docs: update runbook — sshpass for EC2 SSH, no key decryption needed

Replace openssl pkey decryption with direct sshpass passphrase handling. Use original key file directly. Added VPN note. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 20:12:25 +00:00 · 2026-04-12 16:50:58 +05:30
parent 636badfa31
commit 5a24bbde0a
1 changed files with 23 additions and 21 deletions
--- a/docs/developer-operations-runbook.md
+++ b/docs/developer-operations-runbook.md
@@ -36,38 +36,35 @@ Docker Compose stack (EC2 — 13.234.31.194):
 ## EC2 Access
 ```bash
-# SSH into EC2
+# SSH into EC2 (key passphrase handled by sshpass)
-ssh -i /tmp/ramaiah-ec2-key -o StrictHostKeyChecking=no ubuntu@13.234.31.194
+SSHPASS='SasiSuman@2007' sshpass -P "Enter passphrase" -e \
  ssh -i ~/Downloads/fortytwoai_hostinger -o StrictHostKeyChecking=no ubuntu@13.234.31.194
 ```
 | Detail | Value |
 |---|---|
 | Host | `13.234.31.194` |
 | User | `ubuntu` |
-| SSH key | `/tmp/ramaiah-ec2-key` (decrypted from `~/Downloads/fortytwoai_hostinger`) |
+| SSH key | `~/Downloads/fortytwoai_hostinger` (passphrase-protected) |
 | Passphrase | `SasiSuman@2007` |
 | Docker compose dir | `/opt/fortytwo` |
 | Frontend static files | `/opt/fortytwo/helix-engage-frontend` |
 | Caddyfile | `/opt/fortytwo/Caddyfile` |
-### SSH Key Setup
+### SSH Helper
-The key at `~/Downloads/fortytwoai_hostinger` is passphrase-protected (`SasiSuman@2007`).
+The key is passphrase-protected. Use `sshpass` to supply the passphrase non-interactively.
-Create a decrypted copy for non-interactive use:
+No need to decrypt or copy the key — use the original file directly.
 ```bash
-# One-time setup
+# SSH shorthand
-openssl pkey -in ~/Downloads/fortytwoai_hostinger -out /tmp/ramaiah-ec2-key
+EC2_SSH="SSHPASS='SasiSuman@2007' sshpass -P 'Enter passphrase' -e ssh -i ~/Downloads/fortytwoai_hostinger -o StrictHostKeyChecking=no ubuntu@13.234.31.194"
 chmod 600 /tmp/ramaiah-ec2-key
 # Verify
-ssh -i /tmp/ramaiah-ec2-key ubuntu@13.234.31.194 hostname
+eval $EC2_SSH hostname
 ```
-### Handy alias
+> **Note:** VPN may block port 22 to AWS. Disconnect VPN before SSH.
 ```bash
 alias ec2="ssh -i /tmp/ramaiah-ec2-key -o StrictHostKeyChecking=no ubuntu@13.234.31.194"
 ```
 ---
@@ -155,29 +152,34 @@ REDIS_URL=redis://localhost:6379
 ### Frontend
 ```bash
 # Helper — reuse in all commands below
 EC2="SSHPASS='SasiSuman@2007' sshpass -P 'Enter passphrase' -e ssh -i ~/Downloads/fortytwoai_hostinger -o StrictHostKeyChecking=no ubuntu@13.234.31.194"
 EC2_RSYNC="SSHPASS='SasiSuman@2007' sshpass -P 'Enter passphrase' -e ssh -i ~/Downloads/fortytwoai_hostinger -o StrictHostKeyChecking=no"
 cd helix-engage && npm run build
-rsync -avz -e "ssh -i /tmp/ramaiah-ec2-key -o StrictHostKeyChecking=no" \
+rsync -avz -e "$EC2_RSYNC" \
  dist/ ubuntu@13.234.31.194:/opt/fortytwo/helix-engage-frontend/
-ssh -i /tmp/ramaiah-ec2-key ubuntu@13.234.31.194 \
+eval $EC2 "cd /opt/fortytwo && sudo docker compose restart caddy"
  "cd /opt/fortytwo && sudo docker compose restart caddy"
 ```
-### Sidecar (quick — code only, no new dependencies)
+### Sidecar
 ```bash
 cd helix-engage-server
 # 1. Login to ECR
 aws ecr get-login-password --region ap-south-1 | \
  docker login --username AWS --password-stdin 043728036361.dkr.ecr.ap-south-1.amazonaws.com
 # 2. Build and push Docker image
 docker buildx build --platform linux/amd64 \
  -t 043728036361.dkr.ecr.ap-south-1.amazonaws.com/fortytwo-eap/helix-engage-sidecar:alpha \
  --push .
-ssh -i /tmp/ramaiah-ec2-key ubuntu@13.234.31.194 \
+# 3. Pull and restart on EC2
-  "cd /opt/fortytwo && sudo docker compose pull sidecar-ramaiah sidecar-global && sudo docker compose up -d sidecar-ramaiah sidecar-global"
+eval $EC2 "cd /opt/fortytwo && sudo docker compose pull sidecar-ramaiah sidecar-global && sudo docker compose up -d sidecar-ramaiah sidecar-global"
 ```
 ### How to decide