Same endpoint-agnostic ping via EXIT trap. These two jobs have no warning
level, so only rc==0 pings success, any non-zero pings /fail. gitea-bundle
edit is POSIX-sh clean (script is /bin/sh). Capability URLs from per-job host
secret files. bash -n verified.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add endpoint-agnostic Healthchecks pings to the three remaining scheduled
host-audit jobs via an EXIT-trap merge (start + success/fail), so the body of
each script (incl. the 1400-line daily-status-report) stays untouched. Exit
0/1/2 = ran (ok/warning/critical); only rc>2 pings /fail. Capability URLs come
from per-job host secret files (healthchecks_<job>_url), never in the repo.
bash -n verified.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add the same endpoint-agnostic Healthchecks ping wrapper to cert-token-check.sh
(daily) as in posture-check.sh; capability URL from host secret file
healthchecks_cert_token_url. SECRETS_MAP: document the per-job internal ping
URL files. MASTER_TODO: posture-check + cert-token-check wired and verified
(status up); project KalliLab CORE + ntfy integration created.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Wrap main() with a Healthchecks ping (start + success/fail). The capability
ping URL is read from $HEALTHCHECKS_POSTURE_URL or the host secret file
/mnt/user/appdata/secrets/healthchecks_posture_url (never in the repo, same
pattern as pre-borg.sh). Exit code preserved; warning/critical still count as
"ran" (posture alerts stay on ntfy), only a real abort (rc>2) pings /fail.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Webhook authenticated and triggered a successful DeployStack (komodo-core
log 18:39:00). Only remaining step is wiring internal jobs as checks.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Stack deployed to Komodo (id 6a3acf2ca7867a4fbab9bfc1), both containers
healthy, Traefik route + LE cert OK, DNS resolves, superuser created and
auth-verified. Flip status to live in ARCHITECTURE 7.6, SERVICE_CATALOG,
MASTER_TODO and the stack README. Document the new host secret files
(secret_key, superuser_password = login password, webhook_secret) in
SECRETS_MAP. Remaining operator step: the Gitea->Komodo webhook.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Codex drills proved all six alert paths to the phone (send-ntfy, restore wrapper, freshness negative, Alertmanager->bridge->ntfy, docker-critical-watcher smoke, Borg pre-hook failure). Add a Kurzlog entry, note the send-ntfy exec-bit beleg-bug (6870ae5), and the one optional gap (Prometheus->AM leg via temp rule). Trim oldest entry to stay at max 5.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
run-restore-job-with-ntfy.sh execs send-ntfy.sh directly; without the exec bit the failure-alert path errored with Permission denied (found during Codex alert drill 2026-06-23). Set the exec bit in the repo to match the live fix.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
backend_net was recreated with --internal (Codex live): egress from postgresql17 blocked, all 12 members reattached, frontends and DB connections verified. Move the parked #17 item to the MASTER_TODO Kurzlog and confirm the live state in NETWORK_INVENTORY. No dawarich_egress needed (sidekiq makes no external connections).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Capture the audit egress analysis durably so the deferred maintenance window keeps the prep. backend_net -> internal:true is the only remaining P3 item; the single risk is dawarich_sidekiq (the only backend_net-only worker), all DB/cache and dual-homed containers are safe. If sidekiq needs egress, use a dedicated dawarich_egress net (immich_egress precedent).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Codex first live run passed (SUCCESS, 7 snapshots, single-file restore from .zfs/snapshot; report hetzner-snapshot-2026-06-23.md) with no ENV overrides. Set runbook status to active, document the run, and add the monthly cadence (15th, cron 0 6 15 * *) to schedule.md and the restore-tests README. Remaining host step: create the Unraid User Script restore-hetzner-snapshot-monthly.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add an Aktiv row for the remaining Codex/operator follow-ups (#19 snapshot-test validation, #12 default-bridge recreate, #14 drift redeploy, #15 immich path) and a Kurzlog entry summarizing the closed P1/P2 core (Vault /admin + Komodo de-publicized, snapshots proven, auth-matrix). Trim oldest Kurzlog entry to stay at max 5.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Make the off-site snapshot protection a repeatable, monitored proof (DECISIONS 2026-06-11/-23): a read-only restore-test that lists .zfs/snapshot on the Storage Box, checks retention and newest-snapshot age, and SFTP-fetches one small file from the newest snapshot (size + SHA256). Connection is derived from the borg-ui repo URL and runs via docker exec borg-ui; no secret in the script, no write access. Wired into the run-restore-checks.sh dispatcher; runbook documents the pending one-time live validation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Codex applied the ipallowlist middleware (Tailnet 100.64.0.0/10 + LAN 192.168.178.0/24) to the Komodo router live in the inline-managed self-stack; public now returns 403. Mirror the labels in ops/komodo/docker-compose.yml for parity (not auto-deployed), record the decision in docs/DECISIONS.md, and update docs/AUTH_MATRIX.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Consolidate effective access policy per public domain (Authelia bypass/two_factor, native exceptions, Tailscale-only, IP-allowlist) into a single reviewable matrix, surfacing the Authelia bypass list that previously lived only in the live config. Indexed in docs/README.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Audit 2026-06-23 (P1): /admin was publicly reachable (200). Add a higher-priority Traefik router scoped to PathPrefix(/admin) with an ipallowlist middleware (Tailnet 100.64.0.0/10 + LAN 192.168.178.0/24); the main router stays native for browser and mobile clients. Documented in docs/DECISIONS.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
dawarich_redis was the last redis instance still on 7-alpine; the
closed PR #10 kept it as an "Ignored or Blocked" entry in the Renovate
Dependency Dashboard (issue #6). Bump to the already-running
redis:8.8.0-alpine digest and add apps/dawarich to the renovate redis
8.x allowedVersions pin. Data path /mnt/user/appdata/dawarich/redis
unchanged; redis 8 loads the existing RDB snapshots.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Micha
renovate