clawd/memory/infrastructure.md

# Infrastructure Map

*Updated: 2026-02-15*

## Home Network

### forge (James' Home) — 192.168.1.16
- **Role:** Primary home for James (OpenClaw, MC, dashboards, all agent services)
- **CPU:** Intel i7-6700K @ 4.0GHz (4c/8t)
- **RAM:** 64GB DDR4
- **GPU:** NVIDIA GTX 970 4GB
- **Storage:** 477GB NVMe (Samsung 950 PRO 512GB)
- **OS:** Ubuntu 24.04.1 LTS (headless + minimal GUI for headed Chrome)
- **Hostname:** forge
- **Services:** OpenClaw (18789), MC (8025), Alert Dashboard/Fully (9202), James Dashboard (9200), DocSys (9201), OCR (8090), message-bridge (8030), Xvfb:99 + Chrome CDP (9224)

### james (Old James Home) — 192.168.1.17
- **Role:** Retired/backup — kept running "just to be sure"
- **Hardware:** Lenovo ThinkServer TS140
- **CPU:** Intel Xeon E3-1225 v3 @ 3.20GHz (4c/4t)
- **RAM:** 16GB DDR3 ECC (2×8GB, MB issue prevents upgrade)
- **Storage:** WD Blue SA510 1TB SSD
- **OS:** Ubuntu 24.04.3 LTS
- **Status:** Running but not primary. Candidate for decommission once forge proves stable.

### staging/dev — 192.168.1.253
- **Role:** Home server — personal/family services
- **Hardware:** Lenovo ThinkServer TS140, 4×4TB disks in RAIDZ
- **Services:** Jellyfin, Immich, and other home services
- **Note:** This is Johan's home server, not James' domain

### prod — 192.168.100.2
- **Role:** inou production server
- **Hardware:** Same as staging (TS140 class)
- **Location:** Home network, dedicated to inou prod
- **Status:** BROKEN — Johan wants to fix tonight (2026-02-15)
- **Note:** Different subnet (192.168.100.x)

## VPS / Remote

### zurich — zurich.inou.com (82.22.36.202) ← REAL ZURICH
- **Role:** Primary remote infrastructure (security, monitoring, mail, git, vault)
- **Location:** Zürich, Switzerland (HostKey VPS, separate account from Amsterdam)
- **Hostname:** hostkey50304
- **Specs:** 4 vCore, 6GB RAM, 120GB SSD
- **OS:** Ubuntu 24.04
- **Management:** Full autonomy — James manages
- **Tailscale:** 100.70.148.118 (labeled "zurich" in tailnet)
- **SSH:** root@82.22.36.202 or `tailscale ssh root@zurich`
- **Services:**
  - Caddy (80/443) → ntfy.inou.com:2586, kuma.inou.com:3001, vault.inou.com:8080, mail.inou.com/mail.jongsma.me:8880, zurich.inou.com (static), harryhaasjes.nl (static)
  - Uptime Kuma (127.0.0.1:3001) — 8 monitors; push tokens: OC=r1G9JcTYCg, MC=rLdedldMLP
  - Vaultwarden Docker (127.0.0.1:8080) — 2 users registered; `/opt/vaultwarden/`
  - ntfy (systemd, port 2586) — topic: forge-alerts
  - **Stalwart mail server** (systemd) — migrated from Amsterdam 2026-02-19; data at `/opt/stalwart/data/` (18GB RocksDB); ports 25/465/587/143/993; ACME certs for mail.inou.com + mail.jongsma.me
  - Git server (git user, git-shell) — repos: azure-backup, clawdnode-android, inou-mobile, mail-agent
- **Hardened:** UFW, fail2ban, key-only SSH, services on localhost
- **Updated:** 2026-02-19

### shannon/dealspace — 82.24.174.112
- Role: Dealspace dev/staging server
- IP: 82.24.174.112 (HostKey VPS, server ID 53643 — formerly amsterdam)
- Paid until: 2026-04-09
- Specs: 4 vCore / 6GB RAM / 120GB SSD
- OS: Ubuntu 24.04 (reinstalled 2026-02-28)
- SSH: root@82.24.174.112 (key auth only, james@forge key)
- Services: (to be deployed — Dealspace)
- Hardened: UFW, fail2ban, key-only SSH, Caddy installed, Tailscale installed (needs auth)
- Updated: 2026-02-28

## Network Notes
- Home LAN: 192.168.1.0/24 (main), 192.168.100.0/24 (prod), 192.168.2.0/24 (IoT), 192.168.3.0/24 (?)
- Tailscale overlay for remote access
- UDM-Pro as core router

## VPS Hardening Checklist (MANDATORY for every new VPS)
1. `PasswordAuthentication no` in sshd
2. `PermitRootLogin prohibit-password`
3. Install & configure UFW (deny incoming, allow SSH/80/443/Tailscale)
4. Install & configure fail2ban (sshd jail, 3 retries, 1h ban)
5. Auto-updates enabled
6. All services bound to 127.0.0.1 unless explicitly needed public
7. Caddy for TLS termination
8. Join Tailscale
9. Verify with `ss -tlnp` — nothing unexpected on 0.0.0.0