Working-tree improvements to the audit scripts (authored locally, not by me;
reviewed for correctness + bash -n clean before commit):
- compose-runtime-drift: prefer `docker compose config` for the expected image
with a raw-parse fallback; raw parser now resolves YAML anchors (*alias) so
anchor-based composes (e.g. dawarich) no longer mis-report drift.
- komodo-stack-hygiene: treat an unreachable Komodo API as critical and exit 3
so the Healthchecks EXIT trap sends /fail (the monitor itself is down, not
"all green"); git fetch before hash-drift compare; clearer "cannot compare"
message; pin in-container km host to localhost:9120.
- cert-token-check: expand monitored cert domains to the full set incl.
hc.kaleschke.info.
- gitea-bundle-mirror: skip empty repos without refs instead of failing.
- unraid-user-scripts.md: document SEND_NTFY/NTFY_TOPIC for the daily report.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Same endpoint-agnostic ping via EXIT trap. These two jobs have no warning
level, so only rc==0 pings success, any non-zero pings /fail. gitea-bundle
edit is POSIX-sh clean (script is /bin/sh). Capability URLs from per-job host
secret files. bash -n verified.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
node-exporter runs as nobody:65534 inside its container and was
hitting node_textfile_scrape_error 1 on homelab.prom, because the
file was 0600 root:root (mktemp default). Set it to 0644 right
before the atomic mv. Bundle inhaltsidentisch zum Git-Repo, ohne
Secrets (.gitignore-abgedeckt) und nicht sensibler als die
uebrigen /mnt/user/backups/borg/dumps/latest/*.dump-Files, die
ebenfalls 0644 sind. So funktioniert auch der Nearline-Pull-Workflow
ueber SMB (docs/H_DRIVE_NEARLINE_PULL.md).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Micha