johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clawd/memory/infrastructure-plan.md

330 lines
12 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Infrastructure Plan
*Maintained by James ⚡ · Last updated: 2026-03-03*
---
## 1. All Locations
### forge — Home Server (James' primary)
| Field | Value |
|-------|-------|
| **IP** | 192.168.1.16 (LAN) |
| **Provider** | Home lab (St. Pete, FL) |
| **Specs** | i7-6700K / 64GB RAM / GTX 970 4GB / 469GB NVMe |
| **OS** | Ubuntu 24.04.3 LTS headless |
| **Managed by** | James ⚡ |
| **Monthly cost** | $0 (home power only) |
**Runs:**
- OpenClaw gateway (port 18789)
- Message Center / Mail Bridge (port 8025)
- GLM-OCR service (port 8090, GPU)
- Dashboard (port 9200)
- DocSys (port 9201)
- Alert dashboard (port 9202)
- vault1984 (port 1984)
- vault1984-web (port 8099)
- Dealspace (port 9300)
- inou prod (192.168.100.2:1080 via VLAN)
- Signal-cli daemon (port 8080, legacy)
- Ollama (installed, optional use)
- SMB shares: sophia, docsys, inou-dev
---
### Zurich VPS — `zurich.inou.com` / `82.22.36.202`
| Field | Value |
|-------|-------|
| **IP** | 82.22.36.202 |
| **DNS** | zurich.inou.com |
| **Provider** | Hostkey (server 50304, Zürich CH — Equinix ZH) |
| **Specs** | 4 vCPU / 6GB RAM / 120GB SSD |
| **OS** | Ubuntu 24.04 |
| **Managed by** | James ⚡ |
| **Monthly cost** | ~€3.90/mo |
**Runs:**
- Caddy reverse proxy (port 443, auto-LE)
- Stalwart mail server (ports 25/465/587/143/993/995) → mail.jongsma.me, mail.inou.com
- Git hosting (`git` user, git-shell only)
- Uptime Kuma (port 3001) → kuma.inou.com
- ntfy self-hosted (port 2586) → ntfy.inou.com
- Vaultwarden → vault.jongsma.me (fresh, no data yet)
- harryhaasjes.nl "coming soon" static
- WireGuard hub (10.84.0.1/24, UDP 51820) — vault1984 fleet
- **Pending:** OpenClaw NOC agent (Hans / vault1984-noc)
**Doubles as:** vault1984 fleet hub (WireGuard hub node), Zurich spoke node
---
### Hans Server — `noc.vault1984.com` / `185.218.204.47`
| Field | Value |
|-------|-------|
| **IP** | 185.218.204.47 |
| **DNS** | noc.vault1984.com |
| **Provider** | Hostkey (vm.mini) |
| **Specs** | 4 vCPU / 6GB RAM / 120GB SSD |
| **OS** | Ubuntu 24.04 |
| **Managed by** | Hans ⛰️ |
| **Monthly cost** | ~€3.90/mo |
**Runs:**
- OpenClaw 2026.3.1 (Hans agent, Fireworks MiniMax M2.5)
- vault1984 binary (pending deploy)
- UFW: 22/80/443, fail2ban
**Pending:** vault1984 binary deploy, Discord bot, Hans↔James comms channel
⚠️ Root password still default — `ThIsNeEdStOcHaNgE0--`**CHANGE THIS**
---
### Shannon VPS — `muskepo.com` / `82.24.174.112`
| Field | Value |
|-------|-------|
| **IP** | 82.24.174.112 |
| **Provider** | Hostkey |
| **Managed by** | James ⚡ |
| **Paid through** | 2026-04-09 |
| **Monthly cost** | ~€3.90/mo (est.) |
**Runs:**
- Dealspace / muskepo.com (Go binary + Caddy)
**Note:** Repurposed from former Shannon security VPS. Runs Dealspace. Will be reassigned or cancelled when Dealspace gets its own infra.
