Infrastructure Plan
Maintained by James ⚡ · Last updated: 2026-03-03
1. All Locations
forge — Home Server (James' primary)
| Field | Value |
|---|---|
| IP | 192.168.1.16 (LAN) |
| Provider | Home lab (St. Pete, FL) |
| Specs | i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe |
| OS | Ubuntu 24.04.3 LTS headless |
| Managed by | James ⚡ |
| Monthly cost | $0 (home power only) |
Runs:
- OpenClaw gateway (port 18789)
- Message Center / Mail Bridge (port 8025)
- GLM-OCR service (port 8090, GPU)
- Dashboard (port 9200)
- DocSys (port 9201)
- Alert dashboard (port 9202)
- vault1984 (port 1984)
- vault1984-web (port 8099)
- Dealspace (port 9300)
- inou prod (192.168.100.2:1080 via VLAN)
- Signal-cli daemon (port 8080, legacy)
- Ollama (installed, optional use)
- SMB shares: sophia, docsys, inou-dev
Zurich VPS — zurich.inou.com / 82.22.36.202
| Field | Value |
|---|---|
| IP | 82.22.36.202 |
| DNS | zurich.inou.com |
| Provider | Hostkey (server 50304, Zürich CH — Equinix ZH) |
| Specs | 4 vCPU / 6GB RAM / 120GB SSD |
| OS | Ubuntu 24.04 |
| Managed by | James ⚡ |
| Monthly cost | ~€3.90/mo |
Runs:
- Caddy reverse proxy (port 443, auto-LE)
- Stalwart mail server (ports 25/465/587/143/993/995) → mail.jongsma.me, mail.inou.com
- Git hosting (`gituser`, git-shell only)
- Uptime Kuma (port 3001) → kuma.inou.com
- ntfy self-hosted (port 2586) → ntfy.inou.com
- Vaultwarden → vault.jongsma.me (fresh, no data yet)
- harryhaasjes.nl "coming soon" static
- WireGuard hub (10.84.0.1/24, UDP 51820) — vault1984 fleet
- Pending: OpenClaw NOC agent (Hans / vault1984-noc)
Doubles as: vault1984 fleet hub (WireGuard hub node), Zurich spoke node
Hans Server — noc.vault1984.com / 185.218.204.47
| Field | Value |
|---|---|
| IP | 185.218.204.47 |
| DNS | noc.vault1984.com |
| Provider | Hostkey (vm.mini) |
| Specs | 4 vCPU / 6GB RAM / 120GB SSD |
| OS | Ubuntu 24.04 |
| Managed by | Hans ⛰️ |
| Monthly cost | ~€3.90/mo |
Runs:
- OpenClaw 2026.3.1 (Hans agent, Fireworks MiniMax M2.5)
- vault1984 binary (pending deploy)
- UFW: 22/80/443, fail2ban
Pending: vault1984 binary deploy, Discord bot, Hans↔James comms channel
⚠️ Root password still default — ThIsNeEdStOcHaNgE0-- — CHANGE THIS
Shannon VPS — muskepo.com / 82.24.174.112
| Field | Value |
|---|---|
| IP | 82.24.174.112 |
| Provider | Hostkey |
| Managed by | James ⚡ |
| Paid through | 2026-04-09 |
| Monthly cost | ~€3.90/mo (est.) |
Runs:
- Dealspace / muskepo.com (Go binary + Caddy)
Note: Repurposed from former Shannon security VPS. Runs Dealspace. Will be reassigned or cancelled when Dealspace gets its own infra.
ThinkPad X1 (2019) — Johan's local dev
| Field | Value |
|---|---|
| IP | 192.168.0.223 (WiFi) |
| OS | Ubuntu 24.04 desktop |
| Managed by | Johan |
| Monthly cost | $0 |
Runs:
- Real Chrome on Xvfb:99 (port 9224) — for WAF-protected sites (myCigna)
- xfreerdp RDP target
Caddy (Home Reverse Proxy)
| Field | Value |
|---|---|
| IP | 192.168.0.2 / Tailscale: 100.84.42.55 |
| Managed by | James ⚡ |
| SSH | ssh root@192.168.0.2 (LAN direct only) |
Routes: james.jongsma.me, docsys.jongsma.me, vault1984.com → forge
Home Assistant
| Field | Value |
|---|---|
| IP | 192.168.1.252 |
| Managed by | Johan (⚠️ hands-off for James/Hans) |
2. vault1984 Fleet Plan — 16 Nodes
Target: Go-live Friday March 6, 2026 noon ET
Budget: ~$40/mo
Hub: Zurich SOC (82.22.36.202, WireGuard 10.84.0.1/24)
Architecture: NixOS + vault1984 Go binary, WireGuard spoke mesh, Kuma push heartbeats
Node Inventory
| # | Node | Location | Provider | WG IP | Monthly | Status |
|---|---|---|---|---|---|---|
| 1 | zurich | Zürich, CH | Hostkey (existing) | 10.84.0.1 | (shared) | ✅ HUB — existing |
| 2 | frankfurt | Frankfurt, DE | Vultr VX1 | 10.84.0.2 | $2.50 | ⏳ Pending |
| 3 | newjersey | New Jersey, US | Vultr VX1 | 10.84.0.3 | $2.50 | ⏳ Pending |
| 4 | siliconvalley | Silicon Valley, US | Vultr VX1 | 10.84.0.4 | $2.50 | ⏳ Pending |
| 5 | dallas | Dallas, US | Vultr VX1 | 10.84.0.5 | $2.50 | ⏳ Pending |
| 6 | london | London, UK | Vultr VX1 | 10.84.0.6 | $2.50 | ⏳ Pending |
| 7 | warsaw | Warsaw, PL | Vultr VX1 | 10.84.0.7 | $2.50 | ⏳ Pending |
| 8 | tokyo | Tokyo, JP | Vultr VX1 | 10.84.0.8 | $2.50 | ⏳ Pending |
| 9 | seoul | Seoul, KR | Vultr VX1 | 10.84.0.9 | $2.50 | ⏳ Pending |
| 10 | mumbai | Mumbai, IN | Vultr VX1 | 10.84.0.10 | $2.50 | ⏳ Pending |
| 11 | saopaulo | São Paulo, BR | Vultr VX1 | 10.84.0.11 | $2.50 | ⏳ Pending |
| 12 | sydney | Sydney, AU | Vultr VX1 | 10.84.0.12 | $2.50 | ⏳ Pending |
| 13 | johannesburg | Johannesburg, ZA | Vultr VX1 | 10.84.0.13 | $2.50 | ⏳ Pending |
| 14 | telaviv | Tel Aviv, IL | Vultr VX1 | 10.84.0.14 | $2.50 | ⏳ Pending |
| 15 | dubai | Dubai, AE | Hostkey | 10.84.0.15 | TBD | ⏳ Pending |
Monthly cost breakdown:
- 14 Vultr VX1 nodes: 14 × $2.50 = $35.00/mo
- Dubai (Hostkey): ~€3.90/mo (TBD — Johan to confirm order)
- Zurich hub: (already in existing infra budget)
- Hans NOC server: €3.90/mo (already counted above)
- Total vault1984 fleet: ~$40/mo
Deployment Milestones
| Date | Milestone | Owner | Status |
|---|---|---|---|
| Mon Mar 2 | Zurich SOC — WireGuard hub, Kuma fleet monitors, soc.vault1984.com | James | ⏳ |
| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo | James | 🔄 Today |
| Wed Mar 4 noon | Pilot — Zurich + Frankfurt + NJ live | James | ⏳ |
| Wed Mar 4 EOD | Go/No-Go review | Johan | ⏳ |
| Thu Mar 5 | Full 16-node fleet live + DNS/TLS verified | James | ⏳ |
| Fri Mar 6 noon | 🚀 GO-LIVE — vault1984.com routes to fleet | Johan + James | ⏳ |
Node DNS Pattern
<node>.vault1984.com → node IP (Cloudflare)
Primary entry: vault1984.com → New Jersey (largest US East market)
SOC dashboard: soc.vault1984.com → Zurich → Kuma port 3001
3. Partner: Hostkey
Panel: https://panel.hostkey.com
Cancellation flow: panel.hostkey.com/controlpanel.html?key=<key>
Account email: probably johan.jongsma@iasobackup.com (Openprovider uses this — likely same)
Current Hostkey Nodes
| Hostname | Server ID | IP | Purpose | Status |
|---|---|---|---|---|
| zurich.inou.com | 50304 | 82.22.36.202 | Shared infra hub + vault1984 WG hub | ✅ Live |
| noc.vault1984.com | TBD | 185.218.204.47 | Hans NOC agent | ✅ Live |
| muskepo.com (Shannon) | TBD | 82.24.174.112 | Dealspace hosting | ✅ Live (till Apr 9) |
| Amsterdam | 53643 | 82.24.174.112 | ⚰️ DECOMMISSIONED Feb 21 | ❌ Dead |
Planned Hostkey Nodes
| Hostname | Location | Purpose | Status |
|---|---|---|---|
| dubai.vault1984.com | Dubai, AE | vault1984 fleet node | ⏳ Johan to order |
Johan action needed: Confirm/order Dubai Hostkey node. No other Hostkey locations needed — remaining 14 vault1984 nodes go to Vultr.
4. Partner: Vultr
Plan: VX1 — 1 vCPU, 512MB RAM, 10GB SSD, 1TB bandwidth
Price: $2.50/mo per node
API key: PENDING from Johan ← Blocker for automated provisioning
14 nodes planned (all vault1984 fleet except Zurich hub + Dubai Hostkey): Frankfurt, New Jersey, Silicon Valley, Dallas, London, Warsaw, Tokyo, Seoul, Mumbai, São Paulo, Sydney, Johannesburg, Tel Aviv, + 1 TBD slot
Provision method: provision.sh <ip> <node-name> (nixos-infect → base.nix → vault1984 binary → healthcheck)
Deploy method: deploy.sh all (rolling, abort on first failure)
⚠️ No Vultr account yet. Johan must create account and hand off API key before M2 tooling can be finalized.
5. Network Topology
Internet
│
├── Cloudflare DNS (all public domains)
│   ├── inou.com → Caddy (home, 192.168.0.2)
│   ├── *.jongsma.me → Caddy (home) + Stalwart (mail → Zurich)
│   ├── vault1984.com → vault1984 nodes (direct)
│   ├── zurich.inou.com, kuma.inou.com, ntfy.inou.com → Zurich VPS
│   └── noc.vault1984.com → Hans server
│
├── Home LAN (192.168.1.x + 192.168.0.x + 192.168.100.x)
│   ├── forge (192.168.1.16) — primary server
│   ├── Caddy reverse proxy (192.168.0.2)
│   ├── inou prod (192.168.100.2) — separate VLAN
│   └── Home Assistant (192.168.1.252) — hands-off
│
├── Tailscale (100.x.x.x mesh)
│   ├── forge: 100.123.216.65
│   └── Caddy: 100.84.42.55
│
└── WireGuard vault1984 fleet (10.84.0.x/24)
    Hub: Zurich (10.84.0.1), UDP 51820
    Spokes: 15 nodes (10.84.0.2–10.84.0.15)
    Management traffic: WireGuard only (no public SSH on spoke nodes)
    SSH: WireGuard interface only on vault1984 nodes
Key rule: vault1984 spoke nodes expose only ports 80+443 publicly. All SSH + management flows over WireGuard from Zurich hub.
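One way to verify the key rule on a spoke, as an added example (not part of the plan or the vault1984 repo): parse `ss -tlnH` output and flag every TCP listener that is neither loopback, nor bound inside 10.84.0.0/24, nor on port 80/443. The sample output and the listed services are constructed; the check looks at bind addresses only and assumes nothing about the host firewall.

```python
import ipaddress

WG_NET = ipaddress.ip_network("10.84.0.0/24")  # fleet WireGuard subnet from the plan
PUBLIC_TCP_OK = {80, 443}                      # only ports a spoke may expose publicly

# Constructed `ss -tlnH` output for a hypothetical spoke (not captured from a real node).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 10.84.0.2:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:1984 [::]:*
LISTEN 0 128 *:9100 *:*
"""


def parse_listener(line):
    """Return (ip_address, port) for one `ss -tlnH` line, or None if unparseable."""
    fields = line.split()
    if len(fields) < 4:
        return None
    host, _, port = fields[3].rpartition(":")
    host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if host in ("", "*"):
        host = "::"                        # ss prints "*" for a dual-stack wildcard
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:
        return None


def violations(ss_output):
    """List (address, port) listeners that break the 80/443-only rule."""
    bad = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port = parsed
        # Loopback and WireGuard-bound sockets are not publicly reachable.
        if addr.is_loopback or addr in WG_NET:
            continue
        # Everything else is treated as public, including wildcard binds.
        if port not in PUBLIC_TCP_OK:
            bad.append((str(addr), port))
    return bad


if __name__ == "__main__":
    for addr, port in violations(SAMPLE_SS):
        print(f"VIOLATION: {addr}:{port} listens outside WireGuard")
```

A wildcard-bound sshd is reported even when a WireGuard-bound one also exists, which is the misconfiguration the rule is meant to exclude.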
6. Monitoring
Uptime Kuma
- URL: https://kuma.inou.com → Zurich → port 3001
- Admin: james / JamesKuma2026!
- Kuma API password: WW8ipJfY27ELf7nnouaKLCL6
- Current monitors: inou.com HTTP, inou.com API, Forge-OC (push), Forge-MC (push)
- vault1984 fleet monitors: 16 push monitors to be added (one per node, token per monitor)
- Alert topic: `vault1984-alerts` (ntfy, to be created)
- Thresholds: SEV2 = 2 missed pushes, SEV1 = 5+ min down
ntfy (Push Notifications)
- Server: https://ntfy.inou.com (Zurich, port 2586)
- API token: `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- Topics:
  - `forge-alerts` — OC/infra alerts (anonymous read, Johan subscribed on iPhone)
  - `inou-alerts` — inou health platform alerts (anonymous read)
  - `vault1984-alerts` — vault1984 fleet alerts (to be created at M1.3)
- Johan subscribed on: iPhone 17
Dashboard (forge)
- URL: http://100.123.216.65:9200 (Tailscale) or http://localhost:9200
- Purpose: Tasks, briefings, news, deliveries, system status
- Status API: `GET/POST /api/status` — key metrics at top
Health Push (forge)
- Script: `/home/johan/scripts/health-push.sh` — runs every minute via cron
- Logic: MC + OC health → push to Kuma if healthy
- Alert routing:
  - MC down → James via OC webhook (James investigates)
  - OC down → Johan direct via ntfy (James IS the thing down)
  - Home network down → Johan direct via ntfy
vault1984 Node Telemetry (planned — M2.4)
Each node binary pushes every 30s to its Kuma push URL:
ram_mb, disk_pct, cpu_pct, db_size_mb, db_integrity, active_sessions, req_1h, err_1h, cert_days_remaining, nix_gen, uptime_s
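The fleet thresholds from the Uptime Kuma section (SEV2 = 2 missed pushes, SEV1 = 5+ min down) applied to the 30s push interval, as an added example that is not the plan's or Uptime Kuma's own logic. The 5-second grace, the "never seen = SEV1" rule, the severity-to-priority mapping and the sample timestamps are assumptions made here; the ntfy request is only built, never sent.

```python
PUSH_INTERVAL_S = 30   # each node pushes every 30 s
SEV2_MISSED = 2        # SEV2 = 2 missed pushes
SEV1_DOWN_S = 5 * 60   # SEV1 = 5+ minutes down
GRACE_S = 5            # assumption: tolerated jitter before a push counts as missed
NTFY_URL = "https://ntfy.inou.com/vault1984-alerts"  # planned topic from this page
NTFY_PRIORITY = {"SEV1": "urgent", "SEV2": "high"}   # assumption: severity mapping


def classify(last_push_ts, now_ts):
    """Return "SEV1", "SEV2" or "OK" for one node's last push time (epoch seconds)."""
    if last_push_ts is None:
        return "SEV1"                       # assumption: never-seen node is down
    silent = max(0, now_ts - last_push_ts)  # clamp clock skew on the node
    if silent >= SEV1_DOWN_S:
        return "SEV1"
    missed = max(0, silent - GRACE_S) // PUSH_INTERVAL_S
    return "SEV2" if missed >= SEV2_MISSED else "OK"


def fleet_alerts(last_seen, now_ts):
    """Return (severity, node) pairs for unhealthy nodes, SEV1 first."""
    alerts = [(classify(ts, now_ts), node) for node, ts in last_seen.items()]
    return sorted(a for a in alerts if a[0] != "OK")


def ntfy_request(severity, node):
    """Build (url, headers, body) for an ntfy publish; nothing is sent here."""
    headers = {"Title": f"{severity} {node}", "Priority": NTFY_PRIORITY[severity]}
    return NTFY_URL, headers, f"{node}.vault1984.com heartbeat overdue"


# Constructed sample: last push per node in epoch seconds, evaluated at t=1000.
SAMPLE_LAST_SEEN = {"frankfurt": 1000, "newjersey": 935, "tokyo": 690, "dubai": None}

if __name__ == "__main__":
    for sev, node in fleet_alerts(SAMPLE_LAST_SEEN, 1000):
        print(ntfy_request(sev, node))
```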
7. Monthly Cost Summary
| Item | Cost |
|---|---|
| Zurich VPS (Hostkey) | ~€3.90/mo |
| Hans NOC server (Hostkey) | ~€3.90/mo |
| Shannon VPS (Dealspace) | ~€3.90/mo (till Apr 9) |
| Vultr VX1 × 14 (vault1984) | $35.00/mo |
| Dubai Hostkey (vault1984) | ~€3.90/mo (TBD) |
| forge (home) | $0 |
| Total (approx) | ~$55/mo |
Excludes: domains (Openprovider), Cloudflare, email (Anthropic API tokens, etc.)
Shannon VPS will be reassigned or cancelled after Apr 9 unless Dealspace needs it.
8. Open Actions
| Item | Owner | Priority |
|---|---|---|
| Provide Vultr API key | Johan | 🔴 Blocker (M2 tooling) |
| Order/confirm Dubai Hostkey node | Johan | 🔴 Blocker (fleet complete) |
| Change Hans root password | Hans | 🔴 Security |
| Deploy vault1984 binary to Hans | James/Hans | 🟡 M2 scope |
| Create Discord bot for Hans | Johan (Chrome tab) | 🟡 After vault1984 launch |
| Add vault1984-alerts ntfy topic | James | 🟡 M1.3 |
| Build 16 Kuma fleet monitors | James | 🟡 M1.3 |
This document is the single source of truth for infrastructure topology. Update after every provisioning event.