Empire Ring - Empire Node (Server) Tech Stack

Empire Ring - Empire Node (Server) Tech Stack
Here’s a structured tech stack inventory broken into categories, tuned for your Empire Node + Agentic Node + mobile nodes + forum/Code Night pipeline.

High Level Tour:

Core Operating Systems & Base​

Software	Category	Purpose / Use
Ubuntu 22.04 LTS	Operating System	Stable, Jetson-supported OS for Empire & Agentic nodes.
Raspberry Pi OS Lite / DietPi	Operating System	Lightweight OS for mobile/onboarding nodes.
Docker / docker-compose	Containerization	Package and run services (Django, MySQL, Redis, MQTT, etc.) consistently.
Systemd	Init/Service Manager	Auto-start containers, WireGuard, and background services.

---

Data & Storage​

Software	Category	Purpose / Use
MySQL / MariaDB	Relational Database	Store structured data: users, tasks, posts, LLC records.
Redis	In-memory DB / Cache	Used by Celery & Django Channels for queues and real-time data.
SQLite	Lightweight DB	Mobile nodes, small local storage before syncing back.
MinIO (S3 compatible)	Object Storage	File/media storage (attachments, backups).
Encrypted Backups	Data Protection	Nightly rotation, safe restore points.

---

Messaging & Communication​

Software	Category	Purpose / Use
RabbitMQ	Message Broker	Heavy jobs, Celery workers, agentic task distribution.
MQTT (Eclipse Mosquitto + paho-mqtt)	IoT Messaging	Lightweight pub/sub for NFC ring scans, mobile node chatter.
Celery	Task Queue	Runs background jobs, distributed across Empire & Agentic nodes.
WireGuard	VPN	Secure mesh network between Empire, Agentic , and mobile nodes.
OpenSSH	Remote Access	Hardened secure shell into nodes.

---

Application Frameworks​

Software	Category	Purpose / Use
Python 3.11+	Language Runtime	Main language for AI integration, services, and Django apps.
Django 5	Web Framework	Core application framework for AI Governor, forums, APIs.
Django REST Framework	API Layer	Build REST APIs (for tasks, AI calls, forum).
Django Channels	Real-time	WebSockets for live updates in forums & dashboards.
Poetry / Pipenv	Dependency Mgmt	Manage Python packages cleanly.

---

AI / Agentics​

Software	Category	Purpose / Use
JetPack SDK (CUDA/cuDNN/TensorRT)	NVIDIA Drivers	Enable GPU acceleration on Jetson Orin nodes.
PyTorch / Transformers (optional)	AI Libraries	Run inference models locally on the Orins.
AI Governor (custom Django app)	Orchestration	Fan-out prompts to AI systems (Empire Orin, Agentic Orin, me, Grok).
External AI APIs	Cloud AI	Connect to large external AIs for redundancy and variety.

---

Security & Identity​

Software	Category	Purpose / Use
Django SimpleJWT	Auth Library	Token-based auth for APIs.
Fail2ban	Security Tool	Protects against brute-force SSH attacks.
ufw / nftables	Firewall	Block/allow network traffic.
AppArmor / SELinux	Kernel Security	Enforce restrictions on processes.
HashiCorp Vault (optional)	Secrets Management	Store API keys and credentials securely.
Disk Encryption (LUKS)	Data Security	Protect data if hardware is seized/lost.

---

Web & Frontend​

Software	Category	Purpose / Use
Gunicorn / Uvicorn	ASGI/WSGI Servers	Run Django apps inside Docker.
Nginx	Reverse Proxy	Routes requests, adds TLS, load-balances Empire/Agentic .
Tailwind CSS	Frontend Styling	Tron-glow UI style for forums/dashboards.
HTMX / Alpine.js	Lightweight JS	Add interactivity without SPA complexity.
Markdown (python-markdown)	Content Formatting	Render forum posts and docs.

---

DevOps & Monitoring​

Software	Category	Purpose / Use
Ansible	Provisioning	Automate golden image setups, configs.
Prometheus	Metrics	Collect system stats (CPU, GPU, memory, tasks).
Grafana	Dashboards	Visualize metrics, show agentic performance.
structlog / OpenTelemetry	Logging/Tracing	Unified logs for debugging.
OBS Studio	Recording	Capture Code Night sessions and demos.

