Operations runbook

How-to & procedures

Step-by-step procedures for operating the SPX trading system, server, and website. Click any section to expand it.

Security note: This page contains procedures only — never actual passwords, secrets, or keys. When a step needs a secret (SSH passphrase, dashboard password, webhook secret), it lives in your password manager, not here. Keep this page behind login at all times.
Reference — key facts
Key facts & addresses
  • VPS IP: 165.227.84.78 (DigitalOcean droplet "spx-server", Ubuntu 24.04)
  • SSH user: victor
  • Trading server path: /home/victor/spx-server/
  • Trading service: spx-server.service (port 5005)
  • Dashboard service: spx-dashboard.service (port 5006)
  • Journal file: /home/victor/spx-server/journal/trades_journal_2026.csv
  • URLs: hub = victorngoma.com · dashboard = dashboard.victorngoma.com · webhook = webhook.victorngoma.com · strategies = pine.victorngoma.com · runbook = runbook.victorngoma.com
  • Cloudflare account: vngoma78@gmail.com
  • Secrets location: your password manager (SSH passphrase, dashboard password, webhook secret)
Before going live: revert SPX_0DTE_DAILY_SPEND_CAP_PCT from 100.0 back to 0.02, and verify PAPER_MODE=true until ready to fund.
Connecting to the server
SSH into the VPS

Run this on your Mac (Terminal app), not on the server:

ssh victor@165.227.84.78

Enter your SSH passphrase when prompted (it's in your password manager). You'll land at a prompt that reads victor@spx-server:~$ — that confirms you're on the VPS.

If the prompt still says victorngoma@Victors-MacBook-Pro, you're still on your Mac — the SSH didn't connect. Re-run the command.

Never run server commands while the prompt shows your Mac name — they'll run on the wrong machine.
Download the full journal CSV to your Mac

Run this on your Mac (NOT on the VPS — open a fresh Mac terminal, do not SSH in first):

scp victor@165.227.84.78:/home/victor/spx-server/journal/trades_journal_2026.csv ~/Downloads/

Enter your SSH passphrase. The file lands in your Mac's ~/Downloads/ folder.

This must run on the Mac. If your prompt says victor@spx-server, you're on the VPS — the command will fail (the VPS can't SSH to itself). Open a new Mac terminal instead.
Server operations (run after SSH'ing in)
Check if the trading server is running 
sudo systemctl status spx-server

Look for Active: active (running) in green. Press q to exit the view.

Restart the trading server 
sudo systemctl restart spx-server

Then confirm it came back up:

sudo systemctl status spx-server
Avoid restarting during market hours unless necessary — it briefly interrupts the webhook listener.
View the trading server log (live)

Tail the log to watch incoming webhooks in real time:

sudo tail -f /var/log/spx-server.log

Press Ctrl + C to stop watching.

To see just the last 50 lines:

sudo tail -50 /var/log/spx-server.log
Check / restart the dashboard 
sudo systemctl status spx-dashboard

Restart if needed:

sudo systemctl restart spx-dashboard
Website & access management (Cloudflare)
Add a new user to a locked tool
  1. Go to Cloudflare dashboard → Zero Trust
  2. Access controls → Policies
  3. Click the policy for the tool (e.g. pine-allowed-users) — pick the one with Used by applications = 1
  4. Click Configure
  5. Under Include → Value, type the new email and add it
  6. Click Save policy

The new person can now log in to that tool via email PIN code. Each tool has its own policy/allowlist — add someone to one tool without affecting others.

To remove someone: same steps, click the × on their email chip, then Save.

Update a hub or subdomain page
  1. Edit the index.html file in the matching Mac folder (e.g. victorngoma-hub, victorngoma-pine)
  2. Cloudflare dashboard → Workers & Pages → click the project (e.g. victorngoma-pine)
  3. Create deployment (or drag-and-drop the updated folder)
  4. Upload the new index.html → Deploy

Keep the filename index.html — Cloudflare serves that as the page automatically. Keep each project's files in its own folder.

Add a brand-new locked subdomain

Part 1 — deploy the page:

  1. Make a new Mac folder with an index.html inside
  2. Cloudflare → Workers & Pages → Create application → Pages → "Get started" next to "Drag and drop your files"
  3. Project name (e.g. victorngoma-docs) → Create project → upload folder → Deploy
  4. Custom domains tab → Set up a custom domain → enter the subdomain (e.g. docs.victorngoma.com) → Activate

Part 2 — lock it:

  1. Zero Trust → Access controls → Applications → Add an application
  2. Self-hosted and private → Public DNS → Continue
  3. Destinations: Subdomain = the subdomain, Domain = victorngoma.com, Path = empty
  4. Access policies → Create new policy → name it, Action = Allow, Include → Selector = Emails → add emails → Save policy
  5. Authentication: "Accept all available identity providers" = ON
  6. Details: Name it, Session Duration 24h → Create
After clicking Create, confirm the app appears in the Applications list ("Showing 1-1 of 1" etc). If it doesn't show, the save failed — redo it. A silent save-failure leaves the page unprotected.

Test in a fresh Incognito window (or phone) — you should hit the Cloudflare Access email login. If it loads straight through, the lock isn't active.

Verify a locked page is actually protected
  1. Open a fresh Incognito window, or use your phone
  2. Visit the subdomain
  3. You should see the Cloudflare Access email login page
  4. An email NOT on the allowlist should be denied; an allowed email gets a PIN code by email

If the page loads with no login prompt, the lock isn't working — check the Application exists and its DNS record is orange-clouded (proxied).