chore(deps): update postgres:18.4 docker digest to 65f70a1

2026-06-11 10:20:32 +00:00
102 changed files with 1029 additions and 6785 deletions
@@ -6,8 +6,7 @@
 !**/stack.env.example
 # Secrets and certificate material
-**/secrets/*
+**/secrets/
 !**/secrets/*.example
 **/letsencrypt/
 **/acme.json
 **/*.key
@@ -1,20 +0,0 @@
 # Agent Context - Homelab Infra
 Typ: Einstieg/Index · Stand: 2026-06-11 · Status: aktiv
 Einstiegspunkt fuer KI-Agenten (Codex, Gemini u. a.; Claude nutzt zusaetzlich
 `CLAUDE.md`). Kein eigener Inhalt - nur Pflichtpfade.
 ## Vor jeder Arbeit lesen
 1. `docs/AI_CONTEXT.md` - Systembild, harte Regeln, Ausnahmen-Kurzliste
 2. `HOMELAB_ARCHITECTURE_MASTER_V2.md` - Architektur-Zielbild
 3. `docs/WORKFLOW.md` - verbindlicher GitOps-/No-Drift-Ablauf
 4. die betroffene `docker-compose.yml` bzw. das betroffene Runbook (Index: `docs/README.md`)
 ## Nicht verhandelbar
 - Keine Secret-Werte lesen, zitieren oder schreiben - nur Namen und Pfade.
 - Keine Deployments, Host-Hotfixes oder Docker-Schreibbefehle ohne ausdrueckliche Anweisung.
 - Doku-Regeln aus `docs/REPO_MAP.md` einhalten: ein Fakt, ein Zuhause. Status nur in `docs/MASTER_TODO.md`, Entscheidungen nur in `docs/DECISIONS.md`.
 - Bei Drift oder zwei fehlgeschlagenen Reparaturversuchen: stoppen, `docs/GITOPS_DRIFT_RUNBOOK.md`.
@@ -3,7 +3,7 @@
 > **Single Source of Truth** für Docker-Netzwerkarchitektur, Sicherheitsregeln, Zielbild und Migration des Kallilabcore-Homelabs.
 > **Arbeitsregel für KI-Assistenten:** Dieses Dokument immer zuerst lesen, bevor Fragen zu Containern, Netzwerken, Traefik, Tailscale, Migration oder Security beantwortet werden.
-**Stand:** 2026-06-13 | **Aktueller Schwerpunkt:** Home Assistant Tibber / Energie-Kosten
+**Stand:** 2026-06-11 | **Aktueller Schwerpunkt:** GitOps / Doku-Synchronisierung / Reproduzierbare Deployments
 ---
@@ -88,13 +88,11 @@ Jeder produktive Container nutzt `restart: unless-stopped`, außer eine Ausnahme
 | `backend_net` | bridge, `internal: true` | interne App-/DB-/Cache-Kommunikation | Standard |
 | `dns_net` | bridge | Resolver-Schicht: AdGuard Home + Unbound | bleibt |
 | `mealie_internal` | bridge, `internal: true` | internes Netz nur für `mealie` + `mealie-postgres` | ✅ umgesetzt |
-| `immich_default` | Compose-intern, `internal: true` | internes Immich-Netz (Server, Postgres, Redis, ML) | ✅ umgesetzt |
+| `immich_default` | Compose-intern, `internal: true` | internes Immich-Netz | ✅ umgesetzt |
 | `immich_egress` | Compose-intern, bridge (nicht `internal`) | Outbound-only fuer `immich_machine_learning` (Modell-Download huggingface) | ✅ umgesetzt |
 | `nextcloud_internal` | bridge, `internal: true` | internes Netz nur fuer `nextcloud` + `nextcloud-postgres` + `nextcloud-redis` | ✅ vorbereitet |
 | `monitoring_net` | Compose-intern, bridge | zentraler Observability-Stack fuer Prometheus, Loki, Grafana, Promtail, Exporter und InfluxDB | Zielzustand |
 | `monitoring_influx_lan` | Compose-intern, bridge | nicht-oeffentliches Zusatznetz nur fuer Docker Host-Port-Publishing von InfluxDB 8181 | Zielzustand |
 | `glance_socket_net` | Compose-intern, `internal: true` | interner Zugriff von Glance auf den Docker-Socket-Proxy | umgesetzt |
 | `smarthome_net` | bridge, `internal: true` | interne Smart-Home-Kommunikation zwischen Home Assistant, Mosquitto, spaeter Zigbee2MQTT/ESPHome | vorbereitet |
 | `host` | host | nur für echte Sonderfälle | begründet |
 ### 3.2 Finales Diagramm (vereinfacht)
@@ -125,8 +123,7 @@ App-interne Netze
 ├── immich_default (internal: true) ✅
 ├── nextcloud_internal (internal: true) ✅
 ├── monitoring_net (zentraler Observability-Stack)
-├── monitoring_influx_lan (Bridge fuer LAN-Port-Publishing, keine Traefik-Route)
+└── monitoring_influx_lan (Bridge fuer LAN-Port-Publishing, keine Traefik-Route)
 └── smarthome_net (HA, Mosquitto, spaeter Zigbee2MQTT/ESPHome)
 Host-Sonderfälle
 ├── tailscale
@@ -149,7 +146,6 @@ Diese Dienste sind über echte `*.kaleschke.info`-Domains erreichbar:
 - `immich_server` — immich.kaleschke.info
 - `nextcloud` — cloud.kaleschke.info
 - `plex` — plex.kaleschke.info (Traefik, native Plex-Auth; Plex Remote Access/Port 32400 bleibt aus)
 - `homeassistant` — home.kaleschke.info (Traefik, native Home-Assistant-Auth)
 ### 4.2 Nicht öffentlich / nur Tailscale oder Traefik + Middleware
 Diese Dienste sind **keine Public Apps**:
@@ -265,7 +261,6 @@ Legende Status:
 | `immich_redis` | ⏳ | `immich_default` | intern | intern-only | anonymes Volume → named volume |
 | `nextcloud-postgres` | ✅ | `nextcloud_internal` | intern | app-eigene Nextcloud-Datenbank mit `_FILE`-Secret | — |
 | `nextcloud-redis` | ✅ | `nextcloud_internal` | intern | app-eigener Cache fuer File Locking / Sessions | — |
 | `smarthome-mosquitto` | ✅ | `smarthome_net` | intern `1883`, kein Host-Port in Phase 1 | MQTT-Datenbus fuer Home Assistant, spaeter ESPHome und Zigbee2MQTT; Passwortdatei und ACLs in `/mnt/user/appdata/mosquitto/config`; MQTT-Smoke und HA-MQTT-Integration am 2026-06-13 erfolgreich | LAN-Port erst in ESPHome-Phase mit ACLs/per-Device-Usern |
 ### 7.4 Produktive Apps
@@ -277,9 +272,8 @@ Legende Status:
 | `ntfy` | ✅ | `frontend_net` | Traefik | aktiv via `ntfy.kaleschke.info`, Git-Stack | — |
 | `gitea` | ✅ | `frontend_net` | Traefik + SSH-Port 222 | Web via Traefik, SSH direkt gebunden | — |
 | `immich_server` | ✅ | `immich_default`, `frontend_net` | Traefik | aktiv via `immich.kaleschke.info` | — |
-| `immich_machine_learning` | ✅ | `immich_default`, `immich_egress` | intern (keine Traefik-Route) | `immich_default` fuer Server-Erreichbarkeit + dediziertes `immich_egress` (nicht-internal) fuer einmaligen Modell-Download (CLIP/buffalo_l) nach `model-cache`; bewusst nicht `frontend_net`, da unauth. ML-API | — |
+| `immich_machine_learning` | ✅ | `immich_default` | intern | bleibt intern | — |
 | `nextcloud` | ✅ | `frontend_net`, `nextcloud_internal` | Traefik | aktiv via `cloud.kaleschke.info`, nativer Nextcloud-Login, WebDAV/CardDAV faehig | CalDAV/CardDAV-Redirect via Traefik-Labels |
 | `homeassistant` | ✅ | `frontend_net`, `smarthome_net` | Traefik via `home.kaleschke.info`, native HA-Auth | Home Assistant Container im GitOps-Stack `smart-home/`; kein HAOS, kein Supervised; Fach-YAML kommt aus `smart-home-kalli`, `.storage` bleibt in `/mnt/user/appdata/homeassistant`; Komodo-Stack und Gitea-Webhook aktiv; HA-native Backup-Erzeugung, Restore-Probe, HA-MQTT-Integration, SolarEdge Local und Energy Dashboard am 2026-06-13 erfolgreich | Tibber, Energie-Kosten, spaeter Energie-Automationen |
 | `plex` | ✅ | `host` | Traefik via `plex.kaleschke.info` + Plex native Auth; LAN direkt `:32400` | Compose-Stack unter `host-services/plex/`; Host-Netz bleibt fuer Discovery / Plex GDM dokumentierte Ausnahme; Traefik routet per File-Provider-Ausnahme auf `http://192.168.178.58:32400`, weil Docker-Labels Host-Netz-Container aus Traefik heraus auf `127.0.0.1` routen wuerden; kein direkter WAN-Port 32400 und Plex Remote Access bleibt aus; Server geclaimt von `Xeridos`; Smart-TVs (Schlafzimmer, Wohnzimmer) ueber WLAN-LAN per mDNS | — |
 | `super-productivity` | ✅ vorbereitet | `frontend_net` | Traefik + Middleware | Persoenliche Task-PWA des Operators; Issues kommen aus Gitea `Micha/mails` via n8n-Mail-Workflow | Deploy + Webhook + DNS-Eintrag offen |
 | `n8n` | ✅ vorbereitet | `frontend_net` | Traefik, native Auth (keine pauschale Authelia) | Workflow-Automation; erster Workflow: GMX-Mail -> OpenAI-Extraktion -> Gitea-Issue in `Micha/mails`; `N8N_ENCRYPTION_KEY` ist Stack-ENV-Pflichtsecret | Deploy + Webhook + Owner-Setup offen |
@@ -395,13 +389,10 @@ Die Blockmigration aus der Portainer-/Dockerman-Phase ist abgeschlossen: Traefik
 | `mail-archiver` | `frontend_net` + `backend_net` | braucht Internetzugang für IMAP-Abruf (GMX, Gmail) und DB-Zugang |
 | `traefik/dynamic/*` | manueller Host-Sync trotz GitOps | File-Provider bleibt bewusst fuer `middlewares.yml`, `tls.yml` und `dashboards.yml`; Komodo deployed diese Dateien nicht automatisch |
 | `nextcloud` | keine zentrale ForwardAuth-Middleware | Nextcloud bringt eigene Auth, Clients und WebDAV/CardDAV-Endpunkte mit; Traefik bleibt Reverse Proxy, Auth bleibt app-nativ |
-| `monitoring-influxdb3-core` | Host-Port 8181 auf LAN-IP; `user: "0"` | Home Assistant schreibt spaeter Langzeitdaten. Nach der HA-Container-Entscheidung muss der Writer-Pfad in der Influx-Phase explizit gewaehlt werden: entweder LAN-Bind via `INFLUXDB_BIND_IP` oder gezieltes gemeinsames internes Netz. Keine Traefik-Route, Zugriff nur ueber Token; InfluxDB 3 Core benoetigt im aktuellen Container-Setup Root-Rechte fuer den lokalen Object-Store-Pfad im named volume |
+| `monitoring-influxdb3-core` | Host-Port 8181 auf LAN-IP; `user: "0"` | Home Assistant laeuft in einer VM ausserhalb des Compose-Netzes und muss Metriken schreiben koennen; keine Traefik-Route, kein `frontend_net`, Zugriff nur ueber Token und LAN-IP `INFLUXDB_BIND_IP`; InfluxDB 3 Core benoetigt im aktuellen Container-Setup Root-Rechte fuer den lokalen Object-Store-Pfad im named volume |
 | `monitoring-promtail` | Docker-Socket read-only | Docker-Log-Discovery fuer Loki; keine Schreibrechte, keine Appdaten-Persistenz ueber den Socket |
 | `n8n` | keine pauschale Authelia-Middleware | Webhook-Endpunkte (`/webhook/*`, `/webhook-test/*`) muessen ohne ForwardAuth erreichbar bleiben; n8n bringt eigene Owner-/Login-Auth mit (analog Komodo/Nextcloud) |
 | `plex` | Traefik ohne Authelia, File-Provider-Ausnahme trotz Host-Netz | Plex bringt native Konto-/Client-Auth mit; vorgeschaltete ForwardAuth wuerde Plex Web, Apps und Client-Flows stoeren. Docker-Labels sind fuer diesen Host-Netz-Container ungeeignet, weil Traefik sonst `127.0.0.1:32400` nutzt; daher `traefik/dynamic/plex.yml` mit Ziel `192.168.178.58:32400`. Route nur ueber Traefik/443 (`plex.kaleschke.info`), direkter Plex-WAN-Port 32400 und Plex Remote Access bleiben deaktiviert. |
 | `homeassistant` | Traefik ohne Authelia, Fach-YAML aus separatem Repo | Home Assistant bringt eigene Auth, mobile Apps, Webhooks und Integrationsfluesse mit. Der Container haengt in `frontend_net` fuer Traefik und in `smarthome_net` fuer MQTT/Zigbee2MQTT/ESPHome. `.storage` und Secrets bleiben in Appdata und werden per Borg gesichert, nicht versioniert. |
 | `homeassistant` (Ecowitt) | LAN-only Host-Port `8123` auf `192.168.178.58` | Ecowitt-GW3000 kann kein HTTPS und pusht per HTTP an den HA-Webhook. HA bekommt einen Host-Bind nur auf der LAN-IP (`192.168.178.58:8123:8123`, nicht `0.0.0.0`/WAN), analog InfluxDB 8181. Kein Traefik-Umbau des globalen HTTP-Redirects noetig, da Ecowitt rein im LAN pusht. Webhook nicht `local_only`, geschuetzt durch 128-bit-Zufalls-ID. Siehe `docs/DECISIONS.md` (2026-06-13). |
 | `homeassistant` (SolarEdge Local) | HACS/Custom-Integration `solaredge_modbus_multi` | Lokaler SolarEdge-Zugriff laeuft ueber Modbus TCP `192.168.178.111:1502`, Device-ID `1`. Das ist bewusst lokal statt Cloud-API, weil kein SolarEdge-API-Key verfuegbar ist und der Wechselrichter Modbus-Daten fuer Inverter, Smart Meter und Batterie liefert. Custom-Integration-Warnungen bei HA-Core-Upgrades beachten. |
 ---
@@ -1,13 +0,0 @@
 COMPOSE_PROJECT_NAME=dawarich
 TZ=Europe/Berlin
 DAWARICH_HOST=dawarich.kaleschke.info
 APPLICATION_HOSTS=dawarich.kaleschke.info,dawarich_app,localhost,127.0.0.1,::1
 POSTGRES_USER=dawarich
 POSTGRES_DB=dawarich_production
 GRAFANA_DB_USER=dawarich_grafana_ro
 METRICS_USERNAME=prometheus
 BACKGROUND_PROCESSING_CONCURRENCY=5
 RAILS_MAX_THREADS=10
@@ -1,151 +0,0 @@
 # Dawarich Stack
 Produktionsvorlage fuer Dawarich im KalliLab-Homelab mit GitOps ueber Gitea und Komodo.
 ## Gepruefter Stand
 - Dawarich Release: `1.8.1` (GitHub latest am 2026-06-11)
 - Docker Image: `freikin/dawarich:1.8.1`
 - Hinweis: `freika/dawarich` existiert auf Docker Hub nicht; das offizielle Image aus dem Upstream-Compose ist `freikin/dawarich`.
 - Dawarich Tracking-Endpoint fuer OwnTracks: `/api/v1/owntracks/points?api_key=<api-key>`
 - Dawarich Prometheus ab 1.7.7: Web-Service `/metrics`; Port `9394` ist intern fuer Sidekiq-Metriken.
 Quellen:
 - https://github.com/Freika/dawarich/releases/tag/1.8.1
 - https://dawarich.app/docs/getting-started/track-your-location/
 - https://dawarich.app/docs/self-hosting/monitoring/prometheus/
 ## Dateien
 ```text
 apps/dawarich/
 |-- docker-compose.yml
 |-- .env.example
 |-- prometheus-scrape.snippet.yml
 |-- homeassistant-dawarich.example.yaml
 |-- grafana/
 |   |-- datasource-dawarich.yml
 |   `-- dashboard-dawarich.json
 |-- postgres/initdb/20-grafana-readonly.sh
 `-- secrets/*.txt.example
 ```
 ## Setup-Reihenfolge
 1. Stack-Verzeichnis nach Komodo/Gitea uebernehmen: `apps/dawarich`.
 2. `.env.example` als nicht versionierte Stack-`.env` oder Komodo Stack Environment anlegen.
 3. Secret-Dateien auf dem Unraid-Host erstellen:
 ```bash
 install -d -m 700 /mnt/user/appdata/secrets
 openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_postgres_password.txt
 openssl rand -base64 48 | tr -dc 'A-Za-z0-9._~-' | head -c 48 > /mnt/user/appdata/secrets/dawarich_redis_password.txt
 openssl rand -hex 64 > /mnt/user/appdata/secrets/dawarich_secret_key_base.txt
 openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_metrics_password.txt
 openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt
 chmod 600 /mnt/user/appdata/secrets/dawarich_*.txt
 ```
 4. Bind-Volume-Zielpfade vor dem ersten Deploy anlegen:
 ```bash
 install -d -m 750 \
  /mnt/user/appdata/dawarich/postgres17 \
  /mnt/user/appdata/dawarich/redis \
  /mnt/user/appdata/dawarich/shared \
  /mnt/user/appdata/dawarich/public \
  /mnt/user/appdata/dawarich/watched \
  /mnt/user/appdata/dawarich/storage
 ```
 5. In Komodo als Compose-Stack deployen. `frontend_net` und `backend_net` muessen bereits existieren.
 6. Ersten Login in Dawarich durchfuehren und den API-Key im Account-Bereich erzeugen.
 7. Home Assistant `homeassistant-dawarich.example.yaml` in das Smart-Home-Fachrepo uebernehmen und `device_tracker.your_phone` ersetzen.
 ## Traefik und Authelia
 Die UI liegt auf `https://dawarich.kaleschke.info` und nutzt `authelia@file,secure-headers@file`.
 Der Healthcheck, die Mobile-App-API-Routen (`/api/v1/settings`, `/api/v1/points`, `/api/v1/tracks`, `/api/v1/tracks/<id>/points`) und die Tracking-API-Routen fuer OwnTracks, Overland und Traccar sind separat und priorisiert ohne Authelia geroutet, weil Mobile Clients per Dawarich-API-Key authentifizieren und keine Browser-ForwardAuth-Challenge verarbeiten koennen.
 ## Prometheus
 `prometheus-scrape.snippet.yml` ist die dienstnahe Referenz. Produktiv ist der Job bereits in `monitoring/prometheus/prometheus.yml` eingetragen.
 Der Monitoring-Stack ist dafuer bereits vorbereitet:
 - `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` ist in Dawarich und Prometheus eingebunden.
 Nicht `dawarich_app:9394` scrapen: das ist nach aktueller Dawarich-Doku veraltet. Der Web-Service aggregiert App- und Sidekiq-Metriken unter `/metrics`. Im KalliLab scrapt Prometheus intern `http://dawarich_app:3000/metrics` ueber `backend_net` und setzt `X-Forwarded-Proto: https`, damit Dawarich mit `APPLICATION_PROTOCOL=https` keinen HTTPS-Redirect erzeugt.
 ## Grafana
 Der Read-only-User `dawarich_grafana_ro` wird beim ersten DB-Init durch `postgres/initdb/20-grafana-readonly.sh` angelegt.
 Bei einer bereits initialisierten DB das Script einmal manuell im DB-Container ausfuehren:
 ```bash
 docker exec dawarich_db /docker-entrypoint-initdb.d/20-grafana-readonly.sh
 ```
 Die produktive Provisionierung ist bereits in den vorhandenen Monitoring-Stack integriert:
 - Datasource: `monitoring/grafana/provisioning/datasources/dawarich.yml`
 - Dashboard: `monitoring/grafana/dashboards/dawarich.json`
 - Grafana haengt an `backend_net`, damit `dawarich_db:5432` erreichbar ist.
 - `DAWARICH_GRAFANA_RO_PASSWORD` wird beim Grafana-Start aus `/mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt` exportiert.
 ## Home Assistant
 Dawarich akzeptiert OwnTracks-kompatible Location-Punkte per:
 ```text
 https://dawarich.kaleschke.info/api/v1/owntracks/points?api_key=<dawarich-api-key>
 ```
 `homeassistant-dawarich.example.yaml` enthaelt:
 - `rest_command.dawarich_push_owntracks`
 - Automation fuer `device_tracker`-State-Changes
 - API-Key aus HA `secrets.yaml` als `dawarich_api_key`
 Alternativ existiert eine HACS-Integration `dawarich-home-assistant`; die YAML-Variante hier bleibt absichtlich transparent und GitOps-lesbar.
 ## Backup mit Borg
 Borg-relevante Daten liegen unter:
 ```text
 /mnt/user/appdata/dawarich/postgres17
 /mnt/user/appdata/dawarich/redis
 /mnt/user/appdata/dawarich/shared
 /mnt/user/appdata/dawarich/public
 /mnt/user/appdata/dawarich/watched
 /mnt/user/appdata/dawarich/storage
 /mnt/user/appdata/secrets/dawarich_*.txt
 ```
 Primaerer Restore-Weg fuer die DB sollte ein logischer Dump plus Appdaten sein. Raw-Postgres-Verzeichnisse sind nur fuer gleiches Major/PostGIS-Image und sauberen Shutdown geeignet.
 Empfohlener Dump vor Borg:
 ```bash
 docker exec dawarich_db pg_dump -U dawarich -d dawarich_production -Fc > /mnt/user/backups/borg/dumps/latest/dawarich.dump
 ```
 ## Updates
 - Kein `latest` verwenden.
 - Vor jedem Update Release Notes lesen, besonders bei Dawarich und PostGIS.
 - Dawarich App und Sidekiq muessen immer dasselbe Image-Tag nutzen.
 - PostGIS-Major-/Minor-Wechsel getrennt planen und vorher Dump plus Restore-Probe erstellen.
 - Image-Digests nach Review bewusst aktualisieren.
 ## Rollback
 1. Komodo Stack stoppen.
 2. Vorherigen Git-Commit mit altem Image-Tag/Digest deployen.
 3. Falls nur App-Code gewechselt wurde: Stack starten und Healthchecks pruefen.
 4. Falls DB-Migrationen gelaufen sind: DB aus `dawarich.dump` in einen frischen PostGIS-17-Container restoren; kein blindes Zurueckkopieren eines Live-Postgres-Verzeichnisses.
 5. Dawarich UI, `/api/v1/health`, Prometheus-Scrape und HA-Push testen.
@@ -1,270 +0,0 @@
 name: dawarich
 x-dawarich-image: &dawarich_image freikin/dawarich:1.8.1@sha256:7c70f2169e848ed77ae1cec01dd10ec4a73a70a785d4e4d248db1735c0bc25ed
 services:
  dawarich_db:
    image: postgis/postgis:17-3.5-alpine@sha256:fc07e7a034e013d50ada575673b798ca6277e000b8364e39e217f612d94bd9a5
    container_name: dawarich_db
    restart: unless-stopped
    shm_size: 1G
    environment:
      TZ: ${TZ}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_PASSWORD_FILE: /run/secrets/dawarich_postgres_password
      GRAFANA_DB_USER: ${GRAFANA_DB_USER}
      PGDATA: /var/lib/postgresql/data
    volumes:
      - dawarich_db_data:/var/lib/postgresql/data
      - dawarich_shared:/var/shared
      - ./postgres/initdb:/docker-entrypoint-initdb.d:ro
    networks:
      - backend_net
    secrets:
      - dawarich_postgres_password
      - dawarich_grafana_ro_password
    expose:
      - "5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U \"$${POSTGRES_USER}\" -d \"$${POSTGRES_DB}\""]
      interval: 10s
      timeout: 10s
      retries: 5
      start_period: 30s
    security_opt:
      - no-new-privileges:true
  dawarich_redis:
    image: redis:8.8.0-alpine@sha256:09160599abd229764c0fb44cb6be640294e1d360a54b19985ab4843dcf2d90f1
    container_name: dawarich_redis
    restart: unless-stopped
    command:
      - /bin/sh
      - -lc
      - |
        exec redis-server \
          --save 900 1 \
          --save 300 10 \
          --appendonly no \
          --requirepass "$$(cat /run/secrets/dawarich_redis_password)"
    volumes:
      - dawarich_redis_data:/data
    networks:
      - backend_net
    secrets:
      - dawarich_redis_password
    expose:
      - "6379"
    healthcheck:
      test: ["CMD-SHELL", "redis-cli -a \"$$(cat /run/secrets/dawarich_redis_password)\" --raw incr ping >/dev/null"]
      interval: 10s
      timeout: 10s
      retries: 5
      start_period: 30s
    security_opt:
      - no-new-privileges:true
  dawarich_app:
    image: *dawarich_image
    container_name: dawarich_app
    restart: unless-stopped
    stdin_open: true
    tty: true
    entrypoint:
      - /bin/sh
      - -lc
    command:
      - |
        export DATABASE_PASSWORD="$$(cat /run/secrets/dawarich_postgres_password)"
        export REDIS_URL="redis://:$$(cat /run/secrets/dawarich_redis_password)@dawarich_redis:6379/0"
        export SECRET_KEY_BASE="$$(cat /run/secrets/dawarich_secret_key_base)"
        export METRICS_PASSWORD="$$(cat /run/secrets/dawarich_metrics_password)"
        exec web-entrypoint.sh bin/rails server -p 3000 -b ::
    environment:
      TZ: ${TZ}
      RAILS_ENV: production
      DATABASE_HOST: dawarich_db
      DATABASE_PORT: "5432"
      DATABASE_USERNAME: ${POSTGRES_USER}
      DATABASE_NAME: ${POSTGRES_DB}
      APPLICATION_HOSTS: ${APPLICATION_HOSTS}
      APPLICATION_PROTOCOL: https
      TIME_ZONE: ${TZ}
      SELF_HOSTED: "true"
      STORE_GEODATA: "true"
      RAILS_LOG_TO_STDOUT: "true"
      PROMETHEUS_EXPORTER_ENABLED: "true"
      METRICS_USERNAME: ${METRICS_USERNAME}
      SIDEKIQ_METRICS_URL: http://dawarich_sidekiq:9394/metrics
      BACKGROUND_PROCESSING_CONCURRENCY: ${BACKGROUND_PROCESSING_CONCURRENCY}
      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS}
    volumes:
      - dawarich_public:/var/app/public
      - dawarich_watched:/var/app/tmp/imports/watched
      - dawarich_storage:/var/app/storage
      - dawarich_db_data:/dawarich_db_data:ro
    networks:
      - frontend_net
      - backend_net
    secrets:
      - dawarich_postgres_password
      - dawarich_redis_password
      - dawarich_secret_key_base
      - dawarich_metrics_password
    expose:
      - "3000"
    healthcheck:
      test: ["CMD-SHELL", "wget -qO - --header=\"Host: ${DAWARICH_HOST}\" --header=\"X-Forwarded-Proto: https\" http://127.0.0.1:3000/api/v1/health | grep -q '\"status\"[[:space:]]*:[[:space:]]*\"ok\"'"]
      interval: 10s
      timeout: 10s
      retries: 30
      start_period: 30s
    depends_on:
      dawarich_db:
        condition: service_healthy
      dawarich_redis:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend_net
      # Public API-key endpoints for mobile apps and Home Assistant pushes.
      - traefik.http.routers.dawarich-api.rule=Host(`${DAWARICH_HOST}`) && (Path(`/api/v1/health`) || Path(`/api/v1/settings`) || Path(`/api/v1/settings/transportation_recalculation_status`) || Path(`/api/v1/points`) || Path(`/api/v1/tracks`) || PathRegexp(`/api/v1/tracks/[0-9]+/points`) || Path(`/api/v1/owntracks/points`) || Path(`/api/v1/overland/batches`) || Path(`/api/v1/traccar/points`))
      - traefik.http.routers.dawarich-api.entrypoints=websecure
      - traefik.http.routers.dawarich-api.tls=true
      - traefik.http.routers.dawarich-api.tls.certresolver=le
      - traefik.http.routers.dawarich-api.priority=100
      - traefik.http.routers.dawarich-api.middlewares=secure-headers@file
      - traefik.http.routers.dawarich-api.service=dawarich
      # UI and all other routes require Authelia ForwardAuth.
      - traefik.http.routers.dawarich.rule=Host(`${DAWARICH_HOST}`)
      - traefik.http.routers.dawarich.entrypoints=websecure
      - traefik.http.routers.dawarich.tls=true
      - traefik.http.routers.dawarich.tls.certresolver=le
      - traefik.http.routers.dawarich.priority=10
      - traefik.http.routers.dawarich.middlewares=authelia@file,secure-headers@file
      - traefik.http.routers.dawarich.service=dawarich
      - traefik.http.services.dawarich.loadbalancer.server.port=3000
  dawarich_sidekiq:
    image: *dawarich_image
    container_name: dawarich_sidekiq
    restart: unless-stopped
    stdin_open: true
    tty: true
    entrypoint:
      - /bin/sh
      - -lc
    command:
      - |
        export DATABASE_PASSWORD="$$(cat /run/secrets/dawarich_postgres_password)"
        export REDIS_URL="redis://:$$(cat /run/secrets/dawarich_redis_password)@dawarich_redis:6379/0"
        export SECRET_KEY_BASE="$$(cat /run/secrets/dawarich_secret_key_base)"
        export METRICS_PASSWORD="$$(cat /run/secrets/dawarich_metrics_password)"
        exec sidekiq-entrypoint.sh sidekiq
    environment:
      TZ: ${TZ}
      RAILS_ENV: production
      DATABASE_HOST: dawarich_db
      DATABASE_PORT: "5432"
      DATABASE_USERNAME: ${POSTGRES_USER}
      DATABASE_NAME: ${POSTGRES_DB}
      APPLICATION_HOSTS: ${APPLICATION_HOSTS}
      APPLICATION_PROTOCOL: https
      TIME_ZONE: ${TZ}
      SELF_HOSTED: "true"
      STORE_GEODATA: "true"
      RAILS_LOG_TO_STDOUT: "true"
      PROMETHEUS_EXPORTER_ENABLED: "true"
      PROMETHEUS_EXPORTER_PORT: "9394"
      METRICS_USERNAME: ${METRICS_USERNAME}
      BACKGROUND_PROCESSING_CONCURRENCY: ${BACKGROUND_PROCESSING_CONCURRENCY}
      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS}
    volumes:
      - dawarich_public:/var/app/public
      - dawarich_watched:/var/app/tmp/imports/watched
      - dawarich_storage:/var/app/storage
    networks:
      - backend_net
    secrets:
      - dawarich_postgres_password
      - dawarich_redis_password
      - dawarich_secret_key_base
      - dawarich_metrics_password
    expose:
      - "9394"
    healthcheck:
      test: ["CMD-SHELL", "pgrep -f sidekiq >/dev/null"]
      interval: 10s
      timeout: 10s
      retries: 30
      start_period: 30s
    depends_on:
      dawarich_db:
        condition: service_healthy
      dawarich_redis:
        condition: service_healthy
      dawarich_app:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
 networks:
  frontend_net:
    external: true
  backend_net:
    external: true
 volumes:
  dawarich_db_data:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /mnt/user/appdata/dawarich/postgres17
  dawarich_redis_data:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /mnt/user/appdata/dawarich/redis
  dawarich_shared:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /mnt/user/appdata/dawarich/shared
  dawarich_public:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /mnt/user/appdata/dawarich/public
  dawarich_watched:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /mnt/user/appdata/dawarich/watched
  dawarich_storage:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /mnt/user/appdata/dawarich/storage
 secrets:
  dawarich_postgres_password:
    file: /mnt/user/appdata/secrets/dawarich_postgres_password.txt
  dawarich_redis_password:
    file: /mnt/user/appdata/secrets/dawarich_redis_password.txt
  dawarich_secret_key_base:
    file: /mnt/user/appdata/secrets/dawarich_secret_key_base.txt
  dawarich_metrics_password:
    file: /mnt/user/appdata/secrets/dawarich_metrics_password.txt
  dawarich_grafana_ro_password:
    file: /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt
@@ -1,577 +0,0 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": false,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "id": null,
  "links": [],
  "liveNow": false,
  "panels": [
    {
      "id": 10,
      "type": "stat",
      "title": "Points Last 30 Days",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 0,
        "y": 0,
        "w": 6,
        "h": 4
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT count(*)::double precision AS points\nFROM points\nWHERE timestamp >= extract(epoch from now() - interval '30 days')::integer\n  AND timestamp <= extract(epoch from now())::integer\n  AND lonlat IS NOT NULL;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "unit": "short",
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "colorMode": "value",
        "graphMode": "none",
        "justifyMode": "auto",
        "orientation": "auto",
        "reduceOptions": {
          "calcs": [
            "lastNotNull"
          ],
          "fields": "points",
          "values": false
        },
        "textMode": "auto",
        "wideLayout": true
      }
    },
    {
      "id": 11,
      "type": "stat",
      "title": "Kilometers Last 30 Days",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 6,
        "y": 0,
        "w": 6,
        "h": 4
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT round(coalesce(sum(distance),0)::numeric / 1000.0, 2)::double precision AS km\nFROM tracks\nWHERE start_at >= now() - interval '30 days';"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "unit": "km",
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "colorMode": "value",
        "graphMode": "none",
        "justifyMode": "auto",
        "orientation": "auto",
        "reduceOptions": {
          "calcs": [
            "lastNotNull"
          ],
          "fields": "km",
          "values": false
        },
        "textMode": "auto",
        "wideLayout": true
      }
    },
    {
      "id": 12,
      "type": "stat",
      "title": "Tracks Last 30 Days",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 12,
        "y": 0,
        "w": 6,
        "h": 4
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT count(*)::double precision AS tracks\nFROM tracks\nWHERE start_at >= now() - interval '30 days';"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "unit": "short",
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "colorMode": "value",
        "graphMode": "none",
        "justifyMode": "auto",
        "orientation": "auto",
        "reduceOptions": {
          "calcs": [
            "lastNotNull"
          ],
          "fields": "tracks",
          "values": false
        },
        "textMode": "auto",
        "wideLayout": true
      }
    },
    {
      "id": 13,
      "type": "stat",
      "title": "Anomalies Last 30 Days",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 18,
        "y": 0,
        "w": 6,
        "h": 4
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT count(*)::double precision AS anomalies\nFROM points\nWHERE timestamp >= extract(epoch from now() - interval '30 days')::integer\n  AND timestamp <= extract(epoch from now())::integer\n  AND anomaly IS TRUE;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "unit": "short",
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "colorMode": "value",
        "graphMode": "none",
        "justifyMode": "auto",
        "orientation": "auto",
        "reduceOptions": {
          "calcs": [
            "lastNotNull"
          ],
          "fields": "anomalies",
          "values": false
        },
        "textMode": "auto",
        "wideLayout": true
      }
    },
    {
      "id": 1,
      "type": "geomap",
      "title": "Location Points",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 0,
        "y": 4,
        "w": 14,
        "h": 12
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT\n  ST_Y(lonlat::geometry)::double precision AS lat,\n  ST_X(lonlat::geometry)::double precision AS lon,\n  accuracy::double precision AS accuracy,\n  to_timestamp(timestamp) AS seen_at\nFROM points\nWHERE timestamp >= extract(epoch from now() - interval '30 days')::integer\n  AND timestamp <= extract(epoch from now())::integer\n  AND lonlat IS NOT NULL\nORDER BY timestamp DESC\nLIMIT 5000;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "custom": {
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "basemap": {
          "config": {},
          "name": "Layer 0",
          "type": "default"
        },
        "controls": {
          "mouseWheelZoom": true,
          "showAttribution": true,
          "showDebug": false,
          "showMeasure": false,
          "showScale": true,
          "showZoom": true
        },
        "layers": [
          {
            "config": {
              "showLegend": false,
              "style": {
                "color": {
                  "fixed": "green"
                },
                "opacity": 0.7,
                "size": {
                  "fixed": 5,
                  "max": 15,
                  "min": 2
                },
                "symbol": {
                  "fixed": "img/icons/marker/circle.svg",
                  "mode": "fixed"
                }
              }
            },
            "location": {
              "latitude": "lat",
              "longitude": "lon",
              "mode": "coords"
            },
            "name": "Points",
            "tooltip": true,
            "type": "markers"
          }
        ],
        "tooltip": {
          "mode": "details"
        },
        "view": {
          "allLayers": true,
          "id": "fit",
          "lat": 52.0,
          "lon": 7.5,
          "zoom": 8
        }
      }
    },
    {
      "id": 2,
      "type": "table",
      "title": "Kilometers per Day",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 14,
        "y": 4,
        "w": 10,
        "h": 6
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT\n  date_trunc('day', start_at)::date AS day,\n  round(coalesce(sum(distance),0)::numeric / 1000.0, 2)::double precision AS km\nFROM tracks\nWHERE start_at >= now() - interval '30 days'\nGROUP BY 1\nORDER BY 1 DESC;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "custom": {
            "align": "auto",
            "cellOptions": {
              "type": "auto"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "cellHeight": "sm",
        "footer": {
          "countRows": false,
          "fields": "",
          "reducer": [
            "sum"
          ],
          "show": false
        },
        "showHeader": true
      }
    },
    {
      "id": 3,
      "type": "table",
      "title": "Points per Day",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 14,
        "y": 10,
        "w": 10,
        "h": 6
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT\n  date_trunc('day', to_timestamp(timestamp))::date AS day,\n  count(*)::double precision AS points\nFROM points\nWHERE timestamp >= extract(epoch from now() - interval '30 days')::integer\n  AND timestamp <= extract(epoch from now())::integer\nGROUP BY 1\nORDER BY 1 DESC;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "custom": {
            "align": "auto",
            "cellOptions": {
              "type": "auto"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "cellHeight": "sm",
        "footer": {
          "countRows": false,
          "fields": "",
          "reducer": [
            "sum"
          ],
          "show": false
        },
        "showHeader": true
      }
    },
    {
      "id": 4,
      "type": "table",
      "title": "Recent Tracks",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 0,
        "y": 16,
        "w": 24,
        "h": 7
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT\n  start_at AS start,\n  end_at AS end,\n  round((distance::numeric / 1000.0), 2)::double precision AS km,\n  round((duration::numeric / 60.0), 1)::double precision AS minutes\nFROM tracks\nWHERE start_at >= now() - interval '30 days'\nORDER BY start_at DESC\nLIMIT 50;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "custom": {
            "align": "auto",
            "cellOptions": {
              "type": "auto"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "cellHeight": "sm",
        "footer": {
          "countRows": false,
          "fields": "",
          "reducer": [
            "sum"
          ],
          "show": false
        },
        "showHeader": true
      }
    }
  ],
  "refresh": "5m",
  "schemaVersion": 41,
  "tags": [
    "homelab",
    "dawarich"
  ],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-30d",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "browser",
  "title": "Dawarich",
  "uid": "dawarich",
  "version": 5,
  "weekStart": ""
 }
@@ -1,18 +0,0 @@
 apiVersion: 1
 datasources:
  - name: Dawarich PostgreSQL
    uid: dawarich-postgres
    type: postgres
    access: proxy
    url: dawarich_db:5432
    database: dawarich_production
    user: dawarich_grafana_ro
    editable: false
    jsonData:
      database: dawarich_production
      sslmode: disable
      postgresVersion: 1700
      timescaledb: false
    secureJsonData:
      password: $DAWARICH_GRAFANA_RO_PASSWORD
@@ -1,47 +0,0 @@
 # Add `dawarich_api_key` to Home Assistant `secrets.yaml`.
 # The endpoint is the current OwnTracks-compatible Dawarich endpoint:
 # https://<host>/api/v1/owntracks/points?api_key=<api-key>
 rest_command:
  dawarich_push_owntracks:
    url: "https://dawarich.kaleschke.info/api/v1/owntracks/points?api_key={{ api_key }}"
    method: POST
    content_type: "application/json"
    payload: >-
      {
        "_type": "location",
        "lat": {{ latitude }},
        "lon": {{ longitude }},
        "tst": {{ timestamp }},
        "acc": {{ accuracy | default(0) }},
        "alt": {{ altitude | default(0) }},
        "batt": {{ battery | default(0) }},
        "tid": "{{ tracker_id[:2] }}"
      }
 automation:
  - id: dawarich_push_device_tracker_location
    alias: Dawarich - push device tracker location
    mode: queued
    max: 20
    trigger:
      - platform: state
        entity_id:
          - device_tracker.your_phone
    condition:
      - condition: template
        value_template: >-
          {{ trigger.to_state is not none
             and state_attr(trigger.entity_id, 'latitude') is number
             and state_attr(trigger.entity_id, 'longitude') is number }}
    action:
      - service: rest_command.dawarich_push_owntracks
        data:
          api_key: !secret dawarich_api_key
          tracker_id: "{{ trigger.entity_id.split('.')[1] }}"
          latitude: "{{ state_attr(trigger.entity_id, 'latitude') }}"
          longitude: "{{ state_attr(trigger.entity_id, 'longitude') }}"
          accuracy: "{{ state_attr(trigger.entity_id, 'gps_accuracy') | default(0, true) }}"
          altitude: "{{ state_attr(trigger.entity_id, 'altitude') | default(0, true) }}"
          battery: "{{ state_attr(trigger.entity_id, 'battery_level') | default(0, true) }}"
          timestamp: "{{ as_timestamp(trigger.to_state.last_updated) | int }}"
@@ -1,24 +0,0 @@
 #!/bin/sh
 set -eu
 GRAFANA_USER="${GRAFANA_DB_USER:-dawarich_grafana_ro}"
 GRAFANA_PASSWORD="$(cat /run/secrets/dawarich_grafana_ro_password)"
 export GRAFANA_USER GRAFANA_PASSWORD
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<'EOSQL'
 \set grafana_user `printf %s "$GRAFANA_USER"`
 \set grafana_password `printf %s "$GRAFANA_PASSWORD"`
 SELECT format('CREATE ROLE %I LOGIN PASSWORD %L', :'grafana_user', :'grafana_password')
 WHERE NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = :'grafana_user')
 \gexec
 SELECT format('ALTER ROLE %I WITH LOGIN PASSWORD %L', :'grafana_user', :'grafana_password')
 WHERE EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = :'grafana_user')
 \gexec
 SELECT format('GRANT CONNECT ON DATABASE %I TO %I', current_database(), :'grafana_user')\gexec
 SELECT format('GRANT USAGE ON SCHEMA public TO %I', :'grafana_user')\gexec
 SELECT format('GRANT SELECT ON ALL TABLES IN SCHEMA public TO %I', :'grafana_user')\gexec
 SELECT format('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO %I', :'grafana_user')\gexec
 EOSQL
@@ -1,20 +0,0 @@
 # Dawarich 1.8.1 serves the Prometheus endpoint on the web service at
 # /metrics. Port 9394 is the internal Sidekiq metrics endpoint consumed by
 # dawarich_app via SIDEKIQ_METRICS_URL.
 #
 # Prerequisites in monitoring/docker-compose.yml:
 # - mount Docker secret/file `/mnt/user/appdata/secrets/dawarich_metrics_password.txt`
 #   into the Prometheus container at `/run/secrets/dawarich_metrics_password`
 - job_name: dawarich
  metrics_path: /metrics
  basic_auth:
    username: prometheus
    password_file: /run/secrets/dawarich_metrics_password
  http_headers:
    X-Forwarded-Proto:
      values:
        - https
  static_configs:
    - targets:
        - dawarich_app:3000
@@ -1 +0,0 @@
 replace-with-a-long-random-grafana-readonly-password
@@ -1 +0,0 @@
 replace-with-a-long-random-metrics-password
@@ -1 +0,0 @@
 replace-with-a-long-random-postgres-password
@@ -1 +0,0 @@
 replace-with-a-long-random-url-safe-redis-password
@@ -1 +0,0 @@
 replace-with-output-of-openssl-rand-hex-64
@@ -1,7 +1,7 @@
 services:
  immich-server:
    container_name: immich_server
-    image: ghcr.io/immich-app/immich-server:v2.7.5@sha256:c15bff75068effb03f4355997d03dc7e0fc58720c2b54ad6f7f10d1bc57efaa5
+    image: ghcr.io/immich-app/immich-server:release@sha256:c15bff75068effb03f4355997d03dc7e0fc58720c2b54ad6f7f10d1bc57efaa5
    restart: unless-stopped
    depends_on:
      - redis
@@ -32,7 +32,7 @@ services:
  immich-machine-learning:
    container_name: immich_machine_learning
-    image: ghcr.io/immich-app/immich-machine-learning:v2.7.5@sha256:a2501141440f10516d329fdfba2c68082e19eb9ba6016c061ac80d23beadf7f3
+    image: ghcr.io/immich-app/immich-machine-learning:release@sha256:a2501141440f10516d329fdfba2c68082e19eb9ba6016c061ac80d23beadf7f3
    restart: unless-stopped
    environment:
      # Workaround fuer gunicorn-25.1.0-Control-Socket-Bug: der Worker haengt
@@ -48,18 +48,7 @@ services:
    volumes:
      - model-cache:/cache
    networks:
      # immich_default (internal) = Erreichbarkeit durch immich-server.
      # immich_egress (nicht-internal) = Outbound zu huggingface, damit ML die
      # Modelle (CLIP ViT-B-32, buffalo_l) einmalig nach model-cache laedt.
      # Ohne dieses Netz scheitert der Modell-Download an der DNS-Aufloesung
      # (immich_default ist internal: true) -> Smart Search/Gesichtserkennung tot.
      - immich_default
      - immich_egress
    dns:
      # Egress-Netz braucht externe Aufloesung (huggingface.co); explizit nach
      # docs/WORKFLOW.md "DNS-Regeln fuer Container", analog traefik/ddns-updater.
      - 1.1.1.1
      - 8.8.8.8
    security_opt:
      - no-new-privileges:true
@@ -97,10 +86,5 @@ networks:
    name: immich_default
    internal: true
    driver: bridge
  immich_egress:
    # Bewusst NICHT internal: nur fuer den ML-Modell-Download (Outbound).
    # Nur immich_machine_learning haengt hier; DB/Redis bleiben in immich_default.
    name: immich_egress
    driver: bridge
  frontend_net:
    external: true
@@ -1,6 +1,6 @@
 services:
  mail-archiver:
-    image: s1t5/mailarchiver@sha256:9ab6f51fa036c7869f64cb052a18f7bb8b9951a120ce1c03df43a273a20d3f59
+    image: s1t5/mailarchiver@sha256:4ea7ecc47ad1dd2c523b85c3967574b61e39def1b6fd26edf874e21733c4018c
    container_name: mail-archiver
    restart: unless-stopped
    environment:
@@ -54,7 +54,7 @@ services:
      - traefik.http.services.mealie.loadbalancer.server.port=9000
  mealie-postgres:
-    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
+    image: postgres:18.4@sha256:65f70a152846cf504dff86e807007e9aeac98c3aeb7b62541b2c55ab9d264e56
    container_name: mealie-postgres
    restart: unless-stopped
@@ -1,6 +1,6 @@
 services:
  n8n:
-    image: docker.n8n.io/n8nio/n8n:2.27.3@sha256:a772d24e6b4f9b3848be5a57c5e45437eed1965bbbcefa2f9a93f4835b6639fa
+    image: docker.n8n.io/n8nio/n8n:2.26.2@sha256:61ba01bc5e39304bbc928c9dbecd938c3a5cc1331b68affba6a34d0f654c43d9
    container_name: n8n
    restart: unless-stopped
@@ -1,6 +1,6 @@
 services:
  nextcloud:
-    image: nextcloud:34.0.0-apache@sha256:851ca6ef9da101ce3c8a32ec7b6fc65a726b380b5f466307a54c17d32fb77c9a
+    image: nextcloud:33.0.5-apache@sha256:56bdc45109067500fd0832fa64832b7c77a167d9394cbf5f0f4b59740b94194d
    container_name: nextcloud
    restart: unless-stopped
    depends_on:
@@ -46,7 +46,7 @@ services:
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
  nextcloud-postgres:
-    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
+    image: postgres:18.4@sha256:65f70a152846cf504dff86e807007e9aeac98c3aeb7b62541b2c55ab9d264e56
    container_name: nextcloud-postgres
    restart: unless-stopped
    environment:
@@ -1,6 +1,6 @@
 services:
  super-productivity:
-    image: johannesjo/super-productivity:v18.12.1@sha256:a108244f331a1d165f4c52ad343efe739059a078e5f5993f010daf882a53f09e
+    image: johannesjo/super-productivity:v18.9.1@sha256:773760107344e739f4c29409f7842db66a1b167d50eb2c40248cb5b5b328652e
    container_name: super-productivity
    restart: unless-stopped
@@ -1,6 +1,6 @@
 services:
  unbound:
-    image: shaanmajid/unbound:1.25.1@sha256:6fa3d5257ff6d95ab16153c62fabfe256edc0db515f94755f5edeb1f2a2258ab
+    image: shaanmajid/unbound:1.25.1@sha256:f140db02a005904802bf5840093e95e675321aa060a00426fdffc2a3ac2eeb6b
    container_name: unbound
    restart: unless-stopped
    volumes:
@@ -1,6 +1,6 @@
 services:
  gitea:
-    image: docker.gitea.com/gitea:1.26.4@sha256:8e25c717b8f748445e15ec46e0390f577cb628101184cb0a150d1dae126c1f39
+    image: docker.gitea.com/gitea:1.26.2@sha256:7d13848af12645600a5f9d93ee2560daa9c6fa6b5b859b7bff3a5e1c0b661031
    container_name: gitea
    restart: unless-stopped
    security_opt:
@@ -1,6 +1,6 @@
 # Alert Rules
-Stand: 2026-06-18
+Stand: 2026-06-05
 Diese Datei beschreibt die produktiven Alarmwege und wichtigsten Regeln. Die
 Konfiguration selbst liegt in `monitoring/prometheus/alerts.yml` und in den
@@ -36,14 +36,6 @@ Skripten unter `services/posture-check/`.
 | `HomelabBorgBackupStale` | letztes Borg-Backup >30h | warning | Backup-Lauf nachholen/pruefen |
 | `HomelabBorgLastJobFailed` | letzter Borg-Job fehlgeschlagen | critical | Borg-UI-Job-Log pruefen |
 | `HomelabBorgLastJobCompletedWithWarnings` | letzter Borg-Job mit Warnungen | warning | Warnung im Borg-UI-Job lesen |
 | `HomelabBorgDumpMissing` | erwartetes Dump-Artefakt fehlt im aktuellen Dump-Set | critical | `pre-backup-dumps.sh`/User-Script pruefen |
 | `HomelabBorgDumpStale` | Dump-Artefakt >30h alt (Borg laeuft, Dumps eingefroren) | critical | `pre-backup-dumps.sh`/User-Script pruefen, nicht nur den Borg-Job |
 | `HomelabBorgScopeSourceListMissing` | Repo-Quellliste fuer Borg-Drift-Check fehlt | critical | Borg-UI-Mount `/local/services/homelab-infra` und Repo-Pfad pruefen |
 | `HomelabBorgScopeMissingSources` | Borg UI enthaelt nicht alle Pfade aus `ops/borg-ui/all-important-sources.txt` | critical | Live-Borg-Scope an Repo-Quelle angleichen |
 | `HomelabBorgScopeExtraSources` | Borg UI enthaelt Pfade ausserhalb der Repo-Quellliste | warning | Doku oder Live-Scope bereinigen |
 | `HomelabBorgRepositoryCheckStale` | letzter Borg-Check >14 Tage alt | warning | Borg-Repository-Check ausfuehren oder Scheduler pruefen |
 | `HomelabBorgRetentionDisabled` | Scheduled Job fuehrt kein Prune aus | warning | Retention-Einstellung in Borg UI pruefen |
 | `HomelabBorgCompactDisabled` | Scheduled Job fuehrt kein Compact aus | warning | Compact-Einstellung in Borg UI pruefen |
 | `HomelabCriticalContainerDown` | kritischer Container fehlt | critical | Komodo/Docker-Status pruefen |
 | `HomelabPrometheusTargetDown` | Scrape-Ziel down | critical | node-exporter/cadvisor/blackbox/traefik pruefen |
@@ -1,16 +1,14 @@
 # Authelia OIDC fuer Apps - Plan & Runbook
-Stand: 2026-06-17. Authelia-Version: **v4.39.20**.
+Stand: 2026-06-06. Authelia-Version: **v4.39.20**.
 Ziel: App-uebergreifendes Single-Sign-On ueber Authelia als OpenID-Connect-Provider
 (`https://auth.kaleschke.info`). Statt pro App eigener Logins meldet man sich einmal
 bei Authelia an (inkl. 2FA) und wird per OIDC an die App durchgereicht.
 > **Status:** aktives Runbook. Grafana und Mealie sind seit 2026-06-06 live
-> und per Login-Smoke verifiziert. Paperless ist seit 2026-06-17 technisch
+> und per Login-Smoke verifiziert. Der weitere Rollout bleibt additiv: lokale
-> verdrahtet (Authelia-Client + Stack-ENV-Secret + Service-Smoke gruen);
+> App-Logins bleiben als Fallback aktiv.
 > finaler Browser-Login mit Operator-Account bleibt offen. Der Rollout bleibt
 > additiv: lokale App-Logins bleiben als Fallback aktiv.
 ---
@@ -87,7 +85,7 @@ docker exec authelia authelia crypto hash generate pbkdf2 \
 | 2 | Immich | `immich.kaleschke.info` | nativ (Admin-UI/Config-File) | s. u. (Familie) | mittel | **GEPARKT bis Onboarding (Entscheidung 2026-06-06):** nur `micha` hat Authelia-Account, Familien-SSO-Nutzen entsteht erst mit Familien-Accounts; Immich ist mobil-lastig (hoechste Stoeranfaelligkeit) und braucht UI/Config-File. Erst nach Onboarding gezielt. Runbook bereit. |
 | 3 | Nextcloud | `cloud.kaleschke.info` | App `user_oidc` (+occ) | s. u. | mittel | **GEPARKT bis Onboarding (Entscheidung 2026-06-06):** wie Immich; braucht `user_oidc`-App-Install + `occ`. Lokaler Login bleibt. Erst nach Onboarding. Runbook bereit. |
 | **4 ERLEDIGT 2026-06-06** | Mealie | `mealie.kaleschke.info` | nativ | `one_factor` | niedrig | **Live + Login verifiziert.** OIDC-Env additiv (lokaler Login bleibt), Secret als Stack-ENV `${MEALIE_OIDC_CLIENT_SECRET}`, `extra_hosts` noetig (s. Gotchas) |
-| **5 TEILWEISE ERLEDIGT 2026-06-17** | Paperless-ngx | `paperless.kaleschke.info` | `django-allauth` (Umgebungsvariablen) | `one_factor` (hostseitiger Ist-Stand; `two_factor` spaeter moeglich) | mittel | **Authelia-Client + `${PAPERLESS_OIDC_SECRET}` in Stack-ENV gesetzt, Authelia-Config validiert, Paperless HTTP-Smoke `200`.** Lokaler Login bleibt Fallback; finaler Browser-Login mit Operator-Account offen. |
+| 5 | Paperless-ngx | `paperless.kaleschke.info` | `django-allauth` (Umgebungsvariablen) | `two_factor` | mittel | dokumentenlastig, Operator-nah |
 **Nicht OIDC:** Vaultwarden hat kein Standard-Endnutzer-OIDC (SSO ist Enterprise/Bitwarden-Feature) -> bleibt eigener Login. ntfy bleibt wie gehabt.
@@ -177,8 +175,7 @@ GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
  E-Mail-Claim. Stimmt die Authelia-E-Mail mit dem App-Account, wird verknuepft;
  sonst legt die App (bei aktivem Signup) einen neuen User an.
 - **Secret-Mechanik je App verschieden:** Grafana `__FILE` (Docker-Secret),
-  Mealie Stack-ENV `${MEALIE_OIDC_CLIENT_SECRET}`, Paperless Stack-ENV
+  Mealie Stack-ENV `${...}`. Hash immer in der Authelia-Host-Config, Klartext nie ins Repo.
