2026-02-19: Zurich infra restored, SSH keys, Go fix, win alerts suppressed
This commit is contained in:
James
parent
0e24c75976
commit
39b07e31dd
2
TOOLS.md
2
TOOLS.md
|
|
@ -321,7 +321,7 @@ scripts/browser-setup.sh stop # Stop all
|
||||||
### ntfy (Zurich — self-hosted)
|
### ntfy (Zurich — self-hosted)
|
||||||
- **URL:** https://ntfy.inou.com (Caddy → localhost:2586)
|
- **URL:** https://ntfy.inou.com (Caddy → localhost:2586)
|
||||||
- **User:** james / JamesNtfy2026!
|
- **User:** james / JamesNtfy2026!
|
||||||
- **API Token:** tk_k120jegay3lugeqbr9fmpuxdqmzx5
|
- **API Token:** tk_ggphzgdis49ddsvu51qam6bgzlyxn
|
||||||
- **Alert topic:** forge-alerts (anonymous read allowed for iOS app)
|
- **Alert topic:** forge-alerts (anonymous read allowed for iOS app)
|
||||||
- **Johan subscribes to:** https://ntfy.inou.com/forge-alerts (in ntfy iOS app)
|
- **Johan subscribes to:** https://ntfy.inou.com/forge-alerts (in ntfy iOS app)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,85 +1,57 @@
|
||||||
# 2026-02-19
|
# 2026-02-19
|
||||||
|
|
||||||
## SSH Keys Added
|
## SSH Keys Added
|
||||||
- `johanjongsma@Johans-MacBook-Pro.local` → forge authorized_keys (via control UI, ~23:13)
|
- Johan's MacBook Pro: `johanjongsma@Johans-MacBook-Pro.local` → forge authorized_keys
|
||||||
- `johan@thinkpad-x1` → forge authorized_keys (via Telegram, ~23:34)
|
- ThinkPad X1 (2019, Ubuntu 24.04): `johan@thinkpad-x1` → forge authorized_keys
|
||||||
- ThinkPad X1 confirmed: 2019 model, Ubuntu 24.04 desktop, IP 192.168.0.223 (WiFi)
|
- IP: 192.168.0.223 (WiFi), hostname: `johan-x1`, kernel 6.17
|
||||||
- james@forge key added to ThinkPad X1 authorized_keys via Claude Code on X1
|
- Had to enable SSH via CC prompt, add james@forge key separately
|
||||||
- SSH from forge to ThinkPad X1 working: `ssh johan@192.168.0.223`
|
|
||||||
|
|
||||||
## Go Environment Recovery (rogue agent incident)
|
## Go Environment Restored (rogue agent damage)
|
||||||
- Rogue agent at 23:30 installed golang-go (1.22.2) via apt, shadowing /usr/local/go (1.23.6)
|
- Rogue agent installed `golang-go` via apt at 23:30 → Go 1.22.2 shadowed Go 1.23.6
|
||||||
- Also installed libgtk-3-dev + libwebkit2gtk-4.1-dev (Wails deps) + wails binary to ~/go/bin
|
- Also installed libgtk-3-dev, libwebkit2gtk-4.1-dev, wails binary (was building Wails app)
|
||||||
- **Fixed:** Removed golang-go apt packages, fixed PATH in ~/.bashrc to put /usr/local/go/bin at FRONT
|
- Fix: removed apt golang packages, moved `/usr/local/go/bin` to FRONT of PATH in .bashrc
|
||||||
- Go 1.23.6 active from /usr/local/go — verified in fresh shell
|
- Go 1.23.6 restored as active version
|
||||||
- wails binary still in ~/go/bin — Johan's call whether to keep
|
- Note: azure-backup needs go1.24.12, inou needs go1.24.4 (GOTOOLCHAIN=auto handles this)
|
||||||
- message-bridge/go.mod says "go 1.25.6" — pre-existing bug, not rogue agent
|
|
||||||
|
|
||||||
## Win Alerts Fix
|
## Win Alerts Suppressed from Fully Dashboard
|
||||||
- Kaseya win alerts (winalert@kaseya.com) were hitting Fully dashboard
|
- Fixed connector_m365.go: added `silentSenders` list
|
||||||
- Fixed in connector_m365.go: added `silentSenders` blocklist filter before postFullyAlert
|
- winalert@kaseya.com, lostalert@kaseya.com, standard.instrumentation@kaseya.com, noreply@salesforce.com
|
||||||
- Suppressed: winalert@, lostalert@, standard.instrumentation@kaseya.com, noreply@salesforce.com
|
- Committed `b408ebc` on mc-unified, restarted mail-bridge
|
||||||
- Committed b408ebc to mc-unified, mail-bridge restarted
|
|
||||||
|
|
||||||
## ThinkPad X1 SSH Setup
|
## Zurich Infrastructure Restored
|
||||||
- CC on ThinkPad ran: installed openssh-server, enabled SSH, added james@forge key
|
**Root cause:** When Stalwart mail server was set up Feb 17, it took port 443, killing Caddy (which wasn't on Zurich anyway — wrong assumption). ntfy, Kuma, and vault were all broken.
