playbooks

home / skills / jmerta / codex-skills / vps-checkup

vps-checkup skill

/vps-checkup

This skill performs a read-only health and security check on an Ubuntu VPS with Docker, reports findings, and awaits explicit confirmation for fixes.

npx playbooks add skill jmerta/codex-skills --skill vps-checkup

Review the files below or copy the command above to add this skill to your agents.

Files (3)
SKILL.md
3.6 KB
---
name: vps-checkup
description: "SSH into an Ubuntu VPS (Docker) for a read-only health/security/update report (UFW + fail2ban) and propose fixes; apply updates/restarts only with explicit confirmation. Use when the user wants a read-only VPS health/security check."
---

# VPS checkup (Ubuntu + Docker)

## Goal
- Produce a clear, read-only health/security/update report for an Ubuntu VPS running Docker.
- Propose safe, minimal fixes; do not apply changes or restart anything unless the user explicitly confirms.

## Inputs to ask for (if missing)
- SSH target host alias (from `~/.ssh/config` on Windows: `$HOME\\.ssh\\config`) or `user@ip`.
- Confirm `sudo` access and whether running `apt update` is allowed (it modifies package lists).
- Required open ports (e.g., `22`, `80`, `443`) and any non-standard SSH port.
- Where deployments live: confirm if Docker Compose is used on the VPS (common), and whether compose files are in a known path.
- If the local `ssh` client or required tools are missing, tell the user and ask whether to install them or provide command output manually.

## Workflow (checklist)
1) Connect safely
   - Keep a second SSH session open before any SSH/firewall changes.
   - Record identity/time/host: `whoami`, `hostname -f`, `date -Is`, `uptime`.
2) Collect a read-only baseline (system)
   - OS/kernel: `lsb_release -a` (or `cat /etc/os-release`), `uname -a`.
   - CPU/mem/disk: `top` snapshot, `free -h`, `df -hT`, `lsblk`.
   - Services: `systemctl --failed`, `journalctl -p 3 -xb --no-pager` (use `sudo` if needed).
3) Check security posture (read-only)
   - SSH: prefer `sudo sshd -T` (fallback to `sudo cat /etc/ssh/sshd_config` + `sshd_config.d/`).
   - Firewall: `sudo ufw status verbose` (and `sudo ufw status numbered`).
   - Fail2ban: `sudo fail2ban-client status` (+ `status sshd` if present).
   - Listening ports: `ss -tulpn` (use `sudo` if needed).
4) Check update posture (read-only by default)
   - If user allows: run `sudo apt update` to ensure accurate results.
   - Then collect: `apt list --upgradable`, `ubuntu-security-status` (if available), and `/var/run/reboot-required` presence.
   - Check unattended upgrades: `systemctl status unattended-upgrades --no-pager` and `/var/log/unattended-upgrades/`.
5) Check Docker health (read-only)
   - Daemon status: `systemctl status docker --no-pager`, `docker info`.
   - Containers: `docker ps`, unhealthy/restarting containers, recent restarts, and `docker stats --no-stream`.
   - Disk usage: `docker system df` and large log growth indicators.
   - Compose overview: `docker compose ls` (then inspect key projects as needed).
6) Produce the report + recommendations
   - Use `references/report-template.md`.
   - Use `references/ubuntu-docker-checkup-commands.md` for a copy/paste command set.
   - Rank findings by severity and explicitly list what requires confirmation (updates, firewall changes, SSH changes, restarts, pruning, reboot).
7) Apply fixes (ONLY with explicit confirmation)
   - Do not run `apt upgrade`, change UFW rules, change SSH auth, prune Docker, restart services/containers, or reboot unless the user says to.

## Safety gates (non-negotiable)
- No restarts (Docker/system services) unless the user explicitly asks for restart.
- No SSH/firewall changes unless you have a backup access path (second session open) and the user confirms the plan.
- Never paste secrets (tokens, private keys) into chat or logs.

## Deliverable
Provide:
- A read-only report using `references/report-template.md`.
- A prioritized list of recommended fixes and which ones require explicit confirmation.
- The exact commands run (or requested if the user ran them manually).

Overview

This skill performs a read-only health, security, and update check on an Ubuntu VPS running Docker over SSH. It collects system, firewall (UFW), fail2ban, package, and Docker data, produces a prioritized report, and proposes safe fixes. Any change, update, restart, or firewall modification is only applied after you explicitly confirm.

How this skill works

The skill connects to the target VPS via SSH (user@host or an SSH config alias) and runs a predefined set of read-only commands to gather OS, resource, service, SSH, UFW, fail2ban, package, and Docker status. If you permit, it will run sudo apt update to provide current upgrade data. It formats findings into a prioritized report, lists recommended fixes, and marks which actions require explicit confirmation before being executed.

When to use it

  • You want a quick, non-invasive health and security snapshot of an Ubuntu VPS running Docker.
  • Before scheduling maintenance or upgrades to understand risk and reboot needs.
  • After detecting service instability, unexpected restarts, or high resource usage.
  • When assessing SSH, firewall, or fail2ban posture before public exposure.
  • To prepare change plans that require operator confirmation before applying.

Best practices

  • Provide the SSH target as user@ip or an alias from your ~/.ssh/config and confirm sudo access.
  • Keep a second SSH session open when planning firewall or SSH changes to avoid lockout.
  • Allow apt update only if you want accurate upgrade listings; it modifies package lists.
  • Share required open ports and whether Docker Compose is used and where compose files live.
  • Treat all proposed fixes as suggestions until you explicitly approve execution.

Example use cases

  • Perform a pre-maintenance check to see if a reboot or package upgrades are required and which services would be impacted.
  • Audit firewall and fail2ban settings after opening new ports for a web app.
  • Investigate container restarts and resource pressure by correlating docker ps, stats, and system metrics.
  • Produce a prioritized remediation plan with exact commands to fix SSH, UFW, fail2ban, package, or Docker issues, then apply only on confirmation.
  • Generate a snapshot report for compliance or handover documentation before handing a server to another team.

FAQ

Do you make changes to the server without permission?

No. The skill only suggests fixes and will not apply updates, firewall rules, or restarts unless you explicitly confirm each action.

What inputs do you need to start?

Provide an SSH target (user@host or SSH alias), confirm sudo capability, state allowed open ports and whether Docker Compose is used. Optionally allow apt update for accurate upgrade info.