  `${PAPERLESS_OIDC_SECRET}`. Hash immer in der Authelia-Host-Config, Klartext nie ins Repo.
 ## Spaetere Feinschliffe vor breitem Rollout
@@ -1,69 +0,0 @@
 # Auth-Matrix
 Typ: Inventar/Referenz · Stand: 2026-06-23 · Status: aktiv
 Konsolidierte Review-Sicht auf die **effektive Zugriffskontrolle je oeffentlicher
 UI/Domain**. Bisher lag das verstreut: Authelia-ACL nur in der Live-Config, die
 Bypass-/Ausnahmefaelle in `HOMELAB_ARCHITECTURE_MASTER_V2.md` (Prosa + Service-
 und Ausnahmen-Tabellen) und die Begruendungen in `DECISIONS.md`. Diese Datei
 buendelt das an **einem** Ort und **verlinkt** auf die Quellen statt zu kopieren.
 ## Quelle der Wahrheit
 - **Authelia-ACL** (bypass / two_factor / Catch-all): `security/authelia/configuration.yml`
  (`access_control`). Repo-zu-Host-Drift prueft `services/authelia-diff.sh`.
 - **Dienste ohne ForwardAuth** (bewusste Ausnahmen): Ausnahmen-Tabelle in
  `HOMELAB_ARCHITECTURE_MASTER_V2.md` + die jeweiligen `DECISIONS.md`-Eintraege.
 - **Nicht-Authelia-Schutzschichten** (Tailscale-Bind, Traefik-IP-Allowlist): die
  jeweilige `docker-compose.yml` per Label bzw. Host-Bind.
 > Diese Matrix ist die kommentierte Lese-/Review-Sicht. Bei Widerspruch gewinnen
 > die oben genannten Quellen; dann diese Datei nachziehen.
 ## Policy-Klassen
 - **Bypass** — Authelia laesst durch, **kein 2FA**; Schutz liegt allein in der
  App-eigenen Anmeldung. Bewusst fuer Public-Apps mit eigenen Clients.
 - **two_factor** — Authelia-ForwardAuth mit 2FA (Operator-TOTP), `authelia@file`.
 - **Keine Authelia (native)** — bewusste Ausnahme ohne ForwardAuth, App-Auth bleibt.
 - **Tailscale-only / LAN-only** — gar nicht oeffentlich, kein Traefik bzw. an
  Tailscale-/LAN-IP gebunden.
 - **IP-Allowlist** — oeffentlich geroutet, aber per Traefik-Middleware auf
  vertrauenswuerdige Quell-Netze begrenzt (sonst 403).
 ## Matrix
 | UI / Domain | Effektive Policy | Mechanismus | Quelle / Begruendung |
 |---|---|---|---|
 | `auth.kaleschke.info` | Bypass (Authelia selbst) | — | muss immer erreichbar sein |
 | `immich`, `paperless`, `mealie`, `vault`, `ntfy`, `git` `.kaleschke.info` | **Bypass** → native App-Auth, kein 2FA | Authelia laesst durch | `configuration.yml`; Public-Apps mit eigener Auth/Clients |
 | `vault.kaleschke.info/admin` | **IP-Allowlist** (Tailnet `100.64.0.0/10` + LAN `192.168.178.0/24`), sonst 403 | Traefik `ipallowlist` (Label) | DECISIONS 2026-06-23 (Audit-P1) |
 | `files.kaleschke.info`, `scrutiny.kaleschke.info` | **two_factor** (explizit) | `authelia@file` | `configuration.yml`; scrutiny zusaetzlich privileged |
 | uebrige `*.kaleschke.info` mit Middleware (monitoring/grafana, glances, glance, speedtest, bentopdf, mail-archiver, paperless-gpt, hermes, super-productivity, borg-ui, code-server) | **two_factor** (Catch-all) | `authelia@file` Catch-all | `configuration.yml`; Haertung 2026-06-06 |
 | `komodo.kaleschke.info` | **IP-Allowlist** (Tailnet + LAN), sonst 403; native (keine Authelia) | Traefik `ipallowlist` (Label) + native Komodo-Auth | DECISIONS 2026-06-23; Webhooks/Periphery laufen intern, nicht ueber Traefik |
 | `nextcloud` | Keine Authelia (native) | WebDAV/CardDAV/Client-Flows | DECISIONS 2026-04 / Ausnahmen-Tabelle |
 | `n8n.kaleschke.info` | Keine pauschale Authelia (native) | Webhook-Endpunkte `/webhook/*` | Ausnahmen-Tabelle; ⚠ Middleware-Abweichung lt. policy-check |
 | `plex.kaleschke.info` | Keine Authelia (native Plex) | File-Provider-Route; WAN-Port 32400 + Remote Access aus | DECISIONS 2026-05-28 |
 | `home.kaleschke.info` (homeassistant) | Keine Authelia (native HA) | Traefik + `smarthome_net`; LAN-Port 8123 | Ausnahmen-Tabelle; ⚠ Middleware-Abweichung lt. policy-check |
 | AdGuard-Admin | **Tailscale-only**, nicht oeffentlich | Host-Bind `100.80.98.33:8082`, kein Traefik | DECISIONS 2026-05-26 |
 | `influxdb3-core` :8181 | **LAN-only** Writer (HA) | Host-Port, kein Traefik, nicht in `frontend_net` | dokumentierte Ausnahme |
 ## Review-Gaps (Audit 2026-06-23)
 - **Komodo**: beschlossen IP-Allowlist (Tailnet + LAN) statt public (DECISIONS
  2026-06-23). Self-Stack ist inline in Komodo verwaltet → Labels via Komodo-UI
  setzen (Task #6), dann verifizieren (#7).
 - **Bypass-Liste bewusst ohne 2FA**: Bei App-CVE oder Account-Kompromiss greift
  davor kein Authelia. Akzeptiert fuer Public-Apps mit eigenen Clients; Review-
  Trigger = neue sensible App in der Liste oder veraendertes Risikoprofil.
 - **Middleware-Abweichungen** (policy-check `TRAEFIK002`): `n8n` und
  `homeassistant` sind erwartbar (native Ausnahmen). `grafana` steht **nicht** in
  der Ausnahmen-Tabelle und ist als Catch-all-`two_factor` gefuehrt — die
  abweichende Middleware ist live zu bestaetigen (offen).
 ## Pflege
 Diese Matrix bei jeder Aenderung an Authelia-ACL, vorgeschalteter Middleware,
 Tailscale-Bind oder IP-Allowlist mitziehen. Zugehoerige Drift-Erkennung:
 `services/authelia-diff.sh` (ACL), `ops/policy-checks/check_repo.ps1` (Middleware-
 Standard `TRAEFIK002`).
@@ -11,260 +11,6 @@ in `HOMELAB_ARCHITECTURE_MASTER_V2.md` §13, `docs/MASTER_TODO.md` (Geparkt),
 ---
 ## 2026-06-23 - Komodo nur aus vertrauenswuerdigen Netzen (IP-Allowlist statt public)
 **Entscheidung:** Der Komodo-Router (`komodo.kaleschke.info`) bekommt eine
 Label-definierte `ipallowlist`-Middleware auf Tailnet `100.64.0.0/10` + LAN
 `192.168.178.0/24`; public-Zugriff liefert kuenftig `403`. KEINE ForwardAuth
 (die bewusste Komodo-Ausnahme bleibt), `KOMODO_HOST` bleibt
 `https://komodo.kaleschke.info`. Der GANZE Router wird begrenzt, kein
 pfadbasierter Public-Bypass.
 **Kontext:** Audit 2026-06-23 (P1): Komodo war public mit `200` erreichbar und
 koppelt ueber den RW-Docker-Socket der Periphery an Host-root-aehnliche Macht
 (Core -> Periphery -> `docker.sock` -> jeder Container/Datenpfad). Read-only
 gemessen: Gitea→Komodo-Webhooks (`/listener`) und Periphery (`/ws/periphery`)
 laufen INTERN ueber `komodo-core:9120`, NICHT ueber Traefik. Der public Router
 hat damit keine legitimen externen Consumer; eine Allowlist auf dem ganzen Router
 schliesst die Public-Flaeche, ohne Automation zu brechen.
 **Umsetzung / Ausnahme:** Der Komodo-Self-Stack ist inline in Komodo verwaltet
 (`repo=""`, `files_on_host=false`, `webhook_enabled=false`, vgl. 2026-05-04),
 KEIN GitOps-Push-Stack. Die Labels werden in der Komodo-UI am Inline-Compose
 gesetzt; `ops/komodo/docker-compose.yml` ist nur Spiegel/Doku und wird zur
 Paritaet nachgezogen.
 **Alternativen:** Reines Tailscale-only (Route + public DNS-Record raus,
 `KOMODO_HOST` auf Tailscale-Host) — strenger (kein 403-Endpunkt, keine
 Hostname-Disclosure), aber mehr Aufwand und geaenderter Operator-Zugriff;
 verworfen zugunsten des bewaehrten, minimalen Allowlist-Musters (analog Vault
 /admin). **Review-Trigger:** Wunsch nach vollstaendiger Unsichtbarkeit von aussen
 oder Aenderung am Komodo-Zugriffspfad.
 ---
 ## 2026-06-23 - Vaultwarden /admin nur aus vertrauenswuerdigen Netzen (IP-Allowlist)
 **Entscheidung:** Das Vaultwarden-Admin-Panel `/admin` bekommt einen zweiten,
 hoeher priorisierten Traefik-Router `vaultwarden-admin` (Regel Host +
 PathPrefix `/admin`, `priority=100`) mit einer Label-definierten
 `ipallowlist`-Middleware auf Tailnet `100.64.0.0/10` + LAN `192.168.178.0/24`.
 Der Hauptrouter bleibt unveraendert nativ (Browser-Extension, Mobile-Clients,
 WebSocket `/notifications/hub`), damit normale Vault-Nutzung von ueberall
 funktioniert. Public-Zugriff auf `/admin` liefert kuenftig `403`.
 **Kontext:** Empirischer Audit 2026-06-23 (P1): `/admin` antwortete public mit
 `200`, obwohl `SIGNUPS_ALLOWED=false`, `INVITATIONS_ALLOWED=false` und
 `ADMIN_TOKEN_FILE` gesetzt sind. Der Admin-Token bleibt damit oeffentlich brute-
 und CVE-exponiert. Gleiche Logik wie AdGuard-Admin (Entscheidung 2026-05-26,
 Tailscale-only), hier aber pfadbasiert ueber Traefik statt Host-Port-Bind, weil
 Vaultwarden nur einen Container-Port hat. Definition als Docker-Label (nicht
 File-Provider), damit Komodo die Middleware mitdeployed.
 **Alternativen:** (a) Authelia `two_factor` auf `/admin` — verworfen als
 Primaerloesung, weil der Endpunkt dann public erreichbar bliebe; bleibt Fallback,
 falls die Quelle-IP ueber den Operator-Zugriffspfad nicht zuverlaessig im
 Allowlist-Bereich landet. (b) Reines Tailscale-only ohne LAN — strenger, aber
 LAN bewusst als Break-glass behalten (im Bedrohungsmodell vertrauenswuerdig),
 um Self-Lockout zu vermeiden.
 **Abhaengigkeit / Review-Trigger:** Wirkt nur, wenn `/admin`-Zugriff mit einer
 Quelle aus `100.64.0.0/10` oder `192.168.178.0/24` an Traefik ankommt — vor
 finaler Abnahme per Traefik-Access-Log und `curl` aus public + Tailscale/LAN
 verifizieren. Review bei Aenderung an Vault-Routing, Tailnet-CIDR oder Umstieg
 auf reines Tailscale-only.
 ---
 ## 2026-06-16 - Immich ML bekommt dediziertes Egress-Netz (Modell-Download)
 **Entscheidung:** `immich_machine_learning` haengt zusaetzlich zu `immich_default`
 (`internal: true`) in einem neuen, bewusst **nicht**-internen Compose-Netz
 `immich_egress` und bekommt explizit `dns: 1.1.1.1/8.8.8.8`. Damit kann ML die
 Modelle (CLIP `ViT-B-32__openai`, Gesichtserkennung `buffalo_l`) einmalig von
 huggingface nach `model-cache` laden. DB und Redis bleiben unveraendert in
 `immich_default` isoliert.
 **Kontext:** Am 2026-06-16 live gemessen: ML lief zwar `healthy`, aber
 `/cache` war 0 B und die Logs zeigten in Schleife
 `NameResolutionError: Failed to resolve 'huggingface.co'`. Ursache: ML hing nur
 im `internal: true`-Netz `immich_default` ohne Egress/DNS. Folge: Smart Search
 und Gesichtserkennung waren faktisch tot, trotz gesundem Container (Healthcheck
 prueft nur den HTTP-Endpoint, nicht die Modellverfuegbarkeit). Das Zielbild §7.4
 sagte vorher "bleibt intern" und widersprach damit dem eigenen Einordnungsschema
 §6 Schritt 2 ("braucht Internet -> nicht-internal").
 **Alternativen:** (a) ML an `frontend_net` haengen — verworfen, weil die
 unauthentifizierte ML-API dann im geteilten Web-Netz erreichbar waere.
 (b) `immich_default` auf nicht-internal umstellen — verworfen, weil dann auch
 Postgres/Redis Outbound-Internet bekaemen (Least-Privilege-Verlust). Das
 dediziertes Egress-Netz isoliert den Internetbedarf auf genau ML.
 **Review-Trigger:** Immich-Update, das ML-Modelle anders bezieht; Wunsch nach
 vollstaendigem Air-Gap (dann Modelle offline vorseeden statt Egress); oder wenn
 ML weitere Modelle braucht (Egress bleibt dafuer noetig).
 ## 2026-06-13 - Wetter-/Langzeitarchiv: HA schreibt nach InfluxDB 3 Core
 **Entscheidung:** Home Assistant schreibt die Ecowitt-Sensoren
 (`sensor.gw3000a_*`) dauerhaft nach InfluxDB 3 Core (DB `homeassistant`),
 visualisiert im Grafana-Dashboard `ha-weather-archive` ("Wetterarchiv
 KalliHome"). HA wurde dem bestehenden `monitoring_net` als zusaetzliches Netz
 hinzugefuegt und schreibt intern an `monitoring-influxdb3-core:8181`
 (v2-Write-API) - kein Host-Port, keine LAN-Exposition. Das war die im
 Ecowitt-Eintrag offen gelassene Reachability-Entscheidung (Alternative:
 LAN-Bind 8181).
 **Kontext:** Gewuenscht war ein echtes Langzeit-Wetterarchiv unabhaengig von
 HAs kurzer SQLite-Historie. HAs eingebaute Langzeit-Statistiken decken den Fall
 stuendlich bereits ab; InfluxDB liefert volle Aufloesung und eigene Grafana-
 Dashboards. InfluxDB 3 Core kennt nur Admin-Tokens (keine feingranularen
 Scopes), daher hat der HA-Schreibtoken vollen Admin-Zugriff auf die
 Monitoring-InfluxDB - bewusst akzeptiert (Operator-Freigabe), unabhaengig
 widerrufbar, Token nur in Appdata-Secrets (`ha_influxdb_token` + HA
 `secrets.yaml`).
 **Betriebsstand 2026-06-13:** HA im `monitoring_net`, Writer aktiv (Daten in
 Measurements `°C`, `%`, `hPa`, `km/h`, `W/m²`, `mm`, `lx`, `°`), zweite
 Grafana-Datasource `ha-weather-influx` (DB `homeassistant`) und Dashboard
 provisioniert. Glance zeigt zusaetzlich eine Live-Wetterkachel direkt aus der
 HA-API (`GLANCE_HA_TOKEN`).
 **Review-Trigger:** InfluxDB-3-Enterprise mit Token-Scopes (dann HA-Token
 einschraenken), Wegfall des Monitoring-Stacks, oder Neubewertung der
 HA-Internet-Exposition (HA haengt jetzt auch im Observability-Netz).
 ## 2026-06-13 - SolarEdge lokal ueber Modbus TCP angebunden
 **Entscheidung:** SolarEdge wird in Home Assistant lokal ueber
 `solaredge_modbus_multi` angebunden, nicht ueber die SolarEdge-Cloud-API. Der
 Wechselrichter ist im LAN als `192.168.178.111` erreichbar, MAC-OUI
 `84:D6:C5` gehoert zu SolarEdge, Modbus TCP laeuft auf Port `1502`, Device-ID
 `1`. Die Integration liefert Inverter-, Smart-Meter- und Batterie-Entitaeten.
 **Kontext:** Der Operator kann im SolarEdge-Portal keinen API-Key erzeugen; das
 fruehere Setup lief bereits lokal. Der alte in der Doku genannte VONETS-Adapter
 `192.168.178.71` ist nicht erreichbar und bleibt kein verlaesslicher Zielpfad.
 Die native HA-Core-Integration `solaredge` waere Cloud-Polling mit Site-ID/API-
 Key; `solaredge_local` erwartet dagegen die lokale HTTP-SetApp-API unter
 `/web/v1/status`, die am Wechselrichter nicht offen ist. Der vorhandene
 HACS-/Custom-Component-Pfad `solaredge_modbus_multi` v3.2.5 passt zur realen
 Schnittstelle und wurde ohne neue Downloads wiederverwendet.
 **Betriebsstand 2026-06-13:** Config-Entry `SolarEdge Local` ist `loaded`,
 Polling alle 60 Sekunden, Meter- und Batterie-Erkennung aktiv, Extras und
 Power-Control-Schreibfunktionen deaktiviert. Relevante Energy-Dashboard-
 Kandidaten:
 `sensor.solaredge_local_i1_ac_energy`,
 `sensor.solaredge_local_i1_m1_ac_energy_imported`,
 `sensor.solaredge_local_i1_m1_ac_energy_exported`,
 `sensor.solaredge_local_i1_b1_energy_import`,
 `sensor.solaredge_local_i1_b1_energy_export`. Nach der Integration wurde ein
 HA-native Backup erzeugt:
 `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_14.59_48645373.tar`.
 Das HA Energy Dashboard wurde anschliessend mit Netz, PV und Speicher aus
 SolarEdge Local konfiguriert und per `energy/validate` ohne Issues geprueft.
 Kosten/Preise bleiben bis zur Tibber-Anbindung leer. Nach dieser UI-State-
 Aenderung wurde ein weiteres HA-native Backup erzeugt:
 `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_15.59_25670583.tar`.
 **Trade-off:** Die lokale Modbus-Integration passt zum Prinzip "lokal vor
 Cloud" und liefert deutlich bessere Betriebsdaten als die Cloud-API, ist aber
 eine HACS-/Custom-Integration und damit nicht durch HA-Core getestet. Bei
 Problemen zuerst Integration deaktivieren oder auf HA-Core-Cloud-Polling
 zurueckfallen, sobald Site-ID/API-Key verfuegbar sind.
 **Review-Trigger:** HA-Core-Upgrade mit Custom-Integration-Warnungen,
 Ausfaelle von `192.168.178.111:1502`, Wechselrichtertausch/IP-Aenderung,
 oder wenn Energie-Automationen schreibende Power-Control-Funktionen brauchen.
 ## 2026-06-13 - Ecowitt-Ingress: LAN-only Host-Bind 8123 umgesetzt
 **Entscheidung:** Home Assistant bekommt einen LAN-only Host-Bind
 `192.168.178.58:8123:8123` (nur LAN-IP, nicht `0.0.0.0`/WAN). Das Ecowitt-GW3000
 pusht per HTTP direkt an den HA-Webhook. Damit ist die offene
 Phase-2-Entscheidung (Eintrag 2026-06-12) zugunsten des LAN-Bind-Fallbacks
 entschieden; ein Umbau des globalen Traefik HTTP-zu-HTTPS-Redirects entfaellt,
 weil Ecowitt rein im LAN pusht und Traefik gar nicht braucht.
 **Kontext:** Der globale `web`->`websecure`-Redirect auf EntryPoint-Ebene laesst
 sich nicht sauber selektiv aushebeln. Der LAN-Bind ist analog zur dokumentierten
 InfluxDB-8181-Ausnahme, WAN-sicher (FRITZ!Box forwardet nur 443 auf Traefik) und
 ohne Traefik-Umbau. Der HA-Webhook ist nicht `local_only`; Schutz ist die
 128-bit-Zufalls-Webhook-ID. Restrisiko: der Pfad ist theoretisch auch ueber
 Traefik/443 erreichbar, praktisch aber unratbar.
 **Review-Trigger:** Wenn der Webhook haerter abgesichert werden soll
 (Traefik-IPAllowList auf `/api/webhook/` oder `local_only`), oder bei Ausbau
 auf Ecowitt-Langzeitspeicherung in InfluxDB.
 ## 2026-06-12 - Home Assistant als Container im GitOps-Stack
 **Entscheidung:** Home Assistant laeuft neu als `homeassistant` Container im
 Stack `smart-home/`, nicht als HAOS-VM und nicht als Supervised-Installation.
 Mosquitto laeuft als eigener Container im selben Stack; Zigbee2MQTT und ESPHome
 werden spaeter ebenfalls als eigenstaendige Container ergaenzt. HA haengt in
 `frontend_net` fuer Traefik und in `smarthome_net` fuer MQTT/Zigbee2MQTT/ESPHome.
 Das Fachrepo `smart-home-kalli` liefert versionierte HA-YAML-Dateien read-only;
 `.storage`, `secrets.yaml` und Integrations-State bleiben in
 `/mnt/user/appdata/homeassistant`.
 **Kontext:** Das fruehere HAOS-VM-Setup ging bei einem Crash ohne brauchbares
 Backup verloren. Das Homelab betreibt produktive Dienste inzwischen ueber
 Gitea, Komodo, Compose, Renovate und Borg. HA Container passt in dieses
 Betriebsmodell und vermeidet eine zweite Update-/Backup-Welt. Supervised ist
 kein Zielpfad mehr; HAOS bleibt die Alternative, falls Add-on-Komfort,
 Matter/Thread/HomeKit-Discovery oder Host-nahe HA-Funktionen wichtiger werden
 als GitOps-Konformitaet.
 **Betriebsstand 2026-06-13:** Owner-Onboarding ist abgeschlossen, die
 temporaere Authelia-Onboarding-Guard-Middleware ist entfernt, `smart-home`
 existiert als Komodo-Stack mit Gitea-Webhook, HA-native `backup.create` erzeugt
 ein lesbares Backup-Artefakt, und der Mosquitto-Broker besteht einen
 authentifizierten Publish/Subscribe-Smoke. Die Restore-Probe wurde am
 2026-06-13 erfolgreich abgeschlossen: HA-native Backup + Mosquitto-Appdata +
 Fachrepo-Clone wurden isoliert gestartet, HA HTTP/API/check_config waren gruen,
 MQTT Publish/Subscribe und retained Topic nach Broker-Restart waren gruen.
 Report: `/mnt/user/backups/restore-reports/homeassistant-2026-06-13.md`.
 Die HA-MQTT-Integration wurde anschliessend am 2026-06-13 ueber den
 Home-Assistant-Config-Flow verbunden; Config-Entry `smarthome-mosquitto` ist
 `loaded`, Mosquitto sieht den HA-Client mit User `homeassistant`, und
 `check_config` ist gruen. Damit ist die Foundation abgeschlossen. Naechster
 Produktivschritt ist Tibber, danach SolarEdge mit bewusster Entscheidung
 zwischen schneller Cloud-Integration und lokalem Modbus-TCP.
 **Review-Trigger:** Viele mDNS-/SSDP-abhaengige lokale Integrationen
 (HomeKit, Cast, Matter/Thread), Bedarf an HA-Add-ons als Betriebsstandard,
 oder wiederholte Probleme durch Bridge-Netzwerkbetrieb.
 ## 2026-06-12 - Ecowitt-Ingress bleibt bewusste Phase-2-Entscheidung
 **Entscheidung:** In Phase 1 wird kein Host-Port `8123` fuer Home Assistant
 veroeffentlicht. Ecowitt wird spaeter entweder ueber eine gezielte
 Traefik-HTTP-Ausnahme fuer den Webhook-Pfad angebunden oder, falls der globale
 HTTP-zu-HTTPS-EntryPoint-Redirect nicht sauber selektiv abloesbar ist, ueber
 einen dokumentierten LAN-only Host-Port `8123`.
 **Kontext:** Ecowitt kann nur HTTP und kein HTTPS. Traefik hat aktuell einen
 globalen `web` -> `websecure` Redirect auf EntryPoint-Ebene. Ein normaler
 HTTP-Router kann diese Regel voraussichtlich nicht umgehen, ohne Traefik selbst
 umzubauen. Deshalb wird die Entscheidung nicht vorgezogen.
 **Review-Trigger:** Start der Ecowitt-/InfluxDB-Phase oder Umbau der Traefik
 HTTP-Redirect-Architektur.
 ## 2026-06-11 — Host-DNS-Fallback aktiv (AdGuard-SPOF entschaerft)
 **Entscheidung:** Unraid-Host nutzt `eth0` DNS server 1 = `192.168.178.58` (AdGuard) und **DNS server 2 = `192.168.178.1`** (FRITZ!Box) als Failover.
 **Kontext:** AdGuard war einziger LAN-Resolver; ein Recreate hat 2026-06 einen Bulk-Deploy zerlegt, weil Docker-Pulls am eigenen DNS-Container scheiterten. Der Fallback bleibt nur passiv aktiv (Go-Resolver springt erst bei Socket-Fehler weiter), der Filter wirkt im Normalbetrieb unveraendert. `options rotate` ist nicht gesetzt. Umsetzung der Empfehlung 3a aus dem Optimierungs-Assessment vom 2026-06-10. Runbook: `docs/runbooks/komodo-bulk-deploy-dns.md`.
 **Review-Trigger:** Wenn AdGuard durch eine andere Filter-Loesung ersetzt wird oder ein zweiter Host-Resolver verfuegbar ist.
 ## 2026-06-11 — Hetzner Storage Box: automatische Snapshots aktiv
 **Entscheidung:** Automatische Snapshots auf der Hetzner Storage Box (BX11, `u565255.your-storagebox.de`) sind aktiv: taeglich um 05:30 UTC (nach dem Borg-Lauf 04:30 lokal), Retention 7 Tage, Snapshot-Verzeichnis sichtbar fuer Einzeldatei-Restore via `.zfs/snapshot/`.
 **Kontext:** Borg `append-only` ist bewusst nicht umgesetzt (siehe Eintrag 2026-06-01); damit war ein kompromittierter Host bisher in der Lage, auch das Off-site-Backup zu loeschen. Storage-Box-Snapshots sind host-seitig nicht loeschbar und im BX11-Tarif inklusive. Kosten: 0 EUR zusaetzlich. Umsetzung der Empfehlung 2 aus dem Optimierungs-Assessment vom 2026-06-10.
 **Review-Trigger:** Hetzner-Quota-Druck (aktuell 65 GB / 1 TB - viel Luft) oder Aenderung der Backup-Strategie.
 ## 2026-06-11 — Doku-Konsolidierung: ein Fakt, ein Zuhause
 **Entscheidung:** Die Dokumentation wird nach `docs/archive/2026/homelab-doku-optimierung-2026-06-11.md` konsolidiert: `MASTER_TODO.md` ist die einzige Statusliste, dieses Register die einzige Entscheidungssammlung, `docs/archive/` nimmt abgeschlossene Snapshots auf, Erledigtes verlaesst die Arbeitskopie. Keine Ordner-Restruktur des Bestands.
@@ -532,13 +532,8 @@ Smoke-Test: `hermes-gateway` healthcheck ist gruen, `hermes.kaleschke.info` leit
 ### Windows-Workstation `baerchen`
 `baerchen` ist die Operator-Workstation und haelt den lokalen Clone unter
-`G:\Gitea_Clone\homelab-infra`. Zusaetzlich liegt auf der externen Platte `H:`
+`G:\Gitea_Clone\homelab-infra`. Fuer einen schnellen Windows-Bare-Metal-Restore
-(`H:\kallilab-nearline-backups`) eine taegliche Nearline-Kopie der DB-Dumps,
+existiert ein Veeam-Agent-Image-Workflow.
 Gitea-Bundles und des DR-Kits als **lokale Fallback-Restore-Quelle**, falls
 Unraid/Hetzner nicht erreichbar sind. Restore-Weg und Pflicht-Frische-Pruefung:
 `ops/h-drive-nearline/README.md` Abschnitt "Restore aus H:/ (DR-Fall)". Fuer
 einen schnellen Windows-Bare-Metal-Restore existiert ein
 Veeam-Agent-Image-Workflow.
 Wichtige Pfade und Artefakte:
@@ -1,6 +1,6 @@
 # Master To-do - KalliLab CORE
-Typ: Status/To-do · Stand: 2026-06-23 · Status: aktiv
+Typ: Status/To-do · Stand: 2026-06-11 · Status: aktiv
 Diese Liste ist die **einzige** Arbeitsliste fuer offene operative Punkte im
 Homelab. Detailablaeufe stehen in den verlinkten Runbooks; Entscheidungen mit
@@ -23,22 +23,15 @@ Host-Reports (`/mnt/user/backups/restore-reports/`) und in der Git-Historie.
 | Family-Onboarding erster Termin | Operator | Checkliste ist fertig (`docs/FAMILY_ONBOARDING.md` Abschnitt "Erster Onboarding-Termin"). Personen/Geraete festlegen, Reihenfolge Vaultwarden -> Immich -> Mealie pro Person abarbeiten | `docs/FAMILY_ONBOARDING.md` |
 | Restore-Test Unraid OS Flash (Stick-Boot) | Operator | Artefakt-Validierung 2026-06-05 erledigt (`ops/maintenance/check-unraid-flash-backup.sh`). **Verbleibt:** physischer Ersatzstick-Boot-Test, wenn ein Wegwerf-Stick bereitliegt | `ops/restore-tests/unraid-flash-runbook.md` |
 | Restore-Test Tailscale | Operator | State-Validierung + Reconnect nur auf Wegwerf-Host/VM, danach Geraet in Tailscale-Admin entfernen | `ops/restore-tests/tailscale-runbook.md` |
-| Authelia OIDC fuer Apps | Operator/Codex | Live: Grafana + Mealie login-verifiziert; Paperless Secret verdrahtet und Service-Smoke am 2026-06-17 gruen, finaler Browser-Login mit Operator-Account offen. Immich + Nextcloud bewusst geparkt bis Family-Onboarding (siehe `docs/DECISIONS.md` 2026-06-06) | `docs/AUTHELIA_OIDC_PLAN.md` |
+| Authelia OIDC fuer Apps | Operator/Claude | Live: Grafana + Mealie (verifiziert), Paperless deployed (Login-Test offen). Immich + Nextcloud bewusst geparkt bis Family-Onboarding (siehe `docs/DECISIONS.md` 2026-06-06) | `docs/AUTHELIA_OIDC_PLAN.md` |
 | Home Assistant Tibber | Operator/Codex | Tibber per HA-UI-Config-Flow verbinden. Danach Energy-Dashboard um echte Kosten/Preisquelle ergaenzen; SolarEdge-PV, Netz und Speicher sind bereits konfiguriert und validiert | `docs/runbooks/smart-home-bootstrap.md`, `docs/DECISIONS.md` |
 | Nearline-Pull Dead-Man's-Switch | Operator | **S4U-Root-Cause 2026-06-21 behoben + verifiziert:** Task `KalliLab H Drive Nearline Pull` von S4U auf LogonType `Interactive` ("Nur wenn Benutzer angemeldet") umgestellt (kein Passwort noetig, da `michi` Dauer-Konsolen-User) -> per Planer mit `0x0` bestaetigt. Spiegel frisch, Exit-Code-Leak gefixt, Heartbeat-Pings gepusht. **Verbleibt (optional, niedrige Dringlichkeit):** je einen Healthchecks-Check anlegen + Capability-URL hinterlegen (baerchen ENV `HEALTHCHECKS_NEARLINE_URL`/Datei; Unraid `/mnt/user/appdata/secrets/healthchecks_borg_url`) | `ops/h-drive-nearline/README.md` |
 | Monitoring Single-File-Bind-Mount Hardening | Operator/Claude | alertmanager/blackbox/loki/promtail + alertmanager-ntfy-bridge lokal auf Directory-Mounts umgestellt (grafana-provisioning war bereits Directory-Mount); `docker compose config` gruen. **Verbleibt:** Push + Komodo-Redeploy des monitoring-Stacks mit `--force-recreate` (Mount-Pfade aendern sich), danach Reload-/Alert-Smoke | `monitoring/docker-compose.yml` |
 | Audit 2026-06-23 Remediation-Reste | Codex/Operator | **P1/P2-Kern erledigt** (Commits `23a6975..3e9c12e`). Verbleibt: #19 Snapshot-Restore-Test live validieren + in `schedule.md` (`run-restore-checks.sh hetzner-snapshot`); #12 `vaultwarden`+`Redis` per force-recreate aus Default-`bridge`; #14 Drift-Redeploy `gitea` 1.26.4 + `dawarich_redis` 8.8.0; #15 Immich-Stackpfad messen + Repo/Doku angleichen | `docs/AUTH_MATRIX.md`, `docs/DECISIONS.md` (2026-06-23), `ops/restore-tests/hetzner-snapshot-runbook.md` |
 ---
 ## Operator-Entscheidung
 **Stand 2026-06-11: keine offenen Operator-Entscheidungen.**
 Getroffene Entscheidungen mit Begruendung und Review-Trigger: `docs/DECISIONS.md`.
 | Thema | Entscheidung noetig | Quelle |
 |---|---|---|
 | `/mnt/user/projekte` Backup-Scope | Filebrowser serviert `projekte` (und ganze `documents`/`photos`), aber nur App-Unterordner sind im Borg-Scope. Entscheiden: `projekte` als read-only Borg-UI-Mount + Quelllisten-Eintrag aufnehmen, oder bewusst als "nur lokal, nicht DR-relevant" bestaetigen | `ops/borg-ui/BACKUP_SCOPE.md` Abschnitt "User-Daten-Shares ausserhalb des App-Scope" |
 ---
 ## Geparkt
@@ -54,14 +47,13 @@ Bewusst nicht jetzt - Begruendungen in `docs/DECISIONS.md`, hier nur Thema und T
 | CrowdSec vor Traefik | breitere Attack Surface als nur `443/tcp` | `docs/DECISIONS.md` |
 | Nextcloud 2FA (Operator-TOTP) | OIDC-/SSO-Block erreicht die App-Login-Ebene | `docs/DECISIONS.md` |
 | Hermes-Agent | Review-Deadline 2026-07-25; NAS-Stack bleibt deaktiviert | `docs/SERVICE_CATALOG.md` |
 | Tailnet-Konsole aufraeumen (Rest) | trivial, bei Gelegenheit: tote Node-Eintraege (`kallilab-core`, alter `baerchen`) in der Tailscale-Admin-Konsole entfernen; optional State-Pfad `/mnt/user/appdata/tailscale` nach `_archive/` | `docs/NETWORK_INVENTORY.md` |
 | Dedizierter SMB-User `veeam-baerchen` | nur wenn Unraid-User-/Share-Rechte bewusst angefasst werden | `ops/windows-reinstall/docs/windows-image-backup-baseline.md` |
 | Filebrowser-Mount-Scope | naechster Hardening-Sprint | `docs/SERVICE_CATALOG.md` |
 | Scrutiny Privileged-Ausnahme | nur mit klarer Begruendung aendern | `docs/SERVICE_CATALOG.md` |
 | Immich Redis named volume | passende Wartung am Immich-Stack | `docs/SERVICE_CATALOG.md` |
 | Komodo keys named volume | gemeinsames Wartungsfenster mit Operator | Live-Volume `komodo_komodo_keys` nach `/mnt/user/appdata/komodo/keys` migrieren, Compose anpassen, Periphery-Reconnect pruefen, dann in Borg-Scope aufnehmen |
 | Storage-Wachstum (zweite NVMe, zweite Array-Disk, ZFS/BTRFS) | Trigger aus Capacity-Doku | `docs/STORAGE_LAYOUT.md`, `docs/CAPACITY_AND_LIFECYCLE.md` |
 | Wiederkehrende Restore-Drills | laufend nach Kadenz, inkl. quartalsweisem Frische-Negativtest (`run-restore-checks.sh freshness-negative`) | `docs/RESTORE_MATRIX.md`, `ops/restore-tests/schedule.md` |
 | Doku-Quartals-Gaertnern (~15 min) | quartalsweise, erster Lauf mit Q3-Review ab 2026-07-01: Datiertes archivieren, Done-/Review-Logs kuerzen, tote Links pruefen | `docs/REPO_MAP.md` Doku-Regeln |
 ---
@@ -75,11 +67,9 @@ Bewusst nicht jetzt - Begruendungen in `docs/DECISIONS.md`, hier nur Thema und T
 ## Zuletzt erledigt (Kurzlog, max. 5 Eintraege)
- **2026-06-23** Audit-Remediation abgeschlossen: Vault `/admin` + Komodo public zu (403, IP-Allowlist), Off-site-Snapshots bewiesen + monatlicher Test, Live-Drift bereinigt, `backend_net` auf `internal:true` gesetzt (Egress live BLOCKED, 12/12 Member ok). Doku: `AUTH_MATRIX.md`, DECISIONS, Snapshot-Runbook. Commits `23a6975..` ff.
+- **2026-06-11** Doku-Konsolidierung umgesetzt: `docs/archive/`, `docs/DECISIONS.md`, Statuslisten auf diese Datei reduziert, Restore-Doku zusammengefuehrt. Details: `docs/DECISIONS.md` Eintrag 2026-06-11.
- **2026-06-17** Offene TODOs gegen Live-Stand abgeglichen: Paperless-OIDC-Secret verdrahtet und Service-Smoke gruen; alter Tailscale-Docker-State nach `_archive/tailscale-removed-2026-06-06/` verschoben; Tailnet-Restpunkt geschlossen.
+- **2026-06-06** Wochenend-Sprint abgeschlossen: Veeam-Recovery-Test, DR-Workstation-Kit final (DR-Smoke OK), Tailscale-ACL restriktiv + redundanter Docker-Stack entfernt, Gast-/IoT-Netz validiert, AdGuard-/Redis-Restore-Smokes, Authelia-2FA-Catch-all, Frische-Negativtest. Belege: Host-Reports, `docs/DECISIONS.md`.
- **2026-06-17** Komodo/Gitea-Webhooks normalisiert: aktive Komodo-Hooks fuer `Micha/homelab-infra` nutzen Branch-Filter `master`; DB-Backup vor Host-Hotfix erstellt. Workflow-Regel nachgezogen.
+- **2026-06-03** Restore-Backlog geschlossen: Nextcloud, Shared-PG18-Cluster, Komodo-Mongo, Mailarchiver, Mealie, Traefik. Reports unter `/mnt/user/backups/restore-reports/`.
 - **2026-06-19** Backup-Hardening live verifiziert: Borg-Scope-Drift 0 (alle 33 Quellen konfiguriert), Dumps frisch (11/11 present), neue Dump-Alerts aktiv (25 Regeln, 0 feuern). Prometheus-`alerts.yml`-Stale-Handle (FUSE-Einzeldatei-Mount) per `--force-recreate` behoben und anschliessend dauerhaft auf Directory-Mount umgestellt (recreated, 25 Regeln aktiv).
 - **2026-06-18** Backup-Audit-Hardening: Dump-Frische-Metriken + Alerts `HomelabBorgDumpMissing/Stale`, Freshness-Checks + Nearline-Pull um `n8n`/`globals` ergaenzt, 4 Tier-2-Container in Critical-Watch, Scope-Doku fuer `projekte`/Hermes praezisiert. H:-Nearline (still seit 2026-06-04) nachgeholt + Task neu registriert.
 ---
@@ -1,7 +1,7 @@
 # Network Inventory - KalliLab CORE
-Status: Host-Audit erfasst; Router-Baseline und Portfreigaben-UI bereinigt; FRITZ!Box-Remote-Dienste aus; IPv6-Exposure technisch und per UI entschaerft; Tailscale-Inventar am 2026-06-17 real gemessen.
+Status: Host-Audit erfasst; Router-Baseline und Portfreigaben-UI bereinigt; FRITZ!Box-Remote-Dienste aus; IPv6-Exposure technisch und per UI entschaerft; Tailscale-Inventar am 2026-06-05 real gemessen.
-Letzte Pruefung: 2026-06-17 (Tailscale-Inventar), 2026-06-01 (Router/Ports)
+Letzte Pruefung: 2026-06-05 (Tailscale-Inventar), 2026-06-01 (Router/Ports)
 ## Zweck
@@ -38,7 +38,7 @@ Dieses Dokument beschreibt Router, DNS, Tailscale, Portfreigaben und Netztrennun
 | Komponente | Rolle | Adresse | Bemerkung |
 |---|---|---|---|
 | AdGuard Home | LAN DNS / Filter | Host `192.168.178.58`, Docker `172.23.0.3` | DNS auf Port 53; Admin soll nur via Tailscale-IP `100.80.98.33:8082` erreichbar sein |
-| Unbound | DNSSEC-validierender Forwarding-Resolver | Docker `dns_net` | Upstream fuer AdGuard; forwardet per DoT zu Cloudflare, keine Root-Rekursion |
+| Unbound | Rekursiver Resolver | Docker `dns_net` | Upstream fuer AdGuard |
 | Cloudflare | Authoritative DNS | extern | DNS-Challenge fuer TLS |
 | Router | DHCP DNS-Verteilung | TBD | Muss auf AdGuard zeigen, falls so betrieben |
@@ -57,16 +57,18 @@ Gemessen am 2026-06-05 per read-only SSH auf den Host (`tailscale status`,
 | Subnet Router | **Ja, aktiv.** Host advertised und ist Primary fuer `192.168.178.0/24` (`Self.PrimaryRoutes: ["192.168.178.0/24"]`, ebenfalls in `AllowedIPs`). Das LAN ist also fuer das gesamte Tailnet ueber diesen Subnet-Router erreichbar — bewusst gemessener Ist-Zustand, **kein** "keine Route" wie zuvor vermutet. |
 | ACL-Policy extern dokumentiert | **Angewendet 2026-06-06** — restriktive Tag-basierte `grants`-Policy live (`tag:server`/`tag:operator`, `tag:family` schlafend). Default-Allow entfernt, verifiziert. Details im Block unten. |
-### Tailnet-Geraete (Snapshot 2026-06-17)
+### Tailnet-Geraete (Snapshot 2026-06-05)
 | Tailscale-IP | Node | OS | Status |
 |---|---|---|---|
 | `100.80.98.33` | kallilabcore | linux | aktiv (Host, Subnet-Router) |
 | `100.78.133.37` | baerchen-1 | windows | aktiv (aktuelle Operator-Workstation, direct) |
-| `100.73.83.55` | iphone-14 | iOS | bekannt, aktuell offline |
+| `100.105.203.21` | baerchen | windows | offline, zuletzt vor ~1 Tag gesehen (Alt-Node) |
 | `100.73.83.55` | iphone-14 | iOS | bekannt |
 | `100.112.0.90` | kallilab-core | linux | **am 2026-06-06 entfernt.** War der redundante userspace-only `Tailscale-Docker`-Stack (`host-services/tailscale/`). Komodo-Stack gestoppt+destroyed, Repo-Pfad per `git rm` entfernt, Container weg (read-only verifiziert). Node-Eintrag in der Admin-Konsole noch zu entfernen. |
-> **Historischer Befund 2026-06-06 (read-only auf dem Host ermittelt):** Der Host
+> **Befund 2026-06-06 (read-only auf dem Host ermittelt):** Der Host hat **zwei**
-> hatte damals **zwei** `tailscaled`-Prozesse:
+> `tailscaled`-Prozesse:
 >
 > 1. **Native Unraid-Plugin** = `kallilabcore` (100.80.98.33). Prozess
 >    `/usr/local/sbin/tailscaled -statedir /boot/config/plugins/tailscale/state
@@ -87,10 +89,9 @@ Gemessen am 2026-06-05 per read-only SSH auf den Host (`tailscale status`,
 > (Operator), `git rm host-services/tailscale/`, Glance-Widget entfernt, und
 > Architektur-/Service-Catalog-/DR-/CLAUDE-Doku auf "natives Plugin" nachgezogen.
 > Read-only verifiziert: Container weg, nur noch der native `tailscaled` mit
-> `tailscale1`, Subnet-Route + Operator-Zugriff intakt. Nachpruefung 2026-06-17:
+> `tailscale1`, Subnet-Route + Operator-Zugriff intakt. Offen: Node-Eintraege
-> `tailscale status --self=false` zeigt nur noch `baerchen-1` und `iphone-14`;
+> `kallilab-core` und alter `baerchen` in der Admin-Konsole entfernen; State-Pfad
-> der alte State-Pfad `/mnt/user/appdata/tailscale` ist weg und liegt archiviert
+> `/mnt/user/appdata/tailscale` bei Gelegenheit nach `_archive/` (kein Sofort-Loeschen).
 > unter `/mnt/user/appdata/_archive/tailscale-removed-2026-06-06/`.
 >
 > **Doku-Korrektur erledigt:** `docs/RESTORE_MATRIX.md` zeigt jetzt auf den
 > funktionalen State `/boot/config/plugins/tailscale/state` (im Flash-Backup)
@@ -154,8 +155,8 @@ erhalten.
 ```
 **Geraete-Tags (live):** `kallilabcore` = `tag:server`; `baerchen-1` + `iphone-14`
-= `tag:operator`. Alte Nodes `kallilab-core` und `baerchen` sind nicht mehr im
+= `tag:operator`; `kallilab-core` (Docker) + alter `baerchen` bewusst untagged ->
-aktuellen Tailnet-Status sichtbar.
+isoliert.
 **Rollout-Protokoll 2026-06-06 (lockout-sicher, je Schritt read-only verifiziert):**
@@ -192,10 +193,10 @@ ist die vollstaendige Wahrheit.
 - Familien-Dienste/Ports konkretisieren — erst wenn ein reales Familiengeraet dazukommt.
 - **Zwei-Tailscale-Konsolidierung: ERLEDIGT 2026-06-06** — redundanter Docker-Stack
  abgebaut, nur noch die native Plugin-Instanz `kallilabcore` (Subnet-Router) aktiv.
- **Tailnet-Konsole/Altstate aufraeumen: ERLEDIGT 2026-06-17** — Node-Eintraege
+- **Tailnet-Konsole aufraeumen: ERLEDIGT 2026-06-06** — Node-Eintraege `kallilab-core`
-  `kallilab-core` und alter Offline-`baerchen` sind im aktuellen Tailnet-Status
+  und alter Offline-`baerchen` aus der Admin-Konsole entfernt.
-  nicht mehr sichtbar; State-Pfad `/mnt/user/appdata/tailscale` vom entfernten
+- State-Pfad `/mnt/user/appdata/tailscale` (vom entfernten Docker-Stack) bei
-  Docker-Stack liegt unter `_archive/tailscale-removed-2026-06-06/`.
+  Gelegenheit nach `_archive/tailscale-removed-2026-06-06/` (kein Sofort-Loeschen).
 - Optionaler Off-LAN-Routentest: von einem Operator-Geraet im Mobilfunk
  (nicht im Heim-LAN) ein LAN-Ziel ueber `192.168.178.0/24` erreichen, um die
  Subnet-Route end-to-end zu bestaetigen (im Heim-LAN nicht sauber isolierbar).
@@ -287,8 +288,6 @@ docker network inspect frontend_net | jq '.[0].Containers | keys'
 docker network inspect backend_net | jq '.[0].Internal'
 ```
 > Stand 2026-06-23: `backend_net` live als `internal: true` bestaetigt (Egress-Test aus `postgresql17` nach `1.1.1.1:443` = BLOCKED, 12/12 Member attached); zuvor Drift `internal:false`, per Audit-Remediation behoben.
 ## SSH-Konfiguration Host
 Geprueft 2026-06-06 (read-only), **gehaertet 2026-06-07** via `ssh root@192.168.178.58`.
@@ -14,7 +14,6 @@ geloescht (Git-Historie ist das Archiv). Verbindliche Doku-Regeln:
 | Datei | Zweck |
 |---|---|
 | `../README.md` | kurzer Repo-Einstieg |
 | `../AGENTS.md` | Einstiegspunkt fuer KI-Agenten (Codex u. a.) |
 | `../HOMELAB_ARCHITECTURE_MASTER_V2.md` | Architektur-Quelle fuer Netz, Zugriff und Ausnahmen |
 | `WORKFLOW.md` | verbindlicher GitOps-/No-Drift-Ablauf |
 | `REPO_MAP.md` | technische Landkarte des Repositories + Doku-Regeln |
@@ -40,7 +39,6 @@ geloescht (Git-Historie ist das Archiv). Verbindliche Doku-Regeln:
 |---|---|
 | `STORAGE_LAYOUT.md` | verbindliche Storage-/Share-/Pfad-Regeln |
 | `SECRETS_MAP.md` | Secret-Namen, Speicherorte und Einbindungsarten ohne Werte |
 | `AUTH_MATRIX.md` | konsolidierte Auth-Matrix: effektive Policy je Domain (bypass/2FA/native/Tailscale/IP-Allowlist) |
 | `AUTHELIA_OIDC_PLAN.md` | Plan & Runbook fuer app-uebergreifendes SSO via Authelia OIDC |
 | `HARDWARE_INVENTORY.md` | Host-, Disk-, SMART- und Power-Baseline |
 | `NETWORK_INVENTORY.md` | Router, DNS, Tailscale, Portfreigaben und Netzthemen |
@@ -119,10 +119,6 @@ Grafana 13 wurde anschliessend manuell aus #7 `renovate/major-major-updates` ueb
 Komodo-Mongo laeuft bereits auf der erlaubten MongoDB-8.0-Schiene; ein offener Mongo-8-Renovate-PR ist aktuell nicht vorhanden.
 **2026-06-21 (Routine-Merge-Runde):** Sechs offene Renovate-PRs nach Sichtpruefung in einem Bulk-Deploy ueber den Komodo-Webhook gemergt: die Sammelgruppe `minor-and-patch-updates` (u. a. gitea 1.26.3, home-assistant 2026.6.4, alertmanager v0.33.0, influxdb 3.10.0-core, code-server 4.125.0, filebrowser, speedtest, super-productivity plus Digest-Refreshes fuer borg-ui/glances/scrutiny/mailarchiver/python), die reinen Digest-Refreshes fuer `unbound`, `traefik:v3.7` und `postgres:18.4` (gleiche Versionen) sowie n8n 2.26.2 -> 2.27.3 und der `nextcloud:33.0.5-apache` Digest-Refresh. Anschliessend nach Operator-Freigabe nachgezogen: Gitea 1.26.3 -> 1.26.4, cAdvisor v0.57.0 -> v0.60.1 und Nextcloud 33.0.5 -> 34.0.0.
 **2026-06-22 (Dawarich-Redis nachgezogen):** `dawarich_redis` war nach den 2026-05-31-Migrationen die letzte verbliebene Redis-7-Instanz; der seinerzeit geschlossene PR #10 hielt sie als "Ignored or Blocked" im Dependency Dashboard (Issue #6). Bewusste Entscheidung, die Instanz auf die 8.x-Schiene nachzuziehen: `apps/dawarich/docker-compose.yml` von `redis:7-alpine` auf den bereits produktiven `redis:8.8.0-alpine`-Digest gehoben und in `renovate.json` zur `allowedVersions`-Redis-8.x-Liste hinzugefuegt. Damit ist die Dashboard-Blockade aufgeloest und alle Redis-Instanzen laufen auf 8.x. Datenpfad `/mnt/user/appdata/dawarich/redis` unveraendert; Redis 8 laedt die bestehenden RDB-Snapshots.
