- Default project host: `atom`.

- Tailnet domain: `tail6a522.ts.net`.

- Host-addressed atom DNS: `atom.tail6a522.ts.net`.

- Atom LAN IP used by many services: `192.168.1.12`.

- Durable Docker config/state convention: `/zpool1/docker_configs/<service>/`.

- Larger service data may live under `/zpool1/docker_data/<service>/`.

- Hermes workspace/repo path: `/opt/data/workspace` inside the Hermes container, mapped to `/home/hermes/workspace` on atom.

- Prefer Portainer-managed stacks for long-lived services on atom.

- Do not assume `hermes` has passwordless sudo on atom. It does not.

- Do not edit/redeploy the Hermes stack casually; restarting it can interrupt the active agent session.

- Do not print secrets. This page lists secret *locations*, not secret values.

| Need | Use |

|---|---|

| Host shell/build orchestration | SSH to `hermes@atom.tail6a522.ts.net` |

| Long-lived Docker services | Portainer API / Portainer stack on endpoint `2` |

| Repo/work files | `/home/hermes/workspace` on atom or `/opt/data/workspace` in Hermes |

| Routine agent memory | MCP memory service |

| Bulk vector/RAG storage | Qdrant |

| Credentials | 1Password MCP or configured secret files; never hardcode |

| Monitoring | Uptime Kuma |

| Workflow automation | n8n |

| Field | Value |

|---|---|

| Tailnet hostname | `atom.tail6a522.ts.net` |

| Common LAN IP | `192.168.1.12` |

| Primary agent user | `hermes` |

| Hermes UID/GID in container | `10000:10000` |

| Docker manager | Portainer |

| Portainer endpoint ID | `2` |

| Portainer API from atom | `https://localhost:9443/api` |

| Portainer API token path | `/home/hermes/.config/portainer/api_token` |

| Preferred bind root | `/zpool1/docker_configs/<service>/` |

| Shared workspace | `/home/hermes/workspace` |

1. Use SSH for host commands: `ssh atom.tail6a522.ts.net '...'`.

2. Use Portainer API for Docker inspection/mutation; `hermes` does not have direct Docker socket access.

3. Use host-visible bind mounts for service persistence.

4. For services needing tailnet identity, prefer a Tailscale sidecar with `network_mode: service:<tailscale-service>`.

5. Verify service health after stack changes through the service API, not just container state.

| Field | Value |

|---|---|

| Purpose | Docker stack/container management |

| Container | `portainer` |

| API from atom | `https://localhost:9443/api` |

| UI/API host port | `9443/tcp` on atom |

| Edge port | `8000/tcp` on atom |

| Endpoint ID | `2` |

| Token path | `/home/hermes/.config/portainer/api_token` |

Use for creating/updating/verifying stacks. TLS is self-signed locally; API clients usually need TLS verification disabled.

| Field | Value |

|---|---|

| Stack | `hermes` / Portainer stack ID `100` |

| Containers | `hermes`, `hermes-dashboard` |

| Gateway port | `8642/tcp` on atom |

| Dashboard port | `9119/tcp` on atom |

| Container image | `ghcr.io/1kpio/hermes-ssh-image:latest` |

| Hermes home in container | `/opt/data` |

| Host config mount | `/zpool1/docker_configs/hermes-agent/home:/opt/data` |

| Workspace mount | `/home/hermes/workspace:/opt/data/workspace` |

| Config file | `/opt/data/config.yaml` |

| Env file on host | `/zpool1/docker_configs/hermes-agent/home/.env` |

Notes:

- Current active agent may be running here. Treat stack edits as disruptive.

- SSH key behavior inside Hermes resolves under `HERMES_HOME` (`/opt/data/.ssh`) unless an explicit `IdentityFile` is used.

- Hermes external memory provider is Supermemory; see memory section.

| Field | Value |

|---|---|

| Stack | `n8n` / Portainer stack ID `101` |

| Containers | `ts-n8n`, `n8n` |

| Tailnet URL | `https://n8n.tail6a522.ts.net/` |

| Health URL | `https://n8n.tail6a522.ts.net/healthz` |

| LAN bind | `192.168.1.12:5678` |

| App port | `5678/tcp` |

| Persistent data | `/zpool1/docker_configs/n8n/data:/home/node/.n8n` |

| Cache | `/zpool1/docker_configs/n8n/cache:/home/node/.cache` |

| Local files | `/zpool1/docker_configs/n8n/local-files:/files` |

Use for workflow automation and webhook glue. Webhook base is `https://n8n.tail6a522.ts.net/`.

| Field | Value |

|---|---|

| Stack | `mcp-memory` / Portainer stack ID `99` |

| Containers | `ts-memory`, `mcp-memory` |

| Tailnet URL | `https://mcp-memory-service.tail6a522.ts.net/` |

| Internal app port | `8000/tcp` |

| Backend | `sqlite_vec` |

| SQLite DB in container | `/app/data/memory.db` |

| Host data | `/zpool1/docker_configs/mcp-memory/data` |

| Anonymous access | Enabled in current stack config |

Known REST endpoints:

POST /api/memories

GET /api/memories

POST /api/search

POST /api/search/by-tag

POST /api/search/by-time

GET /api/search/similar/{content_hash}

Use this for routine cross-agent durable memory. Do not use Qdrant directly for small preference/fact writes unless building a bulk RAG workflow.

| Field | Value |

|---|---|

| Stack | `qdrant` / Portainer stack ID `102` |

| Container | `qdrant` |

| Image | `qdrant/qdrant:v1.17.1` |

| HTTP API | `http://100.81.104.62:6333` |

| gRPC API | `100.81.104.62:6334` |

| Readiness | `http://100.81.104.62:6333/readyz` |

| Health | `http://100.81.104.62:6333/healthz` |

| API key path on atom | `/home/hermes/.config/qdrant/api_key` |

| Storage | `/zpool1/docker_configs/qdrant/storage:/qdrant/storage` |

| Snapshots | `/zpool1/docker_configs/qdrant/snapshots:/qdrant/snapshots` |

Use for bulk vector search, RAG corpora, document/session archives, and embeddings-backed project indexes.

| Field | Value |

|---|---|

| Stack | `ollama` / Portainer stack ID `63` |

| Containers | `ts-aichat-server`, `ollama`, `open-webui`, `litellm` |

| Tailnet URL | `https://aichat.tail6a522.ts.net/` |

| Ollama API via Tailnet | `https://aichat.tail6a522.ts.net/ollama` |

| Chat API example | `https://aichat.tail6a522.ts.net/ollama/api/chat` |

| Tailscale hostname | `aichat` |

| Ollama persistence | `/zpool1/docker_data/ollama:/root/.ollama` |

| Open WebUI persistence | `/zpool1/docker_data/open-webui:/app/backend/data` |

| GPU | Ollama stack reserves NVIDIA GPUs |

Use for local/open model inference when an agent needs tailnet-accessible model serving.

| Field | Value |

|---|---|

| Stack | `uptime-kuma` / Portainer stack ID `103` |

| Containers | `ts-uptime-kuma`, `uptime-kuma` |

| Tailnet URL | `https://uptime-kuma.tail6a522.ts.net/` |

| LAN bind | `192.168.1.12:3001` |

| App port | `3001/tcp` |

| Data | `/zpool1/docker_configs/uptime-kuma/data:/app/data` |

| Docker socket | `/var/run/docker.sock:/var/run/docker.sock:ro` |

| Admin password path | `/home/hermes/.config/uptime-kuma/admin_password` |

Use for service monitoring. Prefer application-level HTTP/API probes over container-only checks.

| Field | Value |

|---|---|

| Stack | `ntfy` / Portainer stack ID `38` |

| Container | `ntfy` |

| Tailnet URL | `https://ntfy.tail6a522.ts.net/` |

| Health URL | `https://ntfy.tail6a522.ts.net/v1/health` |

| LAN bind | `192.168.1.12:5080` |

| App port | `80/tcp` in container |

| Cache | `/zpool1/docker_configs/ntfy/var/cache/ntfy` |

| Config | `/zpool1/docker_configs/ntfy/etc/ntfy` |

| Common alerts topic | `alerts` |

Use for push notifications and alert delivery. Verify message history via `/alerts/json?...` when debugging mobile display problems.

| Field | Value |

|---|---|

| Stack | `otter` / Portainer stack ID `79` |

| Containers | `ts-otter-server`, `otter-otterwiki-1` |

| Tailnet URL | `https://otter.tail6a522.ts.net/` |

| App image | `redimp/otterwiki:2` |

| Host data | `/zpool1/docker_configs/otter/app-data` |

| Wiki repository | `/zpool1/docker_configs/otter/app-data/repository` |

This page is hosted here. OtterWiki stores pages as Markdown files in a Git-backed repository.

| Field | Value |

|---|---|

| Stack | `caddy` / Portainer stack ID `11` |

| Container | `caddy` |

| Public HTTP | `80/tcp` on atom |

| Public HTTPS | `443/tcp` on atom |

| Caddyfile | `/zpool1/docker_configs/caddy/Caddyfile` |

| Site root | `/zpool1/srv` mounted at `/srv` |

| Config/data | `/zpool1/docker_configs/caddy/config`, `/zpool1/docker_configs/caddy/data` |

Use for conventional HTTP reverse proxy/site hosting when not using Tailscale Serve.

| Field | Value |

|---|---|

| Stack | `searxng` / Portainer stack ID `66` |

| Containers | `ts-searxng-server`, `searxng-searxng-1` |

| Tailnet URL | `https://searxng.tail6a522.ts.net/` |

Use as a private metasearch endpoint when browser/search tools are constrained.

| Field | Value |

|---|---|

| Stack | `openclaw` / Portainer stack ID `96` |

| Containers | `ts-openclaw`, `openclaw-gateway` |

| Image | `openclaw:local` |

| Host config referenced by Hermes | `/zpool1/docker_configs/openclaw/.openclaw` mounted at `/opt/openclaw` |

Use only if the current task specifically needs OpenClaw. Do not infer its API surface from this page alone.

| Stack | Containers | Published port / URL hints |

|---|---|---|

| `kasm-ubuntu` / ID `97` | `tailscale-kasm-ubuntu`, `kasm-ubuntu` | `6901/tcp` published |

| `kasm-claw` / ID `98` | `tailscale-kasm-claw`, `kasm-claw` | `6910/tcp` published |

Use for GUI/browser desktop workloads when available. Check current health before depending on them.

