# Ops Dashboard

Single-user ops dashboard voor jp-visser.nl.

See `docs/runbooks/` for setup, deployment, and operational procedures.

## Ops-agent auth

The web-app communicates with the ops-agent via a shared secret stored in
`/etc/ops-agent/secret` (mode 0640, owner `root:ops-agent`).

- The ops-agent reads the secret at startup via `OPS_AGENT_SECRET_PATH`.
- Every request from the web-app carries `Authorization: Bearer <secret>`.
- The agent validates using a constant-time comparison to prevent timing attacks.
- The web-app reads the secret value from the `OPS_AGENT_SECRET` environment variable.

### Secret rotation procedure

1. Generate a new secret on the server:
   ```
   openssl rand -hex 32 | sudo tee /etc/ops-agent/secret
   sudo chown root:ops-agent /etc/ops-agent/secret
   sudo chmod 0640 /etc/ops-agent/secret
   ```
2. Update `OPS_AGENT_SECRET` in the web-app's environment file
   (`/srv/ops/ops-dashboard.env`) with the new value.
3. Restart both services:
   ```
   sudo systemctl restart ops-agent
   sudo docker compose -f /srv/ops/docker-compose.ops-dashboard.yml restart ops-dashboard
   ```
4. Verify the dashboard is operational and that `systemctl status ops-agent` shows
   the service running without errors.