Hardware Manifest
Opplet Operations: Hardware Manifest
You're reading the public edition of Hardware Manifest. The working source — drafts, change discussion, and member resources — lives in the community library.
Purpose and Scope
This document records the current physical inventory and specifications of every node in the enclave. It is operational truth, not architectural law. Hardware refreshes update this document; they do not bump the Constitution.
The Constitution (§1 Hemispheric Strategy) mandates four physical nodes with specific roles. This Manifest specifies the actual machines fulfilling those roles right now.
1. The Den — Zone 1 (Sovereign Life)
The Den consists of two cloud VPSs, physically separated to isolate life-critical services from application workloads.
1A. Gateway VPS (“The Front Door”)
Role: Life-critical public services (email, telephony, control panel, reverse proxy). Traditionally managed; no Docker.
| Spec | Value |
|---|---|
| Provider | Hetzner Cloud |
| Type | CPX21 |
| vCPU | 3 |
| RAM | 4 GB |
| Storage | 80 GB SSD |
| OS | Ubuntu Server (current LTS) |
| Estimated cost | ~€8/mo |
RAM allocation:
| Component | RAM |
|---|---|
| Email subsystem (Exim + Dovecot + SpamAssassin) | 1 GB |
| Telephony (FreePBX / Asterisk) | 512 MB |
| Web control panel + Nginx reverse proxy | 512 MB |
| OS + overhead | ~1 GB |
| Headroom | ~1 GB |
1B. Engine VPS (“The Workshop”)
Role: Personal applications, containerized via Docker.
| Spec | Value |
|---|---|
| Provider | Hetzner Cloud |
| Type | CPX31 |
| vCPU | 4 |
| RAM | 8 GB |
| Storage | 160 GB SSD + Hetzner Storage Box mount (1 TB) |
| OS | Ubuntu Server (current LTS) |
| Estimated cost | ~€15/mo + ~€4/mo storage |
RAM allocation:
| Component | RAM |
|---|---|
| Personal Identity & SSO | 2 GB |
| File sync & storage | 1 GB |
| Automation glue | 1 GB |
| Personal CRM | 512 MB |
| Personal Finance | 256 MB |
| Personal Task Management | 256 MB |
| CalDAV/CardDAV server | 128 MB |
| Personal Dashboard | 256 MB |
| Credential storage | ~256 MB |
| OS + Docker overhead | ~1 GB |
| Headroom (must maintain ≥1 GB free per SOP §6) | ~1.3 GB |
1C. Den Networking
- Gateway and Engine connected via Tailscale private mesh.
- Engine has no public-facing ports; all traffic reverse-proxied through Gateway.
- No connectivity to any Hetzner enclave node (Constitution §5D Den Network Isolation).
1D. Den External Dependencies
| Service | Provider | Purpose |
|---|---|---|
| SIP Trunk | Telnyx or JMP.chat (selection pending) | PSTN bridge for phone number |
| Storage Box | Hetzner (1 TB) | Mounted to Engine for file storage |
| Prepaid SIM | Any carrier | Emergency calls (911/112) fallback independent of SIP |
2. The Manor — Zones 0, 2 (Sovereign Core)
Role: Business identity, internal automation, capital preservation, observability. High-availability cluster.
2A. Manor Cluster
Topology: Three-node Proxmox VE cluster with HA enabled.
| Node | CPU | RAM | Storage | Role |
|---|---|---|---|---|
| Manor 1 (pve-m1.opplet.com) | Xeon E3-1275v5 | 64 GB ECC DDR4 | Local ZFS (specs TBD) | Cluster Node 1 |
| Manor 2 (pve-m2.opplet.com) | Xeon E3-1275v5 | 64 GB ECC DDR4 | Local ZFS (specs TBD) | Cluster Node 2 |
| Manor 3 (pve-m3.opplet.com) | Xeon E3-1275v5 | 64 GB ECC DDR4 | Local ZFS (specs TBD) | Cluster Node 3 |
Storage policy: Local ZFS replication on a 15-minute interval (SOP §5A) across the three nodes. No distributed storage spanning physical nodes (Constitution §5B Storage Isolation Mandate).
2B. RAM Allocation by Zone
Zone 0 (Basement) — total ~30 GB:
| Component | RAM |
|---|---|
| Authentik-Business | 4 GB |
| LDAP-Alpha (OpenLDAP) | 2 GB |
| Watchtower (Wazuh + Loki + Grafana + Matomo) | 8 GB |
| n8n-Alpha | 4 GB |
| BookStack-Alpha | 6 GB |
| Vaultwarden-Biz | ~1 GB |
| OPNsense edge router | ~4 GB |
| Proxmox + ZFS overhead | ~1 GB |
Zone 2 (Office) — total ~14 GB:
| Component | RAM |
|---|---|
| ERPNext (the Bursar) | 14 GB |
Combined Manor cluster utilization: ~44 GB allocated across 192 GB physical (3 × 64 GB). Comfortable headroom for HA failover (any single node can absorb the others’ workloads).
3. The Annex — Zones 3, 4 (Delivery Edge)
Role: Heavy I/O, CI/CD compilation, source code management, public/talent web traffic proxying.
3A. Annex Node
| Spec | Value |
|---|---|
| Hostname | pve-annex.opplet.com |
| CPU | AMD Ryzen 9 7950X3D |
| RAM | 128 GB DDR5 ECC |
| Storage | 2 × 1.92 TB Gen4 Datacenter NVMe SSDs (local ZFS mirror) |
| Role | Standalone Proxmox host (not part of Manor cluster) |
3B. RAM Allocation by Zone
Zone 3 (Kitchen) — total ~64 GB:
| Component | RAM |
|---|---|
| GitLab Core (The Forge) | 24 GB |
| LDAP-Beta (OpenLDAP) | 4 GB |
| Build Farm (CI/CD runners) | 32 GB |
| Discourse (developer forum) | 4 GB |
Zone 4 (Lounge) — total ~48 GB:
| Component | RAM |
|---|---|
| Moodle (The Ledger) | 16 GB |
| HumHub (CNMCyber Arena) | 8 GB |
| Jitsi | 8 GB |
| BookStack-Beta (The Common Library) | 4 GB |
| Traefik + Authentik outpost + Guacamole | 12 GB |
Combined Annex utilization: ~112 GB allocated across 128 GB physical. Approaching the 75% ceiling defined in SOP §6 — first scheduled RAM Headroom Audit (October 2026) will assess whether rebalancing or upgrade is required.
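A headroom audit over the allocation tables in §2B and §3B, applying the two tests this manifest states: the 75% ceiling attributed to SOP §6 and the Manor claim that any single node can hold every workload. This is an added example, not part of the manifest or of Opplet tooling; the rows are copied from the tables above, and the parser also accepts the Den tables' "~" estimates and MB figures.

```python
import re

CEILING = 0.75  # allocation ceiling the manifest attributes to SOP §6

# Allocation rows copied from this manifest (Annex Zones 3+4, Manor Zones 0+2).
ANNEX_TABLE = """
| GitLab Core (The Forge) | 24 GB |
| LDAP-Beta (OpenLDAP) | 4 GB |
| Build Farm (CI/CD runners) | 32 GB |
| Discourse (developer forum) | 4 GB |
| Moodle (The Ledger) | 16 GB |
| HumHub (CNMCyber Arena) | 8 GB |
| Jitsi | 8 GB |
| BookStack-Beta (The Common Library) | 4 GB |
| Traefik + Authentik outpost + Guacamole | 12 GB |
"""
MANOR_TABLE = """
| Authentik-Business | 4 GB |
| LDAP-Alpha (OpenLDAP) | 2 GB |
| Watchtower (Wazuh + Loki + Grafana + Matomo) | 8 GB |
| n8n-Alpha | 4 GB |
| BookStack-Alpha | 6 GB |
| Vaultwarden-Biz | ~1 GB |
| OPNsense edge router | ~4 GB |
| Proxmox + ZFS overhead | ~1 GB |
| ERPNext (the Bursar) | 14 GB |
"""

# One '| Component | RAM |' row; tolerates the manifest's '~' estimates and MB values.
_ROW = re.compile(r"^\|\s*([^|]+?)\s*\|\s*~?([\d.]+)\s*(GB|MB)\s*\|", re.M)

def parse_alloc(table):
    """Return {component: GiB}; headroom rows are capacity, not load, so skip them."""
    alloc = {}
    for name, num, unit in _ROW.findall(table):
        if name.startswith("Headroom"):
            continue
        alloc[name] = float(num) / (1024 if unit == "MB" else 1)
    return alloc

def audit_node(alloc, physical_gib, nodes=1):
    """Check the ceiling test and, for a cluster, the manifest's failover test
    (every workload must fit on a single node of the cluster)."""
    total = sum(alloc.values())
    util = total / physical_gib
    return {
        "allocated_gib": total,
        "utilization": round(util, 3),
        "over_ceiling": util > CEILING,
        "fits_single_node": total <= physical_gib / nodes,
    }
```

Run against the page's figures, the Annex comes out at 87.5% and is flagged, while the Manor sits at about 23% and passes the single-node test.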
4. The Outpost — Zone 5 (Live Fire Range)
Role: Host vulnerable target VMs and defensible exploitation infrastructure in a network-isolated environment.
4A. Outpost Node
| Spec | Value |
|---|---|
| Hostname | pve-outpost.opplet.com |
| CPU | AMD Ryzen 9 3900 (Hetzner Server Auction) |
| RAM | 128 GB DDR4 ECC |
| Storage | 2 × 1+ TB U.2 Datacenter NVMe SSDs (local ZFS mirror) |
| Role | Standalone Proxmox host (not part of Manor cluster) |
4B. RAM Allocation
Zone 5 (Range) — total ~128 GB:
| Component | RAM |
|---|---|
| Range Targets (defensible VMs, payloads, exploitation targets) | 120 GB |
| Local Wazuh forwarders (telemetry) | 8 GB |
5. Backup Infrastructure
5A. Proxmox Backup Server (PBS)
Location: The Manor (Zone 0).
Role: Receives state pushes from the Annex per Constitution §5A Exception 3 and SOP §1A.
Permissions: Drop-only from the Annex side; the Annex cannot read or delete existing backups.
Specs: Allocated within the Manor cluster (RAM and storage drawn from the shared pool; not a separate physical node).
5B. External Watchdog
Location: Micro-VPS (separate provider from Hetzner, exact provider TBD).
Role: Uptime Kuma monitoring per SOP §2.
Specs: Smallest available tier sufficient to run Uptime Kuma — typically 1 vCPU, 1 GB RAM, 20 GB storage.
6. Network Topology
6A. Edge Router
OPNsense is virtualized on The Manor (Basement) per Constitution §5E. Single-instance with HA priority on the Manor cluster; SOP §4 defines resilience procedures.
6B. Hetzner vSwitch
The Manor, Annex, and Outpost are interconnected via Hetzner vSwitch (private layer-2 network). The Talent Proxy (Constitution §5C) routes through this network from the Annex Guacamole to the Outpost targets.
6C. Den Isolation
The Den (Gateway and Engine VPSs) is on entirely separate Hetzner Cloud infrastructure with no connectivity to the vSwitch above. See Constitution §5D and the Den Migration Project document for network isolation enforcement.
7. Hypervisor Standard
All Hetzner physical nodes run Proxmox VE on Debian. The Den VPSs run Ubuntu Server directly (no nested hypervisor — Docker on the Engine, native services on the Gateway).
Specific Proxmox versions and Debian releases are tracked in the Software Stack Manifest.
8. Open Questions for Future Refresh
- Manor cluster storage: Specific NVMe model and capacity per Manor node not yet captured. Add when next hardware audit confirms current state.
- External Watchdog provider: Selection pending. Should not be Hetzner to maintain external observation.
- SIP Trunk provider: Telnyx vs. JMP.chat selection pending (see Den Migration Project).
- Annex RAM pressure: Combined allocation at ~88% of physical. Plan for either workload rebalancing, vertical upgrade (256 GB), or workload migration to a future second Annex node.
- Outpost CPU age: AMD Ryzen 9 3900 is auction hardware. Replacement plan should exist before failure becomes likely.
Changelog
v1.0 (2026-06-02)
- Initial document, extracted from Constitution v9.3 §3 during the Charter Split refactor.
- All values carried forward from Constitution v9.3 §3A–3D without substantive change.
- Open questions §8 added to flag information gaps that should be filled during the next operational review.
END OF DOCUMENT