---
### ThinkPad X1 (2019) — Johan's local dev
| Field | Value |
|-------|-------|
| **IP** | 192.168.0.223 (WiFi) |
| **OS** | Ubuntu 24.04 desktop |
| **Managed by** | Johan |
| **Monthly cost** | $0 |
**Runs:**
- Real Chrome on Xvfb:99 (port 9224) — for WAF-protected sites (myCigna)
- xfreerdp RDP target
---
### Caddy (Home Reverse Proxy)
| Field | Value |
|-------|-------|
| **IP** | 192.168.0.2 / Tailscale: 100.84.42.55 |
| **Managed by** | James ⚡ |
| **SSH** | `ssh root@192.168.0.2` (LAN direct only) |
Routes: james.jongsma.me, docsys.jongsma.me, vault1984.com → forge
---
### Home Assistant
| Field | Value |
|-------|-------|
| **IP** | 192.168.1.252 |
| **Managed by** | Johan (⚠️ hands-off for James/Hans) |
---
## 2. vault1984 Fleet Plan — 16 Nodes
**Target:** Go-live Friday March 6, 2026 noon ET
**Budget:** ~$40/mo
**Hub:** Zurich SOC (82.22.36.202, WireGuard 10.84.0.1/24)
**Architecture:** NixOS + vault1984 Go binary, WireGuard spoke mesh, Kuma push heartbeats
### Node Inventory
| # | Node | Location | Provider | WG IP | Monthly | Status |
|---|------|----------|----------|-------|---------|--------|
| 1 | zurich | Zürich, CH | Hostkey (existing) | 10.84.0.1 | *(shared)* | ✅ **HUB — existing** |
| 2 | frankfurt | Frankfurt, DE | Vultr VX1 | 10.84.0.2 | $2.50 | ⏳ Pending |
| 3 | newjersey | New Jersey, US | Vultr VX1 | 10.84.0.3 | $2.50 | ⏳ Pending |
| 4 | siliconvalley | Silicon Valley, US | Vultr VX1 | 10.84.0.4 | $2.50 | ⏳ Pending |
| 5 | dallas | Dallas, US | Vultr VX1 | 10.84.0.5 | $2.50 | ⏳ Pending |
| 6 | london | London, UK | Vultr VX1 | 10.84.0.6 | $2.50 | ⏳ Pending |
| 7 | warsaw | Warsaw, PL | Vultr VX1 | 10.84.0.7 | $2.50 | ⏳ Pending |
| 8 | tokyo | Tokyo, JP | Vultr VX1 | 10.84.0.8 | $2.50 | ⏳ Pending |
| 9 | seoul | Seoul, KR | Vultr VX1 | 10.84.0.9 | $2.50 | ⏳ Pending |
| 10 | mumbai | Mumbai, IN | Vultr VX1 | 10.84.0.10 | $2.50 | ⏳ Pending |
| 11 | saopaulo | São Paulo, BR | Vultr VX1 | 10.84.0.11 | $2.50 | ⏳ Pending |
| 12 | sydney | Sydney, AU | Vultr VX1 | 10.84.0.12 | $2.50 | ⏳ Pending |
| 13 | johannesburg | Johannesburg, ZA | Vultr VX1 | 10.84.0.13 | $2.50 | ⏳ Pending |
| 14 | telaviv | Tel Aviv, IL | Vultr VX1 | 10.84.0.14 | $2.50 | ⏳ Pending |
| 15 | dubai | Dubai, AE | Hostkey | 10.84.0.15 | TBD | ⏳ Pending |
**Monthly cost breakdown:**
- 14 Vultr VX1 nodes: 14 × $2.50 = **$35.00/mo**
- Dubai (Hostkey): **~€3.90/mo** (TBD — Johan to confirm order)
- Zurich hub: *(already in existing infra budget)*
- Hans NOC server: €3.90/mo *(already counted above)*
- **Total vault1984 fleet: ~$40/mo**
### Deployment Milestones
| Date | Milestone | Owner | Status |
|------|-----------|-------|--------|
| Mon Mar 2 | Zurich SOC — WireGuard hub, Kuma fleet monitors, soc.vault1984.com | James | ⏳ |
| Tue Mar 3 | NixOS config + deploy tooling in vault1984 repo | James | 🔄 Today |
| Wed Mar 4 noon | Pilot — Zurich + Frankfurt + NJ live | James | ⏳ |
| Wed Mar 4 EOD | Go/No-Go review | Johan | ⏳ |
| Thu Mar 5 | Full 16-node fleet live + DNS/TLS verified | James | ⏳ |