 ## Erwartete erste PRs (historisch)
 Beim Erstlauf wird Renovate vermutlich PRs fuer einige der digest-gepinnten Images oeffnen, weil diese Digests seit Wochen nicht erneuert wurden. Reihenfolge der Sichtpruefung:
@@ -29,7 +29,7 @@ Sie ist die fachliche Ergaenzung zu `docs/DISASTER_RECOVERY.md`.
 | Unraid OS Flash | Borg-Artefakt + optional Unraid Connect | `/boot/config` aus `unraid-flash-config.tar.gz` | `unraid-flash-config.tar.gz`, `.sha256`, Manifest | enthaelt sensible Host-Konfiguration, wie Secret-Material behandeln | Unraid USB Flash Creator / neuer Boot-Stick | Unraid bootet, Array-Zuordnung und Shares sind sichtbar |
 | Traefik | Share / Borg | `/mnt/user/appdata/traefik`, besonders `dynamic/`, `letsencrypt`, `secrets` | keine eigene DB | `cloudflare_dns_api_token` | `frontend_net`, `backend_net` | `https://traefik.kaleschke.info` erreichbar, Dashboard ueber Authelia |
 | AdGuard Home | Share / Borg | `/mnt/user/appdata/adguard/conf` | keine | keine zusaetzlichen Repo-Secrets dokumentiert | `dns_net`, `frontend_net` | DNS-Aufloesung funktioniert; Restore-Smoke am 2026-06-06 erfolgreich |
-| Tailscale | Flash-Backup (funktional) | **Funktional: `/boot/config/plugins/tailscale/state`** (native Unraid-Plugin-Instanz `kallilabcore`, Subnet-Router, im Flash-Backup gesichert). Der frueher genannte Pfad `/mnt/user/appdata/tailscale` gehoerte zum entfernten userspace-only Docker-Stack `kallilab-core` und ist seit 2026-06-17 nach `/mnt/user/appdata/_archive/tailscale-removed-2026-06-06/` verschoben; nicht mehr als aktive Restore-Quelle behandeln | keine | Tailscale-State im Flash-Backup; Archivpfad nur fuer Altanalyse | Host-Netz | Tailscale verbunden, Subnet-Route `192.168.178.0/24` aktiv |
+| Tailscale | Flash-Backup (funktional) / Share | **Funktional: `/boot/config/plugins/tailscale/state`** (native Unraid-Plugin-Instanz `kallilabcore`, Subnet-Router, im Flash-Backup gesichert). Der frueher hier genannte Pfad `/mnt/user/appdata/tailscale` gehoert zum **userspace-only Docker-Stack** `kallilab-core` (redundant, Abbau geplant — siehe `docs/NETWORK_INVENTORY.md`) | keine | Tailscale-State im jeweiligen State-Pfad | Host-Netz | Tailscale verbunden, Subnet-Route `192.168.178.0/24` aktiv |
 | PostgreSQL 18 | Share + Dumps | `/mnt/user/appdata/postgresql18` (archivierter Rollback-Altstand: `/mnt/user/appdata/_archive/pg18-immich-rollback-volumes-20260602/postgresql17`) | `postgresql17-globals.sql`, `postgresql17-mailarchiver.dump`, `postgresql17-paperless.dump`, optional `postgresql17-authelia.dump` | `postgres_password.txt`, App-Rollen-Passwoerter aus den jeweiligen Stack-ENV/Secret-Dateien | `backend_net` | DB startet, Ziel-Datenbanken vorhanden; `SHOW data_checksums` ist `on` |
 | Redis 8 | Share / Host | `/mnt/user/appdata/redis`; Rollback-Backup unter `/mnt/user/backups/borg/dumps/latest/shared-redis-pre-redis8-<ts>` | RDB/AOF-Dateien im Datenpfad | `redis_password.txt` | `backend_net` | Redis startet, `redis_version` ist 8.x, Apps verbinden sich; Restore-Smoke am 2026-06-06 erfolgreich |
 | Authelia | Borg | `/mnt/user/appdata/authelia/config`, `/mnt/user/appdata/secrets/*authelia*` | Shared PostgreSQL 18, optional Dump `postgresql17-authelia.dump` | JWT/Session/Storage/Postgres-/SMTP-Secret-Dateien | PostgreSQL 18, Traefik, GMX SMTP | Login-Seite und ForwardAuth funktionieren; SMTP-Notifier startet; aktive Sessions werden nach Restart neu aufgebaut; Restore-Smoke am 2026-06-03 erfolgreich: Config aus Borg, minimale Test-Config, frisches Test-Postgres, HTTP `/api/health` 200, Report `/mnt/user/backups/restore-reports/authelia-2026-06-03.md` |
@@ -52,7 +52,7 @@ Sie ist die fachliche Ergaenzung zu `docs/DISASTER_RECOVERY.md`.
 | Dienst | Fuehrende Quelle | Datei-Restore | Dump / DB | Secrets / ENV | Abhaengigkeiten | Smoke-Test |
 |---|---|---|---|---|---|---|
-| Paperless-ngx | Borg + Dumps | `/mnt/user/appdata/paperless-ngx/data`, `/mnt/user/documents/paperless`, `/mnt/user/documents/paperless/export`, `/mnt/user/documents/scans_inbox` | `postgresql17-paperless.dump` | `PAPERLESS_DBPASS`, `PAPERLESS_REDIS`, `PAPERLESS_OIDC_SECRET`, `borg_repo_passphrase.txt` fuer Restore-Tests | PostgreSQL 18, Redis, Traefik, Authelia OIDC | Web-UI startet, Dokumente vorhanden; Restore-Test am 2026-05-31 erfolgreich: Borg-Archiv `Tägliche-Sicherung-2026-05-31T04:30:13.181`, isolierter PostgreSQL-18-/Redis-8-Testpfad, HTTP `200`, `32` Dokumente im Test-DB-Check, Report `/mnt/user/backups/restore-reports/paperless-2026-05-31.md`; OIDC-Secret am 2026-06-17 verdrahtet, lokaler Login bleibt Fallback |
+| Paperless-ngx | Borg + Dumps | `/mnt/user/appdata/paperless-ngx/data`, `/mnt/user/documents/paperless`, `/mnt/user/documents/paperless/export`, `/mnt/user/documents/scans_inbox` | `postgresql17-paperless.dump` | `PAPERLESS_DBPASS`, `PAPERLESS_REDIS`, `borg_repo_passphrase.txt` fuer Restore-Tests | PostgreSQL 18, Redis, Traefik | Web-UI startet, Dokumente vorhanden; Restore-Test am 2026-05-31 erfolgreich: Borg-Archiv `Tägliche-Sicherung-2026-05-31T04:30:13.181`, isolierter PostgreSQL-18-/Redis-8-Testpfad, HTTP `200`, `32` Dokumente im Test-DB-Check, Report `/mnt/user/backups/restore-reports/paperless-2026-05-31.md` |
 | Mealie | Borg + Dump | `/mnt/user/appdata/mealie/data`, `/mnt/user/appdata/mealie/postgres18` (archivierter Rollback-Altstand: `/mnt/user/appdata/_archive/pg18-immich-rollback-volumes-20260602/mealie-postgres17`) | `mealie.dump` | `mealie_postgres_password.txt` | `mealie-postgres`, Traefik | UI startet, Rezepte vorhanden |
 | Immich | Borg + Dump | `/mnt/user/photos/immich`, `/mnt/user/photos/family_archive`, `/mnt/user/appdata/immich_postgres_vectorchord`; archivierter Rollback-Altstand: `/mnt/user/appdata/_archive/pg18-immich-rollback-volumes-20260602/immich-postgres-pgvecto-rs` | `immich.dump`; nach VectorChord braucht ein Restore ein Postgres-Image mit VectorChord | `IMMICH_DB_PASSWORD`, `immich_postgres_password.txt`, `borg_repo_passphrase.txt` fuer Restore-Tests | `immich_postgres`, `immich_redis`, Traefik | DB- und UI-Smoke gegen produktives Borg-Archiv am 2026-05-27 erfolgreich validiert; VectorChord-Migration am 2026-05-31: `11977` Assets, `11107` Smart-Search-Zeilen, `7092` Face-Search-Zeilen, `vchord 0.4.3`, `vector 0.8.1`, HTTP/API-Smoke 200. Voll-Restore der Foto-Dateien bleibt separater DR-Drill |
 | Mail-Archiver | Borg + Shared Dump | `/mnt/user/appdata/mailarchiver/data-protection-keys` | `postgresql17-mailarchiver.dump` | `MAILARCHIVER_DB_CONNECTION`, `MAILARCHIVER_AUTH_PASSWORD` | PostgreSQL 18, Traefik, Authelia | Authelia-Weiterleitung greift; nach Login startet die Web-UI und das Archiv laesst sich oeffnen |
@@ -60,10 +60,6 @@ Sie ist die fachliche Ergaenzung zu `docs/DISASTER_RECOVERY.md`.
 | Glance | Git / Borg-Repo | Repo-Konfiguration unter `ops/glance/config/glance.yml`; keine kritische Datenpersistenz | keine | `GLANCE_IMMICH_API_KEY`, `GLANCE_ADGUARD_USERNAME`, `GLANCE_ADGUARD_PASSWORD`, `GLANCE_SPEEDTEST_API_KEY` | Traefik, Authelia, optional interne API-Ziele | Dashboard startet, Widgets laden, Docker-Status laeuft nur ueber `glance-docker-socket-proxy` |
 | ntfy | Borg / Share | `/mnt/user/appdata/ntfy` | keine | keine besonderen Secret-Dateien dokumentiert | Traefik | UI und Push-Endpunkt erreichbar |
 | Paperless-GPT | Borg / Share | `/mnt/user/appdata/paperless-gpt` | keine eigene DB | `PAPERLESS_API_TOKEN`, `OPENAI_API_KEY` | Traefik, Paperless, OpenAI API | UI startet, Konfiguration vorhanden; LLM-Provider zeigt `openai` / `gpt-5.4-mini` |
 | n8n | Borg + Dump | `/mnt/user/appdata/n8n/data` | `n8n.sqlite.dump`; Credentials sind nur mit dem passenden `N8N_ENCRYPTION_KEY` entschluesselbar | `N8N_ENCRYPTION_KEY`, GMX/OpenAI/Gitea-Credentials in n8n | Traefik, GMX IMAP, OpenAI API, Gitea API | UI startet, Owner-Login funktioniert, kritischer Mail->LLM->Gitea-Workflow ist vorhanden und deaktiviert/aktiv wie vor Restore |
 | Home Assistant | Borg + HA-native Backups + Fachrepo | `/mnt/user/appdata/homeassistant` inkl. `.storage`, `secrets.yaml`, `trusted_proxies.yaml`, `custom_components` (HACS, `solaredge_modbus_multi`); Fach-YAML aus `/mnt/user/services/smart-home-kalli/home-assistant` | HA-native Backup-Artefakte unter `/mnt/user/appdata/homeassistant/backups`; erstes Artefakt 2026-06-13 erzeugt und tar-lesbar (`backup.json`, `homeassistant.tar.gz`); Backup nach SolarEdge-Integration: `Custom_backup_2026.6.1_2026-06-13_14.59_48645373.tar`; Backup nach Energy-Dashboard-Konfiguration: `Custom_backup_2026.6.1_2026-06-13_15.59_25670583.tar`; keine externe DB in Phase 1 | HA-Secrets in `secrets.yaml`, Integrations-Tokens in `.storage`, MQTT-Credentials, Agent-API-Tokens als Host-Secrets `ha_token_codex`/`ha_token_claude` (nur mit erhaltenem `.storage`-Auth-State nutzbar), spaeter Tibber/InfluxDB-Tokens | Traefik, `frontend_net`, `smarthome_net`, Mosquitto, Fachrepo-Clone, SolarEdge-Wechselrichter `192.168.178.111:1502` | Restore-Test am 2026-06-13 erfolgreich: HA-native Backup + Mosquitto-Appdata + Fachrepo-Clone isoliert gestartet, HA HTTP/API/check_config gruen; produktiv danach HA-MQTT-Config-Entry `smarthome-mosquitto` geladen, SolarEdge Local `solaredge_modbus_multi` loaded mit 68 Entitaeten und Energy Dashboard fuer Netz/PV/Speicher per `energy/validate` ohne Issues; Report `/mnt/user/backups/restore-reports/homeassistant-2026-06-13.md` |
 | Smart-Home MQTT / Mosquitto | Borg / Share | `/mnt/user/appdata/mosquitto/config`, `/mnt/user/appdata/mosquitto/data`, `/mnt/user/appdata/mosquitto/log` | Mosquitto persistiert retained messages/subscriptions dateibasiert | `passwordfile`, `aclfile`, spaeter per-Device-User | `smarthome_net`, Home Assistant, spaeter ESPHome/Zigbee2MQTT | Restore-Test am 2026-06-13 erfolgreich: authentifizierter Publish/Subscribe-Smoke mit `homeassistant`-User und retained Topic nach Broker-Restart gruen; produktiv verbindet sich HA als User `homeassistant` |
 | Smart-Home Fachrepo | Gitea + Borg-Repo-Clone | `/mnt/user/services/smart-home-kalli` | keine | keine echten Secrets im Repo; `secrets-template/` nur Beispiele | Gitea, Home Assistant Mounts | `git status` sauber, HA liest `configuration.yaml` und `packages/` aus dem Clone |
 ---
@@ -81,8 +77,6 @@ Sie ist die fachliche Ergaenzung zu `docs/DISASTER_RECOVERY.md`.
 | InfluxDB 3 Core | historischer Altstand / Datenuebernahme | `/mnt/user/appdata/influxdb3/data`, `/mnt/user/appdata/influxdb3/plugins` | dateibasierter Object Store | `influxdb3_admin_token.json` | `monitoring-influxdb3-core` | Datenpfad wird vom Monitoring-Zielstack weitergenutzt und darf nicht blind geloescht werden |
 | Loki / Alloy | historischer Altstand | `/mnt/user/appdata/loki/config`, `/mnt/user/appdata/loki/data`, `/mnt/user/appdata/alloy/config` | keine primaere DB; Loki-Dateispeicher war transient | keine zusaetzlichen Secrets | nicht aktiv | Compose-Pfad aus aktivem Repo entfernt; aktuelle Logsammlung laeuft ueber `monitoring-loki`/`monitoring-promtail` |
 | Monitoring Stack | Rebuild + named volumes + InfluxDB-Appdata | `prometheus_data`, `loki_data`, `promtail_positions`, `grafana_data`; InfluxDB unter `/mnt/user/appdata/influxdb3/data` und `/mnt/user/appdata/influxdb3/plugins`; Provisioning aus `monitoring/grafana/provisioning` | Prometheus-TSDB, Loki-Dateispeicher und InfluxDB-Dateistore; Diagnose-/Langzeitdaten, keine Tier-1-Restore-Quelle | `monitoring_grafana_admin_password.txt`, `monitoring_grafana_influxdb_token.txt`, `influxdb3_admin_token.json` | `monitoring_net`, `monitoring_influx_lan`, `frontend_net`, Traefik, Authelia, Docker socket read-only fuer Promtail, Host-Mounts fuer node-exporter/cAdvisor | `https://monitoring.kaleschke.info` leitet zu Authelia; Prometheus Targets sind up; Grafana-Datasources `Prometheus`, `Loki` und `InfluxDB 3 Core` funktionieren |
 | Zigbee2MQTT (geplant) | Borg + Fachrepo | `/mnt/user/appdata/zigbee2mqtt` inkl. `configuration.yaml`, `database.db`, `coordinator_backup.json`, `state.json`; Fach-Doku im Repo `smart-home-kalli` | keine externe DB | `network_key`, MQTT-Credentials, LAN-Koordinator-IP/Firmwarestand | Mosquitto, LAN-PoE-Koordinator, `smarthome_net` | Z2M startet, Coordinator verbindet sich, geraete bleiben gepairt, Testgeraet sendet MQTT-State |
 | ESPHome (geplant) | Fachrepo + Borg fuer Build-/Runtime-State | `/mnt/user/appdata/esphome` falls Dashboard/Build-Cache genutzt wird; YAML unter `/mnt/user/services/smart-home-kalli/esphome` | keine | ESPHome-Secrets ausserhalb Git, API-/OTA-Keys | WLAN/LAN, Mosquitto falls MQTT genutzt wird | Dashboard startet, ein Testgeraet kompiliert/validiert, OTA/API-Verbindung funktioniert |
 | Hermes Agent | VM-seitig offen | `/mnt/user/appdata/hermes-agent/data`, `/mnt/user/appdata/hermes-agent/ssh` | keine eigene DB | Host-`.env` fuer Provider-/API-/Home-Assistant-Tokens, `hermes_runner_id_ed25519`, `HERMES_DASHBOARD_HOST` | separate Hermes-VM/Runner, Traefik, Authelia, `hermes_net` | NAS-Stack nicht starten, solange Runner-VM und echte `.env` fehlen |
 | ddns-updater | Rebuildbar | geringe Persistenzrelevanz | keine | Provider-Zugang ueber Stack ENV | Internetzugang | Update-Job laeuft |
@@ -105,7 +99,6 @@ Aktuell relevante Dump-Artefakte unter `/mnt/user/backups/borg/dumps/latest`:
 - `filebrowser.bolt.dump`
 - `borg-ui.sqlite`
 - `grafana.sqlite`
 - `n8n.sqlite.dump`
 - `unraid-flash-config.tar.gz` plus `unraid-flash-config.tar.gz.sha256` und Manifest
 - Monitoring-Stack: keine verpflichtenden Dump-Artefakte; Prometheus/Loki/Grafana named volumes sind Diagnose-/Dashboard-Zustand, keine primaere Restore-Quelle.
 - `komodo-mongo.archive.gz` (noch gesondert verifizieren)
@@ -167,7 +160,6 @@ Stand 2026-06-06. Pro Dienst auf einen Blick: Wurde der Restore schon einmal rea
 | Borg UI | 3 | - | rebuildbar | - |
 | Filebrowser | 3 | - | rebuildbar | - |
 | baerchen Windows Image | Workstation | 2026-06-06 | Full-Backup geschrieben; Recovery-USB-Boot, SMB-Mount und Restore-Point-Sichtpruefung erfolgreich; vor echtem Restore abgebrochen | nach Image-Aenderungen oder quartalsweise |
 | Home Assistant + Mosquitto | 2 | 2026-06-13 | HA-native Backup + Mosquitto-Appdata + Fachrepo-Clone, isolierte Testcontainer, HA HTTP/API/check_config, MQTT Publish/Subscribe + retained Topic nach Broker-Restart | vor groesseren Smart-Home-Aenderungen oder nach relevanten HA/Mosquitto-Architekturaenderungen |
 ---
@@ -25,7 +25,6 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 | mealie-postgres | DB Password | `/mnt/user/appdata/secrets/mealie_postgres_password.txt` -> `POSTGRES_PASSWORD_FILE` | aktiv |
 | Paperless-ngx | DB Password | Stack ENV `${PAPERLESS_DBPASS}` | aktiv |
 | Paperless-ngx | Redis URL | Stack ENV `${PAPERLESS_REDIS}` | aktiv |
 | Paperless OIDC (Authelia) | Client Secret | Stack ENV `${PAPERLESS_OIDC_SECRET}` in `/mnt/user/services/stacks/paperless/apps/paperless/.env` (Komodo-Stack-ENV); pbkdf2-Hash im Authelia-Host-Config-Client `paperless` (kein Wert im Repo) | aktiv (2026-06-17) |
 | Paperless-GPT | OpenAI API Key | Stack ENV `${OPENAI_API_KEY}`; nicht im Repo, nicht in Logs | aktiv |
 | code-server | Passwort | `/mnt/user/appdata/code-server/secrets/password` -> `FILE__PASSWORD` | aktiv |
 | Filebrowser | Admin Password | `/mnt/user/appdata/secrets/filebrowser_admin_password.txt` -> initialisierte SQLite-DB | aktiv |
@@ -41,30 +40,21 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 | Komodo Mongo | Root Password | `/mnt/user/appdata/secrets/komodo_mongo_password.txt` -> `MONGO_INITDB_ROOT_PASSWORD_FILE` | aktiv |
 | Komodo Core | App Secrets | Stack ENV `${KOMODO_SECRET_KEY}`, `${KOMODO_WEBHOOK_SECRET}`, `${KOMODO_JWT_SECRET}`, `${KOMODO_MONGO_PASSWORD}`, `${KOMODO_PERIPHERY_PASSKEY}` | aktiv |
 | Gitea Push Mirror | GitHub fine-grained PAT fuer `michaelkaleschke-spec/homelab-infra` | Gitea Repository Mirror Settings, persistent in `/mnt/user/services/gitea/data`; kein Datei-Secret im Repo | aktiv |
-| Glance | Community Widget API Tokens | Stack ENV `${GLANCE_IMMICH_API_KEY}`, `${GLANCE_ADGUARD_USERNAME}`, `${GLANCE_ADGUARD_PASSWORD}`, `${GLANCE_SPEEDTEST_API_KEY}`, `${GLANCE_KOMODO_API_KEY}`, `${GLANCE_KOMODO_API_SECRET}`, `${GLANCE_GITEA_TOKEN}`, `${GLANCE_PAPERLESS_TOKEN}`, `${GLANCE_MEALIE_TOKEN}` (alle read-only anlegen), `${GLANCE_HA_TOKEN}` (HA Long-Lived Access Token; Glance nutzt nur `GET /api/states`) | aktiv |
+| Glance | Community Widget API Tokens | Stack ENV `${GLANCE_IMMICH_API_KEY}`, `${GLANCE_ADGUARD_USERNAME}`, `${GLANCE_ADGUARD_PASSWORD}`, `${GLANCE_SPEEDTEST_API_KEY}` | aktiv |
 | speedtest-tracker | App Key / Admin-Zugang | Stack ENV `${APP_KEY}`, `${ADMIN_PASSWORD}` | aktiv |
 | Nextcloud | Admin User | `/mnt/user/appdata/secrets/nextcloud_admin_user.txt` -> `NEXTCLOUD_ADMIN_USER_FILE` | neu |
 | Nextcloud | Admin Password | `/mnt/user/appdata/secrets/nextcloud_admin_password.txt` -> `NEXTCLOUD_ADMIN_PASSWORD_FILE` | neu |
 | nextcloud-postgres | DB Password | `/mnt/user/appdata/secrets/nextcloud_postgres_password.txt` -> `POSTGRES_PASSWORD_FILE` | neu |
 | Borg UI / Borg | Admin-Login, `SECRET_KEY`, SSH-Keys, Repo-Credentials | persistent unter `/mnt/user/appdata/borg-ui/data/` | aktiv |
 | Borg Repo | Borg-Passphrase fuer Restore-Tests und Notfallzugriff | `/mnt/user/appdata/secrets/borg_repo_passphrase.txt` -> Host-Secret-Datei, nicht im Repo | aktiv |
 | Healthchecks Dead-Man's-Switch (Borg Pre-Hook) | Ping-/Capability-URL | `/mnt/user/appdata/secrets/healthchecks_borg_url` (chmod 600) **oder** ENV `HEALTHCHECKS_BORG_URL`/`HEALTHCHECKS_URL`, gelesen von `ops/borg-ui/scripts/pre-borg.sh`; URL ist eine Capability-URL -> wie Secret behandeln, nie ins Repo | aktiv nach Operator-Setup |
 | Healthchecks Dead-Man's-Switch (Nearline-Pull) | Ping-/Capability-URL | baerchen: ENV `HEALTHCHECKS_NEARLINE_URL` **oder** `%USERPROFILE%\.kallilab\healthchecks-nearline-url.txt`, gelesen von `ops/h-drive-nearline/pull-critical-backups.ps1`; URL ist eine Capability-URL -> wie Secret behandeln, nie ins Repo | aktiv nach Operator-Setup |
 | Unraid Flash Backup | Boot-/Array-/Share-/Plugin-Konfiguration, ggf. Hashes/Keys/Templates | `/mnt/user/backups/borg/dumps/latest/unraid-flash-config.tar.gz`, via Borg/Hetzner gesichert | aktiv; wie Secret-Material behandeln |
 | Hermes Agent | Provider-Keys, Bot-Tokens, API-Server-Key | `/mnt/user/appdata/hermes-agent/data/.env` | VM-seitig offen |
 | Hermes Agent | SSH-Runner Private Key | `/mnt/user/appdata/secrets/hermes_runner_id_ed25519` -> `/root/.ssh/id_ed25519` | VM-seitig offen |
 | InfluxDB 3 Core | Admin Token JSON | `/mnt/user/appdata/secrets/influxdb3_admin_token.json` -> Docker Secret `/run/secrets/influxdb3_admin_token` | aktiv |
 | Home Assistant -> InfluxDB | Write Token (Wetterarchiv) | `/mnt/user/appdata/secrets/ha_influxdb_token` + HA `/config/secrets.yaml` Key `influxdb_ha_token`; InfluxDB-3-Core Named-Admin-Token (voller Zugriff, da Core keine Scopes kennt) | aktiv |
 | Home Assistant | Agent API Tokens | `/mnt/user/appdata/secrets/ha_token_claude`, `ha_token_codex` (Long-Lived Access Tokens fuer read-only API-Zugriff durch KI-Agenten) | aktiv |
 | Monitoring Grafana | Admin Password | `/mnt/user/appdata/secrets/monitoring_grafana_admin_password.txt` -> Docker Secret `/run/secrets/monitoring_grafana_admin_password` -> `GF_SECURITY_ADMIN_PASSWORD__FILE` | aktiv |
 | Monitoring Grafana -> InfluxDB | Datasource Token | `/mnt/user/appdata/secrets/monitoring_grafana_influxdb_token.txt` -> Docker Secret `/run/secrets/monitoring_grafana_influxdb_token` | aktiv |
 | Grafana OIDC (Authelia) | Client Secret | `/mnt/user/appdata/secrets/grafana_oidc_client_secret` (Klartext, chmod 600) -> Docker Secret `/run/secrets/grafana_oidc_client_secret` -> `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET__FILE`. Zugehoeriger pbkdf2-Hash liegt im Authelia-Host-Config-Client `grafana` (kein Wert im Repo) | aktiv (2026-06-06) |
 | Mealie OIDC (Authelia) | Client Secret | Stack-ENV `${MEALIE_OIDC_CLIENT_SECRET}` in `/mnt/user/services/stacks/mealie/apps/mealie/.env` (Komodo-Stack-ENV); pbkdf2-Hash im Authelia-Host-Config-Client `mealie` (kein Wert im Repo) | aktiv (2026-06-06) |
 | Dawarich | DB Password | `/mnt/user/appdata/secrets/dawarich_postgres_password.txt` -> Docker Secret `/run/secrets/dawarich_postgres_password`; Postgres nutzt `POSTGRES_PASSWORD_FILE`, App/Sidekiq lesen per Entrypoint-Export | aktiv |
 | Dawarich | Redis Password | `/mnt/user/appdata/secrets/dawarich_redis_password.txt` -> Docker Secret `/run/secrets/dawarich_redis_password`; Redis `--requirepass`, App/Sidekiq `REDIS_URL` | aktiv |
 | Dawarich | Rails `SECRET_KEY_BASE` | `/mnt/user/appdata/secrets/dawarich_secret_key_base.txt` -> Docker Secret `/run/secrets/dawarich_secret_key_base` | geplant |
 | Dawarich Metrics | Basic-Auth Password | `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` -> Docker Secret `/run/secrets/dawarich_metrics_password`; Prometheus `password_file` | aktiv |
 | Grafana -> Dawarich | Read-only DB Password | `/mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt` -> Docker Secret `/run/secrets/dawarich_grafana_ro_password`; Grafana-Env `DAWARICH_GRAFANA_RO_PASSWORD` | aktiv |
 | Renovate Bot | Gitea Service-Account PAT | `/mnt/user/appdata/secrets/renovate_token.txt` -> Host-Datei (chmod 600), gelesen von `ops/renovate/run-renovate.sh` und an Renovate-Container als `RENOVATE_TOKEN` weitergegeben | aktiv nach Operator-Setup (siehe `docs/RENOVATE.md`) |
 | n8n | Encryption Key fuer interne Credential-Verschluesselung | `/mnt/user/appdata/secrets/n8n_encryption_key.txt` (chmod 600) -> Komodo Stack ENV `${N8N_ENCRYPTION_KEY}`; kein `_FILE`-Support im Upstream-Image | aktiv |
 | n8n | GMX IMAP Login (Mail-Trigger Workflow) | n8n Credentials Store (Typ `imap`), nur in `/mnt/user/appdata/n8n/data` mit `N8N_ENCRYPTION_KEY` verschluesselt | aktiv |
@@ -108,16 +98,8 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 |-- redis_password.txt
 |-- borg_repo_passphrase.txt
 |-- influxdb3_admin_token.json
 |-- ha_influxdb_token
 |-- ha_token_claude
 |-- ha_token_codex
 |-- filebrowser_admin_password.txt
 |-- homelab_smtp_password.txt
 |-- dawarich_postgres_password.txt
 |-- dawarich_redis_password.txt
 |-- dawarich_secret_key_base.txt
 |-- dawarich_metrics_password.txt
 |-- dawarich_grafana_ro_password.txt
 `-- vaultwarden_admin_token.txt
 ```
@@ -129,8 +111,7 @@ Weitere dokumentierte Secret-Pfade:
 - Borg UI verwaltet Session-Secret, Admin-Login, SSH-Keys und Repo-Credentials in seiner persistenten `/data`-Struktur. Diese Daten liegen nicht im Git, muessen aber gesichert werden.
 - Die Borg-Repo-Passphrase liegt zusaetzlich als Host-Secret-Datei fuer Restore-Tests und Notfallzugriff vor. Der Wert ist laut Operator-Bestaetigung vom 2026-05-26 offline gesichert; Ablageort und Wert werden nicht im Repo dokumentiert.
 - Gitea verwaltet den GitHub-Push-Mirror-PAT in den Repository-Mirror-Settings. Der Wert wird nicht dokumentiert und nicht in Dateien unter `docs/` oder `core/gitea/` geschrieben.
- Die beiden Healthchecks-Ping-URLs (Borg-Pre-Hook, Nearline-Pull) sind Capability-URLs und werden wie Secrets behandelt; sie liegen nicht im Repo. Die Skript-Integration ist endpoint-agnostisch (Healthchecks.io-Cloud oder self-hosted). Ist keine URL gesetzt, sind die Pings ein No-Op und brechen keinen Lauf ab. Operator-Setup-Schritte: `ops/h-drive-nearline/README.md` Abschnitt "Externer Dead-Man's-Switch".
+- `paperless-ngx` ist eine bewusste Ausnahme: DB-Passwort und Redis-URL bleiben aktuell als Komodo Stack Environment Variables hinterlegt, um den stabil laufenden Produktionsstand nicht fuer eine reine Secret-Mechanik-Migration zu riskieren.
 - `paperless-ngx` ist eine bewusste Ausnahme: DB-Passwort, Redis-URL und OIDC-Client-Secret bleiben aktuell als Komodo Stack Environment Variables hinterlegt, um den stabil laufenden Produktionsstand nicht fuer eine reine Secret-Mechanik-Migration zu riskieren.
 - `baerchen` nutzt fuer das Veeam-Backup aktuell den bestehenden SMB-User
  `micha`. Ein dedizierter SMB-User `veeam-baerchen` ist nur ein spaeteres
  Hardening-Ziel, solange keine Unraid-User-/Share-Aenderungen gewuenscht sind.
@@ -153,14 +134,14 @@ Einige Secrets liegen bewusst nur als Komodo Stack Environment Variables vor, we
 | Stack | Stack-ENV-Variablen | Restore-Quelle (Reihenfolge) | Folgen bei Verlust aller Quellen |
 |---|---|---|---|
-| `paperless-ngx` | `PAPERLESS_DBPASS`, `PAPERLESS_REDIS`, `PAPERLESS_OIDC_SECRET` | Komodo-Mongo-Dump -> Vaultwarden -> externe Notiz | App-DB ist im Postgres-Cluster, Passwort muss in Postgres und Stack-ENV synchron neu gesetzt werden; Redis-URL ist deterministisch rekonstruierbar (Host, Port, Passwort), wenn Redis-Passwort-Datei vorliegt; OIDC-Client-Secret kann mit passendem Authelia-Client neu rotiert werden |
+| `paperless-ngx` | `PAPERLESS_DBPASS`, `PAPERLESS_REDIS` | Komodo-Mongo-Dump -> Vaultwarden -> externe Notiz | App-DB ist im Postgres-Cluster, Passwort muss in Postgres und Stack-ENV synchron neu gesetzt werden; Redis-URL ist deterministisch rekonstruierbar (Host, Port, Passwort), wenn Redis-Passwort-Datei vorliegt |
 | `paperless-gpt` | `PAPERLESS_API_TOKEN`, `OPENAI_API_KEY` | Komodo-Mongo-Dump -> Vaultwarden -> externe Notiz | Paperless-Token kann in Paperless neu erzeugt werden; OpenAI-Key muss im OpenAI-Projekt rotiert/neu erstellt werden |
 | `immich-server` | `IMMICH_DB_PASSWORD` | Komodo-Mongo-Dump -> Vaultwarden -> externe Notiz | analog Paperless: Postgres-User-Passwort in `immich_postgres` und Stack-ENV gemeinsam zuruecksetzen |
 | `mail-archiver` | `MAILARCHIVER_DB_CONNECTION`, `MAILARCHIVER_AUTH_PASSWORD` | Komodo-Mongo-Dump -> Vaultwarden -> externe Notiz | DB-Connection-String enthaelt Postgres-Pass; App-Auth-Password fuer Web-UI |
 | `speedtest-tracker` | `APP_KEY`, `ADMIN_PASSWORD` | Komodo-Mongo-Dump -> Vaultwarden -> externe Notiz | `APP_KEY` ist verschluesselungsrelevant; bei echtem Verlust App-State frisch initialisieren |
 | `komodo-core` | `KOMODO_SECRET_KEY`, `KOMODO_WEBHOOK_SECRET`, `KOMODO_JWT_SECRET`, `KOMODO_MONGO_PASSWORD`, `KOMODO_PERIPHERY_PASSKEY` | Vaultwarden -> externe Notiz (Henne-Ei: Komodo-Mongo-Dump ist hier **nicht** Restore-Quelle, weil Komodo dafuer schon laufen muesste) | siehe `docs/SERVICES_RECOVERY.md` Komodo-Bootstrap; ohne diese Werte ist der Self-Stack nicht reproduzierbar |
 | `hermes-agent` | `HERMES_DASHBOARD_HOST` plus Provider-/API-/Home-Assistant-Tokens in Host-`.env` | Vaultwarden -> externe Notiz | Stack ist aktuell geparkt (Review 2026-07-25); ohne Werte bleibt der Stack deaktiviert, kein Schaden am Rest |
-| `glance` | `GLANCE_IMMICH_API_KEY`, `GLANCE_ADGUARD_USERNAME`, `GLANCE_ADGUARD_PASSWORD`, `GLANCE_SPEEDTEST_API_KEY`, `GLANCE_KOMODO_API_KEY`, `GLANCE_KOMODO_API_SECRET`, `GLANCE_GITEA_TOKEN`, `GLANCE_PAPERLESS_TOKEN`, `GLANCE_MEALIE_TOKEN`, `GLANCE_HA_TOKEN` | Provider-UIs (Immich, AdGuard, Speedtest-Tracker, Komodo, Gitea, Paperless, Mealie, Home Assistant) neu erzeugen | rebuildbar; Widgets bleiben leer bis Tokens neu erzeugt sind, kein kritischer Datentopf; `GLANCE_HA_TOKEN` muss zusaetzlich in `ops/glance/docker-compose.yml` durchgereicht werden |
+| `glance` | `GLANCE_IMMICH_API_KEY`, `GLANCE_ADGUARD_USERNAME`, `GLANCE_ADGUARD_PASSWORD`, `GLANCE_SPEEDTEST_API_KEY` | Provider-UIs (Immich, AdGuard, Speedtest-Tracker) neu erzeugen | rebuildbar; Widgets bleiben leer bis Tokens neu erzeugt sind, kein kritischer Datentopf |
 | `n8n` | `N8N_ENCRYPTION_KEY` | Host-Secret-Datei `/mnt/user/appdata/secrets/n8n_encryption_key.txt` -> Komodo-Mongo-Dump -> Vaultwarden -> externe Notiz | Bei Verlust aller Quellen: n8n startet, aber **alle gespeicherten Credentials sind unbrauchbar** (Re-Eingabe noetig: GMX IMAP, OpenAI, Gitea PAT). Workflows bleiben strukturell erhalten. |
 ### Komodo-Sonderfall
@@ -1,6 +1,6 @@
 # Service Catalog
-Stand: 2026-06-13
+Stand: 2026-06-02
 Dieser Katalog beschreibt produktive und repo-vorbereitete Dienste aus Sicht von Betrieb, Restore und KI-Kontext. Er basiert auf dem Repo-Sollzustand. Vor produktiven Eingriffen immer den Live-Zustand in Komodo/Docker pruefen.
@@ -12,7 +12,7 @@ Secret-Werte sind nicht enthalten. Es werden nur Secret-Namen, Env-Key-Namen und
 |---|---|---|---|---|---|---|---|---|
 | `traefik` | zentraler Reverse Proxy, TLS, Docker-Label-Routing | `traefik/docker-compose.yml`, `traefik/dynamic/*` | `https://traefik.kaleschke.info` | Docker socket, Cloudflare DNS API, `frontend_net`, `backend_net` | `/mnt/user/appdata/traefik/dynamic`, `/mnt/user/appdata/traefik/letsencrypt` | Tier 1, Share/Borg | ja, eigene Dashboard-Route mit Authelia | Host-Ports 80/443 sind zentrale Ausnahme; dynamic configs werden nicht automatisch von Komodo deployed |
 | `adguard` | DNS-Server / LAN DNS | `host-services/Adguard/docker-compose.yml` | LAN-Port `53`, Admin `100.80.98.33:8082` | `dns_net`, `frontend_net`, Unbound | `/mnt/user/appdata/adguard/conf`, `/mnt/user/appdata/adguard/work` | Tier 1, config relevant | nein | Direkter DNS-Port 53 bleibt; Admin-Port ist bewusst ohne Traefik/2FA, aber auf Tailscale-IP begrenzt (Operator-Entscheidung 2026-05-26) |
-| `unbound` | DNSSEC-validierender Forwarding-Resolver fuer AdGuard | `apps/unbound/docker-compose.yml` | intern | `dns_net` | `/mnt/user/appdata/unbound/config` | rebuildbar / config relevant | nein | intern isoliert; forwardet per DoT zu Cloudflare, keine Root-Rekursion |
+| `unbound` | Upstream DNS Resolver fuer AdGuard | `apps/unbound/docker-compose.yml` | intern | `dns_net` | `/mnt/user/appdata/unbound/config` | rebuildbar / config relevant | nein | intern isoliert |
 | `tailscale` | VPN/Remote-Zugang, Subnet-Router | **Natives Unraid-Plugin** `tailscale.plg` (nicht repo-/Komodo-verwaltet) | Tailscale | Host-Netz (`tailscale1`) | `/boot/config/plugins/tailscale/state` (im Flash-Backup) | Tier 1, State relevant | nein | Subnet-Router `192.168.178.0/24`; redundanter Docker-Stack `host-services/tailscale/` am 2026-06-06 entfernt |
 | `gitea` | Git-Server / origin fuer GitOps | `core/gitea/docker-compose.yml` | `https://git.kaleschke.info`, SSH `222` | Traefik, `frontend_net`, externe DNS-Resolver fuer GitHub-Push-Mirror | `/mnt/user/services/gitea/data` | Tier 1, `gitea.sqlite.dump` + Share; privater GitHub-Push-Mirror fuer Repo-Bootstrap | ja | SSH-Port 222 direkte Host-Port-Ausnahme; Push-Mirror nach `michaelkaleschke-spec/homelab-infra` reduziert das DR-Bootstrap-Risiko |
@@ -35,17 +35,14 @@ Secret-Werte sind nicht enthalten. Es werden nur Secret-Namen, Env-Key-Namen und
 | Service | Zweck | Autoritativer Pfad | URL / Zugang | Abhaengigkeiten | Datenpfade | Backup / Restore | Traefik | Besonderheiten / TODOs |
 |---|---|---|---|---|---|---|---|---|
-| `paperless-ngx` | Dokumentenmanagement | `apps/paperless/docker-compose.yml` | `https://paperless.kaleschke.info` | PostgreSQL 18, Redis 8, Traefik, Authelia OIDC | `/mnt/user/appdata/paperless-ngx/data`, `/mnt/user/documents/paperless`, `/mnt/user/documents/scans_inbox` | Tier 2, Borg + `postgresql17-paperless.dump` | ja + Authelia | DB/Redis/OIDC Secrets bleiben bewusst Stack ENV; OIDC ist additiv via Authelia konfiguriert, lokaler Login bleibt Fallback; Dump-Dateiname behaelt den historischen Cluster-Namen |
+| `paperless-ngx` | Dokumentenmanagement | `apps/paperless/docker-compose.yml` | `https://paperless.kaleschke.info` | PostgreSQL 18, Redis 8, Traefik | `/mnt/user/appdata/paperless-ngx/data`, `/mnt/user/documents/paperless`, `/mnt/user/documents/scans_inbox` | Tier 2, Borg + `postgresql17-paperless.dump` | ja | DB/Redis Secrets bleiben bewusst Stack ENV; Dump-Dateiname behaelt den historischen Cluster-Namen |
 | `paperless-gpt` | KI-Ergaenzung fuer Paperless | `apps/paperless-gpt/docker-compose.yml` | `https://paperless-gpt.kaleschke.info` | Paperless API, OpenAI API, Traefik | `/mnt/user/appdata/paperless-gpt/data`, `/mnt/user/appdata/paperless-gpt/prompts` | Tier 2 | ja + Authelia | `PAPERLESS_API_TOKEN` und `OPENAI_API_KEY` als Stack ENV; LLM und Vision-OCR laufen ueber `gpt-5.4-mini`, kein Zugriff mehr auf lokale Ollama-VM. **Behalten-Entscheidung 2026-05-28:** Container bleibt aktiv, auch wenn aktuell keine Traefik-Zugriffe in der Woche; Ablouseplanung erst mit Paperless-NGX 3.0 (eigene KI-Features erwartet) - dann neu bewerten. |
 | `immich_server` | Foto-/Video-App | `apps/immich/docker-compose.yml` | `https://immich.kaleschke.info` | Immich Postgres, Immich Redis, ML, Traefik | `/mnt/user/photos/immich`, `/mnt/user/photos/family_archive` | Tier 2, Borg + `immich.dump` | ja | native App-Auth; externes Fotoarchiv gemountet |
 | `immich_postgres` | Immich-Datenbank | `apps/immich/docker-compose.yml` | intern | `immich_default` | `/mnt/user/appdata/immich_postgres_vectorchord`, archivierter Rollback-Altstand `/mnt/user/appdata/_archive/pg18-immich-rollback-volumes-20260602/immich-postgres-pgvecto-rs`, `immich_postgres_password.txt` | Dump `immich.dump`; Restore braucht ein Image mit VectorChord/pgvector | nein | PG14 bleibt bewusst; Immich-DB-Image `ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0`; nie ins `frontend_net` |
 | `immich_redis` | Immich Cache | `apps/immich/docker-compose.yml` | intern | `immich_default` | kein kritischer Pfad dokumentiert | rebuildbar | nein | Redis 8.8; Architektur nennt anonymes Volume -> named volume als offenes Thema |
-| `immich_machine_learning` | Immich ML | `apps/immich/docker-compose.yml` | intern | `immich_default`, `immich_egress` | `model-cache` | rebuildbar | nein | keine Traefik-Route; `immich_egress` (nicht-internal) nur fuer Modell-Download zu huggingface, sonst scheitert Smart Search/Gesichtserkennung an DNS |
+| `immich_machine_learning` | Immich ML | `apps/immich/docker-compose.yml` | intern | `immich_default` | `model-cache` | rebuildbar | nein | intern-only |
 | `mealie` | Rezeptverwaltung | `apps/mealie/docker-compose.yml` | `https://mealie.kaleschke.info` | `mealie-postgres`, Traefik | `/mnt/user/appdata/mealie/data` | Tier 2, Borg + `mealie.dump` | ja | App + DB in internem Netz getrennt |
 | `mealie-postgres` | Mealie-Datenbank | `apps/mealie/docker-compose.yml` | intern | `mealie_internal` | `/mnt/user/appdata/mealie/postgres18`, archivierter Rollback-Altstand `/mnt/user/appdata/_archive/pg18-immich-rollback-volumes-20260602/mealie-postgres17`, `mealie_postgres_password.txt` | Dump `mealie.dump` | nein | interne DB; PostgreSQL 18 |
 | `dawarich_app` | Standort-Historie / Google-Timeline-Ersatz | `apps/dawarich/docker-compose.yml` | `https://dawarich.kaleschke.info` | eigene PostGIS-DB, eigene Redis, Traefik + Authelia, optional Home Assistant Push | `/mnt/user/appdata/dawarich/{postgres17,redis,shared,public,watched,storage}`, `dawarich_*.txt` Secrets | Tier 2, Borg + `dawarich.dump` | ja + Authelia | UI hinter Authelia; API-Key-Tracking-Endpunkte fuer OwnTracks/Overland/Traccar ohne ForwardAuth priorisiert. App und Sidekiq nutzen `freikin/dawarich:1.8.1`; Prometheus-Scrape nach aktueller Dawarich-Doku ueber `dawarich_app:3000/metrics`, Sidekiq-Metriken intern ueber `:9394`. |
 | `dawarich_db` | Dawarich PostGIS-Datenbank | `apps/dawarich/docker-compose.yml` | intern | `backend_net` | `/mnt/user/appdata/dawarich/postgres17`, `dawarich_postgres_password.txt`, `dawarich_grafana_ro_password.txt` | Dump `dawarich.dump`; raw DB nur bei gleichem PG/PostGIS und sauberem Shutdown | nein | PostGIS 17-3.5 Alpine; Grafana-Read-only-User `dawarich_grafana_ro` per Init-Script |
 | `dawarich_redis` | Dawarich Cache/Queue-Backend | `apps/dawarich/docker-compose.yml` | intern | `backend_net` | `/mnt/user/appdata/dawarich/redis`, `dawarich_redis_password.txt` | Teil von Dawarich-Restore, aber aus DB/Appdaten rekonstruierbar | nein | Redis 8.8 Alpine, keine Host-Ports |
 | `mail-archiver` | Mail-Archivierung | `apps/mail-archiver/docker-compose.yml` | `https://mail.kaleschke.info` | PostgreSQL 18, Internet/IMAP, Traefik, Authelia | `/mnt/user/appdata/mailarchiver/data-protection-keys` | Tier 2, `postgresql17-mailarchiver.dump` | ja + Authelia | Hybrid-Dienst: `frontend_net` fuer Internet, `backend_net` fuer DB; App-eigene Auth bleibt zusaetzliche Schutzschicht; Dump-Dateiname behaelt den historischen Cluster-Namen |
 | `nextcloud` | Datei-/Cloud-Dienst | `apps/nextcloud/docker-compose.yml` | `https://cloud.kaleschke.info` | eigene PostgreSQL, eigene Redis, Traefik | `/mnt/user/appdata/nextcloud/html`, `/mnt/user/documents/nextcloud-data` | Tier 2, `nextcloud.dump` + Share | ja | native App-Auth ohne zentrale ForwardAuth; WebDAV/CardDAV beachten |
 | `nextcloud-postgres` | Nextcloud-Datenbank | `apps/nextcloud/docker-compose.yml` | intern | `nextcloud_internal` | `/mnt/user/appdata/nextcloud/postgres18`, archivierter Rollback-Altstand `/mnt/user/appdata/_archive/pg18-immich-rollback-volumes-20260602/nextcloud-postgres17`, `nextcloud_postgres_password.txt` | `nextcloud.dump`, raw DB nicht primaerer Restore-Weg | nein | interne DB; PostgreSQL 18 |
@@ -70,7 +67,7 @@ Secret-Werte sind nicht enthalten. Es werden nur Secret-Namen, Env-Key-Namen und
 | `filebrowser` | Datei-Browser fuer Documents/Photos/Projekte | `ops/filebrowser/docker-compose.yml` | `https://files.kaleschke.info` | Traefik + Authelia | `/mnt/user/appdata/filebrowser/*`, `/mnt/user/documents`, `/mnt/user/photos`, `/mnt/user/projekte` | Tier 3, `filebrowser.bolt.dump` + Share | ja + Authelia | Breiter Appdata-Mount entfernt; Secrets und Traefik-Dynamic-Config sind nicht mehr ueber Filebrowser gemountet |
 | `code-server` | Web-Editor / Operations Workspace | `ops/code-server/docker-compose.yml` | `https://code.kaleschke.info` | Traefik + Authelia | `/mnt/user/appdata/code-server`, `/mnt/user/services/dev` | Tier 3 | ja + Authelia | Passwort ueber LSIO `FILE__PASSWORD`; Workspaces beachten |
 | `monitoring-grafana` | zentrale Observability-UI fuer Metriken, Logs und InfluxDB | `monitoring/docker-compose.yml` | `https://monitoring.kaleschke.info` | Traefik + Authelia, Prometheus, Loki, InfluxDB 3 Core | named volume `grafana_data`, Provisioning unter `monitoring/grafana/provisioning`, Dashboards unter `monitoring/grafana/dashboards` | Tier 3, named volume | ja + Authelia | Admin-Passwort ueber `monitoring_grafana_admin_password.txt`; Zielbestand: `Homelab / Availability`, `Homelab / Host Overview`, `Homelab / Containers + Logs`, `Homelab / Family Status`, `Traefik Official Standalone Dashboard`; Dashboard-Importer ist optionales `bootstrap`-Profil fuer Traefik |
-| `monitoring-prometheus` | Metrik-Speicher fuer Homelab-Monitoring | `monitoring/docker-compose.yml`, `monitoring/prometheus/prometheus.yml`, `monitoring/prometheus/alerts.yml` | intern `http://prometheus:9090` | `monitoring_net`, `backend_net`, node-exporter, cAdvisor, Traefik-Metrics, Blackbox Exporter, Alertmanager | named volume `prometheus_data` | Tier 3, transiente Metriken mit 30 Tagen Retention | nein | Scrapes: Prometheus, node-exporter, cAdvisor, Traefik `:8082`, Dawarich intern `dawarich_app:3000`, `blackbox-http`; Prometheus-Regeln senden an Alertmanager und von dort nach ntfy |
+| `monitoring-prometheus` | Metrik-Speicher fuer Homelab-Monitoring | `monitoring/docker-compose.yml`, `monitoring/prometheus/prometheus.yml`, `monitoring/prometheus/alerts.yml` | intern `http://prometheus:9090` | `monitoring_net`, node-exporter, cAdvisor, Traefik-Metrics, Blackbox Exporter, Alertmanager | named volume `prometheus_data` | Tier 3, transiente Metriken mit 30 Tagen Retention | nein | Scrapes: Prometheus, node-exporter, cAdvisor, Traefik `:8082`, `blackbox-http`; Prometheus-Regeln senden an Alertmanager und von dort nach ntfy |
 | `monitoring-alertmanager` | Alert-Routing fuer Prometheus-Regeln | `monitoring/docker-compose.yml`, `monitoring/alertmanager/alertmanager.yml` | intern `:9093` | Prometheus, ntfy Bridge | named volume `alertmanager_data` | Tier 3 | nein | sendet firing und resolved Alerts an `monitoring-alertmanager-ntfy-bridge` |
 | `monitoring-alertmanager-ntfy-bridge` | Alertmanager-Webhook nach ntfy Push | `monitoring/docker-compose.yml`, `monitoring/alertmanager-ntfy-bridge/bridge.py` | intern `:8080` | Alertmanager, `https://ntfy.kaleschke.info/homelab-alerts` | kein kritischer Zustand | rebuildbar | nein | formatiert Alertmanager JSON als ntfy Titel, Nachricht, Priority und Tags; keine Secrets |
 | `monitoring-blackbox-exporter` | HTTP-Erreichbarkeitspruefungen als Uptime-Kuma-Ersatz | `monitoring/docker-compose.yml`, `monitoring/blackbox/blackbox.yml` | intern `:9115` | Prometheus, externe HTTPS-Ziele | kein kritischer Zustand | rebuildbar | nein | Uptime Kuma wurde 2026-05-25 nach erfolgreichem Blackbox-/Grafana-Smoke-Test entfernt |
@@ -78,18 +75,11 @@ Secret-Werte sind nicht enthalten. Es werden nur Secret-Namen, Env-Key-Namen und
 | `monitoring-promtail` | Docker-Log-Collector fuer Monitoring-Loki | `monitoring/docker-compose.yml`, `monitoring/promtail/promtail-config.yml` | intern | Docker socket read-only, Docker json-file Logs, Loki | named volume `promtail_positions` | rebuildbar | nein | Dokumentierte Host-Observability-Ausnahme: `/var/run/docker.sock:/var/run/docker.sock:ro` und `/var/lib/docker/containers:ro`; keine Appdaten, nur Log-Discovery |
 | `monitoring-node-exporter` | Host-Metriken fuer Prometheus | `monitoring/docker-compose.yml` | intern `:9100` | Host `/proc`, `/sys`, `/` read-only, Prometheus | kein kritischer Zustand | rebuildbar | nein | Host-Observability-Ausnahme mit read-only Rootfs/Proc/Sys-Mounts |
 | `monitoring-cadvisor` | Container-Metriken fuer Prometheus | `monitoring/docker-compose.yml` | intern `:8080` | Docker/Host read-only Mounts, Prometheus | kein kritischer Zustand | rebuildbar | nein | Host-Observability-Ausnahme fuer Container-Metriken; keine direkten Ports |
-| `monitoring-influxdb3-core` | InfluxDB 3 Core fuer Home-Assistant-/Ecowitt-Langzeitdaten | `monitoring/docker-compose.yml` | Host-Port `8181` je `INFLUXDB_BIND_IP`, keine Public URL | Monitoring-Grafana, Home Assistant Writer | `/mnt/user/appdata/influxdb3/data`, `/mnt/user/appdata/influxdb3/plugins` | Tier 3 | nein | 2026-05-31 effektiv auf `127.0.0.1:8181` gebunden, also nicht LAN-exponiert; vor dem HA-Writer muss entschieden werden, ob `INFLUXDB_BIND_IP` auf eine LAN-IP geht oder HA gezielt ein gemeinsames internes Netz mit InfluxDB bekommt. `user: "0"` ist fuer den lokalen Object-Store-Pfad dokumentiert; `401 Unauthorized` beim Curl ohne Token ist erwarteter Reachability-Test |
+| `monitoring-influxdb3-core` | InfluxDB 3 Core fuer Home-Assistant-/Ecowitt-Langzeitdaten | `monitoring/docker-compose.yml` | Host-Port `8181` je `INFLUXDB_BIND_IP`, keine Public URL | Monitoring-Grafana, Home Assistant Writer | `/mnt/user/appdata/influxdb3/data`, `/mnt/user/appdata/influxdb3/plugins` | Tier 3 | nein | 2026-05-31 effektiv auf `127.0.0.1:8181` gebunden, also nicht LAN-exponiert; `user: "0"` ist fuer den lokalen Object-Store-Pfad dokumentiert; uebernimmt den bisherigen InfluxDB-Daten-/Token-Katalog; `401 Unauthorized` beim Curl ohne Token ist erwarteter Reachability-Test |
 | `hermes-gateway` | Hermes Agent Gateway/API intern | `ops/hermes-agent/docker-compose.yml` | intern `8642` auf `hermes_net` | SSH Runner (VM 192.168.178.143), LLM Provider, optional Home Assistant | `/mnt/user/appdata/hermes-agent/data`, SSH key path | Tier 3, Borg/Share | nein | NAS-Stack bleibt deaktiviert, solange die separate Hermes-VM/Runner-Seite nicht wiederhergestellt ist; kein Docker-Socket |
 | `hermes-dashboard` | Hermes Dashboard | `ops/hermes-agent/docker-compose.yml` | `https://hermes.kaleschke.info` via `${HERMES_DASHBOARD_HOST}` | `hermes-gateway`, Traefik + Authelia | shared read-only data mount | Tier 3, Borg/Share | ja + Authelia | Compose-Profil `dashboard`; aktuell VM-seitig offen, nicht Teil des NAS-Finalstarts |
 | `n8n` | Workflow-Automation; aktuell genutzt fuer Mail->LLM->Gitea-Issue (Inbox `Micha/mails`) | `apps/n8n/docker-compose.yml`, `apps/n8n/workflows/*.json` | `https://n8n.kaleschke.info` | Traefik (ohne pauschale Authelia, analog Komodo/Nextcloud), GMX IMAP, OpenAI API, Gitea API | `/mnt/user/appdata/n8n/data` (SQLite, Credentials, Workflows) | Tier 2, Borg + `n8n-data` (Credentials sind nur mit `N8N_ENCRYPTION_KEY` entschluesselbar) | ja, native Auth | Wegen Webhook-Endpunkten (`/webhook/*`) bewusst ohne `authelia@file`; eigene Login-/Owner-Auth bleibt Pflicht; `N8N_ENCRYPTION_KEY` ist Stack-ENV-Pflichtsecret, Verlust macht Credentials unbrauchbar. |
 ## Smart Home
 | Service | Zweck | Autoritativer Pfad | URL / Zugang | Abhaengigkeiten | Datenpfade | Backup / Restore | Traefik | Besonderheiten / TODOs |
 |---|---|---|---|---|---|---|---|---|
 | `homeassistant` | Zentrale Smart-Home-Steuerung, Energy Dashboard, Integrations-Hub | Runtime: `smart-home/docker-compose.yml`; Fachkonfiguration: Repo `smart-home-kalli` | `https://home.kaleschke.info`; zusaetzlich LAN-only Host-Bind `192.168.178.58:8123` nur fuer den Ecowitt-HTTP-Push | Traefik, `frontend_net`, `smarthome_net`, `smarthome-mosquitto`, SolarEdge-Wechselrichter `192.168.178.111:1502`, Fachrepo unter `/mnt/user/services/smart-home-kalli` | `/mnt/user/appdata/homeassistant` inkl. `.storage`, `secrets.yaml`, `trusted_proxies.yaml` und `custom_components` (HACS, `solaredge_modbus_multi`); YAML-Fachdateien read-only aus `/mnt/user/services/smart-home-kalli/home-assistant`; Agent-API-Tokens als Host-Secrets `ha_token_codex`/`ha_token_claude` | Tier 2, Borg + HA-native Backups; erstes HA-Backup am 2026-06-13 erzeugt/geprueft; Restore-Probe am 2026-06-13 erfolgreich, Report `/mnt/user/backups/restore-reports/homeassistant-2026-06-13.md`; Backup nach SolarEdge-Integration: `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_14.59_48645373.tar`; Backup nach Energy-Dashboard-Konfiguration: `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_15.59_25670583.tar` | ja, native HA-Auth | HA Container statt HAOS-VM; keine Add-ons, keine Supervised-Installation. `configuration.yaml` kommt aus dem Fachrepo, `.storage` wird nicht versioniert. `http.use_x_forwarded_for`, `trusted_proxies` und `ip_ban_enabled` sind aktiv. HA-MQTT-Integration `smarthome-mosquitto` ist seit 2026-06-13 geladen. SolarEdge ist seit 2026-06-13 lokal ueber `solaredge_modbus_multi` v3.2.5 angebunden: `SolarEdge Local`, `192.168.178.111:1502`, Device-ID `1`, Meter+Batterie-Erkennung an, Power-Control aus. Energy Dashboard ist fuer Netz, PV und Speicher konfiguriert; Kosten folgen mit Tibber. Komodo-Stack und Gitea-Webhook sind aktiv. Ecowitt-Ingress seit 2026-06-13 ueber LAN-only Host-Bind `192.168.178.58:8123` geloest; offen ist nur die GW3000-Customized-Server-Konfiguration. Naechster Produktivschritt: Tibber. |
 | `smarthome-mosquitto` | MQTT-Broker fuer HA, spaeter ESPHome und Zigbee2MQTT | `smart-home/docker-compose.yml`, `smart-home/mosquitto/config/mosquitto.conf` | intern `smarthome_net:1883`; kein LAN-Port in Phase 1 | `smarthome_net`, Passwort-/ACL-Dateien in Appdata | `/mnt/user/appdata/mosquitto/config`, `/mnt/user/appdata/mosquitto/data`, `/mnt/user/appdata/mosquitto/log` | Tier 2, Borg; Passwortdatei, ACLs und persistente Broker-Daten relevant; Restore-Probe am 2026-06-13 erfolgreich | nein | Authentifizierter Publish/Subscribe-Smoke und retained Topic nach Broker-Restart am 2026-06-13 erfolgreich. Home Assistant verbindet sich als User `homeassistant`. LAN-Port `1883` erst in ESPHome-Phase mit ACLs und per-Device-Usern. |
 ## Host Operations
 | Service | Zweck | Autoritativer Pfad | URL / Zugang | Abhaengigkeiten | Datenpfade | Backup / Restore | Traefik | Besonderheiten / TODOs |
@@ -124,20 +124,14 @@ Pflichtschritte beim Anlegen:
 1. Stack in Komodo aus Gitea anlegen
 2. `webhook_enabled` in Komodo aktivieren
 3. passenden Gitea-Webhook fuer die aktuelle Stack-ID anlegen
-4. Branch-Filter im Gitea-Hook auf den produktiven Branch setzen, aktuell `master`
+4. Gitea-Hook gegen `http://komodo-core:9120/listener/github/stack/<stack-id>/deploy` pruefen
-5. Gitea-Hook gegen `http://komodo-core:9120/listener/github/stack/<stack-id>/deploy` pruefen
+5. einen Push oder Test-Delivery ausloesen und `last_status`/Komodo-Deploy pruefen
-6. einen Push oder Test-Delivery ausloesen und `last_status`/Komodo-Deploy pruefen
+6. Ausnahmen explizit dokumentieren
 7. Ausnahmen explizit dokumentieren
 **Regel:** Kein neuer produktiver GitOps-Stack ohne funktionierenden Gitea->Komodo-Webhook. Bewusste Ausnahmen muessen im selben Aenderungsblock dokumentiert werden, inklusive Grund und Alternativ-Deploy-Weg.
