commit 630a3a098534ba68336e626dbdeedbd601a9216b
Author: nikola
Date: Tue May 19 14:53:39 2026 +0200
feat: initial commit
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..7db6870
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,6 @@
+# Project Rules
+
+- This project builds and iterates a custom Codex skill for Linux, networking, and sysadmin tasks.
+- Keep skill instructions concise and operational.
+- Validate skill metadata and structure after every major edit.
+- Do not commit Codex-only scratch files.
diff --git a/sysadmin/SKILL.md b/sysadmin/SKILL.md
new file mode 100644
index 0000000..ced5a2b
--- /dev/null
+++ b/sysadmin/SKILL.md
@@ -0,0 +1,46 @@
+---
+name: sysadmin
+description: Linux system administration, networking diagnostics, and production hardening workflows. Use when handling SSH/connectivity incidents, DNS/routing/firewall issues, host health checks, systemd/service failures, disk or memory pressure, log triage, baseline security checks, or when the user asks for repeatable Linux ops runbooks.
+---
+
+# Sysadmin
+
+## Overview
+
+Execute Linux and network operations with a diagnose-first approach.
+Prefer minimal-risk commands, capture evidence before changes, and verify outcome after every fix.
+
+## Workflow
+
+1. Confirm scope and blast radius.
+2. Capture current state with `scripts/sysdiag.sh` when possible.
+3. Isolate layer: host, service, network path, DNS, or policy.
+4. Apply the smallest reversible fix.
+5. Re-check service health and user-facing behavior.
+6. Summarize root cause, change made, and follow-up hardening actions.
+
+## Triage Decision Map
+
+- Connection refused or timeout:
+Check `ss -tulpn`, service status, local firewall (`nft list ruleset` or `iptables -S`), and routing (`ip route`).
+- Name resolves incorrectly:
+Check `/etc/resolv.conf`, `resolvectl status`, `dig`, and local cache behavior.
+- Service flapping:
+Check `systemctl status`, `journalctl -u --since "-30m"`, restart policy, and resource pressure.
+- Packet loss or latency spikes:
+Check `ping`, `mtr` (if present), interface errors via `ip -s link`, and host saturation.
+- Host unhealthy:
+Check CPU, memory, disk inode usage, and top failing units from `systemctl --failed`.
+
+## Command Guardrails
+
+- Prefer read-only diagnostics first.
+- Ask before destructive actions (mass deletes, firewall flush, forced reboot).
+- For privileged reads, run with `sudo` only when required.
+- Before config edits, back up file: `cp .bak.`.
+- After change, validate with targeted checks and logs.
+
+## Resources
+
+- Incident runbook and command matrix: `references/runbook.md`
+- Snapshot collector: `scripts/sysdiag.sh`
diff --git a/sysadmin/agents/openai.yaml b/sysadmin/agents/openai.yaml
new file mode 100644
index 0000000..e7ec21c
--- /dev/null
+++ b/sysadmin/agents/openai.yaml
@@ -0,0 +1,6 @@
+interface:
+ display_name: "Sysadmin"
+ short_description: "Linux ops, network triage, and hardening"
+ default_prompt: "Use $sysadmin to triage and fix this Linux/network issue with verifiable steps."
+policy:
+ allow_implicit_invocation: true
diff --git a/sysadmin/references/runbook.md b/sysadmin/references/runbook.md
new file mode 100644
index 0000000..236c492
--- /dev/null
+++ b/sysadmin/references/runbook.md
@@ -0,0 +1,43 @@
+# Linux/Network Incident Runbook
+
+## 1) SSH nedostupan
+
+- Provera puta: `ping ` i `traceroute ` (ako postoji)
+- Provera porta: `nc -vz 22` ili `telnet 22`
+- Na hostu: `ss -tulpn | rg ':22'`
+- Servis: `systemctl status sshd` ili `systemctl status ssh`
+- Firewall: `nft list ruleset | rg '22|ssh'`
+
+## 2) DNS problemi
+
+- Rezolucija: `dig +short `
+- Autoritativna provera: `dig @`
+- Lokalni resolver: `resolvectl status`
+- Konfiguracija: `cat /etc/resolv.conf`
+
+## 3) Aplikacija ne odgovara
+
+- Proces i socket: `ss -tulpn | rg '|'`
+- Unit health: `systemctl status `
+- Logovi: `journalctl -u --since '-30m' --no-pager`
+- Resursi: `free -h`, `df -hT`, `top`
+
+## 4) Latencija/packet loss
+
+- RTT i gubitak: `ping -c 20 `
+- Hop analiza: `mtr -rwzbc 100 ` (ako postoji)
+- NIC greške: `ip -s link`
+- TCP state: `ss -s`
+
+## 5) Hardening minimum
+
+- Otvoreni portovi: `ss -tulpn`
+- Neuspešni servisi: `systemctl --failed`
+- Kritični CVE pipeline: proveri SBOM/dependency skener u CI
+- Audit konfiguracije: baseline CIS/OS hardening check-list
+
+## Promene bezbedno
+
+- Uvek snimi stanje pre izmene (`scripts/sysdiag.sh`).
+- Menjaj jednu stvar po iteraciji.
+- Posle izmene uradi health-check i rollback plan.
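Review bot: `allow_implicit_invocation: true` together with a default prompt that asks to "triage and fix" means the skill can presumably be selected without the user naming it for anything that looks like a Linux or network problem, and since its instructions cover sudo reads, firewall inspection and service restarts, an implicit pick widens the set of conversations in which state-changing commands are proposed. If implicit invocation is intended, the default prompt should at least carry the diagnose-first and ask-before-changing guardrails from SKILL.md into the auto-selected path, e.g. `default_prompt: "Use $sysadmin to diagnose this Linux/network issue with read-only checks first and confirm before any change."`. Otherwise consider `allow_implicit_invocation: false` so a human explicitly opts into the ops skill.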
diff --git a/sysadmin/scripts/sysdiag.sh b/sysadmin/scripts/sysdiag.sh
new file mode 100755
index 0000000..755e75c
--- /dev/null
+++ b/sysadmin/scripts/sysdiag.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Collect a concise host and network snapshot for incident triage.
+
+now="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+host="$(hostname 2>/dev/null || echo unknown)"
+
+echo "=== sysdiag snapshot ==="
+echo "timestamp_utc: $now"
+echo "host: $host"
+echo
+
+echo "--- os ---"
+uname -a || true
+if [ -f /etc/os-release ]; then
+ sed -n '1,12p' /etc/os-release || true
+fi
+echo
+
+echo "--- uptime/load ---"
+uptime || true
+echo
+
+echo "--- cpu/memory ---"
+free -h || true
+echo
+
+echo "--- disk ---"
+df -hT || true
+df -ih || true
+echo
+
+echo "--- interfaces ---"
+ip -br addr 2>/dev/null || true
+ip -s link 2>/dev/null || true
+echo
+
+echo "--- routing ---"
+ip route show 2>/dev/null || true
+ip rule show 2>/dev/null || true
+echo
+
+echo "--- listening sockets ---"
+ss -tulpn 2>/dev/null || true
+echo
+
+echo "--- dns ---"
+if command -v resolvectl >/dev/null 2>&1; then
+ resolvectl status 2>/dev/null || true
+fi
+cat /etc/resolv.conf 2>/dev/null || true
+echo
+
+echo "--- firewall ---"
+if command -v nft >/dev/null 2>&1; then
+ nft list ruleset 2>/dev/null || true
+elif command -v iptables >/dev/null 2>&1; then
+ iptables -S 2>/dev/null || true
+else
+ echo "No nftables/iptables binary found"
+fi
+echo
+
+echo "--- services ---"
+systemctl --failed --no-pager 2>/dev/null || true
+echo
+
+echo "--- recent critical logs ---"
+journalctl -p 3 -xb --no-pager -n 120 2>/dev/null || true
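Review bot: When the script runs unprivileged, `nft list ruleset` and `iptables -S` fail with a permission error that `2>/dev/null || true` discards, so the firewall section comes out empty with no indication that evidence is missing (and `ss -tulpn` omits process names for sockets owned by other users), which undermines the capture-evidence-before-changes step the skill relies on. A one-line warning after the header, such as `[ "$(id -u)" -eq 0 ] || echo "note: unprivileged run; firewall rules and socket owners may be incomplete"`, makes the gap visible in the snapshot itself rather than in a silently blank section. The snapshot also aggregates firewall rules, resolver configuration, listening services and error-level journal lines into one document that is valuable to an attacker, so the header comment should say so, e.g. `# Output may contain sensitive host details; store it with restrictive permissions and do not commit or paste it unreviewed`, which also ties in with the project rule about not committing scratch files.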