# Brain

Core facts read by all skills. Keep under 1500 words. Update when infrastructure changes.

Last updated: 2026-06-19

---

## Infrastructure

**Primary server:** 172.27.40.3 — Ubuntu Server LTS, Docker host, all agent runtimes

**Ollama inference host:** 172.27.40.20 — Windows 11 Pro (NxM-AI), Vulkan GPU, Scheduled Task auto-start

**TrueNAS NAS:** 172.27.40.220 (data) / 172.27.6.221 (mgmt) — 35.6 TB, NFS shares for ISOs + Proxmox backups

**Firewall:** OPNsense at 172.27.6.1 (mgmt UI, not routed gateway)

**Proxmox VE:** 172.27.40.2 — PVE 9.1.1, 2× Xeon Gold 6138 (80 vCPUs), 252 GB RAM

**Hermes Native VM:** 172.27.40.30 (VM 108) — dedicated agent VM, Honcho memory, WhatsApp connected

**Tactical RMM:** 172.27.40.4 (VM 101) — remote management for all Nexum clients

**Home Assistant:** 172.27.10.6 (VM 100) — IoT automation

**Synology DS423+:** 172.27.40.80 — Coetzee off-site backup NAS, Active Backup via S2S

**VLANs:**

| VLAN | Name | Subnet | Gateway |
|---|---|---|---|
| 40 | Servers40 | 172.27.40.0/24 | 172.27.40.1 |
| 20 | Workshop20 | 172.27.20.0/24 | 172.27.20.1 |
| 10 | IoT10 | 172.27.10.0/24 | 172.27.10.1 |

## Key Services (172.27.40.3)

| Service | Port | URL | Role |
|---|---|---|---|
| Portainer | 9443 | https://172.27.40.3:9443 | Docker management |
| Nginx Proxy Manager | 80/81/443 | http://172.27.40.3:81 | Reverse proxy, SSL termination |
| Uptime Kuma | 3002 | kuma.nxm.co.za | HTTP monitoring |
| Gitea | 3000 | git.nxm.co.za | Self-hosted git, all docs + code |
| Headscale | 8080 | headscale.nxm.co.za | VPN (self-hosted Tailscale) |
| Vaultwarden | 8222 | vault.nxm.co.za | Password manager |
| Open WebUI | 3010 | chat.nxm.co.za | Chat UI for Ollama + MCP |
| Plane | 8095 | plane.nxm.co.za | Project/task tracking |
| Homarr | 7575 | http://172.27.40.3:7575 | Dashboard |
| Grafana | 3020 | grafana.nxm.co.za | Monitoring dashboards |
| InfluxDB | 8086 | internal | Time-series DB for monitoring |
| NetBox | 8100 | netbox.nxm.co.za | IPAM, network documentation |
| NocoDB | 8150 | rvd.nxm.co.za | RvDM birthday DB (personal, NOT Nexum) |
| InvenTree | 8160 | inventree.nxm.co.za | IT stock + BOM tracking (testing) |
| Directus | 8850 | directus.nxm.co.za | Nexum client CRM |
| Nextcloud | — | — | Phone backup |
| Wetty | 8450/8451 | terminal.nxm.co.za / term.nxm.co.za | Web SSH terminal |
| RustDesk | 21115-21119 | internal | Self-hosted remote desktop relay |
| SearXNG | 8600 | internal | Search backend for sam + citadel |
| iVentoy | 26000 | internal | PXE boot server |

## AI / Agent Stack

**LLM inference:**

- **Ollama** on 172.27.40.20:11434 — models: gemma4, llama3.1:8b, phi4
- **Claude Code** on 172.27.40.3 — primary AI assistant (Anthropic API)
- **Hermes Native** on 172.27.40.30 — OpenRouter, Honcho memory, WhatsApp
- **Hermes Cloud** on 172.27.40.3:8643 — claude-sonnet-4-6, Citadel MCP wired

