📋 **INFRASTRUCTURE REPORT: Terraform + Ansible + Semaphore** --- ## ✅ COMPLETED **1. Terraform Setup** - Digital Ocean provider configured - SSH key auto-injection working - First deployment: Arthur (146.190.92.141) - One command creates fully provisioned droplet **2. Ansible Playbook** - 11 automated tasks per server - Installs: Node.js 22, OpenClaw, curl, git - Security: UFW firewall, fail2ban, SSH hardening - Tested successfully on Arthur **3. Semaphore Web GUI** - Tested locally via Docker - Connected to GitHub repo (ckg-works/shadstone-infra) - Web interface working (localhost:3000) - Ready for production deployment **4. GitHub Repo** - ckg-works/shadstone-infra (private) - Contains: Terraform configs, Ansible playbooks, inventory, docs --- ## 🔴 CRITICAL ISSUE: Mac Mini Firewall **Problem:** Mac minis at Mikes location CANNOT SSH outbound to cloud servers. **Symptoms:** - Janice Mac mini → Arthur (146.190.92.141): Connection timeout - Trina Mac mini → Arthur: Connection timeout - Christians laptop → Arthur: Works fine ✅ **Root Cause:** Mikes router/firewall is blocking outbound SSH (port 22). **Impact:** - Mac minis cannot run Ansible playbooks to manage cloud servers - Cannot use Mac minis as control plane - Limits centralized management options **Potential Solutions:** 1. **Tailscale VPN** — Mesh network bypasses firewall 2. **Change SSH port** — Use non-standard port (may still be blocked) 3. **Router config** — Open outbound SSH (needs Mikes access) 4. **Reverse tunnel** — Cloud server connects TO Mac mini instead 5. **Run control plane elsewhere** — Use Arthur or dedicated server --- ## 🤔 DECISION NEEDED: Where to Install Semaphore? **Option A: Arthur Droplet (146.190.92.141)** - Pros: Already exists, configured, accessible - Cons: Shared with AI agent workload **Option B: Dedicated Control Plane Droplet** - Pros: Clean separation, can scale independently - Cons: Extra ~$6/month cost **Option C: Klyves VPS (72.62.199.109)** - Pros: Already running 24/7, has resources - Cons: Different provider (Hostinger), mixing concerns **Option D: Mac Mini (if firewall fixed)** - Pros: Local, no cloud cost - Cons: Blocked currently, depends on Mikes network --- ## 📊 CURRENT SERVER INVENTORY | Server | IP | Platform | Status | |--------|-----|----------|--------| | Arthur | 146.190.92.141 | Digital Ocean | ✅ Managed | | Klyve | 72.62.199.109 | Hostinger | ⚠️ Not in Ansible yet | | Billy | ? | Hostinger | ⚠️ Not in Ansible yet | | Lucy | ? | Hostinger | ⚠️ Not in Ansible yet | | Janice Mac | Local | Mac Mini | 🔴 Blocked outbound | | Lisa Mac | Local | Mac Mini | 🔴 Blocked outbound | | Trina Mac | Local | Mac Mini | 🔴 Blocked outbound | | Katrina | Cloudflare | Workers | N/A (serverless) | --- ## ❓ QUESTIONS FOR EXPERT 1. **Firewall:** Best approach to enable Mac mini → cloud SSH? 2. **Semaphore:** Recommended deployment (dedicated vs shared)? 3. **Tailscale:** Good fit for this use case? 4. **Security:** Ansible Vault best practices for multi-user team? 5. **Scaling:** How to structure inventory for 8+ agents across 3 platforms? --- ## 📎 RESOURCES - GitHub: https://github.com/ckg-works/shadstone-infra - Semaphore Docs: https://semaphoreui.com/docs/ - Tailscale: https://tailscale.com/ - Terraform DO: https://registry.terraform.io/providers/digitalocean/digitalocean CC: @michelini @ChristianKelly6