Commit 6cebab9a4a by Claude Code

docs: comprehensive update — bring all Agent OS docs current for LLM onboarding
All files were 5-7 weeks stale. Updated brain.md (complete service/agent/VPN/cron
inventory), identity.md (current expertise + infra context), CLAUDE.md (full agent
ecosystem table, Citadel tool registry, gotchas), README.md (LLM quick-start guide),
all memory files (current projects, decisions, constraints, persistent facts), and
infra-monitor skill.md (current container list with criticality tiers).

Also fixed: git remote switched from HTTP+embedded-token to SSH, removed references
to decommissioned services (Netbird, WireGuard, Flowise, Zabbix), corrected Ollama
IP (172.27.40.20), TrueNAS IP (172.27.40.220), and added 20+ services/agents that
were built since the last commit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Date: 2026-06-19 17:15:45 +00:00

# Brain
Core facts read by all skills. Keep under 1500 words. Update when infrastructure changes.

Last updated: 2026-06-19

---

## Infrastructure
- **Primary server:** 172.27.40.3 — Ubuntu Server LTS, Docker host, all agent runtimes
- **Ollama inference host:** 172.27.40.20 — Windows 11 Pro (NxM-AI), Vulkan GPU, Scheduled Task auto-start
- **TrueNAS NAS:** 172.27.40.220 (data) / 172.27.6.221 (mgmt) — 35.6 TB, NFS shares for ISOs + Proxmox backups
- **Firewall:** OPNsense at 172.27.6.1 (mgmt UI, not routed gateway)
- **Proxmox VE:** 172.27.40.2 — PVE 9.1.1, 2× Xeon Gold 6138 (80 vCPUs), 252 GB RAM
- **Hermes Native VM:** 172.27.40.30 (VM 108) — dedicated agent VM, Honcho memory, WhatsApp connected
- **Tactical RMM:** 172.27.40.4 (VM 101) — remote management for all Nexum clients
- **Home Assistant:** 172.27.10.6 (VM 100) — IoT automation
- **Synology DS423+:** 172.27.40.80 — Coetzee off-site backup NAS, Active Backup via S2S

**VLANs:**

| VLAN | Name | Subnet | Gateway |
|---|---|---|---|
| 40 | Servers40 | 172.27.40.0/24 | 172.27.40.1 |
| 20 | Workshop20 | 172.27.20.0/24 | 172.27.20.1 |
| 10 | IoT10 | 172.27.10.0/24 | 172.27.10.1 |

## Key Services (172.27.40.3)
| Service | Port | URL | Role |
|---|---|---|---|
| Portainer | 9443 | https://172.27.40.3:9443 | Docker management |
| Nginx Proxy Manager | 80/81/443 | http://172.27.40.3:81 | Reverse proxy, SSL termination |
| Uptime Kuma | 3002 | kuma.nxm.co.za | HTTP monitoring |
| Gitea | 3000 | git.nxm.co.za | Self-hosted git, all docs + code |
| Headscale | 8080 | headscale.nxm.co.za | VPN (self-hosted Tailscale) |
| Vaultwarden | 8222 | vault.nxm.co.za | Password manager |
| Open WebUI | 3010 | chat.nxm.co.za | Chat UI for Ollama + MCP |
| Plane | 8095 | plane.nxm.co.za | Project/task tracking |
| Homarr | 7575 | http://172.27.40.3:7575 | Dashboard |
| Grafana | 3020 | grafana.nxm.co.za | Monitoring dashboards |
| InfluxDB | 8086 | internal | Time-series DB for monitoring |
| NetBox | 8100 | netbox.nxm.co.za | IPAM, network documentation |
| NocoDB | 8150 | rvd.nxm.co.za | RvDM birthday DB (personal, NOT Nexum) |
| InvenTree | 8160 | inventree.nxm.co.za | IT stock + BOM tracking (testing) |
| Directus | 8850 | directus.nxm.co.za | Nexum client CRM |
| Nextcloud | — | — | Phone backup |
| Wetty | 8450/8451 | terminal.nxm.co.za / term.nxm.co.za | Web SSH terminal |
| RustDesk | 21115-21119 | internal | Self-hosted remote desktop relay |
| SearXNG | 8600 | internal | Search backend for sam + citadel |
| iVentoy | 26000 | internal | PXE boot server |