**Named agents (all Docker on 172.27.40.3 unless noted):**

| Agent | Port | Role | Schedule |
|---|---|---|---|
| hodor-gateway | 8200 | Simple Ollama gateway (POST /ask) | On-demand |
| citadel-mcp | 8300 | MCP SSE+HTTP server, 37 tools | Always-on |
| raven-notify | 8400 | Discord + Gmail notifications | Always-on |
| sam-research | 8500 | SearXNG + Ollama research | On-demand |
| qyburn-coder | 8700 | LLM coding agent (approve/reject) | On-demand |
| maester-reports | 8800 | NIST CSF compliance reports | On-demand |
| jon-snow | 8900 | Chief of staff orchestrator | Always-on |
| bran-changelog | — | Git changelog generator | Daily 06:00 |
| varys-monitor | — | Service HTTP reachability checks | Cron every 15 min |
| tarly-backup | 8750 | OPNsense config + Proxmox backup monitor | Daily 04:00 SAST |
| hermes-cloud | 8643 | Claude-powered conversational agent | Always-on |
| hermes-native | VM 108 | Primary Hermes agent (WhatsApp) | Always-on |
| vexis (workshop) | VM 108 | Nexum workshop agent (TRMM scripts) | On-demand via Hermes |

**Citadel MCP tools (37):** file ops, Docker management, Plane issues/projects/pages, TRMM (agents/scripts/confirm), Directus CRM, Proxmox backups, Qyburn task/approve, Sam research, web search, propose_file_change.

## Cron Jobs (172.27.40.3)

| Schedule | Job | Log |
|---|---|---|
| Daily 06:00 | bran-changelog/run.sh | logs/bran.log |
| Daily 06:00 | zenarmor-pull.py | monitoring/logs/zenarmor-pull.log |
| Daily 02:05 | tarly hub-backup.sh | logs/tarly-backup/hub-backup.log |
| Every 1 min | ovpn-status.py | logs/ovpn-status.log |
| Every 30 min | trmm-frappe-sync.py | logs/trmm-frappe-sync.log |

## OpenVPN S2S Sites

| Site | Tunnel IP | Status | Notes |
|---|---|---|---|
| bezhuis | 172.16.17.2 | COMPLETE | NAT + DNS overrides, LAN access live |
| mwp | 172.16.17.3 | COMPLETE | Monitoring live |
| coetzee | 172.16.17.4 | COMPLETE | Monitoring-only + Active Backup to Synology |
| fwlaw | — | PENDING | Awaiting migration |

## Agent OS Runtime

- Files: `/opt/agent-os/` on 172.27.40.3
- Repo: `git.nxm.co.za/admin/agent-os` (SSH remote: `gitea-local:admin/agent-os.git`)
- Scheduled jobs: cron on 172.27.40.3
- LLM calls: `http://172.27.40.20:11434` (Ollama) or Anthropic API (Claude Code / Hermes)
- Agent web pages: `/opt/sites//` served at agents.nxm.co.za

## Key Paths on Server

- Docker stacks: `/opt/stacks/`
- Agent OS: `/opt/agent-os/`
- Agent web pages: `/opt/sites/`
- Credentials: `~/.nxm-keys` (chmod 600) — NEVER write values elsewhere
- SSH keys: `~/.ssh/` (ED25519)
- NxM infrastructure docs: `/home/nxm/Documents/NxM Linux Server/`
- Nexum project docs: `/home/nxm/Documents/Nexum Projects/`

## Standing Decisions

- NPM handles all SSL termination — internal services use HTTP
- Docker Compose only (no Kubernetes, no Swarm)
- All destructive actions require explicit confirmation
- Credentials only in `~/.nxm-keys` — never in output, logs, or config files
- Netbird fully removed (2026-05-28) — VPN is Headscale + OpenVPN S2S
- WireGuard fully removed (2026-05-30) — replaced by OpenVPN S2S
- Open WebUI → Citadel MCP: auth_type must be `none` (empty bearer = silent failure)
- Docker → OPNsense API: run from host, never from inside a container (HTTP 400)
- NocoDB = RvDM personal only — never use for Nexum projects
- Nexum client data layer = Directus CRM