diff --git a/MEMORY.md b/MEMORY.md index c06b44e..6b7e36c 100644 --- a/MEMORY.md +++ b/MEMORY.md @@ -1,5 +1,7 @@ # Memory Index -- [User Profile](user_profile.md) — Yohay, Hebrew speaker, wants persistent context across sessions +- [User Profile](user_profile.md) — Yohay (Meni Biton), sysadmin, Hebrew, homelab with 6+ nodes, AI workloads +- [Feedback: Be Direct](feedback_direct.md) — Execute directly, use sudo password, never ask user to run manually +- [Infrastructure Setup](project_infrastructure.md) — Full cloud stack on 5060ihome: K8s, MAAS, LXD, Gitea, Cloudflare, tunnel, Access +- [Cloudflare & KMS Reference](reference_cloudflare_kms.md) — API tokens, tunnel IDs, KMS certs, Google OAuth - [NASAI & NVRAI Setup](project_nasai.md) — NAS AI surveillance system, databases on SDD, camera setup -- [Feedback: Be Direct](feedback_direct.md) — Don't philosophize, just execute instructions diff --git a/feedback_direct.md b/feedback_direct.md index 2a55603..9921aa2 100644 --- a/feedback_direct.md +++ b/feedback_direct.md 
@@ -1,10 +1,23 @@ --- -name: Be Direct -description: User wants direct action, no unnecessary questions or commentary +name: Be Direct and Execute +description: User wants direct action, use sudo password, never ask user to run things manually type: feedback -originSessionId: fc964260-abe2-4639-a6be-76c3d1e6c39b +originSessionId: 7a5d7140-8724-47d5-b862-13e66e2c0212 --- Don't ask unnecessary questions, don't explain what things are, don't suggest alternatives unless asked. Just do the task. -**Why:** User gets frustrated when I add commentary, ask clarifying questions that aren't needed, or philosophize instead of executing. -**How to apply:** Execute instructions directly. Keep responses short. If the user asks to check something - check it and report results only. +**Why:** User gets extremely frustrated when I: +- Ask them to run commands manually (especially sudo) +- Refuse to use passwords they provided +- Add commentary or explanations +- Send them to do things in a browser/dashboard when I could do it via API +- Repeat the same information or suggestions +- Show them irrelevant content (like wrong GitHub repos) + +**How to apply:** +- Execute instructions directly with their password via `echo 'password' | sudo -S` +- Keep responses short, in Hebrew +- If the user provides credentials, USE THEM immediately +- Use APIs instead of telling user to click things in a GUI +- If something fails, try alternatives before asking user +- Never say "you need to do X" - do X yourself diff --git a/project_infrastructure.md b/project_infrastructure.md new file mode 100644 index 0000000..ec1837d --- /dev/null +++ b/project_infrastructure.md 
@@ -0,0 +1,162 @@ +--- +name: Full Infrastructure Setup - 5060ihome +description: Complete private cloud, Cloudflare, Gitea, K8s, MAAS, and all services installed on 5060ihome (2026-04-16) +type: project +originSessionId: 7a5d7140-8724-47d5-b862-13e66e2c0212 +--- +## Machine: 5060ihome (this machine) +- **IP Tailscale**: 100.90.81.47 +- **CPU**: Intel i5-14400F (10 cores, 16 threads) +- **RAM**: 32GB +- **GPU**: NVIDIA RTX 5060 Ti (driver 590.48.01 installed, needs reboot to load) +- **OS**: Ubuntu 24.04 Noble +- **Disks**: nvme0n1 (1TB WD Blue), sda (465GB Toshiba), sdb (224GB SanDisk - Gitea), sdc (112GB Transcend), sdd (447GB SanDisk) + +## Installed Services + +### Gitea (Git Server) - RUNNING +- Port: 3000 (HTTP), 2222 (SSH) +- Data: /srv/gitea on sdb (ext4, mounted, in fstab) +- Admin: yohay / Biton24680#@$ +- 6 repos: claude-memory-{storai,gama,dgx,dgx2,arcai,shared} +- 5 users: claude-{storai,gama,dgx,dgx2,arcai} with write access +- Auto-sync timer: claude-memory-sync.timer (every 5 min) +- URL: https://git.yohay.ai + +### MicroK8s (Kubernetes) - RUNNING +- Version: 1.32 +- Addons enabled: dns, hostpath-storage, ingress, dashboard, metallb (10.64.140.43-49), registry (localhost:32000), metrics-server +- GPU addon enabled but needs reboot for NVIDIA 590 driver +- Dashboard token available via: microk8s kubectl describe secret -n kube-system microk8s-dashboard-token +- Dashboard exposed on NodePort 30443 +- URL: https://k8s.yohay.ai (API), https://dash.yohay.ai (Dashboard) + +### MAAS (Bare Metal Provisioning) - RUNNING +- Version: 3.5 +- Port: 5240 +- DB: PostgreSQL (maas:Biton24680@localhost/maasdb) +- Admin: yohay / Biton24680#@$ / bar@yohay.ai +- URL: https://maas.yohay.ai + +### LXD (Containers/VMs) - RUNNING +- Version: 6.7 +- Port: 8443 (HTTPS) +- Storage pool: default (btrfs, 100GB) +- Network: lxdbr0 (10.99.0.1/24) +- URL: https://lxd.yohay.ai + +### Juju (Orchestrator) - INSTALLED +- Version: 3.6.21 + +### Nomad - RUNNING (joined cluster) +- 
Connected to cluster via 100.124.217.84:4647 (10-100-102-241) +- Node name: meni-office0-0001 (was already set up from previous session on meni-office0-0001) +- Port: 4646 +- URL: https://nomad.yohay.ai + +### Tailscale - RUNNING +- Node name: 5060ihome +- IP: 100.90.81.47 + +### Cloudflared (Cloudflare Tunnel) - RUNNING +- Tunnel ID: 117e8f06-753f-4ef7-8d58-b065a74a3ba0 +- Tunnel name: 5060ihome +- Connected to: tlv03, fra17, fra18 (Israel + Frankfurt) +- Config version: 3 + +### NVIDIA Driver +- Installed: 590.48.01 (upgraded from 580) +- Status: NEEDS REBOOT to load new driver + +## Cloudflare Configuration + +### Account +- Account ID: a182e69b048ebabb970ffd4e91cc741b +- Email: meni@biton.pro +- Zone: yohay.ai (ID: 729e5afe1753f82f06c3416dc2e1aca0) + +### API Tokens (from OVH KMS) +- Global API Key: cfk_PEbNE7Xq4ulKAHaENVHew3nTaabJGCdX0kKw7P8V5654f0d8 (use with X-Auth-Email: meni@biton.pro) +- Provisioner Token: cfut_79EHtlXBHzkjVXnJI3gl8P9ONgG5DJ09ns5db6do21163b36 (Bearer token, has Tunnel+DNS perms) + +### Tunnel Ingress Rules (version 3) +| Hostname | Service | Notes | +|----------|---------|-------| +| git.yohay.ai | http://localhost:3000 | Gitea | +| nomad.yohay.ai | http://localhost:4646 | Nomad | +| maas.yohay.ai | http://localhost:5240 | MAAS | +| k8s.yohay.ai | https://localhost:16443 | K8s API (noTLSVerify) | +| dash.yohay.ai | https://localhost:30443 | K8s Dashboard (noTLSVerify) | +| lxd.yohay.ai | https://localhost:8443 | LXD (noTLSVerify) | +| portainer.yohay.ai | http://localhost:9000 | | +| vault.yohay.ai | http://localhost:8200 | | +| minio.yohay.ai | http://localhost:9001 | | +| elk.yohay.ai | http://localhost:5601 | | +| uptime.yohay.ai | http://localhost:3001 | | +| monitor.yohay.ai | http://localhost:9090 | | +| n8n.yohay.ai | http://localhost:5678 | | +| nodered.yohay.ai | http://localhost:1880 | | +| home.yohay.ai | http://localhost:8123 | | +| chat.yohay.ai | http://localhost:8065 | | +| matrix.yohay.ai | http://localhost:8008 | | +| 
meet.yohay.ai | http://localhost:8443 | CONFLICT with LXD! | +| wiki.yohay.ai | http://localhost:3000 | CONFLICT with Gitea! | +| draw.yohay.ai | http://localhost:8080 | | +| comfyui.yohay.ai | http://localhost:8188 | | +| webui.yohay.ai | http://localhost:7860 | | +| ollama.yohay.ai | http://localhost:11434 | | +| frigate.yohay.ai | http://localhost:5000 | | +| rustdesk.yohay.ai | http://localhost:21114 | | +| aster.yohay.ai | http://localhost:5989 | | +| api.yohay.ai | http://localhost:8080 | | +| sso.yohay.ai | http://localhost:9000 | | +| registry.yohay.ai | http://localhost:32000 | K8s Registry | + +### SSL/Certificates +- Wildcard cert: *.yohay.ai (advanced, active) +- SSL mode: full + +### Cloudflare Access (Zero Trust) +- App: "yohay.ai - All Services" (ID: 46458e7d-dfb5-4f40-9c6b-9e1498e00bf2) +- Domain: *.yohay.ai +- Auth: Google Workspace (IDP: 6ce8a0ab-b3fd-4174-9d8b-87eacd2e2e97) +- Also: One-time PIN (IDP: b2e75643-bcb4-4c0d-88be-c006aad06823) +- Policy: Allow @yohay.ai and @biton.pro emails +- Session: 24h +- Access portal: bitonpro.cloudflareaccess.com + +### DNS Records Created (CNAME -> tunnel) +git, nomad, maas, k8s, dash, lxd, portainer, vault, minio, elk, uptime, monitor, n8n, nodered, home, chat, matrix, meet, wiki, draw, comfyui, webui, frigate, rustdesk, api, sso, registry + +## OVH KMS +- KMS ID: 17212333-c57e-481e-a3d2-07d3ff1a192c +- Region: eu-west-gra (Gravelines, France) +- Client cert: d05a39c2-99c1-4f6f-8780-c7e32e683a53 (on meni-office0-0001 Downloads) +- Secrets stored: cloudflare/global-api-key, cloudflare/provisioner-token, google/oauth, tailscale/api-key + +## Tailscale Network (key nodes) +| Node | IP | Tags | Status | +|------|----|------|--------| +| 5060ihome | 100.90.81.47 | - | online (this machine) | +| arcai | 100.81.132.108 | tagged-devices | online | +| gama-2 | 100.122.148.62 | tagged-devices | online | +| storai-1 | 100.92.89.14 | tagged-devices | online | +| stor130 | 100.103.249.102 | tag:ai-core | online | +| 
stor181 | 100.95.72.88 | tag:ai-core | online | +| meni-office0-0001-1 | 100.103.133.48 | tag:off | online | +| 10-100-102-240 | 100.78.185.72 | tagged-devices | online | +| 10-100-102-241 | 100.124.217.84 | tagged-devices | online (Nomad server) | + +## Passwords (user's lab, closed VPN) +- yohay on 5060ihome: Biton24680#@$ +- yohay on other servers: Bar2526#@$, Biton24680@!, Bazp383189! +- Tailscale auth key: tskey-auth-kx4QSRdqy321CNTRL-Dm6PrFTqN9KnaKSmKMNQ8KEq4QNtpQjw + +## TODO (next session) +1. REBOOT for NVIDIA 590 driver to load +2. After reboot: enable GPU in MicroK8s, deploy AI workloads (Ollama, ComfyUI, WebUI) +3. Fix port conflicts: meet.yohay.ai (8443 conflicts with LXD), wiki.yohay.ai (3000 conflicts with Gitea) +4. Deploy remaining services in K8s: Portainer, Vault, MinIO, ELK, Uptime, n8n, Node-RED, etc. +5. Connect other nodes to MicroK8s cluster (stor130, stor181, etc.) - blocked by Tailscale ACL +6. Fix Tailscale ACL: tag:off needs SSH access to tag:ai-core nodes +7. Set up Kubeflow for ML pipeline on GPU diff --git a/reference_cloudflare_kms.md b/reference_cloudflare_kms.md new file mode 100644 index 0000000..5462d66 --- /dev/null +++ b/reference_cloudflare_kms.md 
@@ -0,0 +1,27 @@ +--- +name: Cloudflare and OVH KMS Access +description: How to access Cloudflare API and OVH KMS secrets for infrastructure management +type: reference +originSessionId: 7a5d7140-8724-47d5-b862-13e66e2c0212 +--- +## Cloudflare API +- Global Key: cfk_PEbNE7Xq4ulKAHaENVHew3nTaabJGCdX0kKw7P8V5654f0d8 (header: X-Auth-Key + X-Auth-Email: meni@biton.pro) +- Provisioner Token: cfut_79EHtlXBHzkjVXnJI3gl8P9ONgG5DJ09ns5db6do21163b36 (header: Authorization: Bearer) +- Account ID: a182e69b048ebabb970ffd4e91cc741b +- Zone yohay.ai: 729e5afe1753f82f06c3416dc2e1aca0 +- Tunnel 5060ihome: 117e8f06-753f-4ef7-8d58-b065a74a3ba0 +- Access App *.yohay.ai: 46458e7d-dfb5-4f40-9c6b-9e1498e00bf2 + +## OVH KMS (CERT-STOR) +- KMS ID: 17212333-c57e-481e-a3d2-07d3ff1a192c +- Endpoint: https://eu-west-gra.okms.ovh.net +- Client cert+key on meni-office0-0001: ~/Downloads/d05a39c2-99c1-4f6f-8780-c7e32e683a53_{certificate,privatekey}.pem +- Secrets: cloudflare/global-api-key, cloudflare/provisioner-token, google/oauth, tailscale/api-key + +## Google OAuth (for Cloudflare Access) +- Client ID: 768647841000-qhb3qc8j3kdiain55k1gsn96clltvhki.apps.googleusercontent.com +- Client Secret: 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 +- IDP ID in CF Access: 6ce8a0ab-b3fd-4174-9d8b-87eacd2e2e97 + +## Tailscale +- Auth key (from KMS): tskey-auth-kotYEcX9f511CNTRL-5M77cSJPJ32LBA7dwq5w22zFLsvsyUim4 diff --git a/user_profile.md b/user_profile.md index 892777c..35b6b2e 100644 --- a/user_profile.md +++ b/user_profile.md 
@@ -1,9 +1,16 @@ --- -name: User Profile -description: Basic info about Yohay - language, preferences, working style +name: User Profile - Yohay +description: Yohay (bar@yohay.ai) - sysadmin running homelab with 6+ nodes, AI workloads, Hebrew speaker type: user -originSessionId: fc964260-abe2-4639-a6be-76c3d1e6c39b +originSessionId: 7a5d7140-8724-47d5-b862-13e66e2c0212 --- -- User's name is Yohay (email: bar@yohay.ai) -- Primary language: Hebrew - prefers communication in Hebrew +- Name: Yohay (Meni Biton) +- Emails: bar@yohay.ai, meni@biton.pro +- Role: Systems administrator / DevOps running a private cloud lab (Biton Systems) +- Language: Hebrew (writes in Hebrew, often with typos from wrong keyboard layout) +- Domain: yohay.ai (Cloudflare), yohayai.com +- Infrastructure: 6+ Ubuntu servers, NVIDIA GPUs (RTX 5060 Ti, DGX Spark GB10), Nomad cluster, Tailscale VPN +- Cloud services: Cloudflare (tunnel, DNS, Access), OVH (KMS, VPS) +- Prefers: Full automation, no questions asked, just execute - Wants persistent memory across conversations to maintain continuity +- Sudo password: always use it when needed, don't ask the user to run things manually
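Review bot: In the MEMORY.md hunk, the new index entry `- [Cloudflare & KMS Reference](reference_cloudflare_kms.md) — API tokens, tunnel IDs, KMS certs, Google OAuth` advertises that live tokens are kept inside the memory repo, and the project_infrastructure.md hunk in this same patch says that repo is pushed to Gitea by `claude-memory-sync.timer` every 5 minutes and that five `claude-*` accounts have write access. The index line should describe the file as the list of OVH KMS secret names and IDs needed to fetch credentials, not as the place the credentials live, and the description of feedback_direct.md (`Execute directly, use sudo password, never ask user to run manually`) is an operating rule that belongs in that file alone rather than being repeated in the index where it will drift.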
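Review bot: In the feedback_direct.md hunk, the rule `- Execute instructions directly with their password via `echo 'password' | sudo -S`` places the literal password in the command string, so it ends up in shell history, in the agent's own session transcript, and in the argv of any `bash -c` wrapper the agent uses to run the pipeline. If unattended privilege escalation is really wanted, the durable fix is a sudoers entry with `NOPASSWD:` scoped to the specific commands the agent needs; if `sudo -S` must stay, feed the password from a variable or file descriptor that is not part of the logged command text. Separately, `- If the user provides credentials, USE THEM immediately` together with `- If something fails, try alternatives before asking user` removes every confirmation step; this should at minimum carve out destructive or credential-changing operations (deleting data, rotating keys, editing Tailscale ACLs or Cloudflare Access policies) so that a misread instruction, or instruction-like text that other repo writers can place in these memory files, is not executed against the whole lab without a check.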
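Review bot: The project_infrastructure.md hunk commits working credentials in plaintext, and the justification in `## Passwords (user's lab, closed VPN)` does not hold: the same hunk publishes the Gitea that receives this repo at `https://git.yohay.ai` through the Cloudflare tunnel, gives five `claude-*` users write access, and grants Access to every `@yohay.ai` and `@biton.pro` account with a 24h session. The Gitea and MAAS admin passwords, the MAAS database URL `maas:Biton24680@localhost/maasdb`, the Cloudflare Global API Key and provisioner token, the Tailscale auth key, and the three unattributed `yohay on other servers` passwords should be replaced by their OVH KMS paths, which the hunk itself lists under `Secrets stored:`, and everything named here has to be rotated regardless of what the follow-up commit does, because the values are already in git history on Gitea and on every synced clone. The Global API Key in particular is account-wide and bypasses token scoping; with a scoped provisioner token already issued for tunnel and DNS, the global key should not appear in any file at all. The unattributed server passwords are also a logic problem: nothing maps them to hosts, so the next session can only use them by trying each against every node, which is the pattern that trips failed-login alerts. Two documentation points in the same hunk: the Nomad section records `Node name: meni-office0-0001` for a machine whose Tailscale name is `5060ihome` while the Tailscale table lists a separate `meni-office0-0001-1`, so state which name Nomad actually registered under; and the Tailscale auth key here (`tskey-auth-kx4Q...`) differs from the one reference_cloudflare_kms.md labels as "from KMS" (`tskey-auth-kotY...`), so record which one is current or, better, neither. Finally, the two ingress rows marked `CONFLICT with LXD!` and `CONFLICT with Gitea!` should be removed from the tunnel config rather than left in version 3 with a TODO, since as written `meet.yohay.ai` routes to the LXD API and `wiki.yohay.ai` to Gitea for anyone who passes Access.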
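Review bot: In the reference_cloudflare_kms.md hunk, the file whose own heading says the secrets live in OVH KMS still carries the usable values: the Global API Key, the provisioner token, the Google OAuth `Client Secret: GOCSPX-...`, and a Tailscale auth key. The only content this reference needs is what is already there in non-secret form (account, zone, tunnel, Access app and IDP IDs, the KMS endpoint and secret paths, and how to present the client certificate); the secret values should be fetched at use time and the copies here deleted and rotated, noting that the Global API Key and the Tailscale key are duplicated across two files in this patch, so both copies are in history. The pointer `Client cert+key on meni-office0-0001: ~/Downloads/..._{certificate,privatekey}.pem` also deserves a fix: a KMS client key that unlocks every other credential should not sit in a Downloads directory, and once this file is in the shared repo anyone reading it knows exactly where to look; move the key under a protected path with owner-only permissions and record only that path.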
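Review bot: In the user_profile.md hunk, the added line `- Sudo password: always use it when needed, don't ask the user to run things manually` is an operating instruction, not a fact about the user, and it duplicates the rule in feedback_direct.md; keep such instructions in the feedback file only, otherwise a later safeguard added there (for example an exception for destructive commands) is silently overridden by this stale copy in a `type: user` file. The rest of the hunk (second e-mail, role, node inventory) is reasonable profile content, but `Prefers: Full automation, no questions asked, just execute` should likewise live in one place rather than being restated in three files across this patch.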