Out Brush Infrastructure

Internal Ops Reference. Status: All Systems Nominal. Last updated: 2026-04-10
Architecture Overview

Layered view, top to bottom (diagram, summarised as a list):

  • External APIs + Services: Anthropic API, OpenAI API, Doppler, 1Password, GitHub, Linear, Telegram (reached over HTTPS / API calls)
  • Cloudflare Edge: CF Pages (outbrush.com), CF Access (Zero Trust), CF Workers, CF D1 (SQLite), CF Queue (eda-events), CF DNS, CF Tunnels (cloudflared): outbrush-outline, bigtime
  • Docker Services (30+ containers, Docker Engine / host network): Postgres :5432, Authentik :9090, n8n :5678, Outline :3002, LiteLLM :4000, Ollama :11434, Immich :2283, Jellyfin :8096, MinIO :9000, NGINX PM :80/443, Uptime Kuma :3001, Grafana :3000, Prometheus :9090, Loki :3100
  • Physical Hosts + Network (10.0.4.0/24 + Tailscale 100.x): RogAI 10.0.4.80 (Production), Dell 7530 10.0.4.115 (Hot Standby), Smallfry 10.0.4.111 (Monitoring), MacBook 10.0.4.35 (Dev), Synology DS1522+ (Offsite DR)
Physical Hosts
RogAI
Primary Production Host -- 22 Containers
10.0.4.80 SSH: admrick@10.0.4.80

Hardware

  • ASUS ROG STRIX Z390-E
  • Intel i9, 32 GB RAM
  • NVIDIA RTX 2070 8 GB (driver 580, CUDA 13.0)

Storage

  • Samsung 980 PRO 2 TB (root)
  • Samsung 970 PRO 1 TB (KVM VMs)
  • RAID1 2x2 TB (Immich + backups)
  • Seagate 16 TB NTFS (media)

OS

  • Ubuntu 24.04 LTS headless
  • GPU: Ollama + Jellyfin NVENC

Docker Services

Service | Image | Port(s) | Purpose
postgres | postgres:18 | 5432 | Primary DB (8 databases)
immich-postgres | ghcr.io/immich-app/postgres:14-vectorchord | internal | Immich-dedicated Postgres + pgvector
redis | redis:8-alpine | internal | Cache / queue for n8n, Authentik
ollama | ollama/ollama (GPU) | 11434 | Local LLM inference (RTX 2070)
jellyfin | jellyfin/jellyfin | 8096 | Media server (GPU NVENC)
immich-server | ghcr.io/immich-app/immich-server v2.6.3 | 2283 | Photo / video management
immich-ml | ghcr.io/immich-app/immich-machine-learning | internal | Face detection, CLIP embeddings
authentik | ghcr.io/goauthentik/server:2026.2.1 | 9000 / 9090 | SSO identity provider (OIDC)
outline | outlinewiki/outline | 3002 | Internal documentation wiki
n8n | n8nio/n8n | 5678 | Workflow automation
litellm | ghcr.io/berriai/litellm | 4000 | AI model proxy (Anthropic, OpenAI, Ollama)
minio (primary) | minio/minio | 9000 / 9001 | Object storage (photos, artifacts, backups)
minio (secondary) | minio/minio | 9002 / 9003 | Secondary MinIO console
nginx-proxy-manager | jc21/nginx-proxy-manager | 80 / 443 / 81 | Reverse proxy + SSL termination
pgadmin4 | dpage/pgadmin4 | 5050 | Postgres admin UI
portainer-agent | portainer/agent | 9001 | Managed by Smallfry Portainer CE
uptime-kuma | louislam/uptime-kuma | 3001 | 30-monitor status page (MariaDB)
outbrush-api | custom | 3000 | Out Brush API service
node-exporter | prom/node-exporter | 9100 | Host metrics to Prometheus
cadvisor | gcr.io/cadvisor/cadvisor | 9101 | Container metrics to Prometheus
cloudflared | cloudflare/cloudflared | -- | Tunnel: outbrush-outline (f07e4148)
cloudflared-bigtime | cloudflare/cloudflared | -- | Tunnel: bigtime (36a3f0ed)