 Der Standardfall nutzt den globalen `KOMODO_WEBHOOK_SECRET` aus der Komodo-Host-`.env`, ausser Komodo zeigt fuer den Stack explizit ein eigenes per-Stack-Secret.
 Der Gitea-Branch-Filter darf nicht leer oder `*` bleiben, solange der Komodo-Stack
 einen konkreten Repo-Branch erwartet. Sonst triggern Feature-/Arbeitsbranches alle
 Stack-Listener, Komodo verwirft sie mit `request branch does not match expected`
 und der Operations-Report bekommt unnuetzes Komodo-/Traefik-Rauschen.
 ### Ausnahme: Komodo-Zugangsmodell
 Komodo bleibt **bewusst** ohne zentrale Traefik-ForwardAuth-Middleware.
@@ -1,6 +1,6 @@
 # Runbook: Komodo Bulk-Deploy schlaegt mit DNS `connection refused` fehl
-Stand: 2026-06-11 · Typ: Runbook / ADR-light · Status: **Sofortmassnahme aktiv** (Host-DNS-Fallback gesetzt 2026-06-11 bzw. frueher)
+Stand: 2026-06-10 · Typ: Runbook / ADR-light · Status: Sofortmassnahme empfohlen, noch nicht umgesetzt
 ## Symptom
@@ -19,12 +19,12 @@ Der Host nutzt **AdGuard Home als einzigen Resolver** (`/etc/resolv.conf` = nur
 Es ist **kein** Webhook-, Auth- oder Docker-Hub-Rate-Limit-Problem: Webhooks authentifizieren sauber, `webhook_enabled=true`, Fehlerbild ist `connection refused` auf den eigenen DNS-Port direkt nach AdGuard-Recreate. Fuer den Pull-Pfad zaehlt der Docker-Daemon/Go-Resolver (iteriert ueber die `resolv.conf`-Server und springt bei Socket-Fehlern zum naechsten), nicht der glibc-Client.
-## Sofortmassnahme (Schicht 1) — umgesetzt
+## Sofortmassnahme (Schicht 1)
 Unraid -> Settings -> Network Settings -> `eth0`:
- DNS server 1: `192.168.178.58` (AdGuard)
+- DNS server 1: `192.168.178.58` (AdGuard, bleibt)
- **DNS server 2: `192.168.178.1`** (FritzBox) — **gesetzt und aktiv** (Operator-Bestaetigung 2026-06-11; Apply-Button erfordert Docker-/VM-Stop, der gespeicherte Wert greift bereits ohne Re-Apply)
+- **DNS server 2: `192.168.178.1`** (FritzBox) -> Apply
 Damit ueberleben Registry-Pulls einen kurzen AdGuard-Ausfall via Resolver-Failover. Im Normalbetrieb wird weiter DNS1 (AdGuard) genutzt, der Filter bleibt aktiv.
@@ -1,224 +0,0 @@
 # Smart-Home Bootstrap
 Ziel: Den Stack `smart-home/` auf Kallilabcore initial startklar machen, ohne
 Secrets oder UI-State ins Git zu schreiben.
 ## 1. Fachrepo auf dem Host bereitstellen
 ```sh
 cd /mnt/user/services
 git clone https://git.kaleschke.info/Micha/smart-home-kalli.git smart-home-kalli
 cd smart-home-kalli
 git checkout main
 ```
 Der Home-Assistant-Container mountet daraus einzelne YAML-Dateien read-only nach
 `/config`.
 ## 2. Home-Assistant-Appdata vorbereiten
 ```sh
 mkdir -p /mnt/user/appdata/homeassistant
 cp /mnt/user/services/smart-home-kalli/secrets-template/secrets.yaml.example \
  /mnt/user/appdata/homeassistant/secrets.yaml
 cp /mnt/user/services/smart-home-kalli/secrets-template/trusted_proxies.yaml.example \
  /mnt/user/appdata/homeassistant/trusted_proxies.yaml
 ```
 Danach `trusted_proxies.yaml` auf das echte Traefik-/`frontend_net`-Subnetz
 anpassen:
 ```sh
 docker network inspect frontend_net
 ```
 ## 3. Mosquitto vorbereiten
 ```sh
 mkdir -p /mnt/user/appdata/mosquitto/config \
  /mnt/user/appdata/mosquitto/data \
  /mnt/user/appdata/mosquitto/log
 docker run --rm -it \
  -v /mnt/user/appdata/mosquitto/config:/mosquitto/external_config \
  eclipse-mosquitto:2.0.22 \
  mosquitto_passwd -c /mosquitto/external_config/passwordfile homeassistant
 cat > /mnt/user/appdata/mosquitto/config/aclfile <<'EOF'
 user homeassistant
 topic readwrite #
 EOF
 ```
 Das initiale Passwort anschliessend in
 `/mnt/user/appdata/homeassistant/secrets.yaml` eintragen. LAN-Port `1883` bleibt
 in Phase 1 geschlossen.
 ## 4. Stack deployen
 Komodo-Stack:
 - Repo: `homelab-infra`
 - Pfad: `smart-home/docker-compose.yml`
 - Branch: nach Review `master`
 - Status 2026-06-13: Stack `smart-home` existiert in Komodo, Gitea-Webhook ist
  aktiv, `deployed_hash == latest_hash`.
 Nach dem Start pruefen:
 ```sh
 docker ps --filter name=homeassistant
 docker ps --filter name=smarthome-mosquitto
 docker logs --tail=100 homeassistant
 docker logs --tail=100 smarthome-mosquitto
 ```
 ## 5. Smoke-Test
 - `https://home.kaleschke.info` zeigt die Home-Assistant-Oberflaeche.
 - Nach Owner-Onboarding: keine Authelia-ForwardAuth mehr vor HA; HA nutzt native
  Auth plus `http.ip_ban_enabled`.
 - `trusted_proxies.yaml` deckt das `frontend_net` ab; damit wertet HA die echte
  Client-IP aus `X-Forwarded-For` aus.
 - Keine Trusted-Proxy-Fehler im HA-Log.
 - MQTT-Broker-Smoke: `homeassistant`-User aus `secrets.yaml` kann gegen
  `smarthome-mosquitto:1883` publish/subscriben.
 - HA-MQTT-Integration ist verbunden: Config-Entry `smarthome-mosquitto` ist
  `loaded`, Mosquitto sieht einen HA-Client mit User `homeassistant`.
 - HA-native Backup-Erstellung funktioniert; Beispielartefakt:
  `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_08.25_38034438.tar`.
 - Backup-Artefakt ist lesbar (`backup.json`, `homeassistant.tar.gz`).
 - Agent-API-Tokens liegen als Host-Secrets unter
  `/mnt/user/appdata/secrets/ha_token_codex` und
  `/mnt/user/appdata/secrets/ha_token_claude`; Werte nie ausgeben oder in Git
  schreiben. Die Tokens sind nur mit erhaltenem HA-Auth-State in `.storage`
  brauchbar und bei Verdacht in HA zu widerrufen.
 ## 6. Fachrepo-Update
 Das Fachrepo `/mnt/user/services/smart-home-kalli` ist kein eigener
 Komodo-Stack. Aenderungen wirken erst nach diesem Host-Ablauf:
 ```sh
 cd /mnt/user/services/smart-home-kalli
 git pull --ff-only origin main
 docker compose -f /mnt/user/services/stacks/smart-home/smart-home/docker-compose.yml \
  up -d --force-recreate homeassistant
 ```
 Der Force-Recreate ist Pflicht, weil `configuration.yaml`, `automations.yaml`,
 `scripts.yaml` und `scenes.yaml` als Einzeldateien in den Container gemountet
 werden. Nach einem `git pull` kann Docker sonst noch den alten Datei-Inode sehen
 (`Stale file handle`).
 ## 7. UI-Editor-Politik
 `automations.yaml`, `scripts.yaml` und `scenes.yaml` sind read-only aus Git
 gemountet. Der Home-Assistant-UI-Editor fuer diese Dateien ist deshalb nicht der
 primaere Schreibweg. Automationen und Scripts werden in Git gepflegt; UI-State
 und Integrations-State bleiben in `.storage` und werden per Borg gesichert.
 ## 8. Abnahmebedingung
 Vor produktiven Energie-Automationen muss ein Restore-Test fuer
 `/mnt/user/appdata/homeassistant`, `/mnt/user/appdata/mosquitto` und den Clone
 `/mnt/user/services/smart-home-kalli` dokumentiert sein.
 Wichtig: Ein erfolgreich erzeugtes HA-Backup ist nur die Voraussetzung. Das Gate
 ist erst geschlossen, wenn eine Restore-Probe in einem isolierten Testpfad
 dokumentiert ist.
 Status 2026-06-13: Gate geschlossen. Die isolierte Restore-Probe war
 erfolgreich:
 - Report: `/mnt/user/backups/restore-reports/homeassistant-2026-06-13.md`
 - Test: HA-native Backup + Mosquitto-Appdata + Fachrepo-Clone
 - Ergebnis: HA HTTP/API/check_config gruen, MQTT Publish/Subscribe und retained
  Topic nach Broker-Restart gruen
 Status 2026-06-13: HA-MQTT-Integration ist produktiv verbunden.
 Verifikation:
 ```sh
 TOKEN=$(cat /mnt/user/appdata/secrets/ha_token_codex)
 curl -ksS -H "Authorization: Bearer $TOKEN" \
  https://home.kaleschke.info/api/config/config_entries/entry
 docker logs --tail=120 smarthome-mosquitto
 docker exec homeassistant python -m homeassistant --script check_config --config /config
 ```
 Erwartung: Ein MQTT-Config-Entry `smarthome-mosquitto` mit Status `loaded`, ein
 Mosquitto-Client mit User `homeassistant`, und `check_config` ohne Fehler.
 ## 9. SolarEdge lokal
 Status 2026-06-13: SolarEdge ist lokal per Modbus TCP angebunden.
 - Integration: HACS/Custom `solaredge_modbus_multi` v3.2.5
 - HA-Config-Entry: `SolarEdge Local`, Status `loaded`
 - Wechselrichter: `192.168.178.111:1502`
 - Modbus Device-ID: `1`
 - Optionen: Polling 60 Sekunden, Meter-Erkennung aktiv, Batterie-Erkennung
  aktiv, Extras aus, Power-Control aus
 Verifikation:
 ```sh
 TOKEN=$(cat /mnt/user/appdata/secrets/ha_token_codex)
 curl -ksS -H "Authorization: Bearer $TOKEN" \
  https://home.kaleschke.info/api/config/config_entries/entry
 curl -ksS -H "Authorization: Bearer $TOKEN" \
  https://home.kaleschke.info/api/states
 docker exec homeassistant python -m homeassistant --script check_config --config /config
 ```
 Wichtige Energy-Dashboard-Kandidaten:
 - PV-Produktion: `sensor.solaredge_local_i1_ac_energy`
 - Netzbezug: `sensor.solaredge_local_i1_m1_ac_energy_imported`
 - Einspeisung: `sensor.solaredge_local_i1_m1_ac_energy_exported`
 - Batterie geladen: `sensor.solaredge_local_i1_b1_energy_import`
 - Batterie entladen: `sensor.solaredge_local_i1_b1_energy_export`
 - Batterie-SoC: `sensor.solaredge_local_i1_b1_state_of_energy`
 Nach der Integration wurde ein HA-native Backup erzeugt und tar-geprueft:
 `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_14.59_48645373.tar`.
 Trade-off: Dieser Pfad ist lokal und liefert Inverter, Meter und Batterie ohne
 Cloud-API, nutzt aber eine Custom-Integration. Bei HA-Core-Upgrades auf Warnungen
 zu `solaredge_modbus_multi` achten.
 ## 10. Energy Dashboard
 Status 2026-06-13: Energy Dashboard ist ueber die Home-Assistant-WebSocket-API
 konfiguriert und validiert.
 Konfiguration:
 - Netz: Bezug `sensor.solaredge_local_i1_m1_ac_energy_imported`, Einspeisung
  `sensor.solaredge_local_i1_m1_ac_energy_exported`
 - PV: Produktion `sensor.solaredge_local_i1_ac_energy`, Live-Leistung
  `sensor.solaredge_local_i1_ac_power`
 - Speicher: Entladung `sensor.solaredge_local_i1_b1_energy_export`, Ladung
  `sensor.solaredge_local_i1_b1_energy_import`, SoC
  `sensor.solaredge_local_i1_b1_state_of_energy`
 - Kosten/Preise: noch nicht gesetzt; folgt mit Tibber
 Verifikation:
 ```sh
 TOKEN=$(cat /mnt/user/appdata/secrets/ha_token_codex)
 # WebSocket: energy/get_prefs und energy/validate
 sed -n '1,260p' /mnt/user/appdata/homeassistant/.storage/energy
 ```
 Erwartung: `.storage/energy` enthaelt drei Quellen (`grid`, `solar`,
 `battery`), und `energy/validate` meldet keine Issues.
 Nach der Energy-Konfiguration wurde ein HA-native Backup erzeugt und
 tar-geprueft:
 `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_15.59_25670583.tar`.
 Naechster Schritt: Tibber per HA-UI-Config-Flow verbinden und danach Kosten im
 Energy Dashboard ergaenzen.
@@ -1,6 +1,6 @@
 services:
  postgresql17:
-    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
+    image: postgres:18.4@sha256:65f70a152846cf504dff86e807007e9aeac98c3aeb7b62541b2c55ab9d264e56
    container_name: postgresql17
    restart: unless-stopped
@@ -74,56 +74,6 @@ INFLUXDB_BIND_IP=192.168.178.58
 - Uptime Kuma ist entfernt; `Homelab / Availability`, Blackbox Exporter und Prometheus-Alerts sind der Zielzustand fuer HTTP-Verfuegbarkeit.
 - Dashboard-Zielbestand: `Homelab / Availability`, `Homelab / Containers + Logs`, `Homelab / Host Overview`, `Homelab / Family Status`, `Traefik Official Standalone Dashboard`.
 ## Wetter-Tagesberichte
 Die Ecowitt-/HA-Wetterdaten (DB `homeassistant`, Datasource `ha-weather-influx`)
 werden in drei Grafana-Dashboards sichtbar (Ordner `Homelab`, Tag `weather`):
 - `Wetterarchiv KalliHome` (`ha-weather-archive`): Verlaeufe und Gauges ueber einen Zeitbereich.
 - `Wetterbericht KalliHome` (`ha-weather-day-report`): visueller Tagesbericht fuer **einen** Tag (Bewertungs-Banner, Kennzahl-Karten mit Sparkline, Tagescharts Temperatur und Solar/UV).
 - `Wetter-Tagesberichte KalliHome` (`ha-weather-report-history`): Index/Finder, **eine Zeile pro Tag** mit Kurzbewertung, T min/max/Mittel, Regen, UV und Boee.
 ### Alte Tagesberichte finden und ein Datum waehlen
 1. Dashboard **`Wetter-Tagesberichte`** oeffnen (Standard: letzte 30 Tage, Europe/Berlin).
   In der Tabelle **auf das Datum klicken** -> der ausfuehrliche Tagesbericht oeffnet
   sich fuer genau diesen Tag. Weiter zurueck: Zeitbereich oben rechts vergroessern.
 2. Alternativ im Dashboard **`Wetterbericht KalliHome`** direkt einen Tag waehlen:
   Zeitbereich oben rechts -> *Absolute time range* -> z. B. From `2026-06-15 00:00:00`,
   To `2026-06-16 00:00:00` -> **Apply**. Beide Dashboards haben Zeitzone
   `Europe/Berlin`, die Eingaben gelten also in Berliner Lokalzeit; Standard ist
   `gestern` (`now-1d/d` bis `now/d`).
 Grafana hat **keine echte Datepicker-Variable**: eine Textbox-Variable kann den
 Zeitbereich nicht setzen, und ein `report_date`-Ansatz braeuchte zeitzonen-genaues
 Tages-Bounding in InfluxDB-3-SQL. Deshalb ist der **Timepicker bei Dashboard-Zeitzone
 `Europe/Berlin`** der exakte Weg fuer einen vollstaendigen Lokaltag, und die
 Index-Tabelle der bequeme Klick-Selektor fuer alte Tage. Die Tabellen-Buckets liegen
 auf UTC-Mitternacht (~01:00/02:00 Berlin); der verlinkte Tagesbericht zeigt das
 gewaehlte Fenster vollstaendig.
 ### Quelle: InfluxDB statt Markdown-Index
 Die Dashboards rendern direkt per SQL aus InfluxDB 3 Core - gleiche Quelle wie der
 Markdown-Generator `services/posture-check/weather-day-report.py`. Damit ist jeder
 zurueckliegende Tag reproduzierbar, solange die Rohdaten vorgehalten werden; ein
 separater Markdown-Index ist bewusst nicht noetig. Die erzeugten Tagesberichte als
 Datei (E-Mail/Offline-Archiv) liegen weiterhin unter
 `/mnt/user/services/posture-check/daily-reports/homelab-day-YYYY-MM-DD.md`.
 ### Deploy und Test
 Dashboards werden aus `monitoring/grafana/dashboards/` provisioniert (Verzeichnis-
 Mount, Reload alle 5 Minuten, Ordner `Homelab`). Nach Push nach Gitea deployt Komodo
 den `monitoring`-Stack; Grafana laedt die JSON-Dateien automatisch nach. Kein
 Bootstrap-Importer noetig (der gilt nur fuer grafana.com-Dashboard-ID 17346).
 SQL der Index-Tabelle vor dem Verlassen einmal pruefen: Grafana -> *Explore* ->
 Datasource `ha-weather-influx` -> die `rawSql` aus `weather-report-history.json`
 einfuegen und einen Zeitbereich (z. B. letzte 7 Tage) waehlen. Erwartet: eine Zeile
 pro Tag mit gefuellten Spalten. Falls `extract(epoch FROM ...)` auf dem InfluxDB-3-
 Build nicht unterstuetzt wird, stattdessen `to_unixtime(...)` verwenden.
 ## Alerting
 Prometheus wertet `monitoring/prometheus/alerts.yml` aus und sendet an `monitoring-alertmanager`.
@@ -2,28 +2,20 @@ services:
  prometheus:
    image: prom/prometheus:v3.12.0@sha256:69f5241418838263316593f7274a304b095c40bcf22e57272865da91bd60a8ac
    container_name: monitoring-prometheus
    user: "0"
    restart: unless-stopped
    command:
-      - --config.file=/etc/prometheus/config/prometheus.yml
+      - --config.file=/etc/prometheus/prometheus.yml
      - --storage.tsdb.path=/prometheus
      - --storage.tsdb.retention.time=30d
      - --web.enable-lifecycle
    volumes:
-      # Verzeichnis-Mount statt Einzeldatei: auf dem Unraid-FUSE-Share (/mnt/user)
+      - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
-      # bricht ein Einzeldatei-Bind-Mount bei git/Komodo-Updates zu
+      - ./prometheus/alerts.yml:/etc/prometheus/alerts.yml:ro
      # "Stale NFS file handle" (Inode-Wechsel) -> Reload laedt 0 Regeln, nur
      # --force-recreate heilt. Directory-Inode ist stabil, Reload reicht wieder.
      - ./prometheus:/etc/prometheus/config:ro
      - prometheus_data:/prometheus
    networks:
      - monitoring_net
      - backend_net
    expose:
      - "9090"
    secrets:
      - source: dawarich_metrics_password
        mode: 0444
    security_opt:
      - no-new-privileges:true
    depends_on:
@@ -33,17 +25,14 @@ services:
      - cadvisor
  alertmanager:
-    image: prom/alertmanager:v0.33.0@sha256:af26fbe4dd1886ac0efd7bd55cd9027da262e105b137a376522b7c14c3626e4a
+    image: prom/alertmanager:v0.32.2@sha256:b85533a2eb45865835315810315f6951331b2dbc8c93a6cf9a51e156a006a706
    container_name: monitoring-alertmanager
    restart: unless-stopped
    command:
-      - --config.file=/etc/alertmanager/config/alertmanager.yml
+      - --config.file=/etc/alertmanager/alertmanager.yml
      - --storage.path=/alertmanager
    volumes:
-      # Verzeichnis-Mount statt Einzeldatei (Begruendung siehe prometheus):
+      - ./alertmanager/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
      # /mnt/user-FUSE bricht Einzeldatei-Bind-Mounts bei git/Komodo-Updates
      # zu "Stale NFS file handle" -> Directory-Inode ist stabil.
      - ./alertmanager:/etc/alertmanager/config:ro
      - alertmanager_data:/alertmanager
    networks:
      - monitoring_net
@@ -53,7 +42,7 @@ services:
      - no-new-privileges:true
  alertmanager-ntfy-bridge:
-    image: python:3.14-alpine@sha256:26730869004e2b9c4b9ad09cab8625e81d256d1ce97e72df5520e806b1709f92
+    image: python:3.14-alpine@sha256:5a824eb82cc75361f98611f3cfc5091ea33f10a6ccea4d4ebdabbc523b9a1614
    container_name: monitoring-alertmanager-ntfy-bridge
    restart: unless-stopped
    dns:
@@ -65,9 +54,7 @@ services:
      - python
      - /app/bridge.py
    volumes:
-      # Verzeichnis-Mount statt Einzeldatei (Begruendung siehe prometheus):
+      - ./alertmanager-ntfy-bridge/bridge.py:/app/bridge.py:ro
      # vermeidet Stale-Handle auf dem /mnt/user-FUSE-Share bei git/Komodo-Updates.
      - ./alertmanager-ntfy-bridge:/app:ro
    networks:
      - monitoring_net
    expose:
@@ -85,11 +72,9 @@ services:
    dns:
      - 172.23.0.3
    command:
-      - --config.file=/etc/blackbox_exporter/config/blackbox.yml
+      - --config.file=/etc/blackbox_exporter/blackbox.yml
    volumes:
-      # Verzeichnis-Mount statt Einzeldatei (Begruendung siehe prometheus):
+      - ./blackbox/blackbox.yml:/etc/blackbox_exporter/blackbox.yml:ro
      # vermeidet Stale-Handle auf dem /mnt/user-FUSE-Share bei git/Komodo-Updates.
      - ./blackbox:/etc/blackbox_exporter/config:ro
    networks:
      - monitoring_net
      - dns_net
@@ -103,11 +88,9 @@ services:
    container_name: monitoring-loki
    restart: unless-stopped
    command:
-      - -config.file=/etc/loki/config/loki-config.yml
+      - -config.file=/etc/loki/loki-config.yml
    volumes:
-      # Verzeichnis-Mount statt Einzeldatei (Begruendung siehe prometheus):
+      - ./loki/loki-config.yml:/etc/loki/loki-config.yml:ro
      # vermeidet Stale-Handle auf dem /mnt/user-FUSE-Share bei git/Komodo-Updates.
      - ./loki:/etc/loki/config:ro
      - loki_data:/loki
    networks:
      - monitoring_net
@@ -121,11 +104,9 @@ services:
    container_name: monitoring-promtail
    restart: unless-stopped
    command:
-      - -config.file=/etc/promtail/config/promtail-config.yml
+      - -config.file=/etc/promtail/promtail-config.yml
    volumes:
-      # Verzeichnis-Mount statt Einzeldatei (Begruendung siehe prometheus):
+      - ./promtail/promtail-config.yml:/etc/promtail/promtail-config.yml:ro
      # vermeidet Stale-Handle auf dem /mnt/user-FUSE-Share bei git/Komodo-Updates.
      - ./promtail:/etc/promtail/config:ro
      - promtail_positions:/positions
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
@@ -137,7 +118,7 @@ services:
      - loki
  grafana:
-    image: grafana/grafana:13.1.0@sha256:121a7a9ece6dc10b969f1f96eed64b4f07dfac0d0b8abc070f7cb83bbde86f63
+    image: grafana/grafana:13.0.2@sha256:5dad0df181cb644a14e13617b913b261a54f7d4fd4510721dba420929f35bea2
    container_name: monitoring-grafana
    user: "0"
    restart: unless-stopped
@@ -170,7 +151,6 @@ services:
      - -c
      - |
        export GRAFANA_INFLUXDB_TOKEN="$$(cat /run/secrets/monitoring_grafana_influxdb_token)"
        export DAWARICH_GRAFANA_RO_PASSWORD="$$(cat /run/secrets/dawarich_grafana_ro_password)"
        exec /run.sh
    volumes:
      - grafana_data:/var/lib/grafana
@@ -179,12 +159,10 @@ services:
    networks:
      - monitoring_net
      - frontend_net
      - backend_net
    secrets:
      - monitoring_grafana_admin_password
      - monitoring_grafana_influxdb_token
      - grafana_oidc_client_secret
      - dawarich_grafana_ro_password
    expose:
      - "3000"
    security_opt:
@@ -338,7 +316,7 @@ services:
      - no-new-privileges:true
  cadvisor:
-    image: ghcr.io/google/cadvisor:v0.60.1@sha256:d48aea9d9c1bcf375917279842408703293fde88982d4610aefe75134ec69759
+    image: ghcr.io/google/cadvisor:v0.57.0@sha256:e75bdb03b74b0b6995f208f166fead2e6e555dde73e44200113bb26f41b1981d
    container_name: monitoring-cadvisor
    restart: unless-stopped
    command:
@@ -359,7 +337,7 @@ services:
      - no-new-privileges:true
  influxdb3-core:
-    image: influxdb:3.10.0-core@sha256:b3e577f38c19963597170d8850a3a7f77af8f0cfa866c64cd13e5de0f238e114
+    image: influxdb:3.9.3-core@sha256:c27c9b2ca2625b5b6966f0b09baa448102310e63a471fd60dff22646a2522e29
    container_name: monitoring-influxdb3-core
    user: "0"
    restart: unless-stopped
@@ -373,12 +351,6 @@ services:
      - --data-dir=/var/lib/influxdb3/data
      - --plugin-dir=/var/lib/influxdb3/plugins
      - --admin-token-file=/run/secrets/influxdb3_admin_token
      # InfluxDB 3 Core kompaktiert Parquet-Dateien nicht (nur Enterprise).
      # HA schreibt viele Sensoren haeufig -> Tabellen wie "°C"/"%"/"hPa" liefen
      # ins Default-Limit von 432 Dateien/Query ("No data" in Grafana).
      # Stopgap: Limit anheben. Langfristig: Enterprise (Auto-Compaction, frei
      # fuer Home) oder weniger/seltener nach InfluxDB schreiben.
      - --query-file-limit=20000
    volumes:
      - /mnt/user/appdata/influxdb3/data:/var/lib/influxdb3/data
      - /mnt/user/appdata/influxdb3/plugins:/var/lib/influxdb3/plugins
@@ -398,8 +370,6 @@ networks:
    driver: bridge
  frontend_net:
    external: true
  backend_net:
    external: true
  dns_net:
    external: true
@@ -419,7 +389,3 @@ secrets:
    file: /mnt/user/appdata/secrets/grafana_oidc_client_secret
  influxdb3_admin_token:
    file: /mnt/user/appdata/secrets/influxdb3_admin_token.json
  dawarich_metrics_password:
    file: /mnt/user/appdata/secrets/dawarich_metrics_password.txt
  dawarich_grafana_ro_password:
    file: /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt
@@ -1,577 +0,0 @@
 {
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": {
          "type": "grafana",
          "uid": "-- Grafana --"
        },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": false,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 0,
  "id": null,
  "links": [],
  "liveNow": false,
  "panels": [
    {
      "id": 10,
      "type": "stat",
      "title": "Points Last 30 Days",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 0,
        "y": 0,
        "w": 6,
        "h": 4
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT count(*)::double precision AS points\nFROM points\nWHERE timestamp >= extract(epoch from now() - interval '30 days')::integer\n  AND timestamp <= extract(epoch from now())::integer\n  AND lonlat IS NOT NULL;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "unit": "short",
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "colorMode": "value",
        "graphMode": "none",
        "justifyMode": "auto",
        "orientation": "auto",
        "reduceOptions": {
          "calcs": [
            "lastNotNull"
          ],
          "fields": "points",
          "values": false
        },
        "textMode": "auto",
        "wideLayout": true
      }
    },
    {
      "id": 11,
      "type": "stat",
      "title": "Kilometers Last 30 Days",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 6,
        "y": 0,
        "w": 6,
        "h": 4
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT round(coalesce(sum(distance),0)::numeric / 1000.0, 2)::double precision AS km\nFROM tracks\nWHERE start_at >= now() - interval '30 days';"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "unit": "km",
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "colorMode": "value",
        "graphMode": "none",
        "justifyMode": "auto",
        "orientation": "auto",
        "reduceOptions": {
          "calcs": [
            "lastNotNull"
          ],
          "fields": "km",
          "values": false
        },
        "textMode": "auto",
        "wideLayout": true
      }
    },
    {
      "id": 12,
      "type": "stat",
      "title": "Tracks Last 30 Days",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 12,
        "y": 0,
        "w": 6,
        "h": 4
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT count(*)::double precision AS tracks\nFROM tracks\nWHERE start_at >= now() - interval '30 days';"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "unit": "short",
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "colorMode": "value",
        "graphMode": "none",
        "justifyMode": "auto",
        "orientation": "auto",
        "reduceOptions": {
          "calcs": [
            "lastNotNull"
          ],
          "fields": "tracks",
          "values": false
        },
        "textMode": "auto",
        "wideLayout": true
      }
    },
    {
      "id": 13,
      "type": "stat",
      "title": "Anomalies Last 30 Days",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 18,
        "y": 0,
        "w": 6,
        "h": 4
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT count(*)::double precision AS anomalies\nFROM points\nWHERE timestamp >= extract(epoch from now() - interval '30 days')::integer\n  AND timestamp <= extract(epoch from now())::integer\n  AND anomaly IS TRUE;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "unit": "short",
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "colorMode": "value",
        "graphMode": "none",
        "justifyMode": "auto",
        "orientation": "auto",
        "reduceOptions": {
          "calcs": [
            "lastNotNull"
          ],
          "fields": "anomalies",
          "values": false
        },
        "textMode": "auto",
        "wideLayout": true
      }
    },
    {
      "id": 1,
      "type": "geomap",
      "title": "Location Points",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 0,
        "y": 4,
        "w": 14,
        "h": 12
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT\n  ST_Y(lonlat::geometry)::double precision AS lat,\n  ST_X(lonlat::geometry)::double precision AS lon,\n  accuracy::double precision AS accuracy,\n  to_timestamp(timestamp) AS seen_at\nFROM points\nWHERE timestamp >= extract(epoch from now() - interval '30 days')::integer\n  AND timestamp <= extract(epoch from now())::integer\n  AND lonlat IS NOT NULL\nORDER BY timestamp DESC\nLIMIT 5000;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "custom": {
            "hideFrom": {
              "legend": false,
              "tooltip": false,
              "viz": false
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "basemap": {
          "config": {},
          "name": "Layer 0",
          "type": "default"
        },
        "controls": {
          "mouseWheelZoom": true,
          "showAttribution": true,
          "showDebug": false,
          "showMeasure": false,
          "showScale": true,
          "showZoom": true
        },
        "layers": [
          {
            "config": {
              "showLegend": false,
              "style": {
                "color": {
                  "fixed": "green"
                },
                "opacity": 0.7,
                "size": {
                  "fixed": 5,
                  "max": 15,
                  "min": 2
                },
                "symbol": {
                  "fixed": "img/icons/marker/circle.svg",
                  "mode": "fixed"
                }
              }
            },
            "location": {
              "latitude": "lat",
              "longitude": "lon",
              "mode": "coords"
            },
            "name": "Points",
            "tooltip": true,
            "type": "markers"
          }
        ],
        "tooltip": {
          "mode": "details"
        },
        "view": {
          "allLayers": true,
          "id": "fit",
          "lat": 52.0,
          "lon": 7.5,
          "zoom": 8
        }
      }
    },
    {
      "id": 2,
      "type": "table",
      "title": "Kilometers per Day",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 14,
        "y": 4,
        "w": 10,
        "h": 6
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT\n  date_trunc('day', start_at)::date AS day,\n  round(coalesce(sum(distance),0)::numeric / 1000.0, 2)::double precision AS km\nFROM tracks\nWHERE start_at >= now() - interval '30 days'\nGROUP BY 1\nORDER BY 1 DESC;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "custom": {
            "align": "auto",
            "cellOptions": {
              "type": "auto"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "cellHeight": "sm",
        "footer": {
          "countRows": false,
          "fields": "",
          "reducer": [
            "sum"
          ],
          "show": false
        },
        "showHeader": true
      }
    },
    {
      "id": 3,
      "type": "table",
      "title": "Points per Day",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 14,
        "y": 10,
        "w": 10,
        "h": 6
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT\n  date_trunc('day', to_timestamp(timestamp))::date AS day,\n  count(*)::double precision AS points\nFROM points\nWHERE timestamp >= extract(epoch from now() - interval '30 days')::integer\n  AND timestamp <= extract(epoch from now())::integer\nGROUP BY 1\nORDER BY 1 DESC;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "custom": {
            "align": "auto",
            "cellOptions": {
              "type": "auto"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "cellHeight": "sm",
        "footer": {
          "countRows": false,
          "fields": "",
          "reducer": [
            "sum"
          ],
          "show": false
        },
        "showHeader": true
      }
    },
    {
      "id": 4,
      "type": "table",
      "title": "Recent Tracks",
      "datasource": {
        "type": "postgres",
        "uid": "dawarich-postgres"
      },
      "pluginVersion": "13.0.2",
      "gridPos": {
        "x": 0,
        "y": 16,
        "w": 24,
        "h": 7
      },
      "targets": [
        {
          "refId": "A",
          "datasource": {
            "type": "postgres",
            "uid": "dawarich-postgres"
          },
          "editorMode": "code",
          "format": "table",
          "rawQuery": true,
          "rawSql": "SELECT\n  start_at AS start,\n  end_at AS end,\n  round((distance::numeric / 1000.0), 2)::double precision AS km,\n  round((duration::numeric / 60.0), 1)::double precision AS minutes\nFROM tracks\nWHERE start_at >= now() - interval '30 days'\nORDER BY start_at DESC\nLIMIT 50;"
        }
      ],
      "fieldConfig": {
        "defaults": {
          "custom": {
            "align": "auto",
            "cellOptions": {
              "type": "auto"
            }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              }
            ]
          }
        },
        "overrides": []
      },
      "options": {
        "cellHeight": "sm",
        "footer": {
          "countRows": false,
          "fields": "",
          "reducer": [
            "sum"
          ],
          "show": false
        },
        "showHeader": true
      }
    }
  ],
  "refresh": "5m",
  "schemaVersion": 41,
  "tags": [
    "homelab",
    "dawarich"
  ],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-30d",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "browser",
  "title": "Dawarich",
  "uid": "dawarich",
  "version": 5,
  "weekStart": ""
 }
@@ -1,204 +0,0 @@
 {
  "uid": "ha-solar-pv",
  "title": "Solar PV System",
  "tags": ["solar", "solaredge", "homeassistant", "energy"],
  "timezone": "browser",
  "schemaVersion": 39,
  "version": 1,
  "refresh": "30s",
  "time": { "from": "now-24h", "to": "now" },
  "templating": { "list": [] },
  "annotations": { "list": [] },
  "panels": [
    {
      "id": 1,
      "title": "Power",
      "type": "timeseries",
      "gridPos": { "h": 11, "w": 12, "x": 0, "y": 0 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "unit": "kwatt", "custom": { "drawStyle": "line", "fillOpacity": 30, "lineWidth": 1, "showPoints": "never" } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Solar Produktion" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#73bf69" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Strom Verbrauch" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#fade2a" } } ] }
        ]
      },
      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["lastNotNull"] }, "tooltip": { "mode": "multi" } },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_pv_live_power' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'kallihome_live_load_power' AND $__timeFilter(time) ORDER BY time" }
      ]
    },
    {
      "id": 2,
      "title": "Aktuelle Solar Produktion",
      "type": "bargauge",
      "gridPos": { "h": 4, "w": 6, "x": 12, "y": 0 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "kwatt", "min": 0, "max": 8, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "displayMode": "lcd", "orientation": "horizontal", "showUnfilled": true },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_pv_live_power' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 3,
      "title": "Strom Produziert (Heute)",
      "type": "gauge",
      "gridPos": { "h": 7, "w": 6, "x": 18, "y": 0 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "kwatth", "min": 0, "max": 50, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 4,
      "title": "Produktion und Verbrauch kWh",
      "type": "bargauge",
      "gridPos": { "h": 7, "w": 6, "x": 12, "y": 4 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "unit": "kwatth", "min": 0, "color": { "mode": "continuous-GrYlRd" } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Solar Produktion" } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Netzbezug" } ] }
        ]
      },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "displayMode": "lcd", "orientation": "horizontal", "showUnfilled": true },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_grid_import_today' AND $__timeFilter(time) ORDER BY time" }
      ]
    },
    {
      "id": 5,
      "title": "Tages Produktion 30 Tage Übersicht",
      "type": "barchart",
      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 11 },
      "timeFrom": "30d",
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "kwatth", "color": { "mode": "continuous-GrYlRd" }, "custom": { "fillOpacity": 80, "gradientMode": "scheme", "lineWidth": 1 } }, "overrides": [] },
      "options": { "orientation": "vertical", "showValue": "never", "xField": "time", "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "table", "rawSql": "SELECT date_bin(INTERVAL '1 day', time) AS time, max(value) AS value FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' AND $__timeFilter(time) GROUP BY 1 ORDER BY 1" } ]
    },
    {
      "id": 6,
      "title": "Speicher-Ladestand",
      "type": "gauge",
      "gridPos": { "h": 4, "w": 6, "x": 18, "y": 7 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "percent", "min": 0, "max": 100, "thresholds": { "mode": "absolute", "steps": [ { "color": "red", "value": null }, { "color": "yellow", "value": 20 }, { "color": "green", "value": 50 } ] } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": true },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"%\" WHERE entity_id = 'solaredge_local_i1_b1_state_of_energy' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 7,
      "title": "Erreichte TOP kWh an einem Tag",
      "type": "bargauge",
      "gridPos": { "h": 4, "w": 12, "x": 12, "y": 11 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "unit": "kwatth", "min": 0, "max": 50, "color": { "mode": "continuous-GrYlRd" } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Bester Wert bis jetzt" } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Heute" } ] }
        ]
      },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "displayMode": "lcd", "orientation": "horizontal", "showUnfilled": true },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "table", "rawSql": "SELECT max(d) AS value FROM (SELECT date_bin(INTERVAL '1 day', time) AS day, max(value) AS d FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' AND time > now() - INTERVAL '365 days' GROUP BY 1)" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "table", "rawSql": "SELECT value FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' ORDER BY time DESC LIMIT 1" }
      ]
    },
    {
      "id": 8,
      "title": "Gesamt Produktion kWh",
      "type": "stat",
      "gridPos": { "h": 4, "w": 12, "x": 12, "y": 15 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "kwatth", "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "value", "graphMode": "area", "textMode": "value" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_local_i1_ac_energy' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 9,
      "title": "Netzbilanz (heute)",
      "type": "bargauge",
      "gridPos": { "h": 4, "w": 12, "x": 0, "y": 19 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "unit": "kwatth", "min": 0, "color": { "mode": "continuous-GrYlRd" } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Netzbezug" } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Einspeisung" } ] }
        ]
      },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "displayMode": "lcd", "orientation": "horizontal", "showUnfilled": true },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_grid_import_today' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_grid_export_today' AND $__timeFilter(time) ORDER BY time" }
      ]
    },
    {
      "id": 10,
      "title": "Netz & Batterie (Verlauf)",
      "type": "timeseries",
      "gridPos": { "h": 7, "w": 24, "x": 0, "y": 23 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "unit": "kwatt", "custom": { "drawStyle": "line", "fillOpacity": 10, "lineWidth": 2 } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Netzbezug" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#fa5252" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Einspeisung" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#4dabf7" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "C" }, "properties": [ { "id": "displayName", "value": "Speicher laden" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#37b24d" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "D" }, "properties": [ { "id": "displayName", "value": "Speicher entladen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#d6336c" } } ] }
        ]
      },
      "options": { "legend": { "displayMode": "list", "placement": "bottom" }, "tooltip": { "mode": "multi" } },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_grid_import_power' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_grid_export_power' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "C", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_battery_charge_power' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "D", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_battery_discharge_power' AND $__timeFilter(time) ORDER BY time" }
      ]
    },
    {
      "id": 11,
      "title": "Wallbox – Ladeleistung",
      "type": "timeseries",
      "gridPos": { "h": 7, "w": 12, "x": 0, "y": 30 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "kwatt", "color": { "mode": "fixed", "fixedColor": "#9775fa" }, "custom": { "drawStyle": "line", "fillOpacity": 20, "lineWidth": 2 } }, "overrides": [] },
      "options": { "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'eh7klptt_leistung' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 12,
      "title": "Ladeleistung",
      "type": "gauge",
      "gridPos": { "h": 7, "w": 6, "x": 12, "y": 30 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "kwatt", "min": 0, "max": 11, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'eh7klptt_leistung' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 13,
      "title": "Gesamt geladen",
      "type": "stat",
      "gridPos": { "h": 4, "w": 6, "x": 18, "y": 30 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "kwatth", "color": { "mode": "fixed", "fixedColor": "#9775fa" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "value", "graphMode": "area", "textMode": "value" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'eh7klptt_gesamtenergie' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 14,
      "title": "Aktuelle Session",
      "type": "stat",
      "gridPos": { "h": 3, "w": 6, "x": 18, "y": 34 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "kwatth", "color": { "mode": "fixed", "fixedColor": "#4dabf7" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "value", "graphMode": "none", "textMode": "value" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'eh7klptt_sitzungsenergie' AND $__timeFilter(time) ORDER BY time" } ]
    }
  ]
 }
@@ -1,165 +0,0 @@
 {
  "uid": "ha-weather-archive",
  "title": "Wetterarchiv KalliHome",
  "tags": ["weather", "ecowitt", "homeassistant"],
  "timezone": "browser",
  "schemaVersion": 39,
  "version": 2,
  "refresh": "1m",
  "time": { "from": "now-7d", "to": "now" },
  "templating": { "list": [] },
  "annotations": { "list": [] },
  "panels": [
    {
      "id": 1,
      "title": "Außentemperatur",
      "type": "gauge",
      "gridPos": { "h": 5, "w": 4, "x": 0, "y": 0 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "celsius", "min": -10, "max": 40, "color": { "mode": "continuous-BlYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_outdoor_temperature' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 2,
      "title": "Luftfeuchte",
      "type": "gauge",
      "gridPos": { "h": 5, "w": 4, "x": 4, "y": 0 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "percent", "min": 0, "max": 100, "color": { "mode": "continuous-BlYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"%\" WHERE entity_id = 'gw3000a_humidity' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 3,
      "title": "Wind",
      "type": "gauge",
      "gridPos": { "h": 5, "w": 4, "x": 8, "y": 0 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "velocitykmh", "min": 0, "max": 60, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"km/h\" WHERE entity_id = 'gw3000a_wind_speed' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 4,
      "title": "UV-Index",
      "type": "gauge",
      "gridPos": { "h": 5, "w": 4, "x": 12, "y": 0 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "short", "min": 0, "max": 11, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"UV index\" WHERE entity_id = 'gw3000a_uv_index' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 5,
      "title": "Solarstrahlung",
      "type": "gauge",
      "gridPos": { "h": 5, "w": 4, "x": 16, "y": 0 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "wattm2", "min": 0, "max": 1200, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"W/m²\" WHERE entity_id = 'gw3000a_solar_radiation' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 6,
      "title": "Luftdruck",
      "type": "stat",
      "gridPos": { "h": 5, "w": 4, "x": 20, "y": 0 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "pressurehpa", "color": { "mode": "fixed", "fixedColor": "#4dabf7" } }, "overrides": [] },
      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "value", "graphMode": "area", "textMode": "value" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"hPa\" WHERE entity_id = 'gw3000a_relative_pressure' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 7,
      "title": "Temperatur (°C)",
      "type": "timeseries",
      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 5 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "unit": "celsius", "custom": { "drawStyle": "line", "fillOpacity": 12, "lineWidth": 2, "showPoints": "never" } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Außen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#fa5252" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Gefühlt" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#ff922b" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "C" }, "properties": [ { "id": "displayName", "value": "Taupunkt" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#4dabf7" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "D" }, "properties": [ { "id": "displayName", "value": "Innen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#82c91e" } } ] }
        ]
      },
      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["lastNotNull"] }, "tooltip": { "mode": "multi" } },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_outdoor_temperature' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_feels_like_temperature' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "C", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_dewpoint' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "D", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_indoor_temperature' AND $__timeFilter(time) ORDER BY time" }
      ]
    },
    {
      "id": 8,
      "title": "Luftfeuchte (%)",
      "type": "timeseries",
      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 5 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "unit": "percent", "min": 0, "max": 100, "custom": { "drawStyle": "line", "fillOpacity": 12, "lineWidth": 2, "showPoints": "never" } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Außen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#4dabf7" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Innen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#82c91e" } } ] }
        ]
      },
      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["lastNotNull"] }, "tooltip": { "mode": "multi" } },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"%\" WHERE entity_id = 'gw3000a_humidity' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"%\" WHERE entity_id = 'gw3000a_indoor_humidity' AND $__timeFilter(time) ORDER BY time" }
      ]
    },
    {
      "id": 9,
      "title": "Solarstrahlung (W/m²)",
      "type": "timeseries",
      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 13 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "wattm2", "color": { "mode": "fixed", "fixedColor": "#f2b705" }, "custom": { "drawStyle": "line", "fillOpacity": 35, "lineWidth": 1, "showPoints": "never", "gradientMode": "opacity" } }, "overrides": [] },
      "options": { "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"W/m²\" WHERE entity_id = 'gw3000a_solar_radiation' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 10,
      "title": "Wind (km/h)",
      "type": "timeseries",
      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 13 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "unit": "velocitykmh", "custom": { "drawStyle": "line", "fillOpacity": 10, "lineWidth": 2, "showPoints": "never" } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Wind" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#15aabf" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Böe" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#fab005" } } ] }
        ]
      },
      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["lastNotNull", "max"] }, "tooltip": { "mode": "multi" } },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"km/h\" WHERE entity_id = 'gw3000a_wind_speed' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"km/h\" WHERE entity_id = 'gw3000a_wind_gust' AND $__timeFilter(time) ORDER BY time" }
      ]
    },
    {
      "id": 11,
      "title": "Regen pro Tag (mm)",
      "type": "barchart",
      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 21 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "lengthmm", "color": { "mode": "fixed", "fixedColor": "#4dabf7" }, "custom": { "fillOpacity": 80, "lineWidth": 1 } }, "overrides": [] },
      "options": { "orientation": "vertical", "showValue": "auto", "xField": "time", "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "table", "rawSql": "SELECT date_bin(INTERVAL '1 day', time) AS time, max(value) AS value FROM \"mm\" WHERE entity_id = 'gw3000a_daily_rain' AND $__timeFilter(time) GROUP BY 1 ORDER BY 1" } ]
    },
    {
      "id": 12,
      "title": "Luftdruck (hPa)",
      "type": "timeseries",
      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 21 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "pressurehpa", "decimals": 0, "color": { "mode": "fixed", "fixedColor": "#9775fa" }, "custom": { "drawStyle": "line", "fillOpacity": 10, "lineWidth": 2, "showPoints": "never" } }, "overrides": [] },
      "options": { "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"hPa\" WHERE entity_id = 'gw3000a_relative_pressure' AND $__timeFilter(time) ORDER BY time" } ]
    }
  ]
 }
@@ -1,213 +0,0 @@
 {
  "uid": "ha-weather-day-report",
  "title": "Wetterbericht KalliHome",
  "tags": ["weather", "ecowitt", "homeassistant", "report"],
  "timezone": "Europe/Berlin",
  "schemaVersion": 39,
  "version": 5,
  "refresh": "",
  "time": { "from": "now-1d/d", "to": "now/d" },
  "templating": { "list": [] },
  "annotations": { "list": [] },
  "links": [
    { "asDropdown": true, "icon": "external link", "includeVars": false, "keepTime": false, "tags": ["weather"], "targetBlank": false, "title": "Wetter-Dashboards", "tooltip": "", "type": "dashboards", "url": "" }
  ],
  "panels": [
    {
      "id": 2,
      "title": "",
      "type": "text",
      "gridPos": { "h": 3, "w": 24, "x": 0, "y": 0 },
      "options": {
        "mode": "markdown",
        "content": "**Wetterbericht – Tag auswählen.** Standard: **gestern** (ganzer Tag, Europe/Berlin). Anderen Tag: Zeitbereich oben rechts → *Absolute time range* → z. B. From `2026-06-15 00:00:00`, To `2026-06-16 00:00:00`. Alle Tage als Liste: **[Wetter-Tagesberichte](/d/ha-weather-report-history)** (Datum anklicken)."
      }
    },
    {
      "id": 3,
      "title": "Bewertung des Tages",
      "type": "stat",
      "gridPos": { "h": 3, "w": 24, "x": 0, "y": 3 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": {
          "color": { "mode": "thresholds" },
          "thresholds": { "mode": "absolute", "steps": [ { "color": "#868e96", "value": null } ] },
          "mappings": [
            { "type": "value", "options": {
              "0": { "text": "Sonnig & warm", "color": "#ff922b", "index": 0 },
              "1": { "text": "Warm", "color": "#fab005", "index": 1 },
              "2": { "text": "Regnerisch", "color": "#4dabf7", "index": 2 },
              "3": { "text": "Wechselhaft", "color": "#868e96", "index": 3 },
              "4": { "text": "Kalt", "color": "#74c0fc", "index": 4 }
            } }
          ]
        },
        "overrides": []
      },
      "options": {
        "reduceOptions": { "values": false, "calcs": ["lastNotNull"], "fields": "" },
        "orientation": "horizontal",
        "colorMode": "background",
        "graphMode": "none",
        "justifyMode": "center",
        "textMode": "value",
        "wideLayout": true
      },
      "targets": [
        {
          "refId": "A",
          "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
          "rawQuery": true,
          "format": "table",
          "rawSql": "WITH t AS (SELECT 1 AS k, max(value) AS tmax FROM \"°C\" WHERE entity_id = 'gw3000a_outdoor_temperature' AND $__timeFilter(time)), s AS (SELECT 1 AS k, max(value) AS smax FROM \"W/m²\" WHERE entity_id = 'gw3000a_solar_radiation' AND $__timeFilter(time)), u AS (SELECT 1 AS k, max(value) AS uvmax FROM \"UV index\" WHERE entity_id = 'gw3000a_uv_index' AND $__timeFilter(time)), r AS (SELECT 1 AS k, max(value) AS rain FROM \"mm\" WHERE entity_id = 'gw3000a_daily_rain' AND $__timeFilter(time)) SELECT CASE WHEN s.smax >= 700 AND u.uvmax >= 6 THEN 0 WHEN coalesce(r.rain, 0) >= 5 THEN 2 WHEN t.tmax >= 25 THEN 1 WHEN t.tmax <= 5 THEN 4 ELSE 3 END AS code FROM t LEFT JOIN s ON s.k = t.k LEFT JOIN u ON u.k = t.k LEFT JOIN r ON r.k = t.k"
        }
      ]
    },
    {
      "id": 10,
      "title": "Temp max",
      "type": "gauge",
      "gridPos": { "h": 6, "w": 4, "x": 0, "y": 6 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "celsius", "min": -10, "max": 40, "decimals": 1, "color": { "mode": "continuous-BlYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "values": false, "calcs": ["max"], "fields": "" }, "showThresholdMarkers": false, "orientation": "auto" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_outdoor_temperature' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 11,
      "title": "Temp min",
      "type": "gauge",
      "gridPos": { "h": 6, "w": 4, "x": 4, "y": 6 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "celsius", "min": -10, "max": 40, "decimals": 1, "color": { "mode": "continuous-BlYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "values": false, "calcs": ["min"], "fields": "" }, "showThresholdMarkers": false, "orientation": "auto" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_outdoor_temperature' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 12,
      "title": "Luftfeuchte Ø",
      "type": "gauge",
      "gridPos": { "h": 6, "w": 4, "x": 8, "y": 6 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "percent", "min": 0, "max": 100, "decimals": 0, "color": { "mode": "continuous-BlYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "values": false, "calcs": ["mean"], "fields": "" }, "showThresholdMarkers": false, "orientation": "auto" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"%\" WHERE entity_id = 'gw3000a_humidity' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 13,
      "title": "Böe max",
      "type": "gauge",
      "gridPos": { "h": 6, "w": 4, "x": 12, "y": 6 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "velocitykmh", "min": 0, "max": 80, "decimals": 1, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "values": false, "calcs": ["max"], "fields": "" }, "showThresholdMarkers": false, "orientation": "auto" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"km/h\" WHERE entity_id = 'gw3000a_wind_gust' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 14,
      "title": "UV max",
      "type": "gauge",
      "gridPos": { "h": 6, "w": 4, "x": 16, "y": 6 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "short", "min": 0, "max": 12, "decimals": 1, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "values": false, "calcs": ["max"], "fields": "" }, "showThresholdMarkers": false, "orientation": "auto" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"UV index\" WHERE entity_id = 'gw3000a_uv_index' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 15,
      "title": "Solar max",
      "type": "gauge",
      "gridPos": { "h": 6, "w": 4, "x": 20, "y": 6 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "wattm2", "min": 0, "max": 1000, "decimals": 0, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
      "options": { "reduceOptions": { "values": false, "calcs": ["max"], "fields": "" }, "showThresholdMarkers": false, "orientation": "auto" },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"W/m²\" WHERE entity_id = 'gw3000a_solar_radiation' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 16,
      "title": "",
      "type": "stat",
      "gridPos": { "h": 4, "w": 8, "x": 0, "y": 12 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "celsius", "decimals": 1, "displayName": "Gefühlt max", "color": { "mode": "fixed", "fixedColor": "#ff922b" } }, "overrides": [] },
      "options": { "reduceOptions": { "values": false, "calcs": ["max"], "fields": "" }, "colorMode": "value", "graphMode": "area", "justifyMode": "auto", "textMode": "value_and_name", "wideLayout": true },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_feels_like_temperature' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 17,
      "title": "",
      "type": "stat",
      "gridPos": { "h": 4, "w": 8, "x": 8, "y": 12 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": {
          "unit": "lengthmm",
          "decimals": 1,
          "displayName": "Regen",
          "noValue": "0 mm",
          "color": { "mode": "thresholds" },
          "thresholds": { "mode": "absolute", "steps": [
            { "color": "#868e96", "value": null },
            { "color": "#4dabf7", "value": 0.2 },
            { "color": "#1c7ed6", "value": 5 },
            { "color": "#1864ab", "value": 15 }
          ] }
        },
        "overrides": []
      },
      "options": { "reduceOptions": { "values": false, "calcs": ["max"], "fields": "" }, "colorMode": "value", "graphMode": "area", "justifyMode": "auto", "textMode": "value_and_name", "wideLayout": true },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"mm\" WHERE entity_id = 'gw3000a_daily_rain' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 18,
      "title": "",
      "type": "stat",
      "gridPos": { "h": 4, "w": 8, "x": 16, "y": 12 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": { "defaults": { "unit": "pressurehpa", "decimals": 0, "displayName": "Luftdruck Ø", "color": { "mode": "fixed", "fixedColor": "#3bc9db" } }, "overrides": [] },
      "options": { "reduceOptions": { "values": false, "calcs": ["mean"], "fields": "" }, "colorMode": "value", "graphMode": "area", "justifyMode": "auto", "textMode": "value_and_name", "wideLayout": true },
      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"hPa\" WHERE entity_id = 'gw3000a_relative_pressure' AND $__timeFilter(time) ORDER BY time" } ]
    },
    {
      "id": 20,
      "title": "Temperatur über den Tag",
      "type": "timeseries",
      "gridPos": { "h": 9, "w": 12, "x": 0, "y": 16 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "unit": "celsius", "custom": { "drawStyle": "line", "fillOpacity": 12, "lineWidth": 2, "showPoints": "never" } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Außen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#fa5252" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Gefühlt" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#ff922b" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "C" }, "properties": [ { "id": "displayName", "value": "Taupunkt" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#4dabf7" } } ] }
        ]
      },
      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["min", "max"] }, "tooltip": { "mode": "multi" } },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_outdoor_temperature' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_feels_like_temperature' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "C", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_dewpoint' AND $__timeFilter(time) ORDER BY time" }
      ]
    },
    {
      "id": 21,
      "title": "Sonne: Solarstrahlung & UV",
      "type": "timeseries",
      "gridPos": { "h": 9, "w": 12, "x": 12, "y": 16 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": { "custom": { "drawStyle": "line", "fillOpacity": 30, "lineWidth": 1, "showPoints": "never", "gradientMode": "opacity" } },
        "overrides": [
          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Solar" }, { "id": "unit", "value": "wattm2" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#f2b705" } } ] },
          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "UV-Index" }, { "id": "unit", "value": "short" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#ff6b6b" } }, { "id": "custom.axisPlacement", "value": "right" }, { "id": "custom.fillOpacity", "value": 0 }, { "id": "custom.lineWidth", "value": 2 } ] }
        ]
      },
      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["max"] }, "tooltip": { "mode": "multi" } },
      "targets": [
        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"W/m²\" WHERE entity_id = 'gw3000a_solar_radiation' AND $__timeFilter(time) ORDER BY time" },
        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"UV index\" WHERE entity_id = 'gw3000a_uv_index' AND $__timeFilter(time) ORDER BY time" }
      ]
    }
  ]
 }
@@ -1,55 +0,0 @@
 {
  "uid": "ha-weather-report-history",
  "title": "Wetter-Tagesberichte KalliHome",
  "tags": ["weather", "ecowitt", "homeassistant", "report"],
  "timezone": "Europe/Berlin",
  "schemaVersion": 39,
  "version": 1,
  "refresh": "",
  "time": { "from": "now-30d/d", "to": "now/d" },
  "templating": { "list": [] },
  "annotations": { "list": [] },
  "links": [
    { "asDropdown": true, "icon": "external link", "includeVars": false, "keepTime": false, "tags": ["weather"], "targetBlank": false, "title": "Wetter-Dashboards", "tooltip": "", "type": "dashboards", "url": "" }
  ],
  "panels": [
    {
      "id": 2,
      "title": "",
      "type": "text",
      "gridPos": { "h": 4, "w": 24, "x": 0, "y": 0 },
      "options": {
        "mode": "markdown",
        "content": "## Wetter-Tagesberichte\n\nEine Zeile pro Tag im gewählten Zeitbereich (Standard: letzte 30 Tage, Europe/Berlin). **Auf das Datum klicken** öffnet den ausführlichen [Tagesbericht](/d/ha-weather-day-report) für genau diesen Tag. Zeitbereich oben rechts ändern, um weiter zurückzublättern.\n\nHinweis: Die Tagesgrenzen dieser Übersicht liegen auf UTC-Mitternacht (~01:00/02:00 Europe/Berlin); der verlinkte Tagesbericht zeigt das gewählte Tagesfenster vollständig an. Regen ist der Tages-Maximalwert von `gw3000a_daily_rain`."
