2026-02-19: Zurich infra restored, SSH keys, Go fix, win alerts suppressed
This commit is contained in:
James
parent
0e24c75976
commit
39b07e31dd
2
TOOLS.md
2
TOOLS.md
|
|
@ -321,7 +321,7 @@ scripts/browser-setup.sh stop # Stop all
|
|||
### ntfy (Zurich — self-hosted)
|
||||
- **URL:** https://ntfy.inou.com (Caddy → localhost:2586)
|
||||
- **User:** james / JamesNtfy2026!
|
||||
- **API Token:** tk_k120jegay3lugeqbr9fmpuxdqmzx5
|
||||
- **API Token:** tk_ggphzgdis49ddsvu51qam6bgzlyxn
|
||||
- **Alert topic:** forge-alerts (anonymous read allowed for iOS app)
|
||||
- **Johan subscribes to:** https://ntfy.inou.com/forge-alerts (in ntfy iOS app)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,85 +1,57 @@
|
|||
# 2026-02-19
|
||||
|
||||
## SSH Keys Added
|
||||
- `johanjongsma@Johans-MacBook-Pro.local` → forge authorized_keys (via control UI, ~23:13)
|
||||
- `johan@thinkpad-x1` → forge authorized_keys (via Telegram, ~23:34)
|
||||
- ThinkPad X1 confirmed: 2019 model, Ubuntu 24.04 desktop, IP 192.168.0.223 (WiFi)
|
||||
- james@forge key added to ThinkPad X1 authorized_keys via Claude Code on X1
|
||||
- SSH from forge to ThinkPad X1 working: `ssh johan@192.168.0.223`
|
||||
- Johan's MacBook Pro: `johanjongsma@Johans-MacBook-Pro.local` → forge authorized_keys
|
||||
- ThinkPad X1 (2019, Ubuntu 24.04): `johan@thinkpad-x1` → forge authorized_keys
|
||||
- IP: 192.168.0.223 (WiFi), hostname: `johan-x1`, kernel 6.17
|
||||
- Had to enable SSH via CC prompt, add james@forge key separately
|
||||
|
||||
## Go Environment Recovery (rogue agent incident)
|
||||
- Rogue agent at 23:30 installed golang-go (1.22.2) via apt, shadowing /usr/local/go (1.23.6)
|
||||
- Also installed libgtk-3-dev + libwebkit2gtk-4.1-dev (Wails deps) + wails binary to ~/go/bin
|
||||
- **Fixed:** Removed golang-go apt packages, fixed PATH in ~/.bashrc to put /usr/local/go/bin at FRONT
|
||||
- Go 1.23.6 active from /usr/local/go — verified in fresh shell
|
||||
- wails binary still in ~/go/bin — Johan's call whether to keep
|
||||
- message-bridge/go.mod says "go 1.25.6" — pre-existing bug, not rogue agent
|
||||
## Go Environment Restored (rogue agent damage)
|
||||
- Rogue agent installed `golang-go` via apt at 23:30 → Go 1.22.2 shadowed Go 1.23.6
|
||||
- Also installed libgtk-3-dev, libwebkit2gtk-4.1-dev, wails binary (was building Wails app)
|
||||
- Fix: removed apt golang packages, moved `/usr/local/go/bin` to FRONT of PATH in .bashrc
|
||||
- Go 1.23.6 restored as active version
|
||||
- Note: azure-backup needs go1.24.12, inou needs go1.24.4 (GOTOOLCHAIN=auto handles this)
|
||||
|
||||
## Win Alerts Fix
|
||||
- Kaseya win alerts (winalert@kaseya.com) were hitting Fully dashboard
|
||||
- Fixed in connector_m365.go: added `silentSenders` blocklist filter before postFullyAlert
|
||||
- Suppressed: winalert@, lostalert@, standard.instrumentation@kaseya.com, noreply@salesforce.com
|
||||
- Committed b408ebc to mc-unified, mail-bridge restarted
|
||||
## Win Alerts Suppressed from Fully Dashboard
|
||||
- Fixed connector_m365.go: added `silentSenders` list
|
||||
- winalert@kaseya.com, lostalert@kaseya.com, standard.instrumentation@kaseya.com, noreply@salesforce.com
|
||||
- Committed `b408ebc` on mc-unified, restarted mail-bridge
|
||||
|
||||
## ThinkPad X1 SSH Setup
|
||||
- CC on ThinkPad ran: installed openssh-server, enabled SSH, added james@forge key
|
||||
- IP confirmed: 192.168.0.223 (WiFi), was 192.168.0.211 in old notes
|
||||
## Zurich Infrastructure Restored
|
||||
**Root cause:** When Stalwart mail server was set up Feb 17, it took port 443, killing Caddy (which wasn't on Zurich anyway — wrong assumption). ntfy, Kuma, and vault were all broken.
