- Remove tools server entirely (roles/tools, playbooks/tools.yml, CI deploy step)
- Remove Vaultwarden (already absent from compose, clean up vars)
- Remove node-exporter, cadvisor, promtail from main stack
- Remove grafana/uptime-kuma Traefik routes (pointed to tools)
- Remove monitoring network from docker-compose
- Remove tools vault vars (grafana_admin_password, alertmanager telegram)
- Rename domain_plane: plane.walava.io → hub.walava.io
- Update CI workflow to only deploy main server
- Update STATUS.md and BACKLOG.md to reflect current state
- wget not available in Docmost Node.js image → switch to curl
- Ansible now checks Docker health status instead of exec-ing into container
- Increased healthcheck start_period to 60s and retries to 10 for DB migrations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
First deploy needs time for DB migrations and initial setup.
30×10s = 300s gives enough buffer for cold start.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On a fresh DB Outline shows a blank login page because there is no team
and emailSigninEnabled = false. Add idempotent Ansible tasks that:
1. Create the 'Visual' team if none exists
2. Set guestSignin=true so email magic-link login works
Triggered by: server rebuild lost Outline DB (no backup existed).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Monitoring stack (Prometheus, AlertManager, Grafana, Loki, Uptime Kuma)
moved from main to tools server. Prometheus now scrapes main exporters
over network (ip_main:9100/8080). Promtail pushes logs to ip_tools:3100.
Traefik routes for dash/status.walava.io updated to ip_tools. discord-bot
PROMETHEUS_URL updated to http://ip_tools:9090.
Outline S3 fix: remove AWS_S3_ACL=private (Timeweb doesn't support
per-object ACLs — caused upload failures). Add CORS configuration task
for browser-side presigned uploads.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
tools-server (85.193.83.9) has outbound SMTP ports 465/587 blocked by VPS
provider. Added tecnativa/postfix-relay container on main server that relays
to smtp.resend.com:587. Outline now uses ip_main:1025 as SMTP host.
- UFW rule: allow port 1025 from ip_tools only
- Remove stale authelia_image from docker pull list
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Ensures removed services (vaultwarden, mailserver, snappymail)
are automatically stopped on next deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prevents the 'meta json: readObjectStart' error on fresh deploys.
Existing hooks already fixed via direct DB update.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add vault_forgejo_api_token (Personal Access Token with write:repository)
- Ansible task now creates Discord webhook on both jack/infra and jack/discord-bot
- Webhooks already created manually for this deploy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
crowdsecurity/cs-firewall-bouncer:v0.0.31 does not exist on Docker Hub.
The bouncer service was already removed from docker-compose.yml.
Remove from pre-pull list and defaults to unblock CI/CD deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Adds monitoring Docker network (internal)
- Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers)
with 30-day retention
- Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource
and two dashboards: Node Exporter Full (1860) and cAdvisor (14282)
- Vault secret: vault_grafana_admin_password
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New Plane stable requires 3 frontend services:
- plane-admin (nginx:80) for /god-mode/ routes
- plane-space (node:3000) for /spaces/ routes
- plane-web (nginx:80) for all other routes
Also add APP/ADMIN/SPACE_BASE_URL env vars to plane-api so the
setup wizard knows where to redirect.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network
- Add act_runner config template and directory provisioning
- Add FORGEJO_RUNNER_TOKEN to env template
- Add CI deploy SSH public key to authorized_keys via base role
- Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master
- Add .claude/launch.json with ansible-playbook configurations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
