Last Updated: August 2020


This diagram was created with To edit it, download the diagram file and edit it with the web application, or you may run the application from source if you wish.

#Physical Hosts
  • baikal

    • cyberia's first rack server, installed in the CyberWurx datacenter in Atlanta, Georgia
    • j3s is the only authorized support contact right now and the only one who can log into the CyberWurx portal
  • gibson

    • dynamic(ish) ip address
    • consumer grade desktop located in fack's house
    • NOTE: gibson uses port 3215 for ssh. connect with ssh -p 3215

    • dynamic(ish) ip address
    • olde desktop located in j3s's house
#Cloud Service Accounts
  • namecheap

    • fack's namecheap account is currently being used to manage DNS entries for:
    • all DNS updates are being done manually by j3s.
    • conventions:
      • A records are named after hostnames & point to VMs / physical hosts
      • CNAMEs are named after the service & point to the A record of the host the service runs on
  • CyberWurx portal

    • Allows us to add reverse DNS entries for Capsuls
    • View metrics, get datacenter information, support tickets, etc
    • Right now j3s is the only one who can log in / be authorized for support. Can add others though!

Most of cyberia's services run on Capsul, our Virtual Machine Management tool & service.

Ansible Managed Capsuls:
capsul-ay3yh10q2q  f1-xs  alpine311  Jun 20 2020  (new email server)
capsul-c04bbf593b  f1-s   alpine311  Jun 01 2020  (NSHC / North Star Health Collective)
capsul-pfgy2tthx9  f1-xs  alpine311  May 10 2020  (postgres for forge & others in the future)
capsul-id502edkg0  f1-xs  alpine311  Apr 01 2020  (cyberia forge)
capsul-t6tfb2dh5p  f1-m   alpine311  May 10 2020  (prometheus & grafana & future logg agg)
capsul-w6hsx09r7v  f1-xs  alpine311  Aug 20 2020  (ansible bastion + build submitter)

Legacy Capsuls:
capsul-qnx33xmi6f  f1-s   debian10  Mar 13 2020  (old mail server)
capsul-yi9ffqbjly  f1-x   debian10  Apr 15 2020  (btcpay)
cvm-lqj2x9nxic     f1-l   debian10  Mar 07 2020  (cyberia matrix)
cvm-m1tjv0lljd     f1-xs  debian10  Mar 10 2020  (websites &,

The Ansible Managed servers should have a user account for each user. The Legacy servers & baikal only have one user named cyberian, with everyone's keys authorized for that server.

Contact j3s, forest, or vvesley for more information on cyberia's capsul account.

#Host Key Fingerprints

NOTE: you can control what kind of host key your ssh client will use like this:

ssh -o HostKeyAlgorithms=ssh-ed25519
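
How a published `SHA256:` fingerprint relates to the key a server presents, as an added example that is not part of the original wiki. The key is constructed sample data; `host.example` and all function names are assumptions. In practice the input line would be one line of `ssh-keyscan` output.

```python
import base64
import hashlib
import struct

# Labels as used in fingerprint listings like the one on this page.
LABELS = {"ssh-ed25519": "ED25519", "ecdsa-sha2-nistp256": "ECDSA"}

def constructed_ed25519_line(host, raw_key):
    """Build a 'host keytype base64' line from 32 raw bytes (sample data only)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

def fingerprint(keyscan_line):
    """Return (key type, 'SHA256:...') for one line in ssh-keyscan output format."""
    _host, key_type, b64_blob = keyscan_line.split()[:3]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with a length-prefixed algorithm name; it must agree
    # with the key type column, otherwise the line is damaged or spliced.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type column does not match key blob")
    # OpenSSH prints the SHA-256 of the whole blob as unpadded base64.
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host(keyscan_line, published):
    """Compare a presented key with the published fingerprints for one host.

    published maps a label ("ED25519", "ECDSA") to a fingerprint string.
    Returns "match", "MISMATCH" or "unlisted" (no fingerprint for that key type).
    """
    key_type, fp = fingerprint(keyscan_line)
    expected = published.get(LABELS.get(key_type, key_type))
    if expected is None:
        return "unlisted"
    return "match" if fp == expected else "MISMATCH"

if __name__ == "__main__":
    good = constructed_ed25519_line("host.example", bytes(range(32)))
    other = constructed_ed25519_line("host.example", bytes(32))
    pinned = {"ED25519": fingerprint(good)[1]}   # stands in for a published entry
    print(check_host(good, pinned))    # same key as published
    print(check_host(other, pinned))   # different key presented: do not connect
```
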
#Automation (Ansible)

The Ops Handbook is still on the old git server; it is the main repo with the ansible inventory & playbooks.

Ansible bastion host/automation is on

#Service Inventory
| User-oriented Name | URL | Developer-oriented Name | Host | Deployment Code | Application Code |
| --- | --- | --- | --- | --- | --- |
| cyberia's matrix server | | synapse | | ansible/roles/synapse | matrix-org/synapse |
| cyberia's matrix server | | element (used to be called riot) | | ansible/roles/riot | vector-im/element-web |
| cyberia's matrix server | N/A | postgres | | ansible/roles/postgresql | |
| cyberia's matrix server | N/A | irc bridge to freenode | | TBD | matrix-org/matrix-appservice-irc |
| cyberia's matrix server | | matrix prometheus exporter | | TBD | matrix-org/synapse/metrics |
| nullhex email | | alps | | TBD | ~emersion/alps/ |
| nullhex email | ports 25 & 587 (STARTTLS) | opensmtpd | | ansible/roles/opensmtpd | OpenSMTPD/OpenSMTPD |
| nullhex email | (imap) | dovecot | | ansible/roles/dovecot | dovecot/core |
| nullhex email | N/A | rspamd | | TBD | rspamd/rspamd |
| capsul | | capsul | | TBD | ~forest/capsul-flask/ |
| forge (cyberia's git server) | | sourcehut | | TBD | ~sircmpwn/sourcehut |
| forge (cyberia's git server) | N/A | postgres | | TBD | |
| cyberia's website | | nginx static site | | TBD | services/website |
| the old git server | | cgit | | TBD | |
| prometheus | | prometheus | | rules & ansible/roles/prometheus | prometheus/prometheus |
| alertmanager | N/A | alertmanager | | same as prometheus | prometheus/alertmanager |
| grafana | | grafana | | ansible/roles/grafana | grafana/grafana |
| Jackal | | matrix alert bot | | TBD | matrix-org/go-neb (forest's fork) |
#LetsEncrypt Certificate Inventory

For information on certificates which are managed by uacme automatically, see and the tls_certs variable in

Certificates which are exceptions to the rule:
 - certificate is automatically managed by btcpayserver-docker
The following are managed by a script called located at `/root/`
The following are managed by a script called located at `/root/`
The following are managed by Caddy on the router which sits in front of gibson. Ask j3s or fack about this.

How to use

systemctl stop nginx ; --renew --domain; systemctl start nginx ;

The certificate expiry alerts are defined here:

The probe_ssl_earliest_cert_expiry metric is written by the blackbox exporter, configured here:


About this wiki

commit 1c29c021af0a00ad03b20d6215bd39a566d3eafb
Author: j3s <>
Date:   2021-02-22T17:20:53-06:00

Update docs according to last congress