| **Fri Mar 6 noon** | 🚀 **GO-LIVE — vault1984.com routes to fleet** | Johan + James | ⏳ |
### Node DNS Pattern
`<node>.vault1984.com` → node IP (Cloudflare)
Primary entry: `vault1984.com` → New Jersey (largest US East market)
SOC dashboard: `soc.vault1984.com` → Zurich → Kuma port 3001
---
## 3. Partner: Hostkey
**Panel:** https://panel.hostkey.com
**Cancellation flow:** `panel.hostkey.com/controlpanel.html?key=<key>`
**Account email:** probably `johan.jongsma@iasobackup.com` (Openprovider uses this — likely same)
### Current Hostkey Nodes
| Hostname | Server ID | IP | Purpose | Status |
|----------|-----------|-----|---------|--------|
| zurich.inou.com | 50304 | 82.22.36.202 | Shared infra hub + vault1984 WG hub | ✅ Live |
| noc.vault1984.com | TBD | 185.218.204.47 | Hans NOC agent | ✅ Live |
| muskepo.com (Shannon) | TBD | 82.24.174.112 | Dealspace hosting | ✅ Live (till Apr 9) |
| Amsterdam | 53643 | 82.24.174.112 | ⚰️ DECOMMISSIONED Feb 21 | ❌ Dead |
### Planned Hostkey Nodes
| Hostname | Location | Purpose | Status |
|----------|----------|---------|--------|
| dubai.vault1984.com | Dubai, AE | vault1984 fleet node | ⏳ **Johan to order** |
**Johan action needed:** Confirm/order Dubai Hostkey node. No other Hostkey locations needed — remaining 14 vault1984 nodes go to Vultr.
---
## 4. Partner: Vultr
**Plan:** VX1 — 1 vCPU, 512MB RAM, 10GB SSD, 1TB bandwidth
**Price:** $2.50/mo per node
**API key:** **PENDING from Johan** ← Blocker for automated provisioning
**14 nodes planned** (all vault1984 fleet except Zurich hub + Dubai Hostkey):
Frankfurt, New Jersey, Silicon Valley, Dallas, London, Warsaw, Tokyo, Seoul, Mumbai, São Paulo, Sydney, Johannesburg, Tel Aviv, + 1 TBD slot
**Provision method:** `provision.sh <ip> <node-name>` (nixos-infect → base.nix → vault1984 binary → healthcheck)
**Deploy method:** `deploy.sh all` (rolling, abort on first failure)
⚠️ **No Vultr account yet. Johan must create account and hand off API key before M2 tooling can be finalized.**
---
## 5. Network Topology
```
Internet
├── Cloudflare DNS (all public domains)
│ ├── inou.com → Caddy (home, 192.168.0.2)
│ ├── *.jongsma.me → Caddy (home) + Stalwart (mail → Zurich)
│ ├── vault1984.com → vault1984 nodes (direct)
│ ├── zurich.inou.com, kuma.inou.com, ntfy.inou.com → Zurich VPS
│ └── noc.vault1984.com → Hans server
├── Home LAN (192.168.1.x + 192.168.0.x + 192.168.100.x)
│ ├── forge (192.168.1.16) — primary server
│ ├── Caddy reverse proxy (192.168.0.2)
│ ├── inou prod (192.168.100.2) — separate VLAN
│ └── Home Assistant (192.168.1.252) — hands-off
├── Tailscale (100.x.x.x mesh)
│ ├── forge: 100.123.216.65
│ └── Caddy: 100.84.42.55
└── WireGuard vault1984 fleet (10.84.0.x/24)
Hub: Zurich (10.84.0.1), UDP 51820
Spokes: 15 nodes (10.84.0.210.84.0.15)
Management traffic: WireGuard only (no public SSH on spoke nodes)
SSH: WireGuard interface only on vault1984 nodes
```
**Key rule:** vault1984 spoke nodes expose only ports 80+443 publicly. All SSH + management flows over WireGuard from Zurich hub.
