# 2026-02-19

## SSH Keys Added

- `johanjongsma@Johans-MacBook-Pro.local` → added to forge authorized_keys
- `johan@thinkpad-x1` → added to forge authorized_keys
- ThinkPad X1: 2019 model, Ubuntu 24.04 desktop, IP 192.168.0.223 (WiFi), hostname `johan-x1`, kernel 6.17
- James SSH key (james@forge) added to ThinkPad X1 — forge can now SSH in

## Rogue Agent — Go Environment

- At 23:30 tonight a rogue agent ran `apt install golang-go` (Go 1.22.2), installed libgtk-3-dev + libwebkit2gtk-4.1-dev (Wails deps), and installed the `~/go/bin/wails` binary
- It was setting up the Wails framework
- Fix: removed the apt golang packages; Go 1.23.6 from /usr/local/go restored as the active toolchain
- PATH fixed in .bashrc: `/usr/local/go/bin` is now at the FRONT (it was at the end, so the apt-installed `go` shadowed it)
- wails binary left in ~/go/bin — Johan's call whether to keep it

## Win Alerts Fix (M365 → Fully)

- Kaseya win alerts (winalert@kaseya.com) were still posting to the Fully tablet
- Fix: added a silent-sender filter in connector_m365.go that suppresses Fully alerts for:
  - winalert@kaseya.com, lostalert@kaseya.com, standard.instrumentation@kaseya.com, noreply@salesforce.com
- Committed `b408ebc` on the mc-unified branch; mail-bridge restarted

## Zurich Infrastructure Rebuild (MAJOR)

The night's biggest event — Zurich's services were all broken or missing.

### Root Cause

- Caddy was NOT installed on Zurich (despite memory notes saying it was). Services (ntfy, Uptime Kuma) were not running.
- Stalwart had claimed port 443 when it was set up on Feb 17, and vault.inou.com DNS pointed to Zurich with no Vaultwarden behind it.
- The home Caddy set HSTS with `includeSubDomains` on inou.com, so Chrome hard-blocked vault.inou.com once its cert was wrong (HSTS makes certificate errors non-bypassable, and `includeSubDomains` extends that to every subdomain).

### What Was Installed Tonight

1. **Caddy** — installed fresh on Zurich, now owns port 443
2. **Stalwart** — HTTPS moved from public :443 → localhost:8443 (mail ports unchanged)
3. **Vaultwarden** — deployed at /opt/vaultwarden, serving vault.jongsma.me (Johan wanted it on Zurich)
4. **ntfy** — fresh install, /opt/ntfy, user `james` / `JamesNtfy2026!`, token `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
5. **Uptime Kuma** — fresh install, /opt/uptime-kuma, all monitors lost (0 monitors currently)

### DNS Changes

- `vault.jongsma.me` → 82.24.174.112 (Zurich) — was previously caught by the *.jongsma.me wildcard pointing to home

### Vaultwarden Drama

- Johan asked "vault.jongsma.me or vault.inou.com?" — I answered vault.inou.com (wrong)
- No data found anywhere — the original Vaultwarden install may never have existed, or its data was lost
- Johan's passwords are still in Proton Pass (unchanged)
- Fresh Vaultwarden at https://vault.jongsma.me — Johan needs to create an account and import

### ntfy Token Changed

- Old token: `tk_k120jegay3lugeqbr9fmpuxdqmzx5` (was in TOOLS.md)
- New token: `tk_ggphzgdis49ddsvu51qam6bgzlyxn` — TOOLS.md updated

### Uptime Kuma Monitors Lost

All 8 monitors need to be re-added. Known from memory:

1. inou.com HTTP
2. inou.com API
3. Zurich VPS
4. DNS
5. SSL Cert
6. Forge — OpenClaw (push token: r1G9JcTYCg) → ntfy
7. Forge — Message Center (push token: rLdedldMLP) → OC webhook
8. Home Network Public (ping 47.197.93.62) → ntfy

Johan hasn't confirmed if he wants them rebuilt.
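The silent-sender filter recorded under "Win Alerts Fix" above, as an added example. This is not the project's connector_m365.go (its code is not on this page); the `Message` type and `FilterForFully` are assumed stand-ins. The point worth getting right in such a filter: match on the parsed address, not the display name, so a message whose display name merely reads like a listed address is still shown, and fail open on an unparseable From header, since the filter is a convenience for known noise rather than an authentication step.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Silent-sender list from the notes. Kept as exact addresses: a domain-wide
// match would also silence a real person writing from kaseya.com.
var silentSenders = map[string]struct{}{
	"winalert@kaseya.com":                 {},
	"lostalert@kaseya.com":                {},
	"standard.instrumentation@kaseya.com": {},
	"noreply@salesforce.com":              {},
}

// Message is an assumed minimal shape for an item coming out of the M365
// connector; the real connector's type is not on the page.
type Message struct {
	From    string
	Subject string
}

// NormalizeSender returns the bare, lower-cased address from a From header
// value, e.g. `Kaseya Alerts <WinAlert@Kaseya.com>` -> winalert@kaseya.com.
func NormalizeSender(from string) (string, error) {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return "", err
	}
	return strings.ToLower(strings.TrimSpace(addr.Address)), nil
}

// ShouldSuppress reports whether a message should be kept off the Fully
// dashboard. Unparseable From headers are NOT suppressed: when in doubt the
// message is shown, so a malformed header cannot hide a real alert.
func ShouldSuppress(from string) bool {
	addr, err := NormalizeSender(from)
	if err != nil {
		return false
	}
	_, silent := silentSenders[addr]
	return silent
}

// FilterForFully returns the messages that should still be posted.
func FilterForFully(msgs []Message) []Message {
	var kept []Message
	for _, m := range msgs {
		if !ShouldSuppress(m.From) {
			kept = append(kept, m)
		}
	}
	return kept
}

// SampleMessages is constructed input for the demo; it is not real mail.
func SampleMessages() []Message {
	return []Message{
		{From: "Kaseya Alerts <WinAlert@Kaseya.com>", Subject: "Win alert: disk"},
		{From: "noreply@salesforce.com", Subject: "Case updated"},
		{From: `"winalert@kaseya.com" <someone@example.com>`, Subject: "display-name lookalike"},
		{From: "johan@jongsma.me", Subject: "Real message"},
		{From: "not an address", Subject: "Malformed From header"},
	}
}

func main() {
	for _, m := range FilterForFully(SampleMessages()) {
		fmt.Printf("post to Fully: %-45s %s\n", m.From, m.Subject)
	}
}
```

Running it posts three of the five constructed messages: the two Kaseya/Salesforce items are dropped, the display-name lookalike and the malformed header are kept. A From-based filter only ever removes noise; it says nothing about whether a kept message is genuine, which is what SPF/DKIM/DMARC on the receiving side are for.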
## Claude Usage

- 73% weekly (resets Fri Feb 21 ~2pm ET)
- Warning posted to Fully dashboard
- K2.5 emergency switch available if needed

## Zurich Caddy Config (current state)

```
vault.jongsma.me               → 127.0.0.1:8222 (Vaultwarden)
ntfy.inou.com                  → 127.0.0.1:2586 (ntfy)
kuma.inou.com                  → 127.0.0.1:3001 (Uptime Kuma)
mail.inou.com, mail.jongsma.me → 127.0.0.1:8443 (Stalwart)
```

## Stalwart Mail Migration: Amsterdam → Zurich (2026-02-19 overnight)

### What happened

- rsync completed (19GB RocksDB from /opt/stalwart-mail/data/ on Amsterdam → /opt/stalwart/data/ on Zurich)
- Discovered the Zurich Stalwart config was a bare skeleton (missing ACME, hostname, trusted-networks)
- Updated /opt/stalwart/etc/config.toml with Amsterdam's config values
- Flipped mail.inou.com DNS from Amsterdam (82.24.174.112) → Zurich (82.22.36.202) via Cloudflare
- Stalwart running on Zurich: ports 25/465/587/143/993/995 all up, TLS 1.3, valid LE cert

### SMTP security audit + fixes

All 6 issues found were resolved:

1. jongsma.me SPF → `v=spf1 a:mail.jongsma.me -all` (was ProtonMail)
2. jongsma.me DKIM → stalwart._domainkey.jongsma.me added (ed25519 key cwP26...)
3. jongsma.me DMARC → p=reject, rua=mailto:dmarc@jongsma.me (was p=none)
4. Rate limiting → already configured (5/1s per IP, 25/hr per sender), confirmed working
5. AUTH PLAIN/LOGIN → was never broken; it is advertised correctly after STARTTLS
6. inou.com DKIM DNS mismatch → updated to 8QPYBCe... (the key in the DB was different from the one in the old DNS record)

Also: cleaned up a duplicate jongsma-me DKIM signature created by mistake.

### Amsterdam state

- Stalwart: stopped and disabled (data preserved at /opt/stalwart-mail/)
- Shannon: fully removed
- Duplicate Kuma/Vaultwarden/ntfy: still running, to be cleaned up later
- DO NOT start Amsterdam Stalwart, do NOT delete data yet

### DNS state (all correct at Cloudflare/1.1.1.1)

- mail.inou.com → 82.22.36.202 (Zurich)
- mail.jongsma.me → 82.22.36.202 (Zurich)
- stalwart._domainkey.inou.com → 8QPYBCeqIm1WMXH0f1VBTeSt0hIIAYPrh7fcV4IHGnM=
- stalwart._domainkey.jongsma.me → cwP26GBsSjSGXakknI8TiD7nPUjAp8nqTl05XNaYFgE=
- jongsma.me SPF → v=spf1 a:mail.jongsma.me -all
- _dmarc.jongsma.me → p=reject

## Afternoon Session (Feb 19) — Major Accomplishments

### Johan Career History (NEW — important context)

- Founded **Iaso Backup** → sold to GFI/Insight Partners 2013 → became **Cove Data Protection** at N-able = "his baby"
- Left N-able 2019; still the most knowledgeable person on Cove architecture
- Now at Kaseya/Datto: building **Datto Endpoint Backup 2 (EPB2)** — Go rewrite, D2C agent + appliance compatible
- EPB2: 100k+ installations, shipping at scale
- Cove original code: C++ from 2009/2010, rock-solid, nobody dares touch it
- Engineering Leader frustration: took 1 year to ship the Mac installer (software worked in Feb, released Dec)
- Kaseya context: almost all C-level <1 year tenure; new CTO has bigger fish to fry
- Openprovider account: `johan.jongsma@iasobackup.com` (kept old company domain)
- **Harry Haasjes**: Johan's sister Wenda's husband, Signal +31628124366, wants to write a book (topic unknown)

### N-able (NABL) Discussion

- Q4 2025: $130.3M revenue (+11.8%), ARR $539.7M, guiding 8-9% CC growth (deceleration)
- Thoma Bravo + Silver Lake each ~⅓ owners since the SolarWinds LBO; explored a sale at $2.5B (2024), now at $1B
- PE buyout thesis: 1.8x ARR, 30%+ EBITDA margins, MSP customer stickiness, both PE firms want an exit
- Patrick Pulvermueller (ex-Acronis CEO) joined the NABL board

### DNS Mass Fix

- 6 domains had the wrong Cloudflare NS (aryanna/sage → should be arvind/wren) + DNSSEC pointing at dead zones
- **Root cause**: the Cloudflare zone migration created new zones with arvind/wren, but OpenProvider still pointed to the old aryanna/sage zones (which were deleted)
- Fixed all 6: harryhaasjes.nl, johanjongsma.nl, localbackup.in, stpetersburgaquatics.com, x4.trading, 851brightwaters.com
- DNSSEC disabled on all 6 (DS records removed from the TLDs)

### Harry Haasjes Full Setup

- harryhaasjes.nl: "coming soon" placeholder live on Zurich (Dutch, ✍️ theme)
- harry@harryhaasjes.nl: Stalwart account created, catch-all (@harryhaasjes.nl) added
- SFTP: user `harry-web`, pw `HarryWeb2026!`, chrooted to /var/www/harryhaasjes/
- All sent to Harry via Signal in Dutch
- Harry is NOT technical — keep all communication simple

### stpetersburgaquatics.com

- Site was hosted on the old home IP 47.206.57.145 (Frontier, St. Petersburg FL) — dead
- Multiple domains used the 47.206.57.x range (old home IPs, no longer valid)
- Coming soon page live on Zurich: 🏊 theme, dark blue

### Proton Bridge → Stalwart Migration (Message Center)

- MC now connects directly to Stalwart on mail.jongsma.me:993 (SSL/TLS)
- Passwords: tj@jongsma.me = `!Lekker69`, johan@jongsma.me = `!!Lekker69`
- YAML gotcha: `!` at the start of a value is the YAML tag indicator — the value must be quoted: `password: "${VAR}"`
- systemd env gotcha: `!` in EnvironmentFile values needs quoting in systemd
- Proton Bridge: stopped + disabled
- SMS connector: disabled (phone disconnected; it was causing 15s hangs on /messages/new)
- MC `/messages/new` was hanging because of the SMS connector's 15s timeout — fixed by disabling it

### Email Triage (Full Inbox Catch-Up)

- Ran full triage on the tj + johan inboxes (32 messages)
- Key finds: Delta flight today (TPA→JFK DL2475, return DL2093, conf F86VDN), Nordstrom bill $59.06 due 03/16
- memumi iPhone 17 cases arriving Saturday 2/21 — added to deliveries dashboard
- Moved all 18 johan inbox messages to the Archive folder in Stalwart via IMAP (they were marked read but not moved)

### OpenClaw Auth (Important!)

- Config shows `"mode": "token"` but this is misleading — that IS an OAuth token
- We are on **Claude Max subscription OAuth**, NOT an API key
- This means Anthropic's crackdown on OpenClaw subscription use DOES apply to us
- Risk: Anthropic could cancel Johan's Max account
- Options discussed: switch to an API key, switch to OpenAI, or accept the risk
- Johan considering — no decision yet

### Delivery Preference Updated

- Briefings → **Telegram with rich format** (bold, italic, headers)
- Signal for alerts, quick pings, conversational replies
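The "SMTP security audit + fixes" and "DNS state" sections above amount to a checklist over TXT records: an SPF record that ends in a hard fail, a DMARC policy of reject with a reporting address, and a DKIM public key in DNS that matches the key the signer holds. As an added example (not Stalwart's tooling and not something the notes ran), here is an offline Go checker for exactly those three states. It takes record strings directly; in practice they would come from a TXT lookup. The "after" records are the ones listed in the notes; the "before" records are constructed, since the domains' actual prior records are not on the page.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseSPF splits an SPF TXT record into its non-"all" terms and returns the
// qualifier of the trailing all term: "-" fail, "~" softfail, "?" neutral,
// "+" pass, or "" when no all term is present.
func ParseSPF(rec string) (terms []string, allQualifier string, err error) {
	fields := strings.Fields(rec)
	if len(fields) == 0 || !strings.EqualFold(fields[0], "v=spf1") {
		return nil, "", fmt.Errorf("not an SPF record: %q", rec)
	}
	for _, f := range fields[1:] {
		q, mech := "+", f
		if strings.ContainsAny(f[:1], "+-~?") {
			q, mech = f[:1], f[1:]
		}
		if strings.EqualFold(mech, "all") {
			allQualifier = q
			continue
		}
		terms = append(terms, f)
	}
	return terms, allQualifier, nil
}

// AuditSPF returns findings; an empty result means the record is in the
// hardened state from the notes (explicit sending hosts, hard fail otherwise).
func AuditSPF(rec string) []string {
	terms, all, err := ParseSPF(rec)
	if err != nil {
		return []string{err.Error()}
	}
	var findings []string
	switch all {
	case "-": // receivers reject unlisted senders: the desired state
	case "~":
		findings = append(findings, "SPF ends in ~all (softfail): forged mail is marked, not rejected")
	case "?", "+":
		findings = append(findings, "SPF ends in "+all+"all: unlisted senders are not failed")
	case "":
		findings = append(findings, "SPF has no all term: unlisted senders get a neutral result")
	}
	if len(terms) == 0 {
		findings = append(findings, "SPF authorises no sending hosts")
	}
	return findings
}

// parseTags handles the "tag=value; tag=value" syntax shared by DMARC and
// DKIM records. SplitN keeps the '=' padding of base64 values intact.
func parseTags(rec string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(rec, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// AuditDMARC flags the states the audit fixed (p=none, no rua= address) and
// partial enforcement via pct=.
func AuditDMARC(rec string) []string {
	tags := parseTags(rec)
	if !strings.EqualFold(tags["v"], "DMARC1") {
		return []string{fmt.Sprintf("not a DMARC record: %q", rec)}
	}
	var findings []string
	switch strings.ToLower(tags["p"]) {
	case "reject": // the desired state
	case "quarantine":
		findings = append(findings, "DMARC p=quarantine: spoofed mail is filed as spam rather than rejected")
	case "none":
		findings = append(findings, "DMARC p=none: monitoring only, spoofed mail is delivered")
	default:
		findings = append(findings, "DMARC p= tag missing or invalid")
	}
	if tags["rua"] == "" {
		findings = append(findings, "DMARC has no rua= address: aggregate reports are not collected")
	}
	if pct, ok := tags["pct"]; ok && pct != "100" {
		findings = append(findings, "DMARC pct="+pct+": policy applied to only part of the mail")
	}
	return findings
}

// DKIMPublicKey returns the p= value of a DKIM TXT record with whitespace
// removed (DNS may hand back long keys as several concatenated strings).
func DKIMPublicKey(rec string) string {
	return strings.Join(strings.Fields(parseTags(rec)["p"]), "")
}

// DKIMMatches reports whether the key published in DNS is the key the signer
// holds. A mismatch is the inou.com problem the audit found: every signature
// fails verification at receivers until DNS and the signer agree.
func DKIMMatches(dnsRecord, signerKey string) bool {
	k := DKIMPublicKey(dnsRecord)
	return k != "" && k == strings.TrimSpace(signerKey)
}

func main() {
	fmt.Println("SPF before (constructed):", AuditSPF("v=spf1 include:example.invalid ~all"))
	fmt.Println("SPF after:", AuditSPF("v=spf1 a:mail.jongsma.me -all"))
	fmt.Println("DMARC before (constructed):", AuditDMARC("v=DMARC1; p=none"))
	fmt.Println("DMARC after:", AuditDMARC("v=DMARC1; p=reject; rua=mailto:dmarc@jongsma.me"))
	dns := "v=DKIM1; k=ed25519; p=8QPYBCeqIm1WMXH0f1VBTeSt0hIIAYPrh7fcV4IHGnM="
	fmt.Println("inou.com DKIM matches signer:", DKIMMatches(dns, "8QPYBCeqIm1WMXH0f1VBTeSt0hIIAYPrh7fcV4IHGnM="))
}
```

The checker deliberately treats "no all term" and "~all" as findings rather than passes: both leave forged mail deliverable, which is the gap item 1 of the audit closed. The DKIM comparison is the cheap test for item 6; it catches a rotated signing key whose DNS record was never updated, which otherwise only surfaces as DMARC failures in aggregate reports, and only if rua= is set.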