SIMS Verified 2026-06-05 For Pedro · Vusal · Gabriel

Operate SIMS through the office jump host.

Everything routes through one machine that already holds the Simoldes VPN — no Horizon, no FortiClient on your own laptop. RDP in, connect the VPN, and you can deploy, view the frontend, and check health on the pilot.

You (your Mac) → RDP / SSH over Tailscale → Office VM (100.79.8.19) → FortiClient VPN → Pilot VM (172.30.1.160)

Office VM · jump host

Holds the VPN. You connect here first.
  • Reach: procimo-office-linux / 100.79.8.19
  • RDP: :3390
  • Login: procimo / Admin#03

Pilot VM · deployed SIMS

The real running SIMS (pocprocimo).
  • Reach: 172.30.1.160 (via VPN)
  • Login: procimo / *SP.pr0c1m0#
  • Auth: office→pilot is passwordless (key)

Step 0 · Prerequisites & setup

Do these once. After this, every session is just steps 1–4.

A. Install the Remote Desktop app

Microsoft renamed it Windows App (formerly Microsoft Remote Desktop).

Mac: Mac App Store → search “Windows App” → install. (The legacy “Microsoft Remote Desktop” also works.)

Windows: It’s built in — search “Remote Desktop Connection” (mstsc).

B. Add the office machine as a PC

In Windows App → + Add → Add PC:

  • PC name: procimo-office-linux:3390  (or 100.79.8.19:3390)
  • User account: procimo / Admin#03
  • Gateway: None — on first connect, accept the certificate (self-signed, expected).

C. Tailscale on the admin@procimo.com account

Tailscale is how you reach the office VM from anywhere. Install from tailscale.com/download, then make sure you’re on the procimo.com tailnet (ask Gabriel for an invite if not).

bash
tailscale status | grep procimo-office-linux
# if you're on the wrong account:
tailscale switch admin@procimo.com

D. Install your SSH key on the office VM

So you don’t type the office password on every command. Run once (prompts for Admin#03):

bash
ssh-copy-id procimo@100.79.8.19

Done once? You now have Windows App + the office PC saved, Tailscale on the right tailnet, and key-based SSH to the office VM. The office→pilot hop is already passwordless.

Step 1 · Connect the VPN

The VPN lives on the office VM and is connected interactively (SSO + 2FA) each session.

  1. RDP into the office VM: Windows App → procimo-office-linux:3390 (user procimo, pass Admin#03).
  2. Open FortiClient → REMOTE ACCESS → SAML Login (connection VPN CNCs).
  3. Firefox opens → log in with Simoldes SSO + your authenticator 2FA.
  4. Status goes to Connected.

Confirm it’s up (from your Mac, no RDP needed):

bash
ssh -i ~/.ssh/<your-key> -o IdentitiesOnly=yes procimo@100.79.8.19 \
  'ip route | grep fctvpn && echo VPN_UP || echo VPN_DOWN'

The VPN is per-session (2FA each time). It must be connected on the office VM before any pilot step (2–4) works. RDP/SSH to the office VM keep working while it’s up — the routing is protected.

Step 2 · Deploy packages to the pilot

Build the images on your Mac (amd64), then transfer through the office VM to the pilot.

1. Build on your Mac

bash
docker build --platform linux/amd64 -t sims-backend  ./sims-backend
docker build --platform linux/amd64 -t sims-frontend ./sims-frontend
docker save sims-backend  | gzip > sims-backend.tar.gz
docker save sims-frontend | gzip > sims-frontend.tar.gz

2. Transfer — one-shot Mac → pilot (relayed via the office VM)

bash
scp -i ~/.ssh/<your-key> -o IdentitiesOnly=yes \
    -o ProxyJump=procimo@100.79.8.19 \
    sims-*.tar.gz procimo@172.30.1.160:~/

If ProxyJump misbehaves, do it in two explicit hops:

bash
# Mac -> office
scp -i ~/.ssh/<your-key> -o IdentitiesOnly=yes sims-*.tar.gz procimo@100.79.8.19:~/
# office -> pilot (passwordless via office VM key)
ssh -i ~/.ssh/<your-key> -o IdentitiesOnly=yes procimo@100.79.8.19 \
  'scp -i ~/.ssh/id_ed25519 -o IdentitiesOnly=yes ~/sims-*.tar.gz procimo@172.30.1.160:~/'

3. Load + restart on the pilot

bash
# SSH to the pilot through the office VM:
ssh -i ~/.ssh/<your-key> -o IdentitiesOnly=yes -J procimo@100.79.8.19 procimo@172.30.1.160

# On the pilot:
docker load < sims-backend.tar.gz && docker load < sims-frontend.tar.gz
cd /opt/sims/sims-backend
docker compose stop backend front-end
docker rm -f sims-api sims-frontend          # remove old containers FIRST
docker compose up -d backend front-end

Pilot gotchas:
  • VM service names are backend / front-end / ingestion (not api/frontend).
  • docker restart does not re-read .env → always rm -f + compose up -d.
  • Env (root-owned): /opt/sims/sims-backend/.env. Compose: /opt/sims/sims-backend/docker-compose.yml.
  • Backend 500s with missing columns → docker exec sims-api alembic upgrade head, then restart it.
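
A digest check that fits between the transfer and docker load, so a truncated or stale archive is caught before the old containers are removed. This is an added example, not part of the original runbook; the manifest name sims-images.sha256 and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original runbook. The manifest name
# sims-images.sha256 and all function names are assumptions.

# sha256: use sha256sum (Linux pilot) or shasum (macOS build machine).
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
  else shasum -a 256 "$@"; fi
}

# make_manifest DIR: on the Mac, after `docker save`, record one digest
# per sims-*.tar.gz archive in DIR.
make_manifest() (
  cd "$1" || exit 2
  set -- sims-*.tar.gz
  [ -f "$1" ] || { echo "no sims-*.tar.gz in $PWD" >&2; exit 1; }
  sha256 "$@" > sims-images.sha256
)

# verify_manifest DIR: on the pilot, succeed only if the manifest exists and
# every archive it lists is present with a matching digest.
verify_manifest() (
  cd "$1" || exit 2
  [ -s sims-images.sha256 ] || { echo "manifest missing or empty" >&2; exit 1; }
  sha256 -c sims-images.sha256 >/dev/null 2>&1
)

# load_verified DIR: run `docker load` only after verification passes, and
# only for the archives named in the manifest.
load_verified() (
  verify_manifest "$1" || { echo "digest check failed: not loading" >&2; exit 1; }
  cd "$1" || exit 2
  while read -r _digest name; do
    docker load -i "${name#\*}" || exit 1   # strip binary-mode "*" prefix
  done < sims-images.sha256
)
```

Copy sims-images.sha256 along with the archives in the transfer step and run load_verified "$HOME" on the pilot in place of the two docker load commands. Because the manifest travels over the same path as the archives, it catches truncation and stale files; comparing the digests over a separate channel is what covers changes made on the relay.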

Step 3 · View the running frontend

Open an SSH tunnel that forwards the pilot’s port 80 to a local port, through the office VM.

bash
# Mac -> office VM -> pilot:80, exposed locally as http://localhost:8080
ssh -i ~/.ssh/<your-key> -o IdentitiesOnly=yes \
    -L 8080:172.30.1.160:80 procimo@100.79.8.19

Leave that terminal open, then open http://localhost:8080 in your browser.

Frontend login: admin@simoldes.com / admin123

Replaces the old -L 8080:localhost:80 procimo@172.30.1.160 — the tunnel now goes via the office VM, so you don’t need the VPN on your own laptop. Forward :8000 the same way to hit the API directly.

Step 4 · Check containers & health

SSH to the pilot (ssh … -J procimo@100.79.8.19 procimo@172.30.1.160), then run any of these. No sudo needed.

Container status + health

bash
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"

Healthy looks like:

output
NAMES            STATUS                  PORTS
sims-frontend    Up 5 weeks              0.0.0.0:80->80/tcp
sims-api         Up 5 weeks (healthy)    0.0.0.0:8000->8000/tcp
sims-ingestion   Up ... (healthy)
sims-db          Up 5 weeks (healthy)    5432/tcp
sims-redis       Up 5 weeks (healthy)    6379/tcp
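
The same check as a pass/fail script, for a deploy wrapper or a scheduled job: it reads docker ps output and reports any of the five containers listed above that is missing, not running, or failing its health check. Added example, not part of the original runbook; the function name and the name|status format string are assumptions, and the sample input is constructed.

```sh
#!/bin/sh
# Added example, not part of the original runbook.
# Usage on the pilot:
#   docker ps -a --format '{{.Names}}|{{.Status}}' | check_sims_health

# Container names taken from the "Healthy looks like" table.
SIMS_EXPECTED="sims-frontend sims-api sims-ingestion sims-db sims-redis"

# check_sims_health: read "name|status" lines on stdin, print one line per
# problem, and return non-zero if any expected container is missing, not Up,
# or reporting (unhealthy) / (health: starting).
check_sims_health() {
  awk -F'|' -v expected="$SIMS_EXPECTED" '
    BEGIN { bad = 0 }
    { status[$1] = $2 }
    END {
      n = split(expected, want, " ")
      for (i = 1; i <= n; i++) {
        c = want[i]
        if (!(c in status)) { print c ": MISSING"; bad = 1 }
        else if (status[c] !~ /^Up / ||
                 status[c] ~ /\((unhealthy|health: starting)\)/) {
          print c ": " status[c]; bad = 1
        }
      }
      exit bad
    }'
}

# Constructed sample: api failing its health check, ingestion crash-looping,
# redis absent. sims-frontend has no health check, so plain "Up" is fine.
sample_degraded() {
  cat <<'EOF'
sims-frontend|Up 5 weeks
sims-api|Up 2 minutes (unhealthy)
sims-ingestion|Restarting (1) 5 seconds ago
sims-db|Up 5 weeks (healthy)
EOF
}

sample_degraded | check_sims_health || echo "SIMS health check failed"
```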

Quick endpoint health

bash
curl -s -o /dev/null -w "FE  :80   = %{http_code}\n" http://localhost:80
curl -s -o /dev/null -w "API :8000 = %{http_code}\n" http://localhost:8000/health
# both should be 200

Logs

bash
docker logs --tail 100 sims-api
docker logs -f sims-frontend                       # follow; Ctrl+C to stop
docker logs sims-api 2>&1 | grep "progrow sync"    # proGrow running?

Resources & database

bash
docker stats                                       # live CPU/mem; q to quit

# Postgres (role sims_user, db sims_db — NOT -U postgres)
docker exec sims-db psql -U sims_user -d sims_db -c "SELECT count(*) FROM machines;"

# Restart a stuck service (env changes need rm -f + up -d instead)
cd /opt/sims/sims-backend && docker compose restart front-end

Troubleshooting

  • Symptom: Can’t reach 100.79.8.19 at all
    Fix: tailscale status must show procimo-office-linux. Wrong account → tailscale switch admin@procimo.com.
  • Symptom: RDP error 0x204 / 0x4
    Fix: Usually transient. Fully quit + reopen Windows App. If still failing, the office VM’s tailscale0 may be down — a watchdog auto-restarts it within ~30s; wait and retry.
  • Symptom: Pilot 172.30.1.160 unreachable
    Fix: VPN not connected on the office VM. RDP in & reconnect FortiClient (step 1). Verify with ip route | grep fctvpn.
  • Symptom: scp/ssh to pilot asks for a password
    Fix: You’re SSHing as yourself instead of via the office VM. Use -J procimo@100.79.8.19 — office→pilot uses the office VM’s installed key.
  • Symptom: FortiClient GUI froze the desktop
    Fix: Use SAML Login (external Firefox), not the embedded browser. It’s already configured for external browser.
  • Symptom: Frontend localhost:8080 blank / refused
    Fix: Tunnel not up or VPN down. Ensure the VPN is connected on the office VM, then re-run the step 3 command.

Credentials

  • Office VM: procimo / Admin#03 — RDP :3390, SSH over Tailscale 100.79.8.19
  • Pilot VM: procimo / *SP.pr0c1m0# — only via VPN; office→pilot passwordless by key
  • FortiClient VPN: Procimo@simoldes.pt + Simoldes SSO + your 2FA (connection VPN CNCs)
  • SIMS frontend: admin@simoldes.com / admin123

Full credential docs: Linear “Accesses & Quick Links” + “Simoldes (legacy) VPN connection”. Deploy details: docs/deploy-runbook.md.

Escalation

While Joaquim is away:

  • Technical / SIMS: Gabriel
  • Client coordination / logistics: João Faria