---

Community / Forum Layer​

Software	Category	Purpose / Use
Django Forum App (custom)	Community	Threads, posts, analytics with Dim/Fact/Join models.
Markdown Editor	Post Creation	Rich text input for users.
WebSockets (Channels)	Live Updates	Instant notifications in forum UI.
Invite Token System	Onboarding	Single-use invite-only membership flow.

---

Hardware Layer​

• Core Compute
  • NVIDIA Jetson Orin Nano / NX (Empire + Agentic nodes, GPU/AI acceleration)
  • Raspberry Pi 5 / 4 / Zero 2 W (mobile + onboarding nodes)
  • SSDs (NVMe / SATA for OS + data)
  • Network switches with PoE
• Peripherals
  • Touchscreens (for mobile nodes)
  • NFC/RFID readers (Empire Ring authentication)
  • Mini vibration motors, haptics, mic/speaker units (node UX)
  • LED lighting, OLED status panels
• Power
  • UPS + battery banks (mobile node autonomy)
  • Overseas converters for travel setups

---

Operating Systems​

• Core Nodes: Ubuntu 22.04 LTS (Jetson Orin supported + stable)
• Mobile Nodes: Raspberry Pi OS Lite / DietPi (low overhead)
• Optional: Debian or Alpine for container builds

---

Application / Runtime Layer​

• Languages
  • Python 3.11+ (primary, AI + web stack)
  • Bash (automation, provisioning)
  • C (device drivers, performance critical tasks)
  • (Legacy) C# / ASP.NET Core 7+ (some services you’re migrating off)
• Frameworks
  • Django 5 (web framework + ORM + auth)
  • Django REST Framework (API)
  • Django Channels (real-time websockets)
  • Celery (background tasks)
  • Poetry / Pipenv (package management)

---

Data / Storage Layer​

• Databases
  • MySQL / MariaDB (relational, core system DB)
  • Redis (cache + pub/sub for Channels, Celery)
  • SQLite (lightweight DB for mobile nodes)
• File / Media
  • MinIO / S3-compatible storage (media, backups)
  • Encrypted backup archives (offsite storage)

---

Messaging & Communication​

• Lightweight Messaging
  • MQTT (paho-mqtt client, for node chatter + NFC events)
• Job Queue / Tasks
  • RabbitMQ (Celery broker, heavy workloads)
• Real-time
  • WebSockets (Django Channels)
  • SignalR (legacy from .NET world, optional)
• VPN & Secure Transport
  • WireGuard (node-to-node mesh VPN)
  • OpenSSH (remote access, hardened)
  • TLS everywhere (MQTT, RabbitMQ, Django API)

---

AI / Agentics Layer​

• AI Integration
  • Local Jetson Orin acceleration (TensorRT, cuDNN, CUDA via JetPack)
  • Python AI libraries (transformers, torch, etc. as needed)
  • External AI APIs (me, Grok, others)
• Governance
  • “AI Governor” (Django app + Celery tasks) to fan-out requests to multiple AIs, reconcile results, and enforce rules

---

Security & Identity​

• Authentication / Identity
  • Django built-in auth + JWT (simplejwt)
  • NFC-based login (Empire Ring → MQTT publish event)
  • WireGuard keys (per node identity)
• Hardening Tools
  • Fail2ban (SSH brute force protection)
  • ufw / nftables (firewall rules)
  • AppArmor / SELinux profiles (optional, advanced)
• Data Protection
  • Disk encryption (LUKS)
  • API key vault (HashiCorp Vault, or env-secrets managed via .env)

---

Web & Frontend​

• Backend Serving
  • Gunicorn / uvicorn (Django ASGI)
  • Nginx reverse proxy
• Frontend
  • Tailwind CSS (clean styling, matches your Tron-glow aesthetic)
  • Alpine.js / HTMX (light interactivity, no heavy SPA)
  • Markdown-based editor (forum posts)

---

DevOps & Automation​

• Containerization
  • Docker / docker-compose (core stack packaging)
  • k3s (optional micro-k8s for cluster deploys)
• Provisioning
  • Ansible playbooks (infra setup, golden image creation)
  • Bash scripts for backups, seeders, migration
• Monitoring
  • Prometheus + Grafana (metrics, dashboards)
  • structlog + OpenTelemetry (structured logs)

