Stack Status
Public-safe infrastructure snapshot. High-level VM health, service status, and sanitized change notes, transparency without free recon.
Security posture: Internal hostnames, IPs, and admin surfaces are not published here. All admin access is VPN-only. Public access routes exclusively through the edge layer. Audit entries are delayed and generalized before appearing.
Trust Plane Model
Everything operates within one of four trust planes. Plane membership determines access rules, not role, not convenience.
Core Platform Services
Cross-domain infrastructure serving all workloads. Internal hostnames are masked.
Domain VM Inventory
Each domain runs a minimum 4-VM model. Business and personal automation are strictly separated. VM designators are masked.
SKALD / Intelligence Layer
A logical layer spanning the infrastructure, not a VM but a system-of-systems. Memory, reasoning, automation, and awareness are independently deployed and coordinated.
Audit Trail
Change notes and deployment summaries. Delayed and sanitized; no internal paths, IPs, or admin surfaces.
-
Sportsball Tournament released -- open-source Android bracket app, MIT licensedStandalone tournament bracket manager (single-elim, double-elim, pool play + bracket, round robin) shipped as an offline-first Capacitor Android app and public GitHub repo, MIT licensed. Live-tested end to end on fifteen teams during an actual tournament. A private MySportsball fork with live results sync remains internal, separate storage and infrastructure. Full writeup in the Writing section.
-
ForgeAtlas and ForgeMimir folded into Norn -- unified 6-pillar app suiteForgeAtlas and ForgeMimir are no longer standalone tools -- they're two of six pillars in Norn, a single self-hosted app suite with unified navigation and cross-pillar linking. The other four: Fountain (health tracking), Shop (procurement), Vault (inventory), and Ledger (manual finance tracking). Ships as a native Android app plus a static web build for internal use; not publicly hosted.
-
Duties app deployed to managed endpoint via Headwind MDMSingle-file Capacitor app packaged and pushed to the existing managed device through the self-hosted MDM platform -- same enrollment and update pipeline as the platform's original deployment, silent push on next check-in, no vendor cloud involved.
-
UPS deployed on hypervisor host -- battery backup and graceful shutdown liveBattery backup installed on the primary hypervisor host with automated monitoring. Configured shutdown thresholds trigger a graceful power-loss response before battery exhaustion, rather than a hard outage across the whole stack.
-
ForgeBridge-SW1 deployed -- 5-VLAN network segmentation liveManaged switch deployed with segmentation across untrusted, trusted, hypervisor, server, and voice VLANs. A single tagged trunk carries all segments to the firewall, which owns per-segment gateway interfaces. Switch management itself lives on an internal segment and only comes up once the corresponding firewall interface is configured.
-
ForgeCharon (OPNsense) hardware staged -- install and config in progressDedicated inline firewall hardware racked and trunked to the managed switch across all network segments. Install and per-segment interface configuration in progress; internal DNS and several dependent projects remain gated until this completes.
-
ForgeMind launched -- anon publishing surface liveNew public-facing publishing surface deployed, routed through the same edge layer as every other domain -- Cloudflare-proxied ingress to the smart edge, no direct public ports on the origin VM. Separate identity and content from the TekForge and Keep domains by design.
-
React2Shell (CVE-2025-55182) probes blocked, systems confirmed unaffectedElevated probe activity traced to a critical pre-auth RCE vulnerability affecting a subset of React 19 releases. Traffic was blocked at the edge before reaching any origin. Audit of every public-facing service confirmed none run the affected stack -- static builds and non-Node services throughout.
-
ForgeAtlas + ForgeMimir documented -- operations console and memory layer liveForgeAtlas and ForgeMimir documented and deployed as TekForge internal support surfaces. ForgeAtlas tracks active work, dependencies, deadlines, blockers, and review triggers. ForgeMimir stores SOPs, durable notes, planning context, and archived knowledge. Public writeup added to the Writing section with screenshots from the live system.
-
ForgeHound deployed -- MDM platform live, first managed endpoint enrolledSelf-hosted MDM platform deployed. Android Device Owner enrollment via QR provisioning. Custom branded launcher, OS-level policy restrictions, and MQTT-based telemetry reporting active. First managed endpoint enrolled and locked down. Real-world use case: family device management at enterprise posture. All free tooling.
-
TekForge Commons launched -- Revolt community platform liveSelf-hosted Revolt instance live at thecommons.tekforge.dev. Private, invite-only community running on TekForge infrastructure. Seven channels at launch. Entry by request only -- no open registration. The operator is the same person in the server with you.
-
Internal CA operational -- admin surface cert issuedInternal certificate authority established. Admin-facing surface now running a CA-issued cert with 90-day rotation. Root CA distributed to managed endpoints. Admin surface remains VPN-only; no change to public routing.
-
ACME challenge passthrough added to ingress layerIngress layer updated to pass ACME challenges through to the mail server for automated Let's Encrypt cert renewal. UFW updated to allow challenge traffic only. No additional services exposed.
-
Mail server updated -- Let's Encrypt cert deployedMail server updated to current release. Self-signed cert replaced with a valid Let's Encrypt certificate. No service interruption during the update window.
-
ForgeGolem Phase 3h complete -- Ansible baseline extended to full fleetAnsible-enforced baseline now covers all in-scope TekForge VMs. Packages, time sync, SSH hardening, and firewall rules are idempotently managed and verified clean across the fleet. Multi-host runs stable.
-
ops.tekforge.dev migrated to dedicated internal VMInternal ops surface moved off shared infrastructure to a dedicated VM. VPN-only access enforced throughout. Public routing and external services unaffected.
-
Site v2 deployed: dynamic dashboard, architecture v2 write-upDashboard now pulls live VM health from Proxmox API via an internal polling script. Real VM names never leave the script; only aliases are written to the public status.json.
-
Contact form automation live -- webhook-driven email confirmationsSelf-hosted workflow automation deployed for a domain's public contact form. Submissions route through an internal webhook that triggers both client-facing and internal confirmation emails -- no third-party form service involved.
-
User-endpoint credential-stealer incident, containedCommodity credential-stealer on a family Windows endpoint. Network isolated within ~5 minutes. Three-tool offline scan pass performed. IR SOP v1.0 drafted and published. Full writeup in Writing section.
-
Default-deny egress enforced across container runtimeAll containers now require explicit allowlists for external access. Prompted by post-incident network boundary audit. Hardcoded vendor update URLs identified and removed from three services.
-
IAM layer pre-work complete, rollout stagedAuthentik SSO/MFA pre-work complete. Domain-scoped identity model finalized; no cross-domain identity mesh. Rollout sequenced: TekForge first. Target: Q2 2026.
-
Edge routing model finalizedSingle public ingress confirmed for all domains. Admin surfaces remain VPN-only; no overlap with public routing. SSO subdomain routing documented and staged per domain.
-
Backup posture verified, dedicated vault VM scopedFull restore test completed. Dedicated backup/audit VM formally scoped and added to roadmap, replacing ad-hoc backup scripts.