      }
    },
    {
      "id": 1,
      "title": "Tagesübersicht",
      "type": "table",
      "gridPos": { "h": 20, "w": 24, "x": 0, "y": 4 },
      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
      "fieldConfig": {
        "defaults": {
          "custom": { "align": "left", "cellOptions": { "type": "auto" }, "filterable": true, "inspect": false }
        },
        "overrides": [
          { "matcher": { "id": "byName", "options": "from_ms" }, "properties": [ { "id": "custom.hidden", "value": true } ] },
          { "matcher": { "id": "byName", "options": "to_ms" }, "properties": [ { "id": "custom.hidden", "value": true } ] },
          { "matcher": { "id": "byName", "options": "Datum" }, "properties": [ { "id": "links", "value": [ { "title": "Tagesbericht öffnen", "url": "/d/ha-weather-day-report?from=${__data.fields.from_ms}&to=${__data.fields.to_ms}&timezone=Europe/Berlin", "targetBlank": true } ] } ] },
          { "matcher": { "id": "byName", "options": "Bewertung" }, "properties": [ { "id": "custom.cellOptions", "value": { "type": "color-text" } }, { "id": "mappings", "value": [ { "type": "value", "options": { "Sonnig, warm": { "color": "#ffa94d", "index": 0 }, "Warm": { "color": "#ffd43b", "index": 1 }, "Regnerisch": { "color": "#4dabf7", "index": 2 }, "Kalt": { "color": "#74c0fc", "index": 3 }, "Unauffaellig": { "color": "#adb5bd", "index": 4 } } } ] } ] }
        ]
      },
      "options": { "showHeader": true, "cellHeight": "sm", "footer": { "show": false, "reducer": ["sum"], "countRows": false }, "sortBy": [ { "displayName": "Datum", "desc": true } ] },
      "targets": [
        {
          "refId": "A",
          "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
          "rawQuery": true,
          "format": "table",
          "rawSql": "WITH t AS (SELECT date_bin(INTERVAL '1 day', time) AS d, min(value) AS tmin, max(value) AS tmax, avg(value) AS tavg FROM \"°C\" WHERE entity_id = 'gw3000a_outdoor_temperature' AND $__timeFilter(time) GROUP BY 1), r AS (SELECT date_bin(INTERVAL '1 day', time) AS d, max(value) AS rain FROM \"mm\" WHERE entity_id = 'gw3000a_daily_rain' AND $__timeFilter(time) GROUP BY 1), u AS (SELECT date_bin(INTERVAL '1 day', time) AS d, max(value) AS uvmax FROM \"UV index\" WHERE entity_id = 'gw3000a_uv_index' AND $__timeFilter(time) GROUP BY 1), s AS (SELECT date_bin(INTERVAL '1 day', time) AS d, max(value) AS smax FROM \"W/m²\" WHERE entity_id = 'gw3000a_solar_radiation' AND $__timeFilter(time) GROUP BY 1), wg AS (SELECT date_bin(INTERVAL '1 day', time) AS d, max(value) AS wmax FROM \"km/h\" WHERE entity_id = 'gw3000a_wind_gust' AND $__timeFilter(time) GROUP BY 1) SELECT cast(cast(t.d AS date) AS varchar) AS \"Datum\", CASE WHEN s.smax >= 700 AND u.uvmax >= 6 THEN 'Sonnig, warm' WHEN t.tmax >= 25 THEN 'Warm' WHEN coalesce(r.rain, 0) >= 5 THEN 'Regnerisch' WHEN t.tmax <= 5 THEN 'Kalt' ELSE 'Unauffaellig' END AS \"Bewertung\", round(t.tmin, 1) AS \"T min °C\", round(t.tmax, 1) AS \"T max °C\", round(t.tavg, 1) AS \"T Mittel °C\", round(coalesce(r.rain, 0), 1) AS \"Regen mm\", round(u.uvmax, 1) AS \"UV max\", round(wg.wmax, 1) AS \"Böe max km/h\", cast(extract(epoch FROM t.d) AS bigint) * 1000 AS from_ms, cast(extract(epoch FROM t.d + INTERVAL '1 day') AS bigint) * 1000 AS to_ms FROM t LEFT JOIN r ON r.d = t.d LEFT JOIN u ON u.d = t.d LEFT JOIN s ON s.d = t.d LEFT JOIN wg ON wg.d = t.d ORDER BY t.d DESC"
        }
      ]
    }
  ]
 }
@@ -31,19 +31,3 @@ datasources:
      insecureGrpc: true
    secureJsonData:
      token: $GRAFANA_INFLUXDB_TOKEN
  # Wetter-/Langzeitarchiv aus Home Assistant (Ecowitt). Gleiche InfluxDB-Instanz,
  # aber Datenbank `homeassistant`; gleicher Admin-Read-Token.
  - name: InfluxDB HA Weather
    uid: ha-weather-influx
    type: influxdb
    access: proxy
    url: http://influxdb3-core:8181
    editable: false
    jsonData:
      version: SQL
      dbName: homeassistant
      httpMode: POST
      insecureGrpc: true
    secureJsonData:
      token: $GRAFANA_INFLUXDB_TOKEN
@@ -1,18 +0,0 @@
 apiVersion: 1
 datasources:
  - name: Dawarich PostgreSQL
    uid: dawarich-postgres
    type: postgres
    access: proxy
    url: dawarich_db:5432
    database: dawarich_production
    user: dawarich_grafana_ro
    editable: false
    jsonData:
      database: dawarich_production
      sslmode: disable
      postgresVersion: 1700
      timescaledb: false
    secureJsonData:
      password: $DAWARICH_GRAFANA_RO_PASSWORD
@@ -131,78 +131,6 @@ groups:
          summary: "Latest Borg backup completed with warnings"
          description: "The latest Borg UI job completed with warnings for archive {{ $labels.archive }}."
      - alert: HomelabBorgScopeSourceListMissing
        expr: homelab_borg_scope_expected_file_present != 1
        for: 15m
        labels:
          severity: critical
        annotations:
          summary: "Borg expected source list is not visible"
          description: "Borg UI cannot see the repo source list used for drift checks."
      - alert: HomelabBorgScopeMissingSources
        expr: homelab_borg_scope_missing_sources_total > 0
        for: 15m
        labels:
          severity: critical
        annotations:
          summary: "Borg UI is missing expected backup sources"
          description: "Borg UI is missing {{ $value }} source path(s) from ops/borg-ui/all-important-sources.txt."
      - alert: HomelabBorgScopeExtraSources
        expr: homelab_borg_scope_extra_sources_total > 0
        for: 30m
        labels:
          severity: warning
        annotations:
          summary: "Borg UI has sources not tracked in the repo"
          description: "Borg UI has {{ $value }} source path(s) that are not listed in ops/borg-ui/all-important-sources.txt."
      - alert: HomelabBorgDumpMissing
        expr: homelab_borg_dump_present == 0
        for: 15m
        labels:
          severity: critical
        annotations:
          summary: "Borg pre-backup dump is missing: {{ $labels.dump }}"
          description: "Expected dump artifact {{ $labels.dump }} is not present in the latest dump set. The pre-backup dump job may have failed or stopped."
      - alert: HomelabBorgDumpStale
        expr: homelab_borg_dump_age_seconds > 30 * 60 * 60
        for: 15m
        labels:
          severity: critical
        annotations:
          summary: "Borg pre-backup dump is stale: {{ $labels.dump }}"
          description: "Dump artifact {{ $labels.dump }} is older than 30 hours. pre-backup-dumps.sh may have stopped; Borg would keep archiving stale database content without a job failure."
      - alert: HomelabBorgRepositoryCheckStale
        expr: time() - homelab_borg_repository_last_check_timestamp_seconds > 14 * 24 * 60 * 60
        for: 30m
        labels:
          severity: warning
        annotations:
          summary: "Borg repository check is stale"
          description: "Borg repository {{ $labels.repository }} has not had a recorded check for more than 14 days."
      - alert: HomelabBorgRetentionDisabled
        expr: homelab_borg_schedule_prune_after_enabled != 1
        for: 30m
        labels:
          severity: warning
        annotations:
          summary: "Borg retention pruning is disabled"
          description: "Scheduled Borg job {{ $labels.schedule }} does not run prune after backup."
      - alert: HomelabBorgCompactDisabled
        expr: homelab_borg_schedule_compact_after_enabled != 1
        for: 30m
        labels:
          severity: warning
        annotations:
          summary: "Borg compaction is disabled"
          description: "Scheduled Borg job {{ $labels.schedule }} does not run compact after backup."
      - alert: HomelabCriticalContainerDown
        expr: homelab_critical_container_running == 0
        for: 5m
@@ -5,7 +5,7 @@ global:
    site: kallilabcore
 rule_files:
-  - /etc/prometheus/config/alerts.yml
+  - /etc/prometheus/alerts.yml
 alerting:
  alertmanagers:
@@ -36,20 +36,6 @@ scrape_configs:
      - targets:
          - traefik:8082
  - job_name: dawarich
    metrics_path: /metrics
    basic_auth:
      username: prometheus
      password_file: /run/secrets/dawarich_metrics_password
    http_headers:
      X-Forwarded-Proto:
        values:
          - https
    static_configs:
      # Dawarich >= 1.7.7 serves aggregated web + Sidekiq metrics here.
      - targets:
          - dawarich_app:3000
  - job_name: blackbox-http
    metrics_path: /probe
    params:
@@ -1,6 +1,6 @@
 # Borg Backup Scope for KalliLabcore
-Stand: 2026-06-17
+Stand: 2026-05-31
 This file defines the target state for replacing Backrest with Borg in this homelab.
@@ -38,7 +38,7 @@ The Unraid flash configuration archive is intentional as well and must be treate
 | Traefik | file data | `/local/appdata/traefik` |
 | ntfy | file data | `/local/appdata/ntfy` |
 | Paperless-GPT | file data | `/local/appdata/paperless-gpt` |
-| Tailscale | Flash config artifact | covered by `/local/borg-dumps/unraid-flash-config.tar.gz`; no active `/local/appdata/tailscale` path |
+| Tailscale | file data | `/local/appdata/tailscale` |
 | AdGuard | config only | `/local/appdata/adguard/conf` |
 | Borg UI | SQLite dump + self-backup | `/local/borg-dumps`, `/local/appdata/borg-ui/data` |
 | Komodo | config + Mongo dump | `/local/borg-dumps`, `/local/appdata/komodo/periphery`, `/local/appdata/komodo/core` |
@@ -48,12 +48,7 @@ The Unraid flash configuration archive is intentional as well and must be treate
 | Grafana | SQLite dump from `monitoring_grafana_data` + provisioned config in Git | `/local/borg-dumps`, `monitoring/grafana/provisioning`, `monitoring/grafana/dashboards` |
 | Filebrowser | file-backed state dump + file data | `/local/borg-dumps`, `/local/appdata/filebrowser` |
 | InfluxDB 3 Core | file data | `/local/appdata/influxdb3/data`, `/local/appdata/influxdb3/plugins` |
-| n8n | SQLite dump + encrypted workflow/credential state | `/local/borg-dumps`, `/local/appdata/n8n/data` |
+| Hermes Agent | file data + SSH key | `/local/appdata/hermes-agent/data`, `/local/secrets/hermes_runner_id_ed25519` |
 | Home Assistant | HA-native backup + file state | `/local/appdata/homeassistant`, `/local/services/smart-home-kalli` |
 | Smart-Home MQTT / Mosquitto | file data | `/local/appdata/mosquitto/config`, `/local/appdata/mosquitto/data` |
 | Zigbee2MQTT (planned) | file data + coordinator state | `/local/appdata/zigbee2mqtt`, `/local/services/smart-home-kalli` |
 | ESPHome (planned) | Fachrepo + optional build/runtime cache | `/local/services/smart-home-kalli/esphome`, optional `/local/appdata/esphome` |
 | Hermes Agent | file data + SSH key | SSH-Key via `/local/secrets`; `/local/appdata/hermes-agent/data` ist bewusst NICHT in `all-important-sources.txt`, weil der Stack geparkt ist (Review 2026-07-25). Beim Aktivieren des Stacks in die Quellliste aufnehmen. |
 | BentoPDF | rebuildable | no critical persistence in compose |
 ## Open Decisions and Coverage Gaps
@@ -72,17 +67,6 @@ Option A umgesetzt: `pre-backup-dumps.sh` writes `nextcloud.dump` from `nextclou
 The live Unraid User Scripts execute repo scripts from `/mnt/user/services/homelab-infra`, while Komodo keeps stack workspaces below `/mnt/user/services/stacks`. These paths are now mounted into Borg UI as `/local/services/...` and included explicitly so host-side script hotfixes, stack workspace state, and posture-check state are recoverable.
 ### User-Daten-Shares ausserhalb des App-Scope
 Filebrowser serviert `/mnt/user/projekte`, `/mnt/user/documents` und `/mnt/user/photos` komplett (`ops/filebrowser/docker-compose.yml`). Der Borg-Scope deckt aber bewusst nur die App-Unterordner ab (`documents/paperless*`, `documents/nextcloud-data`, `documents/scans_inbox`, `photos/immich`, `photos/family_archive`).
 - **`/mnt/user/projekte`** ist aktuell in **keinem** Borg-Scope. Ad-hoc-Dateien, die direkt unter `documents/` oder `photos/` (ausserhalb der genannten App-Ordner) abgelegt werden, ebenfalls nicht.
 - Entscheidung Operator offen (Eintrag in `docs/MASTER_TODO.md`): Entweder `projekte` als eigenen read-only Borg-UI-Mount + Quelllisten-Eintrag aufnehmen, oder bewusst als "nur lokal, nicht DR-relevant" bestaetigen. Bis zur Entscheidung gilt: dort liegende Originaldaten sind **nicht** wiederherstellbar.
 ### Komodo keys
 Production still stores Komodo Core/Periphery keys in the Docker named volume `komodo_komodo_keys`. This is a known open migration item and is not fixed by the Borg source list alone. Target state: move the keys to a host path such as `/mnt/user/appdata/komodo/keys` and mount that path into both Komodo containers, then include it in Borg. Do not treat this as solved until the live Compose stack has been migrated and Periphery reconnect has been verified.
 ## Database Dumps Required
 ### Shared PostgreSQL (`postgresql17`, runtime PostgreSQL 18)
@@ -101,10 +85,8 @@ Production still stores Komodo Core/Periphery keys in the Docker named volume `k
 - Komodo MongoDB
 - SQLite: `gitea`, `vaultwarden`, `speedtest-tracker`, `borg-ui`, `grafana`
 - SQLite: `n8n` (`n8n.sqlite.dump`, credentials require the matching `N8N_ENCRYPTION_KEY`)
 - File-backed state: `filebrowser.bolt.dump`
 - Unraid flash config: `unraid-flash-config.tar.gz` plus `unraid-flash-config.tar.gz.sha256`
 - Home Assistant native backups: created by HA under `/mnt/user/appdata/homeassistant/backups` and captured as file state
 ## Explicitly Not Backed Up as Raw Live DB Files
@@ -14,20 +14,11 @@
 /local/appdata/traefik
 /local/appdata/ntfy
 /local/appdata/paperless-gpt
 /local/appdata/tailscale
 /local/appdata/adguard/conf
 /local/appdata/borg-ui/data
 /local/appdata/komodo/periphery
 /local/appdata/komodo/core
 /local/appdata/nextcloud/html
 /local/nextcloud/data
 /local/appdata/n8n/data
 /local/appdata/filebrowser
 /local/appdata/influxdb3/data
 /local/appdata/influxdb3/plugins
 /local/services/homelab-infra
 /local/services/smart-home-kalli
 /local/services/stacks
 /local/services/posture-check
 /local/appdata/homeassistant
 /local/appdata/mosquitto/config
 /local/appdata/mosquitto/data
@@ -1,6 +1,6 @@
 services:
  borg-ui:
-    image: ainullcode/borg-ui@sha256:e51b3d2e6cb38d1ba127ef60ba442c1e157965327196e6f7afb69f30c0ba99d1
+    image: ainullcode/borg-ui@sha256:0922157e8f77a1b2bd23cd09366a458ea6de07fd9306aa1485f9cfe623eca17f
    container_name: borg-ui
    restart: unless-stopped
    security_opt:
@@ -325,7 +325,6 @@ main() {
  # Additional host-side SQLite dumps for admin tooling with appdata files.
  dump_sqlite_file "/mnt/user/appdata/borg-ui/data/borg.db" "$LATEST_DIR/borg-ui.sqlite" "borg-ui"
  dump_sqlite_file "/var/lib/docker/volumes/monitoring_grafana_data/_data/grafana.db" "$LATEST_DIR/grafana.sqlite" "grafana"
  dump_sqlite_file "/mnt/user/appdata/n8n/data/database.sqlite" "$LATEST_DIR/n8n.sqlite.dump" "n8n"
  # MongoDB
  dump_mongo_container "komodo-mongo" "$LATEST_DIR/komodo-mongo.archive.gz"
@@ -22,31 +22,12 @@ case "${DUMP_ROOT:-}" in
    ;;
 esac
 # Externer Dead-Man's-Switch (endpoint-agnostisch: Healthchecks.io-Cloud oder
 # self-hosted). ntfy meldet nur Fehler eines tatsaechlich gestarteten Laufs;
 # der externe Switch faengt zusaetzlich den Fall ab, dass der Pre-Hook gar nicht
 # laeuft. Die Ping-URL ist eine Capability-URL -> wie ein Secret behandeln,
 # niemals ins Repo. Ist keine URL gesetzt, ist der Switch ein No-Op.
 HEALTHCHECKS_URL="${HEALTHCHECKS_URL:-${HEALTHCHECKS_BORG_URL:-}}"
 HEALTHCHECKS_URL_FILE="${HEALTHCHECKS_URL_FILE:-/mnt/user/appdata/secrets/healthchecks_borg_url}"
 if [ -z "$HEALTHCHECKS_URL" ] && [ -r "$HEALTHCHECKS_URL_FILE" ]; then
  HEALTHCHECKS_URL="$(tr -d '[:space:]' < "$HEALTHCHECKS_URL_FILE")"
 fi
 hc_ping() {
  # $1: optionaler Suffix ("/start" | "/fail"); leer = Erfolg
  [ -n "$HEALTHCHECKS_URL" ] || return 0
  command -v curl >/dev/null 2>&1 || return 0
  curl -fsS -m 10 --retry 3 "${HEALTHCHECKS_URL}${1:-}" >/dev/null 2>&1 || true
 }
 notify_failure() {
  local step="$1"
  local message="$2"
  if [ -x "$NTFY_SCRIPT" ]; then
    "$NTFY_SCRIPT" "$NTFY_TOPIC" "Borg pre-hook failed: $step" "$message" high || true
  fi
  hc_ping "/fail"
 }
 run_step() {
@@ -63,8 +44,6 @@ run_step() {
  fi
 }
 hc_ping "/start"
 echo "[pre-borg] Running posture-check"
 if "$POSTURE_CHECK"; then
  echo "[pre-borg] OK: posture-check"
@@ -81,4 +60,3 @@ run_step "pre-backup-dumps" "$PRE_BACKUP_DUMPS"
 run_step "restore-freshness" env DUMP_ROOT="$FRESHNESS_DUMP_ROOT" "$FRESHNESS_CHECK"
 echo "[pre-borg] All pre-flight checks passed"
 hc_ping
@@ -1,6 +1,6 @@
 services:
  code-server:
-    image: lscr.io/linuxserver/code-server:4.125.0@sha256:7e9523734c003b6336781942df7b48aa6936a9df6931c12a19a1f7ad7858eeba
+    image: lscr.io/linuxserver/code-server:4.123.0@sha256:cb261a7f87674b445e0fd66d87d55900c1b823d276c727ab0d168a75e69e9992
    container_name: code-server
    restart: unless-stopped
    security_opt:
@@ -1,6 +1,6 @@
 services:
  filebrowser:
-    image: filebrowser/filebrowser:v2.63.16@sha256:a6653eb79ecf8312f4f6bf0d0adf65d81016f17a92d64d5b2562340984e39405
+    image: filebrowser/filebrowser:v2.63.14@sha256:1ec9b0c68297550c92f4a93feed432850c2993b261706cc3cc2e808f94a95e76
    container_name: filebrowser
    restart: unless-stopped
    security_opt:
@@ -1,182 +0,0 @@
 /* ============================================================
   KalliLab "Neon Ops v2" - Glance Custom CSS
   Rotierende Akzentfarben pro Widget, Gradient-Zahlen,
   animierte Header-Linien, kraeftige Glows
   ============================================================ */
 /* --- Akzentfarben rotieren ueber die Widgets --- */
 .widget                  { --kl-accent: 205 100% 60%; }
 .widget:nth-of-type(4n+2) { --kl-accent: 172 95% 48%; }
 .widget:nth-of-type(4n+3) { --kl-accent: 38 100% 55%; }
 .widget:nth-of-type(4n)   { --kl-accent: 145 85% 50%; }
 /* --- Seiten-Hintergrund: kraeftigere Farb-Glows --- */
 body {
  background:
    radial-gradient(1300px 700px at 85% -10%, hsla(205, 100%, 55%, 0.13), transparent 60%),
    radial-gradient(1000px 600px at -10% 25%, hsla(172, 95%, 45%, 0.09), transparent 55%),
    radial-gradient(900px 700px at 50% 115%, hsla(38, 100%, 50%, 0.07), transparent 60%),
    var(--color-background);
  background-attachment: fixed;
 }
 /* --- Widgets als Karten mit Akzentrand --- */
 .widget {
  background: linear-gradient(
    160deg,
    hsla(220, 30%, 100%, 0.05),
    hsla(220, 30%, 100%, 0.015)
  );
  border: 1px solid hsl(var(--kl-accent) / 0.18);
  border-radius: 14px;
  padding: 14px 16px;
  box-shadow:
    0 10px 30px hsla(220, 60%, 3%, 0.4),
    0 0 24px hsl(var(--kl-accent) / 0.06),
    inset 0 1px 0 hsla(220, 40%, 90%, 0.05);
  transition: border-color 0.2s ease, box-shadow 0.25s ease;
 }
 .widget:hover {
  border-color: hsl(var(--kl-accent) / 0.55);
  box-shadow:
    0 12px 36px hsla(220, 60%, 3%, 0.45),
    0 0 36px hsl(var(--kl-accent) / 0.16),
    inset 0 1px 0 hsla(220, 40%, 90%, 0.07);
 }
 /* Widgets in Gruppen/Tabs nicht doppelt einrahmen */
 .widget .widget {
  background: none;
  border: none;
  border-radius: 0;
  padding: 0;
  box-shadow: none;
 }
 /* --- Widget-Titel: animierte Farbverlaufs-Linie in Akzentfarbe --- */
 .widget-header {
  letter-spacing: 0.14em;
  position: relative;
  padding-bottom: 7px;
  margin-bottom: 4px;
  color: hsl(var(--kl-accent) / 0.85);
 }
 .widget-header::after {
  content: "";
  position: absolute;
  left: 0;
  bottom: 0;
  width: 64px;
  height: 2px;
  border-radius: 2px;
  background: linear-gradient(
    90deg,
    hsl(var(--kl-accent)),
    hsl(var(--kl-accent) / 0.25),
    hsl(var(--kl-accent))
  );
  background-size: 200% 100%;
  animation: kl-shimmer 4s linear infinite;
 }
@keyframes kl-shimmer {
  0%   { background-position: 0% 0; }
  100% { background-position: 200% 0; }
 }
 /* --- Grosse Zahlen: Gradient-Text + Glow --- */
 .color-highlight.size-h2,
 .color-highlight.size-h3,
 .color-primary.size-h2,
 .color-primary.size-h3 {
  background: linear-gradient(
    120deg,
    hsl(var(--kl-accent)),
    hsl(var(--kl-accent) / 0.55) 60%,
    hsl(210, 30%, 95%)
  );
  -webkit-background-clip: text;
  background-clip: text;
  color: transparent;
  filter: drop-shadow(0 0 14px hsl(var(--kl-accent) / 0.35));
 }
 .color-positive {
  text-shadow: 0 0 16px hsla(150, 95%, 45%, 0.45);
 }
 .color-negative {
  text-shadow: 0 0 16px hsla(350, 95%, 58%, 0.45);
 }
 /* --- Status-Punkte leuchten --- */
 .monitor-site-status-icon-compact,
 .monitor-site-status-icon {
  filter: drop-shadow(0 0 7px hsla(150, 95%, 45%, 0.55));
 }
 /* --- Navigation --- */
 .nav-item.nav-item-current {
  text-shadow: 0 0 18px hsla(212, 100%, 60%, 0.6);
 }
 /* --- Suchleiste --- */
 .search {
  border: 1px solid hsla(212, 90%, 65%, 0.2);
  border-radius: 12px;
  background: hsla(220, 30%, 100%, 0.04);
  transition: border-color 0.2s ease, box-shadow 0.2s ease;
 }
 .search:focus-within {
  border-color: hsla(212, 100%, 60%, 0.55);
  box-shadow: 0 0 0 3px hsla(212, 100%, 55%, 0.15), 0 0 28px hsla(212, 100%, 55%, 0.12);
 }
 /* --- Server-Stats: Balken rund, gradient, glow --- */
 .progress-bar {
  border: none;
  height: 13px;
  border-radius: 999px;
  background: hsla(220, 30%, 60%, 0.12);
  box-shadow: inset 0 1px 3px hsla(220, 60%, 3%, 0.5);
  overflow: hidden;
 }
 .progress-value {
  border-radius: 999px;
  background: linear-gradient(90deg, hsl(205, 100%, 55%), hsl(172, 95%, 48%));
  box-shadow: 0 0 10px hsla(205, 100%, 55%, 0.35);
 }
 .progress-value-notice {
  background: linear-gradient(90deg, hsl(38, 100%, 55%), hsl(355, 90%, 60%));
  box-shadow: 0 0 12px hsla(355, 90%, 58%, 0.45);
 }
 /* --- Feinschliff --- */
 ::selection {
  background: hsla(212, 100%, 50%, 0.35);
 }
 ::-webkit-scrollbar {
  width: 10px;
 }
 ::-webkit-scrollbar-thumb {
  background: hsla(220, 30%, 50%, 0.25);
  border-radius: 8px;
 }
 ::-webkit-scrollbar-thumb:hover {
  background: hsla(212, 80%, 55%, 0.45);
 }
 /* Reduzierte Bewegung respektieren */
@media (prefers-reduced-motion: reduce) {
  .widget-header::after {
    animation: none;
  }
 }
@@ -1,287 +0,0 @@
 traefik:
  name: Traefik
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/traefik.svg
  url: https://traefik.kaleschke.info
  description: Reverse Proxy
  category: core
  hide: false
 gitea:
  name: Gitea
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
  url: https://git.kaleschke.info
  description: GitOps Origin
  category: core
  hide: false
 authelia:
  name: Authelia
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/authelia.svg
  url: https://auth.kaleschke.info
  description: ForwardAuth
  category: core
  hide: false
 vaultwarden:
  name: Vaultwarden
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/vaultwarden.svg
  url: https://vault.kaleschke.info
  description: Password Vault
  category: core
  hide: false
 postgresql17:
  name: PostgreSQL 18
  icon: si:postgresql
  description: Shared DB
  category: core
  hide: false
 Redis:
  name: Redis
  icon: si:redis
  description: Shared Cache
  category: core
  hide: false
 adguard:
  name: AdGuard
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/adguard-home.svg
  url: http://192.168.178.58:8082
  description: DNS Filter
  category: network
  hide: false
 unbound:
  name: Unbound
  icon: mdi:dns
  description: Upstream Resolver
  category: network
  hide: false
 ddns-updater:
  name: DDNS Updater
  icon: mdi:cloud-sync
  description: Cloudflare DNS
  category: network
  hide: false
 paperless-ngx:
  name: Paperless-ngx
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/paperless-ngx.svg
  url: https://paperless.kaleschke.info
  description: Dokumente
  category: apps
  hide: false
 paperless-gpt:
  name: Paperless-GPT
  icon: mdi:robot
  url: https://paperless-gpt.kaleschke.info
  description: Dokumenten-KI
  category: apps
  hide: false
 immich_server:
  name: Immich
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
  url: https://immich.kaleschke.info
  description: Fotos und Videos
  category: apps
  id: immich
  hide: false
 immich_postgres:
  name: DB
  parent: immich
  category: apps
  hide: false
 immich_redis:
  name: Redis
  parent: immich
  category: apps
  hide: false
 immich_machine_learning:
  name: ML
  parent: immich
  category: apps
  hide: false
 mealie:
  name: Mealie
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mealie.svg
  url: https://mealie.kaleschke.info
  description: Rezepte
  category: apps
  id: mealie
  hide: false
 mealie-postgres:
  name: DB
  parent: mealie
  category: apps
  hide: false
 nextcloud:
  name: Nextcloud
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/nextcloud.svg
  url: https://cloud.kaleschke.info
  description: Dateien und Sync
  category: apps
  id: nextcloud
  hide: false
 nextcloud-postgres:
  name: DB
  parent: nextcloud
  category: apps
  hide: false
 nextcloud-redis:
  name: Redis
  parent: nextcloud
  category: apps
  hide: false
 mail-archiver:
  name: Mail Archiver
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mailcow.svg
  url: https://mail.kaleschke.info
  description: Mail-Archiv
  category: apps
  hide: false
 ntfy:
  name: ntfy
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/ntfy.svg
  url: https://ntfy.kaleschke.info
  description: Push Alerts
  category: apps
  hide: false
 bentopdf:
  name: BentoPDF
  icon: mdi:file-pdf-box
  url: https://pdf.kaleschke.info
  description: PDF Tools
  category: apps
  hide: false
 glance:
  name: Glance
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glance.svg
  url: https://glance.kaleschke.info
  description: Homelab Uebersicht
  category: ops
  hide: false
 glance-docker-socket-proxy:
  name: Glance Socket Proxy
  icon: si:docker
  description: Read-only Docker API
  category: ops
  hide: false
 monitoring-grafana:
  name: Monitoring Grafana
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/grafana.svg
  url: https://monitoring.kaleschke.info
  description: Observability UI
  category: ops
  id: monitoring
  hide: false
 monitoring-prometheus:
  name: Prometheus
  parent: monitoring
  category: ops
  hide: false
 monitoring-loki:
  name: Loki
  parent: monitoring
  category: ops
  hide: false
 monitoring-promtail:
  name: Promtail
  parent: monitoring
  category: ops
  hide: false
 monitoring-alertmanager:
  name: Alertmanager
  parent: monitoring
  category: ops
  hide: false
 monitoring-alertmanager-ntfy-bridge:
  name: ntfy Bridge
  parent: monitoring
  category: ops
  hide: false
 monitoring-blackbox-exporter:
  name: Blackbox
  parent: monitoring
  category: ops
  hide: false
 monitoring-node-exporter:
  name: Node Exporter
  parent: monitoring
  category: ops
  hide: false
 monitoring-cadvisor:
  name: cAdvisor
  parent: monitoring
  category: ops
  hide: false
 monitoring-influxdb3-core:
  name: InfluxDB 3
  parent: monitoring
  category: ops
  hide: false
 glances:
  name: Glances
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glances.svg
  url: https://glances.kaleschke.info
  description: Host-Monitoring
  category: ops
  hide: false
 scrutiny:
  name: Scrutiny
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/scrutiny.svg
  url: https://scrutiny.kaleschke.info
  description: SMART
  category: ops
  hide: false
 speedtest-tracker:
  name: Speedtest
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/speedtest-tracker.png
  url: https://speedtest.kaleschke.info
  description: WAN-Messung
  category: ops
  hide: false
 filebrowser:
  name: Filebrowser
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/filebrowser.svg
  url: https://files.kaleschke.info
  description: Dateizugriff
  category: ops
  hide: false
 code-server:
  name: code-server
  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/vscode.svg
  url: https://code.kaleschke.info
  description: Web IDE
  category: ops
  hide: false
 borg-ui:
  name: Borg UI
  icon: mdi:archive-sync
  url: https://borg.kaleschke.info
  description: Backup und Restore
  category: ops
  hide: false
 hermes-dashboard:
  name: Hermes
  icon: mdi:shield-sparkles
  url: https://hermes.kaleschke.info
  description: Ops Agent UI
  category: ops
  id: hermes
  hide: false
 hermes-gateway:
  name: Gateway
  parent: hermes
  category: ops
  hide: false
 komodo-core:
  name: Komodo
  icon: sh:komodo
  url: https://komodo.kaleschke.info
  description: Stack Manager
  category: ops
  id: komodo
  hide: false
 komodo-mongo:
  name: Mongo
  parent: komodo
  category: ops
  hide: false
 komodo-periphery:
  name: Periphery
  parent: komodo
  category: ops
  hide: false
@@ -1,6 +1,5 @@
 server:
  proxied: true
  assets-path: /app/assets
 branding:
  app-name: KalliLab Dashboard
@@ -8,45 +7,867 @@ branding:
  hide-footer: true
 theme:
-  background-color: 222 14 8
+  background-color: 210 20 13
-  primary-color: 205 100 58
+  primary-color: 212 100 50
-  positive-color: 150 80 45
+  positive-color: 140 70 40
-  negative-color: 355 90 60
+  negative-color: 4 78 57
-  contrast-multiplier: 1.3
+  contrast-multiplier: 1.25
-  text-saturation-multiplier: 0.5
+  text-saturation-multiplier: 0.9
  disable-picker: false
  custom-css-file: /assets/custom.css
  presets:
    catppuccin-mocha:
      background-color: 240 21 15
      primary-color: 217 92 83
      positive-color: 115 54 76
      negative-color: 347 70 65
      contrast-multiplier: 1.2
    gruvbox-dark:
      background-color: 0 0 16
      primary-color: 43 59 81
      positive-color: 61 66 44
      negative-color: 6 96 59
    kallilab-light:
      light: true
      background-color: 220 23 95
      primary-color: 212 100 35
      positive-color: 140 70 30
      negative-color: 0 70 45
    synthwave:
      background-color: 265 35 10
      primary-color: 320 100 65
      positive-color: 175 100 50
      negative-color: 0 100 65
      contrast-multiplier: 1.3
    matrix:
      background-color: 130 25 6
      primary-color: 130 100 55
      positive-color: 130 100 45
      negative-color: 35 100 55
      contrast-multiplier: 1.25
      text-saturation-multiplier: 1.2
 pages:
-  $include: pages.yml
+  - name: Home
    slug: home
    width: wide
    head-widgets:
      - type: search
        search-engine: duckduckgo
        new-tab: true
        autofocus: true
        placeholder: Suche im Web oder springe per Bang...
        bangs:
          - title: Gitea
            shortcut: "!git"
            url: https://git.kaleschke.info/explore/repos?q={QUERY}
          - title: Paperless
            shortcut: "!doc"
            url: https://paperless.kaleschke.info/documents?query={QUERY}
          - title: Nextcloud
            shortcut: "!cloud"
            url: https://cloud.kaleschke.info/apps/files/?dir=/{QUERY}
          - title: Komodo
            shortcut: "!komodo"
            url: https://komodo.kaleschke.info
    columns:
      - size: small
        widgets:
          - type: group
            widgets:
              - type: custom-api
                title: Day
                body-type: string
                skip-json-validation: true
                cache: 1s
                template: |
                  {{ $localTime := now }}
                  {{ $elapsedSeconds := add (mul $localTime.Hour 3600) (mul $localTime.Minute 60) | add $localTime.Second }}
                  {{ $dayProgress := div (mul $elapsedSeconds 100.0) 86400.0 }}
                  {{ $gradient := "#70a1ff" }}
                  {{ if gt $dayProgress 25.0 }}{{ $gradient = "#ff6b6b, #70a1ff" }}{{ end }}
                  {{ if gt $dayProgress 50.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df" }}{{ end }}
                  {{ if gt $dayProgress 75.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df, #70a1ff" }}{{ end }}
                  <div style="text-align: center;">
                    <div style="width: 100%; height: 12px; background: #23262f; border: 1px solid color-mix(in srgb, var(--color-text-subdue) 55%, transparent); border-radius: 10px; overflow: hidden;">
                      <div style="height: 100%; width: {{ $dayProgress }}%; background: linear-gradient(90deg, {{ $gradient }});"></div>
                    </div>
                    <div class="size-h1" style="margin-top: 6px;">{{ printf "%.2f" $dayProgress }}% des Tages sind vorbei</div>
                  </div>
              - type: custom-api
                title: Month
                body-type: string
                skip-json-validation: true
                cache: 1s
                template: |
                  {{ $localTime := now }}
                  {{ $month := $localTime.Month }}
                  {{ $daysInMonth := 31 }}
                  {{ if eq $month 2 }}{{ $daysInMonth = 28 }}{{ end }}
                  {{ if or (eq $month 4) (eq $month 6) (eq $month 9) (eq $month 11) }}{{ $daysInMonth = 30 }}{{ end }}
                  {{ $secondsToday := add (mul $localTime.Hour 3600) (mul $localTime.Minute 60) | add $localTime.Second }}
                  {{ $daysElapsed := add (sub $localTime.Day 1) (div $secondsToday 86400.0) }}
                  {{ $monthProgress := mul (div $daysElapsed $daysInMonth) 100.0 }}
                  {{ $gradient := "#70a1ff" }}
                  {{ if gt $monthProgress 25.0 }}{{ $gradient = "#ff6b6b, #70a1ff" }}{{ end }}
                  {{ if gt $monthProgress 50.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df" }}{{ end }}
                  {{ if gt $monthProgress 75.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df, #70a1ff" }}{{ end }}
                  <div style="text-align: center;">
                    <div style="width: 100%; height: 12px; background: #23262f; border: 1px solid color-mix(in srgb, var(--color-text-subdue) 55%, transparent); border-radius: 10px; overflow: hidden;">
                      <div style="height: 100%; width: {{ $monthProgress }}%; background: linear-gradient(90deg, {{ $gradient }});"></div>
                    </div>
                    <div class="size-h1" style="margin-top: 6px;">{{ printf "%.2f" $monthProgress }}% des Monats sind vorbei</div>
                  </div>
              - type: custom-api
                title: Year
                body-type: string
                skip-json-validation: true
                cache: 1s
                template: |
                  {{ $localTime := now }}
                  {{ $secondsToday := add (mul $localTime.Hour 3600) (mul $localTime.Minute 60) | add $localTime.Second }}
                  {{ $secondsElapsed := add (mul (sub $localTime.YearDay 1) 86400) $secondsToday }}
                  {{ $yearProgress := div (mul $secondsElapsed 100.0) (mul 365 86400) }}
                  {{ $gradient := "#70a1ff" }}
                  {{ if gt $yearProgress 25.0 }}{{ $gradient = "#ff6b6b, #70a1ff" }}{{ end }}
                  {{ if gt $yearProgress 50.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df" }}{{ end }}
                  {{ if gt $yearProgress 75.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df, #70a1ff" }}{{ end }}
                  <div style="text-align: center;">
                    <div style="width: 100%; height: 12px; background: #23262f; border: 1px solid color-mix(in srgb, var(--color-text-subdue) 55%, transparent); border-radius: 10px; overflow: hidden;">
                      <div style="height: 100%; width: {{ $yearProgress }}%; background: linear-gradient(90deg, {{ $gradient }});"></div>
                    </div>
                    <div class="size-h1" style="margin-top: 6px;">{{ printf "%.2f" $yearProgress }}% des Jahres sind vorbei</div>
                  </div>
          - type: clock
            hour-format: 24h
            show-progress: true
            timezones:
              - timezone: Europe/Berlin
                label: Berlin
              - timezone: UTC
                label: UTC
          - type: calendar
            first-day-of-week: monday
          - type: bookmarks
            title: Direkte Einstiege
            groups:
              - title: Core
                color: 212 100 50
                links:
                  - title: Komodo
                    url: https://komodo.kaleschke.info
                    icon: sh:komodo
                  - title: Gitea
                    url: https://git.kaleschke.info
                    icon: si:gitea
                  - title: Monitoring
                    url: https://monitoring.kaleschke.info
                    icon: si:grafana
              - title: Ops
                color: 45 70 55
                links:
                  - title: Borg
                    url: https://borg.kaleschke.info
                    icon: mdi:archive
                  - title: Glances
                    url: https://glances.kaleschke.info
                    icon: sh:glances
                  - title: Scrutiny
                    url: https://scrutiny.kaleschke.info
                    icon: sh:scrutiny
      - size: full
        widgets:
          - type: server-stats
            title: Server Stats
            servers:
              - type: local
                name: Kallilabcore
                hide-mountpoints-by-default: false
          - type: group
            widgets:
              - type: custom-api
                title: Immich
                title-url: https://immich.kaleschke.info
                cache: 10m
                url: http://immich_server:2283/api/server/statistics
                headers:
                  x-api-key: ${GLANCE_IMMICH_API_KEY}
                subrequests:
                  storage:
                    url: http://immich_server:2283/api/server/storage
                    headers:
                      x-api-key: ${GLANCE_IMMICH_API_KEY}
                template: |
                  {{ $photos := .JSON.Int "photos" }}
                  {{ $videos := .JSON.Int "videos" }}
                  {{ $usageGiB := div (toFloat (.JSON.Int "usage")) 1073741824.0 }}
                  {{ $storage := .Subrequest "storage" }}
                  {{ $storageOK := and (ge $storage.Response.StatusCode 200) (le $storage.Response.StatusCode 299) }}
                  {{ $percentage := 0.0 }}
                  {{ if $storageOK }}{{ $percentage = $storage.JSON.Float "diskUsagePercentage" }}{{ end }}
                  <div class="flex justify-between text-center">
                    <div>
                      <div class="color-highlight size-h3">{{ $photos | formatNumber }}</div>
                      <div class="size-h6 uppercase">Fotos</div>
                    </div>
                    <div>
                      <div class="color-highlight size-h3">{{ $videos | formatNumber }}</div>
                      <div class="size-h6 uppercase">Videos</div>
                    </div>
                    <div>
                      <div class="color-highlight size-h3">{{ printf "%.0f" $usageGiB }} GiB</div>
                      <div class="size-h6 uppercase">Medien</div>
                    </div>
                  </div>
                  <div style="height: 8px; margin-top: 14px; border-radius: 999px; overflow: hidden; background: color-mix(in srgb, var(--color-text-subdue) 22%, transparent);">
                    <div style="height: 100%; width: {{ if $storageOK }}{{ printf "%.1f" $percentage }}%{{ else }}0%{{ end }}; border-radius: 999px; background: var(--color-primary);"></div>
                  </div>
                  <div class="size-h6 color-subdue" style="margin-top: 8px;">{{ if $storageOK }}{{ printf "%.1f" $percentage }}% Speicher belegt{{ else }}Speicher API nicht verfuegbar{{ end }}</div>
          - type: monitor
            title: Homelab Status
            cache: 1m
            sites:
              - title: AdGuard Home
                url: http://192.168.178.58:8082
                check-url: http://adguard
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/adguard-home.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Authelia
                url: https://auth.kaleschke.info
                check-url: http://authelia:9091/api/health
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/authelia.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Gitea
                url: https://git.kaleschke.info
                check-url: http://gitea:3000/api/healthz
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Traefik
                url: https://traefik.kaleschke.info
                check-url: http://traefik:8082/metrics
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/traefik.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Vaultwarden
                url: https://vault.kaleschke.info
                check-url: http://vaultwarden/alive
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/vaultwarden.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Komodo
                url: https://komodo.kaleschke.info
                check-url: http://komodo-core:9120
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/komodo.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Paperless-ngx
                url: https://paperless.kaleschke.info
                check-url: http://paperless-ngx:8000
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/paperless-ngx.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Paperless-GPT
                url: https://paperless-gpt.kaleschke.info
                check-url: http://paperless-gpt:8080
                icon: mdi:robot
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Immich
                url: https://immich.kaleschke.info
                check-url: http://immich_server:2283/api/server/ping
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Mealie
                url: https://mealie.kaleschke.info
                check-url: http://mealie:9000
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mealie.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Nextcloud
                url: https://cloud.kaleschke.info
                check-url: http://nextcloud/status.php
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/nextcloud.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: ntfy
                url: https://ntfy.kaleschke.info
                check-url: http://ntfy/v1/health
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/ntfy.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Mail Archiver
                url: https://mail.kaleschke.info
                check-url: http://mail-archiver:5000
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mailcow.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: BentoPDF
                url: https://pdf.kaleschke.info
                check-url: http://bentopdf:8080
                icon: mdi:file-pdf-box
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Glance
                url: https://glance.kaleschke.info
                check-url: http://glance:8080
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glance.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Monitoring Grafana
                url: https://monitoring.kaleschke.info
                check-url: http://monitoring-grafana:3000/api/health
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/grafana.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Glances
                url: https://glances.kaleschke.info
                check-url: http://glances:61208
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glances.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Scrutiny
                url: https://scrutiny.kaleschke.info
                check-url: http://scrutiny:8080
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/scrutiny.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Speedtest Tracker
                url: https://speedtest.kaleschke.info
                check-url: http://speedtest-tracker
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/speedtest-tracker.png
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Filebrowser
                url: https://files.kaleschke.info
                check-url: http://filebrowser
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/filebrowser.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: code-server
                url: https://code.kaleschke.info
                check-url: http://code-server:8443
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/vscode.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Borg UI
                url: https://borg.kaleschke.info
                check-url: http://borg-ui:8081
                icon: mdi:archive-sync
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
      - size: small
        widgets:
          - type: custom-api
            title: Internet
            title-url: https://speedtest.kaleschke.info
            cache: 1h
            url: http://speedtest-tracker/api/v1/results/latest
            headers:
              Authorization: Bearer ${GLANCE_SPEEDTEST_API_KEY}
              Accept: application/json
            template: |
              {{ $ip := .JSON.String "external_ip" }}
              {{ if eq $ip "" }}{{ $ip = .JSON.String "data.interface.externalIp" }}{{ end }}
              {{ $isp := .JSON.String "isp" }}
              {{ if eq $isp "" }}{{ $isp = .JSON.String "data.isp" }}{{ end }}
              {{ $server := .JSON.String "server_name" }}
              {{ if eq $server "" }}{{ $server = .JSON.String "data.server_name" }}{{ end }}
              <div style="display: flex; flex-direction: column; align-items: center; gap: 6px; text-align: center;">
                <div class="color-primary size-h2" style="font-weight: 700;">{{ if ne $ip "" }}{{ $ip }}{{ else }}WAN online{{ end }}</div>
                <div class="size-h5 color-highlight">Speedtest Tracker</div>
                <div class="size-h6 color-subdue" style="font-style: italic;">{{ if ne $isp "" }}{{ $isp }}{{ else }}{{ $server }}{{ end }}</div>
              </div>
          - type: custom-api
            title: Internet Speed
            title-url: https://speedtest.kaleschke.info
            cache: 1h
            url: http://speedtest-tracker/api/v1/results/latest
            headers:
              Authorization: Bearer ${GLANCE_SPEEDTEST_API_KEY}
              Accept: application/json
            subrequests:
              stats:
                url: http://speedtest-tracker/api/v1/stats
                headers:
                  Authorization: Bearer ${GLANCE_SPEEDTEST_API_KEY}
                  Accept: application/json
            template: |
              {{ $stats := .Subrequest "stats" }}
              {{ $download := .JSON.Float "download" }}
              {{ if eq $download 0.0 }}{{ $download = .JSON.Float "data.download" }}{{ end }}
              {{ if eq $download 0.0 }}{{ $download = div (.JSON.Float "download_bits") 1000000.0 }}{{ end }}
              {{ if eq $download 0.0 }}{{ $download = div (.JSON.Float "data.download_bits") 1000000.0 }}{{ end }}
              {{ $upload := .JSON.Float "upload" }}
              {{ if eq $upload 0.0 }}{{ $upload = .JSON.Float "data.upload" }}{{ end }}
              {{ if eq $upload 0.0 }}{{ $upload = div (.JSON.Float "upload_bits") 1000000.0 }}{{ end }}
              {{ if eq $upload 0.0 }}{{ $upload = div (.JSON.Float "data.upload_bits") 1000000.0 }}{{ end }}
              {{ $ping := .JSON.Float "ping" }}
              {{ if eq $ping 0.0 }}{{ $ping = .JSON.Float "data.ping" }}{{ end }}
              {{ $downloadAvg := $stats.JSON.Float "avg_download" }}
              {{ if eq $downloadAvg 0.0 }}{{ $downloadAvg = $stats.JSON.Float "data.download.avg" }}{{ end }}
              {{ if eq $downloadAvg 0.0 }}{{ $downloadAvg = div ($stats.JSON.Float "data.download.avg_bits") 1000000.0 }}{{ end }}
              {{ $uploadAvg := $stats.JSON.Float "avg_upload" }}
              {{ if eq $uploadAvg 0.0 }}{{ $uploadAvg = $stats.JSON.Float "data.upload.avg" }}{{ end }}
              {{ if eq $uploadAvg 0.0 }}{{ $uploadAvg = div ($stats.JSON.Float "data.upload.avg_bits") 1000000.0 }}{{ end }}
              {{ $pingAvg := $stats.JSON.Float "avg_ping" }}
              {{ if eq $pingAvg 0.0 }}{{ $pingAvg = $stats.JSON.Float "data.ping.avg" }}{{ end }}
              {{ $downloadChange := percentChange $downloadAvg $download }}
              {{ $uploadChange := percentChange $uploadAvg $upload }}
              {{ $pingChange := percentChange $pingAvg $ping }}
              <div class="flex justify-between text-center margin-block-3">
                <div>
                  <div class="size-small {{ if lt $downloadChange 0.0 }}color-negative{{ else }}color-positive{{ end }}">{{ printf "%+.1f%%" $downloadChange }}</div>
                  <div class="color-highlight size-h3">{{ printf "%.1f" $download }}</div>
                  <div class="size-h6 color-subdue">DOWNLOAD</div>
                </div>
                <div>
                  <div class="size-small {{ if lt $uploadChange 0.0 }}color-negative{{ else }}color-positive{{ end }}">{{ printf "%+.1f%%" $uploadChange }}</div>
                  <div class="color-highlight size-h3">{{ printf "%.1f" $upload }}</div>
                  <div class="size-h6 color-subdue">UPLOAD</div>
                </div>
                <div>
                  <div class="size-small {{ if gt $pingChange 0.0 }}color-negative{{ else }}color-positive{{ end }}">{{ printf "%+.1f%%" $pingChange }}</div>
                  <div class="color-highlight size-h3">{{ printf "%.0f ms" $ping }}</div>
                  <div class="size-h6 color-subdue">PING</div>
                </div>
              </div>
          - type: dns-stats
            title: DNS Stats
            service: adguard
            url: http://adguard
            username: ${GLANCE_ADGUARD_USERNAME}
            password: ${GLANCE_ADGUARD_PASSWORD}
          - type: monitor
            title: DNS und VPN
            cache: 1m
            sites:
              - title: AdGuard Home
                url: http://192.168.178.58:8082
                check-url: http://adguard
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/adguard-home.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Traefik
                url: https://traefik.kaleschke.info
                check-url: http://traefik:8082/metrics
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/traefik.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
          - type: docker-containers
            title: Network Container
            category: network
            hide-by-default: true
            sock-path: tcp://glance-docker-socket-proxy:2375
            containers: &containers
              traefik:
                name: Traefik
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/traefik.svg
                url: https://traefik.kaleschke.info
                description: Reverse Proxy
                category: core
                hide: false
              gitea:
                name: Gitea
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
                url: https://git.kaleschke.info
                description: GitOps Origin
                category: core
                hide: false
              authelia:
                name: Authelia
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/authelia.svg
                url: https://auth.kaleschke.info
                description: ForwardAuth
                category: core
                hide: false
              vaultwarden:
                name: Vaultwarden
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/vaultwarden.svg
                url: https://vault.kaleschke.info
                description: Password Vault
                category: core
                hide: false
              postgresql17:
                name: PostgreSQL 18
                icon: si:postgresql
                description: Shared DB
                category: core
                hide: false
              Redis:
                name: Redis
                icon: si:redis
                description: Shared Cache
                category: core
                hide: false
              adguard:
                name: AdGuard
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/adguard-home.svg
                url: http://192.168.178.58:8082
                description: DNS Filter
                category: network
                hide: false
              unbound:
                name: Unbound
                icon: mdi:dns
                description: Upstream Resolver
                category: network
                hide: false
              ddns-updater:
                name: DDNS Updater
                icon: mdi:cloud-sync
                description: Cloudflare DNS
                category: network
                hide: false
              paperless-ngx:
                name: Paperless-ngx
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/paperless-ngx.svg
                url: https://paperless.kaleschke.info
                description: Dokumente
                category: apps
                hide: false
              paperless-gpt:
                name: Paperless-GPT
                icon: mdi:robot
                url: https://paperless-gpt.kaleschke.info
                description: Dokumenten-KI
                category: apps
                hide: false
              immich_server:
                name: Immich
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
                url: https://immich.kaleschke.info
                description: Fotos und Videos
                category: apps
                id: immich
                hide: false
              immich_postgres:
                name: DB
                parent: immich
                category: apps
                hide: false
              immich_redis:
                name: Redis
                parent: immich
                category: apps
                hide: false
              immich_machine_learning:
                name: ML
                parent: immich
                category: apps
                hide: false
              mealie:
                name: Mealie
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mealie.svg
                url: https://mealie.kaleschke.info
                description: Rezepte
                category: apps
                id: mealie
                hide: false
              mealie-postgres:
                name: DB
                parent: mealie
                category: apps
                hide: false
              nextcloud:
                name: Nextcloud
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/nextcloud.svg
                url: https://cloud.kaleschke.info
                description: Dateien und Sync
                category: apps
                id: nextcloud
                hide: false
              nextcloud-postgres:
                name: DB
                parent: nextcloud
                category: apps
                hide: false
              nextcloud-redis:
                name: Redis
                parent: nextcloud
                category: apps
                hide: false
              mail-archiver:
                name: Mail Archiver
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mailcow.svg
                url: https://mail.kaleschke.info
                description: Mail-Archiv
                category: apps
                hide: false
              ntfy:
                name: ntfy
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/ntfy.svg
                url: https://ntfy.kaleschke.info
                description: Push Alerts
                category: apps
                hide: false
              bentopdf:
                name: BentoPDF
                icon: mdi:file-pdf-box
                url: https://pdf.kaleschke.info
                description: PDF Tools
                category: apps
                hide: false
              glance:
                name: Glance
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glance.svg
                url: https://glance.kaleschke.info
                description: Homelab Uebersicht
                category: ops
                hide: false
              glance-docker-socket-proxy:
                name: Glance Socket Proxy
                icon: si:docker
                description: Read-only Docker API
                category: ops
                hide: false
              monitoring-grafana:
                name: Monitoring Grafana
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/grafana.svg
                url: https://monitoring.kaleschke.info
                description: Observability UI
                category: ops
                id: monitoring
                hide: false
              monitoring-prometheus:
                name: Prometheus
                parent: monitoring
                category: ops
                hide: false
              monitoring-loki:
                name: Loki
                parent: monitoring
                category: ops
                hide: false
              monitoring-promtail:
                name: Promtail
                parent: monitoring
                category: ops
                hide: false
              monitoring-alertmanager:
                name: Alertmanager
                parent: monitoring
                category: ops
                hide: false
              monitoring-alertmanager-ntfy-bridge:
                name: ntfy Bridge
                parent: monitoring
                category: ops
                hide: false
              monitoring-blackbox-exporter:
                name: Blackbox
                parent: monitoring
                category: ops
                hide: false
              monitoring-node-exporter:
                name: Node Exporter
                parent: monitoring
                category: ops
                hide: false
              monitoring-cadvisor:
                name: cAdvisor
                parent: monitoring
                category: ops
                hide: false
              monitoring-influxdb3-core:
                name: InfluxDB 3
                parent: monitoring
                category: ops
                hide: false
              glances:
                name: Glances
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glances.svg
                url: https://glances.kaleschke.info
                description: Host-Monitoring
                category: ops
                hide: false
              scrutiny:
                name: Scrutiny
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/scrutiny.svg
                url: https://scrutiny.kaleschke.info
                description: SMART
                category: ops
                hide: false
              speedtest-tracker:
                name: Speedtest
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/speedtest-tracker.png
                url: https://speedtest.kaleschke.info
                description: WAN-Messung
                category: ops
                hide: false
              filebrowser:
                name: Filebrowser
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/filebrowser.svg
                url: https://files.kaleschke.info
                description: Dateizugriff
                category: ops
                hide: false
              code-server:
                name: code-server
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/vscode.svg
                url: https://code.kaleschke.info
                description: Web IDE
                category: ops
                hide: false
              borg-ui:
                name: Borg UI
                icon: mdi:archive-sync
                url: https://borg.kaleschke.info
                description: Backup und Restore
                category: ops
                hide: false
              hermes-dashboard:
                name: Hermes
                icon: mdi:shield-sparkles
                url: https://hermes.kaleschke.info
                description: Ops Agent UI
                category: ops
                id: hermes
                hide: false
              hermes-gateway:
                name: Gateway
                parent: hermes
                category: ops
                hide: false
              komodo-core:
                name: Komodo
                icon: sh:komodo
                url: https://komodo.kaleschke.info
                description: Stack Manager
                category: ops
                id: komodo
                hide: false
              komodo-mongo:
                name: Mongo
                parent: komodo
                category: ops
                hide: false
              komodo-periphery:
                name: Periphery
                parent: komodo
                category: ops
                hide: false
          - type: docker-containers
            title: App Container
            category: apps
            hide-by-default: true
            sock-path: tcp://glance-docker-socket-proxy:2375
            containers: *containers
          - type: docker-containers
            title: Ops Container
            category: ops
            hide-by-default: true
            sock-path: tcp://glance-docker-socket-proxy:2375
            containers: *containers
  - name: Infrastructure and Media
    slug: infrastructure
    width: wide
    columns:
      - size: small
        widgets:
          - type: bookmarks
            title: Core
            groups:
              - title: Control Plane
                color: 212 100 50
                links:
                  - title: Komodo
                    url: https://komodo.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/komodo.svg
                  - title: Gitea
                    url: https://git.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
                  - title: Traefik
                    url: https://traefik.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/traefik.svg
                  - title: Authelia
                    url: https://auth.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/authelia.svg
          - type: bookmarks
            title: Media und Apps
            groups:
              - title: Apps
                color: 140 70 40
                links:
                  - title: Immich
                    url: https://immich.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
                  - title: Paperless
                    url: https://paperless.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/paperless-ngx.svg
                  - title: Nextcloud
                    url: https://cloud.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/nextcloud.svg
                  - title: Mealie
                    url: https://mealie.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mealie.svg
      - size: full
        widgets:
          - type: monitor
            title: Platform Checks
            cache: 1m
            sites:
              - title: Gitea
                url: https://git.kaleschke.info
                check-url: http://gitea:3000/api/healthz
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Monitoring Grafana
                url: https://monitoring.kaleschke.info
                check-url: http://monitoring-grafana:3000/api/health
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/grafana.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Glance
                url: https://glance.kaleschke.info
                check-url: http://glance:8080
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glance.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Immich
                url: https://immich.kaleschke.info
                check-url: http://immich_server:2283/api/server/ping
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Paperless-ngx
                url: https://paperless.kaleschke.info
                check-url: http://paperless-ngx:8000
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/paperless-ngx.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
              - title: Nextcloud
                url: https://cloud.kaleschke.info
                check-url: http://nextcloud/status.php
                icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/nextcloud.svg
                timeout: 5s
                alt-status-codes: [200, 302, 401, 403]
          - type: docker-containers
            title: Core Container
            category: core
            hide-by-default: true
            sock-path: tcp://glance-docker-socket-proxy:2375
            containers: *containers
          - type: docker-containers
            title: App Container
            category: apps
            hide-by-default: true
            sock-path: tcp://glance-docker-socket-proxy:2375
            containers: *containers
          - type: docker-containers
            title: Ops Container
            category: ops
            hide-by-default: true
            sock-path: tcp://glance-docker-socket-proxy:2375
            containers: *containers
      - size: small
        widgets:
          - type: bookmarks
            title: Ops
            groups:
              - title: Tools
                color: 4 78 57
                links:
                  - title: Glances
                    url: https://glances.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glances.svg
                  - title: Scrutiny
                    url: https://scrutiny.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/scrutiny.svg
                  - title: Speedtest
                    url: https://speedtest.kaleschke.info
                    icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/speedtest-tracker.png
@@ -1,596 +0,0 @@
 - name: Home
  slug: home
  width: wide
  head-widgets:
    - type: search
      search-engine: duckduckgo
      new-tab: true
      autofocus: true
      placeholder: Suche im Web oder springe per Bang...
