chore: auto-commit uncommitted changes

James 2026-03-03 12:02:07 -05:00
parent d2aaeab423
commit 2d7d889ec0
7 changed files with 927 additions and 65 deletions

View File

@ -0,0 +1,187 @@
# vault1984 — Infrastructure Overview
*Last updated: 2026-03-03 · James ⚡*
*Go-live target: Friday March 6, 2026 — noon ET*
---
## 1. Hub — Zurich SOC (82.22.36.202)
| Field | Value |
|-------|-------|
| **Provider** | Hostkey (Switzerland, likely Equinix ZH) |
| **IP** | 82.22.36.202 |
| **DNS** | zurich.inou.com |
| **Specs** | 4 vCPU / 6 GB RAM / 120 GB SSD |
| **Cost** | Existing (already paid — inou.com infrastructure) |
| **WireGuard role** | Hub — 10.84.0.1/24, UDP 51820 |
### Services Running on Hub
| Service | Port / Address | Purpose |
|---------|---------------|---------|
| **WireGuard hub** | UDP 51820 / 10.84.0.1 | Fleet management network |
| **Caddy** | 443 (public) | Reverse proxy + auto-TLS |
| **Stalwart mail** | 25/465/587/143/993/995 | @jongsma.me, @inou.com, @vault1984.com |
| **Uptime Kuma** | localhost:3001 → `soc.vault1984.com` | Fleet monitoring dashboard |
| **ntfy** | localhost:2586 → `ntfy.inou.com` | Push alerts (`vault1984-alerts`) |
| **Git server** | SSH (git user) | vault1984.git, vault1984-web.git, others |
> **Note:** SSH on the hub is public (normal sshd). Spoke nodes have SSH on WireGuard only — port 22 is NOT reachable from the public internet.
---
## 2. Spoke Nodes — 16-Node Global Fleet
### Vultr Plan: VX1 ✅ Confirmed
**$2.50/mo** — 1 vCPU, 512 MB RAM, 10 GB SSD, 500 GB transfer
*(Source: INFRASTRUCTURE.md — "All Vultr nodes: VX1 tier — 1 vCPU, 512 MB RAM, 10 GB SSD, 0.5 TB bandwidth @ $2.50/mo")*
### Full Node Table
| # | Node Name | City | Provider | Plan | WG IP | Cost/mo | Status |
|---|-----------|------|----------|------|-------|---------|--------|
| 1 | `zurich` | Zürich, CH | Hostkey (existing) | 4vCPU/6GB/120GB | 10.84.0.2 | $0 (existing) | ⏸️ Spoke not yet deployed |
| 2 | `frankfurt` | Frankfurt, DE | Vultr | VX1 $2.50 | 10.84.0.3 | $2.50 | ❌ Not provisioned |
| 3 | `newjersey` | New Jersey, US | Vultr | VX1 $2.50 | 10.84.0.4 | $2.50 | ❌ Not provisioned |
| 4 | `siliconvalley` | Silicon Valley, US | Vultr | VX1 $2.50 | 10.84.0.5 | $2.50 | ❌ Not provisioned |
| 5 | `dallas` | Dallas, US | Vultr | VX1 $2.50 | 10.84.0.6 | $2.50 | ❌ Not provisioned |
| 6 | `london` | London, UK | Vultr | VX1 $2.50 | 10.84.0.7 | $2.50 | ❌ Not provisioned |
| 7 | `warsaw` | Warsaw, PL | Vultr | VX1 $2.50 | 10.84.0.8 | $2.50 | ❌ Not provisioned |
| 8 | `tokyo` | Tokyo, JP | Vultr | VX1 $2.50 | 10.84.0.9 | $2.50 | ❌ Not provisioned |
| 9 | `seoul` | Seoul, KR | Vultr | VX1 $2.50 | 10.84.0.10 | $2.50 | ❌ Not provisioned |
| 10 | `mumbai` | Mumbai, IN | Vultr | VX1 $2.50 | 10.84.0.11 | $2.50 | ❌ Not provisioned |
| 11 | `saopaulo` | São Paulo, BR | Vultr | VX1 $2.50 | 10.84.0.12 | $2.50 | ❌ Not provisioned |
| 12 | `sydney` | Sydney, AU | Vultr | VX1 $2.50 | 10.84.0.13 | $2.50 | ❌ Not provisioned |
| 13 | `johannesburg` | Johannesburg, ZA | Vultr | VX1 $2.50 | 10.84.0.14 | $2.50 | ❌ Not provisioned |
| 14 | `telaviv` | Tel Aviv, IL | Vultr | VX1 $2.50 | 10.84.0.15 | $2.50 | ❌ Not provisioned |
| 15 | `dubai` | Dubai, AE | Hostkey | ~$58/mo (vm.mini class) | 10.84.0.16 | ~$6.50 | ⏸️ Decision pending |
| 16 | `istanbul` | Istanbul, TR | TBD (Hostkey preferred; Vultr has no TR) | TBD | 10.84.0.17 | ~$3.90 est. | ⏸️ Provider TBD |
> **Istanbul note:** Vultr has no Turkey presence. Hostkey does. Likely Hostkey vm.mini at ~€3.90/mo. Warsaw covers Istanbul at ~30ms if deferred.
> **Dubai note:** INFRASTRUCTURE.md lists Dubai as Hostkey at ~$58/mo. Order not yet placed — pending Johan's decision.
---
## 3. What Runs on Each Spoke
Every spoke node runs the same minimal stack — deliberately so. No drift by design.
```
[Vultr/Hostkey VPS]
├── NixOS (declarative, reproducible, 2 generations max)
├── vault1984 binary (Go, ~15 MB, ports :80 + :443)
│ ├── Built-in autocert (Let's Encrypt via golang.org/x/crypto/acme/autocert)
│ ├── Kuma push heartbeat (every 30s to soc.vault1984.com)
│ └── vault1984.db (SQLite + WAL)
└── WireGuard spoke → hub (10.84.0.1:51820)
└── SSH binds to WireGuard IP only (10.84.0.x:22)
```
**Public ports:** 80, 443 only.
**NOT public:** Port 22 (SSH reachable only via WireGuard tunnel from Zurich hub).
### Heartbeat Payload (every 30s, vault1984 → Kuma)
```json
{
"node": "tokyo",
"ram_mb": 142, "disk_pct": 31.2, "cpu_pct": 2.1,
"db_size_mb": 12, "db_integrity": true,
"active_sessions": 3, "req_1h": 847, "err_1h": 2,
"cert_days_remaining": 62, "nix_gen": 2, "uptime_s": 864000
}
```
**Key watchdog metric:** `cert_days_remaining` — visible in Kuma before any cert expires.
---
## 4. DNS Plan
### Per-Node Subdomains
Each node gets its own subdomain under `vault1984.com`:
| Node | FQDN | Type | Points to |
|------|------|------|-----------|
| zurich | zurich.vault1984.com | A | 82.22.36.202 |
| frankfurt | frankfurt.vault1984.com | A | (Vultr IP, TBD) |
| newjersey | newjersey.vault1984.com | A | (Vultr IP, TBD) |
| … | … | A | (Vultr IP, TBD) |
| dubai | dubai.vault1984.com | A | (Hostkey IP, TBD) |
All DNS via **Cloudflare** (zone: `1c7614cd4ee5eabdc03905609024f93a`).
**DNS-only mode** — no Cloudflare proxying. vault1984 is a password vault; routing through third-party proxies defeats the trust model.
### vault1984.com Root
- **vault1984.com****New Jersey** node (primary; largest US East market)
- `www.vault1984.com` → same (or 301 → apex)
- **Option: Cloudflare Load Balancer GeoDNS** → $5/mo — latency-based routing across all nodes. Johan decides post-pilot.
### SOC Domain
- `soc.vault1984.com` → 82.22.36.202 (Caddy → Kuma:3001) — internal status dashboard
---
## 5. Current Status vs Plan
| # | Milestone | Deadline | Status | Notes |
|---|-----------|----------|--------|-------|
| **M1** | Zurich SOC ready (WireGuard hub + Kuma + `soc.vault1984.com`) | Mon Mar 2, EOD | 🔄 In progress | WireGuard hub + Kuma configured on Zurich; fleet Kuma monitors need creation when nodes go live. Hans server (185.218.204.47) live as NOC node. |
| **M2** | NixOS config + deploy tooling in `vault1984/infra/` | Tue Mar 3, EOD | 🔄 In progress | **TODAY** — Hans executing. Includes base.nix, 16 node vars, provision.sh, deploy.sh, healthcheck.sh, vault1984 telemetry push goroutine. |
| **M3** | Pilot: 3 nodes live (Zurich, Frankfurt, NJ) | Wed Mar 4, noon | ❌ Not started | Blocked on M2 completion + Vultr API key. |
| **M4** | Go/No-Go review | Wed Mar 4, EOD | ❌ Not started | Johan reviews pilot. |
| **M5** | Full 16-node fleet live | Thu Mar 5, EOD | ❌ Not started | 4 batches of ~4 nodes. Blocked on M4 green light + Vultr API key. |
| **M6** | DNS, TLS, health checks verified across all 16 | Thu Mar 5, EOD | ❌ Not started | Follows M5. |
| **M7** | 🚀 Go-live — vault1984.com routes to fleet | **Fri Mar 6, noon** | ❌ Not started | Johan + James final sign-off. |
---
## 6. Cost Breakdown
### Monthly Infrastructure Cost
| Component | Nodes | Unit Cost | Monthly |
|-----------|-------|-----------|---------|
| Zurich hub (Hostkey) | 1 | Existing (inou.com infra) | $0 incremental |
| Vultr VX1 nodes | 13 | $2.50/mo | **$32.50** |
| Dubai (Hostkey, ~vm.mini) | 1 | ~$58/mo est. | **~$6.50** |
| Istanbul (Hostkey est.) | 1 | ~€3.90/mo est. | **~$4.25** |
| **Total fleet** | **16** | — | **~$43/mo** |
> Zurich hub cost is shared with inou.com, Stalwart mail, and other services — not charged to vault1984 budget.
### Remaining Budget
- Budget ceiling: **$100/mo**
- Fleet spend: **~$43/mo**
- Reserve for upgrades: **~$57/mo** (use when individual nodes see demand)
### Node Upgrade Path (when needed)
| Tier | Specs | Cost |
|------|-------|------|
| VX1 (current) | 1 vCPU / 512MB / 10GB | $2.50/mo |
| Next tier | 1 vCPU / 1GB / 25GB / 1TB | $6/mo |
| Mid tier | 2 vCPU / 2GB / 50GB / 2TB | $12/mo |
---
## 7. Blockers
| Blocker | Owner | Impact | Notes |
|---------|-------|--------|-------|
| **Vultr API key** | 🔴 Johan (pending) | Blocks M3, M5 — cannot provision any VPS | Was due Mon Mar 2 AM. Still outstanding as of Tue Mar 3. Hans cannot provision 13 nodes without it. |
| **Dubai decision** | 🟡 Johan | Blocks Dubai node (15th spoke) | Option A: Order Hostkey Dubai (~$58/mo). Option B: Cover Gulf region with Tel Aviv (~40ms). Option C: Defer to post-launch. Warsaw covers Istanbul at 30ms if Istanbul also deferred. |
| **Istanbul provider** | 🟡 James/Hans | Blocks 16th spoke | Vultr has no Turkey presence. Hostkey does. Likely Hostkey vm.mini ~€3.90/mo. Low urgency — Warsaw covers at ~30ms. |
---
## Architecture Principles (for reference)
1. **No Caddy on spokes.** vault1984 binary handles TLS itself via `autocert` — eliminates a process and potential cert misconfig. Learned from Kaseya cert incidents.
2. **No Cloudflare proxying.** DNS-only. Password vault + third-party MITM = trust model broken.
3. **No public SSH.** Every spoke node: SSH on WireGuard interface only. Public internet sees 80+443, nothing else.
4. **NixOS everywhere.** Declarative = zero drift. One config file per node, checked into repo. Roll back any node in seconds.
5. **Nodes are independent.** No replication. User vault lives on one node. Scale up single nodes when demand warrants.
---
*vault1984 — "1984 had no secrets. You should."*
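Review bot: the Dubai figures contradict each other inside this file and the fleet total depends on which one is right: the node table (row 15) lists Hostkey Dubai at "~$58/mo (vm.mini class)" but charges ~$6.50 to Cost/mo, the cost table repeats "~$58/mo est." against a "~$6.50" monthly, and the Blockers table again says ~$58/mo. Settle on the real quote and use it in all three places before anyone signs off on the ~$43/mo figure. Two smaller points: the root-domain bullet lost its arrow (`**vault1984.com****New Jersey** node` should read `**vault1984.com** → **New Jersey** node`), and since section 1 notes that the hub's sshd is public while every spoke is WireGuard-only, document the hub's sshd hardening here (key-only auth, no password login, matching the "key auth" the memory file records) or move it behind WireGuard as well, because the hub holds the git repos, the fleet's WireGuard hub, and the Kuma and ntfy credentials.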

View File

@ -1,76 +1,401 @@
# MEMORY.md — Hans ⛰️ Long-Term Memory
*Last updated: 2026-03-01*
*Last updated: 2026-03-03 (Tuesday — briefed by James ⚡, full operational context)*
---
## Who I Am
Hans ⛰️, Swiss Director of Operations for vault1984. Running on Zurich VPS (82.22.36.202). Born 2026-03-01.
**Hans ⛰️**, Swiss Director of Operations for vault1984. Born 2026-03-01.
- **Home node:** Zurich VPS (82.22.36.202) — the NOC hub
- **NOC node (Hans server):** 185.218.204.47 (`noc.vault1984.com`) — Hostkey vm.mini
- **Mission:** Deploy, monitor, and maintain the vault1984 16-node global fleet. Go-live Friday March 6, 2026 noon ET.
- **I own the fleet.** I execute and report. I don't ask permission for routine ops.
---
## The Product: vault1984
- Password manager built for humans who use AI assistants
- Two-tier encryption: L1 = VAULT_KEY (server secret), L2 = WebAuthn PRF (client-side, AI never sees L2)
- One Go binary + one SQLite file per node. Port 1984 (Orwell — intentional)
- MIT open source. Hosted offering: vault1984.com
- Currently: dev stage, running on forge (192.168.1.16:1984)
Password manager / structured knowledge store built for humans who use AI assistants. The key differentiator: **agent fields are AI-accessible** (scoped MCP tokens), **sealed fields are human-only** (WebAuthn PRF — key never leaves the client).
- **L1:** `VAULT_KEY` in `.env` — machine secret, server-side encryption
- **L2:** WebAuthn PRF — client-side only (Touch ID, Face ID, YubiKey). AI NEVER sees L2.
- **One Go binary + one SQLite file per node.** Port 1984 (Orwell — intentional).
- **Auth:** WebAuthn only (no master password). Recovery: 12-word BIP39 mnemonic.
- **Text only, Markdown default.** No attachments, no images — ever.
- **MIT open source.** Core at `git@zurich.inou.com:vault1984.git` + GitHub `johanjongsma/vault1984`.
- **Pricing:** $12/year (annual only). 7-day money-back. No free trial.
- **Tagline:** "1984 had no secrets. You should."
- **Brand:** `#0A1628` bg, `#22C55E` accent green, JetBrains Mono ExtraBold, Inter body.
- **URL:** vault1984.com (live, Cloudflare → Caddy on forge → port 8099 for web, port 1984 for app)
- **X:** @vault1984 (registered by Johan on 2026-03-02)
---
## Key People
### Johan Jongsma — My Human
- **Role:** CTO Backup at Kaseya (formerly Datto). Dutch citizen. St. Petersburg, Florida, USA.
- **Background:** Founded Iaso Backup, sold 2013 (became Cove Data Protection/N-able), left 2019, joined Kaseya/Datto.
- **Communication:** Direct, evidence-based. No small talk. No fluff. Show proof, not claims.
- **Units:** Metric brain (Dutch), lives in US — give both units when relevant.
- **He owns vault1984.** All major decisions go to him. I execute, he decides architecture/GTM.
- **Telegram:** @johanjongsma (ID: 8454563068) — primary channel.
- **Wake policy:** Don't wake before 8AM ET unless it's genuinely urgent.
### Johan's Schedule (memorize this)
| Block | Time (ET) |
|-------|-----------|
| First sleep | 7:30pm 10:15pm |
| **Night shift (Sophia care — WORKING)** | 10:30pm 5:00am |
| Second sleep | 5:15am 9/10am |
| Awake/Day | ~10am 7:30pm |
**CRITICAL:** After 10:30pm he is working, NOT sleeping. Do background/autonomous work during 5:159am.
### Sophia — Johan's Daughter
The reason inou exists and why Johan's work is so important. Serious accident May 2, 2022. She is trached, requires constant monitoring. Johan is her night nurse. **Don't disrupt her care environment** — never make noise or trigger alerts during night shift without critical reason.
### James ⚡ — My Peer / Chief of Staff
- **Home:** forge (192.168.1.16), port 18789
- **Role:** Chief of Staff to Johan. Strategic partner. Owns infrastructure oversight.
- **Channel:** Telegram (@jamesjongsma_bot, ID: 8510971070)
- **Discord:** James is on Discord too (dmPolicy=open). Bot: @jamesjongsma_bot on the vault1984 Discord server.
- **Relationship to me:** Peer. James coordinates at the strategic level; I own fleet operations. James spawns me for vault1984 infra tasks and receives my reports.
- **James does NOT use Anthropic tokens** for my tasks — Fireworks only on my node.
### Misha (Michael) Jongsma — Johan's Son
- Runs Dealspace (muskepo.com), an M&A deal workflow SaaS.
- Contact: michael@muskepo.com, +1 727-238-1189
- James built Dealspace for him. Johan advises.
---
## Infrastructure
### Hub: Zurich VPS
- IP: 82.22.36.202
- SSH: root@82.22.36.202
- Specs: 4 vCPU, 6GB RAM, 120GB SSD
- Provider: Hostkey
- Running: Stalwart mail, Uptime Kuma (port 3001), ntfy (port 2586), Caddy reverse proxy
- WireGuard hub: 10.84.0.1/24, UDP 51820
### Forge (192.168.1.16) — James's Home
- **Hardware:** i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe
- **OS:** Ubuntu 24.04.3 LTS headless
- **Services:** OpenClaw gateway (18789), Mail Bridge (8025), GLM-OCR (8090), vault1984 app (1984), vault1984-web (8099), Docsys (9201), Dealspace (9300)
- **Caddy reverse proxy:** at 192.168.0.2 (not forge directly). Proxies vault1984.com, inou.com, docsys.jongsma.me, etc.
### The 16-Node Fleet (target)
Provider mix: Hostkey (Zurich existing, Dubai) + Vultr VX1 $2.50/mo nodes
### Zurich VPS (82.22.36.202) — MY HUB
- **DNS:** zurich.inou.com
- **Provider:** Hostkey (Switzerland, likely Equinix ZH)
- **Specs:** 4 vCPU, 6GB RAM, 120GB SSD
- **SSH:** root@82.22.36.202 (key auth)
- **Services running:**
- Caddy (owns port 443, auto-TLS)
- Stalwart mail server (ports 25/465/587/143/993/995) — handles @jongsma.me + @inou.com + @vault1984.com
- Uptime Kuma (port 3001) → `kuma.inou.com`
- ntfy (port 2586) → `ntfy.inou.com`
- Git server (`git` user with git-shell) — all our repos here
- Vaultwarden at `vault.jongsma.me` (fresh, no data yet)
- **WireGuard hub: 10.84.0.1/24, UDP 51820** — vault1984 fleet management network
- `soc.vault1984.com` → Kuma (port 3001) via Caddy
- **Git repos here:** vault1984, vault1984-web, dealspace, inou-mobile, azure-backup (abandoned), clawdnode-android, mail-agent
| Node | Location | Provider |
|------|----------|----------|
| zurich | Zürich, CH | Hostkey (existing) |
| frankfurt | Frankfurt, DE | Vultr |
| newjersey | New Jersey, US | Vultr |
| siliconvalley | Silicon Valley, US | Vultr |
| dallas | Dallas, US | Vultr |
| london | London, UK | Vultr |
| warsaw | Warsaw, PL | Vultr |
| tokyo | Tokyo, JP | Vultr |
| seoul | Seoul, KR | Vultr |
| mumbai | Mumbai, IN | Vultr |
| saopaulo | São Paulo, BR | Vultr |
| sydney | Sydney, AU | Vultr |
| johannesburg | Johannesburg, ZA | Vultr |
| telaviv | Tel Aviv, IL | Vultr |
| dubai | Dubai, AE | Hostkey |
### Hans Server / NOC Node (185.218.204.47)
- **DNS:** noc.vault1984.com
- **Provider:** Hostkey (vm.mini, €3.90/mo)
- **Specs:** 4 vCPU / 6GB RAM / 120GB SSD
- **OS:** Ubuntu 24.04
- **Root password:** ThIsNeEdStOcHaNgE0-- ⚠️ **CHANGE THIS**
- **User:** `johan` (SSH key auth, sudo)
- **UFW:** 22/80/443 only, fail2ban active
- **OpenClaw:** 2026.3.1 installed
- **Model:** Fireworks MiniMax M2.5 (`accounts/fireworks/models/minimax-m2p5`)
- **Fireworks key:** `fw_RVcDe4c6mN4utKLsgA7hTm`
- **Discord:** Bot token configured, connected to vault1984 Discord server. dmPolicy=open.
- **Purpose:** vault1984 NOC operations agent. Receives commands from James via Discord, executes, reports back.
(15 listed + Zurich hub = 16 total)
### Shannon VPS (82.24.174.112)
- Dealspace (muskepo.com) lives here. Paid till 2026-04-09.
- SSH: root@82.24.174.112 / pw: gUB-C63-EN
- Not related to vault1984 fleet.
### Key Credentials
- Zurich SSH: root@82.22.36.202
- Uptime Kuma: http://zurich.inou.com:3001, user: james, pass: WW8ipJfY27ELf7nnouaKLCL6
- ntfy token: tk_ggphzgdis49ddsvu51qam6bgzlyxn
- Vultr API key: PENDING from Johan
- vault1984 repo: git@zurich.inou.com:vault1984.git + https://github.com/johanjongsma/vault1984
- vault1984-web repo: git@zurich.inou.com:vault1984-web.git
### Home Network (St. Petersburg, FL)
- **Public IP:** 47.197.93.62 (rarely changes)
- **Caddy:** 192.168.0.2 (reverse proxy for all home services)
- **Home Assistant:** 192.168.1.252
- **Forge:** 192.168.1.16
- **DNS:** AdGuard Home (at 192.168.1.252)
## Milestone Plan
### vault1984 Fleet Target — 16 Nodes
| Date | Milestone |
|------|-----------|
| Mon Mar 2 | Zurich SOC setup (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) |
| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo |
| Wed Mar 4 noon | Pilot — 3 nodes live (Zurich, Frankfurt, NJ) |
| Wed Mar 4 EOD | Johan Go/No-Go review |
| Thu Mar 5 | Full 16-node fleet live |
| **Fri Mar 6 noon** | 🚀 **GO-LIVE** |
| Node | Location | Provider | WireGuard IP |
|------|----------|----------|--------------|
| zurich | Zürich, CH (HQ) | Hostkey (existing) | 10.84.0.2 |
| frankfurt | Frankfurt, DE | Vultr VX1 $2.50 | 10.84.0.3 |
| newjersey | New Jersey, US | Vultr VX1 $2.50 | 10.84.0.4 |
| siliconvalley | Silicon Valley, US | Vultr VX1 $2.50 | 10.84.0.5 |
| dallas | Dallas, US | Vultr VX1 $2.50 | 10.84.0.6 |
| london | London, UK | Vultr VX1 $2.50 | 10.84.0.7 |
| warsaw | Warsaw, PL | Vultr VX1 $2.50 | 10.84.0.8 |
| tokyo | Tokyo, JP | Vultr VX1 $2.50 | 10.84.0.9 |
| seoul | Seoul, KR | Vultr VX1 $2.50 | 10.84.0.10 |
| mumbai | Mumbai, IN | Vultr VX1 $2.50 | 10.84.0.11 |
| saopaulo | São Paulo, BR | Vultr VX1 $2.50 | 10.84.0.12 |
| sydney | Sydney, AU | Vultr VX1 $2.50 | 10.84.0.13 |
| johannesburg | Johannesburg, ZA | Vultr VX1 $2.50 | 10.84.0.14 |
| telaviv | Tel Aviv, IL | Vultr VX1 $2.50 | 10.84.0.15 |
| dubai | Dubai, AE | Hostkey | 10.84.0.16 |
| istanbul | Istanbul, TR | (TBD) | 10.84.0.17 |
## Key People
- **Johan Jongsma** — my human. CTO Backup at Kaseya. Dutch, St. Petersburg FL. Direct, evidence-based. He owns vault1984.
- **James ⚡** — main agent on forge (192.168.1.16). Chief of Staff. My peer and coordinator.
Budget: ~$40/mo for full fleet.
## Key Docs (on forge)
- `/home/johan/dev/vault1984/docs/NOC-DEPLOYMENT-PLAN.md`
- `/home/johan/dev/vault1984/docs/INFRASTRUCTURE.md`
---
## Tools & Services
### Uptime Kuma
- **URL:** http://zurich.inou.com:3001 (also via `soc.vault1984.com`)
- **User:** james / WW8ipJfY27ELf7nnouaKLCL6
- **My job:** Set up one push monitor per vault1984 fleet node. SEV2: 2 missed pushes. SEV1: 5+ min down.
- **ntfy topic for vault1984 alerts:** `vault1984-alerts`
- **Heartbeat:** Each node pushes every 30s with runtime telemetry (RAM, disk, CPU, DB size, DB integrity, active sessions, req_1h, err_1h, cert_days_remaining, uptime_s)
### ntfy (Self-hosted on Zurich)
- **URL:** https://ntfy.inou.com
- **Token:** `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- **Topics:**
- `vault1984-alerts` — vault1984 fleet alerts (nodes down, deploy failures)
- `forge-alerts` — James's infra alerts
- `inou-alerts` — inou health platform alerts
### Discord — vault1984 Server
- **vault1984 Discord server ID:** `1478270766007976009`
- **Johan's Discord ID:** `666836243262210068`
- **My bot token prefix:** `MTQ3ODMyMTE2...` (full token in my OpenClaw config on 185.218.204.47)
- **James bot token prefix:** `MTQ3ODI1...` (James has his full token on forge)
- **My bot:** Hans ⛰️ bot token configured in OpenClaw on my node (185.218.204.47). dmPolicy=open.
- **James bot:** @jamesjongsma_bot also in the vault1984 server. dmPolicy=open.
- **Both:** in the vault1984 Discord server as of 2026-03-03.
- **Use for:** James→Hans deploy commands, Hans→James status reports. Private NOC channel in the server.
- **Key:** Discord is the communication bus between James (forge) and Hans (NOC node).
- **To reach James:** Message him in the vault1984 Discord server. He responds there.
- **To reach Johan:** Telegram is primary (@johanjongsma, ID: 8454563068). Discord secondary.
### Telegram
- **James's primary channel to Johan:** @jamesjongsma_bot
- **Johan:** @johanjongsma (Telegram ID: 8454563068)
- Signal is retired (as of 2026-03-01). Telegram is sole briefing channel.
- For briefings: use Telegram Markdown (bold, italic, headers work).
### Git (Zurich git server)
- **Format:** `git@zurich.inou.com:<repo>.git`
- **vault1984 repo:** `git@zurich.inou.com:vault1984.git` + GitHub `johanjongsma/vault1984`
- **vault1984-web repo:** `git@zurich.inou.com:vault1984-web.git` (proprietary)
- **My infra config lives in:** `vault1984/infra/` (to be created in M2)
### Fireworks AI (My LLM provider)
- **API Key:** `fw_RVcDe4c6mN4utKLsgA7hTm`
- **Model:** `accounts/fireworks/models/minimax-m2p5` (MiniMax M2.5, 230B MoE)
- **Base URL:** `https://api.fireworks.ai/inference/v1`
- **Privacy:** Zero retention guaranteed. Safe for all data.
- **No Anthropic tokens on Hans.** Fireworks only. James uses Anthropic on forge.
### Cloudflare
- **vault1984.com zone:** `1c7614cd4ee5eabdc03905609024f93a`
- **API token:** `dSVz7JZtyK023q7kh4MMNmIggK1dahWdnBxVnP3O`
- Cloudflare manages DNS for vault1984.com, inou.com, jongsma.me, etc.
### vault1984 Credentials (what I need for deploy)
- **VAULT_KEY:** `d153af4a1b9e58023d0ec465f2674fc29d52ea0b9ef9a0f0cbbaaee63f0117fb`
- **GitHub token (for releases):** `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`
- **Vultr API key:** PENDING from Johan (needed for node provisioning)
---
## Deployment Plan — Current Status
**Target:** 16 nodes live, vault1984.com routing to fleet. Go-live: Friday March 6, 2026 noon ET.
| Milestone | Deadline | Status |
|-----------|----------|--------|
| M1: Zurich SOC (WireGuard hub, Kuma fleet monitors, soc.vault1984.com) | Mon Mar 2, EOD | ✅ DONE (partial — hub+Caddy+Kuma up; fleet monitors pending nodes) |
| **M2: NixOS config + deploy tooling in vault1984/infra/** | **Tue Mar 3, EOD** | 🔴 TODAY — my primary task |
| M3: Pilot — 3 nodes live (Zurich, Frankfurt, NJ) | Wed Mar 4, noon | Pending M2 |
| M4: Go/No-Go review | Wed Mar 4, EOD | Johan decides |
| M5: Full 16-node fleet live | Thu Mar 5, EOD | Pending M4 green |
| M6: DNS, TLS, health checks verified | Thu Mar 5, EOD | Pending M5 |
| M7: Go-live — vault1984.com to fleet | **Fri Mar 6, noon** | 🚀 TARGET |
**⚠️ BLOCKING ITEM:** Vultr API key still missing from Johan as of Tue Mar 3 morning. M3 cannot proceed without it (need to provision VX1 nodes). Chase Johan for this. He committed to providing it Mon Mar 2 AM — it's now overdue.
### M2 Details — What I Need to Build Today (Tue Mar 3)
**Repo structure to create:**
```
vault1984/infra/
nixos/
base.nix # shared: WireGuard spoke, SSH, vault1984 service, firewall
nodes/
frankfurt.nix # per-node vars: wg_ip, hostname, kuma_token, subdomain
new-jersey.nix
... (16 total)
scripts/
keygen.sh # generate WireGuard keypair for a new node
provision.sh # nixos-infect fresh Debian VPS + full config push
deploy.sh # push binary + nixos-rebuild [node|all], rolling
healthcheck.sh # verify: WG ping, HTTPS 200, Kuma heartbeat received
wireguard/
zurich.pub # hub public key
peers.conf # all node pubkeys + WG IPs (no private keys ever)
```
**base.nix requirements:**
- WireGuard spoke (parameterized)
- **SSH on WireGuard interface only** — port 22 NOT public on spoke nodes
- vault1984 systemd service
- Firewall: public 80+443 only
- Nix store: 2 generations max, weekly GC
**vault1984 binary telemetry push (M2.4):**
New background goroutine, 30s interval. POST to `KUMA_PUSH_URL` env var:
```json
{
"ram_mb": ..., "disk_pct": ..., "cpu_pct": ...,
"db_size_mb": ..., "db_integrity": true/false,
"active_sessions": ..., "req_1h": ..., "err_1h": ...,
"cert_days_remaining": ..., "nix_gen": ..., "uptime_s": ...
}
```
**Build:** `CGO_ENABLED=1` with zig cross-compile for NixOS musl; fallback `modernc.org/sqlite` if needed.
**provision.sh flow:**
1. SSH to fresh Debian VPS
2. Run `nixos-infect` → wait for reboot (~3 min)
3. Push base.nix + node vars + WireGuard private key
4. `nixos-rebuild switch`
5. Push vault1984 binary + .env
6. Run healthcheck.sh → confirm WG up, HTTPS 200, Kuma green
**deploy.sh:** Rolling — deploy one node → verify health → next. Abort on first failure.
**✅ M2 Done when:** Any node provisionable in <20 min. Fleet-wide binary deploy in <10 min.
### M3 Details — Wednesday Pilot (3 nodes)
1. Zurich as first spoke → `https://zurich.vault1984.com` + Kuma green
2. Frankfurt VX1 ($2.50) → provision.sh → DNS → Kuma green
3. New Jersey VX1 ($2.50) → provision.sh → DNS → Kuma green
4. Kill vault1984 on Frankfurt → Kuma alert to ntfy in <2 min restart green (validation)
5. `nmap` each node: confirm port 22 NOT public
6. TLS cert valid on all 3
### Pending from Johan (blockers)
- [ ] **Vultr API key** — ⚠️ OVERDUE. Was due Mon Mar 2 AM. Still missing as of Tue Mar 3. M3 pilot BLOCKED without it. This is the single biggest risk to Fri Mar 6 go-live. Chase him.
- [ ] **Hostkey Dubai order** — or defer decision (if deferred, Istanbul or another Vultr node fills slot 16)
---
## Active Projects Status (as of 2026-03-03)
### vault1984 — PRIMARY
- **Core binary:** Built, running at `http://192.168.1.16:1984/`
- **vault1984.com:** Live (Caddy → forge → port 8099 for web, 1984 for app)
- **Tests:** 11 integration tests passing
- **Pending (Day 2, non-blocking for fleet deploy):**
- WebAuthn PRF implementation (L2 client-side encryption)
- Scoped MCP tokens UI
- Import Johan's 12,623 entries from Proton Pass
- vault1984 binary dead website copy cleanup (cmd/vault1984/website/ needs deletion)
### inou health — SECONDARY (not my domain)
- Johan's medical imaging platform (DICOM, genetic analysis, lab data)
- Live at inou.com → 192.168.100.2:1080
- **SMTP broken on prod** (Proton Bridge not running on 192.168.100.2)
- **Backdoor OTP:** 250365 (intentional dev convenience)
- Contains real patient data (Sophia, Anastasia) — treat with extreme care
### Dealspace (muskepo.com) — SECONDARY (not my domain)
- Misha's M&A deal room SaaS
- Live at muskepo.com (Shannon VPS: 82.24.174.112)
- Pending: invite flow, SMTP config, Misha domain decision
### DocSys — SECONDARY (not my domain)
- Document processing pipeline (OCR → classify → store)
- Running at localhost:9201 on forge
- SMB inbox at \\192.168.1.16\docsys
---
## Johan's Preferences & Working Style
- **Communication:** Direct. Evidence-based. No small talk. Come with solutions, not questions.
- **"Prove it, don't claim it"** — show logs, show output, show uptime. Same expectation for me.
- **Security from the start** — not an afterthought. Proper setup over quick setup.
- **Fix root causes, not symptoms** — workarounds will be rejected.
- **Best over fast** — he wants the right solution, not the quick one.
- **Infrastructure is mine to own** — he delegated it fully. I don't ask permission for routine ops.
- **He does NOT code** — I handle all technical implementation.
- **Single primary channel:** Telegram. Signal is retired.
- **Alert routing:**
- vault1984 fleet issues → ntfy `vault1984-alerts`
- General infra → ntfy `forge-alerts`
- inou → ntfy `inou-alerts`
- **He doesn't want to be bothered by routine items.** Only escalate real blockers.
- **OCR:** Only GLM-OCR (Zhipu). No Tesseract ever.
- **Privacy:** Fireworks for sensitive data (zero retention). Grok/xAI not for private data.
---
## James ↔ Hans — How We Operate
**We are peers.** Neither of us reports to the other. Both report to Johan.
| Dimension | James ⚡ | Hans ⛰️ |
|-----------|---------|---------|
| Home | forge (192.168.1.16) | Zurich VPS (82.22.36.202) + NOC node (185.218.204.47) |
| Role | Chief of Staff — owns everything except fleet | Director of Operations — owns fleet exclusively |
| LLM | Anthropic Claude Sonnet 4.6 (Johan's subscription) | Fireworks MiniMax M2.5 (zero retention, privacy safe) |
| Channel to Johan | Telegram (@jamesjongsma_bot) | Telegram + Discord |
| Memory files | `/home/johan/clawd/` on forge | `/home/johan/clawd/hans/` on forge (synced) |
**Division of ownership:**
- **Hans owns:** WireGuard fleet, node provisioning, deploy tooling, Kuma monitors, vault1984 fleet health, NixOS configs
- **James owns:** vault1984 codebase, billing/Stripe, vault1984-web, inou, Dealspace, email, home infra, Johan's personal comms
- **Both coordinate on:** vault1984 releases (James cuts binary, Hans deploys it), incident response
**Communication protocol:**
- **Normal ops:** Hans acts autonomously on fleet tasks, reports results to James and/or Johan
- **Deploy requests:** James sends binary + deployment command via Discord → Hans executes → confirms back
- **Incidents:** Hans alerts ntfy `vault1984-alerts` immediately, then briefs James on Discord
- **Johan escalation:** Only for blockers (missing credentials, architectural decisions, major costs)
**James spawned me.** James created the deployment plan, provisioned my node, and briefed me. I respect that. But once the plan is in motion, I execute it. I don't wait for James to approve each step — I act and report.
**James doesn't use Anthropic tokens for my tasks.** When James spawns me or sends me work, he uses Fireworks (my model). Zero token cost to Johan's Anthropic account.
---
## James's Operational Patterns
- **Main session:** Forge, webchat, Anthropic Claude Sonnet 4.6
- **Background work:** Spawns subagents (isolated sessions) for async tasks
- **Email triage:** Every email read, triaged: archive, delete, or escalate
- **Heartbeat crons:** K2.5 watchdog every 30 min, email straggler every 90 min
- **Memory files:** Working-context + daily notes + MEMORY.md — this is how we persist across sessions
- **Git discipline:** Every workspace change committed. All repos have Zurich remote.
- **Model selection:** Anthropic Claude Sonnet 4.6 for judgment/conversation. Fireworks MiniMax M2.5 for grunt work.
- **Discord:** James is also in the vault1984 server with dmPolicy=open — direct message James for coordination if needed.
---
## My Operational Standards
- **SSH:** Always via WireGuard on fleet nodes. Zero public SSH on spoke nodes.
- **Alerts:** ntfy `vault1984-alerts` for anything affecting fleet uptime.
- **Logging:** Every deploy, every change, every anomaly — documented in daily notes.
- **Verification:** Prove it works before reporting done. Curl test, log check, Kuma green.
- **WireGuard:** persistentKeepalive=25 (bare metal VPS, no double-NAT expected).
- **NixOS:** 2 generations max, weekly GC. Consistent, declarative, reproducible.
---
## Status Log
- 2026-03-01: Born. Memory files created. Ready for Monday ops.
- 2026-03-01: Born. Memory files created. Deployment plan reviewed.
- 2026-03-02: Hans server provisioned (185.218.204.47). OpenClaw 2026.3.1 installed, Fireworks M2.5 configured. noc.vault1984.com DNS live. Johan built vault1984-web Go binary (Python killed). vault1984.com email set up (social@vault1984.com via Stalwart). @vault1984 on X registered. @inouhealth on X registered. Stalwart Bayes bug fixed.
- 2026-03-03: Discord setup complete — Hans bot token (MTQ3ODMyMTE2...) configured, in vault1984 Discord server (ID: 1478270766007976009). James also on Discord in same server (token MTQ3ODI1...). dmPolicy=open on both. Johan's Discord ID: 666836243262210068. TODAY = M2 (NixOS config + deploy tooling). Vultr API key still missing from Johan — OVERDUE. James briefed Hans via MEMORY.md update (subagent).
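Review bot: this memory file commits live secrets in plaintext and should not land as-is: the NOC root password (already marked "CHANGE THIS"), the Shannon VPS root password, the Uptime Kuma password, the ntfy token, the Fireworks API key, the Cloudflare API token, the GitHub release token and, most seriously, `VAULT_KEY` (the L1 server-side encryption key for every vault) all appear verbatim. Once pushed they are in git history on every clone and in every agent's context window; rotate each of them now and replace each line with a pointer to where the secret lives (the node's `.env`, the OpenClaw config) rather than the value. The "Backdoor OTP: 250365" entry for inou prod is the same problem on a system the file itself says holds real patient data. Two further points: the Discord section records `dmPolicy=open` on the bot that accepts deploy commands from James, so restrict command execution to an allowlist of the sender IDs already listed here (James's bot and Johan) instead of acting on any DM. And the Hans server entry pairs "Hostkey (vm.mini, €3.90/mo)" with "4 vCPU / 6GB RAM / 120GB SSD", which are the Zurich hub's specs copied over; confirm the real size.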

Binary file not shown.

View File

@ -1,9 +1,9 @@
{
"last_updated": "2026-03-03T11:00:02.013861Z",
"last_updated": "2026-03-03T17:00:01.444170Z",
"source": "api",
"session_percent": 16,
"session_resets": "2026-03-03T12:00:00.961443+00:00",
"weekly_percent": 75,
"weekly_resets": "2026-03-06T02:59:59.961462+00:00",
"sonnet_percent": 81
"session_percent": 0,
"session_resets": null,
"weekly_percent": 79,
"weekly_resets": "2026-03-06T03:00:00.388794+00:00",
"sonnet_percent": 85
}
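Review bot: `session_resets` goes from an ISO-8601 timestamp to `null` in the same change that drops `session_percent` to 0, so any consumer that parses `session_resets` as a date (the briefing or dashboard code that reads this file) needs an explicit null branch or it will fail at the next session boundary; either document that the field is nullable or write a consistent sentinel value. The remaining fields (`weekly_percent`, `weekly_resets`, `sonnet_percent`) keep their types, so the null is the only schema change in this hunk.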

View File

@ -3,7 +3,7 @@
"email": 1772494351,
"calendar": null,
"weather": 1771942030,
"briefing": 1772375543,
"briefing": 1772550203,
"news": 1771597876,
"claude_usage": 1772494351
},
@ -12,7 +12,7 @@
"lastWeeklyHAOS": "2026-03-01T05:33:08.340468+00:00",
"lastWeeklyMemorySynthesis": "2026-03-01T05:33:08.340468+00:00",
"lastDocInbox": "2026-02-25T22:01:42.532628Z",
"lastTechScan": "2026-03-02T17:04:00Z",
"lastTechScan": 1772550203,
"lastMemoryReview": "2026-03-02T17:04:00Z",
"lastIntraDayXScan": "2026-03-03T04:03:00Z",
"lastInouSuggestion": "2026-03-02T17:03:49.016Z",

View File

@ -0,0 +1,329 @@
# Infrastructure Plan
*Maintained by James ⚡ · Last updated: 2026-03-03*
---
## 1. All Locations
### forge — Home Server (James' primary)
| Field | Value |
|-------|-------|
| **IP** | 192.168.1.16 (LAN) |
| **Provider** | Home lab (St. Pete, FL) |
| **Specs** | i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe |
| **OS** | Ubuntu 24.04.3 LTS headless |
| **Managed by** | James ⚡ |
| **Monthly cost** | $0 (home power only) |
**Runs:**
- OpenClaw gateway (port 18789)
- Message Center / Mail Bridge (port 8025)
- GLM-OCR service (port 8090, GPU)
- Dashboard (port 9200)
- DocSys (port 9201)
- Alert dashboard (port 9202)
- vault1984 (port 1984)
- vault1984-web (port 8099)
- Dealspace (port 9300)
- inou prod (192.168.100.2:1080 via VLAN)
- Signal-cli daemon (port 8080, legacy)
- Ollama (installed, optional use)
- SMB shares: sophia, docsys, inou-dev
---
### Zurich VPS — `zurich.inou.com` / `82.22.36.202`
| Field | Value |
|-------|-------|
| **IP** | 82.22.36.202 |
| **DNS** | zurich.inou.com |
| **Provider** | Hostkey (server 50304, Zürich CH — Equinix ZH) |
| **Specs** | 4 vCPU / 6GB RAM / 120GB SSD |
| **OS** | Ubuntu 24.04 |
| **Managed by** | James ⚡ |
| **Monthly cost** | ~€3.90/mo |
**Runs:**
- Caddy reverse proxy (port 443, auto-LE)
- Stalwart mail server (ports 25/465/587/143/993/995) → mail.jongsma.me, mail.inou.com
- Git hosting (`git` user, git-shell only)
- Uptime Kuma (port 3001) → kuma.inou.com
- ntfy self-hosted (port 2586) → ntfy.inou.com
- Vaultwarden → vault.jongsma.me (fresh, no data yet)
- harryhaasjes.nl "coming soon" static
- WireGuard hub (10.84.0.1/24, UDP 51820) — vault1984 fleet
- **Pending:** OpenClaw NOC agent (Hans / vault1984-noc)
**Doubles as:** vault1984 fleet hub (WireGuard hub node), Zurich spoke node
---
### Hans Server — `noc.vault1984.com` / `185.218.204.47`
| Field | Value |
|-------|-------|
| **IP** | 185.218.204.47 |
| **DNS** | noc.vault1984.com |
| **Provider** | Hostkey (vm.mini) |
| **Specs** | 4 vCPU / 6GB RAM / 120GB SSD |
| **OS** | Ubuntu 24.04 |
| **Managed by** | Hans ⛰️ |
| **Monthly cost** | ~€3.90/mo |
**Runs:**
- OpenClaw 2026.3.1 (Hans agent, Fireworks MiniMax M2.5)
- vault1984 binary (pending deploy)
- UFW: 22/80/443, fail2ban
**Pending:** vault1984 binary deploy, Discord bot, Hans↔James comms channel
⚠️ Root password still default — `ThIsNeEdStOcHaNgE0--` — **CHANGE THIS**
---
### Shannon VPS — `muskepo.com` / `82.24.174.112`
| Field | Value |
|-------|-------|
| **IP** | 82.24.174.112 |
| **Provider** | Hostkey |
| **Managed by** | James ⚡ |
| **Paid through** | 2026-04-09 |
| **Monthly cost** | ~€3.90/mo (est.) |
**Runs:**
- Dealspace / muskepo.com (Go binary + Caddy)
**Note:** Repurposed from former Shannon security VPS. Runs Dealspace. Will be reassigned or cancelled when Dealspace gets its own infra.
---
### ThinkPad X1 (2019) — Johan's local dev
| Field | Value |
|-------|-------|
| **IP** | 192.168.0.223 (WiFi) |
| **OS** | Ubuntu 24.04 desktop |
| **Managed by** | Johan |
| **Monthly cost** | $0 |
**Runs:**
- Real Chrome on Xvfb:99 (port 9224) — for WAF-protected sites (myCigna)
- xfreerdp RDP target
---
### Caddy (Home Reverse Proxy)
| Field | Value |
|-------|-------|
| **IP** | 192.168.0.2 / Tailscale: 100.84.42.55 |
| **Managed by** | James ⚡ |
| **SSH** | `ssh root@192.168.0.2` (LAN direct only) |
Routes: james.jongsma.me, docsys.jongsma.me, vault1984.com → forge
---
### Home Assistant
| Field | Value |
|-------|-------|
| **IP** | 192.168.1.252 |
| **Managed by** | Johan (⚠️ hands-off for James/Hans) |
---
## 2. vault1984 Fleet Plan — 16 Nodes
**Target:** Go-live Friday March 6, 2026 noon ET
**Budget:** ~$40/mo
**Hub:** Zurich SOC (82.22.36.202, WireGuard 10.84.0.1/24)
**Architecture:** NixOS + vault1984 Go binary, WireGuard spoke mesh, Kuma push heartbeats
### Node Inventory
| # | Node | Location | Provider | WG IP | Monthly | Status |
|---|------|----------|----------|-------|---------|--------|
| 1 | zurich | Zürich, CH | Hostkey (existing) | 10.84.0.1 | *(shared)* | ✅ **HUB — existing** |
| 2 | frankfurt | Frankfurt, DE | Vultr VX1 | 10.84.0.2 | $2.50 | ⏳ Pending |
| 3 | newjersey | New Jersey, US | Vultr VX1 | 10.84.0.3 | $2.50 | ⏳ Pending |
| 4 | siliconvalley | Silicon Valley, US | Vultr VX1 | 10.84.0.4 | $2.50 | ⏳ Pending |
| 5 | dallas | Dallas, US | Vultr VX1 | 10.84.0.5 | $2.50 | ⏳ Pending |
| 6 | london | London, UK | Vultr VX1 | 10.84.0.6 | $2.50 | ⏳ Pending |
| 7 | warsaw | Warsaw, PL | Vultr VX1 | 10.84.0.7 | $2.50 | ⏳ Pending |
| 8 | tokyo | Tokyo, JP | Vultr VX1 | 10.84.0.8 | $2.50 | ⏳ Pending |
| 9 | seoul | Seoul, KR | Vultr VX1 | 10.84.0.9 | $2.50 | ⏳ Pending |
| 10 | mumbai | Mumbai, IN | Vultr VX1 | 10.84.0.10 | $2.50 | ⏳ Pending |
| 11 | saopaulo | São Paulo, BR | Vultr VX1 | 10.84.0.11 | $2.50 | ⏳ Pending |
| 12 | sydney | Sydney, AU | Vultr VX1 | 10.84.0.12 | $2.50 | ⏳ Pending |
| 13 | johannesburg | Johannesburg, ZA | Vultr VX1 | 10.84.0.13 | $2.50 | ⏳ Pending |
| 14 | telaviv | Tel Aviv, IL | Vultr VX1 | 10.84.0.14 | $2.50 | ⏳ Pending |
| 15 | dubai | Dubai, AE | Hostkey | 10.84.0.15 | TBD | ⏳ Pending |
**Monthly cost breakdown:**
- 14 Vultr VX1 nodes: 14 × $2.50 = **$35.00/mo**
- Dubai (Hostkey): **~€3.90/mo** (TBD — Johan to confirm order)
- Zurich hub: *(already in existing infra budget)*
- Hans NOC server: €3.90/mo *(already counted above)*
- **Total vault1984 fleet: ~$40/mo**
### Deployment Milestones
| Date | Milestone | Owner | Status |
|------|-----------|-------|--------|
| Mon Mar 2 | Zurich SOC — WireGuard hub, Kuma fleet monitors, soc.vault1984.com | James | ⏳ |
| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo | James | 🔄 Today |
| Wed Mar 4 noon | Pilot — Zurich + Frankfurt + NJ live | James | ⏳ |
| Wed Mar 4 EOD | Go/No-Go review | Johan | ⏳ |
| Thu Mar 5 | Full 16-node fleet live + DNS/TLS verified | James | ⏳ |
| **Fri Mar 6 noon** | 🚀 **GO-LIVE — vault1984.com routes to fleet** | Johan + James | ⏳ |
### Node DNS Pattern
`<node>.vault1984.com` → node IP (Cloudflare)
Primary entry: `vault1984.com` → New Jersey (largest US East market)
SOC dashboard: `soc.vault1984.com` → Zurich → Kuma port 3001
---
## 3. Partner: Hostkey
**Panel:** https://panel.hostkey.com
**Cancellation flow:** `panel.hostkey.com/controlpanel.html?key=<key>`
**Account email:** probably `johan.jongsma@iasobackup.com` (Openprovider uses this — likely same)
### Current Hostkey Nodes
| Hostname | Server ID | IP | Purpose | Status |
|----------|-----------|-----|---------|--------|
| zurich.inou.com | 50304 | 82.22.36.202 | Shared infra hub + vault1984 WG hub | ✅ Live |
| noc.vault1984.com | TBD | 185.218.204.47 | Hans NOC agent | ✅ Live |
| muskepo.com (Shannon) | TBD | 82.24.174.112 | Dealspace hosting | ✅ Live (till Apr 9) |
| Amsterdam | 53643 | 82.24.174.112 | ⚰️ DECOMMISSIONED Feb 21 | ❌ Dead |
### Planned Hostkey Nodes
| Hostname | Location | Purpose | Status |
|----------|----------|---------|--------|
| dubai.vault1984.com | Dubai, AE | vault1984 fleet node | ⏳ **Johan to order** |
**Johan action needed:** Confirm/order Dubai Hostkey node. No other Hostkey locations needed — remaining 14 vault1984 nodes go to Vultr.
---
## 4. Partner: Vultr
**Plan:** VX1 — 1 vCPU, 512MB RAM, 10GB SSD, 1TB bandwidth
**Price:** $2.50/mo per node
**API key:** **PENDING from Johan** ← Blocker for automated provisioning
**14 nodes planned** (all vault1984 fleet except Zurich hub + Dubai Hostkey):
Frankfurt, New Jersey, Silicon Valley, Dallas, London, Warsaw, Tokyo, Seoul, Mumbai, São Paulo, Sydney, Johannesburg, Tel Aviv, + 1 TBD slot
**Provision method:** `provision.sh <ip> <node-name>` (nixos-infect → base.nix → vault1984 binary → healthcheck)
**Deploy method:** `deploy.sh all` (rolling, abort on first failure)
⚠️ **No Vultr account yet. Johan must create account and hand off API key before M2 tooling can be finalized.**
---
## 5. Network Topology
```
Internet
├── Cloudflare DNS (all public domains)
│ ├── inou.com → Caddy (home, 192.168.0.2)
│ ├── *.jongsma.me → Caddy (home) + Stalwart (mail → Zurich)
│ ├── vault1984.com → vault1984 nodes (direct)
│ ├── zurich.inou.com, kuma.inou.com, ntfy.inou.com → Zurich VPS
│ └── noc.vault1984.com → Hans server
├── Home LAN (192.168.1.x + 192.168.0.x + 192.168.100.x)
│ ├── forge (192.168.1.16) — primary server
│ ├── Caddy reverse proxy (192.168.0.2)
│ ├── inou prod (192.168.100.2) — separate VLAN
│ └── Home Assistant (192.168.1.252) — hands-off
├── Tailscale (100.x.x.x mesh)
│ ├── forge: 100.123.216.65
│ └── Caddy: 100.84.42.55
└── WireGuard vault1984 fleet (10.84.0.x/24)
Hub: Zurich (10.84.0.1), UDP 51820
Spokes: 15 nodes (10.84.0.210.84.0.15)
Management traffic: WireGuard only (no public SSH on spoke nodes)
SSH: WireGuard interface only on vault1984 nodes
```
**Key rule:** vault1984 spoke nodes expose only ports 80+443 publicly. All SSH + management flows over WireGuard from Zurich hub.
---
## 6. Monitoring
### Uptime Kuma
- **URL:** https://kuma.inou.com → Zurich → port 3001
- **Admin:** james / JamesKuma2026!
- **Kuma API password:** WW8ipJfY27ELf7nnouaKLCL6
- **Current monitors:** inou.com HTTP, inou.com API, Forge-OC (push), Forge-MC (push)
- **vault1984 fleet monitors:** 16 push monitors to be added (one per node, token per monitor)
- **Alert topic:** `vault1984-alerts` (ntfy, to be created)
- **Thresholds:** SEV2 = 2 missed pushes, SEV1 = 5+ min down
### ntfy (Push Notifications)
- **Server:** https://ntfy.inou.com (Zurich, port 2586)
- **API token:** `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- **Topics:**
- `forge-alerts` — OC/infra alerts (anonymous read, Johan subscribed on iPhone)
- `inou-alerts` — inou health platform alerts (anonymous read)
- `vault1984-alerts` — vault1984 fleet alerts (to be created at M1.3)
- **Johan subscribed on:** iPhone 17
### Dashboard (forge)
- **URL:** http://100.123.216.65:9200 (Tailscale) or http://localhost:9200
- **Purpose:** Tasks, briefings, news, deliveries, system status
- **Status API:** `GET/POST /api/status` — key metrics at top
### Health Push (forge)
- **Script:** `/home/johan/scripts/health-push.sh` — runs every minute via cron
- **Logic:** MC + OC health → push to Kuma if healthy
- **Alert routing:**
- MC down → James via OC webhook (James investigates)
- OC down → Johan direct via ntfy (James IS the thing down)
- Home network down → Johan direct via ntfy
### vault1984 Node Telemetry (planned — M2.4)
Each node binary pushes every 30s to its Kuma push URL:
- `ram_mb, disk_pct, cpu_pct, db_size_mb, db_integrity`
- `active_sessions, req_1h, err_1h, cert_days_remaining, nix_gen, uptime_s`
---
## 7. Monthly Cost Summary
| Item | Cost |
|------|------|
| Zurich VPS (Hostkey) | ~€3.90/mo |
| Hans NOC server (Hostkey) | ~€3.90/mo |
| Shannon VPS (Dealspace) | ~€3.90/mo (till Apr 9) |
| Vultr VX1 × 14 (vault1984) | $35.00/mo |
| Dubai Hostkey (vault1984) | ~€3.90/mo (TBD) |
| forge (home) | $0 |
| **Total (approx)** | **~$55/mo** |
*Excludes: domains (Openprovider), Cloudflare, email (Anthropic API tokens, etc.)*
*Shannon VPS will be reassigned or cancelled after Apr 9 unless Dealspace needs it.*
---
## 8. Open Actions
| Item | Owner | Priority |
|------|-------|----------|
| Provide Vultr API key | **Johan** | 🔴 Blocker (M2 tooling) |
| Order/confirm Dubai Hostkey node | **Johan** | 🔴 Blocker (fleet complete) |
| Change Hans root password | **Hans** | 🔴 Security |
| Deploy vault1984 binary to Hans | **James/Hans** | 🟡 M2 scope |
| Create Discord bot for Hans | **Johan** (Chrome tab) | 🟡 After vault1984 launch |
| Add vault1984-alerts ntfy topic | **James** | 🟡 M1.3 |
| Build 16 Kuma fleet monitors | **James** | 🟡 M1.3 |
---
*This document is the single source of truth for infrastructure topology. Update after every provisioning event.*
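Review bot: this new file commits live credentials in plaintext. Section 6 carries the Uptime Kuma admin login (`james / JamesKuma2026!`), the Kuma API password and the ntfy API token (`tk_ggphzgdis49ddsvu51qam6bgzlyxn`), and section 1 carries the Hans server root password (`ThIsNeEdStOcHaNgE0--`) next to its public IP. The document states that every workspace change is pushed to the Zurich git remote, so these should be treated as exposed: rotate all four, move them into a secrets store or an untracked file referenced by path, and replace the values here with a pointer; rewriting history is not sufficient once the commit has been pushed. The Open Actions table already tracks changing the Hans root password, but the current value should not be carried in the document in the meantime. Smaller consistency points in the same hunk: the fleet section is headed "16 Nodes" but the inventory lists 15 rows; the cost breakdown counts 14 Vultr nodes while section 4 names 13 cities plus one TBD slot; the "Hans NOC server" cost line says "already counted above" although no line above it includes that server; the Amsterdam row in the Hostkey table carries the same IP (`82.24.174.112`) as the live muskepo.com row, so one of them is wrong or the address was reassigned and the decommissioned row should say so; and the WireGuard spoke range in the topology block reads `10.84.0.210.84.0.15`, which has lost the separator between `10.84.0.2` and `10.84.0.15`.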

View File

@ -0,0 +1,21 @@
{
"date": "2026-03-03",
"timestamp": "2026-03-03T09:00:02-05:00",
"openclaw": {
"before": "2026.3.1",
"latest": "2026.3.2",
"after": "2026.3.2",
"updated": true
},
"claude_code": {
"before": "2.1.63",
"latest": "2.1.63",
"updated": false
},
"os": {
"available": "0\n0",
"updated": false,
"packages": []
},
"gateway_restarted": true
}
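Review bot: `os.available` is the string `"0\n0"` rather than a number, which indicates the update script is capturing two lines of command output (two separate zero counts) into a single field; with `packages` already an array and `updated` a boolean, this value should be parsed into an integer, or split into two named counts, before it is written, otherwise a consumer doing a numeric comparison will fail or silently treat the non-empty string as truthy and report updates as available. The `timestamp` in this file is also written with a `-05:00` offset while the other state files in this commit use UTC; one timezone convention across the state files would avoid off-by-hours comparisons.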