---

Development & Community​

• Forum Stack
  • Django forum app (Dim/Fact/Join models, your style)
  • Markdown rendering (python-markdown)
  • WebSocket live updates
• Code Night Tools
  • GitHub/GitLab repos for teaching cohorts
  • VS Code / PyCharm (Python IDEs)
  • OBS Studio / GoPro integration (for your movie + code demos)

---

This stack is modular:

• Empire Node: full stack (DB, AI Governor, Celery, RabbitMQ, MQTT broker).
• Agentic Node: mirrored services + GPU workload runner + failover.
• Mobile Nodes: slim client (MQTT, WireGuard, lightweight Django/SQLite).

 

[Flynn]

Empire Ring - Empire Node (Server) Tech Stack - The Build

Perfect. Here’s a tight, do-able Winter Build Order (60 days) that gets your Empire Node + Agentic Node + mobiles online, talking, and using Jetson Orin horsepower. I’m giving you: a week-by-week plan, a repo/file layout, AND fully-commented scripts/config so you can paste and run.

0) Repo layout (clone this structure)​

empire-stack/
├─ .env.example
├─ docker-compose.yml
├─ Dockerfile.web
├─ scripts/
│ ├─ 01_install_docker.sh
│ ├─ 02_harden_ssh.sh
│ ├─ 03_wireguard_setup.sh
│ ├─ 04_seed_users.sh
│ ├─ 05_systemd_compose.service
│ ├─ 06_backup_rotate.sh
│ └─ README_TOPICS.md
├─ mqtt/
│ ├─ mosquitto.conf
│ └─ passwd # generated by mosquitto_passwd
├─ empire_core/… # (Django project from earlier message)
└─ ai_governor/… # (same as earlier)

1) Winter Build Order (8 weeks)​

Week 1 — Base OS + Docker + SSH hardening (both Orins)

1. Flash Ubuntu 22.04 LTS (JetPack support).
2. Paste/run scripts/01_install_docker.sh on both nodes.
3. Paste/run scripts/02_harden_ssh.sh (keys only, ufw, fail2ban).
4. Copy this repo to Empire and Agentic.

Week 2 — WireGuard mesh + hostnames

1. Run scripts/03_wireguard_setup.sh on Empire first, then Agentic (fill peer blocks).
2. Give stable names: empire-node, Agentic-node. Test ping over wg (10.8.0.0/24).

Week 3 — Core services on Empire

1. Fill .env from .env.example.
2. docker-compose up -d (MySQL, Redis, RabbitMQ, Mosquitto, Django web, Celery, MQTT bridge).
3. python manage.py migrate && python manage.py seed_demo.

Week 4 — Mirror on Agentics + failover test

1. On Agentics, bring up the same compose (web optional; definitely Celery).
2. Stop Empire web temporarily—confirm Agenticworkers still process tasks via VPN.
3. Bring Empire back, confirm normal ops.

Week 5 — Mobile nodes (Pi)

1. Raspberry Pi OS Lite + WireGuard client + paho-mqtt.
2. NFC ring → Pi: publish to empire/tasks/create.
3. Receive results on empire/tasks/<id>/queued|done.

Week 6 — AI acceleration + agentics

1. Install JetPack on both Orins (CUDA/cuDNN/TensorRT).
2. Pin a local model/inference service on each node (optional now; stub endpoint OK).
3. Add systems in Django Admin: “Empire-Orin”, “Agentic-Orin”, external (me/Grok). Dispatch a task and see all responses logged.

Week 7 — Security polish + backups

1. TLS for MQTT and RabbitMQ, rotate creds, enable ufw deny-by-default.
2. scripts/06_backup_rotate.sh nightly.
3. Create an offline recovery USB image; print and store WireGuard keys.

Week 8 — Docs + Code Night prep

1. Write your Code Night “Golden Image” steps.
2. Record 2 short videos: “Mesh Built” + “First Agentics Dispatch.”
3. Open the private forum cohort.

