clawd/memory/infrastructure.md
# Infrastructure Map
*Updated: 2026-02-15 (zurich section updated 2026-02-19, amsterdam section 2026-02-28)*
## Home Network
### Network Topology
- **Subnet:** 192.168.0.0/22 (covers 192.168.0.x to 192.168.3.x)
- **Router:** UDM-Pro at 192.168.1.1
- **Primary WAN:** 1Gb Frontier/Verizon fiber
- **Backup WAN:** Starlink (manual hookup, ~15 min setup time) — used during 2024 hurricane floods
### forge (James' Home) — 192.168.1.16
- **Role:** Primary home for James (OpenClaw, MC, dashboards, all agent services)
- **CPU:** Intel i7-6700K @ 4.0GHz (4c/8t)
- **RAM:** 64GB DDR4
- **GPU:** NVIDIA GTX 970 4GB
- **Storage:** 477GB NVMe (Samsung 950 PRO 512GB)
- **OS:** Ubuntu 24.04.1 LTS (headless + minimal GUI for headed Chrome)
- **Hostname:** forge
- **Services:** OpenClaw (18789), MC (8025), Alert Dashboard/Fully (9202), James Dashboard (9200), DocSys (9201), OCR (8090), message-bridge (8030), Xvfb:99 + Chrome CDP (9224)
### james (Old James Home) — 192.168.1.17
- **Role:** Retired/backup — kept running "just to be sure"
- **Hardware:** Lenovo ThinkServer TS140
- **CPU:** Intel Xeon E3-1225 v3 @ 3.20GHz (4c/4t)
- **RAM:** 16GB DDR3 ECC (2×8GB; a motherboard issue prevents upgrading)
- **Storage:** WD Blue SA510 1TB SSD
- **OS:** Ubuntu 24.04.3 LTS
- **Status:** Running but not primary. Candidate for decommission once forge proves stable.
### staging/dev — 192.168.1.253
- **Role:** Home server — personal/family services
- **Hardware:** Lenovo ThinkServer TS140, 4×4TB disks in RAIDZ
- **Services:** Jellyfin, Immich, and other home services
- **Note:** This is Johan's home server, not James' domain
### prod — 192.168.100.2
- **Role:** inou production server
- **Hardware:** Same as staging (TS140 class)
- **Location:** Home network, dedicated to inou prod
- **Status:** BROKEN — Johan wants to fix tonight (2026-02-15)
- **Note:** Different subnet (192.168.100.x)
## VPS / Remote
### zurich — zurich.inou.com (82.22.36.202) ← REAL ZURICH
- **Role:** Primary remote infrastructure (security, monitoring, mail, git, vault)
- **Location:** Zürich, Switzerland (HostKey VPS, separate account from Amsterdam)
- **Hostname:** hostkey50304
- **Specs:** 4 vCore, 6GB RAM, 120GB SSD
- **OS:** Ubuntu 24.04
- **Management:** Full autonomy — James manages
- **Tailscale:** 100.70.148.118 (labeled "zurich" in tailnet)
- **SSH:** root@82.22.36.202 or `tailscale ssh root@zurich`
- **Services:**
- Caddy (80/443) → ntfy.inou.com:2586, kuma.inou.com:3001, vault.inou.com:8080, mail.inou.com/mail.jongsma.me:8880, zurich.inou.com (static), harryhaasjes.nl (static)
- Uptime Kuma (127.0.0.1:3001) — 8 monitors; push tokens: OC=r1G9JcTYCg, MC=rLdedldMLP
- Vaultwarden Docker (127.0.0.1:8080) — 2 users registered; `/opt/vaultwarden/`
- ntfy (systemd, port 2586) — topic: forge-alerts
- **Stalwart mail server** (systemd) — migrated from Amsterdam 2026-02-19; data at `/opt/stalwart/data/` (18GB RocksDB); ports 25/465/587/143/993; ACME certs for mail.inou.com + mail.jongsma.me
- Git server (git user, git-shell) — repos: azure-backup, clawdnode-android, inou-mobile, mail-agent
- **Hardened:** UFW, fail2ban, key-only SSH, services on localhost
- **Updated:** 2026-02-19
### amsterdam/shannon/dealspace — 82.24.174.112
- **Role:** Dealspace dev/staging server
- **IP:** 82.24.174.112 (HostKey VPS, server ID 53643)
- **Status:** NOT decommissioned — paid until 2026-04-09
- **DNS:** amsterdam.inou.com → 82.24.174.112 (keep)
- **Specs:** 4 vCore / 6GB RAM / 120GB SSD
- **OS:** Ubuntu 24.04 (reinstalled 2026-02-28)
- **SSH:** root@82.24.174.112 (key auth only, james@forge key)
- **Services:** (to be deployed — Dealspace)
- **Hardened:** UFW, fail2ban, key-only SSH, Caddy installed, Tailscale installed (needs auth)
- **Updated:** 2026-02-28
## Network Notes
- Home LAN: 192.168.1.0/24 (main), 192.168.100.0/24 (prod), 192.168.2.0/24 (IoT), 192.168.3.0/24 (?)
- Tailscale overlay for remote access
- UDM-Pro as core router
## VPS Hardening Checklist (MANDATORY for every new VPS)
1. `PasswordAuthentication no` in sshd
2. `PermitRootLogin prohibit-password`
3. Install & configure UFW (deny incoming, allow SSH/80/443/Tailscale)
4. Install & configure fail2ban (sshd jail, 3 retries, 1h ban)
5. Auto-updates enabled
6. All services bound to 127.0.0.1 unless explicitly needed public
7. Caddy for TLS termination
8. Join Tailscale
9. Verify with `ss -tlnp` — nothing unexpected on 0.0.0.0
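The checklist as one script, added here as a worked example (it is not a script taken from zurich or amsterdam). `harden_apply()` performs steps 1-5, 7 and 8 and is root-only, so it is never called automatically; `check_sshd_effective()` and `find_exposed_listeners()` verify steps 1, 2 and 9 from `sshd -T` and `ss -tlnp` output read on stdin, and the demo at the bottom runs them on constructed sample data rather than live hosts. Assumptions beyond the checklist: the allowlist of public ports (`PUBLIC_ALLOW`), the sshd drop-in path, the Tailscale UDP port 41641 and `tailscale0` interface, the extra `KbdInteractiveAuthentication no` line (which closes the PAM keyboard-interactive password path that `PasswordAuthentication no` alone leaves open), and a two-site Caddyfile using the kuma/vault hostnames and loopback ports listed under zurich.

```shell
#!/usr/bin/env bash
# Added example for the hardening checklist; not a script from the page's hosts.
# harden_apply() performs steps 1-5, 7 and 8 (root only; never called automatically).
# check_sshd_effective() and find_exposed_listeners() verify steps 1, 2 and 9 from
# command output read on stdin, so they run here on constructed sample data without root.
set -eu

# Assumption for this example: only sshd and Caddy may listen on all interfaces.
PUBLIC_ALLOW="22 80 443"

harden_apply() {   # run as root on a fresh Ubuntu 24.04 VPS
  # 1-2: a drop-in instead of editing sshd_config; sshd -t validates before reload.
  # KbdInteractiveAuthentication is not on the checklist but closes the PAM password path.
  printf 'PasswordAuthentication no\nPermitRootLogin prohibit-password\nKbdInteractiveAuthentication no\n' \
    > /etc/ssh/sshd_config.d/10-hardening.conf
  sshd -t && systemctl reload ssh
  # 3: default deny inbound; allow SSH, HTTP/S and Tailscale (UDP 41641 plus the tailscale0 interface).
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow 22/tcp && ufw allow 80/tcp && ufw allow 443/tcp
  ufw allow 41641/udp && ufw allow in on tailscale0
  ufw --force enable
  # 4: sshd jail, 3 retries, 1h ban (jail.local overrides jail.conf).
  printf '[sshd]\nenabled = true\nmaxretry = 3\nfindtime = 10m\nbantime = 1h\n' > /etc/fail2ban/jail.local
  systemctl enable --now fail2ban
  # 5: unattended security updates.
  apt-get install -y unattended-upgrades && dpkg-reconfigure -f noninteractive unattended-upgrades
  # 7: Caddy terminates TLS; upstreams stay on loopback (hostnames and ports as on zurich).
  printf 'kuma.inou.com { reverse_proxy 127.0.0.1:3001 }\nvault.inou.com { reverse_proxy 127.0.0.1:8080 }\n' \
    > /etc/caddy/Caddyfile
  systemctl reload caddy
  # 8: join the tailnet; --ssh also enables Tailscale SSH (prints an auth URL on first run).
  tailscale up --ssh
}

# Steps 1-2: read `sshd -T` (effective config, lowercase keywords) on stdin.
check_sshd_effective() {
  local cfg rc=0
  cfg=$(cat)
  printf '%s\n' "$cfg" | grep -qx 'passwordauthentication no' \
    || { echo 'sshd: PasswordAuthentication is not "no"'; rc=1; }
  printf '%s\n' "$cfg" | grep -Eqx 'permitrootlogin (prohibit-password|no)' \
    || { echo 'sshd: PermitRootLogin still allows passwords'; rc=1; }
  return $rc
}

# Step 9: read `ss -tlnp` on stdin; print every wildcard-bound TCP listener whose port
# is not in $1. Returns 1 if anything is exposed, 0 when clean.
find_exposed_listeners() {
  local allow="$1" rc=0 line addr host port proc
  while IFS= read -r line; do
    case "$line" in State*|"") continue ;; esac          # header / blank line
    addr=$(printf '%s\n' "$line" | awk '{print $4}')      # Local Address:Port column
    port=${addr##*:}
    host=${addr%:*}
    case "$host" in
      127.*|"[::1]"|"[::ffff:127."*) continue ;;          # loopback is what step 6 wants
    esac
    case " $allow " in *" $port "*) continue ;; esac      # allowlisted public port
    proc=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
    printf 'EXPOSED %s port %s (%s)\n' "$host" "$port" "${proc:-unknown}"
    rc=1
  done
  return $rc
}

# Constructed sample output (not captured from zurich or amsterdam): ntfy has been
# started on 0.0.0.0 instead of staying behind Caddy, which step 9 must catch.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:3001      0.0.0.0:*     users:(("node",pid=1201,fd=19))
LISTEN 0      4096   127.0.0.1:8080      0.0.0.0:*     users:(("vaultwarden",pid=1340,fd=8))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=811,fd=3))
LISTEN 0      4096   *:443               *:*           users:(("caddy",pid=1502,fd=9))
LISTEN 0      4096   *:80                *:*           users:(("caddy",pid=1502,fd=8))
LISTEN 0      4096   0.0.0.0:2586        0.0.0.0:*     users:(("ntfy",pid=1610,fd=7))
LISTEN 0      128    [::]:22             [::]:*        users:(("sshd",pid=811,fd=4))'

SAMPLE_SSHD='passwordauthentication no
permitrootlogin prohibit-password
pubkeyauthentication yes'

# Demo on the samples. On a real host:  sshd -T | check_sshd_effective ; ss -tlnp | find_exposed_listeners "$PUBLIC_ALLOW"
if printf '%s\n' "$SAMPLE_SSHD" | check_sshd_effective; then echo "sshd: ok"; fi
if printf '%s\n' "$SAMPLE_SS" | find_exposed_listeners "$PUBLIC_ALLOW"; then
  echo "listeners: clean"
else
  echo "listeners: FAIL (see above)"
fi
```

Note that `ss -p` only shows process names for sockets owned by other users when run as root, so the verification step belongs in the same root session as the apply step; the exposed-listener check deliberately treats any non-loopback, non-allowlisted bind (including `*` and `[::]`) as a finding, because a service bound to `[::]` is just as public as one on `0.0.0.0`.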