Operations
Runbook 01 — Vidot: Access and security
Main server for the "SoConnective" platform. This document guarantees that you never lose access. Keep it. Secrets are NOT here (see §Secrets).
1. Server identity
| Field | Value |
|---|---|
| Name | Vidot |
| Provider | IONOS |
| Public IP | 216.250.119.216 |
| OS | Ubuntu 24.04.4 LTS (kernel 6.8) |
| Resources | 4 vCPU · 8 GB RAM · 232 GB disk |
| Role | Platform: web + dashboard + CMS + Coolify |
2. How I access it (me, Pamela) — NORMAL METHOD
Access via SSH key (password access is no longer available, for security).
ssh -i <path_to_your_private_key> root@216.250.119.216
- Authorized keys on the server (/root/.ssh/authorized_keys): 2
  - Your deployment key (the one you already had).
  - The Claude Code key (claude-code-feedback-os), private on the work machine (~/.ssh/fs_vidot).
- Your private key is the counterpart to your deployment key. Store it in your password manager and back it up.
Adding a new device (another laptop)
On your new machine, generate a key and add the public one to the server:
ssh-keygen -t ed25519 -f ~/.ssh/fs_vidot -C "pamela-laptop"
# copy the contents of ~/.ssh/fs_vidot.pub and, from a machine that ALREADY has access:
echo "YOUR_PUBLIC_KEY" >> /root/.ssh/authorized_keys
3. How I access it if I lose the key — EMERGENCY METHOD
- Go to the IONOS panel → Vidot server → Rescue console / KVM.
- Log in to the console with the root user and the rescue password (stored in your password manager — see §Secrets).
- From there you can re-add an SSH key to /root/.ssh/authorized_keys.
The IONOS rescue console does not use SSH or the firewall, so it is always your lifeline even if SSH fails.
4. Applied security measures (2026-06-09)
| Measure | Detail |
|---|---|
| SSH key-only | PasswordAuthentication no, PermitRootLogin prohibit-password (/etc/ssh/sshd_config.d/99-hardening.conf) |
| UFW firewall | deny inbound by default; only 22 (SSH), 80 (HTTP), 443 (HTTPS) are open |
| fail2ban | Bans IPs after 5 failed SSH attempts (1 h ban) |
| 8 GB swap | /swapfile (prevents crashes from running out of memory, like the ffmpeg OOM) |
| Auto-updates | unattended-upgrades applies security patches automatically |
| Old project | vidot.service + Caddy stopped and disabled (code intact in /opt/vidot) |
Check the security status
ufw status verbose # firewall
systemctl is-active fail2ban
swapon --show # swap
ss -tlnp # listening ports
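One way to script the checks above so drift from the table in §4 is caught automatically, as an added example that is not part of the original runbook. It reads the effective settings from `sshd -T` rather than the drop-in file, because sshd keeps the first value it reads for each keyword, so a file that sorts earlier in /etc/ssh/sshd_config.d can take precedence over 99-hardening.conf. The function names and the sample rule set are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original runbook. Each checker reads command
# output on stdin and returns 0 (pass) or 1 (fail), so it can be tested offline.

# Input: `sshd -T` output (effective config, lowercase keywords).
# sshd -T may report prohibit-password under its older alias without-password,
# so both spellings are accepted.
check_sshd() {
  awk '
    $1 == "passwordauthentication" { pa = $2 }
    $1 == "permitrootlogin"        { prl = $2 }
    END {
      ok = (pa == "no") && (prl == "prohibit-password" || prl == "without-password")
      exit !ok
    }'
}

# Input: `ufw status verbose` output. Passes only if ufw is active, the inbound
# default is deny, and every ALLOW IN rule names port 22, 80 or 443. Rules
# written as app profiles or port lists are reported as unexpected.
check_ufw() {
  awk '
    /^Status: active/             { active = 1 }
    /^Default: deny \(incoming\)/ { deny = 1 }
    / ALLOW IN / {
      port = $1; sub(/\/.*/, "", port)   # "22/tcp" -> "22"
      if (port != "22" && port != "80" && port != "443") extra = 1
    }
    END { exit !(active && deny && !extra) }'
}

# Constructed sample: a rule set with one port the runbook does not list.
SAMPLE_UFW_DRIFT='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
8000/tcp                   ALLOW IN    Anywhere'

# On the server, as root: feed the live output to the checkers.
audit_live() {
  if sshd -T | check_sshd; then echo "sshd: OK"; else echo "sshd: FAIL"; fi
  if ufw status verbose | check_ufw; then echo "ufw: OK"; else echo "ufw: FAIL"; fi
}
```

Source the file on the server and run `audit_live` as root; a FAIL on the sshd line with 99-hardening.conf still in place points to another file setting the same keyword first.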
5. Secrets (NOT stored in this repo)
Store only in your password manager (Bitwarden/1Password/…):
- IONOS root rescue password (the one from the panel; rotate it since it circulated over chat).
- SSH private keys.
- Future Coolify, Payload, and database credentials.
Policy: no secrets in git or in the documentation. In the code, via environment variables (.env, ignored by git).
6. Pending / next steps
- Install Coolify (the panel port will be protected behind a domain + HTTPS or an SSH tunnel).
- Rotate the IONOS rescue password.
- Schedule automatic database backups.