npx skills add lancenunes/codex-skills --skill "vps-checkup"
Install specific skill from multi-skill repository
# Description
SSH into an Ubuntu VPS (Docker) for a read-only health/security/update report (UFW + fail2ban) and propose fixes; apply updates/restarts only with explicit confirmation. Use when the user wants a read-only VPS health/security check.
# SKILL.md
name: vps-checkup
description: "SSH into an Ubuntu VPS (Docker) for a read-only health/security/update report (UFW + fail2ban) and propose fixes; apply updates/restarts only with explicit confirmation. Use when the user wants a read-only VPS health/security check."
VPS checkup (Ubuntu + Docker)
Goal
- Produce a clear, read-only health/security/update report for an Ubuntu VPS running Docker.
- Propose safe, minimal fixes; do not apply changes or restart anything unless the user explicitly confirms.
Inputs to ask for (if missing)
- SSH target host alias (from ~/.ssh/config; on Windows: $HOME\\.ssh\\config) or user@ip.
- Confirm sudo access and whether running apt update is allowed (it modifies package lists).
- Required open ports (e.g., 22, 80, 443) and any non-standard SSH port.
- Where deployments live: confirm if Docker Compose is used on the VPS (common), and whether compose files are in a known path.
- If the local ssh client or required tools are missing, tell the user and ask whether to install them or provide command output manually.
Workflow (checklist)
1) Connect safely
- Keep a second SSH session open before any SSH/firewall changes.
- Record identity/time/host: whoami, hostname -f, date -Is, uptime.
2) Collect a read-only baseline (system)
- OS/kernel: lsb_release -a (or cat /etc/os-release), uname -a.
- CPU/mem/disk: top snapshot, free -h, df -hT, lsblk.
- Services: systemctl --failed, journalctl -p 3 -xb --no-pager (use sudo if needed).
3) Check security posture (read-only)
- SSH: prefer sudo sshd -T (fallback to sudo cat /etc/ssh/sshd_config + sshd_config.d/).
- Firewall: sudo ufw status verbose (and sudo ufw status numbered).
- Fail2ban: sudo fail2ban-client status (+ status sshd if present).
- Listening ports: ss -tulpn (use sudo if needed).
4) Check update posture (read-only by default)
- If user allows: run sudo apt update to ensure accurate results.
- Then collect: apt list --upgradable, ubuntu-security-status (if available), and /var/run/reboot-required presence.
- Check unattended upgrades: systemctl status unattended-upgrades --no-pager and /var/log/unattended-upgrades/.
5) Check Docker health (read-only)
- Daemon status: systemctl status docker --no-pager, docker info.
- Containers: docker ps, unhealthy/restarting containers, recent restarts, and docker stats --no-stream.
- Disk usage: docker system df and large log growth indicators.
- Compose overview: docker compose ls (then inspect key projects as needed).
6) Produce the report + recommendations
- Use references/report-template.md.
- Use references/ubuntu-docker-checkup-commands.md for a copy/paste command set.
- Rank findings by severity and explicitly list what requires confirmation (updates, firewall changes, SSH changes, restarts, pruning, reboot).
7) Apply fixes (ONLY with explicit confirmation)
- Do not run apt upgrade, change UFW rules, change SSH auth, prune Docker, restart services/containers, or reboot unless the user says to.
Safety gates (non-negotiable)
- No restarts (Docker/system services) unless the user explicitly asks for restart.
- No SSH/firewall changes unless you have a backup access path (second session open) and the user confirms the plan.
- Never paste secrets (tokens, private keys) into chat or logs.
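One way to enforce step 7 and the safety gates mechanically, as an added example that is not part of the skill or its repository: a default-deny gate that lets through only the read-only commands named in steps 1-5 and refuses everything else. The function names and the ALLOW_APT_UPDATE variable are hypothetical, and the gate is assumed to run in the shell where the commands execute.

```bash
#!/usr/bin/env bash
# Added example (not from the skill repository): a default-deny gate that
# classifies a command before it is run during the checkup.

# classify WORD...  ->  prints read-only | ask-first | needs-confirmation
classify() {
  local cmd="$*"
  cmd="${cmd#sudo }"   # sudo does not change what the command does
  case "$cmd" in
    # Step 4: modifies package lists, so only with the user's permission.
    "apt update") echo ask-first ;;
    # Steps 1-2: identity and system baseline.
    whoami|"hostname -f"|"date -Is"|uptime|"lsb_release -a"|"uname -a"|\
    "cat /etc/os-release"|"free -h"|"df -hT"|lsblk|"systemctl --failed"|\
    "journalctl -p 3 -xb --no-pager") echo read-only ;;
    # Step 3: SSH, firewall, fail2ban, listening ports.
    "sshd -T"|"cat /etc/ssh/sshd_config"|"ufw status verbose"|\
    "ufw status numbered"|"fail2ban-client status"|\
    "fail2ban-client status sshd"|"ss -tulpn") echo read-only ;;
    # Step 4: update posture.
    "apt list --upgradable"|ubuntu-security-status|\
    "systemctl status unattended-upgrades --no-pager") echo read-only ;;
    # Step 5: Docker health.
    "systemctl status docker --no-pager"|"docker info"|"docker ps"|\
    "docker stats --no-stream"|"docker system df"|"docker compose ls")
      echo read-only ;;
    # Exact matches only: anything else, including an allowed command with
    # extra text appended (e.g. "; reboot"), falls through to here.
    *) echo needs-confirmation ;;
  esac
}

# run_gated WORD...  ->  runs read-only commands; refuses the rest.
# ALLOW_APT_UPDATE=yes is a hypothetical switch recording the user's answer.
run_gated() {
  case "$(classify "$@")" in
    read-only) "$@" ;;
    ask-first)
      if [ "${ALLOW_APT_UPDATE:-no}" = yes ]; then "$@"; return; fi
      echo "skipped until the user allows it: $*" >&2; return 3 ;;
    *) echo "refused, needs explicit confirmation: $*" >&2; return 2 ;;
  esac
}
```

Pass the command as separate words (run_gated sudo ufw status verbose); refused commands are printed to stderr so they can be listed in the report as items awaiting confirmation.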
Deliverable
Provide:
- A read-only report using references/report-template.md.
- A prioritized list of recommended fixes and which ones require explicit confirmation.
- The exact commands run (or requested if the user ran them manually).
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents: