ROUTINE / HIGH-VOLUME → MEDIOCRE TIER
Kimi K2 and Nemotron drive triage, health sweeps, updates, cleanup, notifications, and scheduled jobs. The watchdog runs every 2 hours, market alerts every 30 minutes.
THE DOSSIER — FULL FILE
From bare metal to an autonomous AI fleet.
One Lenovo ThinkCentre running Ubuntu. Twenty-one containers. Four AI agents that keep it all alive, and a family of five who just see “our cloud”.
- 21
- Docker containers
- 4
- AI agents
- 0
- open router ports
- 31
- health monitors
- 2
- agent gateways
- 99.9
- % uptime
CH. 01
Four agents. Distinct roles. Real boundaries.
Two gateways host the fleet: Hermes for routing and cron, OpenClaw for heavy agent work. Hermes learns the workflows and understands the system's personality, and each agent has exactly the permissions its job needs.
LENOVO THINKCENTREUbuntu · one box, everything
CH. 02
Frontier brains where it counts. Mediocre models everywhere else.
A tiered model policy keeps the fleet cheap to run: mediocre open-weight models handle scheduled and routine automation, while frontier models are reserved for engineering and market decisions. Failover is automatic, manual override is one command away.
HIGH-STAKES / MANUAL → FRONTIER TIER
Claude Opus and Sonnet take infrastructure changes, security work, secrets, and market analysis. The work that is expensive to get wrong.
CH. 03
Two paths in. Nothing exposed.
The router has zero forwarded ports. Everything reaches the box through outbound-only tunnels or an encrypted mesh.
01 · FAMILY PATH
Cloudflare Tunnel: outbound-only, WAF + TLS. Any device, anywhere, no VPN.
02 · ADMIN PATH
Cloudflare Access (Google SSO, single-account allow-list) or Tailscale mesh VPN.
03 · UNDERNEATH
Zero forwarded router ports. fail2ban active. Secrets stored chmod 600.
CH. 04
One request. It just appears.
The media pipeline is fully autonomous. A family member taps once, and about 30 seconds after download the result is on their screen, subtitled.
- 01
Request
Jellyseerr · family portal
- 02
Match + grab
Sonarr / Radarr
- 03
Search
Prowlarr · 6 indexers
- 04
Download
encrypted client
- 05
Subtitles
Bazarr
- 06
On screen
Jellyfin · ~30s refresh
CH. 05
The full system map.
AI OPERATIONS
- OpenClaw gateway
- Hermes gateway
- Bibi · engineer
- Hermy · router
- Buggy · watchdog
- Trader · markets
EDGE / NETWORK
- Cloudflare Tunnel
- Cloudflare Access
- Tailscale mesh
- fail2ban
MEDIA & PHOTOS
- Jellyfin
- Immich · AI photo search
- Jellyseerr
AUTOMATION
- Sonarr
- Radarr
- Prowlarr
- Bazarr
- media automation (*arr stack)
- FlareSolverr
SECURITY
- Vaultwarden
- Cloudflare WAF
- Google SSO
- forced encryption
OPERATIONS
- Uptime Kuma · 31 monitors
- Homarr dashboard
- Komodo · Docker UI
- restic backups · 7d/4w/6m
CH. 06
Engineering highlights.
Multi-agent orchestration
4 agents with distinct roles and permission boundaries, coordinated across 2 gateways.
Tiered model routing
Mediocre open-weight models drive routine automation; frontier models are reserved for engineering and market decisions.
Zero-trust networking
No inbound ports. Outbound-only tunnels, SSO on every admin panel, fail2ban underneath.
Always-on observability
Uptime Kuma checks 31 endpoints every minute; an AI watchdog triages alerts so nothing pages a human at 3am.
Scheduled autonomy
Watchdog sweeps every 2h, market alerts every 30m, weekday pre-market snapshots. All of it runs as cron-driven agents.
Backed up & recoverable
Nightly restic snapshots with 7d/4w/6m retention, weekly integrity checks, secrets isolated.
CH. 07
The stack.
AI / ORCHESTRATION
- OpenClaw
- Hermes
- Claude Opus / Sonnet
- Kimi K2
- Nemotron
- MCP tools
- Cron automation
INFRASTRUCTURE & NETWORKING
- Docker Compose
- Ubuntu Linux
- Cloudflare Zero Trust
- Tailscale
- Komodo
- Nginx
- fail2ban
SELF-HOSTED SERVICES
- Jellyfin
- Immich
- Vaultwarden
- Prowlarr
- Sonarr
- Radarr
- Bazarr
- Jellyseerr
- Uptime Kuma
- Homarr