🌍 CRUMBFOREST — TECHNICAL DEPLOYMENT GUIDE (UNHCR OPS‑STYLE)

With Policy Framework, Field Constraints & Operational Checklists
Version 1.0 — February 2026
Prepared for humanitarian operations, emergency education, child‑protection actors, and digital‑safety units.

0. PURPOSE & SCOPE

This deployment document describes how a Crumbforest system can be set up securely, quickly and resiliently in humanitarian contexts, including:
- 🌐 Offline-first learning infrastructure
- 🔐 Child protection by architecture (Krümelschutz)
- 🔄 Reset and recovery concepts
- 🛰️ Low‑connectivity operations
- 🛡️ UNHCR/UNICEF policy compliance
- 🧩 Minimal technical footprint (Debian, WireGuard, ESP32)

The document follows the formal style used by UNHCR‑OPS, UNICEF ICT4D and WFP FITTEST.

1. SYSTEM OVERVIEW (EXECUTIVE OPS VIEW)

1.1 Mission Objective

Provide a local, child-protective IT learning environment that:
- stores no personal data
- runs fully offline
- enables operation in camps, Schools-in-a-Box and Child-Friendly Spaces
- works with the cheapest hardware (Raspberry Pi, ESP32)
- requires no cloud dependency
- can be maintained by local facilitators

1.2 Core Components

Layer             | Components                      | Purpose
------------------|---------------------------------|-------------------------------
Edge Layer (Kids) | Raspberry Pi, ESP32 WLED        | Learning, direct interaction
Service Layer     | Debian Server, API in Go        | Content, RAG, local AI
Knowledge Layer   | PostgreSQL + pgvector           | Semantic search, curriculum
Inference Layer   | Ollama (local models)           | AI without cloud
Network Layer     | WireGuard (CrumbVPN)            | Secure internal communication
Safety Layer      | CKL, HHL, World Crumb Policy    | Operational child protection

2. DEPLOYMENT MODELS (UNHCR‑OPS)

2.1 Model A — Classroom Box (Schools, CFS, Learning Centers)

Hardware:
- 1× Raspberry Pi 5 (8GB) — Server
- 10× Raspberry Pi 4/5 — Krümel clients
- 10× ESP32 LED devices

Connectivity: Optional (only for updates)
Power: 1× 65W Solar Panel + Powerbank (if needed)
Use Case: Refugee camps, rural schools, mobile schools.

2.2 Model B — Pelicase Deployment (Emergency / Rapid Response)

  • Rugged Pelicase
  • Mini UPS
  • Pi 5, 8× ESP32
  • Offline-first curriculum
  • Reset in < 60 seconds

Use Case: Rapid onset emergencies, Protection clusters, IDP sites, Host community support.

2.3 Model C — Multi‑Forest Star Map (Regional Cluster)

  • Multiple sites
  • Connected via CrumbVPN mesh
  • Each site autonomous
  • No central data storage

Use Case: National Education Ministries, Multi‑school deployments, NGOs with multiple learning sites.

3. TECHNICAL SETUP (STEP‑BY‑STEP)

3.1 Base Server Setup (Debian)

apt update && apt upgrade -y
# golang-go is needed to build the API in 3.4, lynis for the weekly audit in 6.2
apt install -y git vim ufw fail2ban wireguard postgresql python3 golang-go lynis

Disable password login:

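sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
sshd -t && systemctl restart ssh
sshd -T | grep -i '^passwordauthentication'   # must print "passwordauthentication no"; a file in /etc/ssh/sshd_config.d/ can override the main config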

Enable firewall:

ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 51820/udp   # WireGuard ListenPort from 3.5; without it peers cannot reach the server
ufw enable

3.2 PostgreSQL + pgvector

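apt install -y postgresql-16-pgvector   # the version in the package name must match the installed PostgreSQL major version

Create the database, then enable the extension inside it (extensions are installed per database):

sudo -u postgres psql -c "CREATE DATABASE crumblearning;"
sudo -u postgres psql -d crumblearning -c "CREATE EXTENSION IF NOT EXISTS vector;"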

3.3 Ollama (Local AI)

curl -fsSL https://ollama.com/install.sh | sh
systemctl enable --now ollama
ollama pull llama3.2

3.4 Go API

Deploy:

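git clone https://git.crumbforest.org/<repo>/crumb-api.git
cd crumb-api
go build -o crumb-api main.go
# Replace <API_TOKEN> with a random per-site value (for example from: openssl rand -hex 32);
# a fixed, guessable token copied from this guide would be shared by every deployment.
export API_TOKEN="<API_TOKEN>"
./crumb-api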

3.5 WireGuard (CrumbVPN)

Server /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <PRIVKEY>

# Pi Clients
[Peer]
PublicKey = <CLIENT1>
AllowedIPs = 10.0.0.11/32

# ESP32
[Peer]
PublicKey = <ESP32>
AllowedIPs = 10.0.0.20/32

Enable:

systemctl enable --now wg-quick@wg0
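
WireGuard accepts a peer's packets only from the addresses in its AllowedIPs, so each [Peer] entry above also acts as a source-address filter. The Go program below is an added example, not Crumbforest code: it checks that every peer is a unique /32 inside the [Interface] subnet. The name AuditPeers and the over-broad third peer in the sample are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample: the two peers from the server config plus one over-broad entry.
const sampleConf = `[Interface]
Address = 10.0.0.1/24
[Peer]
AllowedIPs = 10.0.0.11/32
[Peer]
AllowedIPs = 10.0.0.20/32
[Peer]
AllowedIPs = 10.0.0.0/24
`

// AuditPeers flags each AllowedIPs entry that is not a unique /32 inside the
// [Interface] subnet (assumes one IPv4 Address, listed before the peers).
func AuditPeers(conf string) (findings []string) {
	var subnet netip.Prefix
	seen := map[netip.Addr]bool{}
	for _, line := range strings.Split(conf, "\n") {
		key, val, _ := strings.Cut(line, "=")
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if key == "Address" {
			subnet, _ = netip.ParsePrefix(val) // invalid value leaves subnet empty: every peer is flagged
		}
		if key != "AllowedIPs" {
			continue
		}
		for _, item := range strings.Split(val, ",") {
			p, err := netip.ParsePrefix(strings.TrimSpace(item))
			switch {
			case err != nil:
				findings = append(findings, "unparseable: "+item)
			case p.Bits() != 32 || !subnet.Contains(p.Addr()):
				findings = append(findings, "not a /32 in subnet: "+p.String())
			case seen[p.Addr()]:
				findings = append(findings, "duplicate: "+p.String())
			}
			seen[p.Addr()] = true
		}
	}
	return findings
}

func main() { fmt.Println(AuditPeers(sampleConf)) }
```
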

3.6 ESP32 (RKL – Regenbogen Krümel Login)

On ESP32:
- periodic beacon
- sends X-Crumb-Resonance: <freq>
- safe mission received (LED color, pattern)

4. FIELD POLICY (UNHCR STYLE)

4.1 Data Protection & Privacy (Equivalent to UNHCR DP Handbook)

The Crumbforest MUST comply with zero collection of personal data, zero cloud dependency, zero behavioural analytics, zero profiling, and zero permanent accounts for minors.

The system MUST:
- store no names
- store no identifiers
- store no learning histories
- allow reset of all data in < 60 seconds

4.2 Protection Principles (aligned with UNHCR/UNICEF Minimum Standards)

  • Principle 1 — Best Interest of the Child: Technology MUST never override child well‑being.
  • Principle 2 — Do No Harm (DNH): Architecture MUST prevent dual‑use, surveillance, or coercion.
  • Principle 3 — Access & Equity: System MUST run in low‑resource contexts.
  • Principle 4 — Accountability & Transparency: All logs technical, not personal. All code open-source. All decisions reproducible.

4.3 Operational Constraints (Field Reality)

The Crumbforest MUST work reliably with:
- intermittent power & network
- limited tech skills
- mixed languages
- high turnover of field staff
- insecure environments
- minimal repair options

5. RISKS & MITIGATIONS (OPS TABLE)

Risk                  | Impact           | Mitigation
----------------------|------------------|----------------------------------
Power instability     | System outage    | Solar + power banks
Theft or damage       | Loss of unit     | Full reset + no personal data
No internet           | No updates       | Offline-first architecture
Staff turnover        | Mismanagement    | Documentation + 60-sec reset
Misuse by authorities | Harm to children | No data stored, no logs with PII
Surveillance attempts | Child risk       | Enforced local-only, no cloud

6. MAINTENANCE & RESET

6.1 Daily

systemctl status cradle
journalctl -u crumb-api | tail
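
The daily journal check is also the point at which to confirm that logs stay technical and not personal, as 4.2 requires. The Go program below is an added example, not Crumbforest code: it flags log lines that contain e-mail, IPv4 or MAC addresses. The patterns, the Audit function and the sample lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Heuristic patterns for values that can single out a person or a device.
// Names cannot be matched by pattern and still need a manual look.
var kinds = []string{"email", "ipv4", "mac"}
var patterns = map[string]*regexp.Regexp{
	"email": regexp.MustCompile(`[\w.+-]+@[\w-]+\.[\w.-]+`),
	"ipv4":  regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`),
	"mac":   regexp.MustCompile(`(?i)\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b`),
}

// Constructed sample lines in journalctl format; not real crumb-api output.
const sample = `Feb 03 09:14:02 forest crumb-api[812]: mission served status=200 dur=12ms
Feb 03 09:14:05 forest crumb-api[812]: beacon from 10.0.0.20 mac=a4:cf:12:9b:00:1e
Feb 03 09:14:09 forest crumb-api[812]: login amira@example.org ok`

// Audit returns "<line number>: <kinds>" for each line that carries an identifier.
func Audit(log string) (findings []string) {
	for i, line := range strings.Split(log, "\n") {
		var hits []string
		for _, k := range kinds {
			if patterns[k].MatchString(line) {
				hits = append(hits, k)
			}
		}
		if len(hits) > 0 {
			findings = append(findings, fmt.Sprintf("%d: %s", i+1, strings.Join(hits, ",")))
		}
	}
	return findings
}

func main() {
	for _, f := range Audit(sample) {
		fmt.Println("identifier in log line", f)
	}
}
```

To check a real journal, pass the text from journalctl -u crumb-api --no-pager to Audit in place of the sample.
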

6.2 Weekly

apt update && apt upgrade -y
lynis audit system

6.3 Full Reset (Takes < 60 seconds)

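systemctl stop crumb-api
pg_dropcluster --stop 16 main        # stop PostgreSQL and delete the cluster's data and config
rm -rf /var/lib/postgresql/* /opt/crumbforest/*
pg_createcluster --start 16 main     # fresh, empty cluster; recreate the database as in 3.2
systemctl start crumb-api            # "systemctl restart all" fails: there is no unit named "all"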

7. TRAINING MATERIALS (FOR FIELD STAFF)

Modules:
- Using the Pi
- Child safety & CKL/HHL
- Reset & Recovery
- ESP32 mission programming
- CrumbVPN mesh management
- Teaching with blinking LEDs

8. APPENDIX: POLICY TEXT (UNHCR‑READY)

The Crumbforest complies with UNHCR's:
- Policy on the Protection of Personal Data of Persons of Concern (2018)
- Age, Gender and Diversity Policy
- Education Handbook
- Emergency Handbook (digital learning)

It also adopts UNICEF's:
- Children's Rights in the Digital Age
- ICT4D Principles
- Child Online Protection Guidelines

The Forest Principle:

If data is not stored, it cannot be misused.