diff --git a/hans/INFRASTRUCTURE-OVERVIEW.md b/hans/INFRASTRUCTURE-OVERVIEW.md new file mode 100644 index 0000000..44a04ff --- /dev/null +++ b/hans/INFRASTRUCTURE-OVERVIEW.md 
@@ -0,0 +1,187 @@ +# vault1984 — Infrastructure Overview + +*Last updated: 2026-03-03 · James ⚡* +*Go-live target: Friday March 6, 2026 — noon ET* + +--- + +## 1. Hub — Zurich SOC (82.22.36.202) + +| Field | Value | +|-------|-------| +| **Provider** | Hostkey (Switzerland, likely Equinix ZH) | +| **IP** | 82.22.36.202 | +| **DNS** | zurich.inou.com | +| **Specs** | 4 vCPU / 6 GB RAM / 120 GB SSD | +| **Cost** | Existing (already paid — inou.com infrastructure) | +| **WireGuard role** | Hub — 10.84.0.1/24, UDP 51820 | + +### Services Running on Hub + +| Service | Port / Address | Purpose | +|---------|---------------|---------| +| **WireGuard hub** | UDP 51820 / 10.84.0.1 | Fleet management network | +| **Caddy** | 443 (public) | Reverse proxy + auto-TLS | +| **Stalwart mail** | 25/465/587/143/993/995 | @jongsma.me, @inou.com, @vault1984.com | +| **Uptime Kuma** | localhost:3001 → `soc.vault1984.com` | Fleet monitoring dashboard | +| **ntfy** | localhost:2586 → `ntfy.inou.com` | Push alerts (`vault1984-alerts`) | +| **Git server** | SSH (git user) | vault1984.git, vault1984-web.git, others | + +> **Note:** SSH on the hub is public (normal sshd). Spoke nodes have SSH on WireGuard only — port 22 is NOT reachable from the public internet. + +--- + +## 2. 
Spoke Nodes — 16-Node Global Fleet + +### Vultr Plan: VX1 ✅ Confirmed +**$2.50/mo** — 1 vCPU, 512 MB RAM, 10 GB SSD, 500 GB transfer +*(Source: INFRASTRUCTURE.md — "All Vultr nodes: VX1 tier — 1 vCPU, 512 MB RAM, 10 GB SSD, 0.5 TB bandwidth @ $2.50/mo")* + +### Full Node Table + +| # | Node Name | City | Provider | Plan | WG IP | Cost/mo | Status | +|---|-----------|------|----------|------|-------|---------|--------| +| 1 | `zurich` | Zürich, CH | Hostkey (existing) | 4vCPU/6GB/120GB | 10.84.0.2 | $0 (existing) | ⏸️ Spoke not yet deployed | +| 2 | `frankfurt` | Frankfurt, DE | Vultr | VX1 $2.50 | 10.84.0.3 | $2.50 | ❌ Not provisioned | +| 3 | `newjersey` | New Jersey, US | Vultr | VX1 $2.50 | 10.84.0.4 | $2.50 | ❌ Not provisioned | +| 4 | `siliconvalley` | Silicon Valley, US | Vultr | VX1 $2.50 | 10.84.0.5 | $2.50 | ❌ Not provisioned | +| 5 | `dallas` | Dallas, US | Vultr | VX1 $2.50 | 10.84.0.6 | $2.50 | ❌ Not provisioned | +| 6 | `london` | London, UK | Vultr | VX1 $2.50 | 10.84.0.7 | $2.50 | ❌ Not provisioned | +| 7 | `warsaw` | Warsaw, PL | Vultr | VX1 $2.50 | 10.84.0.8 | $2.50 | ❌ Not provisioned | +| 8 | `tokyo` | Tokyo, JP | Vultr | VX1 $2.50 | 10.84.0.9 | $2.50 | ❌ Not provisioned | +| 9 | `seoul` | Seoul, KR | Vultr | VX1 $2.50 | 10.84.0.10 | $2.50 | ❌ Not provisioned | +| 10 | `mumbai` | Mumbai, IN | Vultr | VX1 $2.50 | 10.84.0.11 | $2.50 | ❌ Not provisioned | +| 11 | `saopaulo` | São Paulo, BR | Vultr | VX1 $2.50 | 10.84.0.12 | $2.50 | ❌ Not provisioned | +| 12 | `sydney` | Sydney, AU | Vultr | VX1 $2.50 | 10.84.0.13 | $2.50 | ❌ Not provisioned | +| 13 | `johannesburg` | Johannesburg, ZA | Vultr | VX1 $2.50 | 10.84.0.14 | $2.50 | ❌ Not provisioned | +| 14 | `telaviv` | Tel Aviv, IL | Vultr | VX1 $2.50 | 10.84.0.15 | $2.50 | ❌ Not provisioned | +| 15 | `dubai` | Dubai, AE | Hostkey | ~$5–8/mo (vm.mini class) | 10.84.0.16 | ~$6.50 | ⏸️ Decision pending | +| 16 | `istanbul` | Istanbul, TR | TBD (Hostkey preferred; Vultr has no TR) | TBD | 10.84.0.17 | 
~$3.90 est. | ⏸️ Provider TBD | + +> **Istanbul note:** Vultr has no Turkey presence. Hostkey does. Likely Hostkey vm.mini at ~€3.90/mo. Warsaw covers Istanbul at ~30ms if deferred. +> **Dubai note:** INFRASTRUCTURE.md lists Dubai as Hostkey at ~$5–8/mo. Order not yet placed — pending Johan's decision. + +--- + +## 3. What Runs on Each Spoke + +Every spoke node runs the same minimal stack — deliberately so. No drift by design. + +``` +[Vultr/Hostkey VPS] +├── NixOS (declarative, reproducible, 2 generations max) +├── vault1984 binary (Go, ~15 MB, ports :80 + :443) +│ ├── Built-in autocert (Let's Encrypt via golang.org/x/crypto/acme/autocert) +│ ├── Kuma push heartbeat (every 30s to soc.vault1984.com) +│ └── vault1984.db (SQLite + WAL) +└── WireGuard spoke → hub (10.84.0.1:51820) + └── SSH binds to WireGuard IP only (10.84.0.x:22) +``` + +**Public ports:** 80, 443 only. +**NOT public:** Port 22 (SSH reachable only via WireGuard tunnel from Zurich hub). + +### Heartbeat Payload (every 30s, vault1984 → Kuma) +```json +{ + "node": "tokyo", + "ram_mb": 142, "disk_pct": 31.2, "cpu_pct": 2.1, + "db_size_mb": 12, "db_integrity": true, + "active_sessions": 3, "req_1h": 847, "err_1h": 2, + "cert_days_remaining": 62, "nix_gen": 2, "uptime_s": 864000 +} +``` + +**Key watchdog metric:** `cert_days_remaining` — visible in Kuma before any cert expires. + +--- + +## 4. DNS Plan + +### Per-Node Subdomains +Each node gets its own subdomain under `vault1984.com`: + +| Node | FQDN | Type | Points to | +|------|------|------|-----------| +| zurich | zurich.vault1984.com | A | 82.22.36.202 | +| frankfurt | frankfurt.vault1984.com | A | (Vultr IP, TBD) | +| newjersey | newjersey.vault1984.com | A | (Vultr IP, TBD) | +| … | … | A | (Vultr IP, TBD) | +| dubai | dubai.vault1984.com | A | (Hostkey IP, TBD) | + +All DNS via **Cloudflare** (zone: `1c7614cd4ee5eabdc03905609024f93a`). +**DNS-only mode** — no Cloudflare proxying. 
vault1984 is a password vault; routing through third-party proxies defeats the trust model. + +### vault1984.com Root +- **vault1984.com** → **New Jersey** node (primary; largest US East market) +- `www.vault1984.com` → same (or 301 → apex) +- **Option: Cloudflare Load Balancer GeoDNS** → $5/mo — latency-based routing across all nodes. Johan decides post-pilot. + +### SOC Domain +- `soc.vault1984.com` → 82.22.36.202 (Caddy → Kuma:3001) — internal status dashboard + +--- + +## 5. Current Status vs Plan + +| # | Milestone | Deadline | Status | Notes | +|---|-----------|----------|--------|-------| +| **M1** | Zurich SOC ready (WireGuard hub + Kuma + `soc.vault1984.com`) | Mon Mar 2, EOD | 🔄 In progress | WireGuard hub + Kuma configured on Zurich; fleet Kuma monitors need creation when nodes go live. Hans server (185.218.204.47) live as NOC node. | +| **M2** | NixOS config + deploy tooling in `vault1984/infra/` | Tue Mar 3, EOD | 🔄 In progress | **TODAY** — Hans executing. Includes base.nix, 16 node vars, provision.sh, deploy.sh, healthcheck.sh, vault1984 telemetry push goroutine. | +| **M3** | Pilot: 3 nodes live (Zurich, Frankfurt, NJ) | Wed Mar 4, noon | ❌ Not started | Blocked on M2 completion + Vultr API key. | +| **M4** | Go/No-Go review | Wed Mar 4, EOD | ❌ Not started | Johan reviews pilot. | +| **M5** | Full 16-node fleet live | Thu Mar 5, EOD | ❌ Not started | 4 batches of ~4 nodes. Blocked on M4 green light + Vultr API key. | +| **M6** | DNS, TLS, health checks verified across all 16 | Thu Mar 5, EOD | ❌ Not started | Follows M5. | +| **M7** | 🚀 Go-live — vault1984.com routes to fleet | **Fri Mar 6, noon** | ❌ Not started | Johan + James final sign-off. | + +--- + +## 6. 
Cost Breakdown + +### Monthly Infrastructure Cost + +| Component | Nodes | Unit Cost | Monthly | +|-----------|-------|-----------|---------| +| Zurich hub (Hostkey) | 1 | Existing (inou.com infra) | $0 incremental | +| Vultr VX1 nodes | 13 | $2.50/mo | **$32.50** | +| Dubai (Hostkey, ~vm.mini) | 1 | ~$5–8/mo est. | **~$6.50** | +| Istanbul (Hostkey est.) | 1 | ~€3.90/mo est. | **~$4.25** | +| **Total fleet** | **16** | — | **~$43/mo** | + +> Zurich hub cost is shared with inou.com, Stalwart mail, and other services — not charged to vault1984 budget. + +### Remaining Budget +- Budget ceiling: **$100/mo** +- Fleet spend: **~$43/mo** +- Reserve for upgrades: **~$57/mo** (use when individual nodes see demand) + +### Node Upgrade Path (when needed) +| Tier | Specs | Cost | +|------|-------|------| +| VX1 (current) | 1 vCPU / 512MB / 10GB | $2.50/mo | +| Next tier | 1 vCPU / 1GB / 25GB / 1TB | $6/mo | +| Mid tier | 2 vCPU / 2GB / 50GB / 2TB | $12/mo | + +--- + +## 7. Blockers + +| Blocker | Owner | Impact | Notes | +|---------|-------|--------|-------| +| **Vultr API key** | 🔴 Johan (pending) | Blocks M3, M5 — cannot provision any VPS | Was due Mon Mar 2 AM. Still outstanding as of Tue Mar 3. Hans cannot provision 13 nodes without it. | +| **Dubai decision** | 🟡 Johan | Blocks Dubai node (15th spoke) | Option A: Order Hostkey Dubai (~$5–8/mo). Option B: Cover Gulf region with Tel Aviv (~40ms). Option C: Defer to post-launch. Warsaw covers Istanbul at 30ms if Istanbul also deferred. | +| **Istanbul provider** | 🟡 James/Hans | Blocks 16th spoke | Vultr has no Turkey presence. Hostkey does. Likely Hostkey vm.mini ~€3.90/mo. Low urgency — Warsaw covers at ~30ms. | + +--- + +## Architecture Principles (for reference) + +1. **No Caddy on spokes.** vault1984 binary handles TLS itself via `autocert` — eliminates a process and potential cert misconfig. Learned from Kaseya cert incidents. +2. **No Cloudflare proxying.** DNS-only. 
Password vault + third-party MITM = trust model broken. +3. **No public SSH.** Every spoke node: SSH on WireGuard interface only. Public internet sees 80+443, nothing else. +4. **NixOS everywhere.** Declarative = zero drift. One config file per node, checked into repo. Roll back any node in seconds. +5. **Nodes are independent.** No replication. User vault lives on one node. Scale up single nodes when demand warrants. + +--- + +*vault1984 — "1984 had no secrets. You should."* diff --git a/hans/MEMORY.md b/hans/MEMORY.md index e6cb33e..d888f3d 100644 --- a/hans/MEMORY.md +++ b/hans/MEMORY.md 
@@ -1,76 +1,401 @@ # MEMORY.md — Hans ⛰️ Long-Term Memory -*Last updated: 2026-03-01* +*Last updated: 2026-03-03 (Tuesday — briefed by James ⚡, full operational context)* + +--- ## Who I Am -Hans ⛰️, Swiss Director of Operations for vault1984. Running on Zurich VPS (82.22.36.202). Born 2026-03-01. + +**Hans ⛰️**, Swiss Director of Operations for vault1984. Born 2026-03-01. +- **Home node:** Zurich VPS (82.22.36.202) — the NOC hub +- **NOC node (Hans server):** 185.218.204.47 (`noc.vault1984.com`) — Hostkey vm.mini +- **Mission:** Deploy, monitor, and maintain the vault1984 16-node global fleet. Go-live Friday March 6, 2026 noon ET. +- **I own the fleet.** I execute and report. I don't ask permission for routine ops. + +--- ## The Product: vault1984 -- Password manager built for humans who use AI assistants -- Two-tier encryption: L1 = VAULT_KEY (server secret), L2 = WebAuthn PRF (client-side, AI never sees L2) -- One Go binary + one SQLite file per node. Port 1984 (Orwell — intentional) -- MIT open source. Hosted offering: vault1984.com -- Currently: dev stage, running on forge (192.168.1.16:1984) + +Password manager / structured knowledge store built for humans who use AI assistants. The key differentiator: **agent fields are AI-accessible** (scoped MCP tokens), **sealed fields are human-only** (WebAuthn PRF — key never leaves the client). + +- **L1:** `VAULT_KEY` in `.env` — machine secret, server-side encryption +- **L2:** WebAuthn PRF — client-side only (Touch ID, Face ID, YubiKey). AI NEVER sees L2. +- **One Go binary + one SQLite file per node.** Port 1984 (Orwell — intentional). +- **Auth:** WebAuthn only (no master password). Recovery: 12-word BIP39 mnemonic. +- **Text only, Markdown default.** No attachments, no images — ever. +- **MIT open source.** Core at `git@zurich.inou.com:vault1984.git` + GitHub `johanjongsma/vault1984`. +- **Pricing:** $12/year (annual only). 7-day money-back. No free trial. +- **Tagline:** "1984 had no secrets. You should." 
+- **Brand:** `#0A1628` bg, `#22C55E` accent green, JetBrains Mono ExtraBold, Inter body. +- **URL:** vault1984.com (live, Cloudflare → Caddy on forge → port 8099 for web, port 1984 for app) +- **X:** @vault1984 (registered by Johan on 2026-03-02) + +--- + +## Key People + +### Johan Jongsma — My Human +- **Role:** CTO Backup at Kaseya (formerly Datto). Dutch citizen. St. Petersburg, Florida, USA. +- **Background:** Founded Iaso Backup, sold 2013 (became Cove Data Protection/N-able), left 2019, joined Kaseya/Datto. +- **Communication:** Direct, evidence-based. No small talk. No fluff. Show proof, not claims. +- **Units:** Metric brain (Dutch), lives in US — give both units when relevant. +- **He owns vault1984.** All major decisions go to him. I execute, he decides architecture/GTM. +- **Telegram:** @johanjongsma (ID: 8454563068) — primary channel. +- **Wake policy:** Don't wake before 8AM ET unless it's genuinely urgent. + +### Johan's Schedule (memorize this) +| Block | Time (ET) | +|-------|-----------| +| First sleep | 7:30pm – 10:15pm | +| **Night shift (Sophia care — WORKING)** | 10:30pm – 5:00am | +| Second sleep | 5:15am – 9/10am | +| Awake/Day | ~10am – 7:30pm | + +**CRITICAL:** After 10:30pm he is working, NOT sleeping. Do background/autonomous work during 5:15–9am. + +### Sophia — Johan's Daughter +The reason inou exists and why Johan's work is so important. Serious accident May 2, 2022. She is trached, requires constant monitoring. Johan is her night nurse. **Don't disrupt her care environment** — never make noise or trigger alerts during night shift without critical reason. + +### James ⚡ — My Peer / Chief of Staff +- **Home:** forge (192.168.1.16), port 18789 +- **Role:** Chief of Staff to Johan. Strategic partner. Owns infrastructure oversight. +- **Channel:** Telegram (@jamesjongsma_bot, ID: 8510971070) +- **Discord:** James is on Discord too (dmPolicy=open). Bot: @jamesjongsma_bot on the vault1984 Discord server. +- **Relationship to me:** Peer. 
James coordinates at the strategic level; I own fleet operations. James spawns me for vault1984 infra tasks and receives my reports. +- **James does NOT use Anthropic tokens** for my tasks — Fireworks only on my node. + +### Misha (Michael) Jongsma — Johan's Son +- Runs Dealspace (muskepo.com), an M&A deal workflow SaaS. +- Contact: michael@muskepo.com, +1 727-238-1189 +- James built Dealspace for him. Johan advises. + +--- ## Infrastructure -### Hub: Zurich VPS -- IP: 82.22.36.202 -- SSH: root@82.22.36.202 -- Specs: 4 vCPU, 6GB RAM, 120GB SSD -- Provider: Hostkey -- Running: Stalwart mail, Uptime Kuma (port 3001), ntfy (port 2586), Caddy reverse proxy -- WireGuard hub: 10.84.0.1/24, UDP 51820 +### Forge (192.168.1.16) — James's Home +- **Hardware:** i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe +- **OS:** Ubuntu 24.04.3 LTS headless +- **Services:** OpenClaw gateway (18789), Mail Bridge (8025), GLM-OCR (8090), vault1984 app (1984), vault1984-web (8099), Docsys (9201), Dealspace (9300) +- **Caddy reverse proxy:** at 192.168.0.2 (not forge directly). Proxies vault1984.com, inou.com, docsys.jongsma.me, etc. 
-### The 16-Node Fleet (target) -Provider mix: Hostkey (Zurich existing, Dubai) + Vultr VX1 $2.50/mo nodes +### Zurich VPS (82.22.36.202) — MY HUB +- **DNS:** zurich.inou.com +- **Provider:** Hostkey (Switzerland, likely Equinix ZH) +- **Specs:** 4 vCPU, 6GB RAM, 120GB SSD +- **SSH:** root@82.22.36.202 (key auth) +- **Services running:** + - Caddy (owns port 443, auto-TLS) + - Stalwart mail server (ports 25/465/587/143/993/995) — handles @jongsma.me + @inou.com + @vault1984.com + - Uptime Kuma (port 3001) → `kuma.inou.com` + - ntfy (port 2586) → `ntfy.inou.com` + - Git server (`git` user with git-shell) — all our repos here + - Vaultwarden at `vault.jongsma.me` (fresh, no data yet) + - **WireGuard hub: 10.84.0.1/24, UDP 51820** — vault1984 fleet management network + - `soc.vault1984.com` → Kuma (port 3001) via Caddy +- **Git repos here:** vault1984, vault1984-web, dealspace, inou-mobile, azure-backup (abandoned), clawdnode-android, mail-agent -| Node | Location | Provider | -|------|----------|----------| -| zurich | Zürich, CH | Hostkey (existing) | -| frankfurt | Frankfurt, DE | Vultr | -| newjersey | New Jersey, US | Vultr | -| siliconvalley | Silicon Valley, US | Vultr | -| dallas | Dallas, US | Vultr | -| london | London, UK | Vultr | -| warsaw | Warsaw, PL | Vultr | -| tokyo | Tokyo, JP | Vultr | -| seoul | Seoul, KR | Vultr | -| mumbai | Mumbai, IN | Vultr | -| saopaulo | São Paulo, BR | Vultr | -| sydney | Sydney, AU | Vultr | -| johannesburg | Johannesburg, ZA | Vultr | -| telaviv | Tel Aviv, IL | Vultr | -| dubai | Dubai, AE | Hostkey | +### Hans Server / NOC Node (185.218.204.47) +- **DNS:** noc.vault1984.com +- **Provider:** Hostkey (vm.mini, €3.90/mo) +- **Specs:** 4 vCPU / 6GB RAM / 120GB SSD +- **OS:** Ubuntu 24.04 +- **Root password:** ThIsNeEdStOcHaNgE0-- ⚠️ **CHANGE THIS** +- **User:** `johan` (SSH key auth, sudo) +- **UFW:** 22/80/443 only, fail2ban active +- **OpenClaw:** 2026.3.1 installed +- **Model:** Fireworks MiniMax M2.5 
(`accounts/fireworks/models/minimax-m2p5`) +- **Fireworks key:** `fw_RVcDe4c6mN4utKLsgA7hTm` +- **Discord:** Bot token configured, connected to vault1984 Discord server. dmPolicy=open. +- **Purpose:** vault1984 NOC operations agent. Receives commands from James via Discord, executes, reports back. -(15 listed + Zurich hub = 16 total) +### Shannon VPS (82.24.174.112) +- Dealspace (muskepo.com) lives here. Paid till 2026-04-09. +- SSH: root@82.24.174.112 / pw: gUB-C63-EN +- Not related to vault1984 fleet. -### Key Credentials -- Zurich SSH: root@82.22.36.202 -- Uptime Kuma: http://zurich.inou.com:3001, user: james, pass: WW8ipJfY27ELf7nnouaKLCL6 -- ntfy token: tk_ggphzgdis49ddsvu51qam6bgzlyxn -- Vultr API key: PENDING from Johan -- vault1984 repo: git@zurich.inou.com:vault1984.git + https://github.com/johanjongsma/vault1984 -- vault1984-web repo: git@zurich.inou.com:vault1984-web.git +### Home Network (St. Petersburg, FL) +- **Public IP:** 47.197.93.62 (rarely changes) +- **Caddy:** 192.168.0.2 (reverse proxy for all home services) +- **Home Assistant:** 192.168.1.252 +- **Forge:** 192.168.1.16 +- **DNS:** AdGuard Home (at 192.168.1.252) -## Milestone Plan +### vault1984 Fleet Target — 16 Nodes -| Date | Milestone | -|------|-----------| -| Mon Mar 2 | Zurich SOC setup (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) | -| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo | -| Wed Mar 4 noon | Pilot — 3 nodes live (Zurich, Frankfurt, NJ) | -| Wed Mar 4 EOD | Johan Go/No-Go review | -| Thu Mar 5 | Full 16-node fleet live | -| **Fri Mar 6 noon** | 🚀 **GO-LIVE** | +| Node | Location | Provider | WireGuard IP | +|------|----------|----------|--------------| +| zurich | Zürich, CH (HQ) | Hostkey (existing) | 10.84.0.2 | +| frankfurt | Frankfurt, DE | Vultr VX1 $2.50 | 10.84.0.3 | +| newjersey | New Jersey, US | Vultr VX1 $2.50 | 10.84.0.4 | +| siliconvalley | Silicon Valley, US | Vultr VX1 $2.50 | 10.84.0.5 | +| dallas | Dallas, US | Vultr VX1 $2.50 | 
10.84.0.6 | +| london | London, UK | Vultr VX1 $2.50 | 10.84.0.7 | +| warsaw | Warsaw, PL | Vultr VX1 $2.50 | 10.84.0.8 | +| tokyo | Tokyo, JP | Vultr VX1 $2.50 | 10.84.0.9 | +| seoul | Seoul, KR | Vultr VX1 $2.50 | 10.84.0.10 | +| mumbai | Mumbai, IN | Vultr VX1 $2.50 | 10.84.0.11 | +| saopaulo | São Paulo, BR | Vultr VX1 $2.50 | 10.84.0.12 | +| sydney | Sydney, AU | Vultr VX1 $2.50 | 10.84.0.13 | +| johannesburg | Johannesburg, ZA | Vultr VX1 $2.50 | 10.84.0.14 | +| telaviv | Tel Aviv, IL | Vultr VX1 $2.50 | 10.84.0.15 | +| dubai | Dubai, AE | Hostkey | 10.84.0.16 | +| istanbul | Istanbul, TR | (TBD) | 10.84.0.17 | -## Key People -- **Johan Jongsma** — my human. CTO Backup at Kaseya. Dutch, St. Petersburg FL. Direct, evidence-based. He owns vault1984. -- **James ⚡** — main agent on forge (192.168.1.16). Chief of Staff. My peer and coordinator. +Budget: ~$40/mo for full fleet. -## Key Docs (on forge) -- `/home/johan/dev/vault1984/docs/NOC-DEPLOYMENT-PLAN.md` -- `/home/johan/dev/vault1984/docs/INFRASTRUCTURE.md` +--- + +## Tools & Services + +### Uptime Kuma +- **URL:** http://zurich.inou.com:3001 (also via `soc.vault1984.com`) +- **User:** james / WW8ipJfY27ELf7nnouaKLCL6 +- **My job:** Set up one push monitor per vault1984 fleet node. SEV2: 2 missed pushes. SEV1: 5+ min down. 
+- **ntfy topic for vault1984 alerts:** `vault1984-alerts` +- **Heartbeat:** Each node pushes every 30s with runtime telemetry (RAM, disk, CPU, DB size, DB integrity, active sessions, req_1h, err_1h, cert_days_remaining, uptime_s) + +### ntfy (Self-hosted on Zurich) +- **URL:** https://ntfy.inou.com +- **Token:** `tk_ggphzgdis49ddsvu51qam6bgzlyxn` +- **Topics:** + - `vault1984-alerts` — vault1984 fleet alerts (nodes down, deploy failures) + - `forge-alerts` — James's infra alerts + - `inou-alerts` — inou health platform alerts + +### Discord — vault1984 Server +- **vault1984 Discord server ID:** `1478270766007976009` +- **Johan's Discord ID:** `666836243262210068` +- **My bot token prefix:** `MTQ3ODMyMTE2...` (full token in my OpenClaw config on 185.218.204.47) +- **James bot token prefix:** `MTQ3ODI1...` (James has his full token on forge) +- **My bot:** Hans ⛰️ bot token configured in OpenClaw on my node (185.218.204.47). dmPolicy=open. +- **James bot:** @jamesjongsma_bot also in the vault1984 server. dmPolicy=open. +- **Both:** in the vault1984 Discord server as of 2026-03-03. +- **Use for:** James→Hans deploy commands, Hans→James status reports. Private NOC channel in the server. +- **Key:** Discord is the communication bus between James (forge) and Hans (NOC node). +- **To reach James:** Message him in the vault1984 Discord server. He responds there. +- **To reach Johan:** Telegram is primary (@johanjongsma, ID: 8454563068). Discord secondary. + +### Telegram +- **James's primary channel to Johan:** @jamesjongsma_bot +- **Johan:** @johanjongsma (Telegram ID: 8454563068) +- Signal is retired (as of 2026-03-01). Telegram is sole briefing channel. +- For briefings: use Telegram Markdown (bold, italic, headers work). 
+ +### Git (Zurich git server) +- **Format:** `git@zurich.inou.com:.git` +- **vault1984 repo:** `git@zurich.inou.com:vault1984.git` + GitHub `johanjongsma/vault1984` +- **vault1984-web repo:** `git@zurich.inou.com:vault1984-web.git` (proprietary) +- **My infra config lives in:** `vault1984/infra/` (to be created in M2) + +### Fireworks AI (My LLM provider) +- **API Key:** `fw_RVcDe4c6mN4utKLsgA7hTm` +- **Model:** `accounts/fireworks/models/minimax-m2p5` (MiniMax M2.5, 230B MoE) +- **Base URL:** `https://api.fireworks.ai/inference/v1` +- **Privacy:** Zero retention guaranteed. Safe for all data. +- **No Anthropic tokens on Hans.** Fireworks only. James uses Anthropic on forge. + +### Cloudflare +- **vault1984.com zone:** `1c7614cd4ee5eabdc03905609024f93a` +- **API token:** `dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O` +- Cloudflare manages DNS for vault1984.com, inou.com, jongsma.me, etc. + +### vault1984 Credentials (what I need for deploy) +- **VAULT_KEY:** `d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb` +- **GitHub token (for releases):** `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` +- **Vultr API key:** PENDING from Johan (needed for node provisioning) + +--- + +## Deployment Plan — Current Status + +**Target:** 16 nodes live, vault1984.com routing to fleet. Go-live: Friday March 6, 2026 noon ET. 
+ +| Milestone | Deadline | Status | +|-----------|----------|--------| +| M1: Zurich SOC (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) | Mon Mar 2, EOD | ✅ DONE (partial — hub+Caddy+Kuma up; fleet monitors pending nodes) | +| **M2: NixOS config + deploy tooling in vault1984/infra/** | **Tue Mar 3, EOD** | 🔴 TODAY — my primary task | +| M3: Pilot — 3 nodes live (Zurich, Frankfurt, NJ) | Wed Mar 4, noon | Pending M2 | +| M4: Go/No-Go review | Wed Mar 4, EOD | Johan decides | +| M5: Full 16-node fleet live | Thu Mar 5, EOD | Pending M4 green | +| M6: DNS, TLS, health checks verified | Thu Mar 5, EOD | Pending M5 | +| M7: Go-live — vault1984.com to fleet | **Fri Mar 6, noon** | 🚀 TARGET | + +**⚠️ BLOCKING ITEM:** Vultr API key still missing from Johan as of Tue Mar 3 morning. M3 cannot proceed without it (need to provision VX1 nodes). Chase Johan for this. He committed to providing it Mon Mar 2 AM — it's now overdue. + +### M2 Details — What I Need to Build Today (Tue Mar 3) + +**Repo structure to create:** +``` +vault1984/infra/ + nixos/ + base.nix # shared: WireGuard spoke, SSH, vault1984 service, firewall + nodes/ + frankfurt.nix # per-node vars: wg_ip, hostname, kuma_token, subdomain + new-jersey.nix + ... (16 total) + scripts/ + keygen.sh # generate WireGuard keypair for a new node + provision.sh # nixos-infect fresh Debian VPS + full config push + deploy.sh # push binary + nixos-rebuild [node|all], rolling + healthcheck.sh # verify: WG ping, HTTPS 200, Kuma heartbeat received + wireguard/ + zurich.pub # hub public key + peers.conf # all node pubkeys + WG IPs (no private keys ever) +``` + +**base.nix requirements:** +- WireGuard spoke (parameterized) +- **SSH on WireGuard interface only** — port 22 NOT public on spoke nodes +- vault1984 systemd service +- Firewall: public 80+443 only +- Nix store: 2 generations max, weekly GC + +**vault1984 binary telemetry push (M2.4):** +New background goroutine, 30s interval. 
POST to `KUMA_PUSH_URL` env var: +```json +{ + "ram_mb": ..., "disk_pct": ..., "cpu_pct": ..., + "db_size_mb": ..., "db_integrity": true/false, + "active_sessions": ..., "req_1h": ..., "err_1h": ..., + "cert_days_remaining": ..., "nix_gen": ..., "uptime_s": ... +} +``` + +**Build:** `CGO_ENABLED=1` with zig cross-compile for NixOS musl; fallback `modernc.org/sqlite` if needed. + +**provision.sh flow:** +1. SSH to fresh Debian VPS +2. Run `nixos-infect` → wait for reboot (~3 min) +3. Push base.nix + node vars + WireGuard private key +4. `nixos-rebuild switch` +5. Push vault1984 binary + .env +6. Run healthcheck.sh → confirm WG up, HTTPS 200, Kuma green + +**deploy.sh:** Rolling — deploy one node → verify health → next. Abort on first failure. + +**✅ M2 Done when:** Any node provisionable in <20 min. Fleet-wide binary deploy in <10 min. + +### M3 Details — Wednesday Pilot (3 nodes) +1. Zurich as first spoke → `https://zurich.vault1984.com` + Kuma green +2. Frankfurt VX1 ($2.50) → provision.sh → DNS → Kuma green +3. New Jersey VX1 ($2.50) → provision.sh → DNS → Kuma green +4. Kill vault1984 on Frankfurt → Kuma alert to ntfy in <2 min → restart → green (validation) +5. `nmap` each node: confirm port 22 NOT public +6. TLS cert valid on all 3 + +### Pending from Johan (blockers) +- [ ] **Vultr API key** — ⚠️ OVERDUE. Was due Mon Mar 2 AM. Still missing as of Tue Mar 3. M3 pilot BLOCKED without it. This is the single biggest risk to Fri Mar 6 go-live. Chase him. 
+- [ ] **Hostkey Dubai order** — or defer decision (if deferred, Istanbul or another Vultr node fills slot 16) + +--- + +## Active Projects Status (as of 2026-03-03) + +### vault1984 — PRIMARY +- **Core binary:** Built, running at `http://192.168.1.16:1984/` +- **vault1984.com:** Live (Caddy → forge → port 8099 for web, 1984 for app) +- **Tests:** 11 integration tests passing +- **Pending (Day 2, non-blocking for fleet deploy):** + - WebAuthn PRF implementation (L2 client-side encryption) + - Scoped MCP tokens UI + - Import Johan's 12,623 entries from Proton Pass + - vault1984 binary dead website copy cleanup (cmd/vault1984/website/ needs deletion) + +### inou health — SECONDARY (not my domain) +- Johan's medical imaging platform (DICOM, genetic analysis, lab data) +- Live at inou.com → 192.168.100.2:1080 +- **SMTP broken on prod** (Proton Bridge not running on 192.168.100.2) +- **Backdoor OTP:** 250365 (intentional dev convenience) +- Contains real patient data (Sophia, Anastasia) — treat with extreme care + +### Dealspace (muskepo.com) — SECONDARY (not my domain) +- Misha's M&A deal room SaaS +- Live at muskepo.com (Shannon VPS: 82.24.174.112) +- Pending: invite flow, SMTP config, Misha domain decision + +### DocSys — SECONDARY (not my domain) +- Document processing pipeline (OCR → classify → store) +- Running at localhost:9201 on forge +- SMB inbox at \\192.168.1.16\docsys + +--- + +## Johan's Preferences & Working Style + +- **Communication:** Direct. Evidence-based. No small talk. Come with solutions, not questions. +- **"Prove it, don't claim it"** — show logs, show output, show uptime. Same expectation for me. +- **Security from the start** — not an afterthought. Proper setup over quick setup. +- **Fix root causes, not symptoms** — workarounds will be rejected. +- **Best over fast** — he wants the right solution, not the quick one. +- **Infrastructure is mine to own** — he delegated it fully. I don't ask permission for routine ops. 
+- **He does NOT code** — I handle all technical implementation. +- **Single primary channel:** Telegram. Signal is retired. +- **Alert routing:** + - vault1984 fleet issues → ntfy `vault1984-alerts` + - General infra → ntfy `forge-alerts` + - inou → ntfy `inou-alerts` +- **He doesn't want to be bothered by routine items.** Only escalate real blockers. +- **OCR:** Only GLM-OCR (Zhipu). No Tesseract ever. +- **Privacy:** Fireworks for sensitive data (zero retention). Grok/xAI not for private data. + +--- + +## James ↔ Hans — How We Operate + +**We are peers.** Neither of us reports to the other. Both report to Johan. + +| Dimension | James ⚡ | Hans ⛰️ | +|-----------|---------|---------| +| Home | forge (192.168.1.16) | Zurich VPS (82.22.36.202) + NOC node (185.218.204.47) | +| Role | Chief of Staff — owns everything except fleet | Director of Operations — owns fleet exclusively | +| LLM | Anthropic Claude Sonnet 4.6 (Johan's subscription) | Fireworks MiniMax M2.5 (zero retention, privacy safe) | +| Channel to Johan | Telegram (@jamesjongsma_bot) | Telegram + Discord | +| Memory files | `/home/johan/clawd/` on forge | `/home/johan/clawd/hans/` on forge (synced) | + +**Division of ownership:** +- **Hans owns:** WireGuard fleet, node provisioning, deploy tooling, Kuma monitors, vault1984 fleet health, NixOS configs +- **James owns:** vault1984 codebase, billing/Stripe, vault1984-web, inou, Dealspace, email, home infra, Johan's personal comms +- **Both coordinate on:** vault1984 releases (James cuts binary, Hans deploys it), incident response + +**Communication protocol:** +- **Normal ops:** Hans acts autonomously on fleet tasks, reports results to James and/or Johan +- **Deploy requests:** James sends binary + deployment command via Discord → Hans executes → confirms back +- **Incidents:** Hans alerts ntfy `vault1984-alerts` immediately, then briefs James on Discord +- **Johan escalation:** Only for blockers (missing credentials, architectural decisions, major costs) 
+ +**James spawned me.** James created the deployment plan, provisioned my node, and briefed me. I respect that. But once the plan is in motion, I execute it. I don't wait for James to approve each step — I act and report. + +**James doesn't use Anthropic tokens for my tasks.** When James spawns me or sends me work, he uses Fireworks (my model). Zero token cost to Johan's Anthropic account. + +--- + +## James's Operational Patterns + +- **Main session:** Forge, webchat, Anthropic Claude Sonnet 4.6 +- **Background work:** Spawns subagents (isolated sessions) for async tasks +- **Email triage:** Every email read, triaged: archive, delete, or escalate +- **Heartbeat crons:** K2.5 watchdog every 30 min, email straggler every 90 min +- **Memory files:** Working-context + daily notes + MEMORY.md — this is how we persist across sessions +- **Git discipline:** Every workspace change committed. All repos have Zurich remote. +- **Model selection:** Anthropic Claude Sonnet 4.6 for judgment/conversation. Fireworks MiniMax M2.5 for grunt work. +- **Discord:** James is also in the vault1984 server with dmPolicy=open — direct message James for coordination if needed. + +--- + +## My Operational Standards + +- **SSH:** Always via WireGuard on fleet nodes. Zero public SSH on spoke nodes. +- **Alerts:** ntfy `vault1984-alerts` for anything affecting fleet uptime. +- **Logging:** Every deploy, every change, every anomaly — documented in daily notes. +- **Verification:** Prove it works before reporting done. Curl test, log check, Kuma green. +- **WireGuard:** persistentKeepalive=25 (bare metal VPS, no double-NAT expected). +- **NixOS:** 2 generations max, weekly GC. Consistent, declarative, reproducible. + +--- ## Status Log -- 2026-03-01: Born. Memory files created. Ready for Monday ops. + +- 2026-03-01: Born. Memory files created. Deployment plan reviewed. +- 2026-03-02: Hans server provisioned (185.218.204.47). OpenClaw 2026.3.1 installed, Fireworks M2.5 configured. 
noc.vault1984.com DNS live. Johan built vault1984-web Go binary (Python killed). vault1984.com email set up (social@vault1984.com via Stalwart). @vault1984 on X registered. @inouhealth on X registered. Stalwart Bayes bug fixed. +- 2026-03-03: Discord setup complete — Hans bot token (MTQ3ODMyMTE2...) configured, in vault1984 Discord server (ID: 1478270766007976009). James also on Discord in same server (token MTQ3ODI1...). dmPolicy=open on both. Johan's Discord ID: 666836243262210068. TODAY = M2 (NixOS config + deploy tooling). Vultr API key still missing from Johan — OVERDUE. James briefed Hans via MEMORY.md update (subagent). diff --git a/memory/claude-usage.db b/memory/claude-usage.db index e1f17f1..474f9aa 100644 Binary files a/memory/claude-usage.db and b/memory/claude-usage.db differ diff --git a/memory/claude-usage.json b/memory/claude-usage.json index 92c080e..f5587f3 100644 --- a/memory/claude-usage.json +++ b/memory/claude-usage.json @@ -1,9 +1,9 @@ { - "last_updated": "2026-03-03T11:00:02.013861Z", + "last_updated": "2026-03-03T17:00:01.444170Z", "source": "api", - "session_percent": 16, - "session_resets": "2026-03-03T12:00:00.961443+00:00", - "weekly_percent": 75, - "weekly_resets": "2026-03-06T02:59:59.961462+00:00", - "sonnet_percent": 81 + "session_percent": 0, + "session_resets": null, + "weekly_percent": 79, + "weekly_resets": "2026-03-06T03:00:00.388794+00:00", + "sonnet_percent": 85 } \ No newline at end of file diff --git a/memory/heartbeat-state.json b/memory/heartbeat-state.json index f767098..a723062 100644 --- a/memory/heartbeat-state.json +++ b/memory/heartbeat-state.json @@ -3,7 +3,7 @@ "email": 1772494351, "calendar": null, "weather": 1771942030, - "briefing": 1772375543, + "briefing": 1772550203, "news": 1771597876, "claude_usage": 1772494351 }, 
@@ -12,7 +12,7 @@ "lastWeeklyHAOS": "2026-03-01T05:33:08.340468+00:00", "lastWeeklyMemorySynthesis": "2026-03-01T05:33:08.340468+00:00", "lastDocInbox": "2026-02-25T22:01:42.532628Z", - "lastTechScan": "2026-03-02T17:04:00Z", + "lastTechScan": 1772550203, "lastMemoryReview": "2026-03-02T17:04:00Z", "lastIntraDayXScan": "2026-03-03T04:03:00Z", "lastInouSuggestion": "2026-03-02T17:03:49.016Z", diff --git a/memory/infrastructure-plan.md b/memory/infrastructure-plan.md new file mode 100644 index 0000000..2ccefc7 --- /dev/null +++ b/memory/infrastructure-plan.md 
@@ -0,0 +1,329 @@ +# Infrastructure Plan +*Maintained by James ⚡ · Last updated: 2026-03-03* + +--- + +## 1. All Locations + +### forge — Home Server (James' primary) +| Field | Value | +|-------|-------| +| **IP** | 192.168.1.16 (LAN) | +| **Provider** | Home lab (St. Pete, FL) | +| **Specs** | i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe | +| **OS** | Ubuntu 24.04.3 LTS headless | +| **Managed by** | James ⚡ | +| **Monthly cost** | $0 (home power only) | + +**Runs:** +- OpenClaw gateway (port 18789) +- Message Center / Mail Bridge (port 8025) +- GLM-OCR service (port 8090, GPU) +- Dashboard (port 9200) +- DocSys (port 9201) +- Alert dashboard (port 9202) +- vault1984 (port 1984) +- vault1984-web (port 8099) +- Dealspace (port 9300) +- inou prod (192.168.100.2:1080 via VLAN) +- Signal-cli daemon (port 8080, legacy) +- Ollama (installed, optional use) +- SMB shares: sophia, docsys, inou-dev + +--- + +### Zurich VPS — `zurich.inou.com` / `82.22.36.202` +| Field | Value | +|-------|-------| +| **IP** | 82.22.36.202 | +| **DNS** | zurich.inou.com | +| **Provider** | Hostkey (server 50304, Zürich CH — Equinix ZH) | +| **Specs** | 4 vCPU / 6GB RAM / 120GB SSD | +| **OS** | Ubuntu 24.04 | +| **Managed by** | James ⚡ | +| **Monthly cost** | ~€3.90/mo | + +**Runs:** +- Caddy reverse proxy (port 443, auto-LE) +- Stalwart mail server (ports 25/465/587/143/993/995) → mail.jongsma.me, mail.inou.com +- Git hosting (`git` user, git-shell only) +- Uptime Kuma (port 3001) → kuma.inou.com +- ntfy self-hosted (port 2586) → ntfy.inou.com +- Vaultwarden → vault.jongsma.me (fresh, no data yet) +- harryhaasjes.nl "coming soon" static +- WireGuard hub (10.84.0.1/24, UDP 51820) — vault1984 fleet +- **Pending:** OpenClaw NOC agent (Hans / vault1984-noc) + +**Doubles as:** vault1984 fleet hub (WireGuard hub node), Zurich spoke node + +--- + +### Hans Server — `noc.vault1984.com` / `185.218.204.47` +| Field | Value | +|-------|-------| +| **IP** | 185.218.204.47 | +| **DNS** | 
noc.vault1984.com | +| **Provider** | Hostkey (vm.mini) | +| **Specs** | 4 vCPU / 6GB RAM / 120GB SSD | +| **OS** | Ubuntu 24.04 | +| **Managed by** | Hans ⛰️ | +| **Monthly cost** | ~€3.90/mo | + +**Runs:** +- OpenClaw 2026.3.1 (Hans agent, Fireworks MiniMax M2.5) +- vault1984 binary (pending deploy) +- UFW: 22/80/443, fail2ban + +**Pending:** vault1984 binary deploy, Discord bot, Hans↔James comms channel + +⚠️ Root password still default — `ThIsNeEdStOcHaNgE0--` — **CHANGE THIS** + +--- + +### Shannon VPS — `muskepo.com` / `82.24.174.112` +| Field | Value | +|-------|-------| +| **IP** | 82.24.174.112 | +| **Provider** | Hostkey | +| **Managed by** | James ⚡ | +| **Paid through** | 2026-04-09 | +| **Monthly cost** | ~€3.90/mo (est.) | + +**Runs:** +- Dealspace / muskepo.com (Go binary + Caddy) + +**Note:** Repurposed from former Shannon security VPS. Runs Dealspace. Will be reassigned or cancelled when Dealspace gets its own infra. + +--- + +### ThinkPad X1 (2019) — Johan's local dev +| Field | Value | +|-------|-------| +| **IP** | 192.168.0.223 (WiFi) | +| **OS** | Ubuntu 24.04 desktop | +| **Managed by** | Johan | +| **Monthly cost** | $0 | + +**Runs:** +- Real Chrome on Xvfb:99 (port 9224) — for WAF-protected sites (myCigna) +- xfreerdp RDP target + +--- + +### Caddy (Home Reverse Proxy) +| Field | Value | +|-------|-------| +| **IP** | 192.168.0.2 / Tailscale: 100.84.42.55 | +| **Managed by** | James ⚡ | +| **SSH** | `ssh root@192.168.0.2` (LAN direct only) | + +Routes: james.jongsma.me, docsys.jongsma.me, vault1984.com → forge + +--- + +### Home Assistant +| Field | Value | +|-------|-------| +| **IP** | 192.168.1.252 | +| **Managed by** | Johan (⚠️ hands-off for James/Hans) | + +--- + +## 2. 
vault1984 Fleet Plan — 16 Nodes + +**Target:** Go-live Friday March 6, 2026 noon ET +**Budget:** ~$40/mo +**Hub:** Zurich SOC (82.22.36.202, WireGuard 10.84.0.1/24) +**Architecture:** NixOS + vault1984 Go binary, WireGuard spoke mesh, Kuma push heartbeats + +### Node Inventory + +| # | Node | Location | Provider | WG IP | Monthly | Status | +|---|------|----------|----------|-------|---------|--------| +| 1 | zurich | Zürich, CH | Hostkey (existing) | 10.84.0.1 | *(shared)* | ✅ **HUB — existing** | +| 2 | frankfurt | Frankfurt, DE | Vultr VX1 | 10.84.0.2 | $2.50 | ⏳ Pending | +| 3 | newjersey | New Jersey, US | Vultr VX1 | 10.84.0.3 | $2.50 | ⏳ Pending | +| 4 | siliconvalley | Silicon Valley, US | Vultr VX1 | 10.84.0.4 | $2.50 | ⏳ Pending | +| 5 | dallas | Dallas, US | Vultr VX1 | 10.84.0.5 | $2.50 | ⏳ Pending | +| 6 | london | London, UK | Vultr VX1 | 10.84.0.6 | $2.50 | ⏳ Pending | +| 7 | warsaw | Warsaw, PL | Vultr VX1 | 10.84.0.7 | $2.50 | ⏳ Pending | +| 8 | tokyo | Tokyo, JP | Vultr VX1 | 10.84.0.8 | $2.50 | ⏳ Pending | +| 9 | seoul | Seoul, KR | Vultr VX1 | 10.84.0.9 | $2.50 | ⏳ Pending | +| 10 | mumbai | Mumbai, IN | Vultr VX1 | 10.84.0.10 | $2.50 | ⏳ Pending | +| 11 | saopaulo | São Paulo, BR | Vultr VX1 | 10.84.0.11 | $2.50 | ⏳ Pending | +| 12 | sydney | Sydney, AU | Vultr VX1 | 10.84.0.12 | $2.50 | ⏳ Pending | +| 13 | johannesburg | Johannesburg, ZA | Vultr VX1 | 10.84.0.13 | $2.50 | ⏳ Pending | +| 14 | telaviv | Tel Aviv, IL | Vultr VX1 | 10.84.0.14 | $2.50 | ⏳ Pending | +| 15 | dubai | Dubai, AE | Hostkey | 10.84.0.15 | TBD | ⏳ Pending | + +**Monthly cost breakdown:** +- 14 Vultr VX1 nodes: 14 × $2.50 = **$35.00/mo** +- Dubai (Hostkey): **~€3.90/mo** (TBD — Johan to confirm order) +- Zurich hub: *(already in existing infra budget)* +- Hans NOC server: €3.90/mo *(already counted above)* +- **Total vault1984 fleet: ~$40/mo** + +### Deployment Milestones + +| Date | Milestone | Owner | Status | +|------|-----------|-------|--------| +| Mon Mar 2 | Zurich 
SOC — WireGuard hub, Kuma fleet monitors, soc.vault1984.com | James | ⏳ | +| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo | James | 🔄 Today | +| Wed Mar 4 noon | Pilot — Zurich + Frankfurt + NJ live | James | ⏳ | +| Wed Mar 4 EOD | Go/No-Go review | Johan | ⏳ | +| Thu Mar 5 | Full 16-node fleet live + DNS/TLS verified | James | ⏳ | +| **Fri Mar 6 noon** | 🚀 **GO-LIVE — vault1984.com routes to fleet** | Johan + James | ⏳ | + +### Node DNS Pattern +`.vault1984.com` → node IP (Cloudflare) +Primary entry: `vault1984.com` → New Jersey (largest US East market) +SOC dashboard: `soc.vault1984.com` → Zurich → Kuma port 3001 + +--- + +## 3. Partner: Hostkey + +**Panel:** https://panel.hostkey.com +**Cancellation flow:** `panel.hostkey.com/controlpanel.html?key=` +**Account email:** probably `johan.jongsma@iasobackup.com` (Openprovider uses this — likely same) + +### Current Hostkey Nodes + +| Hostname | Server ID | IP | Purpose | Status | +|----------|-----------|-----|---------|--------| +| zurich.inou.com | 50304 | 82.22.36.202 | Shared infra hub + vault1984 WG hub | ✅ Live | +| noc.vault1984.com | TBD | 185.218.204.47 | Hans NOC agent | ✅ Live | +| muskepo.com (Shannon) | TBD | 82.24.174.112 | Dealspace hosting | ✅ Live (till Apr 9) | +| Amsterdam | 53643 | 82.24.174.112 | ⚰️ DECOMMISSIONED Feb 21 | ❌ Dead | + +### Planned Hostkey Nodes + +| Hostname | Location | Purpose | Status | +|----------|----------|---------|--------| +| dubai.vault1984.com | Dubai, AE | vault1984 fleet node | ⏳ **Johan to order** | + +**Johan action needed:** Confirm/order Dubai Hostkey node. No other Hostkey locations needed — remaining 14 vault1984 nodes go to Vultr. + +--- + +## 4. 
Partner: Vultr + +**Plan:** VX1 — 1 vCPU, 512MB RAM, 10GB SSD, 1TB bandwidth +**Price:** $2.50/mo per node +**API key:** **PENDING from Johan** ← Blocker for automated provisioning + +**14 nodes planned** (all vault1984 fleet except Zurich hub + Dubai Hostkey): +Frankfurt, New Jersey, Silicon Valley, Dallas, London, Warsaw, Tokyo, Seoul, Mumbai, São Paulo, Sydney, Johannesburg, Tel Aviv, + 1 TBD slot + +**Provision method:** `provision.sh ` (nixos-infect → base.nix → vault1984 binary → healthcheck) +**Deploy method:** `deploy.sh all` (rolling, abort on first failure) + +⚠️ **No Vultr account yet. Johan must create account and hand off API key before M2 tooling can be finalized.** + +--- + +## 5. Network Topology + +``` +Internet + │ + ├── Cloudflare DNS (all public domains) + │ ├── inou.com → Caddy (home, 192.168.0.2) + │ ├── *.jongsma.me → Caddy (home) + Stalwart (mail → Zurich) + │ ├── vault1984.com → vault1984 nodes (direct) + │ ├── zurich.inou.com, kuma.inou.com, ntfy.inou.com → Zurich VPS + │ └── noc.vault1984.com → Hans server + │ + ├── Home LAN (192.168.1.x + 192.168.0.x + 192.168.100.x) + │ ├── forge (192.168.1.16) — primary server + │ ├── Caddy reverse proxy (192.168.0.2) + │ ├── inou prod (192.168.100.2) — separate VLAN + │ └── Home Assistant (192.168.1.252) — hands-off + │ + ├── Tailscale (100.x.x.x mesh) + │ ├── forge: 100.123.216.65 + │ └── Caddy: 100.84.42.55 + │ + └── WireGuard vault1984 fleet (10.84.0.x/24) + Hub: Zurich (10.84.0.1), UDP 51820 + Spokes: 15 nodes (10.84.0.2–10.84.0.15) + Management traffic: WireGuard only (no public SSH on spoke nodes) + SSH: WireGuard interface only on vault1984 nodes +``` + +**Key rule:** vault1984 spoke nodes expose only ports 80+443 publicly. All SSH + management flows over WireGuard from Zurich hub. + +--- + +## 6. Monitoring + +### Uptime Kuma +- **URL:** https://kuma.inou.com → Zurich → port 3001 +- **Admin:** james / JamesKuma2026! 
+- **Kuma API password:** WW8ipJfY27ELf7nnouaKLCL6 +- **Current monitors:** inou.com HTTP, inou.com API, Forge-OC (push), Forge-MC (push) +- **vault1984 fleet monitors:** 16 push monitors to be added (one per node, token per monitor) +- **Alert topic:** `vault1984-alerts` (ntfy, to be created) +- **Thresholds:** SEV2 = 2 missed pushes, SEV1 = 5+ min down + +### ntfy (Push Notifications) +- **Server:** https://ntfy.inou.com (Zurich, port 2586) +- **API token:** `tk_ggphzgdis49ddsvu51qam6bgzlyxn` +- **Topics:** + - `forge-alerts` — OC/infra alerts (anonymous read, Johan subscribed on iPhone) + - `inou-alerts` — inou health platform alerts (anonymous read) + - `vault1984-alerts` — vault1984 fleet alerts (to be created at M1.3) +- **Johan subscribed on:** iPhone 17 + +### Dashboard (forge) +- **URL:** http://100.123.216.65:9200 (Tailscale) or http://localhost:9200 +- **Purpose:** Tasks, briefings, news, deliveries, system status +- **Status API:** `GET/POST /api/status` — key metrics at top + +### Health Push (forge) +- **Script:** `/home/johan/scripts/health-push.sh` — runs every minute via cron +- **Logic:** MC + OC health → push to Kuma if healthy +- **Alert routing:** + - MC down → James via OC webhook (James investigates) + - OC down → Johan direct via ntfy (James IS the thing down) + - Home network down → Johan direct via ntfy + +### vault1984 Node Telemetry (planned — M2.4) +Each node binary pushes every 30s to its Kuma push URL: +- `ram_mb, disk_pct, cpu_pct, db_size_mb, db_integrity` +- `active_sessions, req_1h, err_1h, cert_days_remaining, nix_gen, uptime_s` + +--- + +## 7. 
Monthly Cost Summary + +| Item | Cost | +|------|------| +| Zurich VPS (Hostkey) | ~€3.90/mo | +| Hans NOC server (Hostkey) | ~€3.90/mo | +| Shannon VPS (Dealspace) | ~€3.90/mo (till Apr 9) | +| Vultr VX1 × 14 (vault1984) | $35.00/mo | +| Dubai Hostkey (vault1984) | ~€3.90/mo (TBD) | +| forge (home) | $0 | +| **Total (approx)** | **~$55/mo** | + +*Excludes: domains (Openprovider), Cloudflare, email (Anthropic API tokens, etc.)* +*Shannon VPS will be reassigned or cancelled after Apr 9 unless Dealspace needs it.* + +--- + +## 8. Open Actions + +| Item | Owner | Priority | +|------|-------|----------| +| Provide Vultr API key | **Johan** | 🔴 Blocker (M2 tooling) | +| Order/confirm Dubai Hostkey node | **Johan** | 🔴 Blocker (fleet complete) | +| Change Hans root password | **Hans** | 🔴 Security | +| Deploy vault1984 binary to Hans | **James/Hans** | 🟡 M2 scope | +| Create Discord bot for Hans | **Johan** (Chrome tab) | 🟡 After vault1984 launch | +| Add vault1984-alerts ntfy topic | **James** | 🟡 M1.3 | +| Build 16 Kuma fleet monitors | **James** | 🟡 M1.3 | + +--- + +*This document is the single source of truth for infrastructure topology. Update after every provisioning event.* diff --git a/memory/updates/2026-03-03.json b/memory/updates/2026-03-03.json new file mode 100644 index 0000000..f60ca4a --- /dev/null +++ b/memory/updates/2026-03-03.json @@ -0,0 +1,21 @@ +{ + "date": "2026-03-03", + "timestamp": "2026-03-03T09:00:02-05:00", + "openclaw": { + "before": "2026.3.1", + "latest": "2026.3.2", + "after": "2026.3.2", + "updated": true + }, + "claude_code": { + "before": "2.1.63", + "latest": "2.1.63", + "updated": false + }, + "os": { + "available": "0\n0", + "updated": false, + "packages": [] + }, + "gateway_restarted": true +} \ No newline at end of file
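Review bot: In the hans memory file hunk, the "Communication protocol" bullet "Deploy requests: James sends binary + deployment command via Discord → Hans executes → confirms back" combined with the 2026-03-03 status entry "dmPolicy=open on both" means any Discord account that can DM the Hans bot can send text shaped like a deploy request; restrict the executor to an allowlist of sender IDs (the James bot and Johan's Discord ID are already recorded in this hunk) and have the deploy step verify the binary against a checksum or signature obtained out of band before running it, rather than trusting the message contents. The same status entry also records truncated bot-token prefixes ("MTQ3ODMyMTE2...", "MTQ3ODI1..."); even partial token material does not belong in a memory file that is committed and pushed (this hunk's own "Git discipline" bullet says every workspace change is committed and all repos have the Zurich remote), so drop the prefixes and keep the tokens in the OpenClaw config only.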
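Review bot: In the memory/claude-usage.json hunk, "session_resets" changes from a timestamp string to null at the same time "session_percent" drops to 0; whatever renders the usage briefing must tolerate a null here (treat it as "no active session") instead of parsing it as a date, or the next briefing run will fail on this file. The file should also be written with a trailing newline so "\ No newline at end of file" stops appearing in every diff of it.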
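Review bot: In the second memory/heartbeat-state.json hunk (@@ -12,7 +12,7 @@), "lastTechScan" changes type from an ISO-8601 string ("2026-03-02T17:04:00Z") to an integer epoch (1772550203) while its siblings in the same hunk ("lastMemoryReview", "lastIntraDayXScan", "lastInouSuggestion") remain ISO strings; the tech-scan cron is now writing a different format from the other keys, so either emit the ISO form again or make every reader of heartbeat-state.json accept both, otherwise a staleness check on this key will compare a number against a string and misfire.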
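Review bot: The memory/infrastructure-plan.md hunk commits live credentials in clear text: the Hans root password in the "Hans Server" block of section 1, and the Kuma admin password, Kuma API password and ntfy API token in section 6, in a repository that is pushed to the Zurich git remote. Remove the literals from the document, treat all four as exposed and rotate them now (the root-password change is already listed under "Open Actions"; do it before this commit lands, not after), disable SSH password logins on the Hans server so the root password is not a remote-login credential at all, and reference secrets by the location of the secret store they live in; a pre-commit secret scanner on this repo would have caught all four. Two smaller inconsistencies in the same hunk: the decommissioned Amsterdam row (server 53643) lists the same IP as the live Shannon/muskepo.com host (82.24.174.112), so one of the two rows is stale; and the topology block says "Spokes: 15 nodes (10.84.0.2–10.84.0.15)" while that range holds 14 addresses and the node inventory lists 14 spokes plus the hub, which also does not match the "Build 16 Kuma fleet monitors" open action.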
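Review bot: In the memory/updates/2026-03-03.json hunk, "os.available" is stored as the raw string "0\n0" (two lines of command output with the newline embedded) rather than a number, so any consumer that compares it to 0 or totals it across days will be operating on a string; parse the count into an integer, and either record what the second line represents under its own key or drop it, before writing the file.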