```bash
 ssh username@server-ip
 ```
 ---
 ## 6. UFW Firewall
 ```bash
 # Set default rules
 sudo ufw default deny incoming
 sudo ufw default allow outgoing
 # Allow SSH (do this BEFORE enabling)
 sudo ufw allow ssh
 # Or if using custom port:
 sudo ufw allow 2222/tcp
 # Allow web traffic
 sudo ufw allow 80/tcp
 sudo ufw allow 443/tcp
 # Enable firewall
 sudo ufw enable
 # Verify
 sudo ufw status verbose
 ```
 Add any additional ports your services need:
 ```bash
 # Grafana
 sudo ufw allow 3000/tcp
 # Webhook receiver
 sudo ufw allow 8888/tcp
 # PostgreSQL (only if external access needed)
 sudo ufw allow 5432/tcp
 ```
 ---
 ## 7. CrowdSec Intrusion Detection
 ### Install CrowdSec
 ```bash
 curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
 sudo apt install crowdsec -y
 ```
 ### Install Firewall Bouncer
 ```bash
 sudo apt install crowdsec-firewall-bouncer -y
 ```
 ### Configure for nftables (default on Ubuntu 22+)
 ```bash
 sudo nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
 ```
 Confirm top of file:
 ```yaml
 mode: ${BACKEND}
 ```
 Ensure nftables is enabled:
 ```yaml
 nftables:
  ipv4:
    enabled: true
  ipv6:
    enabled: false
 ```
 Restart bouncer:
 ```bash
 sudo systemctl restart crowdsec-firewall-bouncer
 sudo systemctl status crowdsec-firewall-bouncer
 ```
 ### Enroll with CrowdSec Console (Recommended)
 Register at `https://app.crowdsec.net`, grab your enroll key, then:
 ```bash
 sudo cscli console enroll <your-enroll-key>
 sudo systemctl restart crowdsec
 ```
 ### Update Collections
 ```bash
 sudo cscli hub update
 sudo cscli collections upgrade --all
 ```
 ### Whitelist Your Own IP
 ```bash
 sudo nano /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
 ```
 ```yaml
 name: crowdsecurity/whitelists
 description: "Whitelist trusted IPs"
 whitelist:
  reason: "trusted management IPs"
  ip:
    - "<your-home-ip>"
    - "<your-vpn-ip>"
 ```
 ```bash
 sudo systemctl restart crowdsec
 ```
 ### Test CrowdSec Is Working
 ```bash
 # Add a test ban
 sudo cscli decisions add --ip 1.2.3.4 --duration 5m --reason "test"
 # Verify it registered
 sudo cscli decisions list
 # Remove the test ban
 sudo cscli decisions delete --ip 1.2.3.4
 ```
 ### Useful CrowdSec Commands
 ```bash
 sudo cscli decisions list          # active bans
 sudo cscli alerts list             # recent alerts
 sudo cscli bouncers list           # registered bouncers
 sudo cscli collections list        # installed collections
 sudo cscli metrics                 # ingestion metrics
 ```
 ---
 ## 8. Shell Setup (Zsh)
 ```bash
 # Install zsh
 sudo apt install zsh -y
 # Set as default shell
 chsh -s $(which zsh)
 ```
 Log out and back in, then verify:
 ```bash
 echo $SHELL   # should return /usr/bin/zsh
 ```
 Optional — install Oh My Zsh:
 ```bash
 sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
 ```
 ---
 ## 9. Verify Instance Settings
 Run this to get a full summary of the instance:
 ```bash
 echo "=== HOSTNAME ===" && hostnamectl | grep -E "hostname|OS|Kernel" && \
 echo "=== CPU ===" && lscpu | grep -E "Model name|CPU\(s\):" && \
 echo "=== RAM ===" && free -h | grep Mem && \
 echo "=== DISK ===" && df -h / && \
 echo "=== IP ===" && ip addr show | grep "inet " && \
 echo "=== TIMEZONE ===" && timedatectl | grep -E "Time zone|NTP|synchronized"
 ```
 Or individually:
 ```bash
 hostnamectl                          # hostname, OS, kernel
 lscpu | grep -E "Model|CPU\(s\)"    # CPU
 free -h                              # RAM
 df -h                                # disk
 ip addr show                         # network interfaces
 ss -tlnp                             # listening ports
 timedatectl                          # timezone and NTP
 sudo ufw status verbose              # firewall rules
 sudo systemctl status crowdsec       # CrowdSec status
 sudo systemctl status crowdsec-firewall-bouncer  # bouncer status
 ```
 ---
 ## Quick Reference Checklist
 - [ ] System updated (`apt update && apt upgrade`)
 - [ ] Hostname set
 - [ ] Timezone set to `Africa/Nairobi`
 - [ ] NTP enabled and syncing
 - [ ] Sudo user created
 - [ ] SSH key copied to server
 - [ ] SSH hardened (no root login, no password auth)
 - [ ] UFW enabled with correct ports open
 - [ ] CrowdSec installed and running
 - [ ] Firewall bouncer installed and running
 - [ ] Own IP whitelisted in CrowdSec
 - [ ] Zsh set as default shell