      bangs:
        - title: Gitea
          shortcut: "!git"
          url: https://git.kaleschke.info/explore/repos?q={QUERY}
        - title: Paperless
          shortcut: "!doc"
          url: https://paperless.kaleschke.info/documents?query={QUERY}
        - title: Nextcloud
          shortcut: "!cloud"
          url: https://cloud.kaleschke.info/apps/files/?dir=/{QUERY}
        - title: Komodo
          shortcut: "!komodo"
          url: https://komodo.kaleschke.info
        - title: Immich
          shortcut: "!foto"
          url: https://immich.kaleschke.info/search?query={QUERY}
        - title: Mealie
          shortcut: "!rezept"
          url: https://mealie.kaleschke.info/g/home/?search={QUERY}
  columns:
    - size: small
      widgets:
        - type: group
          widgets:
            - type: custom-api
              title: Day
              body-type: string
              skip-json-validation: true
              cache: 1s
              template: |
                {{ $localTime := now }}
                {{ $elapsedSeconds := add (mul $localTime.Hour 3600) (mul $localTime.Minute 60) | add $localTime.Second }}
                {{ $dayProgress := div (mul $elapsedSeconds 100.0) 86400.0 }}
                {{ $gradient := "#70a1ff" }}
                {{ if gt $dayProgress 25.0 }}{{ $gradient = "#ff6b6b, #70a1ff" }}{{ end }}
                {{ if gt $dayProgress 50.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df" }}{{ end }}
                {{ if gt $dayProgress 75.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df, #70a1ff" }}{{ end }}
                <div style="text-align: center;">
                  <div style="width: 100%; height: 12px; background: #23262f; border: 1px solid color-mix(in srgb, var(--color-text-subdue) 55%, transparent); border-radius: 10px; overflow: hidden;">
                    <div style="height: 100%; width: {{ $dayProgress }}%; background: linear-gradient(90deg, {{ $gradient }});"></div>
                  </div>
                  <div class="size-h1" style="margin-top: 6px;">{{ printf "%.2f" $dayProgress }}% des Tages sind vorbei</div>
                </div>
            - type: custom-api
              title: Month
              body-type: string
              skip-json-validation: true
              cache: 1s
              template: |
                {{ $localTime := now }}
                {{ $month := $localTime.Month }}
                {{ $daysInMonth := 31 }}
                {{ if eq $month 2 }}{{ $daysInMonth = 28 }}{{ end }}
                {{ if or (eq $month 4) (eq $month 6) (eq $month 9) (eq $month 11) }}{{ $daysInMonth = 30 }}{{ end }}
                {{ $secondsToday := add (mul $localTime.Hour 3600) (mul $localTime.Minute 60) | add $localTime.Second }}
                {{ $daysElapsed := add (sub $localTime.Day 1) (div $secondsToday 86400.0) }}
                {{ $monthProgress := mul (div $daysElapsed $daysInMonth) 100.0 }}
                {{ $gradient := "#70a1ff" }}
                {{ if gt $monthProgress 25.0 }}{{ $gradient = "#ff6b6b, #70a1ff" }}{{ end }}
                {{ if gt $monthProgress 50.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df" }}{{ end }}
                {{ if gt $monthProgress 75.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df, #70a1ff" }}{{ end }}
                <div style="text-align: center;">
                  <div style="width: 100%; height: 12px; background: #23262f; border: 1px solid color-mix(in srgb, var(--color-text-subdue) 55%, transparent); border-radius: 10px; overflow: hidden;">
                    <div style="height: 100%; width: {{ $monthProgress }}%; background: linear-gradient(90deg, {{ $gradient }});"></div>
                  </div>
                  <div class="size-h1" style="margin-top: 6px;">{{ printf "%.2f" $monthProgress }}% des Monats sind vorbei</div>
                </div>
            - type: custom-api
              title: Year
              body-type: string
              skip-json-validation: true
              cache: 1s
              template: |
                {{ $localTime := now }}
                {{ $secondsToday := add (mul $localTime.Hour 3600) (mul $localTime.Minute 60) | add $localTime.Second }}
                {{ $secondsElapsed := add (mul (sub $localTime.YearDay 1) 86400) $secondsToday }}
                {{ $yearProgress := div (mul $secondsElapsed 100.0) (mul 365 86400) }}
                {{ $gradient := "#70a1ff" }}
                {{ if gt $yearProgress 25.0 }}{{ $gradient = "#ff6b6b, #70a1ff" }}{{ end }}
                {{ if gt $yearProgress 50.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df" }}{{ end }}
                {{ if gt $yearProgress 75.0 }}{{ $gradient = "#ff6b6b, #f8e71c, #7ed6df, #70a1ff" }}{{ end }}
                <div style="text-align: center;">
                  <div style="width: 100%; height: 12px; background: #23262f; border: 1px solid color-mix(in srgb, var(--color-text-subdue) 55%, transparent); border-radius: 10px; overflow: hidden;">
                    <div style="height: 100%; width: {{ $yearProgress }}%; background: linear-gradient(90deg, {{ $gradient }});"></div>
                  </div>
                  <div class="size-h1" style="margin-top: 6px;">{{ printf "%.2f" $yearProgress }}% des Jahres sind vorbei</div>
                </div>
        - type: clock
          hour-format: 24h
          show-progress: true
          timezones:
            - timezone: Europe/Berlin
              label: Berlin
            - timezone: UTC
              label: UTC
        - type: custom-api
          title: Wetter · KalliHome
          title-url: https://home.kaleschke.info
          cache: 30s
          url: http://homeassistant:8123/api/states/sensor.gw3000a_outdoor_temperature
          headers:
            Authorization: Bearer ${GLANCE_HA_TOKEN}
            Content-Type: application/json
          subrequests:
            feels:
              url: http://homeassistant:8123/api/states/sensor.gw3000a_feels_like_temperature
              headers:
                Authorization: Bearer ${GLANCE_HA_TOKEN}
            humidity:
              url: http://homeassistant:8123/api/states/sensor.gw3000a_humidity
              headers:
                Authorization: Bearer ${GLANCE_HA_TOKEN}
            wind:
              url: http://homeassistant:8123/api/states/sensor.gw3000a_wind_speed
              headers:
                Authorization: Bearer ${GLANCE_HA_TOKEN}
            gust:
              url: http://homeassistant:8123/api/states/sensor.gw3000a_wind_gust
              headers:
                Authorization: Bearer ${GLANCE_HA_TOKEN}
            rain:
              url: http://homeassistant:8123/api/states/sensor.gw3000a_daily_rain
              headers:
                Authorization: Bearer ${GLANCE_HA_TOKEN}
            solar:
              url: http://homeassistant:8123/api/states/sensor.gw3000a_solar_radiation
              headers:
                Authorization: Bearer ${GLANCE_HA_TOKEN}
            uv:
              url: http://homeassistant:8123/api/states/sensor.gw3000a_uv_index
              headers:
                Authorization: Bearer ${GLANCE_HA_TOKEN}
            pressure:
              url: http://homeassistant:8123/api/states/sensor.gw3000a_relative_pressure
              headers:
                Authorization: Bearer ${GLANCE_HA_TOKEN}
          template: |
            {{ $temp := .JSON.String "state" }}
            {{ $feels := (.Subrequest "feels").JSON.String "state" }}
            {{ $hum := (.Subrequest "humidity").JSON.String "state" }}
            {{ $wind := (.Subrequest "wind").JSON.String "state" }}
            {{ $gust := (.Subrequest "gust").JSON.String "state" }}
            {{ $rain := (.Subrequest "rain").JSON.String "state" }}
            {{ $solar := (.Subrequest "solar").JSON.String "state" }}
            {{ $uv := (.Subrequest "uv").JSON.String "state" }}
            {{ $press := (.Subrequest "pressure").JSON.String "state" }}
            {{ $gustF := (.Subrequest "gust").JSON.Float "state" }}
            {{ $divider := "border-left: 1px solid hsla(220, 40%, 70%, 0.14);" }}
            <div class="text-center" style="margin-bottom: 12px;">
              <div class="color-highlight size-h2" style="font-weight: 700;">{{ $temp }}°C</div>
              <div class="size-h6 color-subdue">gefühlt {{ $feels }}° · {{ $hum }}% feucht</div>
            </div>
            <div class="flex justify-between text-center" style="margin-bottom: 12px;">
              <div style="flex: 1;">
                <div class="size-h4 {{ if gt $gustF 40.0 }}color-negative{{ else }}color-highlight{{ end }}">{{ $wind }}</div>
                <div class="size-h6 uppercase color-subdue">km/h Wind</div>
              </div>
              <div style="flex: 1; {{ $divider }}">
                <div class="size-h4 {{ if gt $gustF 40.0 }}color-negative{{ else }}color-highlight{{ end }}">{{ $gust }}</div>
                <div class="size-h6 uppercase color-subdue">km/h Böe</div>
              </div>
              <div style="flex: 1; {{ $divider }}">
                <div class="size-h4 color-highlight">{{ $rain }}</div>
                <div class="size-h6 uppercase color-subdue">mm heute</div>
              </div>
            </div>
            <div class="flex justify-between text-center">
              <div style="flex: 1;">
                <div class="size-h4 color-highlight">{{ $solar }}</div>
                <div class="size-h6 uppercase color-subdue">W/m² Solar</div>
              </div>
              <div style="flex: 1; {{ $divider }}">
                <div class="size-h4 color-highlight">{{ $uv }}</div>
                <div class="size-h6 uppercase color-subdue">UV-Index</div>
              </div>
              <div style="flex: 1; {{ $divider }}">
                <div class="size-h4 color-highlight">{{ $press }}</div>
                <div class="size-h6 uppercase color-subdue">hPa Druck</div>
              </div>
            </div>
        - type: calendar
          first-day-of-week: monday
        - type: to-do
          title: Operator-Notizen
        - type: bookmarks
          title: Direkte Einstiege
          groups:
            - title: Core
              color: 212 100 50
              links:
                - title: Komodo
                  url: https://komodo.kaleschke.info
                  icon: sh:komodo
                - title: Gitea
                  url: https://git.kaleschke.info
                  icon: si:gitea
                - title: Monitoring
                  url: https://monitoring.kaleschke.info
                  icon: si:grafana
            - title: Ops
              color: 45 70 55
              links:
                - title: Borg
                  url: https://borg.kaleschke.info
                  icon: mdi:archive
                - title: Glances
                  url: https://glances.kaleschke.info
                  icon: sh:glances
                - title: Scrutiny
                  url: https://scrutiny.kaleschke.info
                  icon: sh:scrutiny
    - size: full
      widgets:
        - type: server-stats
          title: Server Stats
          servers:
            - type: local
              name: Kallilabcore
              hide-mountpoints-by-default: false
        - type: custom-api
          title: Komodo Stacks
          title-url: https://komodo.kaleschke.info
          cache: 2m
          url: http://komodo-core:9120/read
          method: POST
          body-type: json
          body:
            type: ListStacks
            params: {}
          headers:
            X-Api-Key: ${GLANCE_KOMODO_API_KEY}
            X-Api-Secret: ${GLANCE_KOMODO_API_SECRET}
            Content-Type: application/json
          template: |
            {{ $stacks := .JSON.Array "@this" }}
            {{ $total := len $stacks }}
            {{ $running := 0 }}
            {{ range $stacks }}{{ if eq (.String "info.state") "running" }}{{ $running = add $running 1 }}{{ end }}{{ end }}
            {{ $problems := sub $total $running }}
            {{ $divider := "border-left: 1px solid hsla(220, 40%, 70%, 0.14);" }}
            <div style="display: flex; text-align: center;">
              <div style="flex: 1;">
                <div class="color-highlight size-h3">{{ $total }}</div>
                <div class="size-h6 uppercase color-subdue">Stacks</div>
              </div>
              <div style="flex: 1; {{ $divider }}">
                <div class="color-positive size-h3">{{ $running }}</div>
                <div class="size-h6 uppercase color-subdue">Running</div>
              </div>
              <div style="flex: 1; {{ $divider }}">
                <div class="{{ if gt $problems 0 }}color-negative{{ else }}color-subdue{{ end }} size-h3">{{ $problems }}</div>
                <div class="size-h6 uppercase color-subdue">Auffaellig</div>
              </div>
            </div>
            <div style="height: 5px; margin-top: 14px; border-radius: 999px; overflow: hidden; background: hsla(220, 30%, 60%, 0.12);">
              <div style="height: 100%; width: {{ if gt $total 0 }}{{ div (mul $running 100.0) (toFloat $total) }}{{ else }}0{{ end }}%; border-radius: 999px; background: linear-gradient(90deg, hsl(150, 85%, 42%), hsl(172, 95%, 48%));"></div>
            </div>
            {{ if gt $problems 0 }}
            <div style="display: flex; justify-content: center; gap: 8px; flex-wrap: wrap; margin-top: 12px;">
              {{ range $stacks }}
              {{ if ne (.String "info.state") "running" }}
              <span class="size-h6" style="padding: 3px 12px; border-radius: 999px; border: 1px solid hsla(350, 90%, 60%, 0.45); background: hsla(350, 90%, 60%, 0.08); color: var(--color-negative); letter-spacing: 0.05em;">{{ .String "name" }} · {{ .String "info.state" }}</span>
              {{ end }}
              {{ end }}
            </div>
            {{ end }}
        - type: custom-api
          title: Immich
          title-url: https://immich.kaleschke.info
          cache: 10m
          url: http://immich_server:2283/api/server/statistics
          headers:
            x-api-key: ${GLANCE_IMMICH_API_KEY}
          subrequests:
            storage:
              url: http://immich_server:2283/api/server/storage
              headers:
                x-api-key: ${GLANCE_IMMICH_API_KEY}
          template: |
            {{ $photos := .JSON.Int "photos" }}
            {{ $videos := .JSON.Int "videos" }}
            {{ $usageGiB := div (toFloat (.JSON.Int "usage")) 1073741824.0 }}
            {{ $storage := .Subrequest "storage" }}
            {{ $storageOK := and (ge $storage.Response.StatusCode 200) (le $storage.Response.StatusCode 299) }}
            {{ $percentage := 0.0 }}
            {{ if $storageOK }}{{ $percentage = $storage.JSON.Float "diskUsagePercentage" }}{{ end }}
            {{ $divider := "border-left: 1px solid hsla(220, 40%, 70%, 0.14);" }}
            <div style="display: flex; text-align: center;">
              <div style="flex: 1;">
                <div class="color-highlight size-h3">{{ $photos | formatNumber }}</div>
                <div class="size-h6 uppercase color-subdue">Fotos</div>
              </div>
              <div style="flex: 1; {{ $divider }}">
                <div class="color-highlight size-h3">{{ $videos | formatNumber }}</div>
                <div class="size-h6 uppercase color-subdue">Videos</div>
              </div>
              <div style="flex: 1; {{ $divider }}">
                <div class="color-highlight size-h3">{{ printf "%.0f" $usageGiB }} GiB</div>
                <div class="size-h6 uppercase color-subdue">Medien</div>
              </div>
            </div>
            <div style="display: flex; align-items: center; gap: 12px; margin-top: 16px;">
              <div style="flex: 1; height: 5px; border-radius: 999px; overflow: hidden; background: hsla(220, 30%, 60%, 0.12);">
                <div style="height: 100%; width: {{ if $storageOK }}{{ printf "%.1f" $percentage }}%{{ else }}0%{{ end }}; border-radius: 999px; background: linear-gradient(90deg, hsl(205, 100%, 55%), hsl(172, 95%, 48%));"></div>
              </div>
              <div class="size-h6 color-subdue" style="white-space: nowrap;">{{ if $storageOK }}{{ printf "%.1f" $percentage }}% belegt{{ else }}Speicher API n/v{{ end }}</div>
            </div>
        - type: group
          widgets:
            - type: monitor
              title: Core
              cache: 1m
              sites:
                - title: AdGuard Home
                  url: http://192.168.178.58:8082
                  check-url: http://adguard
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/adguard-home.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Authelia
                  url: https://auth.kaleschke.info
                  check-url: http://authelia:9091/api/health
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/authelia.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Gitea
                  url: https://git.kaleschke.info
                  check-url: http://gitea:3000/api/healthz
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Traefik
                  url: https://traefik.kaleschke.info
                  check-url: http://traefik:8082/metrics
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/traefik.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Vaultwarden
                  url: https://vault.kaleschke.info
                  check-url: http://vaultwarden/alive
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/vaultwarden.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Komodo
                  url: https://komodo.kaleschke.info
                  check-url: http://komodo-core:9120
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/komodo.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Glance
                  url: https://glance.kaleschke.info
                  check-url: http://glance:8080
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glance.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
            - type: monitor
              title: Apps
              cache: 1m
              sites:
                - title: Paperless-ngx
                  url: https://paperless.kaleschke.info
                  check-url: http://paperless-ngx:8000
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/paperless-ngx.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Paperless-GPT
                  url: https://paperless-gpt.kaleschke.info
                  check-url: http://paperless-gpt:8080
                  icon: mdi:robot
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Immich
                  url: https://immich.kaleschke.info
                  check-url: http://immich_server:2283/api/server/ping
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Mealie
                  url: https://mealie.kaleschke.info
                  check-url: http://mealie:9000
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mealie.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Nextcloud
                  url: https://cloud.kaleschke.info
                  check-url: http://nextcloud/status.php
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/nextcloud.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: ntfy
                  url: https://ntfy.kaleschke.info
                  check-url: http://ntfy/v1/health
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/ntfy.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Mail Archiver
                  url: https://mail.kaleschke.info
                  check-url: http://mail-archiver:5000
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mailcow.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: BentoPDF
                  url: https://pdf.kaleschke.info
                  check-url: http://bentopdf:8080
                  icon: mdi:file-pdf-box
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
            - type: monitor
              title: Ops
              cache: 1m
              sites:
                - title: Monitoring Grafana
                  url: https://monitoring.kaleschke.info
                  check-url: http://monitoring-grafana:3000/api/health
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/grafana.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Glances
                  url: https://glances.kaleschke.info
                  check-url: http://glances:61208
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glances.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Scrutiny
                  url: https://scrutiny.kaleschke.info
                  check-url: http://scrutiny:8080
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/scrutiny.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Speedtest Tracker
                  url: https://speedtest.kaleschke.info
                  check-url: http://speedtest-tracker
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/speedtest-tracker.png
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Filebrowser
                  url: https://files.kaleschke.info
                  check-url: http://filebrowser
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/filebrowser.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: code-server
                  url: https://code.kaleschke.info
                  check-url: http://code-server:8443
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/vscode.svg
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
                - title: Borg UI
                  url: https://borg.kaleschke.info
                  check-url: http://borg-ui:8081
                  icon: mdi:archive-sync
                  timeout: 5s
                  alt-status-codes: [200, 302, 401, 403]
    - size: small
      widgets:
        - type: custom-api
          title: Internet
          title-url: https://speedtest.kaleschke.info
          cache: 1h
          url: http://speedtest-tracker/api/v1/results/latest
          headers:
            Authorization: Bearer ${GLANCE_SPEEDTEST_API_KEY}
            Accept: application/json
          subrequests:
            stats:
              url: http://speedtest-tracker/api/v1/stats
              headers:
                Authorization: Bearer ${GLANCE_SPEEDTEST_API_KEY}
                Accept: application/json
          template: |
            {{ $ip := .JSON.String "external_ip" }}
            {{ if eq $ip "" }}{{ $ip = .JSON.String "data.interface.externalIp" }}{{ end }}
            {{ if eq $ip "" }}{{ $ip = .JSON.String "data.data.interface.externalIp" }}{{ end }}
            {{ $isp := .JSON.String "isp" }}
            {{ if eq $isp "" }}{{ $isp = .JSON.String "data.isp" }}{{ end }}
            {{ if eq $isp "" }}{{ $isp = .JSON.String "data.data.isp" }}{{ end }}
            {{ $download := .JSON.Float "download" }}
            {{ if eq $download 0.0 }}{{ $download = .JSON.Float "data.download" }}{{ end }}
            {{ if eq $download 0.0 }}{{ $download = div (.JSON.Float "download_bits") 1000000.0 }}{{ end }}
            {{ if eq $download 0.0 }}{{ $download = div (.JSON.Float "data.download_bits") 1000000.0 }}{{ end }}
            {{ if eq $download 0.0 }}{{ $download = div (mul (.JSON.Float "data.data.download.bandwidth") 8.0) 1000000.0 }}{{ end }}
            {{ $upload := .JSON.Float "upload" }}
            {{ if eq $upload 0.0 }}{{ $upload = .JSON.Float "data.upload" }}{{ end }}
            {{ if eq $upload 0.0 }}{{ $upload = div (.JSON.Float "upload_bits") 1000000.0 }}{{ end }}
            {{ if eq $upload 0.0 }}{{ $upload = div (.JSON.Float "data.upload_bits") 1000000.0 }}{{ end }}
            {{ if eq $upload 0.0 }}{{ $upload = div (mul (.JSON.Float "data.data.upload.bandwidth") 8.0) 1000000.0 }}{{ end }}
            {{ if gt $download 100000.0 }}{{ $download = div (mul $download 8.0) 1000000.0 }}{{ end }}
            {{ if gt $upload 100000.0 }}{{ $upload = div (mul $upload 8.0) 1000000.0 }}{{ end }}
            {{ $ping := .JSON.Float "ping" }}
            {{ if eq $ping 0.0 }}{{ $ping = .JSON.Float "data.ping" }}{{ end }}
            {{ if eq $ping 0.0 }}{{ $ping = .JSON.Float "data.data.ping.latency" }}{{ end }}
            <div class="text-center" style="margin-bottom: 10px;">
              <div class="color-primary size-h3" style="font-weight: 700;">{{ if ne $ip "" }}{{ $ip }}{{ else }}WAN online{{ end }}</div>
              <div class="size-h6 color-subdue">{{ if ne $isp "" }}{{ $isp }}{{ else }}Speedtest Tracker{{ end }}</div>
            </div>
            {{ if and (eq $download 0.0) (eq $upload 0.0) }}
            <div class="text-center color-subdue size-h6">Keine aktuellen Messdaten</div>
            {{ else }}
            <div class="flex justify-between text-center">
              <div>
                <div class="color-highlight size-h4">{{ printf "%.1f" $download }}</div>
                <div class="size-h6 color-subdue">MBIT DOWN</div>
              </div>
              <div>
                <div class="color-highlight size-h4">{{ printf "%.1f" $upload }}</div>
                <div class="size-h6 color-subdue">MBIT UP</div>
              </div>
              <div>
                <div class="color-highlight size-h4">{{ printf "%.0f ms" $ping }}</div>
                <div class="size-h6 color-subdue">PING</div>
              </div>
            </div>
            {{ end }}
        - type: dns-stats
          title: DNS Stats
          service: adguard
          url: http://adguard
          username: ${GLANCE_ADGUARD_USERNAME}
          password: ${GLANCE_ADGUARD_PASSWORD}
        - type: custom-api
          title: Borg Backup
          title-url: https://borg.kaleschke.info
          cache: 15m
          url: http://monitoring-prometheus:9090/api/v1/query?query=(time()-homelab_borg_last_completed_timestamp_seconds)/3600
          subrequests:
            success:
              url: http://monitoring-prometheus:9090/api/v1/query?query=homelab_borg_last_success
          template: |
            {{ $ageHours := .JSON.Float "data.result.0.value.1" }}
            {{ $archive := .JSON.String "data.result.0.metric.archive" }}
            {{ $succ := .Subrequest "success" }}
            {{ $ok := $succ.JSON.Float "data.result.0.value.1" }}
            {{ $status := $succ.JSON.String "data.result.0.metric.status" }}
            {{ if eq (len (.JSON.Array "data.result")) 0 }}
            <div class="text-center color-subdue">Keine Backup-Metrik gefunden</div>
            {{ else }}
            <div class="text-center">
              <div class="size-h2 {{ if gt $ageHours 30.0 }}color-negative{{ else }}color-positive{{ end }}">vor {{ printf "%.0f" $ageHours }} h</div>
              <div class="size-h6 color-subdue" style="margin-top: 4px;">letztes abgeschlossenes Backup</div>
              <div class="size-h6 {{ if eq $ok 1.0 }}color-positive{{ else }}color-negative{{ end }}" style="margin-top: 6px;">
                {{ if eq $ok 1.0 }}letzter Job erfolgreich{{ else }}letzter Job: {{ $status }}{{ end }}
              </div>
              {{ if ne $archive "" }}<div class="size-h6 color-subdue text-truncate" style="margin-top: 2px;">{{ $archive }}</div>{{ end }}
            </div>
            {{ end }}
        - type: group
          widgets:
            - type: docker-containers
              title: Network
              category: network
              hide-by-default: true
              sock-path: tcp://glance-docker-socket-proxy:2375
              containers:
                $include: containers-map.yml
            - type: docker-containers
              title: Apps
              category: apps
              hide-by-default: true
              sock-path: tcp://glance-docker-socket-proxy:2375
              containers:
                $include: containers-map.yml
            - type: docker-containers
              title: Ops
              category: ops
              hide-by-default: true
              sock-path: tcp://glance-docker-socket-proxy:2375
              containers:
                $include: containers-map.yml
@@ -1,244 +0,0 @@
 - name: Infrastructure and Media
  slug: infrastructure
  width: wide
  columns:
    - size: small
      widgets:
        - type: bookmarks
          title: Core
          groups:
            - title: Control Plane
              color: 212 100 50
              links:
                - title: Komodo
                  url: https://komodo.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/komodo.svg
                - title: Gitea
                  url: https://git.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
                - title: Traefik
                  url: https://traefik.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/traefik.svg
                - title: Authelia
                  url: https://auth.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/authelia.svg
        - type: bookmarks
          title: Media und Apps
          groups:
            - title: Apps
              color: 140 70 40
              links:
                - title: Immich
                  url: https://immich.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
                - title: Paperless
                  url: https://paperless.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/paperless-ngx.svg
                - title: Nextcloud
                  url: https://cloud.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/nextcloud.svg
                - title: Mealie
                  url: https://mealie.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/mealie.svg
        - type: custom-api
          title: Scrutiny Disk Health
          title-url: https://scrutiny.kaleschke.info
          cache: 30m
          url: http://scrutiny:8080/api/summary
          template: |
            {{ $disks := .JSON.Array "data.summary.@values" }}
            {{ if eq (len $disks) 0 }}
            <div class="text-center color-subdue">Keine Disks gemeldet.</div>
            {{ else }}
            <ul class="list list-gap-4">
              {{ range $disks }}
              {{ $status := .Int "device.device_status" }}
              <li class="flex justify-between">
                <div class="color-highlight">{{ .String "device.device_name" }}</div>
                <div class="size-h6 uppercase {{ if eq $status 0 }}color-positive{{ else }}color-negative{{ end }}">
                  {{ if eq $status 0 }}OK{{ else }}FAILED{{ end }}
                </div>
              </li>
              {{ end }}
            </ul>
            {{ end }}
    - size: full
      widgets:
        - type: custom-api
          title: GitOps - homelab-infra
          title-url: https://git.kaleschke.info/Micha/homelab-infra
          cache: 5m
          url: http://gitea:3000/api/v1/repos/Micha/homelab-infra/commits?limit=5&stat=false
          headers:
            Authorization: token ${GLANCE_GITEA_TOKEN}
            Accept: application/json
          subrequests:
            repo:
              url: http://gitea:3000/api/v1/repos/Micha/homelab-infra
              headers:
                Authorization: token ${GLANCE_GITEA_TOKEN}
                Accept: application/json
          template: |
            {{ $repo := .Subrequest "repo" }}
            {{ $repoOK := and (ge $repo.Response.StatusCode 200) (le $repo.Response.StatusCode 299) }}
            {{ if $repoOK }}
            <div class="flex justify-between text-center" style="margin-bottom: 12px;">
              <div>
                <div class="color-highlight size-h3">{{ $repo.JSON.Int "open_issues_count" }}</div>
                <div class="size-h6 uppercase">Issues</div>
              </div>
              <div>
                <div class="color-highlight size-h3">{{ $repo.JSON.Int "open_pr_counter" }}</div>
                <div class="size-h6 uppercase">PRs</div>
              </div>
              <div>
                <div class="color-highlight size-h3">{{ $repo.JSON.String "default_branch" }}</div>
                <div class="size-h6 uppercase">Branch</div>
              </div>
            </div>
            {{ end }}
            <ul class="list list-gap-6">
              {{ range .JSON.Array "@this" }}
              <li>
                <div class="flex justify-between">
                  <div class="color-highlight text-truncate" style="max-width: 75%;">{{ .String "commit.message" | replaceMatches "(?s)\n.*" "" }}</div>
                  <div class="size-h6 color-subdue">{{ slice (.String "sha") 0 7 }}</div>
                </div>
                <div class="size-h6 color-subdue">{{ .String "commit.author.name" }} · <span {{ .String "commit.author.date" | parseTime "rfc3339" | toRelativeTime }}></span></div>
              </li>
              {{ end }}
            </ul>
        - type: monitor
          title: Platform Checks
          cache: 1m
          sites:
            - title: Gitea
              url: https://git.kaleschke.info
              check-url: http://gitea:3000/api/healthz
              icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
              timeout: 5s
              alt-status-codes: [200, 302, 401, 403]
            - title: Monitoring Grafana
              url: https://monitoring.kaleschke.info
              check-url: http://monitoring-grafana:3000/api/health
              icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/grafana.svg
              timeout: 5s
              alt-status-codes: [200, 302, 401, 403]
            - title: Glance
              url: https://glance.kaleschke.info
              check-url: http://glance:8080
              icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glance.svg
              timeout: 5s
              alt-status-codes: [200, 302, 401, 403]
            - title: Immich
              url: https://immich.kaleschke.info
              check-url: http://immich_server:2283/api/server/ping
              icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
              timeout: 5s
              alt-status-codes: [200, 302, 401, 403]
            - title: Paperless-ngx
              url: https://paperless.kaleschke.info
              check-url: http://paperless-ngx:8000
              icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/paperless-ngx.svg
              timeout: 5s
              alt-status-codes: [200, 302, 401, 403]
            - title: Nextcloud
              url: https://cloud.kaleschke.info
              check-url: http://nextcloud/status.php
              icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/nextcloud.svg
              timeout: 5s
              alt-status-codes: [200, 302, 401, 403]
        - type: group
          widgets:
            - type: docker-containers
              title: Core
              category: core
              hide-by-default: true
              sock-path: tcp://glance-docker-socket-proxy:2375
              containers:
                $include: containers-map.yml
            - type: docker-containers
              title: Apps
              category: apps
              hide-by-default: true
              sock-path: tcp://glance-docker-socket-proxy:2375
              containers:
                $include: containers-map.yml
            - type: docker-containers
              title: Ops
              category: ops
              hide-by-default: true
              sock-path: tcp://glance-docker-socket-proxy:2375
              containers:
                $include: containers-map.yml
    - size: small
      widgets:
        - type: custom-api
          title: Paperless-ngx
          title-url: https://paperless.kaleschke.info
          cache: 15m
          url: http://paperless-ngx:8000/api/statistics/
          headers:
            Authorization: Token ${GLANCE_PAPERLESS_TOKEN}
            Accept: application/json
          template: |
            {{ $total := .JSON.Int "documents_total" }}
            {{ $inbox := .JSON.Int "documents_inbox" }}
            <div class="flex justify-between text-center">
              <div>
                <div class="color-highlight size-h3">{{ $total | formatNumber }}</div>
                <div class="size-h6 uppercase">Dokumente</div>
              </div>
              <div>
                <div class="size-h3 {{ if gt $inbox 0 }}color-negative{{ else }}color-positive{{ end }}">{{ $inbox }}</div>
                <div class="size-h6 uppercase">Inbox</div>
              </div>
            </div>
        - type: custom-api
          title: Mealie
          title-url: https://mealie.kaleschke.info
          cache: 1h
          url: http://mealie:9000/api/admin/about/statistics
          headers:
            Authorization: Bearer ${GLANCE_MEALIE_TOKEN}
            Accept: application/json
          template: |
            <div class="flex justify-between text-center">
              <div>
                <div class="color-highlight size-h3">{{ .JSON.Int "totalRecipes" | formatNumber }}</div>
                <div class="size-h6 uppercase">Rezepte</div>
              </div>
              <div>
                <div class="color-highlight size-h3">{{ .JSON.Int "totalCategories" }}</div>
                <div class="size-h6 uppercase">Kategorien</div>
              </div>
              <div>
                <div class="color-highlight size-h3">{{ .JSON.Int "totalUsers" }}</div>
                <div class="size-h6 uppercase">Nutzer</div>
              </div>
            </div>
        - type: bookmarks
          title: Ops
          groups:
            - title: Tools
              color: 4 78 57
              links:
                - title: Glances
                  url: https://glances.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/glances.svg
                - title: Scrutiny
                  url: https://scrutiny.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/scrutiny.svg
                - title: Speedtest
                  url: https://speedtest.kaleschke.info
                  icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/speedtest-tracker.png
@@ -1,80 +0,0 @@
 - name: Ops und Releases
  slug: ops
  width: wide
  columns:
    - size: small
      widgets:
        - type: rss
          title: Selfhosted News
          style: vertical-list
          limit: 12
          collapse-after: 6
          cache: 6h
          feeds:
            - url: https://selfh.st/rss/
              title: selfh.st
            - url: https://tailscale.com/blog/index.xml
              title: Tailscale Blog
    - size: full
      widgets:
        - type: releases
          title: Image Releases
          cache: 12h
          show-source-icon: true
          collapse-after: 15
          repositories:
            - glanceapp/glance
            - traefik/traefik
            - go-gitea/gitea
            - moghtech/komodo
            - immich-app/immich
            - paperless-ngx/paperless-ngx
            - AdguardTeam/AdGuardHome
            - dani-garcia/vaultwarden
            - authelia/authelia
            - mealie-recipes/mealie
            - nextcloud/server
            - AnalogJ/scrutiny
            - alexjustesen/speedtest-tracker
            - binwiederhier/ntfy
            - filebrowser/filebrowser
            - coder/code-server
            - qdm12/ddns-updater
            - nicolargo/glances
    - size: small
      widgets:
        - type: custom-api
          title: Letzte Commits
          title-url: https://git.kaleschke.info/Micha/homelab-infra/commits/branch/master
          cache: 5m
          url: http://gitea:3000/api/v1/repos/Micha/homelab-infra/commits?limit=8&stat=false
          headers:
            Authorization: token ${GLANCE_GITEA_TOKEN}
            Accept: application/json
          template: |
            <ul class="list list-gap-6 collapsible-container" data-collapse-after="5">
              {{ range .JSON.Array "@this" }}
              <li>
                <div class="color-highlight text-truncate">{{ .String "commit.message" | replaceMatches "(?s)\n.*" "" }}</div>
                <div class="size-h6 color-subdue">{{ slice (.String "sha") 0 7 }} · <span {{ .String "commit.author.date" | parseTime "rfc3339" | toRelativeTime }}></span></div>
              </li>
              {{ end }}
            </ul>
        - type: bookmarks
          title: Deploy-Kette
          groups:
            - title: GitOps
              color: 212 100 50
              links:
                - title: Gitea Repo
                  url: https://git.kaleschke.info/Micha/homelab-infra
                  icon: si:gitea
                - title: Komodo Stacks
                  url: https://komodo.kaleschke.info
                  icon: sh:komodo
                - title: Grafana
                  url: https://monitoring.kaleschke.info
                  icon: si:grafana
@@ -1,3 +0,0 @@
 $include: home.yml
 $include: infrastructure.yml
 $include: ops.yml
@@ -9,20 +9,11 @@ services:
      GLANCE_ADGUARD_USERNAME: ${GLANCE_ADGUARD_USERNAME:-}
      GLANCE_ADGUARD_PASSWORD: ${GLANCE_ADGUARD_PASSWORD:-}
      GLANCE_SPEEDTEST_API_KEY: ${GLANCE_SPEEDTEST_API_KEY:-}
      GLANCE_KOMODO_API_KEY: ${GLANCE_KOMODO_API_KEY:-}
      GLANCE_KOMODO_API_SECRET: ${GLANCE_KOMODO_API_SECRET:-}
      GLANCE_GITEA_TOKEN: ${GLANCE_GITEA_TOKEN:-}
      GLANCE_PAPERLESS_TOKEN: ${GLANCE_PAPERLESS_TOKEN:-}
      GLANCE_MEALIE_TOKEN: ${GLANCE_MEALIE_TOKEN:-}
      GLANCE_HA_TOKEN: ${GLANCE_HA_TOKEN:-}
    volumes:
      - ./config:/app/config:ro
      - ./assets:/app/assets:ro
    networks:
      - frontend_net
      - glance_socket_net
      # monitoring_net nur lesend fuer Prometheus-Query des Borg-Backup-Widgets
      - monitoring_net
    depends_on:
      - glance-docker-socket-proxy
    labels:
@@ -59,8 +50,6 @@ services:
 networks:
  frontend_net:
    external: true
  monitoring_net:
    external: true
  glance_socket_net:
    name: glance_socket_net
    internal: true
@@ -1,6 +1,6 @@
 services:
  glances:
-    image: nicolargo/glances:latest-full@sha256:58651aabedf62db8bfc1d252f8d3889675dfcdb5d0ad1c177ae5879c21626f3a
+    image: nicolargo/glances:latest-full@sha256:60872a1af0e40a3150975617c7e811ad7ad48f95bc45d033fb0c1737a037e4d2
    container_name: glances
    restart: unless-stopped
    pid: host
@@ -1,6 +1,6 @@
 # H:/ Nearline-Backup — Struktur und Betrieb
-Stand: 2026-06-21
+Stand: 2026-06-10
 ## Rolle der H:/
@@ -25,30 +25,6 @@ Nichts weiteres gehört dauerhaft auf die H:/.
 Temporäre Recovery- oder Backup-Ordner aus Notfallsituationen sind nach
 Abschluss zu löschen.
 ## Restore aus H:/ (DR-Fall)
 Wenn Unraid/Hetzner nicht erreichbar sind, ist die H:/ die schnellste **lokale**
 Quelle für die aktuellsten DB-Dumps und Gitea-Bundles. Sie ersetzt **nicht** die
 Hetzner-Borg-Kette (Einordnung: `docs/CAPACITY_AND_LIFECYCLE.md`), verkürzt aber
 den Wiederanlauf, solange die Artefakte frisch sind.
 Inhalt und Restore-Weg:
 - **DB-Dumps:** `H:\kallilab-nearline-backups\borg-dumps\latest\*` — dieselben
  Dateien wie `/mnt/user/backups/borg/dumps/latest`. Im DR-Fall auf den neu
  aufgesetzten Host nach `/mnt/user/backups/borg/dumps/latest` zurückspielen
  (SMB/Robocopy), dann pro Dienst nach `docs/RESTORE_MATRIX.md` einspielen.
 - **Gitea-Bundles:** `H:\kallilab-nearline-backups\git-bundles\gitea\` — bare
  Repo-Bundles für den Gitea-Bootstrap (Reihenfolge: `docs/SERVICES_RECOVERY.md`).
 - **DR-Kit (Keys/Secrets):** `H:\kallilab-nearline-backups\_dr-kit\` — SSH-Keys
  und Offline-Secrets, siehe Abschnitt `_dr-kit` unten.
 > **Vor dem Verlassen auf H:/ immer die Frische prüfen:** Die LastWriteTime der
 > Dumps muss vom selben Tag sein
 > (`Get-ChildItem H:\kallilab-nearline-backups\borg-dumps\latest`). Ein still
 > veralteter Spiegel (siehe S4U-Vorfall unten) ist als Restore-Quelle wertlos —
 > dann stattdessen aus Hetzner-Borg restaurieren.
 ## Automatischer Pull
 `pull-critical-backups.ps1` zieht per Robocopy vom Unraid-SMB-Share:
@@ -59,25 +35,7 @@ Inhalt und Restore-Weg:
 Der Windows Scheduled Task `KalliLab H Drive Nearline Pull` laeuft seit
 2026-05-28 taeglich 05:30. Das Script kopiert bewusst **nicht** mit `/MIR` und
 loescht nichts auf H:/; alte Artefakte werden nur nach manueller Sichtpruefung
-entfernt.
+entfernt. Aufruf zum Testen:
 > **Wichtig — Task-LogonType (kein S4U!):** Der Task darf **nicht** mit `S4U`
 > laufen ("Unabhaengig von der Benutzeranmeldung ausfuehren" *mit* angehaktem
 > "Kennwort nicht speichern"). S4U-Laeufe haben keine Netzwerk-Anmelde-
 > informationen und erreichen den authentifizierten SMB-Share
 > `\\192.168.178.58\backups` nicht -> jeder geplante Lauf bricht still mit
 > Exitcode 1 ab, ohne Report. Genau das passierte 2026-06-19 bis 2026-06-21
 > (Spiegel still veraltet).
 >
 > **Behoben am 2026-06-21:** Task auf **"Nur ausfuehren, wenn der Benutzer
 > angemeldet ist"** (LogonType `Interactive`) umgestellt. Das braucht **kein**
 > gespeichertes Passwort und funktioniert, weil `michi` der dauerhaft
 > angemeldete Konsolen-User ist (gesperrter Bildschirm zaehlt als angemeldet).
 > Per Planer ausgeloest und mit Ergebnis `0x0` verifiziert. Alternative waere
 > LogonType `Password` (gespeichertes Passwort), erfordert aber das
 > Windows-Passwort.
 Aufruf zum Testen:
 ```powershell
 powershell.exe -NoProfile -ExecutionPolicy Bypass -File G:\Gitea_Clone\homelab-infra\ops\h-drive-nearline\pull-critical-backups.ps1 -WhatIf
@@ -87,47 +45,6 @@ Das Script schließt bewusst aus:
 - `unraid-flash-config.tar.gz` (0600 root:root, nicht per SMB zugänglich → Restore aus Hetzner-Borg)
 - Migration-/Cutover-Verzeichnisse (`immich-vectorchord-*`, `pg18-major-*`, `redis8-*` etc.)
 ## Externer Dead-Man's-Switch
 Der Pull lief ~2026-06-04 bis 2026-06-18 still gestoppt, ohne dass etwas Alarm
 schlug (Scheduled Task fehlte; Prometheus auf Unraid sieht den baerchen-Pull
 nicht). Gegenmittel: ein externer Heartbeat. `pull-critical-backups.ps1` pingt am
 Lauf-Anfang `/start`, am Ende den Erfolg und im Fehlerfall `/fail`. Bleibt der
 Erfolgs-Ping aus, alarmiert der externe Dienst von aussen.
 Die Integration ist **endpoint-agnostisch**: jede Healthchecks-kompatible URL
 funktioniert (Healthchecks.io-Cloud oder self-hosted). Ist keine URL gesetzt, ist
 der Switch ein No-Op und der Pull laeuft unveraendert weiter.
 URL-Quelle (in dieser Reihenfolge):
 1. Parameter `-HealthchecksUrl`
 2. ENV `HEALTHCHECKS_NEARLINE_URL`
 3. Datei `%USERPROFILE%\.kallilab\healthchecks-nearline-url.txt`
 Die Ping-URL ist eine Capability-URL -> wie ein Secret behandeln, nie ins Repo
 (siehe `docs/SECRETS_MAP.md`).
 ### Operator-Setup (einmalig)
 1. Check anlegen (Healthchecks.io oder self-hosted): Period = 1 Tag, Grace z. B.
   2-3 h passend zum taeglichen 05:30-Task. Ping-URL kopieren.
 2. Auf baerchen die URL hinterlegen, z. B. als Datei:
   ```powershell
   New-Item -ItemType Directory -Force -Path "$HOME\.kallilab" | Out-Null
   Set-Content -LiteralPath "$HOME\.kallilab\healthchecks-nearline-url.txt" -Value "https://hc-ping.com/<uuid>" -NoNewline
   ```
   (alternativ als persistente User-Umgebungsvariable `HEALTHCHECKS_NEARLINE_URL`.)
 3. Testlauf: `pull-critical-backups.ps1` ausfuehren; im Healthchecks-Dashboard
   muss ein "success"-Ping ankommen.
 ### Borg-Pre-Hook-Pendant
 Den gleichen Switch gibt es host-seitig in `ops/borg-ui/scripts/pre-borg.sh`.
 URL dort via ENV `HEALTHCHECKS_BORG_URL` oder Datei
 `/mnt/user/appdata/secrets/healthchecks_borg_url` (chmod 600), bewusst als
 **eigener** Check (getrennter Heartbeat fuer die Unraid-Backup-Vorpruefung).
 ## _dr-kit
 Enthält offline hinterlegte Schlüssel und Secrets für den DR-Fall:
@@ -1,35 +1,11 @@
 param(
  [string]$SourceRoot = "\\192.168.178.58\backups",
  [string]$DestinationRoot = "H:\kallilab-nearline-backups",
  [string]$HealthchecksUrl = $env:HEALTHCHECKS_NEARLINE_URL,
  [switch]$WhatIf
 )
 $ErrorActionPreference = "Stop"
 # Externer Dead-Man's-Switch (endpoint-agnostisch: Healthchecks.io-Cloud oder
 # self-hosted). Bleibt der Erfolgs-Ping aus, alarmiert der externe Dienst von
 # aussen - genau den Fall, den Prometheus auf Unraid fuer den baerchen-Pull
 # nicht sieht. Die Ping-URL ist eine Capability-URL -> wie ein Secret behandeln,
 # niemals ins Repo. Quelle: -HealthchecksUrl -> $env:HEALTHCHECKS_NEARLINE_URL
 # -> Datei im Userprofil. Ist keine URL gesetzt, ist der Switch ein No-Op.
 if (-not $HealthchecksUrl) {
  $hcUrlFile = Join-Path $HOME ".kallilab\healthchecks-nearline-url.txt"
  if (Test-Path -LiteralPath $hcUrlFile) {
    $HealthchecksUrl = (Get-Content -LiteralPath $hcUrlFile -Raw).Trim()
  }
 }
 function Send-HealthcheckPing {
  param([string]$Suffix = "")
  if (-not $HealthchecksUrl) { return }
  try {
    Invoke-RestMethod -Uri ("{0}{1}" -f $HealthchecksUrl, $Suffix) -Method Get -TimeoutSec 15 | Out-Null
  } catch {
    Write-Warning "Healthchecks ping ('$Suffix') failed: $($_.Exception.Message)"
  }
 }
 $Jobs = @(
  @{
    Name = "borg-dumps-latest"
@@ -49,7 +25,6 @@ $Jobs = @(
      "immich.dump",
      "komodo-mongo.archive.gz",
      "mealie.dump",
      "n8n.sqlite.dump",
      "nextcloud.dump",
      "postgresql17-authelia.dump",
      "postgresql17-globals.sql",
@@ -169,58 +144,44 @@ if ($WhatIf) {
  exit 0
 }
-# Echter Lauf -> Dead-Man's-Switch aktiv. /start misst die Laufzeit, /fail
+$destinationDrive = Split-Path -Qualifier $DestinationRoot
-# meldet einen abgebrochenen Lauf sofort, der Erfolgs-Ping am Ende bestaetigt.
+Assert-PathExists -Path $destinationDrive -Label "Destination drive"
 Send-HealthcheckPing "/start"
 try {
  $destinationDrive = Split-Path -Qualifier $DestinationRoot
  Assert-PathExists -Path $destinationDrive -Label "Destination drive"
-  $logRoot = Join-Path $DestinationRoot "_logs"
+$logRoot = Join-Path $DestinationRoot "_logs"
-  $reportRoot = Join-Path $DestinationRoot "_reports"
+$reportRoot = Join-Path $DestinationRoot "_reports"
-  New-Item -ItemType Directory -Force -Path $DestinationRoot, $logRoot, $reportRoot | Out-Null
+New-Item -ItemType Directory -Force -Path $DestinationRoot, $logRoot, $reportRoot | Out-Null
-  $results = foreach ($job in $Jobs) {
+$results = foreach ($job in $Jobs) {
-    Invoke-RobocopyJob -Job $job -LogRoot $logRoot
+  Invoke-RobocopyJob -Job $job -LogRoot $logRoot
  }
  $reportPath = Join-Path $reportRoot ("nearline-pull-{0}.md" -f (Get-Date -Format "yyyy-MM-dd-HHmmss"))
  $lines = @()
  $lines += "# H:/ Nearline Pull Report - $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
  $lines += ""
  $lines += "- Source root: ``$SourceRoot``"
  $lines += "- Destination root: ``$DestinationRoot``"
  $lines += "- Mode: non-destructive copy, no ``/MIR``, no purge"
  $lines += ""
  $lines += "| Job | Exit code | Source | Destination | Log |"
  $lines += "|---|---:|---|---|---|"
  foreach ($result in $results) {
    $lines += "| $($result.Name) | $($result.ExitCode) | ``$($result.Source)`` | ``$($result.Destination)`` | ``$($result.Log)`` |"
  }
  $lines += ""
  $lines += "Expected critical artifacts after run:"
  $lines += ""
  $lines += "- ``borg-dumps/latest/immich.dump``"
  $lines += "- ``borg-dumps/latest/komodo-mongo.archive.gz``"
  $lines += "- ``git-bundles/gitea/latest-report.md``"
  $lines += "- ``git-bundles/gitea/micha/*.bundle``"
  $lines += ""
  $lines += "Bewusst NICHT in Nearline-Scope:"
  $lines += ""
  $lines += "- ``unraid-flash-config.tar.gz`` (hostseitig 0600 root:root; Restore aus Hetzner-Borg)"
  $lines | Set-Content -LiteralPath $reportPath -Encoding UTF8
  Write-Host "H:/ nearline pull completed."
