# 2026-02-19 ## SSH Keys Added - `johanjongsma@Johans-MacBook-Pro.local` → added to forge authorized_keys - `johan@thinkpad-x1` → added to forge authorized_keys - ThinkPad X1: 2019 model, Ubuntu 24.04 desktop, IP 192.168.0.223 (WiFi), hostname `johan-x1`, kernel 6.17 - James SSH key (james@forge) added to ThinkPad X1 — forge can now SSH in ## Rogue Agent — Go Environment - At 23:30 tonight a rogue agent ran: `apt install golang-go` (Go 1.22.2), installed libgtk-3-dev + libwebkit2gtk-4.1-dev (Wails deps), installed `~/go/bin/wails` binary - Was setting up Wails framework - Fix: removed apt golang packages, Go 1.23.6 from /usr/local/go restored as active - PATH fixed in .bashrc: `/usr/local/go/bin` now at FRONT (was at end — easily shadowed by apt) - wails binary left in ~/go/bin — Johan's call whether to keep ## Win Alerts Fix (M365 → Fully) - Kaseya win alerts (winalert@kaseya.com) were still posting to Fully tablet - Fix: added silent sender filter in connector_m365.go — suppresses Fully alerts for: - winalert@kaseya.com, lostalert@kaseya.com, standard.instrumentation@kaseya.com, noreply@salesforce.com - Committed `b408ebc` on mc-unified branch, mail-bridge restarted ## Zurich Infrastructure Rebuild (MAJOR) The night's biggest event — Zurich's services were all broken/missing. ### Root Cause - Caddy was NOT installed on Zurich (despite memory notes saying it was). Services (ntfy, Uptime Kuma) were not running. - Stalwart had claimed port 443 when set up Feb 17, and vault.inou.com DNS pointed to Zurich with no Vaultwarden behind it. - The home Caddy had `includeSubDomains` HSTS on inou.com, causing Chrome to hard-block vault.inou.com when cert was wrong. ### What Was Installed Tonight 1. **Caddy** — installed fresh on Zurich, now owns port 443 2. **Stalwart** — moved HTTPS from public :443 → localhost:8443 (mail ports unchanged) 3. **Vaultwarden** — deployed at /opt/vaultwarden, serving vault.jongsma.me (Johan wanted it on Zurich) 4. **ntfy** — fresh install, /opt/ntfy, user `james` / `JamesNtfy2026!`, token `tk_ggphzgdis49ddsvu51qam6bgzlyxn` 5. **Uptime Kuma** — fresh install, /opt/uptime-kuma, all monitors lost (0 monitors currently) ### DNS Changes - `vault.jongsma.me` → 82.24.174.112 (Zurich) — was caught by *.jongsma.me wildcard pointing to home ### Vaultwarden Drama - Johan asked "vault.jongsma.me or vault.inou.com?" — I answered vault.inou.com (wrong) - No data found anywhere — original Vaultwarden install may never have existed or data was lost - Johan's passwords are still in Proton Pass (unchanged) - Fresh Vaultwarden at https://vault.jongsma.me — Johan needs to create account + import ### ntfy Token Changed - Old token: `tk_k120jegay3lugeqbr9fmpuxdqmzx5` (was in TOOLS.md) - New token: `tk_ggphzgdis49ddsvu51qam6bgzlyxn` — TOOLS.md updated ### Uptime Kuma Monitors Lost All 8 monitors need to be re-added. Known from memory: 1. inou.com HTTP 2. inou.com API 3. Zurich VPS 4. DNS 5. SSL Cert 6. Forge — OpenClaw (push token: r1G9JcTYCg) → ntfy 7. Forge — Message Center (push token: rLdedldMLP) → OC webhook 8. Home Network Public (ping 47.197.93.62) → ntfy Johan hasn't confirmed if he wants them rebuilt. ## Claude Usage - 73% weekly (resets Fri Feb 21 ~2pm ET) - Warning posted to Fully dashboard - K2.5 emergency switch available if needed ## Zurich Caddy Config (current state) ``` vault.jongsma.me → 127.0.0.1:8222 (Vaultwarden) ntfy.inou.com → 127.0.0.1:2586 (ntfy) kuma.inou.com → 127.0.0.1:3001 (Uptime Kuma) mail.inou.com, mail.jongsma.me → 127.0.0.1:8443 (Stalwart) ``` ## Stalwart Mail Migration: Amsterdam → Zurich (2026-02-19 overnight) ### What happened - rsync completed (19GB RocksDB from /opt/stalwart-mail/data/ on Amsterdam → /opt/stalwart/data/ on Zurich) - Discovered Zurich Stalwart config was bare skeleton (missing ACME, hostname, trusted-networks) - Updated /opt/stalwart/etc/config.toml with Amsterdam's config values - Flipped mail.inou.com DNS from Amsterdam (82.24.174.112) → Zurich (82.22.36.202) via Cloudflare - Stalwart running on Zurich: ports 25/465/587/143/993/995 all up, TLS 1.3, valid LE cert ### SMTP security audit + fixes All 6 issues found and resolved: 1. jongsma.me SPF → v=spf1 a:mail.jongsma.me -all (was ProtonMail) 2. jongsma.me DKIM → stalwart._domainkey.jongsma.me added (ed25519 key cwP26...) 3. jongsma.me DMARC → p=reject, rua=mailto:dmarc@jongsma.me (was p=none) 4. Rate limiting → already configured (5/1s per IP, 25/hr per sender), confirmed working 5. AUTH PLAIN/LOGIN → was never broken, shows correctly after STARTTLS 6. inou.com DKIM DNS mismatch → updated to 8QPYBCe... (DB key was different from old DNS) Also: cleaned up duplicate jongsma-me DKIM signature created by mistake ### Amsterdam state - Stalwart: stopped and disabled (data preserved at /opt/stalwart-mail/) - Shannon: fully removed - Duplicate Kuma/Vaultwarden/ntfy: still running, to be cleaned up later - DO NOT start Amsterdam Stalwart, do NOT delete data yet ### DNS state (all correct at Cloudflare/1.1.1.1) - mail.inou.com → 82.22.36.202 (Zurich) - mail.jongsma.me → 82.22.36.202 (Zurich) - stalwart._domainkey.inou.com → 8QPYBCeqIm1WMXH0f1VBTeSt0hIIAYPrh7fcV4IHGnM= - stalwart._domainkey.jongsma.me → cwP26GBsSjSGXakknI8TiD7nPUjAp8nqTl05XNaYFgE= - v=spf1 a:mail.jongsma.me -all (jongsma.me) - _dmarc.jongsma.me → p=reject