|
||||
|
||||
## Vaultwarden Saga (BIG one)
|
||||
**Root cause chain:**
|
||||
1. I (previous session) added HSTS `includeSubDomains; preload` to home Caddy for inou.com
|
||||
2. This caused Chrome to hard-enforce HSTS for ALL *.inou.com subdomains
|
||||
3. Stalwart was set up on Zurich Feb 17 and claimed port 443
|
||||
4. Caddy was NEVER on Zurich — my memory notes documented a plan, not reality
|
||||
5. vault.inou.com DNS → Zurich → Stalwart served mail.inou.com cert → wrong cert → HSTS block
|
||||
**Tonight's fixes:**
|
||||
- Installed Caddy on Zurich (82.24.174.112)
|
||||
- Moved Stalwart HTTPS from public :443 → 127.0.0.1:8443
|
||||
- Deployed Vaultwarden: /opt/vaultwarden → vault.jongsma.me
|
||||
- Deployed ntfy: /opt/ntfy → ntfy.inou.com (port 2586)
|
||||
- New token: `tk_ggphzgdis49ddsvu51qam6bgzlyxn` (old one gone)
|
||||
- User: james / JamesNtfy2026!
|
||||
- Deployed Uptime Kuma: /opt/uptime-kuma → kuma.inou.com (port 3001) — FRESH, no monitors
|
||||
- Added vault.jongsma.me DNS A record → 82.24.174.112 (was wildcard *.jongsma.me → home)
|
||||
|
||||
**What Johan did:** Asked "vault.jongsma.me or vault.inou.com?" — I said vault.inou.com (wrong). He tried to upload passwords but Stalwart rejected the Bitwarden API calls. Passwords did NOT get saved anywhere.
|
||||
**Zurich Caddyfile:** vault.jongsma.me, ntfy.inou.com, kuma.inou.com, mail.inou.com, mail.jongsma.me
|
||||
|
||||
**Passwords:** Still safe in Proton Pass (not deleted).
|
||||
## Vaultwarden History (messy)
|
||||
- Memory notes said vault.inou.com was deployed — was NOT true
|
||||
- vault.inou.com DNS → Zurich, but Stalwart was serving it with wrong cert (mail.inou.com)
|
||||
- HSTS `includeSubDomains` on inou.com home Caddy caused Chrome to hard-block vault.inou.com
|
||||
- Johan uploaded passwords to what he thought was Vaultwarden — data went nowhere (Stalwart)
|
||||
- Passwords are safe in Proton Pass (never deleted)