Note: as listed, 9000 appears for both authentik and minio (primary), and 9001 for both minio (primary) and portainer-agent. Two containers cannot publish the same host port, so confirm the real bindings with `docker ps` on RogAI and correct the table.
Dell 7530
Hot Standby + AI Node -- 4 Containers
10.0.4.115 TS: 100.118.36.51 SSH: admrick@10.0.4.115

Hardware

  • Dell Precision 7530
  • NVIDIA Quadro P2000 4 GB
  • Single 476 GB NVMe

OS

  • Ubuntu 24.04.4 LTS bare metal
  • Proxmox wiped

Docker Services

Service | Port(s) | Purpose
postgres-replica | 5432 | Streaming WAL replication from RogAI (auto-promotes in ~30s)
minio-dell | 9000 | Bidirectional site replication from RogAI MinIO
openclaw | 18789 | Claude Haiku direct (bypasses LiteLLM)
portainer-agent | 9001 | Managed by Smallfry Portainer CE
Smallfry
Monitoring + Portainer Server -- 6 Containers
10.0.4.111 TS: 100.123.123.86 Portainer: :9443

Access

  • Ubuntu VM
  • SSH port 22 not open
  • Access via Portainer API at https://100.123.123.86:9443

Docker Services

Service | Port | Purpose
portainer-ce | 9443 | Portainer CE v2.39.1 -- manages RogAI, Dell, local
prometheus | 9090 | Scrapes RogAI node-exporter, cadvisor, Dell
grafana | 3000 | Dashboards -- SSO via Authentik
loki | 3100 | Log aggregation
promtail | -- | Log shipping to Loki
portainer-agent | local | Smallfry self-management
MacBook Pro M3 Max
Primary Developer Workstation
10.0.4.35 TS: 100.102.226.104

Role

  • Developer workstation -- no inbound connections
  • Not a server

Tools

  • Claude Code
  • VS Code + Cursor
  • GitHub CLI
  • Doppler CLI
  • Wrangler CLI
Synology DS1522+
Offsite Disaster Recovery
Access: Tailscale only. Location: Paul's House (~8 mi)

Purpose

  • Pure offsite backup target
  • Access via Tailscale mesh VPN only
  • Future: Dell MinIO replication target
Cloudflare Edge
DNS, CDN, Pages, Workers, D1, Access
Domains: outbrush.com, bigtime4.me

Zero Trust Tunnels (on RogAI)

  • outbrush-outline (f07e4148) -- all *.outbrush.com
  • bigtime (36a3f0ed) -- movies/pics.bigtime4.me

CF Pages

  • Next.js 15.5.2 + @cloudflare/next-on-pages
  • Envs: production (main), staging, develop, demo1
  • CI/CD: GitHub Actions to wrangler pages deploy

D1 Databases

  • outbrush-webdata-prod
  • outbrush-webdata-staging
  • outbrush-webdata-dev
  • outbrush-webdata-demo
  • outbrush-webdata-global

Workers + Queue

  • outbrush-webdata-worker -- contact form to CF Queue
  • outbrush-event-router -- queue consumer to D1 + n8n
  • Queue: eda-events

Access Policies

  • docs + status -- outbrush-team (Rick, Michelle, Paul, Cliff)
  • All others -- outbrush-admins (Rick, Michelle)
  • IdP: Authentik OIDC (auth.outbrush.com)
Service Catalog -- columns: Service, Host, Port(s), URL, Purpose
Key Data Flows

Website Lead Flow

  • Browser -- user visits outbrush.com (CF Pages)
  • outbrush-webdata-worker -- contact form submission to CF Worker
  • CF Queue (eda-events) -- queued for async processing
  • outbrush-event-router -- queue consumer writes to D1: web_contact_leads
  • n8n (RogAI :5678) -- webhook triggers automation workflow
  • LiteLLM (RogAI :4000) -- routes to Anthropic claude-haiku-4-5
  • Telegram alert -- notification delivered to Rick

AI Inference Flow

  • Any service -- n8n, outbrush-api, chat-brain, etc.
  • LiteLLM :4000 -- unified AI model proxy on RogAI
  • Route claude-* -- Anthropic API (claude-sonnet-4-6, claude-haiku-4-5)
  • Route gemini-* -- Google API
  • Route ollama/* -- Ollama :11434 (local GPU: qwen3:8b, deepseek-r1:7b, llama3.1:8b, etc.)

