- Remove tools server entirely (roles/tools, playbooks/tools.yml, CI deploy step)
- Remove Vaultwarden (already absent from compose, clean up vars)
- Remove node-exporter, cadvisor, promtail from main stack
- Remove grafana/uptime-kuma Traefik routes (pointed to tools)
- Remove monitoring network from docker-compose
- Remove tools vault vars (grafana_admin_password, alertmanager telegram)
- Rename domain_plane: plane.walava.io → hub.walava.io
- Update CI workflow to only deploy main server
- Update STATUS.md and BACKLOG.md to reflect current state
- Rotate ci_deploy_pubkey to new ed25519 key (old key lost after
server rebuild; Forgejo secret SSH_PRIVATE_KEY updated to match)
- Increase plane-api start_period 60s→120s, retries 5→10 to give
Django time to run DB migrations after backup restore
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add outline-mcp service to tools docker-compose (was running unmanaged)
- Update OUTLINE_URL from csrx.ru → walava.io via domain_wiki variable
- Bind port 8765 to 127.0.0.1 only (was 0.0.0.0 — security improvement)
- Add vault_outline_mcp_api_key to vault + alias in main.yml
- Remove stale authelia_* aliases from main.yml (authelia removed)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- domain_base changed to walava.io
- domain_n8n now auto.walava.io
- Added domain_landing for walava.io root
- Added walava-web landing page container + Traefik route
- Updated Cloudflare token/zone_id for walava.io account
- Updated ACME email to walava@tutamail.com
- Fixed discord-bot image to use domain_base variable
- DNS records already created in Cloudflare
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add vault_forgejo_api_token (Personal Access Token with write:repository)
- Ansible task now creates Discord webhook on both jack/infra and jack/discord-bot
- Webhooks already created manually for this deploy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Added vault_openrouter_api_key for n8n AI automations
- Added openrouter_api_key alias in main.yml
- Removed vault_syncthing_basic_auth_htpasswd (Syncthing was removed)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add docker-mailserver (Postfix+Dovecot) with SSL via certbot+Cloudflare DNS-01
- Add SnappyMail webmail client at webmail.csrx.ru (port 8888)
- Open UFW ports 25/465/587/993 on tools server
- Create mail accounts: noreply@, admin@, jack@csrx.ru
- Generate DKIM key and print DNS instructions on first run
- Add Traefik route on main server proxying webmail → tools:8888
- Add all secrets to vault (mailserver passwords, snappymail admin)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds docker-mailserver (SMTP_ONLY mode) to the tools stack so Outline
can send magic-link emails without depending on an external SMTP provider.
Changes:
- docker-compose.yml.j2: add mailserver service + mail-internal network
outline gets mail-internal network to reach mailserver
- env.j2: point Outline SMTP at local mailserver:587 with noreply account
- defaults/main.yml: add mailserver_image (v14)
- tasks/main.yml: create mailserver dirs, wait for postfix ready,
idempotent account creation, DKIM key generation + DNS instructions
- inventory/group_vars/all/main.yml: add mailserver_noreply_password alias
- vault.yml: add vault_mailserver_noreply_password
After deploy, Ansible will print DKIM/SPF/DMARC DNS records to add
to Cloudflare.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add vault_s3_access_key / vault_s3_secret_key to Ansible Vault
- Expose via s3_access_key / s3_secret_key in all/main.yml
- Add s3_endpoint + s3_bucket to backup role defaults
- Install awscli via apt in backup role tasks
- Extend backup.sh.j2: upload *.gz to S3 after local backup,
prune S3 objects older than backup_retention_days
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Adds monitoring Docker network (internal)
- Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers)
with 30-day retention
- Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource
and two dashboards: Node Exporter Full (1860) and cAdvisor (14282)
- Vault secret: vault_grafana_admin_password
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
vault.yml was in .gitignore so CI jobs had no vault variables.
The file is AES-256 encrypted — safe to commit to a private repo.
The password stays in ~/.vault-password-file (still gitignored).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add vault password step to syntax-check job (ansible needs it even for --syntax-check)
- Regenerate CI deploy SSH key (old private key was lost, new pair generated)
- Add VAULT_PASSWORD and SSH_PRIVATE_KEY secrets to Forgejo via API
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network
- Add act_runner config template and directory provisioning
- Add FORGEJO_RUNNER_TOKEN to env template
- Add CI deploy SSH public key to authorized_keys via base role
- Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master
- Add .claude/launch.json with ansible-playbook configurations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
