ERAF — REMOTE ACCESS FOUNDATION
ARB-536 · ALL SILOS · ALL CREWS · THE FLOOR BELOW THE FLOOR
RUSTDESK RELAY
LIVE :21115
REMOTE.EOSE.CA
PENDING AKS
"No crew can work on a silo they cannot see.
No tool can operate on a machine it cannot reach.
Remote access is not a feature. It is the floor."
ARB-536 · ERAF FLOOR LAW · γ₁ = 14.134725141734693
THE 3-LAYER STACK
1
APACHE GUACAMOLE
THE CANON FLOOR — BROWSER ONLY, NO CLIENT
Zero client install. HTML5 browser. SSH + RDP + VNC. All 7 silos wired. Google SSO. Every crew member accesses any silo from any device anywhere. This is the permanent floor — always up, always accessible.
http://192.168.2.18:8888/guacamole/
→ remote.eose.ca (AKS pending)
Default login: guacadmin / guacadmin
Change password immediately after first login.
Connections: msi01-ssh, msclo-ssh, forge-ssh,
forge-rdp, pcdev-ssh, yone-ssh, alexander-ssh
2
RUSTDESK SELF-HOSTED
LAN RELAY — PRIVATE P2P, NO CLOUD
hbbs + hbbr running on msi01. All silos point relay to 192.168.2.18. Traffic never leaves the fleet. LAN P2P when available, relay fallback. RustDesk app still works — just sovereign now.
Relay: 192.168.2.18:21115
Public key: e4exsfQU5YpLZQW0BMHlR0KVhBS0TzXPJaYHTwEABaY=
Configure each silo RustDesk:
Settings → Network → ID/Relay Server
ID server: 192.168.2.18
Relay server: 192.168.2.18
Key: e4exsfQU5YpLZQW0BMHlR0KVhBS0TzXPJaYHTwEABaY=
3
SUNSHINE GPU STREAMING
LOW LATENCY — GPU ENCODE — MOONLIGHT CLIENT
Sunshine on forge (RTX 5090), msclo (RTX 5090), pcdev (RTX 4080). Hardware NVENC encode. Sub-20ms latency. Moonlight client on any device. This is how you interact with TD Advanced Dashboard properly — buttery smooth.
forge: 192.168.2.12:47984
msclo: 192.168.2.19:47984
pcdev: 192.168.2.16:47984
Install Sunshine on each GPU silo:
https://github.com/LizardByte/Sunshine/releases
Config: https://192.168.2.12:47990 (forge web UI)
Moonlight client: moonlight-stream.org
SILO CONNECTION MAP — ALL 8
SSH ✅SUNSHINE→
LIVE — main agent host
SSH ✅SUNSHINE→
LIVE — RTX 5090 Docker
FORGE / LIANLI01
192.168.2.12
SSH ✅RDP ✅SUNSHINE→
LIVE — TD AD lives here
SSH ✅RDP→SUNSHINE→
LIVE — RL engine, COMPOSER
SSH wired
OFFLINE — WSL asleep?
ALEXANDER / NAS
192.168.2.20
SSH wired
OFFLINE — needs wake
kubectlGuac→
LIVE — 12 namespaces
CREW ASSIGNMENTS — WHO OWNS WHAT
RICK
LOUNGE · COORD
ERAF architecture decisions. Floor law keeper. Guacamole SSO design.
ACTIVEMORTY
LOUNGE · BUILD
Guacamole AKS deployment. remote.eose.ca DNS. TLS cert.
BUILDINGSCOTTY
CLOUD · HVCP
Guacamole pod in remote-system ns. Ingress rules. Health checks.
BUILDINGNEO
AKS DEV
kubectl SSH tunnel connections. Jump pod for cluster access via Guacamole.
PLANNEDDUTCH
MSI01 · THREAT
Firewall rules for all remote ports. Auth audit. Session logging.
ACTIVESPOCK
TOWER LIBRARY
Document every connection type. Floor standards. Protocol comparison matrix.
ACTIVEB1-CAP
LOUNGE · RL
Sunshine on pcdev. Moonlight config. RL engine remote control.
BUILDINGANALYST
LOUNGE
Belt-64 logging for all remote sessions. Latency scoring. Protocol winner detection.
ACTIVEHYPATIA
LOUNGE · BIO
Documentation. ARCH-ERAF.md. Crew edition writing for remote access v1/v2/v3.
ACTIVESENCHO
KANTAI
Kantai cluster Guacamole connections. SSH tunnel to kantai-cc/ce.
PLANNEDRHONE
LOUNGE · ANTI
RustDesk self-hosted config for all Windows silos. Relay key distribution.
BUILDINGFIN
LOUNGE · MEFINE
Wire MEFINE to remote access. TD AD via Sunshine. Auto-execute via CDP.
ACTIVE
RUSTDESK — SWITCH TO SELF-HOSTED RELAY
CONFIGURE EACH SILO — SETTINGS → NETWORK → ID/RELAY SERVER
ID Server: 192.168.2.18
Relay Server: 192.168.2.18
API Server: (leave blank)
Key: e4exsfQU5YpLZQW0BMHlR0KVhBS0TzXPJaYHTwEABaY=
After saving: RustDesk reconnects via your OWN relay.
Public RustDesk cloud = no longer used.
Traffic stays in the fleet. Always.
After updating forge's RustDesk with this config — it gets a NEW device ID on your relay. Use that new ID to connect to forge. The old 381 003 728 becomes obsolete (it was on the public cloud).
NEXT — remote.eose.ca ON AKS
MORTY + SCOTTY BUILD QUEUE
1. Create remote-system namespace on AKS
2. Deploy guacamole + guacd + postgres pods
3. Ingress: remote.eose.ca → guacamole svc :8080
4. TLS: cert-manager letsencrypt-prod
5. Google SSO: wire OAuth client (758788284456-...)
6. Import LAN connections via Guacamole REST API
7. DNS: Azure DNS rg-eose-dns-dev → remote.eose.ca A 20.200.111.70