# Infrastructure Map

*Updated: 2026-02-15*

## Home Network

### forge (James' Home) — 192.168.1.16

- **Role:** Primary home for James (OpenClaw, MC, dashboards, all agent services)
- **CPU:** Intel i7-6700K @ 4.0GHz (4c/8t)
- **RAM:** 64GB DDR4
- **GPU:** NVIDIA GTX 970 4GB
- **Storage:** 477GB NVMe (Samsung 950 PRO 512GB)
- **OS:** Ubuntu 24.04.1 LTS (headless + minimal GUI for headed Chrome)
- **Hostname:** forge
- **Services:** OpenClaw (18789), MC (8025), Alert Dashboard/Fully (9202), James Dashboard (9200), DocSys (9201), OCR (8090), message-bridge (8030), Xvfb:99 + Chrome CDP (9224)

### james (Old James Home) — 192.168.1.17

- **Role:** Retired/backup — kept running "just to be sure"
- **Hardware:** Lenovo ThinkServer TS140
- **CPU:** Intel Xeon E3-1225 v3 @ 3.20GHz (4c/4t)
- **RAM:** 16GB DDR3 ECC (2×8GB, MB issue prevents upgrade)
- **Storage:** WD Blue SA510 1TB SSD
- **OS:** Ubuntu 24.04.3 LTS
- **Status:** Running but not primary. Candidate for decommission once forge proves stable.

### staging/dev — 192.168.1.253

- **Role:** Home server — personal/family services
- **Hardware:** Lenovo ThinkServer TS140, 4×4TB disks in RAIDZ
- **Services:** Jellyfin, Immich, and other home services
- **Note:** This is Johan's home server, not James' domain

### prod — 192.168.100.2

- **Role:** inou production server
- **Hardware:** Same as staging (TS140 class)
- **Location:** Home network, dedicated to inou prod
- **Status:** BROKEN — Johan wants to fix tonight (2026-02-15)
- **Note:** Different subnet (192.168.100.x)

## VPS / Remote

### zurich — zurich.inou.com (82.22.36.202) ← REAL ZURICH

- **Role:** Primary remote infrastructure (security, monitoring, mail, git, vault)
- **Location:** Zürich, Switzerland (HostKey VPS, separate account from Amsterdam)
- **Hostname:** hostkey50304
- **Specs:** 4 vCore, 6GB RAM, 120GB SSD
- **OS:** Ubuntu 24.04
- **Management:** Full autonomy — James manages
- **Tailscale:** 100.70.148.118 (labeled "zurich" in tailnet)
- **SSH:** root@82.22.36.202 or `tailscale ssh root@zurich`
- **Services:**
  - Caddy (80/443) → ntfy.inou.com:2586, kuma.inou.com:3001, vault.inou.com:8080, mail.inou.com/mail.jongsma.me:8880, zurich.inou.com (static), harryhaasjes.nl (static)
  - Uptime Kuma (127.0.0.1:3001) — 8 monitors; push tokens: OC=r1G9JcTYCg, MC=rLdedldMLP
  - Vaultwarden Docker (127.0.0.1:8080) — 2 users registered; `/opt/vaultwarden/`
  - ntfy (systemd, port 2586) — topic: forge-alerts
  - **Stalwart mail server** (systemd) — migrated from Amsterdam 2026-02-19; data at `/opt/stalwart/data/` (18GB RocksDB); ports 25/465/587/143/993; ACME certs for mail.inou.com + mail.jongsma.me
  - Git server (git user, git-shell) — repos: azure-backup, clawdnode-android, inou-mobile, mail-agent
- **Hardened:** UFW, fail2ban, key-only SSH, services on localhost
- **Updated:** 2026-02-19

### amsterdam — amsterdam.inou.com (82.24.174.112) ← MAIL MIGRATION SOURCE

- **Role:** TEMPORARY — mail server being decommissioned (Stalwart migrated to Zurich 2026-02-19)
- **Location:** Netherlands (HostKey VPS, server ID 53643)
- **Hostname:** vm-mini
- **Specs:** 4 vCore, 6GB RAM, 120GB SSD
- **SSH:** root@82.24.174.112 (key auth)
- **Services:**
  - Caddy — mail.inou.com/mail.jongsma.me proxied to Stalwart (was active, now DNS points to Zurich)
  - **Stalwart** — STOPPED + DISABLED; data preserved at `/opt/stalwart-mail/` (19GB, DO NOT DELETE YET)
  - Duplicate Kuma/Vaultwarden/ntfy — deployed temporarily tonight, to be cleaned up
- **Shannon:** REMOVED 2026-02-19 (containers, images, /opt/shannon all gone)
- **DNS that stays:** amsterdam.inou.com A-record
- **DO NOT:** Start Stalwart, delete data, or decommission until Johan confirms all mail verified on Zurich
- **HostKey API:** key=639551e73029b90f-c061af4412951b2e (shows server 53643 only)

## Network Notes

- Home LAN: 192.168.1.0/24 (main), 192.168.100.0/24 (prod), 192.168.2.0/24 (IoT), 192.168.3.0/24 (?)
- Tailscale overlay for remote access
- UDM-Pro as core router

## VPS Hardening Checklist (MANDATORY for every new VPS)

1. `PasswordAuthentication no` in sshd
2. `PermitRootLogin prohibit-password`
3. Install & configure UFW (deny incoming, allow SSH/80/443/Tailscale)
4. Install & configure fail2ban (sshd jail, 3 retries, 1h ban)
5. Auto-updates enabled
6. All services bound to 127.0.0.1 unless explicitly needed public
7. Caddy for TLS termination
8. Join Tailscale
9. Verify with `ss -tlnp` — nothing unexpected on 0.0.0.0
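
The final verification in the checklist (steps 6 and 9), as an added example that is not part of the original document: a shell function that reads `ss -tlnp` output and lists every wildcard-bound TCP listener whose port is not allow-listed. The function names, the allow-list `22 80 443` and the sample `ss` output are assumptions constructed for illustration, not values captured from the hosts above.

```sh
#!/bin/sh
# Added example, not part of the original checklist.
# Assumption: the public allow-list is "22 80 443"; extend it per host
# (for example the mail ports on a mail server).

# Reads `ss -tlnp` output on stdin and prints every TCP listener that is
# bound to a wildcard address (0.0.0.0, * or [::]) on a port not in $1.
find_public_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                                  # Local Address:Port
            port = la; sub(/.*:/, "", port)          # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "*" && addr != "[::]") next
            if (port in ok) next
            print la, $6                             # address and owning process
        }'
}

# Constructed sample (not captured from any host on this page).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:3001     0.0.0.0:*         users:(("node",pid=812,fd=20))
LISTEN 0      4096   127.0.0.1:8080     0.0.0.0:*         users:(("docker-proxy",pid=840,fd=4))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
LISTEN 0      4096   *:443              *:*               users:(("caddy",pid=655,fd=7))
LISTEN 0      4096   0.0.0.0:2586       0.0.0.0:*         users:(("ntfy",pid=900,fd=8))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=701,fd=4))
EOF
}

# Demo on the sample; on a real host: ss -tlnp | find_public_listeners "22 80 443"
sample_ss_output | find_public_listeners "22 80 443"
```

Empty output means the host passes step 9; any printed line is a service that should be rebound to 127.0.0.1 or explicitly added to the allow-list.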