Federation Fleet Access Guide
This document is the reference for the access methods of every node and service in the Federation Fleet.
🛰️ Node Inventory & Internal Access
| Hostname | Internal IP | Role | Primary User | Access Method |
|---|---|---|---|---|
| memory-alpha | 192.168.1.13 | Bridge / Registry | vivianl | SSH / Web (3000, 8000) |
| starfleet-compute | 192.168.1.35 | Engine (AI/Downloads) | vivianl | SSH / Arr-stack / Paperless |
| risa-mediacore | 192.168.1.21 | Media Hub / Gateway | vivianl | SSH / Plex / Jellyfin / Immich |
| holodeck-subspace | 192.168.1.11 | Tactical / Sandbox | root | SSH / Open-WebUI |
| ds9-truenas | 192.168.1.100 | Unified Vault (ZFS) | root | Web / NFS / SSH |
| defiant-backup | 192.168.1.4 | PBS | root | Web (8007) / SSH |
| proxmox-host | 192.168.1.5 | Hypervisor | root | SSH / Web (8006) |
| oracle-vps | 152.67.102.122 | Public Proxy | ubuntu | SSH / Gateway |
🔗 Quick Links
🔐 SSH Access & Configuration
Master SSH Shortcuts
To simplify access, a master `ssh_config` is maintained in the fleet registry. You can append it to your local `~/.ssh/config`.
Registry Path: `fleet_registry/ssh_config`
Common Aliases:
- `ssh bridge` -> Memory-Alpha
- `ssh engine` -> Starfleet-Compute
- `ssh media` -> Risa-Mediacore
- `ssh tactical` -> Holodeck-Subspace
- `ssh vault` -> DS9-TrueNAS
Global Keys
Most servers are configured to accept the following SSH keys:
- `~/.ssh/id_ed25519` (Main Federation Ed25519 Key)
- `~/.ssh/id_rsa` (Legacy RSA Key)
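The aliases and key paths above can be turned into one `Host` block per node. The script below is an added example, not the registry's own `ssh_config`: alias, address and user are taken from the inventory table, the key path is the primary Ed25519 key listed under Global Keys, and `IdentitiesOnly yes` is added so that ssh offers only that key instead of every key the agent holds (each offered key reveals a public key to the server and counts against its `MaxAuthTries`).

```shell
#!/bin/sh
# Added example, not the fleet registry's own ssh_config. Alias, address and
# user come from the inventory table; the key path assumes the primary
# Ed25519 key listed under "Global Keys".
set -eu

# One record per alias: name|address|user (constructed from the table)
FLEET_HOSTS='bridge|192.168.1.13|vivianl
engine|192.168.1.35|vivianl
media|192.168.1.21|vivianl
tactical|192.168.1.11|root
vault|192.168.1.100|root'

# write_fleet_ssh_config <file>: emit one Host block per alias, mode 0600.
write_fleet_ssh_config() {
  out="$1"
  : > "$out"
  printf '%s\n' "$FLEET_HOSTS" | while IFS='|' read -r name addr user; do
    cat >> "$out" <<EOF
Host $name
    HostName $addr
    User $user
    IdentityFile ~/.ssh/id_ed25519
    # Offer only this key; otherwise ssh tries every loaded key first,
    # which reveals all your public keys to the server and burns MaxAuthTries.
    IdentitiesOnly yes

EOF
  done
  chmod 600 "$out"
}

# resolved_hostname <file> <alias>: the HostName ssh will use for that alias.
# (Once the file is included from ~/.ssh/config, `ssh -G <alias>` shows the same.)
resolved_hostname() {
  awk -v a="$2" '$1=="Host"{cur=$2} $1=="HostName" && cur==a{print $2}' "$1"
}

# resolved_user <file> <alias>: the User ssh will log in as for that alias.
resolved_user() {
  awk -v a="$2" '$1=="Host"{cur=$2} $1=="User" && cur==a{print $2}' "$1"
}

# Stand-alone run: write next to, not into, the live config.
if [ "${1:-}" = "--write" ]; then
  write_fleet_ssh_config "$HOME/.ssh/fleet_config"
  echo "wrote $HOME/.ssh/fleet_config; add 'Include ~/.ssh/fleet_config' to ~/.ssh/config"
fi
```

Writing to a separate file and pulling it in with an `Include` line (supported since OpenSSH 7.3) keeps the registry copy replaceable without hand-editing `~/.ssh/config`; `ssh -G bridge` then prints the effective options and is the quickest way to confirm an alias resolves to the expected address and user.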
🛡️ Loopback & Bridge Hardening
On Memory-Alpha, the bridge must be able to SSH into itself (localhost) so that the automated orchestration scripts can run.
- Requirement: the local public keys must be present in `~/.ssh/authorized_keys`.
- Requirement: the host-key entries for localhost, 127.0.0.1, and 192.168.1.13 must be present in `~/.ssh/known_hosts`.
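Both requirements are easy to satisfy once and break later (a re-run appends the same key twice, a reinstall leaves a stale host key). The helpers below are an added example, not the fleet's own tooling: they make each step idempotent, take the file paths as parameters so they can be tried against a scratch directory, and assume plain `type base64 comment` key lines (no `from=` or `command=` options prefix).

```shell
#!/bin/sh
# Added example, not the fleet's own tooling: idempotent versions of the two
# loopback requirements. Paths are parameters; on the bridge pass ~/.ssh paths.
set -eu

# ensure_authorized_key <pubkey-file> <authorized_keys>
# Adds the key only if its key material (field 2) is absent, then sets the
# modes sshd's StrictModes check requires. Assumes plain "type base64 comment"
# lines, i.e. no options prefix such as from= or command=.
ensure_authorized_key() {
  pub="$1"; auth="$2"
  keymat=$(awk '{print $2}' "$pub")
  mkdir -p "$(dirname "$auth")"
  touch "$auth"
  if ! awk -v k="$keymat" '$2==k{f=1} END{exit !f}' "$auth"; then
    cat "$pub" >> "$auth"
  fi
  chmod 700 "$(dirname "$auth")"
  chmod 600 "$auth"
}

# count_authorized <authorized_keys> <pubkey-file>: lines carrying that key
count_authorized() {
  awk -v k="$(awk '{print $2}' "$2")" '$2==k{n++} END{print n+0}' "$1"
}

# ensure_known_hosts <known_hosts> <host>...
# Pins the local sshd's host key under each name the scripts may use, so
# localhost, 127.0.0.1 and 192.168.1.13 all verify against it. Existing
# entries are never overwritten (a changed key should be investigated, not
# silently re-pinned). Needs sshd listening, so it is not exercised offline.
ensure_known_hosts() {
  kh="$1"; shift
  touch "$kh"
  for h in "$@"; do
    if ssh-keygen -F "$h" -f "$kh" >/dev/null 2>&1; then
      continue   # already pinned
    fi
    ssh-keyscan -t ed25519 "$h" 2>/dev/null >> "$kh" || true
  done
}

# On the bridge itself:
#   ensure_authorized_key ~/.ssh/id_ed25519.pub ~/.ssh/authorized_keys
#   ensure_known_hosts ~/.ssh/known_hosts localhost 127.0.0.1 192.168.1.13
```

Matching on the key material rather than the whole line means a key re-exported with a different comment is still recognised as a duplicate, and skipping hosts that `ssh-keygen -F` already finds means a key change after a rebuild surfaces as a verification failure instead of being papered over.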
🔑 Storage Permission Bridge (GID 3000)
The NAS storage (`/mnt/vault`) enforces ownership by Group ID 3000 (`media`). To let local users (usually UID/GID 1000) read and write the NFS share without sudo, you must add the local user to a local group with that same GID.
Client Setup (Standard Procedure)
On any new VM or LXC that mounts `/mnt/vault`, run:
```bash
# 1. Create the local 'media' group matching the NAS GID
sudo groupadd -g 3000 media
# 2. Add the current user to the group
sudo usermod -aG media "$USER"
# 3. Log out and back in for changes to take effect
exit
```
🌐 Web Services & Port Mapping
Internal Dashboards
- Master Dashboard: http://192.168.1.13:3000
- Federation Codex: http://192.168.1.13:8000
- Plex: http://192.168.1.35:32400
- Immich: http://192.168.1.35:2283
📡 Gateway Routing
External Access (HTTPS)
These services are proxied via the Oracle VPS Gateway:
- Audiobooks: https://audio.the-lal.net
- Plex: https://plex.the-lal.net
- Immich: https://immich.the-lal.net
- Documents: https://paperless.the-lal.net (Paperless-ngx)
🛡️ Credential Management
Security Policy: Never store plain-text passwords in this documentation or code repositories.
Where Secrets Live:
- Bitwarden/Vault: All master passwords (root, admin, user) should be stored in your primary password manager.
- Standard Federation Password: Used for `sudo` and initial SSH access where keys are not deployed. (Refer to Bitwarden for the current value.)
- Local Git Configs: Sensitive environment variables (like Cloudflare tokens) are stored in `.env` files within each project's subdirectory.
  - Example: `code/projects/audiobooks-app/config/.env`
- Ansible Vault: Automation secrets are encrypted in the `server-management` project.
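Keeping tokens in per-project `.env` files only upholds the policy above if git never sees them. The script below is an added example, not part of any fleet repository: given a repository path, it lists `.env` files that no `.gitignore` covers and `.env` files that are already tracked (a later ignore rule does not remove those from the index), which is the check worth running from a pre-commit hook.

```shell
#!/bin/sh
# Added example, not part of the fleet's repositories: find .env files that
# git would not ignore or has already tracked. Repo directory is a parameter.
set -eu

# unignored_env_files <repo>: .env files (any depth) that git does not ignore.
# Empty output means every .env is covered by a .gitignore rule.
unignored_env_files() {
  ( cd "$1" &&
    find . -type f -name '.env' ! -path './.git/*' | while read -r f; do
      p="${f#./}"
      git check-ignore -q "$p" || echo "$p"
    done )
}

# tracked_env_files <repo>: .env files already in the index. A .gitignore
# added afterwards does not protect these; they need `git rm --cached`.
tracked_env_files() {
  ( cd "$1" && git ls-files | grep -E '(^|/)\.env$' || true )
}

# audit_repo <repo>: "ok", or a summary of what still needs attention.
audit_repo() {
  u=$(unignored_env_files "$1" | wc -l | tr -d ' ')
  t=$(tracked_env_files "$1" | wc -l | tr -d ' ')
  if [ "$u" = 0 ] && [ "$t" = 0 ]; then
    echo ok
  else
    echo "unignored=$u tracked=$t"
  fi
}

# Stand-alone run: audit_repo ~/projects/AI/code/projects/audiobooks-app
if [ "${1:-}" = "--audit" ] && [ -n "${2:-}" ]; then
  audit_repo "$2"
fi
```

A `.gitignore` rule of just `.env` (no leading path) matches the file at any depth, which is the simplest rule for the per-project layout above; the tracked-file check exists because the ignore rule is checked only at `git add` time.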
🛠️ Infrastructure Reference
- Config Root: `/mnt/infra_storage/configs/` (Legacy/Shared)
- Local Brain Root: `/opt/docker_data/` (Modern/Reliable)
- Unified Vault Root: `/mnt/vault/` (Target)
- Source of Truth: `~/projects/AI/code/` (Local Workspace)