## AI / Agent Stack
**LLM inference:**
- **Ollama** on 172.27.40.20:11434 — models: gemma4, llama3.1:8b, phi4
- **Claude Code** on 172.27.40.3 — primary AI assistant (Anthropic API)
- **Hermes Native** on 172.27.40.30 — OpenRouter, Honcho memory, WhatsApp
- **Hermes Cloud** on 172.27.40.3:8643 — claude-sonnet-4-6, Citadel MCP wired

**Named agents (all Docker on 172.27.40.3 unless noted):**

| Agent | Port | Role | Schedule |
|---|---|---|---|
| hodor-gateway | 8200 | Simple Ollama gateway (POST /ask) | On-demand |
| citadel-mcp | 8300 | MCP SSE+HTTP server, 37 tools | Always-on |
| raven-notify | 8400 | Discord + Gmail notifications | Always-on |
| sam-research | 8500 | SearXNG + Ollama research | On-demand |
| qyburn-coder | 8700 | LLM coding agent (approve/reject) | On-demand |
| maester-reports | 8800 | NIST CSF compliance reports | On-demand |
| jon-snow | 8900 | Chief of staff orchestrator | Always-on |
| bran-changelog | — | Git changelog generator | Daily 06:00 |
| varys-monitor | — | Service HTTP reachability checks | Cron every 15 min |
| tarly-backup | 8750 | OPNsense config + Proxmox backup monitor | Daily 04:00 SAST |
| hermes-cloud | 8643 | Claude-powered conversational agent | Always-on |
| hermes-native | VM 108 | Primary Hermes agent (WhatsApp) | Always-on |
| vexis (workshop) | VM 108 | Nexum workshop agent (TRMM scripts) | On-demand via Hermes |

**Citadel MCP tools (37):** file ops, Docker management, Plane issues/projects/pages, TRMM (agents/scripts/confirm), Directus CRM, Proxmox backups, Qyburn task/approve, Sam research, web search, propose_file_change.

## Cron Jobs (172.27.40.3)
| Schedule | Job | Log |
|---|---|---|
| Daily 06:00 | bran-changelog/run.sh | logs/bran.log |
| Daily 06:00 | zenarmor-pull.py | monitoring/logs/zenarmor-pull.log |
| Daily 02:05 | tarly hub-backup.sh | logs/tarly-backup/hub-backup.log |
| Every 1 min | ovpn-status.py | logs/ovpn-status.log |
| Every 30 min | trmm-frappe-sync.py | logs/trmm-frappe-sync.log |

## OpenVPN S2S Sites
| Site | Tunnel IP | Status | Notes |
|---|---|---|---|
| bezhuis | 172.16.17.2 | COMPLETE | NAT + DNS overrides, LAN access live |
| mwp | 172.16.17.3 | COMPLETE | Monitoring live |
| coetzee | 172.16.17.4 | COMPLETE | Monitoring-only + Active Backup to Synology |
| fwlaw | — | PENDING | Awaiting migration |

## Agent OS Runtime
- Files: `/opt/agent-os/` on 172.27.40.3
- Repo: `git.nxm.co.za/admin/agent-os` (SSH remote: `gitea-local:admin/agent-os.git`)
- Scheduled jobs: cron on 172.27.40.3
- LLM calls: `http://172.27.40.20:11434` (Ollama) or Anthropic API (Claude Code / Hermes)
- Agent web pages: `/opt/sites/<name>/` served at agents.nxm.co.za

## Key Paths on Server
- Docker stacks: `/opt/stacks/`
- Agent OS: `/opt/agent-os/`
- Agent web pages: `/opt/sites/`
- Credentials: `~/.nxm-keys` (chmod 600) — NEVER write values elsewhere
- SSH keys: `~/.ssh/` (ED25519)
- NxM infrastructure docs: `/home/nxm/Documents/NxM Linux Server/`
- Nexum project docs: `/home/nxm/Documents/Nexum Projects/`

## Standing Decisions
- NPM handles all SSL termination — internal services use HTTP
- Docker Compose only (no Kubernetes, no Swarm)
- All destructive actions require explicit confirmation
- Credentials only in `~/.nxm-keys` — never in output, logs, or config files
- Netbird fully removed (2026-05-28) — VPN is Headscale + OpenVPN S2S
- WireGuard fully removed (2026-05-30) — replaced by OpenVPN S2S
- Open WebUI → Citadel MCP: auth_type must be `none` (empty bearer = silent failure)
- Docker → OPNsense API: run from host, never from inside a container (HTTP 400)
- NocoDB = RvDM personal only — never use for Nexum projects
- Nexum client data layer = Directus CRM