2) Environment template (.env.example)​

DJANGO_SECRET_KEY=change-me
DJANGO_DEBUG=True
ALLOWED_HOSTS=localhost,127.0.0.1,empire-node,Agentic-node
DB_NAME=empire
DB_USER=empire
DB_PASSWORD=empirepass
DB_HOST=mysql
DB_PORT=3306
REDIS_URL=redis://redis:6379/0
RABBITMQ_URL=amqp://guest:guest@rabbitmq:5672//
MQTT_HOST=mosquitto
MQTT_PORT=1883

3) Docker Compose (services for Empire/Agentic; Empire runs web)​

version: "3.9"
services:
mysql:
image: mysql:8.0
environment:
MYSQL_DATABASE: ${DB_NAME}
MYSQL_USER: ${DB_USER}
MYSQL_PASSWORD: ${DB_PASSWORD}
MYSQL_ROOT_PASSWORD: rootpass
ports: ["3306:3306"]
volumes: ["mysql_data:/var/lib/mysql"]
command: ["mysqld","--default-authentication-plugin=mysql_native_password","--character-set-server=utf8mb4","--collation-server=utf8mb4_unicode_ci"]


redis:
image: redis:7
ports: ["6379:6379"]


rabbitmq:
image: rabbitmq:3-management
ports: ["5672:5672","15672:15672"]


mosquitto:
image: eclipse-mosquitto:2
ports: ["1883:1883"] # add 8883:8883 after TLS
volumes:
- ./mqtt/mosquitto.conf:/mosquitto/config/mosquitto.conf
- ./mqtt/passwd:/mosquitto/config/passwd


web:
build:
context: .
dockerfile: Dockerfile.web
env_file: .env
volumes: [".:/app"]
depends_on: [mysql,redis,rabbitmq,mosquitto]
ports: ["8000:8000"]
command: bash -lc "python manage.py migrate && python manage.py runserver 0.0.0.0:8000"


worker:
build:
context: .
dockerfile: Dockerfile.web
env_file: .env
volumes: [".:/app"]
depends_on: [web,redis,rabbitmq]
command: bash -lc "celery -A celery_app.celery_app worker -l info"


mqttbridge:
build:
context: .
dockerfile: Dockerfile.web
env_file: .env
volumes: [".:/app"]
depends_on: [web,mosquitto]
command: bash -lc "python -m ai_governor.mqtt_bridge"


volumes:
mysql_data:

4) Dockerfile.web (Django/Celery image)​

FROM python:3.11-slim
WORKDIR /app
RUN apt-get update && apt-get install -y build-essential default-libmysqlclient-dev && rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
ENV DJANGO_SETTINGS_MODULE=empire_core.settings
EXPOSE 8000
CMD ["bash","-lc","python manage.py runserver 0.0.0.0:8000"]

5) Mosquitto config (mqtt/mosquitto.conf)​

Minimal dev config; switch to TLS + per-client certs in Week 7​

persistence true
persistence_location /mosquitto/data/
allow_anonymous false
password_file /mosquitto/config/passwd
listener 1883 0.0.0.0

6) Script: install Docker + Compose (scripts/01_install_docker.sh)​

#!/usr/bin/env bash
set -euo pipefail

Install Docker CE + compose on Ubuntu 22.04​

sudo apt-get update
sudo apt-get install -y ca-certificates curl gnupg lsb-release
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg]
https://download.docker.com/linux/ubuntu $(. /etc/os-release; echo $UBUNTU_CODENAME) stable"
| sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo usermod -aG docker "$USER"
echo "Log out/in to activate docker group."

7) Script: SSH hardening + UFW + Fail2ban (scripts/02_harden_ssh.sh)​

#!/usr/bin/env bash
set -euo pipefail

Require keys, rate-limit, firewall​

sudo apt-get update && sudo apt-get install -y fail2ban ufw
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
echo "MaxAuthTries 3" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart ssh
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 51820/udp # WireGuard
sudo ufw allow 8000/tcp # Django dev
sudo ufw allow 1883/tcp # MQTT (dev)
sudo ufw allow 5672/tcp 15672/tcp 6379/tcp 3306/tcp
yes | sudo ufw enable
sudo systemctl enable fail2ban

