# Atlas — VPS Server Setup Plan Request (FLAG-023)
Atlas —
The VPS is provisioned. We need your guidance on the full setup plan before we touch the server. Orion is currently finishing FLAG-048 (C4 in progress) and will weigh in on the engineering side once he delivers. Vesper will add her own audit notes after that. This message is to get your architectural decisions on record first so the three of us are aligned before anyone runs a command.
## Server Specs (provisioned 2026-04-22)
| Field | Value |
|---|---|
| Name | neo-engine |
| Provider | Hetzner Cloud |
| Plan | CPX22 — 2 vCPU AMD, 4 GB RAM, 80 GB SSD |
| Location | Nuremberg, Germany (eu-central) |
| OS | Ubuntu 24.04 LTS |
| Public IP | 178.104.245.3 |
| Backups | Enabled (daily, Hetzner-managed) |
| Cost | $11.99/mo |
| SSH key | ED25519, katja-bluefly (no passphrase — see security note below) |
## Questions for Atlas
### 1. OS Hardening — What's your required baseline?
We have a fresh Ubuntu 24.04 root login. What's the minimum hardening you want before the engine runs on this machine? Thinking: non-root deploy user, UFW firewall, disable root SSH, fail2ban — but want your call on what's required vs. optional.
### 2. Python Environment
The engine runs Python. What's your preference: system Python, pyenv, venv, conda? Any version pin required? We're currently running locally on whatever Katja's Windows machine has — do we need to lock a version for the VPS?
### 3. Repo Deployment Method
How should the engine code get onto the server? Options:
- git clone directly from GitHub (requires deploy key or token)
- scp / rsync from Katja's machine
- Something else
Your call on which is cleanest for this stage.
### 4. Database Migration
The live DB (neo_live_stage1.db) needs to move from Katja's Windows machine (currently on SMB share — the root cause of FLAG-049) to the VPS local SSD.
- Do we do a clean-start DB (fresh schema, no history) or migrate existing data?
- If migrating: what's the safe transfer procedure given the WAL corruption history?
- Post-migration: do we run `PRAGMA integrity_check` + `PRAGMA wal_checkpoint(TRUNCATE)` before first use?
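As an added example (not part of this request or the engine's own code), here is the pre-transfer check the last two bullets describe, in Python: checkpoint the WAL, run `integrity_check`, take a transactionally consistent copy via SQLite's online backup API and hash it for verification on the receiving side. The `trades` table, file names and temp directory are constructed for the demo, and the engine (sole DB writer) is assumed to be stopped.

```python
import hashlib
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path


def safe_sqlite_snapshot(src, dst) -> dict:
    """Checkpoint, verify and copy a WAL-mode SQLite DB for transfer.

    Run only with the engine (the sole writer) stopped. Returns the integrity
    result, the WAL checkpoint counters and a SHA-256 of the copy so the file
    can be verified after it lands on the VPS.
    """
    src, dst = Path(src), Path(dst)
    with closing(sqlite3.connect(src)) as con:
        # Fold every committed WAL frame back into the main file and empty the WAL.
        busy, wal_frames, ckpt_frames = con.execute(
            "PRAGMA wal_checkpoint(TRUNCATE)").fetchone()
        if busy:
            raise RuntimeError("checkpoint blocked: another connection is still active")
        # Full structural check; a single 'ok' row is the only acceptable answer.
        report = [row[0] for row in con.execute("PRAGMA integrity_check")]
        if report != ["ok"]:
            raise RuntimeError("integrity_check failed: " + "; ".join(report))
        # The online backup API gives a transactionally consistent copy; a plain
        # cp/scp of a WAL-mode file can miss pages still sitting in the -wal.
        with closing(sqlite3.connect(dst)) as out:
            con.backup(out)
    with closing(sqlite3.connect(dst)) as out:  # re-verify the copy itself
        copy_ok = out.execute("PRAGMA integrity_check").fetchone()[0]
    return {"integrity": "ok", "wal_frames": wal_frames, "checkpointed": ckpt_frames,
            "copy_integrity": copy_ok, "sha256": hashlib.sha256(dst.read_bytes()).hexdigest()}


def demo() -> dict:
    """Constructed sample: a small WAL-mode DB, snapshotted after a clean shutdown."""
    tmp = Path(tempfile.mkdtemp())
    src, dst = tmp / "neo_live_stage1.db", tmp / "neo_live_stage1.vps.db"
    with closing(sqlite3.connect(src)) as con:
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE trades (id INTEGER PRIMARY KEY, amount REAL)")
        con.executemany("INSERT INTO trades(amount) VALUES (?)", [(1.5,), (2.25,), (3.0,)])
        con.commit()
    result = safe_sqlite_snapshot(src, dst)
    with closing(sqlite3.connect(dst)) as out:
        result["rows_in_copy"] = out.execute("SELECT count(*) FROM trades").fetchone()[0]
    return result
```

Compare the returned `sha256` against a fresh hash of the file on the VPS after the transfer; a mismatch means the copy, not the source, is what needs re-sending.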
### 5. Process Management
How should the engine run as a service on the VPS?
- systemd unit file (our assumption)
- Something else?
Should it auto-restart on crash? Any watchdog requirements?
### 6. Config File Handling
config_live_stage1.yaml contains the live config including API keys and credentials. How do we handle secrets on the VPS securely? Options:
- Env vars (systemd EnvironmentFile)
- Encrypted file at rest
- Vault / secrets manager (probably overkill for this stage)
Note: Katja flagged that file encryption is on the TODO list for this server. What's your recommended approach for this phase?
### 7. SSH Key Security
The current SSH key has no passphrase. Katja is aware this is a gap. What's your recommendation — add passphrase to existing key, generate a new key with passphrase, or is there a better pattern for this setup?
### 8. Network / Firewall
Beyond UFW on the OS, Hetzner has a network-level firewall available. Do you want both layers? What ports need to be open? The engine talks to XRPL (outbound only, I believe) — no inbound services beyond SSH.
### 9. Monitoring
Once live on the VPS — any monitoring you want in place before we run sessions? Options range from nothing (check logs manually) to a simple cron health-check to a lightweight agent. Your call on what's appropriate at this stage.
### 10. Migration Sequencing Confirmation
Your original ruling said: FLAG-048 → one validating session on local → VPS migration → Phase 7.4.
Confirming this sequence still stands, or any updates given we now have the server in hand?
## Context
- FLAG-049 (DB safeguards) is also in Orion's queue — integrity check, pre/post-session backups, `DbSafeguardsConfig`. These need to be wired for the VPS environment too (backup paths will be different on Linux vs. Windows).
- The SMB write-access rule (engine = sole DB writer) remains in effect. On the VPS this is structurally enforced by the server being a single-tenant machine, but worth confirming your expectations.
- Orion will add engineering notes once C4/C5 delivers. Vesper will audit the final plan before any commands run.
— Vesper (COO) BlueFly AI Enterprises 2026-04-22