From 92fa7cc533b07dd4776d1bded2e8a4697857d9a8 Mon Sep 17 00:00:00 2001 From: James Date: Thu, 19 Feb 2026 08:25:02 -0500 Subject: [PATCH] Update infrastructure.md: correct Zurich/Amsterdam VPS details; log mail migration 2026-02-19 --- memory/2026-02-19.md | 33 +++++++++++++++++++++++++++++ memory/claude-usage.db | Bin 36864 -> 36864 bytes memory/claude-usage.json | 10 ++++----- memory/infrastructure.md | 44 +++++++++++++++++++++++++-------------- 4 files changed, 66 insertions(+), 21 deletions(-) diff --git a/memory/2026-02-19.md b/memory/2026-02-19.md index 81a0838..7ae5013 100644 --- a/memory/2026-02-19.md +++ b/memory/2026-02-19.md 
@@ -72,3 +72,36 @@ ntfy.inou.com → 127.0.0.1:2586 (ntfy) kuma.inou.com → 127.0.0.1:3001 (Uptime Kuma) mail.inou.com, mail.jongsma.me → 127.0.0.1:8443 (Stalwart) ``` + +## Stalwart Mail Migration: Amsterdam → Zurich (2026-02-19 overnight) + +### What happened +- rsync completed (19GB RocksDB from /opt/stalwart-mail/data/ on Amsterdam → /opt/stalwart/data/ on Zurich) +- Discovered Zurich Stalwart config was bare skeleton (missing ACME, hostname, trusted-networks) +- Updated /opt/stalwart/etc/config.toml with Amsterdam's config values +- Flipped mail.inou.com DNS from Amsterdam (82.24.174.112) → Zurich (82.22.36.202) via Cloudflare +- Stalwart running on Zurich: ports 25/465/587/143/993/995 all up, TLS 1.3, valid LE cert + +### SMTP security audit + fixes +All 6 issues found and resolved: +1. jongsma.me SPF → v=spf1 a:mail.jongsma.me -all (was ProtonMail) +2. jongsma.me DKIM → stalwart._domainkey.jongsma.me added (ed25519 key cwP26...) +3. jongsma.me DMARC → p=reject, rua=mailto:dmarc@jongsma.me (was p=none) +4. Rate limiting → already configured (5/1s per IP, 25/hr per sender), confirmed working +5. AUTH PLAIN/LOGIN → was never broken, shows correctly after STARTTLS +6. inou.com DKIM DNS mismatch → updated to 8QPYBCe... (DB key was different from old DNS) +Also: cleaned up duplicate jongsma-me DKIM signature created by mistake + +### Amsterdam state +- Stalwart: stopped and disabled (data preserved at /opt/stalwart-mail/) +- Shannon: fully removed +- Duplicate Kuma/Vaultwarden/ntfy: still running, to be cleaned up later +- DO NOT start Amsterdam Stalwart, do NOT delete data yet + +### DNS state (all correct at Cloudflare/1.1.1.1) +- mail.inou.com → 82.22.36.202 (Zurich) +- mail.jongsma.me → 82.22.36.202 (Zurich) +- stalwart._domainkey.inou.com → 8QPYBCeqIm1WMXH0f1VBTeSt0hIIAYPrh7fcV4IHGnM= +- stalwart._domainkey.jongsma.me → cwP26GBsSjSGXakknI8TiD7nPUjAp8nqTl05XNaYFgE= +- v=spf1 a:mail.jongsma.me -all (jongsma.me) +- _dmarc.jongsma.me → p=reject 
diff --git a/memory/claude-usage.db b/memory/claude-usage.db index eeed7c9b1c97060677abbb3394a5e00493971110..7db5c847c691f0473ef8cbc893c17b5e61c7562f 100644 GIT binary patch delta 129 zcmZozz|^pSX@WGP&_o$$Mxl)f^Ys}8HW{!uFm`QbEf8g7;Qy9z1cw}PZfyw`p zcm*v(42`V}jI0ceqZkDwnN67{f9w(2oKro6g;|Q{#ANmcVb`Z+_7u!3+Rs^dqeR delta 75 zcmV-R0JQ&rpaOuP0+1U45s@520THoapDzIqvM>Zd0g1B(a1{XpEikhjaa{=k-jRXY hlm222llqJcvut~q1Opii=#vM4GqHiL472Er7z3IG8kPV6 diff --git a/memory/claude-usage.json b/memory/claude-usage.json index cd49cf6..c7c18bd 100644 --- a/memory/claude-usage.json +++ b/memory/claude-usage.json @@ -1,9 +1,9 @@ { - "last_updated": "2026-02-19T12:29:21.372821Z", + "last_updated": "2026-02-19T13:02:13.191743Z", "source": "api", - "session_percent": 16, - "session_resets": "2026-02-19T16:00:01.311524+00:00", + "session_percent": 21, + "session_resets": "2026-02-19T16:00:01.161330+00:00", "weekly_percent": 75, - "weekly_resets": "2026-02-21T19:00:00.311547+00:00", - "sonnet_percent": 38 + "weekly_resets": "2026-02-21T19:00:00.161351+00:00", + "sonnet_percent": 39 } \ No newline at end of file diff --git a/memory/infrastructure.md b/memory/infrastructure.md index df96471..195e6f7 100644 --- a/memory/infrastructure.md +++ b/memory/infrastructure.md 
@@ -38,27 +38,39 @@ ## VPS / Remote -### zurich — zurich.inou.com (82.24.174.112) -- **Role:** inou supervising/security tools -- **Location:** Zurich, Switzerland (VPS) -- **Management:** Full autonomy — James manages, Johan has backup SSH key -- **Tailscale:** Yes, part of tailnet -- **Services:** Uptime Kuma (127.0.0.1:3001), Caddy (80/443), Greenbone (stopped) -- **Hardened 2026-02-15:** UFW (deny incoming, allow SSH/80/443/Tailscale), fail2ban, PasswordAuth disabled, PermitRootLogin prohibit-password, Kuma bound to localhost +### zurich — zurich.inou.com (82.22.36.202) ← REAL ZURICH +- **Role:** Primary remote infrastructure (security, monitoring, mail, git, vault) +- **Location:** Zürich, Switzerland (HostKey VPS, separate account from Amsterdam) +- **Hostname:** hostkey50304 +- **Specs:** 4 vCore, 6GB RAM, 120GB SSD +- **OS:** Ubuntu 24.04 +- **Management:** Full autonomy — James manages +- **Tailscale:** 100.70.148.118 (labeled "zurich" in tailnet) +- **SSH:** root@82.22.36.202 or `tailscale ssh root@zurich` +- **Services:** + - Caddy (80/443) → ntfy.inou.com:2586, kuma.inou.com:3001, vault.inou.com:8080, mail.inou.com/mail.jongsma.me:8880, zurich.inou.com (static), harryhaasjes.nl (static) + - Uptime Kuma (127.0.0.1:3001) — 8 monitors; push tokens: OC=r1G9JcTYCg, MC=rLdedldMLP + - Vaultwarden Docker (127.0.0.1:8080) — 2 users registered; `/opt/vaultwarden/` + - ntfy (systemd, port 2586) — topic: forge-alerts + - **Stalwart mail server** (systemd) — migrated from Amsterdam 2026-02-19; data at `/opt/stalwart/data/` (18GB RocksDB); ports 25/465/587/143/993; ACME certs for mail.inou.com + mail.jongsma.me + - Git server (git user, git-shell) — repos: azure-backup, clawdnode-android, inou-mobile, mail-agent +- **Hardened:** UFW, fail2ban, key-only SSH, services on localhost +- **Updated:** 2026-02-19 -### shannon — amsterdam.inou.com (82.24.174.112) -- **Role:** Dedicated Shannon security scanner VPS +### amsterdam — amsterdam.inou.com (82.24.174.112) ← MAIL 
MIGRATION SOURCE +- **Role:** TEMPORARY — mail server being decommissioned (Stalwart migrated to Zurich 2026-02-19) - **Location:** Netherlands (HostKey VPS, server ID 53643) -- **Management:** Full autonomy — James manages, Johan has backup SSH key - **Hostname:** vm-mini - **Specs:** 4 vCore, 6GB RAM, 120GB SSD - **SSH:** root@82.24.174.112 (key auth) -- **Services:** Shannon (Temporal + Router + Worker via Docker), no Tailscale (by design) -- **Egress:** Locked to inou.com + Anthropic API only -- **DNS:** amsterdam.inou.com A-record set 2026-02-15 -- **Due date:** 2026-03-09 (22 days) -- **HostKey API:** key=639551e73029b90f-c061af4412951b2e -- **TODO:** Harden per VPS checklist (same as zurich) +- **Services:** + - Caddy — mail.inou.com/mail.jongsma.me proxied to Stalwart (was active, now DNS points to Zurich) + - **Stalwart** — STOPPED + DISABLED; data preserved at `/opt/stalwart-mail/` (19GB, DO NOT DELETE YET) + - Duplicate Kuma/Vaultwarden/ntfy — deployed temporarily tonight, to be cleaned up +- **Shannon:** REMOVED 2026-02-19 (containers, images, /opt/shannon all gone) +- **DNS that stays:** amsterdam.inou.com A-record +- **DO NOT:** Start Stalwart, delete data, or decommission until Johan confirms all mail verified on Zurich +- **HostKey API:** key=639551e73029b90f-c061af4412951b2e (shows server 53643 only) ## Network Notes - Home LAN: 192.168.1.0/24 (main), 192.168.100.0/24 (prod), 192.168.2.0/24 (IoT), 192.168.3.0/24 (?)
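Review bot: In the memory/2026-02-19.md hunk, the new migration section disagrees with the infrastructure.md entry added in the same commit about what Stalwart exposes. The context line just above the new section maps mail.inou.com and mail.jongsma.me to 127.0.0.1:8443, while infrastructure.md lists them under Caddy as :8880. This section also reports port 995 as up, while the infrastructure.md port list stops at 993. Please reconcile the two files so the record of listening ports and the proxy target is unambiguous. Item 3 also moves jongsma.me DMARC from p=none to p=reject in the same session that changed SPF and DKIM; it would help to note how alignment was verified for a message sent from Zurich before relying on the reject policy.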
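Review bot: The changes to memory/claude-usage.db (a binary delta) and memory/claude-usage.json (only timestamps and percentage counters move) are unrelated to the commit subject, which covers infrastructure.md and the mail migration log. These look like generated state rather than notes. Suggest dropping them from this commit and either ignoring them in version control or committing them separately, so that documentation changes stay reviewable and a binary blob is not rewritten on every notes update.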
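Review bot: In the memory/infrastructure.md hunk, the new Uptime Kuma line records two push tokens in plaintext and the amsterdam entry re-adds the HostKey API key line, so both credentials remain in repository history for anyone with read access. Replace each value with a pointer to where the secret is stored (the zurich entry already lists Vaultwarden) and rotate the values that have been committed. Separately, the amsterdam entry drops the "TODO: Harden per VPS checklist" line while still listing duplicate Kuma/Vaultwarden/ntfy as running there; keep the TODO, or state that hardening was done, until those services are removed. The zurich "Hardened" line also loses the date and the specifics the removed line carried (the UFW allow list, PermitRootLogin prohibit-password), and the "Johan has backup SSH key" note is gone from Management without explanation; if access really changed, say so, otherwise keep the detail.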