Monitoring Flow

  • RogAI node-exporter :9100 -- host metrics (CPU, RAM, disk, network)
  • RogAI cadvisor :9101 -- container-level metrics
  • Prometheus (Smallfry :9090) -- scrapes all exporters + Dell
  • Promtail (all hosts) -- ships logs to Loki (Smallfry :3100)
  • Grafana (Smallfry :3000) -- dashboards, SSO via Authentik

Postgres Replication

  • RogAI Postgres :5432 -- primary, 8 databases (outbrush_services, n8n, authentik, outline, litellm, immich, etc.)
  • Streaming WAL replication -- continuous write-ahead log shipping
  • Dell Postgres :5432 -- hot standby, auto-promotes in ~30s on primary failure

Note: streaming replication by itself never promotes a standby; the component that performs the ~30s promotion is not listed here. Whatever it is, confirm that it fences or stops the old primary (or repoints the RogAI services, which otherwise keep writing to their local :5432), since a RogAI that is merely partitioned from the Dell would keep accepting writes and the two copies would diverge.

MinIO + Object Storage

  • RogAI MinIO (primary) -- S3-compatible object storage: photos, artifacts, backups
  • Bidirectional site replication -- RogAI MinIO <-> Dell MinIO (real-time sync)
  • Dell MinIO -- replica; future push to Synology DS1522+ (offsite DR)

Note: site replication mirrors deletes and overwrites in both directions, so the Dell copy provides availability, not a point-in-time backup; the planned Synology target is the hop that has to hold versions for DR.

SSO Authentication

  • User -- navigates to any internal subdomain
  • CF Access (Zero Trust) -- intercepts the request and checks for a valid Access JWT
  • Authentik OIDC -- auth.outbrush.com (RogAI :9090); user authenticates
  • CF Access issues JWT -- session cookie set, user proceeds to service

Note: CF Access enforces this only for traffic that arrives through the cloudflared tunnels. Services that also publish a host port (Outline :3002, n8n :5678, Grafana :3000 and others in the tables above) answer directly on the 10.0.4.0/24 LAN, bypassing Access and Authentik. Each origin should therefore validate the Cf-Access-Jwt-Assertion header against the team's JWKS and the application's AUD tag, or accept connections only from the cloudflared container.

Secrets Management

  • Doppler (outbrush-prod/prd) -- machine-to-machine secret store
  • Docker Compose env injection -- RogAI + Dell services
  • GitHub Secrets -- CI/CD pipelines (CF Pages deploys)
  • 1Password -- human credential vault (Rick, Michelle)
Subdomain Map
Quick Reference

SSH Access

  • RogAI: ssh admrick@10.0.4.80
  • Dell: ssh admrick@10.0.4.115
  • Smallfry: Portainer at https://100.123.123.86:9443 (no SSH)

LAN IPs

  • RogAI: 10.0.4.80
  • Dell: 10.0.4.115
  • Smallfry: 10.0.4.111
  • MacBook: 10.0.4.35

Tailscale IPs

  • MacBook: 100.102.226.104
  • Dell: 100.118.36.51
  • Smallfry: 100.123.123.86

Secrets

  • Doppler project: outbrush-prod
  • Doppler config: prd
  • Human vault: 1Password

GitHub Repos

  • Docs: RickRhodes/Out-Brush
  • Infra: RickRhodes/outbrush-infra
  • App: RickRhodes/outbrush-app
  • Web: RickRhodes/outbrush-web
  • Private: RickRhodes/outbrush-private

Portainer

  • Server: Smallfry 10.0.4.111:9443
  • Version: CE v2.39.1
  • URL: containers.outbrush.com
  • Agents: rogai, dell, smallfry (local)

Ollama Models

  • qwen3:8b
  • qwen2.5-coder:7b
  • deepseek-r1:7b
  • llama3.1:8b
  • nomic-embed-text

D1 Tables

  • web_contact_leads
  • cfg_site
  • eda_events
  • eda_event_handlers
  • crm_identity_links
  • ana_visitor_sessions