Data Center Infrastructure V02


Dive into the latest updates on our Data Centers! Enjoy streamlined SSH access with ProxyJump, updated VM names, and new configurations that simplify everything for the team!


created_at: 2026-06-04T20:25:06Z updated_at: 2026-06-05T16:53:50Z created_by: claude (opus-4.8) macbook-air modified_by: claude (opus-4.8) macbook-air

Data Center Infrastructure (V02)

Maintenance note: Server names, IP addresses, and ports are defined once in the reference tables at the top of each data-center section; these tables are the single source of truth. The prose below each table refers to machines by their short alias (e.g. fsdc-maestro, nws-nn12prod) rather than repeating concrete names or IPs. The SSH access config on the Mac (~/.ssh/config, see SSH access) mirrors these tables. When an address or port changes, edit the reference table and the matching HostName line in ~/.ssh/config, nowhere else.

Naming convention: VMs are prefixed by data center: fsdc- = Fell Street Data Center, nws- = Nick Web Services (a subset of VMs in the Rochester Data Center).

What changed from V01: Remote SSH access no longer uses the two-terminal tunnel + localhost:PORT process. It now uses a single-command SSH ProxyJump setup (one terminal, jump through the maestro reverse proxy automatically). See SSH access. The internal fsdc-avatar08 VM has been retired and replaced by fsdc-avatar09.


SSH access (ProxyJump)

All internal VMs sit behind a data center's public-facing maestro reverse proxy (Nginx), which is the single public entry point exposed on ports 22, 80, and 443. To reach an internal VM over SSH, the connection jumps through that data center's maestro host.

This is configured once in ~/.ssh/config on the Mac using OpenSSH's ProxyJump directive. Each VM block names its data center's maestro as the jump host, so a single command opens the connection in one terminal, with no separate tunnel and no localhost:PORT second step:

```sh
ssh fsdc-avatar09        # FSDC VM, jumps through fsdc-maestro
ssh nws-nn12prod         # RDC VM, jumps through nws-maestro
```

scp, rsync, and git-over-SSH to these host aliases route through the matching maestro automatically as well.

~/.ssh/config

The HostName values below are the only place IPs are duplicated outside the reference tables; keep them in sync with the tables. User is nick for all hosts. No IdentityFile is pinned; SSH falls back to the agent / default key.

```
# -- FSDC: jump through fsdc-maestro04 --
Host fsdc-maestro04
  HostName 69.181.201.250
  User nick

Host fsdc-avatar09
  HostName 192.168.0.55
  User nick
  ProxyJump fsdc-maestro04

# -- FSDC on-site (same LAN): direct, no jump (see "On-site access" below) --
Host fsdc-maestro04-local
  HostName 192.168.0.59
  User nick

Host fsdc-avatar09-local
  HostName 192.168.0.55
  User nick

# -- RDC: jump through nws-maestro06 --
Host nws-maestro06
  HostName 69.207.163.8
  User nick

Host nws-nn12prod
  HostName 192.168.100.192
  User nick
  ProxyJump nws-maestro06

Host nws-nn12dev
  HostName 192.168.100.217
  User nick
  ProxyJump nws-maestro06

Host nws-whatsticks13
  HostName 192.168.100.222
  User nick
  ProxyJump nws-maestro06

Host nws-tastermonial
  HostName 192.168.100.202
  User nick
  ProxyJump nws-maestro06

Host nws-kv23
  HostName 192.168.100.193
  User nick
  ProxyJump nws-maestro06

Host nws-golightly-prod
  HostName 192.168.100.154
  User nick
  ProxyJump nws-maestro06

Host nws-golightly-dev
  HostName 192.168.100.214
  User nick
  ProxyJump nws-maestro06
```
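As an added example (not part of this document or the Mac's actual setup), a small Python check that parses a ~/.ssh/config excerpt and compares each alias's HostName and ProxyJump against the reference-table values, so drift between the two is caught before it locks you out of a VM; the config text and the REFERENCE mapping below are constructed from the entries above, and a jump host that is itself behind a ProxyJump is flagged as unreachable.

```python
# Added example (not from the original doc): catch HostName / ProxyJump drift
# between ~/.ssh/config and the reference tables before it causes a lockout.

# Constructed sample: a subset of the config shown above.
SSH_CONFIG = """\
Host fsdc-maestro04
  HostName 69.181.201.250
  User nick

Host fsdc-avatar09
  HostName 192.168.0.55
  User nick
  ProxyJump fsdc-maestro04
"""

# Reference-table rows: alias -> (address, jump host). Jump hosts are reached
# directly, so their expected jump host is None.
REFERENCE = {
    "fsdc-maestro04": ("69.181.201.250", None),
    "fsdc-avatar09": ("192.168.0.55", "fsdc-maestro04"),
}

def parse_ssh_config(text):
    """Return {alias: {keyword_lowercase: value}} for each Host block."""
    hosts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            block = hosts.setdefault(value.strip(), {})
        elif block is not None:
            block[key.lower()] = value.strip()
    return hosts

def check_config(text, reference):
    """Return drift findings; an empty list means config and tables agree."""
    hosts, findings = parse_ssh_config(text), []
    for alias, (addr, jump) in reference.items():
        blk = hosts.get(alias, {})
        if blk.get("hostname") != addr:
            findings.append(f"{alias}: HostName {blk.get('hostname')} != {addr}")
        if blk.get("proxyjump") != jump:
            findings.append(f"{alias}: ProxyJump {blk.get('proxyjump')} != {jump}")
        # The jump host must be reachable directly, never itself behind a jump.
        if jump and "proxyjump" in hosts.get(jump, {}):
            findings.append(f"{alias}: jump host {jump} is itself behind ProxyJump")
    return findings
```

To run it against the real file, read ~/.ssh/config into the text argument and extend REFERENCE with every row of the two reference tables.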

On-site access (-local aliases)

When physically on the FSDC LAN (or on the FSDC WireGuard VPN), the Mac can reach servers directly on their 192.168.0.x addresses without bouncing out to the public IP and back through fsdc-maestro04. The *-local aliases do exactly that, using the same LAN IP as HostName but no ProxyJump:

```sh
ssh fsdc-maestro04-local     # direct to 192.168.0.59 on the LAN
ssh fsdc-avatar09-local      # direct to 192.168.0.55 on the LAN
```

Notes:

  • The -local aliases only work on the FSDC network. Off-site they hang or fail; use the plain fsdc-maestro04 / fsdc-avatar09 aliases, which route through the public entry point.
  • fsdc-maestro04-local connects to maestro on its LAN IP, a different address than the public one, so SSH records a separate known_hosts entry and prompts for the fingerprint on first connect (same server, same key, new address).
  • RDC has no -local aliases: those VMs live at a remote site, so they are always reached through nws-maestro06.

Future option: Tailscale

Tailscale (already running on fsdc-macmini) can later put every VM on a private mesh network, allowing direct SSH by name without the maestro jump host. This would be an overlay alongside maestro's public web entry point, not a replacement for it (ports 80/443 and Nginx routing stay as-is). Two deployment shapes: install Tailscale on each VM (best experience, stable per-VM names), or run a subnet router on each maestro advertising the internal subnet (one install per data center). Not yet adopted; recorded here as the planned next step.


Fell St Data Center (FSDC)

Reference: FSDC hosts & addresses

| Alias | Concrete name | Address | Role / Notes |
| --- | --- | --- | --- |
| fsdc-maestro | maestro04 | Public: 69.181.201.250 (via router) · LAN: 192.168.0.59 | Reverse proxy (Nginx), Ubuntu. Single public entry point. On-site, reach it directly on the LAN IP. |
| fsdc-router | TP-Link AX6000 | App: http://192.168.0.1/ · Public IP: 69.181.201.250 | Wi-Fi 6 router, WireGuard VPN. |
| fsdc-modem | Xfinity XB8-T | - | Modem/router in bridge mode. |
| fsdc-proxmox | Neosmay Mini PC | https://192.168.0.38:8006 | Proxmox VE host. |
| fsdc-avatar09 | Avatar09 | 192.168.0.55 | Ubuntu VM, SSH access (replaces retired Avatar08). |
| fsdc-macmini | Mac mini (M1) | macmini.the404api.dashanddata.com → port 8000 | Accessible via Tailscale. |

Overview

The Fell St Data Center consists of a home router (fsdc-router) forwarding all inbound HTTP, HTTPS, and SSH traffic (ports 80, 443, and 22) directly to the reverse proxy server fsdc-maestro. fsdc-maestro handles public exposure of internal services and performs routing using Nginx. It runs Ubuntu. Remote SSH to internal machines jumps through fsdc-maestro (see SSH access).

Router and Internet access

The apartment has Xfinity internet through the fsdc-modem (Xfinity XB8-T modem / router / Wi-Fi device), which is set to bridge mode. The fsdc-router (TP-Link AX6000 8-Stream Wi-Fi 6 Router) routes traffic to fsdc-maestro and all other servers in the apartment. The fsdc-router displays the public IP address listed in the reference table. The fsdc-router has WireGuard set up so users can VPN into the home network; this gives access to the router app and to fsdc-proxmox (see the reference table for addresses).

  • The fsdc-router app does not seem to have the ability to restrict SSH access by IP address. IP address restrictions occur on fsdc-maestro using Nginx and Uncomplicated Firewall (UFW).
  • When users are on the VPN they cannot access the internet. It is not clear if this is a setting that has not been fixed or if the fsdc-router is not permitting this.

Proxmox and Neosmay Mini PC

Proxmox Virtual Environment (fsdc-proxmox) runs on the Neosmay Mini PC.

  • Model: AC8-N6005
  • RAM: 16 GB, DDR4
  • SSD: M.2 2280 512 GB SATA SSD
  • CPU: Intel Pentium N6005

Mac Mini

fsdc-macmini is located at FSDC and is reached through Tailscale.

  • Model: M1, 2020
  • RAM: 8 GB
  • SSD: 250 GB
  • CPU: Apple Silicon

Basic Architecture of Virtual Machines Behind fsdc-maestro

The VMs behind fsdc-maestro run Ubuntu and host mostly Node.js and Python apps. Most of the apps are web facing. There is a user with admin sudo privileges named nick (with its own group). There is also a limited_user user that has a /home/limited_user/ directory but no login and no sudo privileges. See General Server Architecture for details.

Machines on FSDC

Internal machines include:

  • fsdc-avatar09 (Avatar09): Ubuntu VM accessible via SSH, used for additional hosted applications or development services. Reach it with ssh fsdc-avatar09, which jumps through fsdc-maestro automatically.

fsdc-maestro serves as the single public entry point, proxying traffic to the internal machines based on ports or hostnames (e.g. the fsdc-macmini hostname for the Mac mini's port 8000 service). This setup centralizes exposure of LAN-hosted services while keeping the internal network private.


Rochester Data Center (RDC)

The Rochester Data Center (RDC) is home to many VMs stored on my brother's server. Its public-facing reverse proxy is nws-maestro. Most RDC VMs use the nws- prefix (Nick Web Services). Like all my VMs they run Ubuntu 24.04 LTS.

Reference: RDC hosts & addresses

| Alias | Concrete name | Address | Role / Notes |
| --- | --- | --- | --- |
| nws-maestro | maestro06 | Public: 69.207.163.8 | Reverse proxy (Nginx), Ubuntu 24.04 LTS. Single public entry point. |
| rdc-router | Unifi router | https://192.168.211.1/network/default/dashboard | VPN: L2TP over IPSec. Can restrict SSH/ports by IP. |
| rdc-vmware | VMware | https://192.168.211.100/ui/#/login | Accessible when on VPN. |

Reference: RDC VMs (behind nws-maestro)

| Alias | Concrete name | Internal IP |
| --- | --- | --- |
| nws-nn12prod | nn12prod | 192.168.100.192 |
| nws-nn12dev | nn12dev | 192.168.100.217 |
| nws-whatsticks13 | WhatSticks13 | 192.168.100.222 |
| nws-tastermonial | tastermonial | 192.168.100.202 |
| nws-kv23 | Kv23 | 192.168.100.193 |
| nws-golightly-prod | go-lightly-prod | 192.168.100.154 |
| nws-golightly-dev | go-lightly-dev | 192.168.100.214 |

Access

Behind nws-maestro are many VMs (see the VM reference table). They are reached over SSH by jumping through nws-maestro, one command per VM, no tunnel:

```sh
ssh nws-nn12prod
ssh nws-golightly-dev
```

The ProxyJump configuration for each VM lives in ~/.ssh/config on the Mac (see SSH access); each VM block uses its Internal IP from the table above and names nws-maestro as the jump host.

RDC Router

The RDC uses a Unifi router app (rdc-router). This router app can be accessed using the VPN. The VPN access uses L2TP over IPSec. When the user is on the VPN, the router app is accessed at the address in the reference table. The Unifi router allows restricting SSH and other ports by IP address.

The RDC uses VMware (rdc-vmware), accessible on the network when on the VPN (see the reference table for the address).


General Server Architecture

The virtual machines in these data centers run Ubuntu 24.04 LTS server and use three users to separate administration from application runtime.

Users

nick

The primary admin user. Responsible for:

  • configuring the server (packages, nginx, fail2ban, firewall, etc.)
  • managing systemd service files in /etc/systemd/system/
  • managing sudoer permissions
  • cloning repositories and setting up application directories
  • running Claude Code and other dev tools

Nick's home directory is /home/nick/. The agent_resources/ folder inside it contains documentation and reference files for the server's setup.

limited_user

A system user with no login shell. Runs all production applications via systemd services. Its home directory at /home/limited_user/ is organized as follows:

  • applications/: cloned app repositories
  • environments/: Python virtual environments, one per app
  • databases/: SQLite or other file-based databases
  • logs/: application log files
  • project_resources/: shared data or assets used by apps
  • _config_files/: app-specific config files

Service Files

Each application has a corresponding systemd service file in /etc/systemd/system/. Services run as limited_user and reference paths inside /home/limited_user/. Environment variables are loaded from a .env file inside the application directory.

Key Principle

Nick configures the server; limited_user runs the apps. This separation limits the blast radius of any compromised application process.
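As an added example (not one of the project's actual unit files), a Python lint for the service files described under Service Files that enforces the key principle above: it checks that a unit runs as limited_user, keeps WorkingDirectory and EnvironmentFile under /home/limited_user/, starts its interpreter from environments/, and carries the systemd sandboxing directives that keep a compromised app contained. The sample unit, the app name exampleapp, and the ReadWritePaths choice (databases/ and logs/ are the only writable trees under ProtectSystem=strict) are constructed for this example.

```python
# Added example (not from the original doc): lint a unit in /etc/systemd/system/
# so that "limited_user runs the apps" is enforced, not just documented.

import configparser

HOME = "/home/limited_user/"

# Constructed sample unit for a hypothetical Python app "exampleapp".
GOOD_UNIT = """\
[Unit]
Description=exampleapp
After=network.target

[Service]
User=limited_user
WorkingDirectory=/home/limited_user/applications/exampleapp
EnvironmentFile=/home/limited_user/applications/exampleapp/.env
ExecStart=/home/limited_user/environments/exampleapp/bin/python -m exampleapp
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=/home/limited_user/databases /home/limited_user/logs
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

def lint_unit(text):
    """Return findings for a unit file; an empty list means it follows the layout."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep systemd's case-sensitive keys as written
    cp.read_string(text)
    svc = cp["Service"] if cp.has_section("Service") else {}
    findings = []
    if svc.get("User") != "limited_user":
        findings.append(f"User={svc.get('User')}: apps must run as limited_user")
    for key in ("WorkingDirectory", "EnvironmentFile"):
        path = svc.get(key, "")
        if not path.startswith(HOME):
            findings.append(f"{key}={path or '<unset>'}: must be under {HOME}")
    exe = svc.get("ExecStart", "").split()
    if not exe or not exe[0].startswith(HOME + "environments/"):
        findings.append("ExecStart: interpreter should come from environments/")
    for key, want in (("NoNewPrivileges", "yes"), ("ProtectSystem", "strict")):
        if svc.get(key) != want:
            findings.append(f"{key}: set to {want} to contain a compromised app")
    return findings
```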