8) Script: WireGuard mesh (scripts/03_wireguard_setup.sh)​

#!/usr/bin/env bash
set -euo pipefail

Simple single-peer template; run on Empire first, then add Agentic as peer.​

sudo apt-get update && sudo apt-get install -y wireguard
WG_IF=wg0
WG_DIR=/etc/wireguard
sudo mkdir -p $WG_DIR && cd $WG_DIR
if [ ! -f privatekey ]; then
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
fi
PRIV=$(cat privatekey)
PUB=$(cat publickey)
read -rp "Is this EMPIRE or Agentic? [E/W]: " ROLE
if [ "$ROLE" = "E" ] || [ "$ROLE" = "e" ]; then

Empire config​

cat <<EOF | sudo tee $WG_IF.conf
[Interface]
PrivateKey = $PRIV
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true

Add Agentics peer block AFTER you generate Agentics public key​

[Peer]​

PublicKey = <AGENTICS_PUBLIC_KEY>​

AllowedIPs = 10.8.0.2/32​

Endpoint = <agentic_public_ip>:51820​

PersistentKeepalive = 25​

EOF
else

Agentic config (you must paste Empire public key and endpoint)​

read -rp "Empire public key: " EMP_PUB
read -rp "Empire endpoint (ip:51820): " EMP_EP
cat <<EOF | sudo tee $WG_IF.conf
[Interface]
PrivateKey = $PRIV
Address = 10.8.0.2/24
ListenPort = 51820
SaveConfig = true


[Peer]
PublicKey = $EMP_PUB
AllowedIPs = 10.8.0.1/32, 10.8.0.0/24
Endpoint = $EMP_EP
PersistentKeepalive = 25
EOF
fi
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wg.conf
sudo systemctl enable wg-quick@${WG_IF}
sudo systemctl start wg-quick@${WG_IF}
sudo wg

9) Systemd unit to auto-start compose (scripts/05_systemd_compose.service)​

[Unit]
Description=Empire Stack (docker compose)
Requires=docker.service
After=docker.service


[Service]
Type=oneshot
WorkingDirectory=/home/YOURUSER/empire-stack
ExecStart=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down
RemainAfterExit=true
TimeoutStartSec=0


[Install]
WantedBy=multi-user.target

10) Backup script (scripts/06_backup_rotate.sh)​

#!/usr/bin/env bash
set -euo pipefail

Nightly backup of MySQL dump + .env; keep 7 days​

BACK=/var/backups/empire
mkdir -p "$BACK"
STAMP=$(date +%Y%m%d_%H%M%S)
docker exec -i $(docker ps -qf name=mysql) mysqldump -u${DB_USER:-empire} -p${DB_PASSWORD:-empirepass} ${DB_NAME:-empire} > "$BACK/mysql_${STAMP}.sql"
cp /home/YOURUSER/empire-stack/.env "$BACK/env_${STAMP}.txt" || true
ls -1t "$BACK" | tail -n +15 | xargs -r -I {} rm -f "$BACK/{}"

11) MQTT topic guide (scripts/README_TOPICS.md)​

Topic contract (keep it simple, stable)​

Publish task:

• topic: empire/tasks/create
• payload: {"prompt":"SUMMARIZE THIS...", "files":[]}

System feedback:

• empire/tasks/{id}/queued
• empire/tasks/{id}/done
• empire/errors

Device events (optional):

• empire/devices/{device_id}/online|offline
• empire/devices/{device_id}/metrics

12) Seed helper (scripts/04_seed_users.sh)​

#!/usr/bin/env bash
set -euo pipefail
docker compose exec -it web bash -lc "python manage.py createsuperuser"
docker compose exec -it web bash -lc "python manage.py seed_demo"

---

How to use this right now​

1. Create the folder tree above; paste each file where shown.
2. On Empire: run scripts 01 → 02 → 03; fill peers later.
3. On Agentic: run 01 → 02 → 03; paste Empire public key/endpoint when prompted.
4. Copy .env.example to .env, adjust passwords.
5. docker compose up -d on Empire (and Agentics if you want mirrored workers).
6. bash scripts/04_seed_users.sh → login to admin → add AISystems for Empire-Orin / Agentics-Orin / external AIs.
7. Publish a test MQTT payload to empire/tasks/create and watch it flow.