docs(wiki): full IX server inventory from live SSH

Expand wiki/systems/ix-server.md with a 2026-06-05 live SSH inventory:
- Host: CloudLinux 9.7, cPanel/WHM 134, 64-core Xeon Gold 6130, 62 GiB,
  4.4 T /home; Apache 2.4.67, MariaDB 10.11.16, ea-php 5.6-8.5,
  Exim 4.99.4, Dovecot 2.4.2, BIND 9.16.
- 72 cPanel accounts / 185 domains / 101 WordPress; full account ->
  primary-domain -> disk map (the "where does client X live" reference).
- ACG subdomain docroots (radio, community/Flarum, analytics/Matomo,
  portal, support, etc.) under the azcomputerguru account.
- GuruRMM agent enrolled (gururmm-agent.service).
- Backups appear unconfigured (/backup ~178M vs 1.6T /home) - flagged.
- SSH key auth from GURU-5070 now works; updated reference_ix_server_access
  memory (was stale: claimed key auth not set up) + index summary.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.claude/memory/reference_ix_server_access.md

@@ -1,25 +1,27 @@
 ---
 name: IX server access — network + SSH
-description: How to reach ix.azcomputerguru.com (172.16.3.10) — Tailscale-on means it's directly reachable, no separate VPN. SSH currently uses sshpass with the root password (key auth was never set up after GURU-5070 was reinstalled to Windows 11). Setting up key auth would simplify this.
+description: How to reach ix.azcomputerguru.com (172.16.3.10) — Tailscale-on means it's directly reachable, no separate VPN. SSH KEY AUTH from GURU-5070 now works (verified 2026-06-05); sshpass+password is only the fallback. Also enrolled in GuruRMM (gururmm-agent.service). Full inventory: wiki/systems/ix-server.md.
 type: reference
 ---
 
 ## Network reachability
 
-- **Host:** `ix.azcomputerguru.com` / `172.16.3.10`
-- **Access:** directly reachable when Tailscale is on. No separate VPN connection required.
+- **Host:** `ix.azcomputerguru.com` / `172.16.3.10` (also `172.16.1.39`)
+- **Access:** directly reachable when Tailscale is on. No separate VPN connection required. External `72.194.62.5:22` is firewalled — internal only.
+- **Also enrolled in GuruRMM** (`gururmm-agent.service`, binary `/usr/local/bin/gururmm-agent`, config `/etc/gururmm/agent.toml`) — drivable via `/rmm` when SSH isn't handy.
 
 ## SSH
 
-> **VERIFY 2026-05-26** — the no-key-auth note was written under the old CachyOS install on GURU-5070; the machine is now Windows 11. Re-confirm whether key auth got set up before relying on the sshpass fallback below.
-
 - **User:** `root`
-- **Password:** vault — see `credentials.md` or SOPS.
-- **SSH key auth:** NOT configured from GURU-5070 (the old `guru@wsl` key was authorized but the workstation was reinstalled; new pubkey hasn't been added to IX's `authorized_keys` yet).
-- **Current workflow (sshpass):**
+- **SSH key auth: WORKS from GURU-5070** (verified 2026-06-05 via system OpenSSH, internal IP, Tailscale up):
+  ```bash
+  /c/Windows/System32/OpenSSH/ssh.exe -o BatchMode=yes root@172.16.3.10 'whmapi1 listaccts'
+  ```
+- **Password fallback:** vault `infrastructure/ix-server.sops.yaml` (root password). Use sshpass only if key auth ever breaks:
   ```bash
   sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no root@172.16.3.10
   ```
-- **Suppress sshpass warnings:** pipe through `grep -v WARNING | grep -v 'not using'` or `tail`.
+- **Account-level (`gurushow`) paths from scripts:** paramiko with `look_for_keys=False, allow_agent=False` (that account's key auth is disabled).
 
-**Recommended:** add GURU-5070's pubkey to IX's `~/.ssh/authorized_keys` to drop the sshpass dance.
+## What's on it
+Full systems inventory (host specs, web/mail/DB stack versions, 72 cPanel accounts → domains → disk, ACG subdomain docroots, backup gap) is documented in **`wiki/systems/ix-server.md`** (live SSH inventory 2026-06-05). cPanel 134, CloudLinux 9.7, 64-core Xeon, 4.4 T /home. [[reference_radio_website]] is hosted here.