From d000f646f0d922c6712b43bc0f93b915e033bb72 Mon Sep 17 00:00:00 2001 From: Vadym Samoilenko Date: Sun, 3 May 2026 18:46:49 +0100 Subject: [PATCH] vault backup: 2026-05-03 18:46:49 --- .obsidian/plugins/hoarder-sync/data.json | 2 +- 02 Areas/Pending Commands.md | 110 +++++++---------------- 99 Daily/2026-05-03.md | 6 ++ 3 files changed, 37 insertions(+), 81 deletions(-) diff --git a/.obsidian/plugins/hoarder-sync/data.json b/.obsidian/plugins/hoarder-sync/data.json index 6b18312..e49f88a 100644 --- a/.obsidian/plugins/hoarder-sync/data.json +++ b/.obsidian/plugins/hoarder-sync/data.json @@ -4,7 +4,7 @@ "syncFolder": "Hoarder", "attachmentsFolder": "Hoarder/attachments", "syncIntervalMinutes": 60, - "lastSyncTimestamp": 1777826360368, + "lastSyncTimestamp": 1777829889811, "updateExistingFiles": false, "excludeArchived": true, "onlyFavorites": false, diff --git a/02 Areas/Pending Commands.md b/02 Areas/Pending Commands.md index 7535a9c..7523962 100644 --- a/02 Areas/Pending Commands.md +++ b/02 Areas/Pending Commands.md @@ -6,78 +6,8 @@ Commands that need to be run on servers. Move to **Done** after confirmation. ## Pending -### P0 — Do immediately - -#### pve: Update router DHCP DNS -On TP-Link AX72 web UI → Network → DHCP Server → Primary DNS: -``` -Change: 192.168.1.62 → 192.168.1.225 -Secondary DNS: 1.1.1.1 -``` -_Why: CT101 (192.168.1.62) is legacy, CT102 Docker AdGuard is the new DNS_ - -#### pve: Fix CT105 Immich GPU (2 commands) -```bash -ssh pve "pct set 105 --delete dev1 && pct set 105 --delete dev2" -ssh pve "pct start 105" -``` -_Why: Host only has card1 + renderD128. CT105 conf had dev1=renderD129 and dev2=card0 which don't exist_ - -#### pve: Free CT102 thin-pool (fstrim) -```bash -ssh pve "pct exec 102 -- fstrim -av" -ssh pve "pct exec 102 -- systemctl enable fstrim.timer && systemctl start fstrim.timer" -``` -_Why: vm-102-disk-0 shows 99.39% thin-pool allocation, df shows only 36% — blocks were written then deleted but not trimmed_ - -#### pve: Destroy legacy LXCs (after router DNS update) -```bash -# First verify CT101 is no longer needed as DNS (router updated) -ssh pve "pct stop 101 && pct destroy 101" -``` -_Why: CT101 is legacy AdGuard, replaced by CT102 Docker AdGuard_ - -#### CT102: Fix dead NPM proxy hosts (disable/delete) -```bash -# In NPM admin (http://192.168.1.225:81): -# Delete or disable: id=5 (flow.ai-impress.com → dead), id=6 (ssh → dead), -# id=8 (grafana → dead), id=12 (auth → Authentik deleted) -# Update: id=10 (dns.ai-impress.com) → change backend to 192.168.1.225:8053 -``` - -#### CT102: Fix Stirling-PDF OIDC -```bash -ssh pve "pct exec 102 -- bash -lc 'cd /opt/services/stirling-pdf && docker compose down && \ - sed -i \"s/SECURITY_OAUTH2_ENABLED=true/SECURITY_OAUTH2_ENABLED=false/g\" docker-compose.yml && \ - docker compose up -d'" -# If no env var, manually edit docker-compose.yml: set SECURITY_OAUTH2_ENABLED=false -``` - ### P1 — This week -#### CT102: Restrict docker-socket-proxy to localhost only -```bash -# Edit /opt/services/ or wherever it's defined -# Change: "0.0.0.0:2376:2375" → "127.0.0.1:2376:2375" -# Then: docker compose up -d --force-recreate -``` -_Why: Exposes Docker API to entire LAN on 0.0.0.0:2376 — security risk_ - -#### pve: Enable Tailscale subnet-router (LAN access remotely) -```bash -ssh pve "tailscale up --advertise-routes=192.168.1.0/24 --accept-routes" -# Then: approve the subnet in Tailscale admin console (https://login.tailscale.com/admin/machines) -``` -_Why: Currently no subnet route — LAN-only services not accessible when remote_ - -#### CT102: Configure Promtail for Loki -```bash -# Create /opt/monitoring/promtail-config.yml -# Add to /opt/monitoring/docker-compose.yml: promtail service -# Loki URL: http://loki:3100 -``` -_Why: Loki running but no Promtail — logs not aggregated_ - #### CT102: Add CrowdSec bouncer for NPM ```bash # Install nginx-proxy-manager bouncer for crowdsec @@ -85,24 +15,42 @@ _Why: Loki running but no Promtail — logs not aggregated_ ``` _Why: CrowdSec running but no bouncer — IPS observing but not blocking_ -#### pve: vzdump restore drill -```bash -# Test restoring a backup to verify backups work -ssh pve "qmrestore /mnt/usb-backup/dump/.vma.zst 299 --storage local-lvm" -ssh pve "qm start 299 && qm status 299" -ssh pve "qm stop 299 && qm destroy 299" -``` -_Why: vzdump runs daily but restore procedure never tested_ +### P2 — Phase 3: Review all app configs +- Review each service in CT102 /opt/services/*/docker-compose.yml against checklist (restart, healthcheck, logging, networks, secrets) +- Special: Nextcloud (cron container), Vaultwarden (SIGNUPS_ALLOWED=false), Paperless (OCR_LANGUAGE=eng+rus) + +### P3 — Phase 4: *arr stack + Russian content +- Add Bazarr (CT111), Recyclarr (CT111), Readarr (CT111) +- Configure Sonarr/Radarr custom formats for Russian audio (score +200) +- Configure Prowlarr: add rutracker, kinozal, rutor, NNM-Club +- qBit: set listening port 50000, add router Virtual Server 50000 TCP+UDP → 192.168.1.230:50000 +- Jellyfin: add Sonarr/Radarr connect webhooks for instant library scan +- Jellyfin: set default audio/subtitle language to Russian + +### P4 — Phase 5: Dashboards A/B/C +- Rebuild Glance (4 pages: Home/Infrastructure/Media/Monitoring), add power widget (RAPL/Prometheus) +- Deploy Dashy on port 8086 at dashy.ai-impress.com +- Deploy Dashbrr on port 8087 at dashbrr.ai-impress.com +- After comparison: keep 1-2, destroy others --- ## Done -_(Move entries here after confirmation)_ - | Date | Command | Result | |------|---------|--------| | 2026-05-03 | Live audit of pve server | Completed — all files updated in Obsidian | +| 2026-05-03 | Router DNS updated | 192.168.1.62 → 192.168.1.225 (done by user) | +| 2026-05-03 | CT105 Immich GPU fix | Already fixed (native LXC, dev1/dev2 removed, immich running) | +| 2026-05-03 | CT102 fstrim | 99.39% → 35.81%, issue_discards=1 enabled in lvm.conf | +| 2026-05-03 | CT101 destroyed | pct stop 101 && pct destroy 101 --purge | +| 2026-05-03 | NPM dead proxies removed | id=5,6,8,12,20 deleted; id=10 updated to :8053; id=26 trimmed | +| 2026-05-03 | Stirling-PDF OIDC | Already fixed (SECURITY_ENABLELOGIN=false, no OAuth in compose) | +| 2026-05-03 | docker-socket-proxy → localhost | Recreated with -p 127.0.0.1:2376:2375 | +| 2026-05-03 | rpcbind :111 closed | systemctl disable --now rpcbind rpcbind.socket | +| 2026-05-03 | Tailscale subnet-router | 192.168.1.0/24 advertised + approved in admin console; IP forwarding enabled in /etc/sysctl.d/99-tailscale.conf | +| 2026-05-03 | Promtail for Loki | Added to /opt/monitoring/docker-compose.yml, container running, Docker targets discovered | +| 2026-05-03 | vzdump restore drill | CT102 backup restored as CT999, hostname verified, CT999 destroyed | --- @@ -111,3 +59,5 @@ _(Move entries here after confirmation)_ - Commands for CT102 Docker services always via: `ssh pve "pct exec 102 -- bash -lc '...'"` or `ssh pve "pct exec 102 -- docker compose -f /path/to/compose.yml ..."` - After any DNS change: flush on clients and wait for DHCP lease renewal (24h default) - NPM admin: http://192.168.1.225:81 (password: check ~/.secrets/ on local machine) +- fstrim for CT disks: mount /dev/mapper/pve-vm----disk--0 /mnt/trim-ctXXX && fstrim -v /mnt/trim-ctXXX && umount (from pve host, container running is OK) +- Tailscale subnet approved in admin: https://login.tailscale.com/admin/machines → pve → Edit route settings diff --git a/99 Daily/2026-05-03.md b/99 Daily/2026-05-03.md index d02f86e..38798fa 100644 --- a/99 Daily/2026-05-03.md +++ b/99 Daily/2026-05-03.md @@ -38,3 +38,9 @@ tags: [daily] - 17:57 (19min) | `aimpress` - **Asked:** Asked | Audit PVE server containers, services, and network configurations to document setup and identify improvements | infrastructure/_index.md, homelab/_index.md, Known Issues section - **Done:** Done | Indexed all containers and services, documented local vs internet-accessible resources, and updated infrastructure documentation with current live data | infrastructure/_index.md, homelab/_index.md +- 18:45 (30min) | `aimpress` + - **Asked:** Complete Proxmox homelab audit, document all containers/services, identify issues and create improvement plan with focus on *arr stack, qBittorrent, and Glance dashboard setup. + - **Done:** Conducted comprehensive server inventory, validated Tailscale configuration parameters, executed successful restore drill, and documented completed tasks in Obsidian. +- 18:45 | `aimpress` + - **Asked:** Conducted comprehensive audit of Proxmox homelab server, documented all containers and services with configurations, and identified issues and duplicates. + - **Done:** Completed Phase 1 and Phase 2 improvements including container cleanup, storage optimization, security fixes, and monitoring setup across 10+ tasks.