|
||||||
- IP confirmed: 192.168.0.223 (WiFi), was 192.168.0.211 in old notes
|
|
||||||
|
|
||||||
## Vaultwarden Saga (BIG one)
|
**Tonight's fixes:**
|
||||||
**Root cause chain:**
|
- Installed Caddy on Zurich (82.24.174.112)
|
||||||
1. I (previous session) added HSTS `includeSubDomains; preload` to home Caddy for inou.com
|
- Moved Stalwart HTTPS from public :443 → 127.0.0.1:8443
|
||||||
2. This caused Chrome to hard-enforce HSTS for ALL *.inou.com subdomains
|
- Deployed Vaultwarden: /opt/vaultwarden → vault.jongsma.me
|
||||||
3. Stalwart was set up on Zurich Feb 17 and claimed port 443
|
- Deployed ntfy: /opt/ntfy → ntfy.inou.com (port 2586)
|
||||||
4. Caddy was NEVER on Zurich — my memory notes documented a plan, not reality
|
- New token: `tk_ggphzgdis49ddsvu51qam6bgzlyxn` (old one gone)
|
||||||
5. vault.inou.com DNS → Zurich → Stalwart served mail.inou.com cert → wrong cert → HSTS block
|
- User: james / JamesNtfy2026!
|
||||||
|
- Deployed Uptime Kuma: /opt/uptime-kuma → kuma.inou.com (port 3001) — FRESH, no monitors
|
||||||
|
- Added vault.jongsma.me DNS A record → 82.24.174.112 (was wildcard *.jongsma.me → home)
|
||||||
|
|
||||||
**What Johan did:** Asked "vault.jongsma.me or vault.inou.com?" — I said vault.inou.com (wrong). He tried to upload passwords but Stalwart rejected the Bitwarden API calls. Passwords did NOT get saved anywhere.
|
**Zurich Caddyfile:** vault.jongsma.me, ntfy.inou.com, kuma.inou.com, mail.inou.com, mail.jongsma.me
|
||||||
|
|
||||||
**Passwords:** Still safe in Proton Pass (not deleted).
|
## Vaultwarden History (messy)
|
||||||
|
- Memory notes said vault.inou.com was deployed — was NOT true
|
||||||
|
- vault.inou.com DNS → Zurich, but Stalwart was serving it with wrong cert (mail.inou.com)
|
||||||
|
- HSTS `includeSubDomains` on inou.com home Caddy caused Chrome to hard-block vault.inou.com
|
||||||
|
- Johan uploaded passwords to what he thought was Vaultwarden — data went nowhere (Stalwart)
|
||||||
|
- Passwords are safe in Proton Pass (never deleted)
