Cutover (Handover)
Transfer full server ownership to yourself. OneLift removes its SSH key, management tokens, and platform user — your server becomes entirely yours.
Cutover is the final step in the OneLift lifecycle. It permanently removes all platform access from your server, transferring full ownership to you. After cutover, OneLift has no access to your server.
What Happens During Cutover
The cutover process runs 4 steps in sequence:
| Step | What It Does | Duration |
|---|---|---|
| Pre-checks | Verifies SSH key, services, disk, backups, DNS | ~10s |
| Final Backup | Creates a full backup before handover | up to 2 min |
| Server Documentation | Generates /opt/onelift/README.md with server info | ~5s |
| Remove Platform Access | Deletes OneLift user, SSH key, management tokens | ~5s |
Before You Start
Make sure you can SSH into your server with your own SSH key before starting cutover. After cutover, the OneLift SSH key is permanently removed.
Checklist
- Add your SSH key to the server's /root/.ssh/authorized_keys
- Verify SSH access: ssh root@YOUR_SERVER_IP — must work with your own key
- Run diagnostics: lift doctor --cutover — all checks should pass
- Take a backup if you haven't recently
Pre-flight Checks
The dashboard runs 6 automated checks before allowing cutover:
| Check | What It Verifies |
|---|---|
| User SSH Key | At least one non-platform SSH key exists in authorized_keys |
| All Services Healthy | No Docker containers in unhealthy, exited, or restarting state |
| Disk Space | Root partition usage below 80% |
| Cron Jobs | Backup and cleanup cron jobs are installed |
| Recent Backup | A backup was taken within the last hour |
| Domain DNS | Your domains point to the correct server IP |
How to Run Cutover
From the Dashboard
- Open your project in the dashboard
- Scroll to the Handover card
- Click Run Checks — review the pre-flight results
- If all checks pass, click Start Cutover
- Confirm in the dialog
- Watch the real-time step progress
- After completion, you'll see the SSH command and a 24-hour checklist
From the CLI (Pre-check Only)
# Run cutover pre-handover checks
lift doctor --cutover
# Expected output:
# ✓ User SSH Key 1 user SSH key(s) found
# ✓ All Services Healthy All containers running
# ✓ Cron Jobs Installed 3 cron job(s) configured
# ✓ Backup Recent Last backup 5 minutes ago
# ✓ Disk Usage (<80%) Disk usage: 42%
The CLI lift doctor --cutover only runs checks — it does not trigger the actual cutover. Use the dashboard to start the handover.
What Stays on Your Server
After cutover, your server retains everything it needs to run independently:
- All Docker containers and tools — running exactly as before
- Traefik reverse proxy — SSL auto-renewal via Let's Encrypt continues
- Backup system — daily incremental + weekly full backups via cron
- Firewall rules — iptables rules and fail2ban configuration
- Monitoring stack — Victoria Metrics at http://localhost:8428
- Server documentation — /opt/onelift/README.md with all server details
What Gets Removed
- OneLift SSH key — platform installer and management keys removed from authorized_keys
- OneLift user — the onelift system user is deleted
- Management tokens — .onelift-management-token and .onelift-api-config files
- Sudoers entries — /etc/sudoers.d/onelift* files
- Legacy users — onelift-installer and onelift-platform users if they exist
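To confirm the removals listed above on your own server, here is an added example (not OneLift's own tooling). The function name audit_cutover is hypothetical, and two things are assumptions because the page does not specify them: the directories searched for the token files, and that platform SSH keys carry "onelift" in their key comment.

```shell
#!/bin/sh
# Added example, not OneLift code: audit for platform leftovers after cutover.
# Usage (as root): audit_cutover          audits the live system
#                  audit_cutover /mnt/img  audits a mounted copy or test tree
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_cutover() {
    root="${1:-}"
    findings=0

    # Platform and legacy users named on this page must be absent.
    for user in onelift onelift-installer onelift-platform; do
        if grep -q "^${user}:" "$root/etc/passwd" 2>/dev/null; then
            echo "LEFTOVER user: $user"
            findings=$((findings + 1))
        fi
    done

    # Sudoers drop-ins matching /etc/sudoers.d/onelift*.
    for f in "$root"/etc/sudoers.d/onelift*; do
        [ -e "$f" ] || continue
        echo "LEFTOVER sudoers: $f"
        findings=$((findings + 1))
    done

    # Token and config files. The page gives file names only, so the
    # directories searched here are an assumption.
    tokens=$(find "$root/root" "$root/home" "$root/opt/onelift" \
        \( -name .onelift-management-token -o -name .onelift-api-config \) \
        -print 2>/dev/null || true)
    if [ -n "$tokens" ]; then
        printf '%s\n' "$tokens" | sed 's/^/LEFTOVER token file: /'
        findings=$((findings + $(printf '%s\n' "$tokens" | wc -l)))
    fi

    # authorized_keys: flag keys whose comment mentions "onelift" (assumed
    # naming; the page does not say how platform keys are labelled).
    keys="$root/root/.ssh/authorized_keys"
    stale=$(grep -v '^[[:space:]]*#' "$keys" 2>/dev/null | grep -ci onelift || true)
    if [ "${stale:-0}" -gt 0 ]; then
        echo "LEFTOVER ssh key(s): $stale in $keys"
        findings=$((findings + stale))
    fi

    [ "$findings" -eq 0 ]
}
```

A clean result only covers the locations checked; review the remaining entries in authorized_keys by hand, since any key you do not recognise still grants access.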
After Cutover
First 24 Hours Checklist
After the handover completes, verify everything works:
- SSH access — Can you SSH into the server? ssh root@YOUR_SERVER_IP
- Services running — Are all containers up? sudo docker compose ls && sudo docker ps
- Website accessible — Can you access your site in a browser?
- Backups working — Is the last backup recent? cat /var/log/onelift/last-backup.json
Important Directories
| Directory | Contents |
|---|---|
| /opt/onelift/ | Main directory |
| /opt/onelift/tools/ | Installed tools (each tool has its own subdirectory) |
| /opt/onelift/traefik/ | Reverse proxy configuration |
| /opt/onelift/scripts/ | Backup, cleanup, and maintenance scripts |
| /var/log/onelift/ | Session logs and backup history |
Useful Commands
# Check all running services
sudo docker compose ls
sudo docker ps
# Manual backup
sudo /opt/onelift/scripts/db-backup.sh full
# Restore from backup
sudo /opt/onelift/scripts/db-restore.sh --time "2026-02-27 14:30:00"
# Disk cleanup
sudo /opt/onelift/scripts/disk-cleanup.sh
# View backup schedule
sudo crontab -l | grep backup
Troubleshooting
Cutover Failed — How to Retry
If cutover fails, the project status reverts to failed. You can:
- Fix the underlying issue (check the error message)
- Click Retry on the CutoverCard in the dashboard
- Or use Reset Status if the project is stuck
Pre-checks Failing
| Check | Fix |
|---|---|
| No user SSH key | ssh-copy-id root@YOUR_SERVER_IP |
| Unhealthy containers | ssh root@SERVER && sudo docker compose up -d |
| Disk full | ssh root@SERVER && sudo /opt/onelift/scripts/disk-cleanup.sh |
| No recent backup | ssh root@SERVER && sudo /opt/onelift/scripts/db-backup.sh full |
| DNS mismatch | Update your domain's A record to point to the server IP |
Locked Out After Cutover
If you cannot SSH into the server after cutover, you can access it through your cloud provider's console (Hetzner, Vultr, DigitalOcean, or Linode) and add your SSH key manually.
Related
- lift doctor --cutover - Pre-handover diagnostic checks
- Security - SSH key management and security features
- Zero-Downtime Deploy - Blue-green deployments