Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
cd650b19ac057a1b74ac63503e5dba50eaf5b8ea
homelab-infra/services/posture-check/unraid-user-scripts.md
T
Micha cd650b19ac Close Gitea signup, dedup posture-check alerts, extend Borg scope 
Operational hardening across several services after live incident
analysis between 2026-05-18 and 2026-05-20:

- Gitea: disable public registration and OpenID signup/signin to
  stop the external POST / 5xx bursts that triggered availability
  alerts. New repo-wide policy requires every productive
  Micha/homelab-infra Komodo stack to ship with an active
  Gitea->Komodo webhook on the current stack ID (documented in
  CLAUDE.md, AI_CONTEXT.md, WORKFLOW.md).
- posture-check: extract the Disk1 fstype check into its own
  function so the documented Disk1 NTFS exception no longer raises
  ntfy warnings, skip POSIX inode checks on NTFS, and dedup ntfy
  alerts via a fingerprint state file with ALERT_REPEAT_SECONDS
  (default 24h). Repeat-spam on the same cause now suppressed.
- docker-critical-events: parse the event JSON for container name,
  action, exit code and signal; drop `die exit=0` events (clean
  stops); ship a structured ntfy message instead of the raw event
  line.
- Borg UI: mount /mnt/user/services into the backup container as
  /local/services:ro and include homelab-infra, stacks and
  posture-check in all-important-sources.txt. RESTORE_MATRIX and
  DISASTER_RECOVERY updated accordingly.
- Unraid user scripts: document the new
  homelab-operations-report-daily cron job and the SMTP password
  file it expects on the host.
- MIGRATION_LOG: capture the four live events from this window -
  Gitea 5xx burst + signup closure, Komodo webhook reconciliation,
  posture-check host-version verification, Borg scope extension,
  and Traefik 5xx alert detuning.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 11:05:35 +02:00

2.1 KiB
Raw Blame History

Unraid User Scripts fuer Posture-Checks

Host-Repo-Pfad:

/mnt/user/services/homelab-infra

posture-check-at-start

Zeit: Array Start.

#!/bin/bash
bash /mnt/user/services/homelab-infra/services/posture-check/posture-check.sh

posture-check-hourly

Zeit: stuendlich bei Minute 17, Cron 17 * * * *.

#!/bin/bash
bash /mnt/user/services/homelab-infra/services/posture-check/posture-check.sh

cert-token-check-daily

Zeit: taeglich 06:10, Cron 10 6 * * *.

#!/bin/bash
bash /mnt/user/services/homelab-infra/services/posture-check/cert-token-check.sh

compose-runtime-drift-daily

Zeit: taeglich 06:20, Cron 20 6 * * *.

#!/bin/bash
bash /mnt/user/services/homelab-infra/services/posture-check/compose-runtime-drift.sh

homelab-operations-report-daily

Zeit: taeglich nach Borg und den Morgenchecks, z. B. 07:30, Cron 30 7 * * *.

Voraussetzung: SMTP-Passwort liegt nicht im Repo, sondern auf dem Host:

mkdir -p /mnt/user/appdata/secrets
chmod 700 /mnt/user/appdata/secrets
printf '%s' 'SMTP_PASSWORT_HIER_EINTRAGEN' > /mnt/user/appdata/secrets/homelab_smtp_password.txt
chmod 600 /mnt/user/appdata/secrets/homelab_smtp_password.txt

User Script:

#!/bin/bash
SEND_MAIL=1 \
MAIL_MODE=always \
MAIL_FROM="michideheld@gmx.de" \
MAIL_TO="Mi.Kaleschke@gmx.de" \
SMTP_HOST="smtp.gmx.net" \
SMTP_PORT="587" \
SMTP_USER="michideheld@gmx.de" \
SMTP_PASS_FILE="/mnt/user/appdata/secrets/homelab_smtp_password.txt" \
bash /mnt/user/services/homelab-infra/services/posture-check/daily-status-report.sh

docker-critical-events-at-start

Zeit: Array Start. Dieser Job startet einen Hintergrund-Watcher und beendet sich sofort.

#!/bin/bash
ps -ef | grep -F -- "docker events --filter event=die --filter event=oom --filter event=kill" | grep -v grep >/dev/null && exit 0
mkdir -p /mnt/user/services/posture-check
nohup bash /mnt/user/services/homelab-infra/services/posture-check/docker-critical-events.sh >/mnt/user/services/posture-check/docker-critical-events.out 2>&1 </dev/null &
exit 0
Reference in New Issue View Git Blame Copy Permalink