|
||||||
|
- Now properly deployed at vault.jongsma.me on Zurich
|
||||||
|
- TODO: Johan needs to create account + import Proton Pass, then disable signups
|
||||||
|
|
||||||
**What was actually deployed:** NOTHING — Vaultwarden was never running anywhere.
|
## Uptime Kuma — Needs Monitors Re-added
|
||||||
|
All monitors lost when Kuma was redeployed fresh. Need to re-add:
|
||||||
|
- inou.com monitors (HTTP, API, DNS, SSL)
|
||||||
|
- Zurich VPS
|
||||||
|
- Forge/OpenClaw
|
||||||
|
- Message Center
|
||||||
|
- Home network
|
||||||
|
|
||||||
**Final resolution:**
|
## TODO (Pending)
|
||||||
- vault.jongsma.me → Zurich (82.24.174.112) specific DNS A record created in Cloudflare
|
- [ ] Vaultwarden: Johan creates account + imports Proton Pass + disable signups
|
||||||
- Caddy on Zurich handles vault.jongsma.me → 127.0.0.1:8222 (Vaultwarden)
|
- [ ] Uptime Kuma: re-add all monitors
|
||||||
- Vaultwarden running: /opt/vaultwarden/ with data at /opt/vaultwarden/data/
|
- [ ] ntfy Uptime Kuma push monitors need re-wiring
|
||||||
- Admin token: gFUzyxPCGLkTAx4DnuiWXr+yA5Q8YXWeCEIYG9XDkDU=
|
- [ ] Fix HSTS includeSubDomains on home Caddy (inou.com) — should NOT have preload/includeSubDomains unless all subdomains are served properly
|
||||||
- **TODO:** Johan needs to create account + import from Proton Pass + I disable SIGNUPS_ALLOWED
|
|
||||||
|
|
||||||
**Zurich Caddy config now serves:**
|
|
||||||
- vault.jongsma.me → Vaultwarden (127.0.0.1:8222)
|
|
||||||
- mail.inou.com, mail.jongsma.me → Stalwart (127.0.0.1:8443, TLS)
|
|
||||||
|
|
||||||
**Stalwart:** Moved HTTPS from public 0.0.0.0:443 to 127.0.0.1:8443. Mail ports (25/587/465/143/993/995) still public.
|
|
||||||
|
|
||||||
## Supermemory Discussion
|
|
||||||
- OpenRouter followed @supermemory — Johan asked if we should reconsider
|
|
||||||
- Decision: PASS for now. Privacy blocker (our memory has Sophia's medical data etc.)
|
|
||||||
- If they get self-hosted option, worth revisiting for inou specifically
|
|
||||||
|
|
||||||
## Vaultwarden (Feb 19 ~5AM)
|
|
||||||
- Discovered Caddy was never on Zurich — Stalwart had claimed port 443 on Feb 17
|
|
||||||
- vault.inou.com was broken: Stalwart presenting mail.inou.com cert → HSTS blocked it
|
|
||||||
- Root cause: I set `includeSubDomains` HSTS on inou.com home Caddy, cascading to vault.*
|
|
||||||
- Deployed Caddy on Zurich as proper reverse proxy, moved Stalwart web off port 443 → 127.0.0.1:8443
|
|
||||||
- Vaultwarden deployed on Zurich at /opt/vaultwarden/data, serving vault.jongsma.me
|
|
||||||
- DNS: vault.jongsma.me → 82.24.174.112 (Zurich specific A record, overrides *.jongsma.me wildcard)
|
|
||||||
- vault.inou.com: removed (nuked per Johan)
|
|
||||||
- Status: Vaultwarden live, Johan needs to create account + import Proton Pass
|
|
||||||
- Signups still open — disable after Johan creates account
|
|
||||||
|
|
||||||
## Go Environment Fix (Feb 18 ~11:30PM)
|
|
||||||
- Rogue agent installed golang-go (1.22.2) via apt → shadowed /usr/local/go (1.23.6)
|
|
||||||
- Also installed libgtk-3-dev + libwebkit2gtk + wails binary (~/go/bin/wails)
|
|
||||||
- Fixed: removed apt golang packages, moved /usr/local/go/bin to FRONT of PATH in .bashrc
|
|
||||||
- Go 1.23.6 restored as active
|
|
||||||
|
|
||||||
## SSH Keys Added
|
|
||||||
- johanjongsma@Johans-MacBook-Pro.local (forge authorized_keys)
|
|
||||||
- johan@thinkpad-x1 (forge authorized_keys) — 2019 ThinkPad, Ubuntu 24.04 desktop, 192.168.0.223 WiFi
|
|
||||||
- james@forge added to ThinkPad X1 authorized_keys via CC
|
|
||||||
- forge can now SSH to ThinkPad X1 at 192.168.0.223
|
|
||||||
|
|
||||||
## Win Alerts Fix
|
|
||||||
- Kaseya winalert@kaseya.com, lostalert@kaseya.com, instrumentation, salesforce → now suppressed from Fully dashboard
|
|
||||||
- Filter added in connector_m365.go silentSenders list, committed b408ebc
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue