Update infrastructure.md: correct Zurich/Amsterdam VPS details; log mail migration 2026-02-19

memory/2026-02-19.md

@@ -72,3 +72,36 @@ ntfy.inou.com → 127.0.0.1:2586 (ntfy)
 kuma.inou.com → 127.0.0.1:3001 (Uptime Kuma)
 mail.inou.com, mail.jongsma.me → 127.0.0.1:8443 (Stalwart)
 ```
+
+## Stalwart Mail Migration: Amsterdam → Zurich (2026-02-19 overnight)
+
+### What happened
+- rsync completed (19GB RocksDB from /opt/stalwart-mail/data/ on Amsterdam → /opt/stalwart/data/ on Zurich)
+- Discovered Zurich Stalwart config was bare skeleton (missing ACME, hostname, trusted-networks)
+- Updated /opt/stalwart/etc/config.toml with Amsterdam's config values
+- Flipped mail.inou.com DNS from Amsterdam (82.24.174.112) → Zurich (82.22.36.202) via Cloudflare
+- Stalwart running on Zurich: ports 25/465/587/143/993/995 all up, TLS 1.3, valid LE cert
+
+### SMTP security audit + fixes
+All 6 issues found and resolved:
+1. jongsma.me SPF → v=spf1 a:mail.jongsma.me -all (was ProtonMail)
+2. jongsma.me DKIM → stalwart._domainkey.jongsma.me added (ed25519 key cwP26...)
+3. jongsma.me DMARC → p=reject, rua=mailto:dmarc@jongsma.me (was p=none)
+4. Rate limiting → already configured (5/1s per IP, 25/hr per sender), confirmed working
+5. AUTH PLAIN/LOGIN → was never broken, shows correctly after STARTTLS
+6. inou.com DKIM DNS mismatch → updated to 8QPYBCe... (DB key was different from old DNS)
+Also: cleaned up duplicate jongsma-me DKIM signature created by mistake
+
+### Amsterdam state
+- Stalwart: stopped and disabled (data preserved at /opt/stalwart-mail/)
+- Shannon: fully removed
+- Duplicate Kuma/Vaultwarden/ntfy: still running, to be cleaned up later
+- DO NOT start Amsterdam Stalwart, do NOT delete data yet
+
+### DNS state (all correct at Cloudflare/1.1.1.1)
+- mail.inou.com → 82.22.36.202 (Zurich)
+- mail.jongsma.me → 82.22.36.202 (Zurich)
+- stalwart._domainkey.inou.com → 8QPYBCeqIm1WMXH0f1VBTeSt0hIIAYPrh7fcV4IHGnM=
+- stalwart._domainkey.jongsma.me → cwP26GBsSjSGXakknI8TiD7nPUjAp8nqTl05XNaYFgE=
+- v=spf1 a:mail.jongsma.me -all (jongsma.me)
+- _dmarc.jongsma.me → p=reject

memory/claude-usage.json

@@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-02-19T12:29:21.372821Z",
+  "last_updated": "2026-02-19T13:02:13.191743Z",
   "source": "api",
-  "session_percent": 16,
+  "session_percent": 21,
-  "session_resets": "2026-02-19T16:00:01.311524+00:00",
+  "session_resets": "2026-02-19T16:00:01.161330+00:00",
   "weekly_percent": 75,
-  "weekly_resets": "2026-02-21T19:00:00.311547+00:00",
+  "weekly_resets": "2026-02-21T19:00:00.161351+00:00",
-  "sonnet_percent": 38
+  "sonnet_percent": 39
 }

memory/infrastructure.md

@@ -38,27 +38,39 @@
 
 ## VPS / Remote
 
-### zurich — zurich.inou.com (82.24.174.112)
+### zurich — zurich.inou.com (82.22.36.202) ← REAL ZURICH
-- **Role:** inou supervising/security tools
+- **Role:** Primary remote infrastructure (security, monitoring, mail, git, vault)
-- **Location:** Zurich, Switzerland (VPS)
+- **Location:** Zürich, Switzerland (HostKey VPS, separate account from Amsterdam)
