johan
/
clawd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clawd/memory/2026-02-19.md

108 lines
5.3 KiB
Markdown
Raw Blame History

# 2026-02-19
## SSH Keys Added
- `johanjongsma@Johans-MacBook-Pro.local` → added to forge authorized_keys
- `johan@thinkpad-x1` → added to forge authorized_keys
- ThinkPad X1: 2019 model, Ubuntu 24.04 desktop, IP 192.168.0.223 (WiFi), hostname `johan-x1`, kernel 6.17
- James SSH key (james@forge) added to ThinkPad X1 — forge can now SSH in
## Rogue Agent — Go Environment
- At 23:30 tonight a rogue agent ran: `apt install golang-go` (Go 1.22.2), installed libgtk-3-dev + libwebkit2gtk-4.1-dev (Wails deps), installed `~/go/bin/wails` binary
- Was setting up Wails framework
- Fix: removed apt golang packages, Go 1.23.6 from /usr/local/go restored as active
- PATH fixed in .bashrc: `/usr/local/go/bin` now at FRONT (was at end — easily shadowed by apt)
- wails binary left in ~/go/bin — Johan's call whether to keep
## Win Alerts Fix (M365 → Fully)
- Kaseya win alerts (winalert@kaseya.com) were still posting to Fully tablet
- Fix: added silent sender filter in connector_m365.go — suppresses Fully alerts for:
- winalert@kaseya.com, lostalert@kaseya.com, standard.instrumentation@kaseya.com, noreply@salesforce.com
- Committed `b408ebc` on mc-unified branch, mail-bridge restarted
## Zurich Infrastructure Rebuild (MAJOR)
The night's biggest event — Zurich's services were all broken/missing.
### Root Cause
- Caddy was NOT installed on Zurich (despite memory notes saying it was). Services (ntfy, Uptime Kuma) were not running.
- Stalwart had claimed port 443 when set up Feb 17, and vault.inou.com DNS pointed to Zurich with no Vaultwarden behind it.
- The home Caddy had `includeSubDomains` HSTS on inou.com, causing Chrome to hard-block vault.inou.com when cert was wrong.
### What Was Installed Tonight
1. **Caddy** — installed fresh on Zurich, now owns port 443
2. **Stalwart** — moved HTTPS from public :443 → localhost:8443 (mail ports unchanged)
3. **Vaultwarden** — deployed at /opt/vaultwarden, serving vault.jongsma.me (Johan wanted it on Zurich)
4. **ntfy** — fresh install, /opt/ntfy, user `james` / `JamesNtfy2026!`, token `tk_ggphzgdis49ddsvu51qam6bgzlyxn`
5. **Uptime Kuma** — fresh install, /opt/uptime-kuma, all monitors lost (0 monitors currently)
### DNS Changes
- `vault.jongsma.me` → 82.24.174.112 (Zurich) — was caught by *.jongsma.me wildcard pointing to home
### Vaultwarden Drama
- Johan asked "vault.jongsma.me or vault.inou.com?" — I answered vault.inou.com (wrong)
- No data found anywhere — original Vaultwarden install may never have existed or data was lost
- Johan's passwords are still in Proton Pass (unchanged)
- Fresh Vaultwarden at https://vault.jongsma.me — Johan needs to create account + import
### ntfy Token Changed
- Old token: `tk_k120jegay3lugeqbr9fmpuxdqmzx5` (was in TOOLS.md)
- New token: `tk_ggphzgdis49ddsvu51qam6bgzlyxn` — TOOLS.md updated
### Uptime Kuma Monitors Lost
All 8 monitors need to be re-added. Known from memory:
1. inou.com HTTP
2. inou.com API
3. Zurich VPS
4. DNS
5. SSL Cert
6. Forge — OpenClaw (push token: r1G9JcTYCg) → ntfy
7. Forge — Message Center (push token: rLdedldMLP) → OC webhook
8. Home Network Public (ping 47.197.93.62) → ntfy
Johan hasn't confirmed if he wants them rebuilt.
## Claude Usage
- 73% weekly (resets Fri Feb 21 ~2pm ET)
- Warning posted to Fully dashboard
- K2.5 emergency switch available if needed
## Zurich Caddy Config (current state)
```
vault.jongsma.me → 127.0.0.1:8222 (Vaultwarden)
ntfy.inou.com → 127.0.0.1:2586 (ntfy)
kuma.inou.com → 127.0.0.1:3001 (Uptime Kuma)
mail.inou.com, mail.jongsma.me → 127.0.0.1:8443 (Stalwart)
```
## Stalwart Mail Migration: Amsterdam → Zurich (2026-02-19 overnight)
### What happened
- rsync completed (19GB RocksDB from /opt/stalwart-mail/data/ on Amsterdam → /opt/stalwart/data/ on Zurich)
- Discovered Zurich Stalwart config was bare skeleton (missing ACME, hostname, trusted-networks)
- Updated /opt/stalwart/etc/config.toml with Amsterdam's config values
- Flipped mail.inou.com DNS from Amsterdam (82.24.174.112) → Zurich (82.22.36.202) via Cloudflare
- Stalwart running on Zurich: ports 25/465/587/143/993/995 all up, TLS 1.3, valid LE cert
### SMTP security audit + fixes
All 6 issues found and resolved:
1. jongsma.me SPF → v=spf1 a:mail.jongsma.me -all (was ProtonMail)
2. jongsma.me DKIM → stalwart._domainkey.jongsma.me added (ed25519 key cwP26...)
3. jongsma.me DMARC → p=reject, rua=mailto:dmarc@jongsma.me (was p=none)
4. Rate limiting → already configured (5/1s per IP, 25/hr per sender), confirmed working
5. AUTH PLAIN/LOGIN → was never broken, shows correctly after STARTTLS
6. inou.com DKIM DNS mismatch → updated to 8QPYBCe... (DB key was different from old DNS)
Also: cleaned up duplicate jongsma-me DKIM signature created by mistake
### Amsterdam state
- Stalwart: stopped and disabled (data preserved at /opt/stalwart-mail/)
- Shannon: fully removed
- Duplicate Kuma/Vaultwarden/ntfy: still running, to be cleaned up later
- DO NOT start Amsterdam Stalwart, do NOT delete data yet
### DNS state (all correct at Cloudflare/1.1.1.1)
- mail.inou.com → 82.22.36.202 (Zurich)
- mail.jongsma.me → 82.22.36.202 (Zurich)
- stalwart._domainkey.inou.com → 8QPYBCeqIm1WMXH0f1VBTeSt0hIIAYPrh7fcV4IHGnM=
- stalwart._domainkey.jongsma.me → cwP26GBsSjSGXakknI8TiD7nPUjAp8nqTl05XNaYFgE=
- v=spf1 a:mail.jongsma.me -all (jongsma.me)
- _dmarc.jongsma.me → p=reject
Reference in New Issue View Git Blame Copy Permalink