proxmox/docs/10-best-practices/QUICK_WINS.md

# Quick Wins - Immediate Improvements

**Last Updated:** 2026-01-31  
**Document Version:** 1.0  
**Status:** Active Documentation

---

These are high-impact, low-effort improvements that can be implemented quickly.

## 🔒 Security Quick Wins (5-30 minutes each)

### 1. Secure .env File Permissions
```bash
# From project root (covers .env and subproject env files):
bash scripts/security/secure-env-permissions.sh
# Or manually:
chmod 600 .env unifi-api/.env smom-dbis-138/.env dbis_core/.env 2>/dev/null
chown $USER:$USER .env  # adjust for other env files if needed
```
**Impact**: Prevents unauthorized access to credentials
**Time**: 1 minute

### 2. Secure Validator Key Permissions
```bash
for dir in /keys/validators/validator-*; do
    chmod 600 "$dir"/*.pem "$dir"/*.priv 2>/dev/null || true
    chown -R besu:besu "$dir"
done
```
**Impact**: Protects validator keys from unauthorized access
**Time**: 2 minutes

### 3. Implement SSH Key Authentication
```bash
# On Proxmox host
# Edit /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes

# Restart SSH
systemctl restart sshd
```
**Impact**: Eliminates password-based attacks
**Time**: 5 minutes

## 💾 Backup Quick Wins (30-60 minutes each)

### 4. Create Simple Backup Script
```bash
#!/bin/bash
# Save as: scripts/backup/backup-configs.sh

BACKUP_DIR="/backup/smom-dbis-138/$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BACKUP_DIR"

# Backup configs
tar -czf "$BACKUP_DIR/configs.tar.gz" config/

# Backup validator keys (encrypted)
tar -czf - keys/validators/ | \
    gpg -c --cipher-algo AES256 > "$BACKUP_DIR/validator-keys.tar.gz.gpg"

echo "Backup complete: $BACKUP_DIR"
```
**Impact**: Protects against data loss
**Time**: 30 minutes

### 5. Create Snapshot Before Changes
```bash
# Add to deployment scripts
pct snapshot <vmid> pre-change-$(date +%Y%m%d-%H%M%S)
```
**Impact**: Enables quick rollback
**Time**: 5 minutes to add to scripts

## 📊 Monitoring Quick Wins (1-2 hours each)

### 6. Enable Besu Metrics Scraping
```yaml
# prometheus.yml
scrape_configs:
  - job_name: 'besu'
    static_configs:
      - targets:
          - '192.168.11.13:9545'  # validator-1
          - '192.168.11.14:9545'  # validator-2
          # ... add all nodes
```
**Impact**: Provides visibility into node health
**Time**: 1 hour

### 7. Create Basic Health Check Cron Job
```bash
# Option A: Besu node health (run on Proxmox host; requires scripts/health/check-node-health.sh)
# See: scripts/archive/consolidated/deploy/setup-health-check-cron.sh
# Option B: From project root, blockchain RPC health:
# */5 * * * * cd /path/to/proxmox && bash scripts/monitoring/monitor-blockchain-health.sh >> logs/blockchain-health.log 2>&1
```
**Impact**: Automated health monitoring
**Time**: 15 minutes

### 8. Set Up Basic Alerts
```bash
# Simple alert script
#!/bin/bash
if ! pct exec 1000 -- systemctl is-active --quiet besu-validator; then
    echo "ALERT: Validator 1000 is down!" | mail -s "Besu Alert" admin@example.com
fi
```
**Impact**: Immediate notification of issues
**Time**: 30 minutes

## 🔧 Script Improvements (1-2 hours each)

### 9. Add --dry-run Flag
```bash
# Add to deploy-validated-set.sh
if [[ "${DRY_RUN:-false}" == "true" ]]; then
    log_info "DRY RUN MODE - No changes will be made"
    # Show what would be done without executing
fi
```
**Impact**: Safe testing of changes
**Time**: 2 hours

### 10. Add Progress Indicators
```bash
# Add progress bars using pv or simple percentage
total_steps=10
current_step=0

progress() {
    current_step=$((current_step + 1))
    percent=$((current_step * 100 / total_steps))
    echo -ne "\rProgress: [$percent%] [$current_step/$total_steps]"
}
```
**Impact**: Better user experience during long operations
**Time**: 1 hour

## 📚 Documentation Quick Wins (30-60 minutes each)

### 11. Create Troubleshooting FAQ
- Document 10 most common issues
- Provide solutions
- Add to main documentation

**Impact**: Faster problem resolution
**Time**: 1 hour

### 12. Add Inline Comments to Scripts
- Document complex logic
- Add usage examples
- Explain non-obvious decisions

**Impact**: Easier maintenance
**Time**: 2 hours

## ✅ Implementation Checklist

- [ ] Secure .env file permissions (`scripts/security/secure-env-permissions.sh` or chmod 600)
- [ ] Secure validator key permissions (`scripts/secure-validator-keys.sh [--dry-run]` on Proxmox host)
- [ ] Create backup script (NPMplus: `scripts/verify/backup-npmplus.sh [--dry-run]`; cron: `scripts/maintenance/schedule-npmplus-backup-cron.sh --install`)
- [ ] Add snapshot before changes (`pct snapshot <vmid> pre-change-$(date +%Y%m%d-%H%M%S)`; see docs/03-deployment/PRE_START_CHECKLIST.md)
- [ ] Enable metrics scraping
- [ ] Set up health check cron (`scripts/health/check-node-health.sh` + wrapper or `scripts/monitoring/monitor-blockchain-health.sh`)
- [ ] Create basic alerts
- [ ] Add --dry-run flag (many scripts already support it; see scripts/README.md)
- [ ] Create troubleshooting FAQ
- [ ] Review and update inline comments

## 📈 Expected Impact

After implementing these quick wins:
- **Security**: Significantly improved credential and key protection
- **Reliability**: Better backup and rollback capabilities
- **Visibility**: Basic monitoring and alerting in place
- **Usability**: Better script functionality and documentation
- **Time Savings**: Faster problem resolution

**Total Time Investment**: ~10-15 hours
**Expected Return**: Significant improvement in operational reliability and security