VPS Asset Inventory

Document ID: INV-VPS-001
Status: Active
Authors: Maya, Paul, and Claude
Reviewer: Abdullah
Approver: Simon (CEO)
Last Edited: Maya, 2026-02-24
Review Due: 2026-05-23


Overview

COOWN operates three Virtual Private Servers (VPS) with distinct security postures and agent access levels. All servers are hosted on Hetzner Cloud.


Server Inventory

| VPS Name | Hostname | Specs | IP (v4) | SSH User | Region | Role |
|---|---|---|---|---|---|---|
| CWN-CPU | CWN-CPU-on-ubuntu-8gb-hel1-1 | CX33, x86, 80 GB | 89.167.53.57 | skai8888 | eu-central (hel1) | Central Orchestrator & Deployment |
| CWN-HUB | CWN-HUB-on-ubuntu-4gb-nbg1-1 | CX23, x86, 40 GB | 46.225.188.41 | skai8888 | eu-central (nbg1) | Public Interface & Marketing |
| CWN-AML | CWN-AML-on-ubuntu-4gb-hel1-1 | CX23, x86, 40 GB | 89.167.68.163 | skai8888 | eu-central (hel1) | Sovereign Audit & Compliance |

DNS Configuration

All subdomains: Type A, TTL 300

CWN-CPU (89.167.53.57)

| Subdomain | Service |
|---|---|
| admin.coown.foundation | Admin panels |
| chroma.coown.foundation | ChromaDB vector store |
| coolify.coown.foundation | Coolify deployment platform |
| n8n-cpu.coown.foundation | n8n workflow automation (CPU) |
| openclaw.coown.foundation | OpenClaw gateway |
| plane.coown.foundation | Plane project management |
| supabase.coown.foundation | Supabase database |

CWN-HUB (46.225.188.41)

| Subdomain | Service |
|---|---|
| docs.coown.foundation | Documentation site |
| mcp-hub.coown.foundation | MCP hub services |
| outline.coown.foundation | Outline wiki |

CWN-AML (89.167.68.163)

| Subdomain | Service |
|---|---|
| aml.coown.foundation | AML services |
| blockscout.coown.foundation | Block explorer |
| n8n-aml.coown.foundation | n8n workflow automation (AML) |

Agent Access

For complete agent access rules across all platforms, see Agent Access Matrix (GOV-ACM-001).


Security Boundaries

| Boundary | Restriction | Rationale |
|---|---|---|
| CWN-AML | No OpenClaw access (cloud or local) | Compliance isolation — AI agents cannot access audit data |
| SQL-AML | AI agents: Read Only | Writes restricted to human AML officers + n8n workflows |
| CWN-HUB | No OpenClaw access | Public-facing; deployment via CWN-CPU only |
| IC-Claw | OpenClaw N/A | Client-facing; local Qwen has RW for wallet operations |

Network Architecture

┌─────────────────┐     Tailscale      ┌─────────────────┐
│   LOC-MAYA      │◄──────────────────►│   CWN-CPU       │
│   (Local Dev)   │       Mesh         │  (Orchestrator) │
└─────────────────┘                    └────────┬────────┘
                                                │
                       ┌────────────────────────┘
                       │
              ┌────────▼────────┐    ┌────────▼────────┐
              │   CWN-HUB       │    │   CWN-AML       │
              │ (Public Web)    │    │ (Compliance)    │
              │   No AI Access  │    │   Read-Only AI  │
              └─────────────────┘    └─────────────────┘

Key Principles:

- Tailscale mesh for all VPS-VPS and Laptop-VPS communication
- No inbound connections to local devices (laptop initiates all connections)
- CWN-CPU orchestrates HUB and AML; no direct AI access to HUB/AML


SSH Access

Quick Connect (skai8888 user)

# SSH to any server
ssh cwn-cpu
ssh cwn-aml
ssh cwn-hub

# Or use short aliases
ssh cpu
ssh aml
ssh hub

# Direct access to accounting app
ssh accounting

SSH Config

Add to ~/.ssh/config:

# CWN-CPU - Main Application Server (VPS 1)
Host cwn-cpu cpu
    HostName 89.167.53.57
    User skai8888
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ServerAliveInterval 60
    ServerAliveCountMax 3

# CWN-AML - Compliance/Audit Server (VPS 2)
Host cwn-aml aml
    HostName 89.167.68.163
    User skai8888
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ServerAliveInterval 60
    ServerAliveCountMax 3

# CWN-HUB - Public/Edge Server (VPS 3)
Host cwn-hub hub
    HostName 46.225.188.41
    User skai8888
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ServerAliveInterval 60
    ServerAliveCountMax 3

# Accounting App (alias for CWN-HUB)
Host accounting
    HostName 46.225.188.41
    User skai8888
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
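
A check a reviewer could run against the Key Principle that all Laptop-VPS traffic goes over the Tailscale mesh: it parses an ssh_config and lists the Host blocks whose HostName is a literal address outside Tailscale's address ranges. This is an added example, not part of COOWN's tooling; the function names, the sample config and its addresses are constructed for illustration.

```python
import ipaddress

# Tailscale node address ranges: the CGNAT IPv4 block and Tailscale's IPv6 ULA prefix.
TAILSCALE_NETS = [ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48")]

def parse_ssh_config(text):
    """Map each Host line's patterns to the HostName set in that block."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = value
            hosts.setdefault(current, None)
        elif key == "match":
            current = None                      # Match blocks are out of scope here
        elif key == "hostname" and current is not None and hosts[current] is None:
            hosts[current] = value              # first value wins, as in ssh itself
    return hosts

def classify(hostname):
    """Return 'tailscale', 'direct' (literal non-mesh address) or 'name'."""
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return "name"                           # DNS/MagicDNS name: resolve and check separately
    return "tailscale" if any(addr in net for net in TAILSCALE_NETS) else "direct"

def off_mesh_hosts(text):
    """Host blocks that connect to a literal address outside the mesh."""
    return [(h, n) for h, n in parse_ssh_config(text).items()
            if n and classify(n) == "direct"]

# Constructed sample config (documentation-range and made-up addresses).
SAMPLE = """\
Host cwn-cpu cpu
    HostName 203.0.113.10
Host cwn-aml aml
    HostName 100.101.102.103
Host cwn-hub hub
    HostName hub.tailnet.example
"""

if __name__ == "__main__":
    for host, name in off_mesh_hosts(SAMPLE):
        print(f"{host}: {name} is not a Tailscale address")
```

Entries classified as `name` are not judged here; resolve them and pass the resulting address to `classify` to cover them as well.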

Legacy Access (openclaw user)

| Server | SSH Command | Key File | Notes |
|---|---|---|---|
| CWN-CPU | ssh openclaw@89.167.53.57 or ssh openclaw@cpu-coown (Tailscale) | ~/.ssh/id_ed25519_openclaw_cpu | Agent/service account |
| CWN-AML | ssh openclaw@89.167.68.163 |  | Restricted; human + n8n only |
| CWN-HUB | ssh openclaw@46.225.188.41 |  | Via CWN-CPU deployment only |

User Permissions

| User | Servers | Access Level | Purpose |
|---|---|---|---|
| skai8888 | All three | NOPASSWD sudo | Human admin access (Simon/you) |
| openclaw | CWN-CPU, CWN-HUB | Docker, deployment | Service account for automation |
| root | All | Full | Emergency only; direct SSH disabled |