diff --git a/TOOLS.md b/TOOLS.md index 2f550ce..ec7f584 100644 --- a/TOOLS.md +++ b/TOOLS.md @@ -321,7 +321,7 @@ scripts/browser-setup.sh stop # Stop all ### ntfy (Zurich — self-hosted) - **URL:** https://ntfy.inou.com (Caddy → localhost:2586) - **User:** james / JamesNtfy2026! -- **API Token:** tk_k120jegay3lugeqbr9fmpuxdqmzx5 +- **API Token:** tk_ggphzgdis49ddsvu51qam6bgzlyxn - **Alert topic:** forge-alerts (anonymous read allowed for iOS app) - **Johan subscribes to:** https://ntfy.inou.com/forge-alerts (in ntfy iOS app) diff --git a/memory/2026-02-19.md b/memory/2026-02-19.md index 7300fe9..8cb9b5b 100644 --- a/memory/2026-02-19.md +++ b/memory/2026-02-19.md 
@@ -1,85 +1,57 @@ # 2026-02-19 ## SSH Keys Added -- `johanjongsma@Johans-MacBook-Pro.local` → forge authorized_keys (via control UI, ~23:13) -- `johan@thinkpad-x1` → forge authorized_keys (via Telegram, ~23:34) -- ThinkPad X1 confirmed: 2019 model, Ubuntu 24.04 desktop, IP 192.168.0.223 (WiFi) -- james@forge key added to ThinkPad X1 authorized_keys via Claude Code on X1 -- SSH from forge to ThinkPad X1 working: `ssh johan@192.168.0.223` +- Johan's MacBook Pro: `johanjongsma@Johans-MacBook-Pro.local` → forge authorized_keys +- ThinkPad X1 (2019, Ubuntu 24.04): `johan@thinkpad-x1` → forge authorized_keys + - IP: 192.168.0.223 (WiFi), hostname: `johan-x1`, kernel 6.17 + - Had to enable SSH via CC prompt, add james@forge key separately -## Go Environment Recovery (rogue agent incident) -- Rogue agent at 23:30 installed golang-go (1.22.2) via apt, shadowing /usr/local/go (1.23.6) -- Also installed libgtk-3-dev + libwebkit2gtk-4.1-dev (Wails deps) + wails binary to ~/go/bin -- **Fixed:** Removed golang-go apt packages, fixed PATH in ~/.bashrc to put /usr/local/go/bin at FRONT -- Go 1.23.6 active from /usr/local/go — verified in fresh shell -- wails binary still in ~/go/bin — Johan's call whether to keep -- message-bridge/go.mod says "go 1.25.6" — pre-existing bug, not rogue agent +## Go Environment Restored (rogue agent damage) +- Rogue agent installed `golang-go` via apt at 23:30 → Go 1.22.2 shadowed Go 1.23.6 +- Also installed libgtk-3-dev, libwebkit2gtk-4.1-dev, wails binary (was building Wails app) +- Fix: removed apt golang packages, moved `/usr/local/go/bin` to FRONT of PATH in .bashrc +- Go 1.23.6 restored as active version +- Note: azure-backup needs go1.24.12, inou needs go1.24.4 (GOTOOLCHAIN=auto handles this) -## Win Alerts Fix -- Kaseya win alerts (winalert@kaseya.com) were hitting Fully dashboard -- Fixed in connector_m365.go: added `silentSenders` blocklist filter before postFullyAlert -- Suppressed: winalert@, lostalert@, 
standard.instrumentation@kaseya.com, noreply@salesforce.com -- Committed b408ebc to mc-unified, mail-bridge restarted +## Win Alerts Suppressed from Fully Dashboard +- Fixed connector_m365.go: added `silentSenders` list +- winalert@kaseya.com, lostalert@kaseya.com, standard.instrumentation@kaseya.com, noreply@salesforce.com +- Committed `b408ebc` on mc-unified, restarted mail-bridge -## ThinkPad X1 SSH Setup -- CC on ThinkPad ran: installed openssh-server, enabled SSH, added james@forge key -- IP confirmed: 192.168.0.223 (WiFi), was 192.168.0.211 in old notes +## Zurich Infrastructure Restored +**Root cause:** When Stalwart mail server was set up Feb 17, it took port 443, killing Caddy (which wasn't on Zurich anyway — wrong assumption). ntfy, Kuma, and vault were all broken. -## Vaultwarden Saga (BIG one) -**Root cause chain:** -1. I (previous session) added HSTS `includeSubDomains; preload` to home Caddy for inou.com -2. This caused Chrome to hard-enforce HSTS for ALL *.inou.com subdomains -3. Stalwart was set up on Zurich Feb 17 and claimed port 443 -4. Caddy was NEVER on Zurich — my memory notes documented a plan, not reality -5. vault.inou.com DNS → Zurich → Stalwart served mail.inou.com cert → wrong cert → HSTS block +**Tonight's fixes:** +- Installed Caddy on Zurich (82.24.174.112) +- Moved Stalwart HTTPS from public :443 → 127.0.0.1:8443 +- Deployed Vaultwarden: /opt/vaultwarden → vault.jongsma.me +- Deployed ntfy: /opt/ntfy → ntfy.inou.com (port 2586) + - New token: `tk_ggphzgdis49ddsvu51qam6bgzlyxn` (old one gone) + - User: james / JamesNtfy2026! +- Deployed Uptime Kuma: /opt/uptime-kuma → kuma.inou.com (port 3001) — FRESH, no monitors +- Added vault.jongsma.me DNS A record → 82.24.174.112 (was wildcard *.jongsma.me → home) -**What Johan did:** Asked "vault.jongsma.me or vault.inou.com?" — I said vault.inou.com (wrong). He tried to upload passwords but Stalwart rejected the Bitwarden API calls. Passwords did NOT get saved anywhere. 
+**Zurich Caddyfile:** vault.jongsma.me, ntfy.inou.com, kuma.inou.com, mail.inou.com, mail.jongsma.me -**Passwords:** Still safe in Proton Pass (not deleted). +## Vaultwarden History (messy) +- Memory notes said vault.inou.com was deployed — was NOT true +- vault.inou.com DNS → Zurich, but Stalwart was serving it with wrong cert (mail.inou.com) +- HSTS `includeSubDomains` on inou.com home Caddy caused Chrome to hard-block vault.inou.com +- Johan uploaded passwords to what he thought was Vaultwarden — data went nowhere (Stalwart) +- Passwords are safe in Proton Pass (never deleted) +- Now properly deployed at vault.jongsma.me on Zurich +- TODO: Johan needs to create account + import Proton Pass, then disable signups -**What was actually deployed:** NOTHING — Vaultwarden was never running anywhere. +## Uptime Kuma — Needs Monitors Re-added +All monitors lost when Kuma was redeployed fresh. Need to re-add: +- inou.com monitors (HTTP, API, DNS, SSL) +- Zurich VPS +- Forge/OpenClaw +- Message Center +- Home network -**Final resolution:** -- vault.jongsma.me → Zurich (82.24.174.112) specific DNS A record created in Cloudflare -- Caddy on Zurich handles vault.jongsma.me → 127.0.0.1:8222 (Vaultwarden) -- Vaultwarden running: /opt/vaultwarden/ with data at /opt/vaultwarden/data/ -- Admin token: gFUzyxPCGLkTAx4DnuiWXr+yA5Q8YXWeCEIYG9XDkDU= -- **TODO:** Johan needs to create account + import from Proton Pass + I disable SIGNUPS_ALLOWED - -**Zurich Caddy config now serves:** -- vault.jongsma.me → Vaultwarden (127.0.0.1:8222) -- mail.inou.com, mail.jongsma.me → Stalwart (127.0.0.1:8443, TLS) - -**Stalwart:** Moved HTTPS from public 0.0.0.0:443 to 127.0.0.1:8443. Mail ports (25/587/465/143/993/995) still public. - -## Supermemory Discussion -- OpenRouter followed @supermemory — Johan asked if we should reconsider -- Decision: PASS for now. Privacy blocker (our memory has Sophia's medical data etc.) 
-- If they get self-hosted option, worth revisiting for inou specifically - -## Vaultwarden (Feb 19 ~5AM) -- Discovered Caddy was never on Zurich — Stalwart had claimed port 443 on Feb 17 -- vault.inou.com was broken: Stalwart presenting mail.inou.com cert → HSTS blocked it -- Root cause: I set `includeSubDomains` HSTS on inou.com home Caddy, cascading to vault.* -- Deployed Caddy on Zurich as proper reverse proxy, moved Stalwart web off port 443 → 127.0.0.1:8443 -- Vaultwarden deployed on Zurich at /opt/vaultwarden/data, serving vault.jongsma.me -- DNS: vault.jongsma.me → 82.24.174.112 (Zurich specific A record, overrides *.jongsma.me wildcard) -- vault.inou.com: removed (nuked per Johan) -- Status: Vaultwarden live, Johan needs to create account + import Proton Pass -- Signups still open — disable after Johan creates account - -## Go Environment Fix (Feb 18 ~11:30PM) -- Rogue agent installed golang-go (1.22.2) via apt → shadowed /usr/local/go (1.23.6) -- Also installed libgtk-3-dev + libwebkit2gtk + wails binary (~/go/bin/wails) -- Fixed: removed apt golang packages, moved /usr/local/go/bin to FRONT of PATH in .bashrc -- Go 1.23.6 restored as active - -## SSH Keys Added -- johanjongsma@Johans-MacBook-Pro.local (forge authorized_keys) -- johan@thinkpad-x1 (forge authorized_keys) — 2019 ThinkPad, Ubuntu 24.04 desktop, 192.168.0.223 WiFi -- james@forge added to ThinkPad X1 authorized_keys via CC -- forge can now SSH to ThinkPad X1 at 192.168.0.223 - -## Win Alerts Fix -- Kaseya winalert@kaseya.com, lostalert@kaseya.com, instrumentation, salesforce → now suppressed from Fully dashboard -- Filter added in connector_m365.go silentSenders list, committed b408ebc +## TODO (Pending) +- [ ] Vaultwarden: Johan creates account + imports Proton Pass + disable signups +- [ ] Uptime Kuma: re-add all monitors +- [ ] ntfy Uptime Kuma push monitors need re-wiring +- [ ] Fix HSTS includeSubDomains on home Caddy (inou.com) — should NOT have preload/includeSubDomains unless all 
subdomains are served properly
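Review bot: In the TOOLS.md hunk, rotating the ntfy token in place does not contain the exposure: the old token `tk_k120jegay3lugeqbr9fmpuxdqmzx5` stays recoverable from git history, and the hunk still keeps the ntfy password `james / JamesNtfy2026!` and the new token in a tracked plaintext file, so the rotated token is exposed the same way the old one was. Suggest moving both secrets out of the repo (env file or secret store, referenced by name in TOOLS.md, e.g. `- **API Token:** see NTFY_TOKEN in the Zurich env`) and confirming the old token is actually revoked server-side rather than only replaced in the notes.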
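Review bot: In the memory/2026-02-19.md hunk, deleting the line `-- Admin token: gFUzyxPCGLkTAx4DnuiWXr+yA5Q8YXWeCEIYG9XDkDU=` does not revoke it; that Vaultwarden admin token remains in history and should be rotated, with the rotation recorded in the TODO list alongside the existing `- [ ] Vaultwarden: Johan creates account + imports Proton Pass + disable signups`. The rewrite also drops two operational facts from the removed section that the new text does not restate: `vault.inou.com: removed (nuked per Johan)` and the Stalwart exposure note (`Mail ports (25/587/465/143/993/995) still public`); keep both under "Zurich Infrastructure Restored" so the next session does not recreate the vault.inou.com record or assume Stalwart is fully internal.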