First deploy needs time for DB migrations and initial setup.
30×10s = 300s gives enough buffer for cold start.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Ansible evaluates Jinja2 expressions even in YAML comments, causing
'outline_mcp_image is undefined' error. Removed the entire block since
outline-mcp is no longer relevant (replaced Outline with Docmost).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On a fresh DB Outline shows a blank login page because there is no team
and emailSigninEnabled = false. Add idempotent Ansible tasks that:
1. Create the 'Visual' team if none exists
2. Set guestSignin=true so email magic-link login works
Triggered by: server rebuild lost Outline DB (no backup existed).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rotate ci_deploy_pubkey to new ed25519 key (old key lost after
server rebuild; Forgejo secret SSH_PRIVATE_KEY updated to match)
- Increase plane-api start_period 60s→120s, retries 5→10 to give
Django time to run DB migrations after backup restore
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
These custom images (discord-bot, walava-web) are built by their own
repos' CI/CD and pushed to git.walava.io registry. On a fresh server
Forgejo hasn't run yet so images don't exist — bootstrap chicken/egg.
Re-enable after Forgejo is up and images are pushed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
outline-mcp uses git.walava.io/jack/outline-mcp:latest which doesn't
exist in Forgejo registry yet (Forgejo itself wasn't running).
Comment out the service; re-enable after building the image.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Monitoring stack (Prometheus, AlertManager, Grafana, Loki, Uptime Kuma)
moved from main to tools server. Prometheus now scrapes main exporters
over network (ip_main:9100/8080). Promtail pushes logs to ip_tools:3100.
Traefik routes for dash/status.walava.io updated to ip_tools. discord-bot
PROMETHEUS_URL updated to http://ip_tools:9090.
Outline S3 fix: remove AWS_S3_ACL=private (Timeweb doesn't support
per-object ACLs — caused upload failures). Add CORS configuration task
for browser-side presigned uploads.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Outline needs proxy network for SMTP (Resend) and S3 (Timeweb).
n8n needs proxy network for external API calls in workflows.
Both were only on backend (internal:true) so DNS/TCP to internet was blocked.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
tools-server (85.193.83.9) has outbound SMTP ports 465/587 blocked by VPS
provider. Added tecnativa/postfix-relay container on main server that relays
to smtp.resend.com:587. Outline now uses ip_main:1025 as SMTP host.
- UFW rule: allow port 1025 from ip_tools only
- Remove stale authelia_image from docker pull list
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- domain_base changed to walava.io
- domain_n8n now auto.walava.io
- Added domain_landing for walava.io root
- Added walava-web landing page container + Traefik route
- Updated Cloudflare token/zone_id for walava.io account
- Updated ACME email to walava@tutamail.com
- Fixed discord-bot image to use domain_base variable
- DNS records already created in Cloudflare
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Ensures removed services (vaultwarden, mailserver, snappymail)
are automatically stopped on next deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prevents the 'meta json: readObjectStart' error on fresh deploys.
Existing hooks already fixed via direct DB update.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add vault_forgejo_api_token (Personal Access Token with write:repository)
- Ansible task now creates Discord webhook on both jack/infra and jack/discord-bot
- Webhooks already created manually for this deploy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Container was on backend (internal: true) only — couldn't resolve
discord.com for webhook notifications. Added proxy network which
has outbound internet access.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Leftover after Vaultwarden removal caused CI/CD deploy to fail with
'vaultwarden_admin_token is undefined' during .env template rendering.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without these env vars Next.js SSR renders with wrong base URL causing
React hydration error #418 — server/client HTML mismatch on first render.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add docker-mailserver (Postfix+Dovecot) with SSL via certbot+Cloudflare DNS-01
- Add SnappyMail webmail client at webmail.csrx.ru (port 8888)
- Open UFW ports 25/465/587/993 on tools server
- Create mail accounts: noreply@, admin@, jack@csrx.ru
- Generate DKIM key and print DNS instructions on first run
- Add Traefik route on main server proxying webmail → tools:8888
- Add all secrets to vault (mailserver passwords, snappymail admin)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Docker cannot mount to /var/log/traefik when /var/log is already
bind-mounted (read-only). The nested mount fails with 'read-only
file system' error in the overlay upper layer.
The mount was unused anyway — promtail config only reads syslog,
auth.log, and Docker container logs via the socket.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
crowdsecurity/cs-firewall-bouncer:v0.0.31 does not exist on Docker Hub.
The bouncer service was already removed from docker-compose.yml.
Remove from pre-pull list and defaults to unblock CI/CD deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Switch Traefik ACME to dnsChallenge (provider: cloudflare)
- Add *.csrx.ru wildcard cert via tls.stores.default.defaultGeneratedCert
- Pass CLOUDFLARE_DNS_API_TOKEN to Traefik via env_file: .env
- Add Cloudflare IP ranges to forwardedHeaders.trustedIPs (real visitor IPs)
- Fix UFW: allow 172.16.0.0/12 on 80/443 so act_runner can reach Forgejo
- Add A records: auth.csrx.ru, status.csrx.ru, csrx.ru root → 87.249.49.32
Result: one *.csrx.ru cert covers all subdomains, auto-renewed by Traefik.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
DNS-01 + wildcard cert requires Cloudflare to be authoritative NS.
Until propagation completes, use httpChallenge on port 80.
Plan after Cloudflare NS is active:
1. Switch back to dnsChallenge in traefik.yml.j2
2. Re-enable tls.stores.default.defaultGeneratedCert in routes.yml.j2
3. Clear acme.json → Traefik issues *.csrx.ru wildcard cert
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add tls.stores.default.defaultGeneratedCert in dynamic config:
- Traefik requests one *.csrx.ru + csrx.ru SAN cert via DNS-01
- All existing and future subdomains use this single cert
- No per-service cert issuance wait when adding new services
- Cert auto-renewed by Traefik ~30 days before expiry
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Traefik traefik.yml.j2:
- Add forwardedHeaders.trustedIPs with all Cloudflare CIDR ranges
on both web and websecure entrypoints so rate limiting and
CrowdSec see real visitor IPs, not Cloudflare proxy IPs
firewall.yml:
- Replace open HTTP/HTTPS rules with per-CIDR allow rules
scoped to Cloudflare IP ranges only
- Direct access to ports 80/443 bypassing Cloudflare is now blocked
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cannot use comparison operators inside label matchers {}.
Move the > 0 filter outside braces as a scalar filter on the
denominator — idiomatic Prometheus way to exclude unlimited containers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Adds monitoring Docker network (internal)
- Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers)
with 30-day retention
- Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource
and two dashboards: Node Exporter Full (1860) and cAdvisor (14282)
- Vault secret: vault_grafana_admin_password
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New Plane stable requires 3 frontend services:
- plane-admin (nginx:80) for /god-mode/ routes
- plane-space (node:3000) for /spaces/ routes
- plane-web (nginx:80) for all other routes
Also add APP/ADMIN/SPACE_BASE_URL env vars to plane-api so the
setup wizard knows where to redirect.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
makeplane/plane-backend:stable now requires:
- AMQP_URL: Celery broker URL (defaults to amqp://localhost, broken)
→ set to redis://plane-redis:6379/ to reuse existing Redis
- GUNICORN_WORKERS: must be set explicitly (empty string causes crash)
→ set to 2
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
makeplane/plane-frontend:stable now uses nginx (not Next.js/node).
Remove `command: node web/server.js` override and update Traefik
port from 3000 to 80.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Job containers run on runner-jobs network (internet only), so they
can't reach forgejo:3000 (backend-only). Use public https://git.csrx.ru
so both runner and job containers can reach Forgejo.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
