# Infrastructure & Internal Services

Complete runbooks for all ALAI internal services: Docker containers, LaunchAgent daemons, Cloudflare tunnel, Vaultwarden, email system, bots, and more.

# ALAI Infrastructure — Service Catalog & Runbooks

> **Last updated:** 2026-03-11 | **Maintained by:** John (AI Director)
> **Host:** Mac Studio M3 Ultra (ANVIL) | **OS:** macOS
> **Quick health:** `node ~/system/tools/daemon-health.js`

---

## 🐳 Docker Services (23 containers)

### Core Platform Services

| Service | Image | Port | External URL | Health | Restart |
|---------|-------|------|--------------|--------|---------|
| **Vaultwarden** | vaultwarden/server | :8200 | vault.basicconsulting.no | ✅ healthy | `cd ~/system/services/vaultwarden && docker compose restart` |
| **BookStack** | linuxserver/bookstack | :6875 | docs.basicconsulting.no | ✅ running | `cd ~/system/services/bookstack && docker compose restart` |
| **BookStack DB** | linuxserver/mariadb | :3306 (internal) | — | ✅ running | Restarts with BookStack |
| **Planka** | plankanban/planka | :3100 | boards.basicconsulting.no | ✅ healthy | `cd ~/system/services/planka && docker compose restart` |
| **Planka DB** | postgres:15-alpine | internal | — | ✅ healthy | Restarts with Planka |
| **Documenso** | documenso/documenso | :3003 | sign.basicconsulting.no | ✅ running | `cd ~/system/services/documenso && docker compose restart` |
| **Documenso DB** | postgres:15-alpine | internal | — | ✅ healthy | Restarts with Documenso |
| **Documenso MinIO** | minio/minio | :9002/:9003 | — | ✅ running | Restarts with Documenso |
| **Baikal (CalDAV)** | ckulka/baikal:nginx | :5232 | calendar.basicconsulting.no | ✅ running | `cd ~/system/services/baikal && docker compose restart` |
| **Qdrant (Vector DB)** | qdrant/qdrant | :6333/:6334 | — | ✅ running | `docker restart qdrant` |

### Product Database Services

| Service | Port | Product | Health | Restart |
|---------|------|---------|--------|---------|
| **drop-postgres** | :5433 | Drop | ✅ healthy | `cd ~/ALAI/products/Drop && docker compose restart drop-postgres` |
| **plock-db** | :5434 | Plock | ✅ healthy | `cd ~/ALAI/products/Plock && docker compose restart plock-db` |
| **plock-redis** | :6380 | Plock | ✅ healthy | Restarts with plock-db |
| **bilko-postgres** | :5436 | Bilko | ✅ running | `cd ~/ALAI/products/Bilko && docker compose restart bilko-postgres` |
| **bilko-redis** | :6382 | Bilko | ✅ running | Restarts with bilko |
| **lobby-postgres** | :5437 | Lobby | ✅ healthy | `cd ~/ALAI/products/Lobby && docker compose restart lobby-postgres` |
| **lumiscare-postgres** | :5432 | LumisCare | ✅ healthy | Client project |
| **lumiscare-redis** | :6379 | LumisCare | ✅ healthy | Client project |
| **backend-postgres** | :5435 | BasicFakta | ✅ healthy | `cd ~/ALAI/products/BasicFakta && docker compose restart` |
| **backend-redis** | :6381 | BasicFakta | ✅ healthy | Restarts with backend |

### Monitoring Stack (Drop)

| Service | Port | URL | Restart |
|---------|------|-----|---------|
| **Grafana** | :3300 | grafana.basicconsulting.no | `docker restart drop-grafana` |
| **Prometheus** | :9090 | prometheus.basicconsulting.no | `docker restart drop-prometheus` |
| **Node Exporter** | :9100 | — | `docker restart drop-node-exporter` |

---

## ☁️ Cloudflare Tunnel (cloudflared)

**LaunchAgent:** `com.john.cloudflared`
**Config:** `~/.cloudflared/config.yml`
**Tunnel ID:** `3315a609-7934-45c5-ad0c-56d86d16374d`

### Exposed Services

| Hostname | Backend | Purpose |
|----------|---------|---------|
| docs.basicconsulting.no | localhost:6875 | BookStack wiki |
| vault.basicconsulting.no | localhost:8200 | Vaultwarden |
| sign.basicconsulting.no | localhost:3003 | Documenso (e-signing) |
| boards.basicconsulting.no | localhost:3100 | Planka (kanban) |
| calendar.basicconsulting.no | localhost:5232 | Baikal (CalDAV) |
| mc.basicconsulting.no | localhost:3030 | MC Dashboard |
| api.basicconsulting.no | localhost:3001 | API gateway |
| drop-api.basicconsulting.no | localhost:3201 | Drop API |
| lobby.basicconsulting.no | localhost:3010 | Lobby frontend |
| lobby-api.basicconsulting.no | localhost:3009 | Lobby API |
| auth.basicconsulting.no | localhost:9000 | Authentik (SSO) |
| grafana.basicconsulting.no | localhost:3300 | Grafana dashboards |
| prometheus.basicconsulting.no | localhost:9090 | Prometheus metrics |
| track.basicconsulting.no | localhost:3456 | Email tracking pixel |
| ssh.basicconsulting.no | localhost:22 | SSH access |
| vnc.basicconsulting.no | localhost:5900 | VNC screen sharing |

### Runbook: Tunnel down

```bash
# Check status
launchctl list | grep cloudflared

# Restart
launchctl stop com.john.cloudflared
launchctl start com.john.cloudflared

# Verify
cloudflared tunnel info 3315a609-7934-45c5-ad0c-56d86d16374d

# Logs
tail -50 ~/system/logs/cloudflared.log
```

---

## 🔐 Vaultwarden

**Container:** vaultwarden | **Port:** :8200
**URL:** vault.basicconsulting.no (Cloudflare Access protected)
**Local:** http://localhost:8200 | **HTTPS proxy:** https://localhost:8443 (Caddy)
**Admin token:** In `~/system/services/vaultwarden/.env`

### Dependencies
- Docker
- Caddy HTTPS proxy (`com.john.caddy-vault`) — needed for `bw` CLI
- vault-keeper daemon (`com.john.vault-keeper`) — auto-unlock

### Runbook: Vault locked/unauthenticated

```bash
# Check status
NODE_TLS_REJECT_UNAUTHORIZED=0 bw status

# If "locked" — vault-keeper auto-fixes every 15 min. Manual
# (umask 077 + chmod keep the session key file readable by this user only):
(umask 077; NODE_TLS_REJECT_UNAUTHORIZED=0 bw unlock --raw > /tmp/bw-session)
chmod 600 /tmp/bw-session

# If "unauthenticated" — needs full re-login:
NODE_TLS_REJECT_UNAUTHORIZED=0 bw login --apikey
# Enter client_id and client_secret from ~/system/config/vault-apikey.json
# Then unlock:
(umask 077; NODE_TLS_REJECT_UNAUTHORIZED=0 bw unlock --raw > /tmp/bw-session)
chmod 600 /tmp/bw-session

# Verify
NODE_TLS_REJECT_UNAUTHORIZED=0 BW_SESSION=$(cat /tmp/bw-session) bw list items --search "Email" | head
```

### Runbook: Caddy proxy down

```bash
# Caddy provides HTTPS for bw CLI (self-signed cert)
launchctl list | grep caddy-vault
# Restart
launchctl stop com.john.caddy-vault && launchctl start com.john.caddy-vault
# Verify
curl -sk https://localhost:8443 | head -1
```
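
An added example, not part of the original runbook: the status-to-step decision from the "Vault locked/unauthenticated" runbook as shell functions, with the session key written to a mode-0600 file and `bw` trusting the Caddy proxy's self-signed CA through `NODE_EXTRA_CA_CERTS` instead of turning TLS verification off. `CA_FILE` and `SESSION_FILE` are assumed paths, the function names are hypothetical, and the sample `bw status` lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not the project's own tooling). Paths below are assumptions.
CA_FILE="${CA_FILE:-$HOME/system/config/caddy-vault-root.crt}"   # hypothetical path
SESSION_FILE="${SESSION_FILE:-$HOME/.bw-session}"                 # hypothetical path

# Extract the "status" field from the JSON that `bw status` prints.
vault_state() {
  printf '%s' "$1" |
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# Map the vault state to the runbook step that fixes it.
next_action() {
  case "$(vault_state "$1")" in
    unlocked)        echo "none" ;;
    locked)          echo "unlock" ;;
    unauthenticated) echo "login-then-unlock" ;;
    *)               echo "investigate" ;;   # empty or unparseable output
  esac
}

# Read a session key on stdin and store it at $1, owner-only, replaced atomically.
# The subshell body keeps the umask change local to this function.
write_session() (
  umask 077
  tmp="$(mktemp "$1.XXXXXX")" || exit 1
  cat > "$tmp" && mv -f "$tmp" "$1"
)

# Run bw with the proxy's CA added to Node's trust store; verification stays on.
bw_pinned() {
  NODE_EXTRA_CA_CERTS="$CA_FILE" bw "$@"
}

# Constructed sample outputs (not captured from a real vault).
for sample in \
  '{"serverUrl":"https://localhost:8443","status":"locked"}' \
  '{"serverUrl":null,"status":"unauthenticated"}' \
  'not json'
do
  printf '%-20s <- %s\n' "$(next_action "$sample")" "$sample"
done
```

On the host, the manual unlock step would become `bw_pinned unlock --raw | write_session "$SESSION_FILE"`, once the proxy's root certificate has been exported to `CA_FILE`.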

---

## 📧 Email System

**Daemon:** `com.john.email-agent` (every 5 min)
**Accounts:** john@basicconsulting.no, info@basicconsulting.no, john@alai.no, alem@alai.no, dev@alai.no
**IMAP:** imap.one.com:993 | **SMTP:** send.one.com:465
**Credentials:** Vaultwarden (via bw CLI)

### Runbook: Email agent not processing

```bash
# Check logs
tail -30 ~/system/logs/email-agent-launchd.log

# Common issue: Vault not unlocked
NODE_TLS_REJECT_UNAUTHORIZED=0 bw status
# Fix: See Vaultwarden runbook above

# Manual test run
NODE_TLS_REJECT_UNAUTHORIZED=0 node ~/system/daemons/email-agent.js --dry-run

# Restart daemon
launchctl stop com.john.email-agent && launchctl start com.john.email-agent

# Check inbox DB
node -e "const e=require('$HOME/system/tools/email-inbox.js');console.log(JSON.stringify(e.getStats(),null,2))"
```

---

## 💬 Telegram Bot

**Daemon:** `com.john.telegram-agent` (KeepAlive)
**Bot:** @johnbasicas_bot
**Config:** macOS Keychain (telegram-bot-token)
**AI Backend:** Claude CLI → Ollama (llama3.1:8b) → static fallback

### Runbook: Bot not responding

```bash
# Check daemon
launchctl list | grep telegram-agent

# Check logs
tail -20 ~/system/logs/telegram-agent.log

# Restart
launchctl stop com.john.telegram-agent && launchctl start com.john.telegram-agent

# Test AI backend
node -e "const{getResponse}=require('$HOME/system/tools/comms-responder.js');getResponse('test',[]).then(r=>console.log(r.backend,r.text.substring(0,100)))"

# Test connection
node ~/system/tools/telegram-agent.js --test
```

---

## 💬 Slack Bot

**Daemon:** `com.john.slack-bot` (KeepAlive)
**Workspace:** ALAI Holding AS

### Runbook: Slack bot not responding

```bash
launchctl list | grep slack-bot
tail -20 ~/system/logs/slack-bot.log
launchctl stop com.john.slack-bot && launchctl start com.john.slack-bot
```

---

## 📋 BookStack (Wiki)

**Container:** bookstack + bookstack_db
**Port:** :6875 | **URL:** docs.basicconsulting.no
**API config:** ~/system/config/bookstack.json (creds in Vaultwarden)

### Runbook: BookStack down

```bash
cd ~/system/services/bookstack
docker compose ps
docker compose restart
# Check logs
docker logs bookstack --tail 20
```

---

## 📝 Documenso (E-Signing)

**Containers:** documenso + documenso-db + documenso-minio
**Port:** :3003 | **URL:** sign.basicconsulting.no

### Runbook: Documenso down

```bash
cd ~/system/services/documenso
docker compose ps
docker compose restart
docker logs documenso --tail 20
```

---

## 📋 Planka (Kanban)

**Containers:** planka + planka-db
**Port:** :3100 | **URL:** boards.basicconsulting.no

### Runbook: Planka down

```bash
cd ~/system/services/planka
docker compose ps
docker compose restart
docker logs planka --tail 20
```

---

## 📅 Baikal (CalDAV/CardDAV)

**Container:** baikal
**Port:** :5232 | **URL:** calendar.basicconsulting.no

### Runbook: Baikal down

```bash
cd ~/system/services/baikal
docker compose ps
docker compose restart
docker logs baikal --tail 20
```

---

## 🤖 Ollama (Local AI)

**Process:** ollama serve (background)
**Port:** :11434
**Models:** llama3.1:8b, qwen2.5-coder:32b, bge-m3, llama-guard3:8b, custom ALAI models

### Runbook: Ollama down

```bash
# Check
curl -s http://localhost:11434/api/tags | python3 -m json.tool | head

# Restart
ollama serve &

# Verify models
ollama list
```

---

## ⚙️ Key LaunchAgent Daemons

| Daemon | Label | Purpose | Priority |
|--------|-------|---------|----------|
| Cloudflared | com.john.cloudflared | Tunnel to internet | P1 |
| Vault Keeper | com.john.vault-keeper | Auto-unlock Vaultwarden | P1 |
| Caddy Vault | com.john.caddy-vault | HTTPS proxy for bw CLI | P1 |
| Slack Bot | com.john.slack-bot | Slack communication | P1 |
| Telegram Agent | com.john.telegram-agent | Telegram bot | P1 |
| Email Agent | com.john.email-agent | Email processing | P1 |
| Email Tracker | com.john.email-tracker | Open/click tracking | P2 |
| Comms Agent | com.john.comms-agent | Cross-platform comms | P2 |
| Ops Watchdog | com.john.ops-watchdog | Service health checks | P1 |
| Event Dispatcher | com.john.event-dispatcher | Event bus processing | P1 |
| Pi Orchestrator | com.john.pi-orchestrator | Task delegation to agents | P1 |
| Autowork | com.john.autowork | Background task execution | P2 |
| N8N | com.john.n8n | Workflow automation | P2 |
| MC Dashboard | com.john.mc-dashboard | Mission Control web UI | P2 |

### Generic daemon restart

```bash
# Stop
launchctl stop com.john.<name>
# Start
launchctl start com.john.<name>
# Full reload
launchctl unload ~/Library/LaunchAgents/com.john.<name>.plist
launchctl load ~/Library/LaunchAgents/com.john.<name>.plist
# Check status
launchctl list | grep <name>
```

---

## 🔄 Cold Start (Full System Bring-Up)

If the Mac Studio reboots:

```bash
# 1. Docker starts automatically (Docker Desktop)
# 2. LaunchAgents auto-load (RunAtLoad=true)
# 3. vault-keeper unlocks Vaultwarden (reads Keychain)
# 4. All services come up within ~2 minutes

# Verify everything:
bash ~/system/ops/cold-start.sh
node ~/system/tools/daemon-health.js
docker ps
```

---

## 🆘 Emergency Contacts

- **Alem Basic** (CEO): alem@alai.no
- **John** (AI Director): john@basicconsulting.no, @johnbasicas_bot (Telegram), #exec (Slack)