Federation Fleet Access Guide
This document provides a secure overview of the access methods for all nodes and services in the Federation Fleet.
🛰️ Node Inventory & Internal Access
| Hostname | Internal IP | Role | Primary User | Access Method |
|---|---|---|---|---|
| proxmox-host | 192.168.1.5 | Hypervisor | root | SSH / Web (8006) |
| ds9-truenas | 192.168.1.100 | Storage (ZFS) | admin | Web / NFS / SSH |
| defiant-backup | 192.168.1.4 | PBS | root | Web (8007) / SSH |
| memory-alpha | 192.168.1.13 | Admin / Gateway | vivianl | SSH / Web (3000, 8000) |
| starfleet-compute | 192.168.1.35 | AI Core / Media | vivianl | SSH / Plex / Immich |
| risa-recreation | 192.168.1.21 | Gaming Hub | vivianl | SSH / CS2 / Palworld |
| holodeck-subspace | 192.168.1.11 | Media Acquisition | vivianl | SSH / Audiobookshelf |
| enterprise-dev | 192.168.1.20 | Dev / Testbed | vivianl | SSH (LXC 110) |
| oracle-vps | 152.67.102.122 | Public Proxy | ubuntu | SSH / Gateway |
🔐 SSH Access
Global Keys
Most servers are configured to accept the following SSH keys:
- ~/.ssh/id_ed25519 (Main Federation Key)
- ~/.ssh/oracle_key (Oracle VPS specific)
Standard SSH Commands
- Local Nodes: ssh vivianl@<IP>
- Proxmox/PBS: ssh root@<IP>
- Oracle: ssh ubuntu@152.67.102.122
🔑 Storage Permission Bridge (GID 3000)
The NAS storage (/mnt/vault) enforces ownership by Group ID 3000 (media). To ensure local users (usually UID/GID 1000) can read/write to the NFS share without sudo, you must map the local user to this group.
Client Setup (Standard Procedure)
On any new VM or LXC that mounts /mnt/vault, run:
# 1. Create the local 'media' group matching the NAS GID
sudo groupadd -g 3000 media
# 2. Add the current user to the group
sudo usermod -aG media $USER
# 3. Log out and back in for changes to take effect
exit
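A pre-flight and post-setup check for the procedure above, as an added example that is not part of the original guide. The function name check_media_bridge and its state names are assumptions made for this example; the sample group entries are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the GID 3000 bridge.
MEDIA_GID=3000
MEDIA_NAME=media

# check_media_bridge GROUP_FILE USER
# GROUP_FILE uses /etc/group format: name:passwd:gid:member,member
# Prints exactly one state:
#   ok            media has GID 3000 and USER is a supplementary member
#   not_member    media has GID 3000 but USER is not listed (step 2 not done)
#   missing       no media group and GID 3000 is unused (step 1 not done)
#   name_conflict a group named media exists with a different GID
#   gid_conflict  GID 3000 already belongs to a differently named group
check_media_bridge() {
    awk -F: -v gid="$MEDIA_GID" -v name="$MEDIA_NAME" -v user="$2" '
        $1 == name && $3 != gid { state = "name_conflict"; exit }
        $1 != name && $3 == gid { state = "gid_conflict"; exit }
        $1 == name && $3 == gid {
            state = "not_member"
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user) state = "ok"
            exit
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# Constructed sample: a client where GID 3000 was already taken by another
# group, so "groupadd -g 3000 media" would fail and must not be forced.
sample=$(mktemp)
printf '%s\n' 'root:x:0:' 'vivianl:x:1000:' 'backup:x:3000:' > "$sample"
echo "sample client: $(check_media_bridge "$sample" vivianl)"
rm -f "$sample"
```

On a real client, call check_media_bridge /etc/group "$USER"; either conflict state means the existing group should be reconciled by hand before mounting /mnt/vault.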
🌐 Web Services & Port Mapping
Internal Dashboards
- Master Dashboard: http://192.168.1.13:3000
- Federation Codex: http://192.168.1.13:8000
- Audiobookshelf: http://192.168.1.11:13378
- Plex: http://192.168.1.35:32400
- Immich: http://192.168.1.35:2283
- Stirling-PDF: http://192.168.1.20:8081
External Access (HTTPS)
These services are proxied via the Oracle VPS Gateway:
- Audiobooks: https://audio.the-lal.net
- Plex: https://plex.the-lal.net
- Immich: https://immich.the-lal.net
- Documents: https://pdf.the-lal.net
🛡️ Credential Management
Security Policy: Never store plain-text passwords in this documentation or code repositories.
Where Secrets Live:
- Bitwarden/Vault: All master passwords (root, admin, user) should be stored in your primary password manager.
- Standard Federation Password: Used for sudo and initial SSH access where keys are not deployed. (Refer to Bitwarden for current value).
- Local Git Configs: Sensitive environment variables (like Cloudflare tokens) are stored in .env files within each project's subdirectory.
  - Example: code/projects/audiobooks-app/config/.env
- Ansible Vault: Automation secrets are encrypted in the server-management project.
🛠️ Infrastructure Reference
- Config Root: /mnt/infra_storage/configs/ (Legacy/Shared)
- Local Brain Root: /opt/docker_data/ (Modern/Reliable)
- Unified Vault Root: /mnt/vault/ (Target)
- Source of Truth: ~/projects/AI/code/ (Local Workspace)