These exist and may be useful, but many are personal/media/home services rather than agent infrastructure.

| Service/stack | Known port or endpoint |

|---|---|

| `adguardhome` | DNS `192.168.1.12:53` TCP/UDP; UI `192.168.1.12:8008` |

| `frigate` | HTTP `:5000`, RTSP `:8554`, WebRTC `:8555`, go2rtc `:1984` |

| `mealie` | `:9925` |

| `scrutiny` | `192.168.1.12:4080`, collector `:4086` |

| `rebootcontrol` | `:7234` |

| `radarr` | `:7878` |

| `sonarr` | `:8989` |

| `bazarr` | `:6767` |

| `sabnzbd` | `:8080` |

| `overseerr` | `:5055` |

| `tautulli` | `:8181` |

| `readarr` | `:9157` |

| `calibre` | `:19901`, `:19902`, `:19903` |

| `heimdall` | `:7080`, `:7443` |

| `pairdrop` | `:4000` |

| `homarr` | `:7575` |

| `stash` / `xbvr` | `:9999`; xbvr also `:12345` |

Check live Portainer state before using any of these.

| Layer | Role | Endpoint / location |

|---|---|---|

| Hermes Supermemory provider | Hermes's own external long-term memory provider | Configured in `/opt/data/config.yaml`; API key in `/opt/data/.env` |

| MCP memory service | Shared agent-facing memory front door | `https://mcp-memory-service.tail6a522.ts.net/` |

| Qdrant | Bulk vector/RAG/document/session substrate | `100.81.104.62:6333/6334` |

| Shared-memory skill repo | Policy/runbook for other agents | `https://github.com/dixie-rom/agent-shared-memory-skill` |

Rules:

- Store durable facts/preferences/architecture decisions in MCP memory or the agent's native memory layer.

- Store large documents, session archives, and embedding corpora in Qdrant-backed workflows.

- Never store secrets in memory or Qdrant.

- Prefer concise, stable facts over task-progress logs.

- Stay on GitHub. Sean decided not to migrate Git hosting.

- Host-side `gh` is authenticated on atom as the working GitHub identity.

- For coding work on atom, use `/home/hermes/workspace`.

- For agents that need reusable shared-memory behavior, install the skill repo:

npx skills add dixie-rom/agent-shared-memory-skill --all

| Field | Value |

|---|---|

| Hermes-accessible vault name | `Dixie` |

| Preferred access | 1Password MCP tools when present |

Do not dump secret values into chat/wiki/logs. If a secret must be referenced, document only its vault/item/field or local file path.

Status codes are Portainer status values from live inspection. `1` generally means active; `2` means inactive/stopped/limited depending on stack state.

| ID | Stack | Status | Agent relevance |

|---:|---|---:|---|

| 11 | `caddy` | 1 | Public reverse proxy/site host |

| 38 | `ntfy` | 1 | Notifications/alerts |

| 63 | `ollama` | 1 | Local model serving / Open WebUI |

| 66 | `searxng` | 1 | Search endpoint |

| 79 | `otter` | 1 | Wiki/docs hosting |

| 96 | `openclaw` | 1 | Specialized agent/browser gateway |

| 97 | `kasm-ubuntu` | 1 | GUI desktop/browser |

| 98 | `kasm-claw` | 1 | GUI desktop/browser |

| 99 | `mcp-memory` | 1 | Shared agent memory |

| 100 | `hermes` | 1 | Active assistant/gateway |

| 101 | `n8n` | 1 | Workflow automation |

| 102 | `qdrant` | 1 | Vector DB/RAG |

| 103 | `uptime-kuma` | 1 | Monitoring |

Other stacks exist on atom. Query Portainer before making assumptions.

ssh atom.tail6a522.ts.net 'python3 - <<"PY"

ssh atom.tail6a522.ts.net 'curl -fsS http://100.81.104.62:6333/readyz'

ssh atom.tail6a522.ts.net 'curl -fsS https://n8n.tail6a522.ts.net/healthz'

ssh atom.tail6a522.ts.net 'curl -fsS https://ntfy.tail6a522.ts.net/v1/health'

- `atom.tail6a522.ts.net` is the host. Service-specific Tailscale names like `n8n.tail6a522.ts.net` or `aichat.tail6a522.ts.net` may belong to sidecars.

- Tailscale Docker env var is usually `TS_AUTHKEY`, not `TS_AUTH_KEY`; old stacks may still show historical variants.

- Secret gists are unlisted, not private. Do not use them as a vault.

- Portainer stack files may contain secret values in environment fields. Redact before quoting.

- Container state `running` is not enough. Hit the health/API endpoint.

- The OtterWiki repository on disk is owned by the wiki container user, so host writes may require container/Portainer-side file updates.