Live Stack

Stack Status

Public-safe infrastructure snapshot: high-level VM health, service status, and sanitized change notes. Transparency without free recon.


Security posture: Internal hostnames, IPs, and admin surfaces are not published here. All admin access is VPN-only. Public access routes exclusively through the edge layer. Audit entries are delayed and generalized before appearing.

Trust Plane Model

Everything operates within one of four trust planes. Plane membership determines access rules, not role, not convenience.

Plane A: Public Internet
  Untrusted. Browsers, mobile, bots, scanners. Zero trust assumed.
Plane B: VPN Overlay
  Device identity over IP trust. SSH, admin UIs, all internal services. Human control plane.
Plane C: Virtualization Layer
  Hypervisor substrate. No public ingress. VPN or LAN access only. Never directly exposed.
Plane D: Service Plane
  All workload VMs. Application execution happens here. Isolated per domain.
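The plane model above is a policy, and a policy reads best when it is written down as something a config audit can execute. The following is an added example, not code from the TekForge page: it encodes the four planes as an explicit allow-list keyed on the plane a request originates from and the kind of surface it targets, so that a request is judged by plane membership and never by the caller's role. The surface categories (edge, admin, hypervisor, workload), the LAN source and the domain labels are assumptions drawn from the page text.

```python
"""Trust-plane access policy as code.

Added example, not code from the TekForge page: it encodes the four-plane
model as an explicit allow-list keyed on (source plane, target surface).
The surface categories, the LAN source and the domain labels are assumptions
drawn from the page text.
"""
from enum import Enum


class Plane(Enum):
    A_PUBLIC = "public-internet"    # untrusted: browsers, mobile, bots, scanners
    B_VPN = "vpn-overlay"           # device identity; the human control plane
    C_VIRT = "virtualization"       # hypervisor substrate, never exposed
    D_SERVICE = "service-plane"     # workload VMs, isolated per domain
    LAN = "lan"                     # assumed: the local network the page allows to reach Plane C


class Surface(Enum):
    EDGE = "edge"                   # the single public ingress
    ADMIN = "admin"                 # SSH, admin UIs, internal services
    HYPERVISOR = "hypervisor"       # Plane C itself
    WORKLOAD = "workload"           # application VMs in Plane D


# The whole policy: (source plane, target surface) pairs that may connect.
# Anything absent is denied; there is no role-based escape hatch.
ALLOW = frozenset({
    (Plane.A_PUBLIC, Surface.EDGE),        # public traffic terminates at the edge layer only
    (Plane.B_VPN, Surface.ADMIN),
    (Plane.B_VPN, Surface.HYPERVISOR),
    (Plane.B_VPN, Surface.WORKLOAD),
    (Plane.LAN, Surface.HYPERVISOR),       # "VPN or LAN access only"
    (Plane.D_SERVICE, Surface.WORKLOAD),   # workload-to-workload, subject to domain isolation
})


def is_allowed(source, target, source_domain=None, target_domain=None, role=None):
    """Decide on plane membership alone. `role` is accepted purely to show
    that it does not influence the result."""
    if (source, target) not in ALLOW:
        return False
    if source is Plane.D_SERVICE and target is Surface.WORKLOAD:
        # Plane D is isolated per domain: business and personal never mesh.
        return source_domain is not None and source_domain == target_domain
    return True


def find_violations(routes):
    """Audit (source plane, target surface, source_domain, target_domain)
    routes and return those the model forbids. Intended as a pre-apply check
    on an exported firewall or reverse-proxy rule set."""
    return [r for r in routes if not is_allowed(*r)]


# Constructed sample routes: the second and fourth violate the model.
SAMPLE_ROUTES = [
    (Plane.A_PUBLIC, Surface.EDGE, None, None),
    (Plane.A_PUBLIC, Surface.ADMIN, None, None),
    (Plane.B_VPN, Surface.HYPERVISOR, None, None),
    (Plane.D_SERVICE, Surface.WORKLOAD, "business", "personal"),
    (Plane.D_SERVICE, Surface.WORKLOAD, "business", "business"),
]

if __name__ == "__main__":
    for route in find_violations(SAMPLE_ROUTES):
        print("VIOLATION:", route)
```

The design choice worth noting is that `ALLOW` is a closed set: adding a new plane or surface changes nothing until a pair is added explicitly, which is the default-deny behaviour the plane model is meant to guarantee.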

Core Platform Services

Cross-domain infrastructure serving all workloads. Internal hostnames are masked.

Domain VM Inventory

Each domain runs a minimum 4-VM model. Business and personal automation are strictly separated. VM designators are masked.

CHAD / Intelligence Layer

A logical layer spanning the infrastructure, not a VM but a system-of-systems. Memory, reasoning, automation, and awareness are independently deployed and coordinated.

CHAD build progress:
  • citadel-lore: Live
  • citadel-compass: ~60%
  • citadel-warden: ~65%
  • citadel-oracle: Paused

Audit Trail

Change notes and deployment summaries. Delayed and sanitized; no internal paths, IPs, or admin surfaces.

  • citadel-crier deployed -- MDM platform live, first managed endpoint enrolled
    Tags: public-safe, platform, endpoint
    Self-hosted MDM platform deployed. Android Device Owner enrollment via QR provisioning. Custom branded launcher, OS-level policy restrictions, and MQTT-based telemetry reporting active. First managed endpoint enrolled and locked down. Real-world use case: family device management at enterprise posture. All free tooling.
  • TekForge Commons launched -- Revolt community platform live
    Tags: public-safe, platform, community
    Self-hosted Revolt instance live at thecommons.tekforge.dev. Private, invite-only community running on TekForge infrastructure. Seven channels at launch. Entry by request only -- no open registration. The operator is the same person in the server with you.
  • Internal CA operational -- admin surface cert issued
    Tags: public-safe, security, delayed
    Internal certificate authority established. Admin-facing surface now running a CA-issued cert with 90-day rotation. Root CA distributed to managed endpoints. Admin surface remains VPN-only; no change to public routing.
  • ACME challenge passthrough added to ingress layer
    Tags: public-safe, network
    Ingress layer updated to pass ACME challenges through to the mail server for automated Let's Encrypt cert renewal. UFW updated to allow challenge traffic only. No additional services exposed.
  • Mail server updated -- Let's Encrypt cert deployed
    Tags: public-safe, reliability
    Mail server updated to current release. Self-signed cert replaced with a valid Let's Encrypt certificate. No service interruption during the update window.
  • ForgeGolem Phase 3h complete -- Ansible baseline extended to full fleet
    Tags: public-safe, automation
    Ansible-enforced baseline now covers all in-scope TekForge VMs. Packages, time sync, SSH hardening, and firewall rules are idempotently managed and verified clean across the fleet. Multi-host runs stable.
  • ops.tekforge.dev migrated to dedicated internal VM
    Tags: public-safe, platform, delayed
    Internal ops surface moved off shared infrastructure to a dedicated VM. VPN-only access enforced throughout. Public routing and external services unaffected.
  • Site v2 deployed: dynamic dashboard, architecture v2 write-up
    Tags: public-safe, platform
    Dashboard now pulls live VM health from Proxmox API via an internal polling script. Real VM names never leave the script; only aliases are written to the public status.json.
  • User-endpoint credential-stealer incident, contained
    Tags: public-safe, incident, delayed
    Commodity credential-stealer on a family Windows endpoint. Network isolated within ~5 minutes. Three-tool offline scan pass performed. IR SOP v1.0 drafted and published. Full write-up in the Writing section.
  • Default-deny egress enforced across container runtime
    Tags: public-safe, security, delayed
    All containers now require explicit allowlists for external access. Prompted by post-incident network boundary audit. Hardcoded vendor update URLs identified and removed from three services.
  • IAM layer pre-work complete, rollout staged
    Tags: public-safe, identity, delayed
    Authentik SSO/MFA pre-work complete. Domain-scoped identity model finalized; no cross-domain identity mesh. Rollout sequenced: TekForge first. Target: Q2 2026.
  • Edge routing model finalized
    Tags: public-safe, network, delayed
    Single public ingress confirmed for all domains. Admin surfaces remain VPN-only; no overlap with public routing. SSO subdomain routing documented and staged per domain.
  • Backup posture verified, dedicated vault VM scoped
    Tags: public-safe, reliability
    Full restore test completed. Dedicated backup/audit VM formally scoped and added to roadmap, replacing ad-hoc backup scripts.
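Two of the controls this page relies on are described in the Security posture note and the "Site v2 deployed" entry: real VM names never leave the polling script, and audit entries are delayed and generalized before they appear. The following is an added example, not the TekForge polling script, that shows both in one publishable-status builder: an allow-list alias map (unknown VMs are dropped, not passed through), a coarse health label instead of raw metrics, a seven-day embargo with week-granularity dates for change notes, and a release gate that refuses to write the file if any internal identifier survives. The inventory records are a constructed stand-in for a Proxmox-style VM list (vmid, name, status, cpu, node); the alias map, thresholds and embargo length are assumptions.

```python
"""Public status.json builder with name aliasing and audit-entry embargo.

Added example, not the TekForge polling script. The inventory shape is a
constructed stand-in for a Proxmox-style VM list; ALIASES, DEGRADED_CPU and
AUDIT_DELAY are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Allow-list of publishable VMs, real name -> public alias. A VM missing from
# this map is dropped, never passed through, so a newly created VM cannot
# leak its real name by default.
ALIASES = {
    "tf-edge-01": "edge",
    "tf-auth-01": "identity",
    "tf-mail-01": "mail",
}

AUDIT_DELAY = timedelta(days=7)   # assumed embargo before a change note is published
DEGRADED_CPU = 0.90               # assumed threshold for a "degraded" label

# Constructed inventory as an internal poller might receive it. The vmid,
# node and real name fields must never reach the public file.
SAMPLE_VMS = [
    {"vmid": 101, "name": "tf-edge-01", "status": "running", "cpu": 0.12, "node": "pve-1"},
    {"vmid": 102, "name": "tf-auth-01", "status": "stopped", "cpu": 0.00, "node": "pve-1"},
    {"vmid": 103, "name": "tf-mail-01", "status": "running", "cpu": 0.95, "node": "pve-2"},
    {"vmid": 104, "name": "tf-scratch-01", "status": "running", "cpu": 0.30, "node": "pve-2"},
]

NOW = datetime(2026, 3, 15, 10, 30, tzinfo=timezone.utc)

# Constructed internal change log; "host" and "ip" are internal-only fields.
SAMPLE_AUDIT = [
    {"title": "Internal CA operational", "tags": {"security", "delayed"},
     "when": NOW - timedelta(days=10), "host": "tf-ca-01", "ip": "10.20.0.7"},
    {"title": "Edge rule adjusted", "tags": {"network"},
     "when": NOW - timedelta(days=2), "host": "tf-edge-01", "ip": "10.20.0.2"},
]


def vm_health(vm):
    """Collapse raw status and CPU load into a coarse, non-revealing label."""
    if vm.get("status") != "running":
        return "down"
    return "degraded" if vm.get("cpu", 0.0) > DEGRADED_CPU else "healthy"


def sanitize_inventory(raw_vms):
    """Return public-safe VM records: alias and health, nothing else."""
    public = []
    for vm in raw_vms:
        alias = ALIASES.get(vm.get("name"))
        if alias is None:
            continue                      # not allow-listed: never published
        public.append({"vm": alias, "health": vm_health(vm)})
    return sorted(public, key=lambda r: r["vm"])


def release_audit(entries, now):
    """Release entries older than the embargo, keeping only title, tags and an
    ISO-week period so exact timing cannot be correlated with other sources."""
    released = []
    for entry in entries:
        if now - entry["when"] < AUDIT_DELAY:
            continue
        released.append({
            "title": entry["title"],
            "tags": sorted(entry["tags"]),
            "period": entry["when"].strftime("%Y-W%V"),
        })
    return released


def build_status_doc(raw_vms, audit_entries, now):
    return {
        "generated": now.strftime("%Y-%m-%dT%H:00Z"),   # hour precision only
        "vms": sanitize_inventory(raw_vms),
        "audit": release_audit(audit_entries, now),
    }


def leaks(public_json, internal_identifiers):
    """Release gate: any internal identifier found in the output blocks publishing."""
    return [s for s in internal_identifiers if s in public_json]


def build_status(raw_vms, audit_entries, now):
    """Serialize the public document, refusing to emit it if the gate trips."""
    doc = json.dumps(build_status_doc(raw_vms, audit_entries, now), indent=2)
    secrets = ([vm["name"] for vm in raw_vms] + [vm["node"] for vm in raw_vms]
               + [e["ip"] for e in audit_entries] + [e["host"] for e in audit_entries])
    found = leaks(doc, secrets)
    if found:
        raise RuntimeError("refusing to publish, internal identifiers present: %r" % found)
    return doc


if __name__ == "__main__":
    print(build_status(SAMPLE_VMS, SAMPLE_AUDIT, NOW))
```

The gate in `build_status` is the part worth copying: it is built from the same raw records the poller already holds, so it needs no separate list of secrets to maintain, and a future field added to the inventory that accidentally reaches the output fails the publish step instead of appearing on the public page.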
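The "Default-deny egress" entry describes two follow-up checks a boundary audit needs: confirming that every allowed outbound connection is covered by a container's explicit allowlist, and finding hardcoded vendor URLs in service configuration that would otherwise bypass allowlist review. The following is an added example, not TekForge's tooling: it runs both checks over constructed sample data. The connection-log format, the allowlist contents and the environment fragment are all assumptions made up for the example.

```python
"""Egress allowlist audit over sample connection logs plus a hardcoded-URL scan.

Added example, not TekForge's tooling. The log format, EGRESS_POLICY and
SAMPLE_ENV are constructed assumptions.
"""
import re

# Per-container allowlist of (host, port). Under default-deny, an observed
# *allowed* connection outside this set means a rule gap or an exemption
# that should not exist; denied connections are the runtime doing its job.
EGRESS_POLICY = {
    "mail": {("acme.example-ca.net", 443), ("smtp-relay.example-isp.net", 587)},
    "web":  {("acme.example-ca.net", 443)},
    "mdm":  {("push.example-mdm.net", 8883)},
}

# Constructed egress log lines: "<ts> <container> -> <host>:<port> <action>".
LOG_LINES = """\
2026-03-15T10:01:02Z mail -> acme.example-ca.net:443 allow
2026-03-15T10:01:05Z web -> updates.example-vendor.com:443 allow
2026-03-15T10:01:09Z mdm -> push.example-mdm.net:8883 allow
2026-03-15T10:02:11Z mdm -> 203.0.113.9:80 deny
2026-03-15T10:02:40Z cache -> cdn.example-vendor.com:443 allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<container>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+) (?P<action>allow|deny)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "container": m["container"], "host": m["host"],
            "port": int(m["port"]), "action": m["action"]}


def audit_egress(lines, policy):
    """Return (finding, container, destination) tuples for allowed connections
    that are outside policy or come from a container with no policy at all."""
    findings = []
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        dest = "%s:%d" % (rec["host"], rec["port"])
        allowed = policy.get(rec["container"])
        if allowed is None:
            findings.append(("unmanaged-container", rec["container"], dest))
        elif (rec["host"], rec["port"]) not in allowed:
            findings.append(("outside-allowlist", rec["container"], dest))
    return findings


URL_RE = re.compile(r"https?://[^\s\"']+")


def hardcoded_urls(config_text):
    """Return the distinct literal URLs in a config/env fragment. Each one is
    an egress path that was never reviewed against the allowlist."""
    return sorted(set(URL_RE.findall(config_text)))


# Constructed compose-style environment fragment for a service.
SAMPLE_ENV = """\
UPDATE_URL=https://updates.example-vendor.com/check
TELEMETRY=off
DOCS_LINK="https://docs.example-vendor.com/"
"""

if __name__ == "__main__":
    for finding in audit_egress(LOG_LINES, EGRESS_POLICY):
        print("FINDING:", *finding)
    for url in hardcoded_urls(SAMPLE_ENV):
        print("HARDCODED:", url)
```

Run as a script it reports the `web` container reaching a vendor update host that is not on its allowlist, the `cache` container having no policy entry at all, and the two literal URLs in the environment fragment; the denied `mdm` connection is deliberately not reported, since a deny is the expected outcome under default-deny.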