Compare commits
4 Commits
fc5807d2c6
...
9847baf327
| Author | SHA1 | Date | |
|---|---|---|---|
| 9847baf327 | |||
| c126b71852 | |||
| e89b88a513 | |||
| 8bb250220b |
@@ -35,14 +35,16 @@ services:
|
||||
image: ghcr.io/immich-app/immich-machine-learning:release@sha256:a2501141440f10516d329fdfba2c68082e19eb9ba6016c061ac80d23beadf7f3
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
# Workaround fuer gunicorn-25.1.0-Fork-Deadlock (Worker haengt in futex
|
||||
# nach "Control socket listening", erreicht nie "Application startup
|
||||
# complete"). mimalloc per LD_PRELOAD deaktiviert -> umgeht den Lock im
|
||||
# geforkten Worker. Reine Allocator-Optimierung, funktional unkritisch.
|
||||
# Upstream-Regression seit Immich 2.6 (immich#27228, #22317), kein
|
||||
# offizieller Fix. Re-check: bei Immich-/gunicorn-Update entfernen und
|
||||
# pruefen, ob der Worker wieder sauber bootet.
|
||||
LD_PRELOAD: ""
|
||||
# Workaround fuer gunicorn-25.1.0-Control-Socket-Bug: der Worker haengt
|
||||
# nach "Control socket listening at /usr/src/gunicorn.ctl" und erreicht
|
||||
# nie "Application startup complete" -> Container bleibt dauerhaft
|
||||
# unhealthy, ML (Gesichtserkennung/CLIP/Smart-Search) ist tot.
|
||||
# --no-control-socket deaktiviert das fehlerhafte Feature. immich-ml
|
||||
# startet gunicorn als Subprozess, der GUNICORN_CMD_ARGS aus der Env
|
||||
# liest und anhaengt. Bestaetigte Upstream-Regression seit Immich 2.6
|
||||
# (immich#27228, gunicorn#3510). Re-check: bei Immich-Update, das
|
||||
# gunicorn auf >25.1.0/<25.1.0 mit Fix bringt, wieder entfernen.
|
||||
GUNICORN_CMD_ARGS: "--no-control-socket"
|
||||
volumes:
|
||||
- model-cache:/cache
|
||||
networks:
|
||||
|
||||
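Review bot: The re-check condition at the end of the new comment, `gunicorn auf >25.1.0/<25.1.0 mit Fix`, is ambiguous, and nothing else in the hunk ties the workaround to a version. The image is referenced as `release@sha256:…`, so the bundled gunicorn can change with any digest bump. I would state the exit condition exactly, e.g. `# Re-check: remove once the image ships a gunicorn release that fixes gunicorn#3510`. Setting `GUNICORN_CMD_ARGS` under `environment:` also replaces any value the image defines for that variable; if it defines one (not visible here), those arguments are dropped, so confirm against the image's environment.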
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
mail-archiver:
|
||||
image: s1t5/mailarchiver@sha256:ea7fd8c2e3e0ef0941e8dd9e726e35a8de33296f5c7b9ed811df5168ae6a9714
|
||||
image: s1t5/mailarchiver@sha256:4ea7ecc47ad1dd2c523b85c3967574b61e39def1b6fd26edf874e21733c4018c
|
||||
container_name: mail-archiver
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
ntfy:
|
||||
image: binwiederhier/ntfy@sha256:b32b4221a64ec2e7c000f0782b2feef24022e1a09a24e531640f4cbba6cfa1e6
|
||||
image: binwiederhier/ntfy@sha256:f8a9b104313b87cc24ae4f775f39e6328205b57dff6ede3eaf098a91e5d79f59
|
||||
container_name: ntfy
|
||||
restart: unless-stopped
|
||||
dns:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
super-productivity:
|
||||
image: johannesjo/super-productivity:v18.8.0@sha256:c739caca8e0c5e83ea4a6289884079ac49e0c3c87c7f95598b5a9fb10cc2d9c4
|
||||
image: johannesjo/super-productivity:v18.9.1@sha256:773760107344e739f4c29409f7842db66a1b167d50eb2c40248cb5b5b328652e
|
||||
container_name: super-productivity
|
||||
restart: unless-stopped
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
adguard:
|
||||
image: adguard/adguardhome:v0.107.76@sha256:7157eb1dc3b26c7af1d6898759a7b3f7d0fa09891fbd2d3caa6abc1057a9179b
|
||||
image: adguard/adguardhome:v0.107.77@sha256:e6f2b8bcda06064ab055b44933a4f0e983c35558b9cdb8d2e7ab1efcee36d890
|
||||
container_name: adguard
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
|
||||
@@ -25,7 +25,7 @@ services:
|
||||
- cadvisor
|
||||
|
||||
alertmanager:
|
||||
image: prom/alertmanager:v0.32.1@sha256:51a825c2a40acc3e338fdd00d622e01ec090f72be2b3ea46be0839cd47a4d286
|
||||
image: prom/alertmanager:v0.32.2@sha256:b85533a2eb45865835315810315f6951331b2dbc8c93a6cf9a51e156a006a706
|
||||
container_name: monitoring-alertmanager
|
||||
restart: unless-stopped
|
||||
command:
|
||||
@@ -118,7 +118,7 @@ services:
|
||||
- loki
|
||||
|
||||
grafana:
|
||||
image: grafana/grafana:13.0.1@sha256:0f86bada30d65ef9d0183b90c1e2682ac92d53d95da8bed322b984ea78a4a73a
|
||||
image: grafana/grafana:13.0.2@sha256:5dad0df181cb644a14e13617b913b261a54f7d4fd4510721dba420929f35bea2
|
||||
container_name: monitoring-grafana
|
||||
user: "0"
|
||||
restart: unless-stopped
|
||||
@@ -337,7 +337,7 @@ services:
|
||||
- no-new-privileges:true
|
||||
|
||||
influxdb3-core:
|
||||
image: influxdb:3.9.2-core@sha256:31ad94df2248134989b2cf73d965e51dd5f35dfae22d7ed8f4776b12e6f69f4e
|
||||
image: influxdb:3.9.3-core@sha256:c27c9b2ca2625b5b6966f0b09baa448102310e63a471fd60dff22646a2522e29
|
||||
container_name: monitoring-influxdb3-core
|
||||
user: "0"
|
||||
restart: unless-stopped
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
borg-ui:
|
||||
image: ainullcode/borg-ui@sha256:b44c0a92b650d80f215a986dadda5c2604c61eb28a7571e19c046eff41d761e7
|
||||
image: ainullcode/borg-ui@sha256:0922157e8f77a1b2bd23cd09366a458ea6de07fd9306aa1485f9cfe623eca17f
|
||||
container_name: borg-ui
|
||||
restart: unless-stopped
|
||||
security_opt:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
code-server:
|
||||
image: lscr.io/linuxserver/code-server:4.122.0@sha256:0caf1b65ebec84b94397108b56da6c33f124c5390f5832da94e75f4609c0e2ad
|
||||
image: lscr.io/linuxserver/code-server:4.123.0@sha256:cb261a7f87674b445e0fd66d87d55900c1b823d276c727ab0d168a75e69e9992
|
||||
container_name: code-server
|
||||
restart: unless-stopped
|
||||
security_opt:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
filebrowser:
|
||||
image: filebrowser/filebrowser:v2.63.5@sha256:aefb0c20de10ef8b617995ca5522479ad40d41e6386bd01946a345c6026ff31c
|
||||
image: filebrowser/filebrowser:v2.63.14@sha256:1ec9b0c68297550c92f4a93feed432850c2993b261706cc3cc2e808f94a95e76
|
||||
container_name: filebrowser
|
||||
restart: unless-stopped
|
||||
security_opt:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
FROM nousresearch/hermes-agent:v2026.5.29
|
||||
FROM nousresearch/hermes-agent:v2026.6.5
|
||||
|
||||
USER root
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
scrutiny:
|
||||
image: ghcr.io/starosdev/scrutiny:latest-omnibus@sha256:41c5faefb96766d27d58a829fa19b3f4f27da4160926de3255cf142a85a90c12
|
||||
image: ghcr.io/starosdev/scrutiny:latest-omnibus@sha256:228483f16a6236d2fa9b2fbfca2e76dc861e648fbc6ae6e680d23e5d00211a5d
|
||||
container_name: scrutiny
|
||||
restart: unless-stopped
|
||||
privileged: true
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
speedtest-tracker:
|
||||
image: lscr.io/linuxserver/speedtest-tracker:1.14.3@sha256:79c00631575dec6d91c10ed904c211224f00813013a305c2284324e195a538bb
|
||||
image: lscr.io/linuxserver/speedtest-tracker:1.14.3@sha256:c3750c40948a9360000ce62d694da92e85584b4ab6d3d9a9d1432d76fa5e0726
|
||||
container_name: speedtest-tracker
|
||||
restart: unless-stopped
|
||||
security_opt:
|
||||
|
||||
@@ -38,6 +38,19 @@
|
||||
"automerge": false,
|
||||
"labels": ["dependencies", "minor-patch"]
|
||||
},
|
||||
{
|
||||
"description": "Kritische Kerninfra (Traefik=Public-Entrypoint, Unbound=DNS, n8n, Nextcloud): nicht im Sammel-PR, eigene einzeln reviewbare PRs, kein Auto-Merge",
|
||||
"matchManagers": ["docker-compose", "dockerfile"],
|
||||
"matchPackageNames": [
|
||||
"traefik",
|
||||
"shaanmajid/unbound",
|
||||
"docker.n8n.io/n8nio/n8n",
|
||||
"nextcloud"
|
||||
],
|
||||
"groupName": null,
|
||||
"automerge": false,
|
||||
"labels": ["dependencies", "core-critical"]
|
||||
},
|
||||
{
|
||||
"description": "Stateful Tier-1 (Postgres, Mongo, Redis): keine Auto-Group, einzelne PRs, kein Auto-Merge",
|
||||
"matchPackageNames": [
|
||||
|
||||
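Review bot: `matchPackageNames` in the added rule lists the image names literally, so an image referenced under another spelling (for example with a registry prefix such as `docker.io/library/traefik`) would not match and would stay in the grouped PR. It is worth checking the four names against the compose files and Dockerfiles. Renovate applies `packageRules` in order and later rules win, so `"groupName": null` only holds if no rule further down sets a group for these packages again. The rest of the array is outside the hunk, so this could not be verified here.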
@@ -29,6 +29,7 @@ TRAEFIK_ACME_PATH="${TRAEFIK_ACME_PATH:-/mnt/user/appdata/traefik/letsencrypt/ac
|
||||
NOISE_PATTERNS_FILE="${NOISE_PATTERNS_FILE:-/mnt/user/services/homelab-infra/services/posture-check/log-noise.patterns}"
|
||||
NORMALIZE_NOISE_SCRIPT="${NORMALIZE_NOISE_SCRIPT:-/mnt/user/services/homelab-infra/services/posture-check/lib/normalize-noise-patterns.sh}"
|
||||
NOISE_ESCALATION_THRESHOLD="${NOISE_ESCALATION_THRESHOLD:-500}"
|
||||
NOISE_ESCALATION_EXEMPT_FILE="${NOISE_ESCALATION_EXEMPT_FILE:-/mnt/user/services/homelab-infra/services/posture-check/noise-escalation-exempt.patterns}"
|
||||
NOISE_BREAKDOWN_TOP_N="${NOISE_BREAKDOWN_TOP_N:-10}"
|
||||
POSTURE_CHECK_FILE="${POSTURE_CHECK_FILE:-/mnt/user/services/posture-check/last.json}"
|
||||
LOCK_FILE="${LOCK_FILE:-/tmp/homelab-daily-report.lock}"
|
||||
@@ -880,12 +881,35 @@ collect_log_highlights() {
|
||||
fi
|
||||
fi
|
||||
|
||||
# Threshold escalation: how many patterns produced more than the threshold?
|
||||
local noise_threshold_exceeded=0
|
||||
# Escalation-exempt patterns: known noise that is also permanently very loud
|
||||
# (e.g. Unraid mdadm parse spam). Without this, such a pattern would keep the
|
||||
# report stuck at >= WARNUNG forever and devalue the OK/WARNUNG/KRITISCH
|
||||
# signal. Exempt patterns are still counted/shown as noise, but do NOT count
|
||||
# toward noise_threshold_exceeded. New/unexpected loud patterns still escalate.
|
||||
local noise_exempt="$TMP_DIR/noise-escalation-exempt.normalized"
|
||||
: > "$noise_exempt"
|
||||
if [ -f "$NOISE_ESCALATION_EXEMPT_FILE" ]; then
|
||||
grep -Ev '^[[:space:]]*(#|$)' "$NOISE_ESCALATION_EXEMPT_FILE" 2>/dev/null \
|
||||
| sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
|
||||
| grep -v '^$' > "$noise_exempt" || : > "$noise_exempt"
|
||||
fi
|
||||
|
||||
# Threshold escalation: how many NON-exempt patterns exceeded the threshold?
|
||||
local noise_threshold_exceeded=0 noise_threshold_exempt=0
|
||||
if [ -s "$noise_by_pattern" ]; then
|
||||
noise_threshold_exceeded="$(awk -v t="$NOISE_ESCALATION_THRESHOLD" '$1 > t { n++ } END { print n + 0 }' "$noise_by_pattern")"
|
||||
noise_threshold_exceeded="$(awk -F '\t' -v t="$NOISE_ESCALATION_THRESHOLD" '
|
||||
NR == FNR { exempt[$0] = 1; next }
|
||||
$1 > t && !($2 in exempt) { n++ }
|
||||
END { print n + 0 }
|
||||
' "$noise_exempt" "$noise_by_pattern")"
|
||||
noise_threshold_exempt="$(awk -F '\t' -v t="$NOISE_ESCALATION_THRESHOLD" '
|
||||
NR == FNR { exempt[$0] = 1; next }
|
||||
$1 > t && ($2 in exempt) { n++ }
|
||||
END { print n + 0 }
|
||||
' "$noise_exempt" "$noise_by_pattern")"
|
||||
fi
|
||||
set_summary "noise_threshold_exceeded" "$noise_threshold_exceeded"
|
||||
set_summary "noise_threshold_exempt" "$noise_threshold_exempt"
|
||||
|
||||
local hit_count attention_count known_noise_count
|
||||
hit_count="$(count_lines < "$hits")"
|
||||
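Review bot: Both awk programs in this hunk select the exempt list with `NR == FNR`, which is also true for every line of `$noise_by_pattern` whenever `$noise_exempt` is empty, so all patterns land in `exempt` and both counters end at 0. That is the state after `: > "$noise_exempt"` when `$NOISE_ESCALATION_EXEMPT_FILE` is missing or holds only comments, so a missing exempt file silently turns the threshold WARNUNG off. Keying on the file avoids this: `FILENAME == ARGV[1] { exempt[$0] = 1; next }` in both programs. The table code in the `-955,22` hunk uses `grep -Fxq` behind `[ -s "$noise_exempt" ]` and is not affected, so table and Bewertung would disagree in that case. `collect_log_highlights` starts and ends outside the hunk.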
@@ -906,6 +930,9 @@ collect_log_highlights() {
|
||||
if [ "$noise_threshold_exceeded" -gt 0 ]; then
|
||||
append "- WARNUNG: $noise_threshold_exceeded Pattern ueberschreit(en) die Schwelle - bitte pruefen ob noch wirklich Noise."
|
||||
fi
|
||||
if [ "${noise_threshold_exempt:-0}" -gt 0 ]; then
|
||||
append "- Hinweis: $noise_threshold_exempt laute(s) Pattern ist/sind als bewusst eskalations-befreit markiert (siehe \`$NOISE_ESCALATION_EXEMPT_FILE\`) und loesen keine WARNUNG aus."
|
||||
fi
|
||||
append ""
|
||||
|
||||
if [ "$attention_count" -eq 0 ]; then
|
||||
@@ -955,22 +982,32 @@ collect_log_highlights() {
|
||||
if [ -s "$noise_by_pattern" ]; then
|
||||
append "#### Pattern mit den meisten Treffern"
|
||||
append ""
|
||||
append "| Pattern | Anzahl |"
|
||||
append "|---|---:|"
|
||||
append "| Pattern | Anzahl | Hinweis |"
|
||||
append "|---|---:|---|"
|
||||
head -n "$NOISE_BREAKDOWN_TOP_N" "$noise_by_pattern" \
|
||||
| while IFS="$(printf '\t')" read -r cnt pat; do
|
||||
local short="$pat"
|
||||
local short="$pat" note=""
|
||||
# Mark patterns that are deliberately exempt from escalation.
|
||||
if [ -s "$noise_exempt" ] && grep -Fxq -- "$pat" "$noise_exempt"; then
|
||||
if [ "$cnt" -gt "$NOISE_ESCALATION_THRESHOLD" ]; then
|
||||
note="eskalations-befreit"
|
||||
fi
|
||||
elif [ "$cnt" -gt "$NOISE_ESCALATION_THRESHOLD" ]; then
|
||||
note="ueber Schwelle"
|
||||
fi
|
||||
if [ "${#short}" -gt 80 ]; then
|
||||
short="${short:0:77}..."
|
||||
fi
|
||||
# Escape pipe characters that would break the markdown table.
|
||||
short="${short//|/\\|}"
|
||||
append "| \`$short\` | $cnt |"
|
||||
append "| \`$short\` | $cnt | $note |"
|
||||
done
|
||||
append ""
|
||||
fi
|
||||
if [ "$noise_threshold_exceeded" -gt 0 ]; then
|
||||
append "Bewertung: $noise_threshold_exceeded Pattern ueberschreit(en) die Eskalations-Schwelle ($NOISE_ESCALATION_THRESHOLD). Bitte pruefen, ob die als Noise eingeordneten Meldungen noch fachlich Noise sind oder ob sich ein echter Vorfall darunter versteckt."
|
||||
append "Bewertung: $noise_threshold_exceeded nicht-befreite(s) Pattern ueberschreit(en) die Eskalations-Schwelle ($NOISE_ESCALATION_THRESHOLD). Bitte pruefen, ob die als Noise eingeordneten Meldungen noch fachlich Noise sind oder ob sich ein echter Vorfall darunter versteckt."
|
||||
elif [ "${noise_threshold_exempt:-0}" -gt 0 ]; then
|
||||
append "Bewertung: Kein nicht-befreites Pattern ueberschreitet die Eskalations-Schwelle ($NOISE_ESCALATION_THRESHOLD). $noise_threshold_exempt lautes Pattern ist bewusst eskalations-befreit und mit Begruendung dokumentiert."
|
||||
else
|
||||
append "Bewertung: Kein Pattern ueberschreitet die Eskalations-Schwelle ($NOISE_ESCALATION_THRESHOLD)."
|
||||
fi
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
# noise-escalation-exempt.patterns - Daily Operations Report
|
||||
#
|
||||
# Pattern, die als Rauschen bekannt UND dauerhaft sehr laut sind, sollen die
|
||||
# Eskalations-Schwelle (NOISE_ESCALATION_THRESHOLD) nicht in eine WARNUNG
|
||||
# uebersetzen. Ohne diese Ausnahme haengt der Report-Status strukturell auf
|
||||
# >= WARNUNG fest (z. B. mdadm-Noise auf Unraid feuert dauerhaft > 5000/Tag),
|
||||
# was die OK/WARNUNG/KRITISCH-Ampel entwertet.
|
||||
#
|
||||
# Wirkung: Ein hier gelistetes Pattern wird weiterhin als Noise gezaehlt und
|
||||
# in der Breakdown-Tabelle gezeigt (mit Markierung "eskalations-befreit"),
|
||||
# zaehlt aber NICHT mehr zu noise_threshold_exceeded. Neue/unerwartete laute
|
||||
# Patterns loesen weiterhin eine WARNUNG aus.
|
||||
#
|
||||
# Format:
|
||||
# - Exakte Pattern-Zeile wie in log-noise.patterns (nach Normalisierung:
|
||||
# getrimmt, ohne Kommentar). Muss zeichengenau dem Eintrag entsprechen.
|
||||
# - Zeilen mit '#' sind Kommentare, Leerzeilen werden ignoriert.
|
||||
#
|
||||
# Eine Befreiung heisst NICHT "ignorieren", sondern "Volumen ist als Noise
|
||||
# akzeptiert; nur die ESKALATION ist abgeschaltet".
|
||||
#
|
||||
# Last reviewed: 2026-06-10
|
||||
|
||||
# node-exporter kann /proc/mdstat auf Unraid nicht parsen (eigener Array-
|
||||
# Treiber, kein Linux-mdadm). Dauerhaft > 5000/Tag, rein kosmetisch.
|
||||
# Re-check: nur bei Migration auf echtes mdadm-RAID.
|
||||
monitoring-node-exporter.*mdadm.*Cannot parse /host/proc/mdstat
|
||||
|
||||
# Fritz!Box sendet RFC-1035-widrige Multi-Question-SOA-Queries fuer
|
||||
# myfritz.net/myfritz.link; AdGuard lehnt sie ab. ~1000+/Tag, kein Impact.
|
||||
# Re-check: falls derselbe Fehler fuer Nicht-AVM-Domains auftaucht.
|
||||
adguard.*bad question section.*only 1 question allowed
|
||||
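Review bot: Exempting `adguard.*bad question section.*only 1 question allowed` keeps the count in the breakdown table but removes the escalation, so a jump in volume from a different source would no longer change the report status. The stated re-check trigger (the same error for non-AVM domains) is exactly the case that then goes unnoticed unless someone reads the raw logs. The entry has to match the `log-noise.patterns` line character for character, so it cannot be narrowed to the Fritz!Box source here. Consider a second, much higher ceiling for exempt patterns in the report script, or add to this comment how the non-AVM case is meant to be detected. The same applies, with less risk, to the mdadm entry.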