Cron registered in /boot/config/plugins/user.scripts and live in
/etc/cron.d/root after update_cron. First scheduled run: Sun 05:00.
End-to-end smoke test on host: 6 warnings, 0 critical.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Catches the failure class that let immich_new slip through: stacks
without a configured repo, project_missing, hash drift, and repo
compose files without a matching Komodo stack. Dry-run on host found
6 honest warnings, 0 critical. Wrapper as Unraid User Script for
weekly cadence is tracked in MASTER_TODO.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
eth0 DNS server 2 = 192.168.178.1 (FRITZ!Box) is set as failover behind
AdGuard. Mark the komodo-bulk-deploy-dns runbook immediate measure as
implemented. Closes the AdGuard SPOF for Docker image pulls.
Ref: docs/homelab-optimierung.md recommendation 3a.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Daily snapshots at 05:30 UTC (after the 04:30 local Borg run), 7 days
retention, snapshot directory visible for single-file restore via
.zfs/snapshot/. Closes the ransomware/misuse gap left open by the
explicit decision against Borg append-only (2026-06-01).
Ref: docs/homelab-optimierung.md recommendation 2.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Codex CLI auto-reads AGENTS.md; file only points to AI_CONTEXT,
architecture master, workflow and the binding doc rules - no duplicated
content (one fact, one home).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- REPO_MAP.md: replace Arbeitsregel with 8 binding documentation rules
(one fact one home, done leaves the working copy, file types, header
convention, quarterly gardening)
- WORKFLOW.md Dokumentationspflicht and CLAUDE.md aligned to the rules
- docs/README.md index rebuilt for the consolidated state
- H drive docs merged into ops/h-drive-nearline/README.md (scheduled
task + no-MIR rule added); docs/H_DRIVE_NEARLINE_PULL.md removed
- implemented proposal archived to docs/archive/2026/
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- merge RESTORE_HANDBOOK.md into ops/restore-tests/README.md (single
operations doc; restore status lives only in RESTORE_MATRIX maturity
table)
- RESTORE_MATRIX.md: extract embedded runbook drafts (261 -> 141 lines);
unraid-flash and tailscale stubs become ops/restore-tests runbooks,
adguard/redis checklists superseded by validated scripts
- delete six historical pre-first-run *-plan.md files (runbook + script
are the source of truth since the validated first runs)
- SERVICES_RECOVERY: drop completed task table; DISASTER_RECOVERY:
point related docs and section 11 to MASTER_TODO/schedule
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- MASTER_TODO.md is now the only status list: parked decisions point to
DECISIONS.md, done log capped at 5 condensed entries
- delete AUDIT_2026-05-25_TODO.md (open items and parked decisions fully
covered by MASTER_TODO/DECISIONS)
- AI_CONTEXT.md: drop duplicated status block, keep rules and pointers
- EXTERNAL_DEPENDENCIES.md: condense review log to recent entries
- fix references in DR_WORKSTATION_SETUP, EXTERNAL_OPERATOR_RUNBOOK,
STORAGE_LAYOUT, REPO_MAP, docs/README
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Der komodo-Stack wird in Komodo inline (file_contents) verwaltet, nicht aus dem Repo deployed. Renovate-PRs darauf wirken zur Laufzeit nicht und erzeugen Git-Komodo-Scheinsicherheit. Daher: ops/komodo/** in ignorePaths, mongo-Digest auf den real laufenden Stand zurueckgesetzt, Inline-Ausnahme in docs/RENOVATE.md und im Compose-Header dokumentiert.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Bulk-Renovate-Merge loest parallele Komodo-Deploys aus; Image-Pulls scheitern mit DNS connection refused, weil AdGuard (einziger Host-Resolver) im selben Batch recreated wird. Runbook haelt Symptom, Ursache, Sofortmassnahme (Unraid DNS2) und Betriebsregel fest. Verweis in REPO_MAP ergaenzt.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Host gehaertet 2026-06-07: PermitRootLogin prohibit-password,
PasswordAuthentication no, KbdInteractiveAuthentication no; PubkeyAuthentication yes.
Persistenz upgrade-sicher via idempotentem /boot/config/ssh-harden.sh aus
/boot/config/go (sshd -t vor HUP-Reload, Syslog-Selbst-Verifikation).
Manueller Post-Upgrade-Check und Rollback dokumentiert.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Micha