smart_ide/docs/infrastructure.md
Nicolas Cantu c13ce79696 Remove nginx Bearer auth from ia.enso /ollama by default
**Motivations:**
- Simplify Cursor/custom clients; Bearer caused confusion with Cursor user API key.

**Root causes:**
- N/A.

**Fixes:**
- Drop if map check and Authorization stripping on /ollama/; deploy script no longer emits Bearer map.

**Evolutions:**
- Optional Bearer documented in http-maps example; README/services/feature/infrastructure updated; proxy redeployed.

**Affected pages:**
- deploy/nginx/sites/ia.enso.4nkweb.com.conf
- deploy/nginx/deploy-ia-enso-to-proxy.sh
- deploy/nginx/README-ia-enso.md
- deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example
- docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md
- docs/services.md
- docs/infrastructure.md
2026-03-23 07:45:35 +01:00

Infrastructure

Scope

This repository ships shell scripts used on Ubuntu workstations and related LAN hosts. It does not define cloud Terraform or CI; it documents how those scripts map to the private LAN layout used with the 4NK bastion model.

First deployment shape (client / server)

The primary deployment target is a Linux client that connects over SSH to a remote server where the AI stack (Ollama, AnythingLLM, etc.) and Git repositories live. Install scripts in this repo apply mainly to that server (or to a LAN workstation that plays the same role). The client uses SSH (and optionally port forwarding) to reach services that bind to the server's loopback or internal interfaces. See deployment-target.md.

LAN host roles (reference)

Private segment 192.168.1.0/24 (DHCP with MAC reservations). The table matches the host lists in add-ssh-key.sh.

| IP | Role |
|---|---|
| 192.168.1.100 | Proxy / bastion (public entry via DynDNS 4nk.myftp.biz) |
| 192.168.1.101 | test |
| 192.168.1.102 | pre-production |
| 192.168.1.103 | production |
| 192.168.1.104 | services (Git, Mempool, Rocket.Chat, …) |
| 192.168.1.105 | bitcoin |
| 192.168.1.173 | ia |
| 192.168.1.164 | Example workstation on LAN (included in LAN_DIRECT list) |

Internet access to backends uses SSH ProxyJump via ncantu@4nk.myftp.biz (see JUMP in add-ssh-key.sh). On the same LAN, direct ssh ncantu@192.168.1.x is valid.

Reverse proxy ia.enso.4nkweb.com (Ollama / AnythingLLM)

TLS hostname on the proxy 192.168.1.100: the /ollama and /anythingllm prefixes are forwarded to the LAN host 192.168.1.164 (ports 11434 and 3001, see deploy/nginx/sites/ia.enso.4nkweb.com.conf). /ollama/ has no nginx Bearer guard by default (the option is documented in deploy/nginx/http-maps/); AnythingLLM stays behind its own application-level auth.

Operational documentation: deploy/nginx/README-ia-enso.md. Feature sheet: features/ia-enso-nginx-proxy-ollama-anythingllm.md.

Scripts (infrastructure / access)

add-ssh-key.sh

Appends a fixed Ed25519 public key (comment desk@desk) to ~/.ssh/authorized_keys on target hosts.

| Mode | When to use |
|---|---|
| Default | From a machine that can reach JUMP (ncantu@4nk.myftp.biz), then ProxyJump to each backend IP. |
| LAN_DIRECT=1 | Same LAN: direct SSH to each IP in LAN_IPS (proxy, backends, .164). No bastion hostname. |
| ADD_KEY_LOCAL=1 | Already logged in on the target host: update current user only (e.g. workstation .164). |

Do not run with sudo: the SSH client would use /root/.ssh and fail with Permission denied (publickey).

Environment (optional): JUMP, BACKEND_USER, SSH_IDENTITY_FILE, SSH_VERBOSE=1, EXTRA_LAN_IPS (with LAN_DIRECT=1).
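As an added example (not the repository's own add-ssh-key.sh), the idempotent authorized_keys update and the mode-dependent target selection described above; the key below is a placeholder standing in for the embedded desk@desk key, and the root check mirrors the "do not run with sudo" rule.

```shell
#!/usr/bin/env bash
# Added example, not the project's script. PUBKEY is a placeholder, not the real desk@desk key.
set -eu

PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA00000000000000000000000 desk@desk'
JUMP="${JUMP:-ncantu@4nk.myftp.biz}"
BACKEND_USER="${BACKEND_USER:-ncantu}"

# Append PUBKEY to an authorized_keys file only if it is not already there, and
# enforce the permissions sshd StrictModes expects (700 on ~/.ssh, 600 on the file).
add_key_to_file() {
  file="$1"
  dir="$(dirname "$file")"
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$file" && chmod 600 "$file"
  if grep -qxF "$PUBKEY" "$file"; then
    echo "already present: $file"
    return 0
  fi
  printf '%s\n' "$PUBKEY" >> "$file"
  echo "added: $file"
}

# Print the ssh(1) arguments for one backend IP: ProxyJump through the bastion by
# default, a direct LAN connection when LAN_DIRECT=1 (same variable as the script).
ssh_target_args() {
  ip="$1"
  if [ "${LAN_DIRECT:-0}" = "1" ]; then
    printf '%s@%s' "$BACKEND_USER" "$ip"
  else
    printf -- '-J %s %s@%s' "$JUMP" "$BACKEND_USER" "$ip"
  fi
}

# Running under sudo makes ssh read /root/.ssh and installs the key for the wrong
# account, which ends in "Permission denied (publickey)"; refuse early instead.
refuse_root() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "run as the unprivileged user, not with sudo" >&2
    return 1
  fi
}

# ADD_KEY_LOCAL=1 mode: update the current user's own file only.
if [ "${ADD_KEY_LOCAL:-0}" = "1" ]; then
  refuse_root
  add_key_to_file "$HOME/.ssh/authorized_keys"
fi
```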

add-sudo-nopasswd-ncantu.sh

One-time root execution: creates /etc/sudoers.d/99-ncantu-nopasswd with ncantu ALL=(ALL) NOPASSWD: ALL, chmod 440, visudo -c. Use only where this policy is explicitly required.

Data paths (host)

| Path | Purpose |
|---|---|
| $HOME/anythingllm | AnythingLLM Docker bind mount (storage + .env), default from install-anythingllm-docker.sh |
| $HOME/.ssh/authorized_keys | SSH access; updated by add-ssh-key.sh modes |

Security notes

  • SSH is key-based; the embedded key in add-ssh-key.sh is for a designated client (desk@desk). Rotate or replace in script if the key is compromised.
  • Passwordless sudo reduces interactive friction and increases local privilege impact; scope to trusted machines only.