Service Map
The services running across SuperHiTech infrastructure and the Leif tools that manage them.
A by-category inventory of the services SuperHiTech runs and how Leif reaches each one. Where a service’s host or endpoint is already pinned down elsewhere, it’s repeated here; where a specific isn’t documented yet, it’s marked rather than guessed.
Telephony
FreePBX serves SuperHiTech and select customers over a Flowroute SIP trunk. Security is a Fail2Ban + SonicWall combination, and internal extensions resolve via a SonicWall hairpin so they work from inside the network.
| Service | Host / endpoint | Leif tools |
|---|---|---|
| FreePBX | Internal 192.168.5.24, public 168.75.130.98 | None dedicated — reach via SSH/remote_execute_command (with config) or the SonicWall log tools below |
| SIP trunk | Flowroute (manage.flowroute.com) | None — vendor portal only |
| Edge filtering | SonicWall (Fail2Ban + policy drops) | sonicwall_log_search, sonicwall_log_summary, sonicwall_vpn_activity |
See Network Topology for the FreePBX IPs and VoIP details.
Monitoring
Two monitoring surfaces. LibreNMS handles distributed device monitoring over WireGuard to customer sites; UniFi data is cached on SHTops and exposed through dedicated tools.
| Service | Host / endpoint | Leif tools |
|---|---|---|
| LibreNMS | Distributed; WireGuard VPN to customer sites — host not yet documented | None dedicated — reach via SSH/remote_execute_command (with config) |
| Aruba 6000 switches | SNMP (AOS-Switch, not AOS-CX; NAE unsupported) | None — monitored through LibreNMS |
| UniFi | Cached on SHTops | unifi_get, unifi_search, unifi_status |
Mail
The corporate mail server runs Virtualmin with Postfix and maintains DKIM and SPF for deliverability.
| Service | Host / endpoint | Leif tools |
|---|---|---|
| Inbound MX / filtering | Proofpoint Essentials (mx1-us1.ppe-hosted.com / mx2-us1.ppe-hosted.com) | cf_list_dns_records (MX records) |
| Virtualmin / Postfix | webserver.super-ht.com (168.75.130.100) | None dedicated — reach via SSH/remote_execute_command (with config) |
| DKIM + SPF | Records on webserver.super-ht.com; DNS managed in Cloudflare. SPF authorizes Google Workspace + Proofpoint; DMARC is p=none | cf_list_dns_records, cf_update_dns_record (for the DNS-side records) |
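Mailbox-level work for Workspace mail uses the gmail_* tools; the Virtualmin / Postfix server above is a separate system. Inbound mail for super-ht.com is filtered by Proofpoint before delivery. With DMARC at p=none, the policy is monitor-only: receivers are asked to report SPF/DKIM alignment failures, not to quarantine or reject the mail.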
Web
The corporate marketing site is WordPress fronted by Cloudflare. This documentation site is the Astro build on Cloudflare Pages.
| Service | Host / endpoint | Leif tools |
|---|---|---|
| Corporate WordPress | super-ht.com — Cloudflare-proxied, origin 34.67.240.14 (Google Cloud); admin via ssh super-ht.com (wp-cli) | cf_* for DNS/cache; SSH for wp-cli |
| Leif Docs | docs.leif.super-ht.com → leif-docs.pages.dev (Cloudflare Pages) | None dedicated — Cloudflare Pages build; DNS via cf_* |
The corporate site was previously documented as SiteGround-hosted; the live
origin is Google Cloud (34.67.240.14).
Edge / DNS
Cloudflare fronts the public hostnames. A Tunnel maps the MCP endpoints to the
Leif host, Pages serves the docs site, and the cf_* tools manage zones, DNS,
SSL, and cache.
| Service | Host / endpoint | Leif tools |
|---|---|---|
| Cloudflare Tunnel | mcp.super-ht.com / leif.super-ht.com → Leif (10.10.0.25) | cf_list_zones, cf_get_zone, cf_get_zone_settings |
| Cloudflare Pages | docs.leif.super-ht.com | cf_* (DNS / zone management) |
| DNS records | Cloudflare zones | cf_list_dns_records, cf_create_dns_record, cf_update_dns_record, cf_delete_dns_record |
| TLS / cache | Cloudflare zone settings | cf_get_ssl_mode, cf_set_ssl_mode, cf_set_zone_setting, cf_purge_cache |
The Cloudflare account holds 12 zones — super-ht.com plus customer domains
(vanwyk.com, vanwykrecruiting.com, sanbornpropane.com, sheldongolf.com,
cityofsheldon.com, colelogisticsinc.com, coletruckinginc.com, prinsins.com,
redrockdp.com, shtserver.com, superhi.tech). Beyond the Leif/MCP/Pages
hostnames, several internal services are exposed through Cloudflare Tunnels:
ntfy.super-ht.com (obs-01 alerting), shtops.super-ht.com (SHTops dashboard),
and the EDU/pricing surfaces (odyssey, rs-webhook, deals, money).
Backup
Backups use Storj object storage as their destination. Customer Veeam replication into SuperHiTech storage rides the Van Wyk tunnel, which carries a NAT translation worth remembering (given below the table).
| Service | Host / endpoint | Leif tools |
|---|---|---|
| Proxmox Backup Server | pbs-01 (CT 114 on pve) → storj-pbs datastore | pve_lxc_exec (node pve, vmid 114) |
| Storj backup destination | Object storage, fronted by the PBS storj-pbs datastore (~86 GB) | None dedicated |
| Veeam replication (Van Wyk) | Over the Van Wyk site-to-site tunnel | None — see network topology |
| Backup host | nvrbackup (10.10.0.14, SSH :2223) | remote_execute_command |
Proxmox guest backups run through the pbs-01 container (Proxmox Backup
Server, CT 114) writing to the storj-pbs datastore on Storj — see
Proxmox → Storage pools.
The Van Wyk tunnel NATs the customer’s real 192.168.10.0/24 to
10.99.10.0/24 on the SuperHiTech side. See
Network Topology for the full detail.
Virtualization
Proxmox hosts the VMs and LXCs behind much of the above. Leif manages it through
the pve_* family.
| Service | Host / endpoint | Leif tools |
|---|---|---|
| Proxmox VE | Reached on port 22 of the pricing host’s address space (not the pricing app — see hosts) | pve_node_status, pve_vm_list, pve_lxc_list, pve_storage_list, pve_template_list, pve_* lifecycle/exec tools |
Applications
Two in-house applications run on nvrbackup (10.10.0.14), each with its own
tool family. The pricing app handles vendor price lists and product catalog; the
finance project is a trading-signal collection and ML scoring system.
| Service | Host / endpoint | Leif tools |
|---|---|---|
| Pricing app | nvrbackup (10.10.0.14), /home/superht/pricing/ | pricing_app_* (imports, products, parsing, Keepa, health) |
| Finance / trading project | nvrbackup (10.10.0.14), /home/superht/finance/, API :3000 | finance_* (portfolio, quotes, positions, signals, watchlists, risk); finance_app_* (shell/file on the finance tree) |
See Hosts for the full path and routing detail on both applications.
Compute / GPU
GPU workloads run on an on-demand RunPod cloud instance, reached over SSH. The endpoint is ephemeral — RunPod rotates the public IP and port per pod start.
| Service | Host / endpoint | Leif tools |
|---|---|---|
| RunPod GPU pod | Dynamic public IP + high port (e.g. 213.173.109.238:49862) | runpod_execute_command, runpod_get_system_info, runpod_list_directory, runpod_read_file, runpod_write_file |
Related pages
- Hosts — host inventory and tool routing rules
- Network Topology — VPNs, public endpoints, VoIP, the Van Wyk tunnel
- Cron Schedule — recurring jobs across hosts
- Architecture — how Leif and the tunnel fit together
Last verified against live systems: 2026-06-01 — see doc freshness.