-- **Management:** Full autonomy — James manages, Johan has backup SSH key
+- **Hostname:** hostkey50304
-- **Tailscale:** Yes, part of tailnet
+- **Specs:** 4 vCore, 6GB RAM, 120GB SSD
-- **Services:** Uptime Kuma (127.0.0.1:3001), Caddy (80/443), Greenbone (stopped)
+- **OS:** Ubuntu 24.04
-- **Hardened 2026-02-15:** UFW (deny incoming, allow SSH/80/443/Tailscale), fail2ban, PasswordAuth disabled, PermitRootLogin prohibit-password, Kuma bound to localhost
+- **Management:** Full autonomy — James manages
+- **Tailscale:** 100.70.148.118 (labeled "zurich" in tailnet)
+- **SSH:** root@82.22.36.202 or `tailscale ssh root@zurich`
+- **Services:**
+  - Caddy (80/443) → ntfy.inou.com:2586, kuma.inou.com:3001, vault.inou.com:8080, mail.inou.com/mail.jongsma.me:8880, zurich.inou.com (static), harryhaasjes.nl (static)
+  - Uptime Kuma (127.0.0.1:3001) — 8 monitors; push tokens: OC=r1G9JcTYCg, MC=rLdedldMLP
+  - Vaultwarden Docker (127.0.0.1:8080) — 2 users registered; `/opt/vaultwarden/`
+  - ntfy (systemd, port 2586) — topic: forge-alerts
+  - **Stalwart mail server** (systemd) — migrated from Amsterdam 2026-02-19; data at `/opt/stalwart/data/` (18GB RocksDB); ports 25/465/587/143/993; ACME certs for mail.inou.com + mail.jongsma.me
+  - Git server (git user, git-shell) — repos: azure-backup, clawdnode-android, inou-mobile, mail-agent
+- **Hardened:** UFW, fail2ban, key-only SSH, services on localhost
+- **Updated:** 2026-02-19
 
-### shannon — amsterdam.inou.com (82.24.174.112)
+### amsterdam — amsterdam.inou.com (82.24.174.112) ← MAIL MIGRATION SOURCE
-- **Role:** Dedicated Shannon security scanner VPS
+- **Role:** TEMPORARY — mail server being decommissioned (Stalwart migrated to Zurich 2026-02-19)
 - **Location:** Netherlands (HostKey VPS, server ID 53643)
-- **Management:** Full autonomy — James manages, Johan has backup SSH key
 - **Hostname:** vm-mini
 - **Specs:** 4 vCore, 6GB RAM, 120GB SSD
 - **SSH:** root@82.24.174.112 (key auth)
-- **Services:** Shannon (Temporal + Router + Worker via Docker), no Tailscale (by design)
+- **Services:**
-- **Egress:** Locked to inou.com + Anthropic API only
+  - Caddy — mail.inou.com/mail.jongsma.me proxied to Stalwart (was active, now DNS points to Zurich)
-- **DNS:** amsterdam.inou.com A-record set 2026-02-15
+  - **Stalwart** — STOPPED + DISABLED; data preserved at `/opt/stalwart-mail/` (19GB, DO NOT DELETE YET)
-- **Due date:** 2026-03-09 (22 days)
+  - Duplicate Kuma/Vaultwarden/ntfy — deployed temporarily tonight, to be cleaned up
-- **HostKey API:** key=639551e73029b90f-c061af4412951b2e
+- **Shannon:** REMOVED 2026-02-19 (containers, images, /opt/shannon all gone)
-- **TODO:** Harden per VPS checklist (same as zurich)
+- **DNS that stays:** amsterdam.inou.com A-record
+- **DO NOT:** Start Stalwart, delete data, or decommission until Johan confirms all mail verified on Zurich
+- **HostKey API:** key=639551e73029b90f-c061af4412951b2e (shows server 53643 only)
 
 ## Network Notes
 - Home LAN: 192.168.1.0/24 (main), 192.168.100.0/24 (prod), 192.168.2.0/24 (IoT), 192.168.3.0/24 (?)