  Write-Host "Report: $reportPath"
  Send-HealthcheckPing
  # Explizit erfolgreich beenden: sonst leakt der letzte robocopy-Exitcode
  # (1 = "Dateien kopiert") als Prozess-Exit und der Scheduled Task meldet
  # 0x1, obwohl der Lauf sauber war.
  exit 0
 } catch {
  Send-HealthcheckPing "/fail"
  throw
 }
 $reportPath = Join-Path $reportRoot ("nearline-pull-{0}.md" -f (Get-Date -Format "yyyy-MM-dd-HHmmss"))
 $lines = @()
 $lines += "# H:/ Nearline Pull Report - $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
 $lines += ""
 $lines += "- Source root: ``$SourceRoot``"
 $lines += "- Destination root: ``$DestinationRoot``"
 $lines += "- Mode: non-destructive copy, no ``/MIR``, no purge"
 $lines += ""
 $lines += "| Job | Exit code | Source | Destination | Log |"
 $lines += "|---|---:|---|---|---|"
 foreach ($result in $results) {
  $lines += "| $($result.Name) | $($result.ExitCode) | ``$($result.Source)`` | ``$($result.Destination)`` | ``$($result.Log)`` |"
 }
 $lines += ""
 $lines += "Expected critical artifacts after run:"
 $lines += ""
 $lines += "- ``borg-dumps/latest/immich.dump``"
 $lines += "- ``borg-dumps/latest/komodo-mongo.archive.gz``"
 $lines += "- ``git-bundles/gitea/latest-report.md``"
 $lines += "- ``git-bundles/gitea/micha/*.bundle``"
 $lines += ""
 $lines += "Bewusst NICHT in Nearline-Scope:"
 $lines += ""
 $lines += "- ``unraid-flash-config.tar.gz`` (hostseitig 0600 root:root; Restore aus Hetzner-Borg)"
 $lines | Set-Content -LiteralPath $reportPath -Encoding UTF8
 Write-Host "H:/ nearline pull completed."
 Write-Host "Report: $reportPath"
@@ -1,4 +1,4 @@
-FROM nousresearch/hermes-agent:v2026.6.19
+FROM nousresearch/hermes-agent:v2026.6.5
 USER root
@@ -45,13 +45,13 @@
      "description": "VPN / Remote-Zugang",
      "tier": 1,
      "category": "core",
-      "container_name": null,
+      "container_name": "tailscale",
      "dependencies": [],
      "url": null,
      "dump_file": null,
-      "data_paths": ["/boot/config/plugins/tailscale/state"],
+      "data_paths": ["/mnt/user/appdata/tailscale"],
-      "first_check": "Tailscale Status auf Host pruefen; native Unraid-Plugin-Instanz und Subnet-Route aktiv?",
+      "first_check": "Tailscale Status auf Host pruefen; State-Datei fuer Key-Renewal vorhanden?",
-      "notes": "Natives Unraid-Plugin, nicht Docker/Komodo-verwaltet; State liegt im Flash-Backup. Alter Docker-State ist archiviert unter /mnt/user/appdata/_archive/tailscale-removed-2026-06-06/"
+      "notes": "network_mode: host; NET_ADMIN, NET_RAW, /dev/net/tun — dokumentierte VPN-Ausnahmen"
    },
    "gitea": {
      "description": "Git-Server — operative Quelle der Wahrheit fuer GitOps",
@@ -75,14 +75,14 @@ services:
    description: VPN / Remote-Zugang
    tier: 1
    category: core
-    container_name: null
+    container_name: tailscale
    dependencies: []
    url: null
    dump_file: null
    data_paths:
-      - /boot/config/plugins/tailscale/state
+      - /mnt/user/appdata/tailscale
-    first_check: "Tailscale Status auf Host pruefen; native Unraid-Plugin-Instanz und Subnet-Route aktiv?"
+    first_check: "Tailscale Status auf Host pruefen; State-Datei fuer Key-Renewal vorhanden?"
-    notes: "Natives Unraid-Plugin, nicht Docker/Komodo-verwaltet; State liegt im Flash-Backup. Alter Docker-State ist archiviert unter /mnt/user/appdata/_archive/tailscale-removed-2026-06-06/"
+    notes: "network_mode: host; NET_ADMIN, NET_RAW, /dev/net/tun — dokumentierte VPN-Ausnahmen"
  gitea:
    description: Git-Server — operative Quelle der Wahrheit fuer GitOps
@@ -74,13 +74,6 @@ services:
      - traefik.http.routers.komodo.tls=true
      - traefik.http.routers.komodo.tls.certresolver=le
      - traefik.http.services.komodo.loadbalancer.server.port=9120
      # Audit 2026-06-23 (P1): Komodo war public mit 200 erreichbar + RW-Docker-Socket-Kette.
      # IP-Allowlist begrenzt den GANZEN Router auf Tailnet + LAN (public -> 403). KEINE ForwardAuth
      # (Webhooks/Periphery laufen intern ueber komodo-core:9120, nicht ueber Traefik).
      # ACHTUNG: Self-Stack ist inline in Komodo verwaltet -> diese Labels muessen in der Komodo-UI
      # am Inline-Compose gesetzt werden; diese Datei ist nur Spiegel.
      - traefik.http.routers.komodo.middlewares=komodo-allowlist@docker
      - traefik.http.middlewares.komodo-allowlist.ipallowlist.sourcerange=100.64.0.0/10,192.168.178.0/24
    security_opt:
      - no-new-privileges:true
@@ -59,7 +59,7 @@ Stand 2026-06-11 ist der Betrieb auf V1+ (validierte Bash-Host-Jobs mit ntfy):
 # Frische-Check
 bash /mnt/user/services/homelab-infra/ops/restore-tests/run-restore-checks.sh freshness
-# Dienst-Restore-Check (vaultwarden|gitea|paperless|immich|authelia|adguard|redis|homeassistant|komodo-bootstrap|nextcloud|hetzner-snapshot)
+# Dienst-Restore-Check (vaultwarden|gitea|paperless|immich|authelia|adguard|redis|komodo-bootstrap|nextcloud)
 bash /mnt/user/services/homelab-infra/ops/restore-tests/run-restore-checks.sh <dienst>
 # Negativtest des Alarmwegs (quartalsweise)
@@ -77,9 +77,7 @@ Einziger Status-Ort ist die **Reifegrad-Tabelle** in `docs/RESTORE_MATRIX.md`
 - **Nextcloud:** Test am 2026-06-03 erfolgreich, aber mit Unraid-shfs-Eigenheit: Nextcloud fuehrt `chmod()` unter `/var/www/html` aus, was auf FUSE/shfs scheitert. Das Skript patcht `check_data_directory_permissions: false` und legt den `.ncdata`-Marker an.
 - **Authelia:** bewusst Config-Smoke ohne produktiven Dump-Restore (Storage-Encryption-Key-Kopplung).
 - **Immich:** Foto-Dateien-Restore ist bewusst nicht Teil des Smokes (separater DR-Drill); Test-Postgres nutzt das produktive VectorChord-Image.
 - **Home Assistant:** nutzt das neueste HA-native Backup-Artefakt und eine Kopie der Mosquitto-Appdata; Testcontainer laufen nur auf localhost-Ports, ohne Traefik/Public Route.
 - **Unraid-Flash / Tailscale:** noch ohne vollstaendigen Erstlauf - `unraid-flash-runbook.md`, `tailscale-runbook.md`; offene Schritte in `docs/MASTER_TODO.md`.
 - **Hetzner-Snapshot:** Infrastruktur-Test (kein Service-Restore): prueft `.zfs/snapshot` der Storage Box (Existenz, Retention, Einzeldatei-Restore) und belegt den snapshot-basierten Off-site-Schutz. Dispatcher `hetzner-snapshot`, Runbook `hetzner-snapshot-runbook.md`. Live validiert 2026-06-23 (7 Snapshots, Einzeldatei-Restore ok); monatlich im `schedule.md`.
 ## Naechste Ausbaustufen
@@ -1,6 +1,6 @@
 services:
  restoretest-adguard:
-    image: adguard/adguardhome:v0.107.77@sha256:e6f2b8bcda06064ab055b44933a4f0e983c35558b9cdb8d2e7ab1efcee36d890
+    image: adguard/adguardhome:v0.107.76@sha256:7157eb1dc3b26c7af1d6898759a7b3f7d0fa09891fbd2d3caa6abc1057a9179b
    container_name: restoretest-adguard
    restart: "no"
    ports:
@@ -6,7 +6,6 @@ param(
 )
 $checks = @(
  @{ Name = "postgresql17-globals.sql"; Path = Join-Path $DumpRoot "postgresql17-globals.sql" },
  @{ Name = "postgresql17-paperless.dump"; Path = Join-Path $DumpRoot "postgresql17-paperless.dump" },
  @{ Name = "postgresql17-mailarchiver.dump"; Path = Join-Path $DumpRoot "postgresql17-mailarchiver.dump" },
  @{ Name = "mealie.dump"; Path = Join-Path $DumpRoot "mealie.dump" },
@@ -14,7 +13,6 @@ $checks = @(
  @{ Name = "nextcloud.dump"; Path = Join-Path $DumpRoot "nextcloud.dump" },
  @{ Name = "gitea.sqlite.dump"; Path = Join-Path $DumpRoot "gitea.sqlite.dump" },
  @{ Name = "vaultwarden.sqlite.dump"; Path = Join-Path $DumpRoot "vaultwarden.sqlite.dump" },
  @{ Name = "n8n.sqlite.dump"; Path = Join-Path $DumpRoot "n8n.sqlite.dump" },
  @{ Name = "speedtest-tracker.sqlite.dump"; Path = Join-Path $DumpRoot "speedtest-tracker.sqlite.dump" },
  @{ Name = "filebrowser.bolt.dump"; Path = Join-Path $DumpRoot "filebrowser.bolt.dump" },
  @{ Name = "unraid-flash-config.tar.gz"; Path = Join-Path $DumpRoot "unraid-flash-config.tar.gz" }
@@ -89,7 +89,6 @@ check_pg_header() {
 }
 for dump in \
  postgresql17-globals.sql \
  postgresql17-paperless.dump \
  postgresql17-mailarchiver.dump \
  mealie.dump \
@@ -97,7 +96,6 @@ for dump in \
  nextcloud.dump \
  gitea.sqlite.dump \
  vaultwarden.sqlite.dump \
  n8n.sqlite.dump \
  speedtest-tracker.sqlite.dump \
  filebrowser.bolt.dump \
  unraid-flash-config.tar.gz; do
@@ -1,187 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 # Hetzner Storage Box Snapshot Restore Test
 #
 # Belegt, dass der Off-site-Schutz wirklich greift. Append-only ist bewusst NICHT
 # umgesetzt (DECISIONS 2026-06-01); der Schutz ist snapshot-basiert (DECISIONS
 # 2026-06-11): operative Borg-Creds koennen weiter prune/compact, die ZFS-
 # Snapshots der Storage Box sind hostseitig aber nicht loeschbar. Dieser Test
 # macht den am 2026-06-23 manuell gefuehrten Beweis wiederholbar und ueberwachbar.
 #
 # Scope (READ-ONLY gegen die Storage Box, ueber den borg-ui-Container):
 #   1. .zfs/snapshot/ listen -> Anzahl + neuesten Snapshot bestimmen (Retention)
 #   2. Alter des neuesten Snapshots aus dem Namen pruefen (Automatic-<ISO>)
 #   3. eine kleine Datei (Borg-Repo `README`) aus dem neuesten Snapshot per SFTP
 #      in den Container nach /tmp holen, Groesse + SHA256 pruefen, danach loeschen
 #   4. Report nach /mnt/user/backups/restore-reports/
 #
 # KEIN Schreibzugriff auf die Box, kein borg prune/compact, keine produktiven Pfade.
 #
 # Verbindung wird aus der in borg-ui konfigurierten Borg-Repo-URL abgeleitet
 # (kein Secret im Skript). SSH-Key + known_hosts liegen bereits im borg-ui-
 # Container und werden via BORG_RSH-Konvention genutzt.
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 . "$SCRIPT_DIR/common.sh"
 WHATIF=0
 for arg in "$@"; do
  case "$arg" in
    --what-if) WHATIF=1 ;;
    *) echo "Unknown argument: $arg" >&2; exit 1 ;;
  esac
 done
 REPORT_ROOT="/mnt/user/backups/restore-reports"
 REPORT_FILE="$REPORT_ROOT/hetzner-snapshot-$(date +%F).md"
 # Erwartungswerte = Zielbild lt. DECISIONS 2026-06-11 (taeglich, Retention 7 Tage).
 MIN_SNAPSHOTS="${MIN_SNAPSHOTS:-5}"
 MAX_SNAPSHOT_AGE_HOURS="${MAX_SNAPSHOT_AGE_HOURS:-48}"
 SNAPSHOT_DIR="${SNAPSHOT_DIR:-.zfs/snapshot}"
 PROBE_FILE="${PROBE_FILE:-README}"          # jede Borg-Repo-Wurzel hat README + config
 SNAPSHOT_NAME_GLOB="${SNAPSHOT_NAME_GLOB:-Automatic-}"
 # Zusaetzliche ssh/sftp-Optionen; Default nutzt borg-uis known_hosts wie BORG_RSH.
 SNAPSHOT_SSH_OPTS="${SNAPSHOT_SSH_OPTS:--o UserKnownHostsFile=/data/known_hosts -o StrictHostKeyChecking=yes -o BatchMode=yes}"
 PROBE_TMP_DIR="${PROBE_TMP_DIR:-/tmp/hetzner-snapshot-probe}"
 if [ "$WHATIF" -eq 1 ]; then
  cat <<EOF
 Hetzner Storage Box snapshot restore test
 Mode: WhatIf
 Container: $BORG_CONTAINER
 Snapshot dir (rel. login home): $SNAPSHOT_DIR
 Probe file: <repo>/$PROBE_FILE
 Min snapshots: $MIN_SNAPSHOTS
 Max age (h): $MAX_SNAPSHOT_AGE_HOURS
 Scope: list snapshots + SFTP get one small file from newest snapshot + sha256
 Note: connection derived from borg-ui repo URL; no productive write.
 EOF
  exit 0
 fi
 require_cmd docker
 require_cmd date
 require_borg_container
 # --- Borg-Repo-URL aus borg-ui-DB; daraus user/host/port + Repo-Verzeichnis ----
 repo="$(borg_repo_url)"
 if [ -z "$repo" ]; then
  echo "Could not resolve Borg repo URL from borg-ui database" >&2
  exit 1
 fi
 # Unterstuetzte Formen:  ssh://user@host:port/./reldir   |   user@host:reldir
 proto_stripped="${repo#ssh://}"
 if [ "$proto_stripped" != "$repo" ]; then
  userhostport="${proto_stripped%%/*}"
  repo_path="/${proto_stripped#*/}"
 else
  userhostport="${proto_stripped%%:*}"
  repo_path="${proto_stripped#*:}"
 fi
 ssh_user="${userhostport%%@*}"
 hostport="${userhostport#*@}"
 ssh_host="${hostport%%:*}"
 if [ "$hostport" = "$ssh_host" ]; then ssh_port=22; else ssh_port="${hostport##*:}"; fi
 # Repo-Verzeichnis relativ zum Login-Home: fuehrende /, ./ und /./ entfernen
 repo_dir="$repo_path"
 repo_dir="${repo_dir#/}"; repo_dir="${repo_dir#./}"; repo_dir="${repo_dir#/}"
 if [ -z "$ssh_user" ] || [ -z "$ssh_host" ] || [ -z "$repo_dir" ]; then
  echo "Could not parse user/host/repo-dir from repo URL: $repo" >&2
  exit 1
 fi
 run_sftp() { # liest Batch-Kommandos von stdin
  # shellcheck disable=SC2086
  docker exec -i "$BORG_CONTAINER" sftp -q -P "$ssh_port" $SNAPSHOT_SSH_OPTS -b - "$ssh_user@$ssh_host"
 }
 # --- 1) Snapshots listen --------------------------------------------------------
 snap_list="$(printf 'ls -1 %s\nbye\n' "$SNAPSHOT_DIR" | run_sftp 2>/dev/null \
  | tr -d '\r' | grep -F "$SNAPSHOT_NAME_GLOB" | sed 's#.*/##' | sort -u || true)"
 if [ -z "$snap_list" ]; then
  echo "No snapshots found in $SNAPSHOT_DIR on $ssh_host (glob: $SNAPSHOT_NAME_GLOB)" >&2
  exit 1
 fi
 snap_count="$(printf '%s\n' "$snap_list" | grep -c . || true)"
 newest="$(printf '%s\n' "$snap_list" | sort | tail -n 1)"
 # --- 2) Alter des neuesten Snapshots aus dem Namen ableiten ---------------------
 # Format: Automatic-YYYY-MM-DDTHH-MM-SS
 age_hours="unknown"
 ts="${newest#${SNAPSHOT_NAME_GLOB}}"
 date_part="${ts%%T*}"
 time_part="${ts#*T}"
 time_colons="$(printf '%s' "$time_part" | tr '-' ':')"
 if snap_epoch="$(date -d "$date_part $time_colons" +%s 2>/dev/null)"; then
  now_epoch="$(date +%s)"
  age_hours="$(( (now_epoch - snap_epoch) / 3600 ))"
 fi
 # --- 3) Einzeldatei aus dem neuesten Snapshot holen + pruefen -------------------
 remote_probe="$SNAPSHOT_DIR/$newest/$repo_dir/$PROBE_FILE"
 docker exec -i "$BORG_CONTAINER" sh -c "rm -rf '$PROBE_TMP_DIR' && mkdir -p '$PROBE_TMP_DIR'"
 probe_ok="no"
 probe_size=0
 probe_sha256="n/a"
 if printf 'get %s %s/%s\nbye\n' "$remote_probe" "$PROBE_TMP_DIR" "$PROBE_FILE" | run_sftp 2>/dev/null; then
  if docker exec -i "$BORG_CONTAINER" test -s "$PROBE_TMP_DIR/$PROBE_FILE"; then
    probe_ok="yes"
    probe_size="$(docker exec -i "$BORG_CONTAINER" stat -c '%s' "$PROBE_TMP_DIR/$PROBE_FILE" 2>/dev/null || echo 0)"
    probe_sha256="$(docker exec -i "$BORG_CONTAINER" sha256sum "$PROBE_TMP_DIR/$PROBE_FILE" 2>/dev/null | awk '{print $1}' || echo n/a)"
  fi
 fi
 # Temp im Container wieder loeschen (kein Datenrest)
 docker exec -i "$BORG_CONTAINER" rm -rf "$PROBE_TMP_DIR" >/dev/null 2>&1 || true
 # --- Bewertung ------------------------------------------------------------------
 result="SUCCESS"
 fail_reason=""
 if [ "$probe_ok" != "yes" ]; then
  result="FAILED"; fail_reason="Einzeldatei-Restore aus Snapshot fehlgeschlagen ($remote_probe)"
 elif [ "$snap_count" -lt "$MIN_SNAPSHOTS" ]; then
  result="FAILED"; fail_reason="Zu wenige Snapshots: $snap_count < $MIN_SNAPSHOTS"
 elif [ "$age_hours" != "unknown" ] && [ "$age_hours" -gt "$MAX_SNAPSHOT_AGE_HOURS" ]; then
  result="FAILED"; fail_reason="Neuester Snapshot zu alt: ${age_hours}h > ${MAX_SNAPSHOT_AGE_HOURS}h"
 fi
 write_report "$REPORT_FILE" <<EOF
 # Hetzner Storage Box Snapshot Restore Test - $(date +%F)
 - Scope: \`Off-site Snapshot-Schutz (nicht append-only)\`
 - Storage Box host: \`$ssh_host\`
 - Borg repo dir: \`$repo_dir\`
 - Snapshot dir: \`$SNAPSHOT_DIR\`
 - Result: \`$result\`
 ## Checks
 - Snapshots gefunden: \`$snap_count\` (min \`$MIN_SNAPSHOTS\`)
 - Neuester Snapshot: \`$newest\`
 - Alter neuester Snapshot: \`${age_hours}h\` (max \`${MAX_SNAPSHOT_AGE_HOURS}h\`)
 - Probe-Datei: \`$repo_dir/$PROBE_FILE\`
 - Einzeldatei-Restore aus Snapshot: \`$probe_ok\`
 - Probe-Groesse: \`${probe_size} B\`
 - Probe-SHA256: \`$probe_sha256\`
 $( [ -n "$fail_reason" ] && echo "- Fehlergrund: \`$fail_reason\`" )
 ## Notes
 - READ-ONLY: nur \`ls\` + \`get\` einer kleinen Datei via SFTP; kein Schreibzugriff,
  kein borg prune/compact, keine produktiven Pfade.
 - Verbindung aus der borg-ui-Repo-URL abgeleitet; Secrets/known_hosts bleiben im Container.
 - Schutzmodell ist snapshot-basiert, append-only bewusst nicht (DECISIONS 2026-06-01/-11).
 EOF
 if [ "$result" != "SUCCESS" ]; then
  echo "Hetzner snapshot restore test FAILED: $fail_reason -> $REPORT_FILE" >&2
  exit 1
 fi
 echo "Hetzner snapshot restore test ok ($snap_count snapshots, newest $newest, probe ${probe_size}B) -> $REPORT_FILE"
@@ -1,44 +0,0 @@
 # Hetzner Storage Box Snapshot Restore - Runbook
 Typ: Runbook · Stand: 2026-06-23 · Status: aktiv (live validiert 2026-06-23)
 Belegt den Off-site-Schutz der Hetzner Storage Box. Append-only ist bewusst NICHT
 umgesetzt (DECISIONS 2026-06-01); der Schutz ist snapshot-basiert (DECISIONS
 2026-06-11): operative Borg-Creds koennen weiter `prune`/`compact`, die ZFS-
 Snapshots der Box sind hostseitig nicht loeschbar (taeglich 05:30 UTC, Retention 7 Tage).
 ## Was der Test tut
 `ops/restore-tests/hetzner-snapshot-restore-test.sh` (Dispatcher: `hetzner-snapshot`):
 1. listet `.zfs/snapshot/` auf der Box (READ-ONLY, via SFTP aus dem `borg-ui`-Container)
 2. zaehlt Snapshots (Retention) + prueft das Alter des neuesten aus dessen Namen
 3. holt eine kleine Datei (`<repo>/README`) aus dem neuesten Snapshot, prueft Groesse + SHA256
 4. loescht die Temp-Datei und schreibt einen Report nach `/mnt/user/backups/restore-reports/`
 Verbindung (user/host/port/Repo-Verzeichnis) wird aus der in `borg-ui` konfigurierten
 Borg-Repo-URL abgeleitet; SSH-Key + `known_hosts` liegen bereits im Container. Kein
 Secret im Skript, kein Schreibzugriff, kein `prune`/`compact`.
 ## Manuell belegter Referenzlauf (2026-06-23, Codex)
 - Box `u565255.your-storagebox.de`, `.zfs/snapshot` sichtbar
 - Snapshots `2026-06-17`..`2026-06-23`, je `05:30` -> 7 Tage Retention
 - neuester: `Automatic-2026-06-23T05-30-24`
 - Probe `hetzner_borg_appdata_critical/README`, 73 B, SHA256 erzeugt, Temp geloescht
 ## Live-Validierung (2026-06-23, Codex): erfolgreich
 Erstlauf ohne ENV-Anpassung gruen (`SUCCESS`), Defaults passten direkt:
 - Report: `/mnt/user/backups/restore-reports/hetzner-snapshot-2026-06-23.md`
 - 7 Snapshots gefunden, neuester `Automatic-2026-06-23T05-30-24`
 - Einzeldatei-Restore aus `.zfs/snapshot` erfolgreich
 ENV-Override (`SNAPSHOT_DIR`, `PROBE_FILE`, `SNAPSHOT_NAME_GLOB`,
 `SNAPSHOT_SSH_OPTS`, `MIN_SNAPSHOTS`, `MAX_SNAPSHOT_AGE_HOURS`) bleibt fuer
 kuenftige Abweichungen verfuegbar.
 **Verbleibender Host-Schritt (Codex/Du):** Unraid-User-Script
 `restore-hetzner-snapshot-monthly` anlegen (Cron `0 6 15 * *`), Vorlage in
 `unraid-user-scripts.md`.
@@ -1,29 +0,0 @@
 services:
  restoretest-ha-mosquitto:
    image: eclipse-mosquitto:2.0.22@sha256:914f529386804c8278a4e581526b9be5e1604df44b30daabc70aa97dcefe5268
    container_name: restoretest-ha-mosquitto
    restart: "no"
    volumes:
      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/mosquitto/appdata/config:/mosquitto/external_config:ro
      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/mosquitto/appdata/data:/mosquitto/data
      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/mosquitto/appdata/log:/mosquitto/log
    ports:
      - "127.0.0.1:11883:1883"
    security_opt:
      - no-new-privileges:true
  restoretest-homeassistant:
    image: ghcr.io/home-assistant/home-assistant:2026.6.1@sha256:59aa8824955c9db491b75d2eebe42bd68494f80c2ec69ec0d66d9dae37d37514
    container_name: restoretest-homeassistant
    restart: "no"
    depends_on:
      - restoretest-ha-mosquitto
    environment:
      TZ: Europe/Berlin
    volumes:
      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/homeassistant/config:/config
    ports:
      - "127.0.0.1:18123:8123"
    security_opt:
      - no-new-privileges:true
@@ -1,236 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 # Home Assistant + Mosquitto Restore Smoke Test
 #
 # Scope:
 # - Restore aus dem neuesten HA-nativen Backup-Artefakt
 # - Kopie der Mosquitto-Appdata in ein isoliertes Restore-Lab
 # - Kopie des Fachrepo-Clones zur Lesbarkeits-/Git-Status-Pruefung
 # - Start isolierter Testcontainer auf localhost-Ports, ohne Traefik/Public Route
 # - HA HTTP/API-Smoke und MQTT Publish/Subscribe + retained Topic nach Restart
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 . "$SCRIPT_DIR/common.sh"
 WHATIF=0
 KEEP_DATA=0
 for arg in "$@"; do
  case "$arg" in
    --what-if) WHATIF=1 ;;
    --keep-data) KEEP_DATA=1 ;;
    *) echo "Unknown argument: $arg" >&2; exit 1 ;;
  esac
 done
 RESTORE_ROOT="/mnt/user/backups/restore-lab/homeassistant"
 REPORT_ROOT="/mnt/user/backups/restore-reports"
 REPORT_FILE="$REPORT_ROOT/homeassistant-$(date +%F).md"
 COMPOSE_FILE="$SCRIPT_DIR/homeassistant-compose.test.yml"
 HA_BACKUP_DIR="/mnt/user/appdata/homeassistant/backups"
 MOSQUITTO_APPDATA="/mnt/user/appdata/mosquitto"
 MOSQUITTO_REPO_CONF="/mnt/user/services/homelab-infra/smart-home/mosquitto/config/mosquitto.conf"
 FACHREPO_SOURCE="/mnt/user/services/smart-home-kalli"
 HA_TOKEN_FILE="/mnt/user/appdata/secrets/ha_token_codex"
 if [ "$WHATIF" -eq 1 ]; then
  cat <<EOF
 Home Assistant restore test
 Mode: WhatIf
 RestoreRoot: $RESTORE_ROOT
 HA backup source: newest *.tar under $HA_BACKUP_DIR
 Mosquitto source: $MOSQUITTO_APPDATA
 Fachrepo source: $FACHREPO_SOURCE
 Test endpoints: HA http://127.0.0.1:18123, MQTT 127.0.0.1:11883
 Scope: HA backup extract + isolated HA boot + API token smoke + MQTT auth/retained smoke
 EOF
  exit 0
 fi
 require_cmd docker
 require_cmd tar
 require_cmd curl
 require_path "$COMPOSE_FILE"
 require_path "$HA_BACKUP_DIR"
 require_path "$MOSQUITTO_APPDATA/config/passwordfile"
 require_path "$MOSQUITTO_APPDATA/config/aclfile"
 require_path "$MOSQUITTO_APPDATA/data"
 require_path "$MOSQUITTO_REPO_CONF"
 require_path "$FACHREPO_SOURCE"
 require_path "$HA_TOKEN_FILE"
 RESTORE_SUCCESS=0
 cleanup() {
  RESTORE_ROOT="$RESTORE_ROOT" cleanup_compose "$COMPOSE_FILE"
  if [ "$RESTORE_SUCCESS" -ne 1 ]; then
    preserve_on_failure "homeassistant" "$RESTORE_ROOT"
    return
  fi
  if [ "$KEEP_DATA" -ne 1 ]; then
    rm -rf "$RESTORE_ROOT"
  fi
 }
 trap cleanup EXIT
 latest_backup="$(find "$HA_BACKUP_DIR" -maxdepth 1 -type f -name '*.tar' -printf '%T@ %p\n' | sort -nr | awk 'NR==1 {print substr($0, index($0,$2))}')"
 if [ -z "$latest_backup" ] || [ ! -f "$latest_backup" ]; then
  echo "No HA native backup tar found under $HA_BACKUP_DIR" >&2
  exit 1
 fi
 rm -rf "$RESTORE_ROOT"
 mkdir -p \
  "$RESTORE_ROOT/ha-backup" \
  "$RESTORE_ROOT/homeassistant/config" \
  "$RESTORE_ROOT/mosquitto/config" \
  "$RESTORE_ROOT/mosquitto/appdata/config" \
  "$RESTORE_ROOT/mosquitto/appdata/data" \
  "$RESTORE_ROOT/mosquitto/appdata/log" \
  "$RESTORE_ROOT/fachrepo"
 tar -xf "$latest_backup" -C "$RESTORE_ROOT/ha-backup"
 require_path "$RESTORE_ROOT/ha-backup/backup.json"
 require_path "$RESTORE_ROOT/ha-backup/homeassistant.tar.gz"
 tar -xzf "$RESTORE_ROOT/ha-backup/homeassistant.tar.gz" -C "$RESTORE_ROOT/homeassistant/config" --strip-components=1 data
 cp "$MOSQUITTO_REPO_CONF" "$RESTORE_ROOT/mosquitto/config/mosquitto.conf"
 cp -a "$MOSQUITTO_APPDATA/config/." "$RESTORE_ROOT/mosquitto/appdata/config/"
 cp -a "$MOSQUITTO_APPDATA/data/." "$RESTORE_ROOT/mosquitto/appdata/data/"
 if [ -d "$MOSQUITTO_APPDATA/log" ]; then
  cp -a "$MOSQUITTO_APPDATA/log/." "$RESTORE_ROOT/mosquitto/appdata/log/" || true
 fi
 cp -a "$FACHREPO_SOURCE/." "$RESTORE_ROOT/fachrepo/"
 ha_config="$RESTORE_ROOT/homeassistant/config"
 require_path "$ha_config/configuration.yaml"
 require_path "$ha_config/secrets.yaml"
 require_path "$ha_config/trusted_proxies.yaml"
 require_path "$ha_config/.storage/onboarding"
 require_path "$ha_config/.storage/auth"
 fachrepo_head="$(git -C "$RESTORE_ROOT/fachrepo" log -1 --oneline)"
 fachrepo_status="$(git -C "$RESTORE_ROOT/fachrepo" status --short)"
 if [ -n "$fachrepo_status" ]; then
  echo "Restored fachrepo clone is not clean:" >&2
  echo "$fachrepo_status" >&2
  exit 1
 fi
 backup_size="$(stat -c '%s' "$latest_backup")"
 ha_file_count="$(find "$ha_config" -type f | wc -l | tr -d ' ')"
 ha_bytes="$(du -sb "$ha_config" | awk '{print $1}')"
 mosquitto_data_bytes="$(du -sb "$RESTORE_ROOT/mosquitto/appdata" | awk '{print $1}')"
 RESTORE_ROOT="$RESTORE_ROOT" docker compose -f "$COMPOSE_FILE" down >/dev/null 2>&1 || true
 RESTORE_ROOT="$RESTORE_ROOT" docker compose -f "$COMPOSE_FILE" up -d >/dev/null
 mqtt_user="$(sed -n 's/^mqtt_username:[[:space:]]*//p' "$ha_config/secrets.yaml" | sed "s/^['\"]//;s/['\"]$//")"
 mqtt_pass="$(sed -n 's/^mqtt_password:[[:space:]]*//p' "$ha_config/secrets.yaml" | sed "s/^['\"]//;s/['\"]$//")"
 if [ -z "$mqtt_user" ] || [ -z "$mqtt_pass" ]; then
  echo "Missing mqtt_username or mqtt_password in restored HA secrets.yaml" >&2
  exit 1
 fi
 mqtt_topic="restoretest/homeassistant/smoke"
 mqtt_payload="ok-$(date +%s)"
 mqtt_out="$RESTORE_ROOT/mqtt-sub.out"
 rm -f "$mqtt_out"
 docker exec -e MQTT_USER="$mqtt_user" -e MQTT_PASS="$mqtt_pass" -e MQTT_TOPIC="$mqtt_topic" \
  restoretest-ha-mosquitto sh -lc \
  'mosquitto_sub -h 127.0.0.1 -p 1883 -u "$MQTT_USER" -P "$MQTT_PASS" -t "$MQTT_TOPIC" -C 1 -W 10' \
  > "$mqtt_out" &
 sub_pid=$!
 sleep 1
 docker exec -e MQTT_USER="$mqtt_user" -e MQTT_PASS="$mqtt_pass" -e MQTT_TOPIC="$mqtt_topic" -e MQTT_PAYLOAD="$mqtt_payload" \
  restoretest-ha-mosquitto sh -lc \
  'mosquitto_pub -h 127.0.0.1 -p 1883 -u "$MQTT_USER" -P "$MQTT_PASS" -t "$MQTT_TOPIC" -m "$MQTT_PAYLOAD"'
 wait "$sub_pid"
 mqtt_result="$(cat "$mqtt_out")"
 if [ "$mqtt_result" != "$mqtt_payload" ]; then
  echo "MQTT publish/subscribe smoke failed" >&2
  exit 1
 fi
 retained_topic="restoretest/homeassistant/retained"
 retained_payload="retained-$(date +%s)"
 docker exec -e MQTT_USER="$mqtt_user" -e MQTT_PASS="$mqtt_pass" -e MQTT_TOPIC="$retained_topic" -e MQTT_PAYLOAD="$retained_payload" \
  restoretest-ha-mosquitto sh -lc \
  'mosquitto_pub -h 127.0.0.1 -p 1883 -u "$MQTT_USER" -P "$MQTT_PASS" -t "$MQTT_TOPIC" -m "$MQTT_PAYLOAD" -r'
 docker restart restoretest-ha-mosquitto >/dev/null
 sleep 3
 retained_result="$(docker exec -e MQTT_USER="$mqtt_user" -e MQTT_PASS="$mqtt_pass" -e MQTT_TOPIC="$retained_topic" \
  restoretest-ha-mosquitto sh -lc \
  'mosquitto_sub -h 127.0.0.1 -p 1883 -u "$MQTT_USER" -P "$MQTT_PASS" -t "$MQTT_TOPIC" -C 1 -W 10' | tr -d '\r')"
 if [ "$retained_result" != "$retained_payload" ]; then
  echo "MQTT retained smoke failed" >&2
  exit 1
 fi
 ha_http_status=""
 ha_body="$RESTORE_ROOT/ha-http-body.html"
 for _ in $(seq 1 180); do
  ha_http_status="$(curl -sS -o "$ha_body" -w '%{http_code}' http://127.0.0.1:18123/ || true)"
  if [ "$ha_http_status" = "200" ] && grep -qi "Home Assistant" "$ha_body"; then
    break
  fi
  sleep 1
 done
 if [ "$ha_http_status" != "200" ] || ! grep -qi "Home Assistant" "$ha_body"; then
  echo "HA HTTP smoke failed, status=$ha_http_status" >&2
  docker logs --tail 120 restoretest-homeassistant >&2 || true
  exit 1
 fi
 ha_api_status="$(curl -sS -o "$RESTORE_ROOT/ha-api.json" -w '%{http_code}' \
  -H "Authorization: Bearer $(cat "$HA_TOKEN_FILE")" \
  -H 'Content-Type: application/json' \
  http://127.0.0.1:18123/api/ || true)"
 if [ "$ha_api_status" != "200" ]; then
  echo "HA API token smoke failed, status=$ha_api_status" >&2
  exit 1
 fi
 RESTORE_ROOT="$RESTORE_ROOT" docker compose -f "$COMPOSE_FILE" exec -T restoretest-homeassistant \
  python -m homeassistant --script check_config --config /config >/tmp/restoretest-ha-check-config.out
 write_report "$REPORT_FILE" <<EOF
 # Home Assistant Restore Test Report - $(date +%F)
 - Service: \`homeassistant\` + \`smarthome-mosquitto\`
 - HA backup source: \`$latest_backup\`
 - Restore root: \`$RESTORE_ROOT\`
 - Test containers:
  - \`restoretest-homeassistant\`
  - \`restoretest-ha-mosquitto\`
 - Test endpoints:
  - HA: \`http://127.0.0.1:18123\`
  - MQTT: \`127.0.0.1:11883\`
 - Result: \`SUCCESS\`
 ## Checks
 - HA-native backup tar readable: \`ok\`
 - HA inner archive restored: \`ok\`
 - HA backup size bytes: \`$backup_size\`
 - Restored HA file count: \`$ha_file_count\`
 - Restored HA bytes: \`$ha_bytes\`
 - Restored Mosquitto appdata bytes: \`$mosquitto_data_bytes\`
 - Fachrepo clone clean: \`ok\`
 - Fachrepo HEAD: \`$fachrepo_head\`
 - HA HTTP status: \`$ha_http_status\`
 - HA API token smoke: \`$ha_api_status\`
 - HA check_config: \`ok\`
 - MQTT publish/subscribe with restored credentials: \`ok\`
 - MQTT retained topic after broker restart: \`ok\`
 ## Notes
 - Productive \`homeassistant\` and \`smarthome-mosquitto\` containers were not used.
 - Test ran without Traefik and without the productive domain.
 - Test ports were bound to localhost only.
 - Token and MQTT password values were used for smoke tests but not printed.
 - Test data was cleaned after success: \`$([ "$KEEP_DATA" -eq 1 ] && echo no || echo yes)\`
 EOF
 RESTORE_SUCCESS=1
 echo "Home Assistant restore test ok -> $REPORT_FILE"
@@ -55,12 +55,6 @@ case "$MODE" in
    fi
    exec "$SCRIPT_DIR/redis-restore-test.sh"
    ;;
  homeassistant)
    if [ "$WHATIF" = "--what-if" ]; then
      exec "$SCRIPT_DIR/homeassistant-restore-test.sh" --what-if
    fi
    exec "$SCRIPT_DIR/homeassistant-restore-test.sh"
    ;;
  nextcloud)
    if [ "$WHATIF" = "--what-if" ]; then
      exec "$SCRIPT_DIR/nextcloud-restore-test.sh" --what-if
@@ -103,14 +97,8 @@ case "$MODE" in
    fi
    exec "$SCRIPT_DIR/shared-pg-cluster-restore-test.sh"
    ;;
  hetzner-snapshot)
    if [ "$WHATIF" = "--what-if" ]; then
      exec "$SCRIPT_DIR/hetzner-snapshot-restore-test.sh" --what-if
    fi
    exec "$SCRIPT_DIR/hetzner-snapshot-restore-test.sh"
    ;;
  *)
-    echo "Usage: $0 {freshness|freshness-negative|vaultwarden|gitea|paperless|immich|authelia|adguard|redis|homeassistant|nextcloud|komodo-bootstrap|komodo-mongo-restore|traefik|mailarchiver|mealie|shared-pg-cluster|hetzner-snapshot} [--what-if]" >&2
+    echo "Usage: $0 {freshness|freshness-negative|vaultwarden|gitea|paperless|immich|authelia|adguard|redis|nextcloud|komodo-bootstrap|komodo-mongo-restore|traefik|mailarchiver|mealie|shared-pg-cluster} [--what-if]" >&2
    exit 1
    ;;
 esac
@@ -19,7 +19,6 @@ Monatlich:
 - `vaultwarden` Mini-Restore
 - `gitea` Mini-Restore, versetzt zum Vaultwarden-Lauf
 - `hetzner-snapshot` Storage-Box Snapshot-Restore-Test (read-only `.zfs/snapshot`; Erstlauf 2026-06-23 erfolgreich)
 Alle 2 Monate:
@@ -70,8 +69,6 @@ Immich am 2026-05-27; Paperless erneut am 2026-05-31; Authelia am
  - DR-/Restore-Sanity-Check
 - Quartalsweise am 2. Sonntag im zweiten Quartalsmonat, 08:30:
  - `immich`
 - Jeden 15. des Monats, 06:00:
  - `hetzner-snapshot`
 ## Unraid User Scripts Cron
@@ -86,7 +83,6 @@ Vixie-Cron (Unraid) verknuepft `day-of-month` und `day-of-week` mit **OR**, soba
 | `restore-authelia-bimonthly` | `30 7 * * 6` | `m=$(date +%-m); d=$(date +%-d); case "$m" in 2\|4\|6\|8\|10\|12) [ "$d" -ge 8 ] && [ "$d" -le 14 ];; *) false;; esac` | zweiter Samstag in geraden Monaten 07:30 |
 | `restore-immich-quarterly` | `30 8 * * 0` | `m=$(date +%-m); d=$(date +%-d); case "$m" in 2\|5\|8\|11) [ "$d" -ge 8 ] && [ "$d" -le 14 ];; *) false;; esac` | zweiter Sonntag in Feb/Mai/Aug/Nov 08:30 |
 | `monthly-random-restore` | `0 9 1 * *` | - | erster Kalendertag im Monat 09:00 |
 | `restore-hetzner-snapshot-monthly` | `0 6 15 * *` | - | 15. des Monats 06:00 (read-only Snapshot-Test) |
 **Warum so**: ein frueheres Schema wie `0 7 1-7 * 6` haette in Vixie-Cron die OR-Semantik ausgeloest und an jedem Tag 1-7 zusaetzlich zu jedem Samstag gefeuert (~11 Laeufe statt 1 pro Monat). Die obige Trennung Cron-Trigger + Shell-Guard ist die einzige robuste Loesung in Standard-Cron.
@@ -1,6 +1,6 @@
 services:
  scrutiny:
-    image: ghcr.io/starosdev/scrutiny:latest-omnibus@sha256:bf55bae54eb329d96261183ce4174a4000b6350a7a71dca704d3fef215d98199
+    image: ghcr.io/starosdev/scrutiny:latest-omnibus@sha256:228483f16a6236d2fa9b2fbfca2e76dc861e648fbc6ae6e680d23e5d00211a5d
    container_name: scrutiny
    restart: unless-stopped
    privileged: true
@@ -1,6 +1,6 @@
 services:
  speedtest-tracker:
-    image: lscr.io/linuxserver/speedtest-tracker:1.14.5@sha256:4c698dc3a5d989c8d92512600d303f23ff2e6e789c89674adb083372ac67fe2c
+    image: lscr.io/linuxserver/speedtest-tracker:1.14.3@sha256:c3750c40948a9360000ce62d694da92e85584b4ab6d3d9a9d1432d76fa5e0726
    container_name: speedtest-tracker
    restart: unless-stopped
    security_opt:
@@ -39,11 +39,10 @@
      "labels": ["dependencies", "minor-patch"]
    },
    {
-      "description": "Kritische Kerninfra (Traefik=Public-Entrypoint, AdGuard/Unbound=DNS, n8n, Nextcloud): nicht im Sammel-PR, eigene einzeln reviewbare PRs, kein Auto-Merge",
+      "description": "Kritische Kerninfra (Traefik=Public-Entrypoint, Unbound=DNS, n8n, Nextcloud): nicht im Sammel-PR, eigene einzeln reviewbare PRs, kein Auto-Merge",
      "matchManagers": ["docker-compose", "dockerfile"],
      "matchPackageNames": [
        "traefik",
        "adguard/adguardhome",
        "shaanmajid/unbound",
        "docker.n8n.io/n8nio/n8n",
        "nextcloud"
@@ -95,8 +94,7 @@
      "matchFileNames": [
        "infra/redis/docker-compose.yml",
        "apps/nextcloud/docker-compose.yml",
-        "apps/immich/docker-compose.yml",
+        "apps/immich/docker-compose.yml"
        "apps/dawarich/docker-compose.yml"
      ],
      "matchPackageNames": ["redis"],
      "allowedVersions": "/^8\\.\\d+\\.\\d+-alpine(?:\\d+\\.\\d+)?$/"
@@ -52,17 +52,6 @@ services:
      - traefik.http.routers.vaultwarden.tls=true
      - traefik.http.routers.vaultwarden.tls.certresolver=le
      - traefik.http.services.vaultwarden.loadbalancer.server.port=80
      # Audit 2026-06-23 (P1): /admin war public mit 200 erreichbar. Zweiter, hoeher
      # priorisierter Router scoped auf /admin und laesst nur Tailnet + LAN durch (sonst 403).
      # Hauptrouter oben bleibt nativ, damit Browser-/Mobile-Clients von ueberall funktionieren.
      - traefik.http.routers.vaultwarden-admin.rule=Host(`vault.kaleschke.info`) && PathPrefix(`/admin`)
      - traefik.http.routers.vaultwarden-admin.entrypoints=websecure
      - traefik.http.routers.vaultwarden-admin.tls=true
      - traefik.http.routers.vaultwarden-admin.tls.certresolver=le
      - traefik.http.routers.vaultwarden-admin.service=vaultwarden
      - traefik.http.routers.vaultwarden-admin.priority=100
      - traefik.http.routers.vaultwarden-admin.middlewares=vaultwarden-admin-allowlist@docker
      - traefik.http.middlewares.vaultwarden-admin-allowlist.ipallowlist.sourcerange=100.64.0.0/10,192.168.178.0/24
 networks:
  frontend_net:
@@ -30,7 +30,7 @@ parse_compose() {
      return value
    }
    function emit() {
-      if (service && image && !has_profile) {
+      if (service && image) {
        print clean(container) "\t" clean(image)
      }
    }
@@ -40,7 +40,6 @@ parse_compose() {
      sub(/:$/, "", service)
      image=""
      container=service
      has_profile=0
      next
    }
    service && /^    image:/ {
@@ -53,10 +52,6 @@ parse_compose() {
      sub(/^[[:space:]]*container_name:[[:space:]]*/, "", container)
      next
    }
    service && /^    profiles:/ {
      has_profile=1
      next
    }
    END { emit() }
  ' "$compose"
 }
@@ -13,7 +13,6 @@ CERT_MAX_ROWS="${CERT_MAX_ROWS:-12}"
 IMAGE_AGE_WARN_DAYS="${IMAGE_AGE_WARN_DAYS:-180}"
 IMAGE_AGE_ALLOW_FILE="${IMAGE_AGE_ALLOW_FILE:-/mnt/user/services/homelab-infra/services/posture-check/image-age-allow.patterns}"
 LOG_VOLUME_TOP_N="${LOG_VOLUME_TOP_N:-10}"
 LOG_VOLUME_OBSERVE_THRESHOLD="${LOG_VOLUME_OBSERVE_THRESHOLD:-100000}"
 DISK_USAGE_WARN_PCT="${DISK_USAGE_WARN_PCT:-85}"
 CERT_WARN_DAYS="${CERT_WARN_DAYS:-21}"
 BACKUP_DRIFT_FACTOR="${BACKUP_DRIFT_FACTOR:-2.0}"
@@ -24,8 +23,6 @@ MAIL_SCRIPT="${MAIL_SCRIPT:-/mnt/user/services/homelab-infra/services/posture-ch
 SEND_NTFY="${SEND_NTFY:-0}"
 NTFY_TOPIC="${NTFY_TOPIC:-homelab-info}"
 NTFY_SCRIPT="${NTFY_SCRIPT:-/mnt/user/services/homelab-infra/ops/restore-tests/send-ntfy.sh}"
 INCLUDE_WEATHER_REPORT="${INCLUDE_WEATHER_REPORT:-0}"
 WEATHER_REPORT_SCRIPT="${WEATHER_REPORT_SCRIPT:-/mnt/user/services/homelab-infra/services/posture-check/weather-day-report.sh}"
 BORG_CONTAINER="${BORG_CONTAINER:-borg-ui}"
 PROMETHEUS_CONTAINER="${PROMETHEUS_CONTAINER:-monitoring-prometheus}"
 TRAEFIK_ACME_PATH="${TRAEFIK_ACME_PATH:-/mnt/user/appdata/traefik/letsencrypt/acme.json}"
@@ -220,103 +217,6 @@ derive_report_status() {
  set_summary "report_status" "$REPORT_STATUS"
 }
 collect_weather_report() {
  [ "$INCLUDE_WEATHER_REPORT" = "1" ] || return 0
  append "## Wetterbericht"
  append ""
  if [ ! -f "$WEATHER_REPORT_SCRIPT" ]; then
    append "- Wetterbericht nicht erzeugt: Script fehlt unter \`$WEATHER_REPORT_SCRIPT\`."
    append ""
    record_section_error "weather" "Script $WEATHER_REPORT_SCRIPT fehlt"
    set_summary "weather_report_status" "missing-script"
    return 0
  fi
  local weather_out
  if weather_out="$(bash "$WEATHER_REPORT_SCRIPT" --heading-level 3 2>&1)"; then
    printf '%s\n\n' "$weather_out" >> "$BODY_PATH"
    set_summary "weather_report_status" "ok"
  else
    append "- Wetterbericht nicht erzeugt:"
    append ""
    append '```text'
    printf '%s\n' "$weather_out" >> "$BODY_PATH"
    append '```'
    append ""
    record_section_error "weather" "$(printf '%s' "$weather_out" | head -n 1 | shorten)"
    set_summary "weather_report_status" "failed"
  fi
 }
 print_status_reasons() {
  local count=0
  add_reason() {
    printf '%s\n' "- $1"
    count=$((count + 1))
  }
  [ "${borg_status:-unknown}" != "completed" ] && add_reason "Borg Backup ist \`${borg_status:-unknown}\` statt \`completed\`."
  [ "${prometheus_alerts:-0}" = "unknown" ] && add_reason "Prometheus Alerts konnten nicht sicher gelesen werden."
  [ "${cert_warnings:-0}" != "0" ] && add_reason "Zertifikatswarnungen: \`${cert_warnings:-0}\`."
  [ "${disk_warnings:-0}" != "0" ] && add_reason "Storage-Warnungen: \`${disk_warnings:-0}\`."
  if [ "${image_warnings:-0}" != "0" ]; then
    if [ -n "${image_warning_names:-}" ]; then
      add_reason "Image-Warnungen: \`${image_warnings:-0}\` (${image_warning_names})."
    else
      add_reason "Image-Warnungen: \`${image_warnings:-0}\`."
    fi
  fi
  [ "${containers_exited_nonzero:-0}" != "0" ] && add_reason "Container exited non-zero: \`${containers_exited_nonzero:-0}\`."
  [ "${host_recent_boot:-0}" = "1" ] && add_reason "Host-Reboot innerhalb der letzten 24 Stunden."
  [ "${backup_duration_drift:-0}" = "1" ] && add_reason "Backup-Dauer-Drift erkannt."
  [ "${noise_threshold_exceeded:-0}" != "0" ] && add_reason "Noise-Pattern ueber Eskalations-Schwelle: \`${noise_threshold_exceeded:-0}\`."
  if [ "${prometheus_alerts_pending:-0}" != "0" ] && [ "${prometheus_alerts_pending:-0}" != "unknown" ]; then
    add_reason "Prometheus pending Alerts: \`${prometheus_alerts_pending:-0}\`."
  fi
  if [ "${prometheus_alerts_firing:-0}" != "0" ] && [ "${prometheus_alerts_firing:-0}" != "unknown" ]; then
    add_reason "Prometheus firing Alerts: \`${prometheus_alerts_firing:-0}\`."
  fi
  [ "${containers_unhealthy:-0}" != "0" ] && add_reason "Unhealthy Container: \`${containers_unhealthy:-0}\`."
  if [ "$count" -eq 0 ]; then
    printf '%s\n' "- Keine direkten Ampel-Ausloeser im Summary-Set gefunden."
  fi
 }
 print_notable_observations() {
  local count=0
  add_observation() {
    printf '%s\n' "- $1"
    count=$((count + 1))
  }
  if [ "${traefik_5xx:-0}" != "0" ] && [ "${traefik_5xx:-0}" != "unknown" ]; then
    if [ -n "${traefik_5xx_top:-}" ] && [ "${traefik_5xx_top:-none}" != "none" ]; then
      add_observation "Traefik 5xx: \`${traefik_5xx:-0}\` (Top-Gruppe: \`${traefik_5xx_top}\`)."
    else
      add_observation "Traefik 5xx: \`${traefik_5xx:-0}\`."
    fi
  fi
  if [ "${log_highlights:-0}" != "0" ] && [ "${log_highlights:-0}" != "unknown" ]; then
    add_observation "Log-Highlights: \`${log_highlights:-0}\` handlungsrelevante Treffer; Beispiele stehen in der Log-Auswertung."
  fi
  if printf '%s' "${log_volume_total:-0}" | grep -Eq '^[0-9]+$' && [ "${log_volume_total:-0}" -ge "$LOG_VOLUME_OBSERVE_THRESHOLD" ]; then
    add_observation "Log-Volumen: \`${log_volume_total:-0}\` Zeilen im Zeitraum; Top-Verursacher stehen im Log-Volumen-Abschnitt."
  fi
  if [ "${docker_events:-0}" != "0" ] && [ "${docker_events:-0}" != "unknown" ]; then
    add_observation "Docker Critical Events: \`${docker_events:-0}\`."
  fi
  if [ "$count" -eq 0 ]; then
    printf '%s\n' "- Keine zusaetzlichen auffaelligen Beobachtungen im Management-Summary."
  fi
 }
 collect_borg() {
  append "## Borg Backup"
  append ""
@@ -684,7 +584,6 @@ collect_image_freshness() {
  local image_file="$TMP_DIR/images.tsv"
  local image_warnings=0
  local image_allowed=0
  local image_warning_names=""
  local now_epoch
  : > "$image_file"
  now_epoch="$(date +%s)"
@@ -731,7 +630,6 @@ collect_image_freshness() {
      else
        note="ueberaltert"
        image_warnings=$((image_warnings + 1))
        image_warning_names="${image_warning_names:+$image_warning_names,}$name:${age_days}d"
      fi
    fi
    printf '%d\t%s\t%s\t%s\n' "$age_days" "$name" "$image_tag" "$note" >> "$image_file"
@@ -739,7 +637,6 @@ collect_image_freshness() {
  set_summary "image_warnings" "$image_warnings"
  set_summary "image_allowed" "$image_allowed"
  set_summary "image_warning_names" "$image_warning_names"
  if [ ! -s "$image_file" ]; then
    append "- Keine Image-Daten verfuegbar."