---
## 6. Monitoring
### Uptime Kuma
- **URL:** https://kuma.inou.com → Zurich → port 3001
- **Admin:** james / JamesKuma2026!
- **Kuma API password:** WW8ipJfY27ELf7nnouaKLCL6
- **Current monitors:** inou.com HTTP, inou.com API, Forge-OC (push), Forge-MC (push)
- **vault1984 fleet monitors:** 16 push monitors to be added (one per node, token per monitor)
- **Alert topic:** `vault1984-alerts` (ntfy, to be created)
- **Thresholds:** SEV2 = 2 missed pushes, SEV1 = 5+ min down
### ntfy (Push Notifications)
- **Server:** https://ntfy.inou.com (Zurich, port 2586)
- **API token:** `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
- **Topics:**
- `forge-alerts` — OC/infra alerts (anonymous read, Johan subscribed on iPhone)
- `inou-alerts` — inou health platform alerts (anonymous read)
- `vault1984-alerts` — vault1984 fleet alerts (to be created at M1.3)
- **Johan subscribed on:** iPhone 17
### Dashboard (forge)
- **URL:** http://100.123.216.65:9200 (Tailscale) or http://localhost:9200
- **Purpose:** Tasks, briefings, news, deliveries, system status
- **Status API:** `GET/POST /api/status` — key metrics at top
### Health Push (forge)
- **Script:** `/home/johan/scripts/health-push.sh` — runs every minute via cron
- **Logic:** MC + OC health → push to Kuma if healthy
- **Alert routing:**
- MC down → James via OC webhook (James investigates)
- OC down → Johan direct via ntfy (James IS the thing down)
- Home network down → Johan direct via ntfy
### vault1984 Node Telemetry (planned — M2.4)
Each node binary pushes every 30s to its Kuma push URL:
- `ram_mb, disk_pct, cpu_pct, db_size_mb, db_integrity`
- `active_sessions, req_1h, err_1h, cert_days_remaining, nix_gen, uptime_s`
---
## 7. Monthly Cost Summary
| Item | Cost |
|------|------|
| Zurich VPS (Hostkey) | ~€3.90/mo |
| Hans NOC server (Hostkey) | ~€3.90/mo |
| Shannon VPS (Dealspace) | ~€3.90/mo (till Apr 9) |
| Vultr VX1 × 14 (vault1984) | $35.00/mo |
| Dubai Hostkey (vault1984) | ~€3.90/mo (TBD) |
| forge (home) | $0 |
| **Total (approx)** | **~$55/mo** |
*Excludes: domains (Openprovider), Cloudflare, email (Anthropic API tokens, etc.)*
*Shannon VPS will be reassigned or cancelled after Apr 9 unless Dealspace needs it.*
---
## 8. Open Actions
| Item | Owner | Priority |
|------|-------|----------|
| Provide Vultr API key | **Johan** | 🔴 Blocker (M2 tooling) |
| Order/confirm Dubai Hostkey node | **Johan** | 🔴 Blocker (fleet complete) |
| Change Hans root password | **Hans** | 🔴 Security |
| Deploy vault1984 binary to Hans | **James/Hans** | 🟡 M2 scope |
| Create Discord bot for Hans | **Johan** (Chrome tab) | 🟡 After vault1984 launch |
| Add vault1984-alerts ntfy topic | **James** | 🟡 M1.3 |
| Build 16 Kuma fleet monitors | **James** | 🟡 M1.3 |
---
*This document is the single source of truth for infrastructure topology. Update after every provisioning event.*
Reference in New Issue View Git Blame Copy Permalink