# Ticket: Configure Pi assistant SSH access

## Metadata
- Type: Ticket
- Status: In Progress
- Project: Infrastructure Access
- Created: 2026-05-13
- Updated: 2026-05-17
- Priority: High

## Goal

Set up secure SSH key-based access so Pi can help administer the Proxmox host and/or guest VMs from this workspace.

## Why

Remote administration is mission-critical for managing home servers, deploying Nextcloud, and maintaining services safely and efficiently.

## Scope

Included:
- Generate or choose an assistant SSH keypair
- Install the public key for a dedicated assistant user where appropriate
- Add host aliases to `.pi/ssh/hosts.json`
- Prefer limited access and confirmation for destructive commands
- Verify non-interactive SSH works

Not included:
- Broad/root SSH access without explicit approval
- Public exposure of management interfaces
- Destructive Proxmox changes without confirmation

## Acceptance Criteria

This ticket is done when:
- [x] Assistant public key is generated or selected
- [x] Dedicated assistant user exists on Nextcloud VM
- [x] `.pi/ssh/hosts.json` has correct `nextcloud-vm` alias
- [x] SSH login works without password prompts to Nextcloud VM
- [ ] Proxmox access policy is documented if Proxmox access is later needed

## Questions

- Should Pi get SSH access to the Proxmox host, the Nextcloud VM only, or both?
- What username should be used? Suggested: `piagent`.
- Should Proxmox access be read-mostly, with destructive commands requiring confirmation?
- Where should the private key live on the user's machine/container?

## Plan / Next Actions

- [x] Generate/select assistant SSH keypair
- [x] User installs public key on Nextcloud VM
- [x] Configure `.pi/ssh/hosts.json`
- [x] Test SSH connection
- [ ] Decide whether Proxmox host access is needed later

## 2026-05-17 Spec Advancement

Confidence level: high for Nextcloud VM access; low/undecided for Proxmox host access.

Decisions now stable:
- The repository-local SSH model works for the Nextcloud VM using named config and `.ssh/piagent_homelab`.
- Guest VM administration is the preferred path before direct hypervisor access.
- Proxmox access should remain a separate, deliberate decision with read-mostly permissions where possible.

Refined next milestone:
- Close this ticket for the Nextcloud VM after documenting the current access model and leaving Proxmox as a follow-up ticket if/when needed.

Updated next actions:
- [ ] Update the access runbook with the confirmed working key and target alias.
- [ ] Decide whether Proxmox access is actually required for the next month of work.
- [ ] If required, create a separate Proxmox least-privilege access spec.

## Notes

- Never paste or store private keys in this repo.
- It is safe to share the public key.
- Prefer guest VM administration over direct hypervisor changes when possible.
- Setup instructions are documented in `runbooks/configure-assistant-ssh-access.md`.
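
A check for the first note above, given that the working key lives at the repository-local path `.ssh/piagent_homelab`. This is an added example, not part of the project's runbook. It assumes that path is relative to the repository root and git-ignored; the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example; not part of the project's runbook.
# Assumption: the key sits at a git-ignored path inside the working tree.

KEY_HEADER='-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'

# Print tracked or staged files whose content carries a private key header.
# Exit status 0 means at least one was found.
tracked_private_keys() {
    ( cd "$1" && git grep --cached -I -l -E -e "$KEY_HEADER" )
}

# Succeed only if the key path is git-ignored (and therefore untracked)
# and readable by its owner alone.
key_is_protected() {
    repo=$1
    key=$2
    if ! ( cd "$repo" && git check-ignore -q -- "$key" ); then
        echo "not git-ignored (or already tracked): $key" >&2
        return 1
    fi
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$repo/$key" 2>/dev/null || stat -f '%Lp' "$repo/$key")
    case $mode in
        600|400) return 0 ;;
        *) echo "mode $mode is too open: $key" >&2; return 1 ;;
    esac
}

# Usage: sh check-key-hygiene.sh <repo-root> <key-path-relative-to-repo>
if [ "$#" -eq 2 ]; then
    if tracked_private_keys "$1"; then
        echo "FAIL: private key material is tracked or staged" >&2
        exit 1
    fi
    key_is_protected "$1" "$2" || exit 1
    echo "OK: no tracked keys; $2 is ignored and owner-only"
fi
```

`git check-ignore` reports a tracked file as not ignored, so a key that was force-added fails both checks even when `.gitignore` still lists its directory.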
