# Infrastructure Plan

*Maintained by James ⚡ · Last updated: 2026-03-03*

---

## 1. All Locations

### forge — Home Server (James' primary)

| Field | Value |
|-------|-------|
| **IP** | 192.168.1.16 (LAN) |
| **Provider** | Home lab (St. Pete, FL) |
| **Specs** | i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe |
| **OS** | Ubuntu 24.04.3 LTS headless |
| **Managed by** | James ⚡ |
| **Monthly cost** | $0 (home power only) |

**Runs:**

- OpenClaw gateway (port 18789)
- Message Center / Mail Bridge (port 8025)
- GLM-OCR service (port 8090, GPU)
- Dashboard (port 9200)
- DocSys (port 9201)
- Alert dashboard (port 9202)
- vault1984 (port 1984)
- vault1984-web (port 8099)
- Dealspace (port 9300)
- inou prod (192.168.100.2:1080 via VLAN)
- Signal-cli daemon (port 8080, legacy)
- Ollama (installed, optional use)
- SMB shares: sophia, docsys, inou-dev

---

### Zurich VPS — `zurich.inou.com` / `82.22.36.202`

| Field | Value |
|-------|-------|
| **IP** | 82.22.36.202 |
| **DNS** | zurich.inou.com |
| **Provider** | Hostkey (server 50304, Zürich CH — Equinix ZH) |
| **Specs** | 4 vCPU / 6GB RAM / 120GB SSD |
| **OS** | Ubuntu 24.04 |
| **Managed by** | James ⚡ |
| **Monthly cost** | ~€3.90/mo |

**Runs:**

- Caddy reverse proxy (port 443, auto-LE)
- Stalwart mail server (ports 25/465/587/143/993/995) → mail.jongsma.me, mail.inou.com
- Git hosting (`git` user, git-shell only)
- Uptime Kuma (port 3001) → kuma.inou.com
- ntfy self-hosted (port 2586) → ntfy.inou.com
- Vaultwarden → vault.jongsma.me (fresh, no data yet)
- harryhaasjes.nl "coming soon" static
- WireGuard hub (10.84.0.1/24, UDP 51820) — vault1984 fleet
- **Pending:** OpenClaw NOC agent (Hans / vault1984-noc)

**Doubles as:** vault1984 fleet hub (WireGuard hub node), Zurich spoke node

---

### Hans Server — `noc.vault1984.com` / `185.218.204.47`

| Field | Value |
|-------|-------|
| **IP** | 185.218.204.47 |
| **DNS** | noc.vault1984.com |
| **Provider** | Hostkey (vm.mini) |
| **Specs** | 4 vCPU / 6GB RAM / 120GB SSD |
| **OS** | Ubuntu 24.04 |
| **Managed by** | Hans ⛰️ |
| **Monthly cost** | ~€3.90/mo |

**Runs:**

- OpenClaw 2026.3.1 (Hans agent, Fireworks MiniMax M2.5)
- vault1984 binary (pending deploy)
- UFW: 22/80/443, fail2ban

**Pending:** vault1984 binary deploy, Discord bot, Hans↔James comms channel

⚠️ Root password still default — `ThIsNeEdStOcHaNgE0--` — **CHANGE THIS**

---

### Shannon VPS — `muskepo.com` / `82.24.174.112`

| Field | Value |
|-------|-------|
| **IP** | 82.24.174.112 |
| **Provider** | Hostkey |
| **Managed by** | James ⚡ |
| **Paid through** | 2026-04-09 |
| **Monthly cost** | ~€3.90/mo (est.) |

**Runs:**

- Dealspace / muskepo.com (Go binary + Caddy)

**Note:** Repurposed from former Shannon security VPS. Runs Dealspace. Will be reassigned or cancelled when Dealspace gets its own infra.

---

### ThinkPad X1 (2019) — Johan's local dev

| Field | Value |
|-------|-------|
| **IP** | 192.168.0.223 (WiFi) |
| **OS** | Ubuntu 24.04 desktop |
| **Managed by** | Johan |
| **Monthly cost** | $0 |

**Runs:**

- Real Chrome on Xvfb:99 (port 9224) — for WAF-protected sites (myCigna)
- xfreerdp RDP target

---

### Caddy (Home Reverse Proxy)

| Field | Value |
|-------|-------|
| **IP** | 192.168.0.2 / Tailscale: 100.84.42.55 |
| **Managed by** | James ⚡ |
| **SSH** | `ssh root@192.168.0.2` (LAN direct only) |

Routes: james.jongsma.me, docsys.jongsma.me, vault1984.com → forge

---

### Home Assistant

| Field | Value |
|-------|-------|
| **IP** | 192.168.1.252 |
| **Managed by** | Johan (⚠️ hands-off for James/Hans) |

---

## 2. vault1984 Fleet Plan — 16 Nodes

- **Target:** Go-live Friday March 6, 2026 noon ET
- **Budget:** ~$40/mo
- **Hub:** Zurich SOC (82.22.36.202, WireGuard 10.84.0.1/24)
- **Architecture:** NixOS + vault1984 Go binary, WireGuard spoke mesh, Kuma push heartbeats

### Node Inventory

| # | Node | Location | Provider | WG IP | Monthly | Status |
|---|------|----------|----------|-------|---------|--------|
| 1 | zurich | Zürich, CH | Hostkey (existing) | 10.84.0.1 | *(shared)* | ✅ **HUB — existing** |
| 2 | frankfurt | Frankfurt, DE | Vultr VX1 | 10.84.0.2 | $2.50 | ⏳ Pending |
| 3 | newjersey | New Jersey, US | Vultr VX1 | 10.84.0.3 | $2.50 | ⏳ Pending |
| 4 | siliconvalley | Silicon Valley, US | Vultr VX1 | 10.84.0.4 | $2.50 | ⏳ Pending |
| 5 | dallas | Dallas, US | Vultr VX1 | 10.84.0.5 | $2.50 | ⏳ Pending |
| 6 | london | London, UK | Vultr VX1 | 10.84.0.6 | $2.50 | ⏳ Pending |
| 7 | warsaw | Warsaw, PL | Vultr VX1 | 10.84.0.7 | $2.50 | ⏳ Pending |
| 8 | tokyo | Tokyo, JP | Vultr VX1 | 10.84.0.8 | $2.50 | ⏳ Pending |
| 9 | seoul | Seoul, KR | Vultr VX1 | 10.84.0.9 | $2.50 | ⏳ Pending |
| 10 | mumbai | Mumbai, IN | Vultr VX1 | 10.84.0.10 | $2.50 | ⏳ Pending |
| 11 | saopaulo | São Paulo, BR | Vultr VX1 | 10.84.0.11 | $2.50 | ⏳ Pending |
| 12 | sydney | Sydney, AU | Vultr VX1 | 10.84.0.12 | $2.50 | ⏳ Pending |
| 13 | johannesburg | Johannesburg, ZA | Vultr VX1 | 10.84.0.13 | $2.50 | ⏳ Pending |
| 14 | telaviv | Tel Aviv, IL | Vultr VX1 | 10.84.0.14 | $2.50 | ⏳ Pending |
| 15 | dubai | Dubai, AE | Hostkey | 10.84.0.15 | TBD | ⏳ Pending |

**Monthly cost breakdown:**

- 14 Vultr VX1 nodes: 14 × $2.50 = **$35.00/mo**
- Dubai (Hostkey): **~€3.90/mo** (TBD — Johan to confirm order)
- Zurich hub: *(already in existing infra budget)*
- Hans NOC server: €3.90/mo *(already counted above)*
- **Total vault1984 fleet: ~$40/mo**

### Deployment Milestones

| Date | Milestone | Owner | Status |
|------|-----------|-------|--------|
| Mon Mar 2 | Zurich SOC — WireGuard hub, Kuma fleet monitors, soc.vault1984.com | James | ⏳ |
| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo | James | 🔄 Today |
| Wed Mar 4 noon | Pilot — Zurich + Frankfurt + NJ live | James | ⏳ |
| Wed Mar 4 EOD | Go/No-Go review | Johan | ⏳ |
| Thu Mar 5 | Full 16-node fleet live + DNS/TLS verified | James | ⏳ |
| **Fri Mar 6 noon** | 🚀 **GO-LIVE — vault1984.com routes to fleet** | Johan + James | ⏳ |

### Node DNS Pattern

- `.vault1984.com` → node IP (Cloudflare)
- Primary entry: `vault1984.com` → New Jersey (largest US East market)
- SOC dashboard: `soc.vault1984.com` → Zurich → Kuma port 3001

---

## 3. Partner: Hostkey

- **Panel:** https://panel.hostkey.com
- **Cancellation flow:** `panel.hostkey.com/controlpanel.html?key=`
- **Account email:** probably `johan.jongsma@iasobackup.com` (Openprovider uses this — likely same)

### Current Hostkey Nodes

| Hostname | Server ID | IP | Purpose | Status |
|----------|-----------|-----|---------|--------|
| zurich.inou.com | 50304 | 82.22.36.202 | Shared infra hub + vault1984 WG hub | ✅ Live |
| noc.vault1984.com | TBD | 185.218.204.47 | Hans NOC agent | ✅ Live |
| muskepo.com (Shannon) | TBD | 82.24.174.112 | Dealspace hosting | ✅ Live (till Apr 9) |
| Amsterdam | 53643 | 82.24.174.112 | ⚰️ DECOMMISSIONED Feb 21 | ❌ Dead |

### Planned Hostkey Nodes

| Hostname | Location | Purpose | Status |
|----------|----------|---------|--------|
| dubai.vault1984.com | Dubai, AE | vault1984 fleet node | ⏳ **Johan to order** |

**Johan action needed:** Confirm/order Dubai Hostkey node. No other Hostkey locations needed — remaining 14 vault1984 nodes go to Vultr.

---

## 4. Partner: Vultr

- **Plan:** VX1 — 1 vCPU, 512MB RAM, 10GB SSD, 1TB bandwidth
- **Price:** $2.50/mo per node
- **API key:** **PENDING from Johan** ← Blocker for automated provisioning

**14 nodes planned** (all vault1984 fleet except Zurich hub + Dubai Hostkey): Frankfurt, New Jersey, Silicon Valley, Dallas, London, Warsaw, Tokyo, Seoul, Mumbai, São Paulo, Sydney, Johannesburg, Tel Aviv, + 1 TBD slot

- **Provision method:** `provision.sh ` (nixos-infect → base.nix → vault1984 binary → healthcheck)
- **Deploy method:** `deploy.sh all` (rolling, abort on first failure)

⚠️ **No Vultr account yet. Johan must create account and hand off API key before M2 tooling can be finalized.**

---

## 5. Network Topology

```
Internet
│
├── Cloudflare DNS (all public domains)
│   ├── inou.com → Caddy (home, 192.168.0.2)
│   ├── *.jongsma.me → Caddy (home) + Stalwart (mail → Zurich)
│   ├── vault1984.com → vault1984 nodes (direct)
│   ├── zurich.inou.com, kuma.inou.com, ntfy.inou.com → Zurich VPS
│   └── noc.vault1984.com → Hans server
│
├── Home LAN (192.168.1.x + 192.168.0.x + 192.168.100.x)
│   ├── forge (192.168.1.16) — primary server
│   ├── Caddy reverse proxy (192.168.0.2)
│   ├── inou prod (192.168.100.2) — separate VLAN
│   └── Home Assistant (192.168.1.252) — hands-off
│
├── Tailscale (100.x.x.x mesh)
│   ├── forge: 100.123.216.65
│   └── Caddy: 100.84.42.55
│
└── WireGuard vault1984 fleet (10.84.0.x/24)
    Hub: Zurich (10.84.0.1), UDP 51820
    Spokes: 15 nodes (10.84.0.2–10.84.0.15)
    Management traffic: WireGuard only (no public SSH on spoke nodes)
    SSH: WireGuard interface only on vault1984 nodes
```

**Key rule:** vault1984 spoke nodes expose only ports 80+443 publicly. All SSH + management flows over WireGuard from Zurich hub.

---

## 6. Monitoring

### Uptime Kuma

- **URL:** https://kuma.inou.com → Zurich → port 3001
- **Admin:** james / JamesKuma2026!
- **Kuma API password:** WW8ipJfY27ELf7nnouaKLCL6
- **Current monitors:** inou.com HTTP, inou.com API, Forge-OC (push), Forge-MC (push)
- **vault1984 fleet monitors:** 16 push monitors to be added (one per node, token per monitor)
- **Alert topic:** `vault1984-alerts` (ntfy, to be created)
- **Thresholds:** SEV2 = 2 missed pushes, SEV1 = 5+ min down

### ntfy (Push Notifications)

- **Server:** https://ntfy.inou.com (Zurich, port 2586)
- **API token:** `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- **Topics:**
  - `forge-alerts` — OC/infra alerts (anonymous read, Johan subscribed on iPhone)
  - `inou-alerts` — inou health platform alerts (anonymous read)
  - `vault1984-alerts` — vault1984 fleet alerts (to be created at M1.3)
- **Johan subscribed on:** iPhone 17

### Dashboard (forge)

- **URL:** http://100.123.216.65:9200 (Tailscale) or http://localhost:9200
- **Purpose:** Tasks, briefings, news, deliveries, system status
- **Status API:** `GET/POST /api/status` — key metrics at top

### Health Push (forge)

- **Script:** `/home/johan/scripts/health-push.sh` — runs every minute via cron
- **Logic:** MC + OC health → push to Kuma if healthy
- **Alert routing:**
  - MC down → James via OC webhook (James investigates)
  - OC down → Johan direct via ntfy (James IS the thing down)
  - Home network down → Johan direct via ntfy

### vault1984 Node Telemetry (planned — M2.4)

Each node binary pushes every 30s to its Kuma push URL:

- `ram_mb, disk_pct, cpu_pct, db_size_mb, db_integrity`
- `active_sessions, req_1h, err_1h, cert_days_remaining, nix_gen, uptime_s`

---

## 7. Monthly Cost Summary

| Item | Cost |
|------|------|
| Zurich VPS (Hostkey) | ~€3.90/mo |
| Hans NOC server (Hostkey) | ~€3.90/mo |
| Shannon VPS (Dealspace) | ~€3.90/mo (till Apr 9) |
| Vultr VX1 × 14 (vault1984) | $35.00/mo |
| Dubai Hostkey (vault1984) | ~€3.90/mo (TBD) |
| forge (home) | $0 |
| **Total (approx)** | **~$55/mo** |

*Excludes: domains (Openprovider), Cloudflare, email (Anthropic API tokens, etc.)*

*Shannon VPS will be reassigned or cancelled after Apr 9 unless Dealspace needs it.*

---

## 8. Open Actions

| Item | Owner | Priority |
|------|-------|----------|
| Provide Vultr API key | **Johan** | 🔴 Blocker (M2 tooling) |
| Order/confirm Dubai Hostkey node | **Johan** | 🔴 Blocker (fleet complete) |
| Change Hans root password | **Hans** | 🔴 Security |
| Deploy vault1984 binary to Hans | **James/Hans** | 🟡 M2 scope |
| Create Discord bot for Hans | **Johan** (Chrome tab) | 🟡 After vault1984 launch |
| Add vault1984-alerts ntfy topic | **James** | 🟡 M1.3 |
| Build 16 Kuma fleet monitors | **James** | 🟡 M1.3 |

---

*This document is the single source of truth for infrastructure topology. Update after every provisioning event.*
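Added example for the section 6 Node Telemetry push and the Uptime Kuma thresholds (SEV2 = 2 missed pushes, SEV1 = 5+ min down), written in Go because the fleet binary is Go; this is illustration code, not the vault1984 binary's or the plan's own. It assumes a push counts as missed once its 30-second slot has elapsed, that the metrics travel in the `msg` parameter of Kuma's push endpoint (`/api/push/<token>?status=&msg=&ping=`), and that a failed `db_integrity` check is reported as `status=down`; `<kuma>` and `<token>` are placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"time"
)

const PushInterval = 30 * time.Second // heartbeat cadence the plan gives for fleet nodes

// Severity follows the plan's Kuma thresholds: SEV2 = 2 missed pushes, SEV1 = 5+ min down.
type Severity string

const SevOK, Sev2, Sev1 Severity = "OK", "SEV2", "SEV1"

// Classify rates a node from its last heartbeat time. Assumption: a push is missed once
// its 30s slot has elapsed (a 60s gap = 2 missed); a node that never pushed is down.
func Classify(last, now time.Time) Severity {
	switch gap := now.Sub(last); {
	case last.IsZero(), gap >= 5*time.Minute:
		return Sev1
	case gap < 0: // future-dated heartbeat (clock skew) is not an outage signal
		return SevOK
	case int(gap/PushInterval) >= 2:
		return Sev2
	}
	return SevOK
}

// Telemetry holds the per-node metrics the plan lists for the 30s push.
type Telemetry struct {
	RAMMB, DiskPct, CPUPct, DBSizeMB   int
	ActiveSessions, Req1h, Err1h       int
	CertDaysRemaining, NixGen, UptimeS int
	DBIntegrity                        bool
}

// PushQuery builds the query for Kuma's push endpoint (<kuma>/api/push/<token>?status=up&msg=...&ping=).
// Carrying the metrics in msg and reporting "down" on a failed db_integrity are this example's choices.
func PushQuery(t Telemetry) string {
	status := "up"
	if !t.DBIntegrity {
		status = "down"
	}
	msg := fmt.Sprintf("ram_mb=%d disk_pct=%d cpu_pct=%d db_size_mb=%d db_integrity=%t "+
		"active_sessions=%d req_1h=%d err_1h=%d cert_days_remaining=%d nix_gen=%d uptime_s=%d",
		t.RAMMB, t.DiskPct, t.CPUPct, t.DBSizeMB, t.DBIntegrity,
		t.ActiveSessions, t.Req1h, t.Err1h, t.CertDaysRemaining, t.NixGen, t.UptimeS)
	return url.Values{"status": {status}, "msg": {msg}, "ping": {""}}.Encode()
}
```

On the hub, `Classify` is what a Kuma-side evaluator would run over the last push time of each of the 16 fleet monitors; the `gap < 0` branch keeps a node with a skewed clock from being paged as an outage.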