@@ -884,16 +781,8 @@ collect_traefik_5xx() {
  set_summary "traefik_5xx" "$count"
  if [ "$count" -eq 0 ]; then
    set_summary "traefik_5xx_top" "none"
    append "- Keine 5xx-Antworten."
  else
    local top_group
    top_group="$(awk '{ code=$9; service=$12; gsub(/"/, "", service); counts[service " " code]++ } END { for (k in counts) print counts[k], k }' "$file" \
      | sort -nr \
      | head -n 1 \
      | awk '{ print $2 ":" $3 ":" $1 }' \
      | sed -E 's#[^A-Za-z0-9_.:@/-]+#_#g')"
    set_summary "traefik_5xx_top" "${top_group:-none}"
    append "- 5xx-Antworten: $count"
    append ""
    append "### Gruppiert nach Service/Code"
@@ -1292,20 +1181,10 @@ write_report() {
    if [ "$REPORT_STATUS" = "OK" ]; then
      printf 'Im betrachteten Zeitraum zeigt das Homelab eine stabile Betriebslage. Das letzte Borg-Backup ist erfolgreich abgeschlossen, Prometheus meldet keine firing Alerts, keine unhealthy Container, Zertifikate und Storage im erwarteten Bereich.\n\n'
    elif [ "$REPORT_STATUS" = "WARNUNG" ]; then
-      printf 'Im betrachteten Zeitraum gibt es Punkte, die Aufmerksamkeit verdienen. Der Betrieb ist nicht automatisch als kompromittiert zu bewerten; die konkreten Ampel-Ausloeser stehen direkt darunter.\n\n'
+      printf 'Im betrachteten Zeitraum gibt es Punkte, die Aufmerksamkeit verdienen. Der Betrieb ist nicht automatisch als kompromittiert zu bewerten, aber mindestens ein Signal (Backup, Pending Alert, Zertifikat, Storage, Image-Alter, Drift oder Reboot) weicht vom Normalzustand ab.\n\n'
    else
      printf 'Im betrachteten Zeitraum liegt ein kritisches Betriebssignal vor. Der Bericht sollte zeitnah gelesen und die betroffenen Komponenten priorisiert geprueft werden.\n\n'
    fi
    printf '### Warum dieser Status?\n\n'
    if [ "$REPORT_STATUS" = "OK" ]; then
      printf '%s\n\n' "- Keine Ampel-Ausloeser im Summary-Set."
    else
      print_status_reasons
      printf '\n'
    fi
    printf '### Weitere auffaellige Beobachtungen\n\n'
    print_notable_observations
    printf '\n'
    printf '### Management-Bewertung\n\n'
    printf '%s\n' "- Status: \`$REPORT_STATUS\`"
    printf '%s\n' "- Borg Backup: \`${borg_status:-unknown}\`"
@@ -1399,7 +1278,6 @@ Section errors: ${section_failures:-unknown}"
 main() {
  collect_overview
  collect_weather_report
  collect_host_health
  collect_borg
  collect_prometheus
@@ -4,11 +4,7 @@ set -euo pipefail
 TEXTFILE_DIR="${TEXTFILE_DIR:-/mnt/user/services/posture-check/textfile}"
 OUTPUT_FILE="${OUTPUT_FILE:-$TEXTFILE_DIR/homelab.prom}"
 BORG_CONTAINER="${BORG_CONTAINER:-borg-ui}"
-BORG_EXPECTED_SOURCES_FILE="${BORG_EXPECTED_SOURCES_FILE:-/local/services/homelab-infra/ops/borg-ui/all-important-sources.txt}"
+CRITICAL_CONTAINERS="${CRITICAL_CONTAINERS:-traefik authelia postgresql17 gitea komodo-core komodo-mongo komodo-periphery vaultwarden borg-ui ntfy adguard unbound monitoring-alertmanager monitoring-alertmanager-ntfy-bridge monitoring-blackbox-exporter monitoring-cadvisor monitoring-grafana monitoring-loki monitoring-node-exporter monitoring-promtail immich_server immich_postgres immich_redis paperless-ngx nextcloud nextcloud-postgres nextcloud-redis mealie mealie-postgres}"
 # Host-Pfad der aktuellen Dump-Artefakte (pre-backup-dumps.sh schreibt hierhin).
 # Wird host-seitig gestattet; der Exporter laeuft als Unraid User Script.
 BORG_DUMP_DIR="${BORG_DUMP_DIR:-/mnt/user/backups/borg/dumps/latest}"
 CRITICAL_CONTAINERS="${CRITICAL_CONTAINERS:-traefik authelia postgresql17 gitea komodo-core komodo-mongo komodo-periphery vaultwarden borg-ui ntfy adguard unbound monitoring-alertmanager monitoring-alertmanager-ntfy-bridge monitoring-blackbox-exporter monitoring-cadvisor monitoring-grafana monitoring-loki monitoring-node-exporter monitoring-promtail immich_server immich_postgres immich_redis paperless-ngx nextcloud nextcloud-postgres nextcloud-redis mealie mealie-postgres mail-archiver n8n homeassistant smarthome-mosquitto}"
 # Hinweis: Tailscale laeuft als natives Unraid-Plugin (kein Docker-Container) und
 # wird daher hier bewusst NICHT als kritischer Container gefuehrt (Stand 2026-06-06).
@@ -94,32 +90,11 @@ EOF
 # TYPE homelab_borg_last_success gauge
 # HELP homelab_borg_last_job_warning Whether the most recent Borg backup job completed with warnings.
 # TYPE homelab_borg_last_job_warning gauge
 # HELP homelab_borg_repository_last_check_timestamp_seconds Unix timestamp of the latest Borg repository check known to Borg UI.
 # TYPE homelab_borg_repository_last_check_timestamp_seconds gauge
 # HELP homelab_borg_scope_expected_file_present Whether the expected Borg source list file is visible inside Borg UI.
 # TYPE homelab_borg_scope_expected_file_present gauge
 # HELP homelab_borg_scope_expected_sources_total Number of expected Borg source paths from the repo source list.
 # TYPE homelab_borg_scope_expected_sources_total gauge
 # HELP homelab_borg_scope_configured_sources_total Number of Borg source paths configured in Borg UI.
 # TYPE homelab_borg_scope_configured_sources_total gauge
 # HELP homelab_borg_scope_missing_sources_total Number of expected Borg source paths missing from Borg UI.
 # TYPE homelab_borg_scope_missing_sources_total gauge
 # HELP homelab_borg_scope_extra_sources_total Number of Borg UI source paths not present in the repo source list.
 # TYPE homelab_borg_scope_extra_sources_total gauge
 # HELP homelab_borg_scope_source_configured Whether an expected Borg source path is configured in Borg UI.
 # TYPE homelab_borg_scope_source_configured gauge
 # HELP homelab_borg_schedule_prune_after_enabled Whether a Borg scheduled job runs prune after backup.
 # TYPE homelab_borg_schedule_prune_after_enabled gauge
 # HELP homelab_borg_schedule_compact_after_enabled Whether a Borg scheduled job runs compact after backup.
 # TYPE homelab_borg_schedule_compact_after_enabled gauge
 EOF
  if docker inspect "$BORG_CONTAINER" >/dev/null 2>&1; then
-    docker exec -i -e BORG_EXPECTED_SOURCES_FILE="$BORG_EXPECTED_SOURCES_FILE" "$BORG_CONTAINER" python3 - <<'PY'
+    docker exec -i "$BORG_CONTAINER" python3 - <<'PY'
 import datetime as dt
 import json
 import os
 from pathlib import Path
 import sqlite3
 conn = sqlite3.connect("/data/borg.db")
@@ -160,9 +135,6 @@ def parse_ts(value):
 def escape_label(value):
    return (value or "").replace("\\", "\\\\").replace('"', '\\"')
 def bool_metric(value):
    return 1 if value else 0
 latest_status = latest["status"] if latest else "missing"
 latest_success = 1 if latest_status in ("completed", "completed_with_warnings") else 0
 latest_warning = 1 if latest_status == "completed_with_warnings" else 0
@@ -173,107 +145,12 @@ completed_archive = escape_label(completed["archive_name"] if completed else "")
 print(f'homelab_borg_last_success{{status="{latest_status}",archive="{latest_archive}"}} {latest_success}')
 print(f'homelab_borg_last_job_warning{{status="{latest_status}",archive="{latest_archive}"}} {latest_warning}')
 print(f'homelab_borg_last_completed_timestamp_seconds{{archive="{completed_archive}"}} {completed_ts}')
 repo = cur.execute("""
    select id, name, source_directories, last_check
      from repositories
     order by id
     limit 1
 """).fetchone()
 if repo:
    repo_name = escape_label(repo["name"] or str(repo["id"]))
    print(f'homelab_borg_repository_last_check_timestamp_seconds{{repository="{repo_name}"}} {parse_ts(repo["last_check"])}')
    try:
        configured_sources = json.loads(repo["source_directories"] or "[]")
    except json.JSONDecodeError:
        configured_sources = []
 else:
    configured_sources = []
 expected_path = Path(os.environ.get("BORG_EXPECTED_SOURCES_FILE", ""))
 expected_file_present = expected_path.is_file()
 if expected_file_present:
    expected_sources = [
        line.strip()
        for line in expected_path.read_text(encoding="utf-8").splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]
 else:
    expected_sources = []
 configured_set = set(configured_sources)
 expected_set = set(expected_sources)
 missing_sources = [source for source in expected_sources if source not in configured_set]
 extra_sources = [source for source in configured_sources if source not in expected_set]
 print(f"homelab_borg_scope_expected_file_present {bool_metric(expected_file_present)}")
 print(f"homelab_borg_scope_expected_sources_total {len(expected_sources)}")
 print(f"homelab_borg_scope_configured_sources_total {len(configured_sources)}")
 print(f"homelab_borg_scope_missing_sources_total {len(missing_sources)}")
 print(f"homelab_borg_scope_extra_sources_total {len(extra_sources)}")
 for source in expected_sources:
    value = 1 if source in configured_set else 0
    print(f'homelab_borg_scope_source_configured{{source="{escape_label(source)}"}} {value}')
 for source in extra_sources:
    print(f'homelab_borg_scope_source_configured{{source="{escape_label(source)}",state="extra"}} 0')
 for schedule in cur.execute("""
    select id, name, run_prune_after, run_compact_after
      from scheduled_jobs
     where enabled = 1
     order by id
 """):
    schedule_name = escape_label(schedule["name"] or str(schedule["id"]))
    print(f'homelab_borg_schedule_prune_after_enabled{{schedule="{schedule_name}"}} {bool_metric(schedule["run_prune_after"])}')
    print(f'homelab_borg_schedule_compact_after_enabled{{schedule="{schedule_name}"}} {bool_metric(schedule["run_compact_after"])}')
 PY
  else
    printf 'homelab_borg_last_success{status="container_missing",archive=""} 0\n'
    printf 'homelab_borg_last_job_warning{status="container_missing",archive=""} 0\n'
    printf 'homelab_borg_last_completed_timestamp_seconds{archive=""} 0\n'
    printf 'homelab_borg_repository_last_check_timestamp_seconds{repository=""} 0\n'
    printf 'homelab_borg_scope_expected_file_present 0\n'
    printf 'homelab_borg_scope_expected_sources_total 0\n'
    printf 'homelab_borg_scope_configured_sources_total 0\n'
    printf 'homelab_borg_scope_missing_sources_total 0\n'
    printf 'homelab_borg_scope_extra_sources_total 0\n'
  fi
  # Dump-Frische host-seitig messen. Schliesst den Blindfleck, dass Borg
  # weiterlaeuft und stale Dumps archiviert, ohne dass ein Job-Fehler entsteht
  # (pre-backup-dumps.sh gestoppt). Laeuft ausserhalb des borg-ui-Containers,
  # weil die Dumps host-seitig unter $BORG_DUMP_DIR liegen.
  cat <<'EOF'
 # HELP homelab_borg_dump_present Whether an expected Borg pre-backup dump artifact exists in the latest dump set.
 # TYPE homelab_borg_dump_present gauge
 # HELP homelab_borg_dump_age_seconds Age in seconds of an expected Borg pre-backup dump artifact.
 # TYPE homelab_borg_dump_age_seconds gauge
 EOF
  for dump in \
    postgresql17-globals.sql \
    postgresql17-mailarchiver.dump \
    postgresql17-paperless.dump \
    mealie.dump \
    immich.dump \
    nextcloud.dump \
    gitea.sqlite.dump \
    vaultwarden.sqlite.dump \
    n8n.sqlite.dump \
    unraid-flash-config.tar.gz \
    komodo-mongo.archive.gz; do
    dump_path="$BORG_DUMP_DIR/$dump"
    if [ -f "$dump_path" ]; then
      dump_mtime="$(stat -c %Y "$dump_path" 2>/dev/null || echo 0)"
      printf 'homelab_borg_dump_present{dump="%s"} 1\n' "$dump"
      printf 'homelab_borg_dump_age_seconds{dump="%s"} %s\n' "$dump" "$(( now - dump_mtime ))"
    else
      printf 'homelab_borg_dump_present{dump="%s"} 0\n' "$dump"
    fi
  done
 } > "$tmp"
 # 0644 statt mktemp-default 0600, damit der node-exporter-Textfile-Collector
@@ -28,9 +28,3 @@ immich_postgres 2026-09-10
 # (Dez 2025). Das Image-Alter ist nur Build-Alter, keine veraltete Version.
 # Re-check: ob eine blackbox_exporter-Version > v0.28.0 erschienen ist.
 monitoring-blackbox-exporter 2026-09-10
 # glance-docker-socket-proxy: v0.4.2 ist am 2026-06-17 weiterhin der neueste
 # stabile Tag / latest. Neuere Tags sind nur master/nightly und werden fuer den
 # lesenden Glance-Socket-Proxy bewusst nicht produktiv eingesetzt.
 # Re-check: ob ein stabiler Tag > v0.4.2 erschienen ist.
 glance-docker-socket-proxy 2026-09-17
@@ -1,237 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Komodo-Stack-Hygiene-Check.
 #
 # Prueft, dass jeder Komodo-Stack sauber gegen das Git-Repo konfiguriert ist,
 # und dass jeder Compose-File im Repo einen passenden Komodo-Stack hat.
 # Findet die Klasse von Fehlern, die `immich_new` (2026-06-12) durchgelassen
 # hat: Stack RUNNING, aber kein Repo / kein Account / project_missing.
 REPO_ROOT="${REPO_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)}"
 OUTPUT_PATH="${OUTPUT_PATH:-/mnt/user/services/posture-check/komodo-stack-hygiene-last.json}"
 NTFY_SCRIPT="${NTFY_SCRIPT:-$REPO_ROOT/ops/restore-tests/send-ntfy.sh}"
 NTFY_TOPIC="${NTFY_TOPIC:-homelab-alerts}"
 SEND_NTFY="${SEND_NTFY:-1}"
 KOMODO_ENV_FILE="${KOMODO_ENV_FILE:-/mnt/user/appdata/secrets/codex_komodo_api.env}"
 KOMODO_CONTAINER="${KOMODO_CONTAINER:-komodo-core}"
 # Komma-separierte Allowlist fuer bewusst inline-managed Stacks.
 # Quelle: memory/komodo-stack-inline-managed.md, CLAUDE.md.
 INLINE_ALLOWLIST="${INLINE_ALLOWLIST:-komodo,grafana}"
 # Compose-Files unter diesen Pfaden zaehlen NICHT als erwartete Stacks
 # (Beispiele, Archive, Submodule).
 COMPOSE_EXCLUDE_PATTERN="${COMPOSE_EXCLUDE_PATTERN:-/archive/|/examples/|/.git/}"
 # Compose-Dir-Namen, die bewusst NICHT als Komodo-Stack laufen sollen
 # (Work-in-progress, Build-/Dev-Compose, manuell deployed). Komma-separiert.
 EXPECTED_NOT_IN_KOMODO="${EXPECTED_NOT_IN_KOMODO:-hermes-agent}"
 TMP_DIR="${TMP_DIR:-/tmp/kallilab-komodo-stack-hygiene}"
 mkdir -p "$TMP_DIR"
 RESULTS_FILE="$TMP_DIR/results.$$"
 STACKS_FILE="$TMP_DIR/stacks.$$.json"
 : > "$RESULTS_FILE"
 trap 'rm -f "$RESULTS_FILE" "$STACKS_FILE"' EXIT
 json_escape() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/\t/\\t/g'
 }
 add_result() {
  printf '%s\t%s\t%s\n' "$1" "$2" "$3" >> "$RESULTS_FILE"
 }
 is_inline_allowed() {
  local name="$1"
  local IFS=,
  for entry in $INLINE_ALLOWLIST; do
    [ "$name" = "$entry" ] && return 0
  done
  return 1
 }
 is_expected_not_in_komodo() {
  local name="$1"
  local IFS=,
  for entry in $EXPECTED_NOT_IN_KOMODO; do
    [ "$name" = "$entry" ] && return 0
  done
  return 1
 }
 # True drift: do files inside this stack's compose-dir actually differ
 # between deployed_hash and latest_hash? Komodo's deployed_hash bumps only
 # on redeploy, while latest_hash tracks master HEAD - that produces a noisy
 # "Pending Update" even when the stack itself wasn't touched.
 stack_files_changed() {
  local name="$1" deployed="$2" latest="$3"
  local dir
  # Locate the stack's compose dir (case-insensitive, same as Mode 3).
  dir="$(find "$REPO_ROOT" -type d -iname "$name" -not -path "*/.git/*" 2>/dev/null | head -1)"
  [ -n "$dir" ] || return 0  # No dir -> can't tell, treat as drift to be safe
  ( cd "$REPO_ROOT" && git rev-parse --verify --quiet "$deployed" >/dev/null ) || return 0
  ( cd "$REPO_ROOT" && git rev-parse --verify --quiet "$latest"   >/dev/null ) || return 0
  local rel="${dir#$REPO_ROOT/}"
  if ( cd "$REPO_ROOT" && git diff --quiet "$deployed".."$latest" -- "$rel" ); then
    return 1  # no change
  fi
  return 0    # real change
 }
 # Komodo-API-Credentials laden und Stack-Liste holen.
 if [ ! -r "$KOMODO_ENV_FILE" ]; then
  add_result "warning" "komodo-api" "Komodo env file not readable: $KOMODO_ENV_FILE"
 else
  set -a
  # shellcheck disable=SC1090
  . "$KOMODO_ENV_FILE"
  set +a
  if ! docker exec \
        -e KOMODO_CLI_HOST \
        -e KOMODO_CLI_KEY \
        -e KOMODO_CLI_SECRET \
        "$KOMODO_CONTAINER" km list -a stacks -f json > "$STACKS_FILE" 2>/dev/null; then
    add_result "warning" "komodo-api" "km list stacks failed (container=$KOMODO_CONTAINER)"
    : > "$STACKS_FILE"
  fi
 fi
 # Per-Stack-Checks. Trenner: "|" statt Tab, weil IFS=Tab leere Felder kollabiert
 # (Tab ist Whitespace in IFS). "|" kommt in Stack-Namen/Repos/Hashes nicht vor.
 if [ -s "$STACKS_FILE" ]; then
  while IFS='|' read -r name repo project_missing missing_files state deployed_hash latest_hash files_on_host file_contents; do
    [ -n "$name" ] || continue
    if is_inline_allowed "$name"; then
      add_result "ok" "$name" "Inline-managed (allowlisted), skipping repo checks"
      continue
    fi
    # Failure-Mode 1: Stack hat keine Git-Quelle (immich_new-Symptom).
    if [ "$repo" = "-" ] && [ "$files_on_host" != "True" ] && [ "$file_contents" != "True" ]; then
      add_result "critical" "$name" "Stack has no repo configured and is not inline-allowed"
      continue
    fi
    # Failure-Mode 2: Komodo meldet Project Missing.
    if [ "$project_missing" = "True" ]; then
      add_result "critical" "$name" "project_missing=true (missing_files=$missing_files)"
      continue
    fi
    # Failure-Mode 3: Stack-Name passt zu keinem Compose-File im Repo.
    # Case-insensitive (Compose-Dir kann GroSs/klein abweichen, z.B. Adguard).
    match_found=""
    while IFS= read -r dir; do
      [ -n "$dir" ] || continue
      if [ -f "$dir/docker-compose.yml" ] \
        || [ -f "$dir/docker-compose.yaml" ] \
        || [ -f "$dir/compose.yml" ] \
        || [ -f "$dir/compose.yaml" ]; then
        match_found=1
        break
      fi
    done < <(find "$REPO_ROOT" -type d -iname "$name" -not -path "*/.git/*" 2>/dev/null)
    if [ -z "$match_found" ]; then
      # Verwaiste Stacks wie das frueher gesehene `immich_new`: Komodo kennt
      # ihn, aber im Repo gibt's keinen Compose-Pfad.
      add_result "warning" "$name" "Stack name does not match any compose directory in repo"
    fi
    # Failure-Mode 4: Deployed-Hash hinkt latest hinterher UND der Stack-Dir
    # hat tatsaechlich File-Aenderungen dazwischen. Reine Komodo-Hash-Bewegung
    # ohne Stack-Inhalt aendert nichts und ist kein echter Drift.
    # "-" = unbekannt (z.B. gitea self-host edge case), nicht als Drift werten.
    if [ "$deployed_hash" != "-" ] && [ "$latest_hash" != "-" ] \
       && [ "$deployed_hash" != "$latest_hash" ] \
       && stack_files_changed "$name" "$deployed_hash" "$latest_hash"; then
      add_result "warning" "$name" "deployed_hash $deployed_hash != latest_hash $latest_hash (stack files changed)"
    fi
    # Failure-Mode 5: Stack ist down.
    if [ "$state" = "down" ] || [ "$state" = "unknown" ]; then
      add_result "warning" "$name" "Stack state is $state"
    fi
    add_result "ok" "$name" "Stack hygiene OK (state=$state, hash=$deployed_hash)"
  done < <(jq -r '.[] | [
      .name // "-",
      (.info.repo // "-"),
      (.info.project_missing | if . then "True" else "False" end),
      (((.info.missing_files // []) | join(",")) | if . == "" then "-" else . end),
      (.info.state // "-"),
      (.info.deployed_hash // "-"),
      (.info.latest_hash // "-"),
      (.info.files_on_host | if . then "True" else "False" end),
      (.info.file_contents | if . then "True" else "False" end)
    ] | join("|")' "$STACKS_FILE")
 fi
 # Failure-Mode 6: Compose-File im Repo, aber kein Komodo-Stack mit gleichem Namen.
 if [ -s "$STACKS_FILE" ]; then
  known_names="$(jq -r '.[].name' "$STACKS_FILE")"
  while IFS= read -r -d '' compose; do
    rel="${compose#$REPO_ROOT/}"
    if printf '%s' "$rel" | grep -Eq "$COMPOSE_EXCLUDE_PATTERN"; then
      continue
    fi
    dir_name="$(basename "$(dirname "$compose")")"
    if is_inline_allowed "$dir_name"; then
      continue
    fi
    if is_expected_not_in_komodo "$dir_name"; then
      continue
    fi
    # Case-insensitive, weil z.B. host-services/Adguard <-> Komodo-Stack adguard
    # legitim als gematched gilt.
    if ! printf '%s\n' "$known_names" | grep -Fixq "$dir_name"; then
      add_result "warning" "$dir_name" "Compose file $rel has no matching Komodo stack"
    fi
  done < <(find "$REPO_ROOT" -path "$REPO_ROOT/.git" -prune -o -type f \
            \( -name docker-compose.yml -o -name docker-compose.yaml \
               -o -name compose.yml -o -name compose.yaml \) -print0)
 fi
 timestamp="$(date -Iseconds)"
 critical_count="$(awk -F '\t' '$1 == "critical" { c++ } END { print c + 0 }' "$RESULTS_FILE")"
 warning_count="$(awk -F '\t' '$1 == "warning"  { c++ } END { print c + 0 }' "$RESULTS_FILE")"
 status="ok"
 [ "$warning_count" -gt 0 ] && status="warning"
 [ "$critical_count" -gt 0 ] && status="critical"
 mkdir -p "$(dirname "$OUTPUT_PATH")"
 {
  printf '{\n'
  printf '  "timestamp": "%s",\n' "$(printf '%s' "$timestamp" | json_escape)"
  printf '  "status": "%s",\n' "$status"
  printf '  "critical_count": %s,\n' "$critical_count"
  printf '  "warning_count": %s,\n' "$warning_count"
  printf '  "checks": [\n'
  first=1
  while IFS=$'\t' read -r severity name message; do
    if [ "$first" -eq 0 ]; then printf ',\n'; fi
    first=0
    printf '    {"severity":"%s","name":"%s","message":"%s"}' \
      "$(printf '%s' "$severity"  | json_escape)" \
      "$(printf '%s' "$name"      | json_escape)" \
      "$(printf '%s' "$message"   | json_escape)"
  done < "$RESULTS_FILE"
  printf '\n  ]\n}\n'
 } > "$OUTPUT_PATH.tmp"
 mv "$OUTPUT_PATH.tmp" "$OUTPUT_PATH"
 cat "$OUTPUT_PATH"
 if [ "$critical_count" -gt 0 ] || [ "$warning_count" -gt 0 ]; then
  if [ "$SEND_NTFY" = "1" ] && [ -x "$NTFY_SCRIPT" ]; then
    priority="default"
    [ "$warning_count" -gt 0 ] && priority="high"
    [ "$critical_count" -gt 0 ] && priority="urgent"
    "$NTFY_SCRIPT" "$NTFY_TOPIC" \
      "Komodo stack hygiene: $critical_count critical, $warning_count warning" \
      "See $OUTPUT_PATH" "$priority" || true
  fi
  [ "$critical_count" -gt 0 ] && exit 2
  exit 1
 fi
@@ -87,19 +87,3 @@ adguard.*bad question section.*only 1 question allowed
 #      this lookup is harmless and does not affect any dashboard.
 # Re-check: only if Amazon Prometheus is added as a datasource.
 monitoring-grafana.*grafana-amazonprometheus-datasource not found
 # cAdvisor stale container filesystem stats on Unraid.
 # Why: cAdvisor can keep reporting an already removed Docker container path in
 #      fsHandler even though the container and path no longer exist. This is a
 #      collector bookkeeping issue, not a failed workload or missing data path.
 # Re-check: if the message references an existing/running container, if
 #           Prometheus target health fails, or if broader cAdvisor errors appear.
 monitoring-cadvisor.*failed to collect filesystem stats.*var/lib/docker/containers/[0-9a-f]{64}
 # cAdvisor startup lines that match the generic "oom" / "failed" grep.
 # Why: "oom_event" is a metric name printed during startup, and Unraid loop
 #      devices can disappear while cAdvisor enumerates block devices.
 # Re-check: if cAdvisor target health fails or these messages appear outside
 #           container startup together with missing container metrics.
 monitoring-cadvisor.*enabled metrics:.*oom_event
 monitoring-cadvisor.*stat failed on /dev/loop[0-9]+ with error: no such file or directory
@@ -431,24 +431,24 @@ def render_summary_grid(entries):
        status = classify(label, value)
        theme = STATUS_THEMES.get(status, STATUS_THEMES["UNKNOWN"])
        cards.append(
-            '<td style="padding:6px;width:50%;vertical-align:top">'
+            '<td style="padding:6px;width:33.33%;vertical-align:top">'
            f'<div style="background:{theme["card_bg"]};'
            f'border:1px solid {theme["card_border"]};'
-            'border-radius:8px;padding:11px 12px;min-height:74px">'
+            'border-radius:8px;padding:12px 14px">'
            f'<div style="font-size:11px;color:#1e293b;'
-            'text-transform:uppercase;letter-spacing:0.04em;font-weight:700;'
+            'text-transform:uppercase;letter-spacing:0.08em;font-weight:700;'
-            f'line-height:1.35;opacity:0.78;overflow-wrap:anywhere">{html.escape(label)}</div>'
+            f'line-height:1.3;opacity:0.78">{html.escape(label)}</div>'
-            f'<div style="font-size:16px;font-weight:700;'
+            f'<div style="font-size:17px;font-weight:700;'
            f'color:{theme["card_text"]};margin-top:5px;line-height:1.25;'
-            f'word-break:normal;overflow-wrap:anywhere;font-variant-numeric:tabular-nums">'
+            f'word-break:break-word;font-variant-numeric:tabular-nums">'
            f'{html.escape(value)}</div>'
            '</div></td>'
        )
    rows_html = []
-    for chunk_start in range(0, len(cards), 2):
+    for chunk_start in range(0, len(cards), 3):
-        chunk = cards[chunk_start:chunk_start + 2]
+        chunk = cards[chunk_start:chunk_start + 3]
-        while len(chunk) < 2:
+        while len(chunk) < 3:
-            chunk.append('<td style="padding:6px;width:50%"></td>')
+            chunk.append('<td style="padding:6px;width:33.33%"></td>')
        rows_html.append("<tr>" + "".join(chunk) + "</tr>")
    return (
        '<table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%" '
@@ -76,25 +76,12 @@ printf '%s' 'SMTP_PASSWORT_HIER_EINTRAGEN' > /mnt/user/appdata/secrets/homelab_s
 chmod 600 /mnt/user/appdata/secrets/homelab_smtp_password.txt
 ```
 Optional fuer den Wetterbericht im Tagesreport: Grafana Service Account Token
 mit Leserechten auf die Datasource in eine Host-Secret-Datei legen:
 ```bash
 printf '%s' 'glsa_REPLACE_WITH_ROTATED_READ_TOKEN' > /mnt/user/appdata/secrets/monitoring_grafana_weather_report_token.txt
 chmod 600 /mnt/user/appdata/secrets/monitoring_grafana_weather_report_token.txt
 ```
 Der Wetterbericht-Generator nutzt `python3` auf dem Host, falls vorhanden.
 Ohne Host-`python3` faellt er automatisch auf Docker mit
 `python:3.13-alpine` zurueck.
 User Script:
 ```bash
 #!/bin/bash
 SEND_MAIL=1 \
 MAIL_MODE=always \
 INCLUDE_WEATHER_REPORT=1 \
 MAIL_FROM="michideheld@gmx.de" \
 MAIL_TO="Mi.Kaleschke@gmx.de" \
 SMTP_HOST="smtp.gmx.net" \
@@ -1,555 +0,0 @@
 #!/usr/bin/env python3
 """
 Generate a Markdown weather report for one KalliHome archive day.
 The script queries Grafana's InfluxDB datasource through /api/ds/query. It does
 not store credentials; provide a Grafana service account token through
 GRAFANA_SERVICE_ACCOUNT_TOKEN or GRAFANA_TOKEN_FILE.
 """
 from __future__ import annotations
 import argparse
 import json
 import math
 import os
 import sys
 import urllib.error
 import urllib.request
 from datetime import date, datetime, time, timedelta, timezone, tzinfo
 from typing import Any
 from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
 DEFAULT_GRAFANA_URL = "https://monitoring.kaleschke.info"
 DEFAULT_TOKEN_FILE = "/mnt/user/appdata/secrets/monitoring_grafana_weather_report_token.txt"
 DATASOURCE_UID = "ha-weather-influx"
 DATASOURCE_TYPE = "influxdb"
 TEMP_TABLE = "\u00b0C"
 SOLAR_TABLE = "W/m\u00b2"
 class WeatherReportError(RuntimeError):
    pass
 def last_sunday(year: int, month: int) -> date:
    current = date(year, month + 1, 1) - timedelta(days=1) if month < 12 else date(year, 12, 31)
    return current - timedelta(days=(current.weekday() + 1) % 7)
 class EuropeBerlinFallback(tzinfo):
    """Small Europe/Berlin fallback for systems without IANA tzdata."""
    def _dst_bounds_utc(self, year: int) -> tuple[datetime, datetime]:
        start = datetime.combine(last_sunday(year, 3), time(1, 0), tzinfo=timezone.utc)
        end = datetime.combine(last_sunday(year, 10), time(1, 0), tzinfo=timezone.utc)
        return start, end
    def _is_dst_utc(self, dt: datetime) -> bool:
        utc_dt = dt.replace(tzinfo=timezone.utc) if dt.tzinfo is self else dt.astimezone(timezone.utc)
        start, end = self._dst_bounds_utc(utc_dt.year)
        return start <= utc_dt < end
    def _is_dst_local(self, dt: datetime) -> bool:
        naive = dt.replace(tzinfo=None)
        start = datetime.combine(last_sunday(naive.year, 3), time(2, 0))
        end = datetime.combine(last_sunday(naive.year, 10), time(3, 0))
        return start <= naive < end
    def utcoffset(self, dt: datetime | None) -> timedelta:
        if dt is not None and self._is_dst_local(dt):
            return timedelta(hours=2)
        return timedelta(hours=1)
    def dst(self, dt: datetime | None) -> timedelta:
        if dt is not None and self._is_dst_local(dt):
            return timedelta(hours=1)
        return timedelta(0)
    def tzname(self, dt: datetime | None) -> str:
        return "CEST" if dt is not None and self._is_dst_local(dt) else "CET"
    def fromutc(self, dt: datetime) -> datetime:
        offset = timedelta(hours=2) if self._is_dst_utc(dt) else timedelta(hours=1)
        return (dt.replace(tzinfo=timezone.utc) + offset).replace(tzinfo=self)
 def load_timezone(tz_name: str) -> tzinfo:
    try:
        return ZoneInfo(tz_name)
    except ZoneInfoNotFoundError:
        if tz_name == "Europe/Berlin":
            return EuropeBerlinFallback()
        raise
 def parse_args() -> argparse.Namespace:
    parser = argparse.ArgumentParser(description="Generate a KalliHome weather day report.")
    parser.add_argument(
        "--date",
        default=os.environ.get("WEATHER_REPORT_DATE"),
        help="Local report date as YYYY-MM-DD. Defaults to yesterday in --timezone.",
    )
    parser.add_argument(
        "--timezone",
        default=os.environ.get("WEATHER_REPORT_TZ", "Europe/Berlin"),
        help="IANA timezone for the local day boundary. Default: Europe/Berlin.",
    )
    parser.add_argument(
        "--grafana-url",
        default=os.environ.get("GRAFANA_URL", DEFAULT_GRAFANA_URL),
        help=f"Grafana base URL. Default: {DEFAULT_GRAFANA_URL}",
    )
    parser.add_argument(
        "--token-file",
        default=os.environ.get("GRAFANA_TOKEN_FILE", DEFAULT_TOKEN_FILE),
        help=f"Grafana service account token file. Default: {DEFAULT_TOKEN_FILE}",
    )
    parser.add_argument(
        "--heading-level",
        type=int,
        default=int(os.environ.get("WEATHER_REPORT_HEADING_LEVEL", "1")),
        choices=range(1, 5),
        help="Markdown heading level for the title. Default: 1.",
    )
    parser.add_argument(
        "--json",
        action="store_true",
        help="Print raw summarized values as JSON instead of Markdown.",
    )
    return parser.parse_args()
 def read_token(token_file: str) -> str:
    token = os.environ.get("GRAFANA_SERVICE_ACCOUNT_TOKEN", "").strip()
    if token:
        return token
    try:
        with open(token_file, "r", encoding="utf-8-sig") as handle:
            token = handle.read().strip()
    except FileNotFoundError as exc:
        raise WeatherReportError(
            f"Grafana token missing. Set GRAFANA_SERVICE_ACCOUNT_TOKEN or create {token_file}."
        ) from exc
    if not token:
        raise WeatherReportError(f"Grafana token file is empty: {token_file}")
    return token
 def day_bounds(report_date: str | None, tz_name: str) -> tuple[date, datetime, datetime]:
    tz = load_timezone(tz_name)
    if report_date:
        local_date = date.fromisoformat(report_date)
    else:
        local_date = datetime.now(tz).date() - timedelta(days=1)
    start_local = datetime.combine(local_date, time.min, tzinfo=tz)
    end_local = start_local + timedelta(days=1)
    return (
        local_date,
        start_local.astimezone(timezone.utc),
        end_local.astimezone(timezone.utc),
    )
 def sql_timestamp(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")
 def grafana_query(
    grafana_url: str,
    token: str,
    sql: str,
    start_utc: datetime,
    end_utc: datetime,
 ) -> list[dict[str, Any]]:
    url = grafana_url.rstrip("/") + "/api/ds/query"
    payload = {
        "queries": [
            {
                "refId": "A",
                "datasource": {"uid": DATASOURCE_UID, "type": DATASOURCE_TYPE},
                "rawQuery": True,
                "rawSql": sql,
                "format": "table",
            }
        ],
        "from": sql_timestamp(start_utc),
        "to": sql_timestamp(end_utc),
    }
    body = json.dumps(payload).encode("utf-8")
    request = urllib.request.Request(
        url,
        data=body,
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            data = json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        detail = exc.read().decode("utf-8", errors="replace")
        raise WeatherReportError(f"Grafana query failed with HTTP {exc.code}: {detail}") from exc
    except urllib.error.URLError as exc:
        raise WeatherReportError(f"Grafana is not reachable: {exc}") from exc
    result = data.get("results", {}).get("A", {})
    if result.get("error"):
        raise WeatherReportError(f"Grafana datasource error: {result['error']}")
    frames = result.get("frames") or []
    if not frames:
        return []
    frame = frames[0]
    fields = [field["name"] for field in frame.get("schema", {}).get("fields", [])]
    values = frame.get("data", {}).get("values", [])
    if not fields or not values:
        return []
    rows: list[dict[str, Any]] = []
    for idx in range(len(values[0])):
        rows.append({field: values[pos][idx] for pos, field in enumerate(fields)})
    return rows
 def one(rows: list[dict[str, Any]]) -> dict[str, Any]:
    return rows[0] if rows else {}
 def by_entity(rows: list[dict[str, Any]], entity_id: str) -> dict[str, Any]:
    for row in rows:
        if row.get("entity_id") == entity_id:
            return row
    return {}
 def as_float(value: Any) -> float | None:
    if value is None:
        return None
    try:
        number = float(value)
    except (TypeError, ValueError):
        return None
    if math.isnan(number):
        return None
    return number
 def fmt(value: Any, digits: int = 1, missing: str = "n/a") -> str:
    number = as_float(value)
    if number is None:
        return missing
    return f"{number:.{digits}f}".replace(".", ",")
 def fmt_int(value: Any, missing: str = "n/a") -> str:
    number = as_float(value)
    if number is None:
        return missing
    return f"{round(number):d}"
 def fmt_signed(value: Any, digits: int = 1) -> str:
    number = as_float(value)
    if number is None:
        return "n/a"
    sign = "+" if number > 0 else ""
    return f"{sign}{number:.{digits}f}".replace(".", ",")
 def local_hhmm(value: Any, tz_name: str) -> str:
    if value in (None, ""):
        return "n/a"
    tz = load_timezone(tz_name)
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(float(value) / 1000, timezone.utc).astimezone(tz).strftime("%H:%M")
    if isinstance(value, str):
        try:
            # Grafana may return ISO timestamps or millisecond timestamps encoded as strings.
            if value.isdigit():
                return datetime.fromtimestamp(float(value) / 1000, timezone.utc).astimezone(tz).strftime("%H:%M")
            normalized = value.replace("Z", "+00:00")
            return datetime.fromisoformat(normalized).astimezone(tz).strftime("%H:%M")
        except ValueError:
            return value
    return str(value)
 def summarize(grafana_url: str, token: str, report_date: date, start_utc: datetime, end_utc: datetime) -> dict[str, Any]:
    start = sql_timestamp(start_utc)
    end = sql_timestamp(end_utc)
    where = f"time >= timestamp '{start}' AND time < timestamp '{end}'"
    temp = grafana_query(
        grafana_url,
        token,
        (
            f'SELECT entity_id, count(value) AS samples, min(value) AS min_value, '
            f'max(value) AS max_value, avg(value) AS avg_value FROM "{TEMP_TABLE}" '
            "WHERE entity_id IN ('gw3000a_outdoor_temperature',"
            "'gw3000a_feels_like_temperature','gw3000a_dewpoint') "
            f"AND {where} GROUP BY entity_id ORDER BY entity_id"
        ),
        start_utc,
        end_utc,
    )
    humidity = grafana_query(
        grafana_url,
        token,
        (
            'SELECT entity_id, count(value) AS samples, min(value) AS min_value, '
            'max(value) AS max_value, avg(value) AS avg_value FROM "%" '
            "WHERE entity_id IN ('gw3000a_humidity','gw3000a_indoor_humidity') "
            f"AND {where} GROUP BY entity_id ORDER BY entity_id"
        ),
        start_utc,
        end_utc,
    )
    wind = grafana_query(
        grafana_url,
        token,
        (
            'SELECT entity_id, count(value) AS samples, min(value) AS min_value, '
            'max(value) AS max_value, avg(value) AS avg_value FROM "km/h" '
            "WHERE entity_id IN ('gw3000a_wind_speed','gw3000a_wind_gust') "
            f"AND {where} GROUP BY entity_id ORDER BY entity_id"
        ),
        start_utc,
        end_utc,
    )
    return {
        "date": report_date.isoformat(),
        "start_utc": start,
        "end_utc": end,
        "outdoor_temperature": by_entity(temp, "gw3000a_outdoor_temperature"),
        "feels_like": by_entity(temp, "gw3000a_feels_like_temperature"),
        "dewpoint": by_entity(temp, "gw3000a_dewpoint"),
        "humidity": by_entity(humidity, "gw3000a_humidity"),
        "wind_speed": by_entity(wind, "gw3000a_wind_speed"),
        "wind_gust": by_entity(wind, "gw3000a_wind_gust"),
        "rain": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT count(value) AS samples, max(value) AS rain_mm FROM "mm" '
                f"WHERE entity_id = 'gw3000a_daily_rain' AND {where}",
                start_utc,
                end_utc,
            )
        ),
        "solar": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT count(value) AS samples, max(value) AS max_value, avg(value) AS avg_value '
                f'FROM "{SOLAR_TABLE}" WHERE entity_id = \'gw3000a_solar_radiation\' AND {where}',
                start_utc,
                end_utc,
            )
        ),
        "uv": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT count(value) AS samples, max(value) AS max_value, avg(value) AS avg_value '
                f'FROM "UV index" WHERE entity_id = \'gw3000a_uv_index\' AND {where}',
                start_utc,
                end_utc,
            )
        ),
        "pressure": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT count(value) AS samples, min(value) AS min_value, max(value) AS max_value, '
                f'avg(value) AS avg_value FROM "hPa" WHERE entity_id = \'gw3000a_relative_pressure\' AND {where}',
                start_utc,
                end_utc,
            )
        ),
        "pressure_start": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT time, value FROM "hPa" WHERE entity_id = \'gw3000a_relative_pressure\' '
                f"AND {where} ORDER BY time ASC LIMIT 1",
                start_utc,
                end_utc,
            )
        ),
        "pressure_end": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT time, value FROM "hPa" WHERE entity_id = \'gw3000a_relative_pressure\' '
                f"AND {where} ORDER BY time DESC LIMIT 1",
                start_utc,
                end_utc,
            )
        ),
        "temperature_min_time": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT time, value FROM "{TEMP_TABLE}" WHERE entity_id = \'gw3000a_outdoor_temperature\' '
                f"AND {where} ORDER BY value ASC LIMIT 1",
                start_utc,
                end_utc,
            )
        ),
        "temperature_max_time": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT time, value FROM "{TEMP_TABLE}" WHERE entity_id = \'gw3000a_outdoor_temperature\' '
                f"AND {where} ORDER BY value DESC LIMIT 1",
                start_utc,
                end_utc,
            )
        ),
        "gust_max_time": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT time, value FROM "km/h" WHERE entity_id = \'gw3000a_wind_gust\' '
                f"AND {where} ORDER BY value DESC LIMIT 1",
                start_utc,
                end_utc,
            )
        ),
        "solar_max_time": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT time, value FROM "{SOLAR_TABLE}" WHERE entity_id = \'gw3000a_solar_radiation\' '
                f"AND {where} ORDER BY value DESC LIMIT 1",
                start_utc,
                end_utc,
            )
        ),
        "uv_max_time": one(
            grafana_query(
                grafana_url,
                token,
                f'SELECT time, value FROM "UV index" WHERE entity_id = \'gw3000a_uv_index\' '
                f"AND {where} ORDER BY value DESC LIMIT 1",
                start_utc,
                end_utc,
            )
        ),
    }
 def render_markdown(summary: dict[str, Any], tz_name: str, heading_level: int) -> str:
    out_temp = summary["outdoor_temperature"]
    feels = summary["feels_like"]
    dew = summary["dewpoint"]
    humidity = summary["humidity"]
    wind_speed = summary["wind_speed"]
    wind_gust = summary["wind_gust"]
    rain = summary["rain"]
    solar = summary["solar"]
    uv = summary["uv"]
    pressure = summary["pressure"]
    pressure_start = as_float(summary["pressure_start"].get("value"))
    pressure_end = as_float(summary["pressure_end"].get("value"))
    pressure_trend = None if pressure_start is None or pressure_end is None else pressure_end - pressure_start
    solar_max = as_float(solar.get("max_value"))
    uv_max = as_float(uv.get("max_value"))
    temp_max = as_float(out_temp.get("max_value"))
    if solar_max is not None and uv_max is not None and solar_max >= 700 and uv_max >= 6:
        narrative = (
            "Der Tag war warm, hell und ueberwiegend sonnig; die hohe Solarstrahlung "
            f"und der UV-Index von {fmt(uv_max)} passen klar zu einem schoenen Sommertag."
        )
    elif temp_max is not None and temp_max >= 25:
        narrative = "Der Tag war warm; die Messwerte sprechen fuer sommerliches Wetter."
    else:
        narrative = "Der Tag war wettertechnisch unauffaellig; die folgenden Messwerte fassen ihn zusammen."
    rain_samples = int(as_float(rain.get("samples")) or 0)
    if rain_samples > 0:
        rain_line = f"- Regen: {fmt(rain.get('rain_mm'))} mm Tagesmenge laut daily_rain."
    else:
        rain_line = (
            f"- Regen: fuer {summary['date']} nicht belastbar auswertbar, "
            "weil `gw3000a_daily_rain` an dem Tag keine Samples hatte."
        )
    heading = "#" * heading_level
    lines = [
        f"{heading} Wetterbericht KalliHome - {summary['date']}",
        "",
        f"Zeitraum: {summary['date']} 00:00 bis 24:00 Europe/Berlin.",
        "",
        narrative,
        "",
        (
            f"- Temperatur aussen: {fmt(out_temp.get('min_value'))} bis {fmt(out_temp.get('max_value'))} °C, "
            f"Mittel {fmt(out_temp.get('avg_value'))} °C. "
            f"Minimum um {local_hhmm(summary['temperature_min_time'].get('time'), tz_name)}, "
            f"Maximum um {local_hhmm(summary['temperature_max_time'].get('time'), tz_name)}."
        ),
        (
            f"- Gefuehlt: Maximum {fmt(feels.get('max_value'))} °C, "
            f"Mittel {fmt(feels.get('avg_value'))} °C. "
            f"Taupunkt im Mittel {fmt(dew.get('avg_value'))} °C."
        ),
        (
            f"- Luftfeuchte aussen: {fmt_int(humidity.get('min_value'))} bis "
            f"{fmt_int(humidity.get('max_value'))} %, Mittel {fmt_int(humidity.get('avg_value'))} %."
        ),
        (
            f"- Wind: Mittel {fmt(wind_speed.get('avg_value'))} km/h, "
            f"Maximum Wind {fmt(wind_speed.get('max_value'))} km/h; "
            f"staerkste Boe {fmt(wind_gust.get('max_value'))} km/h um "
            f"{local_hhmm(summary['gust_max_time'].get('time'), tz_name)}."
        ),
        rain_line,
        (
            f"- Solarstrahlung: Maximum {fmt_int(solar.get('max_value'))} W/m² um "
            f"{local_hhmm(summary['solar_max_time'].get('time'), tz_name)}, "
            f"Mittel {fmt_int(solar.get('avg_value'))} W/m²."
        ),
        f"- UV-Index: Maximum {fmt(uv.get('max_value'))} um {local_hhmm(summary['uv_max_time'].get('time'), tz_name)}.",
        (
            f"- Luftdruck: {fmt_int(pressure.get('min_value'))} bis {fmt_int(pressure.get('max_value'))} hPa, "
            f"Mittel {fmt_int(pressure.get('avg_value'))} hPa; "
            f"Tendenz {fmt_signed(pressure_trend)} hPa ueber den Tag."
        ),
        "",
        "Datenabdeckung/Samples:",
        (
            f"- Temperatur aussen: {out_temp.get('samples', 0)}, "
            f"Luftfeuchte aussen: {humidity.get('samples', 0)}, "
            f"Wind: {wind_speed.get('samples', 0)}, Boeen: {wind_gust.get('samples', 0)}, "
            f"Regen: {rain.get('samples', 0)}, Solar: {solar.get('samples', 0)}, "
            f"UV: {uv.get('samples', 0)}, Luftdruck: {pressure.get('samples', 0)}"
        ),
    ]
    return "\n".join(lines)
 def main() -> int:
    args = parse_args()
    try:
        token = read_token(args.token_file)
        report_date, start_utc, end_utc = day_bounds(args.date, args.timezone)
        summary = summarize(args.grafana_url, token, report_date, start_utc, end_utc)
        if args.json:
            print(json.dumps(summary, ensure_ascii=False, indent=2))
        else:
            print(render_markdown(summary, args.timezone, args.heading_level))
    except Exception as exc:
        print(f"weather-day-report: {exc}", file=sys.stderr)
        return 1
    return 0
 if __name__ == "__main__":
    raise SystemExit(main())
@@ -1,31 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PY_SCRIPT="${WEATHER_REPORT_PY_SCRIPT:-$SCRIPT_DIR/weather-day-report.py}"
 TOKEN_FILE="${GRAFANA_TOKEN_FILE:-/mnt/user/appdata/secrets/monitoring_grafana_weather_report_token.txt}"
 PY_IMAGE="${WEATHER_REPORT_PY_IMAGE:-python:3.13-alpine}"
 if command -v python3 >/dev/null 2>&1; then
  exec python3 "$PY_SCRIPT" "$@"
 fi
 if ! command -v docker >/dev/null 2>&1; then
  echo "weather-day-report: neither python3 nor docker is available" >&2
  exit 1
 fi
 if [ ! -f "$TOKEN_FILE" ]; then
  echo "weather-day-report: token file missing: $TOKEN_FILE" >&2
  exit 1
 fi
 exec docker run --rm \
  --network host \
  -v "$PY_SCRIPT:/weather-day-report.py:ro" \
  -v "$TOKEN_FILE:/run/secrets/grafana_weather_report_token:ro" \
  -e GRAFANA_TOKEN_FILE=/run/secrets/grafana_weather_report_token \
  -e GRAFANA_URL="${GRAFANA_URL:-https://monitoring.kaleschke.info}" \
  -e WEATHER_REPORT_TZ="${WEATHER_REPORT_TZ:-Europe/Berlin}" \
  "$PY_IMAGE" \
  python /weather-day-report.py "$@"
@@ -1,58 +0,0 @@
 # Smart Home Runtime Stack
 Runtime-Zustand fuer Home Assistant auf Kallilabcore. Dieser Ordner gehoert zu
 `homelab-infra`, weil Komodo den Stack deployt und Renovate die Images pflegt.
 ## Dienste
 - `homeassistant`: Home Assistant Container, erreichbar ueber Traefik unter
  `https://home.kaleschke.info`
 - `smarthome-mosquitto`: interner MQTT-Broker fuer Home Assistant, spaeter
  Zigbee2MQTT und ESPHome
 ## Abhaengigkeiten
 - `frontend_net` existiert bereits und wird von Traefik genutzt.
 - `smarthome_net` wird durch diesen Stack angelegt und ist `internal: true`.
 - Das Fachrepo `smart-home-kalli` muss auf dem Unraid-Host unter
  `/mnt/user/services/smart-home-kalli` liegen. Nur ausgewählte YAML-Dateien
  werden read-only nach `/config` gemountet; `.storage` bleibt in
  `/mnt/user/appdata/homeassistant`.
 - Vor dem ersten Start muessen diese Dateien hostseitig angelegt werden:
  - `/mnt/user/appdata/homeassistant/secrets.yaml`
  - `/mnt/user/appdata/homeassistant/trusted_proxies.yaml`
  - `/mnt/user/appdata/mosquitto/config/passwordfile`
  - `/mnt/user/appdata/mosquitto/config/aclfile`
 Das detaillierte Host-Bootstrap-Runbook liegt unter
 `docs/runbooks/smart-home-bootstrap.md`.
 ## MQTT Bootstrap
 Beispiel fuer den initialen Home-Assistant-MQTT-User auf dem Unraid-Host:
 ```sh
 mkdir -p /mnt/user/appdata/mosquitto/config
 docker run --rm -it \
  -v /mnt/user/appdata/mosquitto/config:/mosquitto/external_config \
  eclipse-mosquitto:2.0.22 \
  mosquitto_passwd -c /mosquitto/external_config/passwordfile homeassistant
 cat > /mnt/user/appdata/mosquitto/config/aclfile <<'EOF'
 user homeassistant
 topic readwrite #
 EOF
 ```
 LAN-Port `1883` bleibt in Phase 1 geschlossen. Eine Portfreigabe fuer externe
 MQTT-Clients wird erst in der ESPHome-Phase mit ACLs und per-Device-Usern
 ergaenzt.
 ## Ecowitt
 Ecowitt wird nicht in Phase 1 exponiert. Wegen des globalen Traefik
 HTTP-zu-HTTPS-Redirects bleibt die Ingress-Entscheidung offen:
 1. Traefik-HTTP-Ausnahme nur fuer den Ecowitt-Webhook, falls der globale
   EntryPoint-Redirect gezielt abloesbar ist.
 2. Dokumentierter LAN-only Host-Port `8123` als Fallback, wenn Option 1 den
   bestehenden Traefik-Standard zu stark verbiegt.
@@ -1,71 +0,0 @@
 services:
  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:2026.6.4@sha256:adb3341e31e03e0048e60d8c1cf952e118a381ae258bb921d3da12a3b27bf0c2
    container_name: homeassistant
    restart: unless-stopped
    environment:
      TZ: Europe/Berlin
    volumes:
      - /mnt/user/appdata/homeassistant:/config
      - /mnt/user/services/smart-home-kalli/home-assistant/configuration.yaml:/config/configuration.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/automations.yaml:/config/automations.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/scripts.yaml:/config/scripts.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/scenes.yaml:/config/scenes.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/packages:/config/packages:ro
    networks:
      - frontend_net
      - smarthome_net
      # Zugang zum bestehenden Monitoring-Netz nur fuer den InfluxDB-3-Writer
      # (Wetter-/Langzeitarchiv). HA schreibt intern an monitoring-influxdb3-core:8181,
      # kein Host-Port, keine LAN-Exposition. Siehe docs/DECISIONS.md (2026-06-13).
      - monitoring_net
    # LAN-only Host-Bind nur fuer den Ecowitt-HTTP-Push: das GW3000-Gateway kann
    # kein HTTPS und pusht per HTTP direkt an den HA-Webhook. Bindung ausschliesslich
    # auf die LAN-IP (nicht 0.0.0.0, nicht WAN). Dokumentierte Ausnahme analog
    # InfluxDB 8181, siehe docs/DECISIONS.md (2026-06-13) und Architektur-Master 10.
    ports:
      - "192.168.178.58:8123:8123"
    security_opt:
      - no-new-privileges:true
    depends_on:
      - mosquitto
    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend_net
      - traefik.http.routers.homeassistant.rule=Host(`home.kaleschke.info`)
      - traefik.http.routers.homeassistant.entrypoints=websecure
      - traefik.http.routers.homeassistant.tls=true
      - traefik.http.routers.homeassistant.tls.certresolver=le
      - traefik.http.routers.homeassistant.middlewares=secure-headers@file
      - traefik.http.services.homeassistant.loadbalancer.server.port=8123
  mosquitto:
    image: eclipse-mosquitto:2.0.22@sha256:212f89e1eaeb2c322d6441b64396e3346026674db8fa9c27beac293405c32b3c
    container_name: smarthome-mosquitto
    restart: unless-stopped
    volumes:
      - ./mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf
      - /mnt/user/appdata/mosquitto/config:/mosquitto/external_config
      - /mnt/user/appdata/mosquitto/data:/mosquitto/data
      - /mnt/user/appdata/mosquitto/log:/mosquitto/log
    networks:
      - smarthome_net
    expose:
      - "1883"
    security_opt:
      - no-new-privileges:true
 networks:
  frontend_net:
    external: true
  smarthome_net:
    name: smarthome_net
    driver: bridge
    internal: true
  # Bestehendes Observability-Netz (vom monitoring-Stack angelegt); hier nur
  # extern referenziert, damit HA den InfluxDB-3-Writer erreicht.
  monitoring_net:
    external: true
    name: monitoring_net
--- a/Show More
+++ b/Show More
		`@@ -1 +0,0 @@`
			`replace-with-a-long-random-grafana-readonly-password`
		`@@ -1 +0,0 @@`
			`replace-with-a-long-random-metrics-password`
		`@@ -1 +0,0 @@`
			`replace-with-a-long-random-postgres-password`
		`@@ -1 +0,0 @@`
			`replace-with-a-long-random-url-safe-redis-password`
`@@ -1,4 +1,4 @@`
	`FROM nousresearch/hermes-agent:v2026.6.19`	`FROM nousresearch/hermes-agent:v2026.6.5`

	`USER root`	`USER root`