|
||||
- Now properly deployed at vault.jongsma.me on Zurich
|
||||
- TODO: Johan needs to create account + import Proton Pass, then disable signups
|
||||
|
||||
**What was actually deployed:** NOTHING — Vaultwarden was never running anywhere.
|
||||
## Uptime Kuma — Needs Monitors Re-added
|
||||
All monitors lost when Kuma was redeployed fresh. Need to re-add:
|
||||
- inou.com monitors (HTTP, API, DNS, SSL)
|
||||
- Zurich VPS
|
||||
- Forge/OpenClaw
|
||||
- Message Center
|
||||
- Home network
|
||||
|
||||
**Final resolution:**
|
||||
- vault.jongsma.me → Zurich (82.24.174.112) specific DNS A record created in Cloudflare
|
||||
- Caddy on Zurich handles vault.jongsma.me → 127.0.0.1:8222 (Vaultwarden)
|
||||
- Vaultwarden running: /opt/vaultwarden/ with data at /opt/vaultwarden/data/
|
||||
- Admin token: gFUzyxPCGLkTAx4DnuiWXr+yA5Q8YXWeCEIYG9XDkDU=
|
||||
- **TODO:** Johan needs to create account + import from Proton Pass + I disable SIGNUPS_ALLOWED
|
||||
|
||||
**Zurich Caddy config now serves:**
|
||||
- vault.jongsma.me → Vaultwarden (127.0.0.1:8222)
|
||||
- mail.inou.com, mail.jongsma.me → Stalwart (127.0.0.1:8443, TLS)
|
||||
|
||||
**Stalwart:** Moved HTTPS from public 0.0.0.0:443 to 127.0.0.1:8443. Mail ports (25/587/465/143/993/995) still public.
|
||||
|
||||
## Supermemory Discussion
|
||||
- OpenRouter followed @supermemory — Johan asked if we should reconsider
|
||||
- Decision: PASS for now. Privacy blocker (our memory has Sophia's medical data etc.)
|
||||
- If they get self-hosted option, worth revisiting for inou specifically
|
||||
|
||||
## Vaultwarden (Feb 19 ~5AM)
|
||||
- Discovered Caddy was never on Zurich — Stalwart had claimed port 443 on Feb 17
|
||||
- vault.inou.com was broken: Stalwart presenting mail.inou.com cert → HSTS blocked it
|
||||
- Root cause: I set `includeSubDomains` HSTS on inou.com home Caddy, cascading to vault.*
|
||||
- Deployed Caddy on Zurich as proper reverse proxy, moved Stalwart web off port 443 → 127.0.0.1:8443
|
||||
- Vaultwarden deployed on Zurich at /opt/vaultwarden/data, serving vault.jongsma.me
|
||||
- DNS: vault.jongsma.me → 82.24.174.112 (Zurich specific A record, overrides *.jongsma.me wildcard)
|
||||
- vault.inou.com: removed (nuked per Johan)
|
||||
- Status: Vaultwarden live, Johan needs to create account + import Proton Pass
|
||||
- Signups still open — disable after Johan creates account
|
||||
|
||||
## Go Environment Fix (Feb 18 ~11:30PM)
|
||||
- Rogue agent installed golang-go (1.22.2) via apt → shadowed /usr/local/go (1.23.6)
|
||||
- Also installed libgtk-3-dev + libwebkit2gtk + wails binary (~/go/bin/wails)
|
||||
- Fixed: removed apt golang packages, moved /usr/local/go/bin to FRONT of PATH in .bashrc
|
||||
- Go 1.23.6 restored as active
|
||||
|
||||
## SSH Keys Added
|
||||
- johanjongsma@Johans-MacBook-Pro.local (forge authorized_keys)
|
||||
- johan@thinkpad-x1 (forge authorized_keys) — 2019 ThinkPad, Ubuntu 24.04 desktop, 192.168.0.223 WiFi
|
||||
- james@forge added to ThinkPad X1 authorized_keys via CC
|
||||
- forge can now SSH to ThinkPad X1 at 192.168.0.223
|
||||
|
||||
## Win Alerts Fix
|
||||
- Kaseya winalert@kaseya.com, lostalert@kaseya.com, instrumentation, salesforce → now suppressed from Fully dashboard
|
||||
- Filter added in connector_m365.go silentSenders list, committed b408ebc
|
||||
## TODO (Pending)
|
||||
- [ ] Vaultwarden: Johan creates account + imports Proton Pass + disable signups
|
||||
- [ ] Uptime Kuma: re-add all monitors
|
||||
- [ ] ntfy Uptime Kuma push monitors need re-wiring
|
||||
- [ ] Fix HSTS includeSubDomains on home Caddy (inou.com) — should NOT have preload/includeSubDomains unless all subdomains are served properly
|
||||
|
|
|
|||
Loading…
Reference in New Issue