Infrastructure Independence — Strategic Initiative
Classification: Internal — Strategic Initiative Prepared by: Anshin Health Engineering Version: 2.0, 2026-03-22
Goal
Anshin Health operates its entire infrastructure stack — network, security, DNS, secrets, VPN, user access, Kubernetes, monitoring, certificates, and domains — without relying on any individual consultant or external contractor for routine operations.
North star: An authorized operator opens a terminal, types a question or instruction in plain English, and Claude Code executes it safely — with full audit trail, rollback ability, and documented rationale.
Operational Interface — Claude Code + MCP
All infrastructure operations are performed through Claude Code connected to purpose-built MCP servers. Each MCP server gives Claude direct, audited, role-controlled access to a specific system.
| System | MCP Server | What It Manages |
|---|---|---|
| Firewall / Network | mcp-opnsense | Firewall rules, VLANs, routing, Suricata IDS |
| Switch Fabric | mcp-omada | TP-Link Omada SDN — ports, LAGs, VLANs |
| Secrets | mcp-infisical | All credentials, tokens, API keys |
| Identity / Users | mcp-freeipa | User accounts, groups, Kerberos, PKI |
| VPN Access | mcp-netbird | Peer management, access policies, groups |
| Kubernetes | mcp-kubectl | Deployments, namespaces, services |
| CI/CD | mcp-gitlab | Pipelines, repositories, merge requests |
| Monitoring | mcp-prometheus | Metrics, alerts, dashboards |
| Config Mgmt | mcp-ansible | OS configuration, provisioning |
| DNS / Domains | mcp-porkbun | External DNS records, domain management |
Access Segregation
Infrastructure access is role-controlled at three levels:
Anshin Staff — Full internal access (all VLANs, K8s, Proxmox/OpenStack)
Onnex Staff — Scoped access (partner VLANs, designated K8s namespaces only)
External Customers — DMZ only (public-facing app endpoints, no internal network access)
Each role maps to: FreeIPA group → NetBird VPN policy → K8s RBAC → SaaS Guard tenant scope.
Implementation Phases
| Phase | Milestone | Status |
|---|---|---|
| 0 | MCP servers for identity (FreeIPA) + VPN (NetBird) + DNS (Porkbun) | 🔵 In Progress |
| 1 | Network hardware cutover — OPNsense + TP-Link Omada | 🔵 Planned |
| 2 | OpenStack deployment on HP#2 + HP#3, migrate off Proxmox | 📋 Scheduled |
| 3 | GPU farm activation (HP#4), K8s GPU node pool | 📋 Scheduled |
| 4 | Full MCP operational stack — complete AI-assisted administration | 📋 Scheduled |
Governance
All infrastructure changes initiated through Claude Code are:
- Logged — every MCP operation is timestamped and attributed
- Reversible — configuration changes are committed to git before application
- Approved — destructive or security-sensitive operations require explicit Bryan confirmation in the chat interface (Prime Directive)
Operational runbooks and detailed implementation procedures are maintained in the private knowledge store, accessible only to authorized Engineering personnel.
Detailed Runbooks
Full implementation runbooks, MCP configuration details, user provisioning workflows, and network cutover procedures are maintained in the private engineering knowledge store (not published here). Contact the Engineering Director for access.