9 Commits

Author SHA1 Message Date
tommy 9653af3d20 homepage: add siteMonitor status dots to 54 service tiles
Every tile lacking a dot now has one, validated from the Homepage container's own
network vantage (status <400 = green). Targets chosen to avoid false-red:
- internal http:// url where a widget exposes one (bypasses edge/redirects)
- public href for href-only services (all resolve to own login/200 — none Authelia-gated)
- unauth health endpoints where the base URL false-reds:
  CrowdSec /health, Loki :3100/ready, Stirling /api/v1/info/status

OMITTED (would be permanent false-red, flagged not added):
- Proxmox Beast, PBS: self-signed TLS -> SSL error (widgets already report health)
- Kometa: a CLI tool, no web service (href is a GitHub link)

Wazuh got a dot but currently renders RED — its backend returns 502 (genuinely
unreachable via Traefik); that's true state, not a false-red. Investigate separately.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-03 16:20:25 -05:00
tommy b25c3a4d5c 4K: download clients (packaged, idempotent) + Homepage tiles
Add SABnzbd+Transmission to radarr-4k/sonarr-4k with distinct categories (sabnzbd
movies-4k/tv-4k, transmission radarr-uhd/sonarr-uhd; Transmission forbids digits) so
they dont cross-import the 1080p instances. Packaged into deploy-arrs-4k.yml via an
idempotent ensure-arrs-4k-dl.py (changed=0). Homepage Radarr 4K/Sonarr 4K tiles
(HOMEPAGE_VAR keys, siteMonitor). 4K path proven: Obsession routed to radarr-4k,
grabbed WEBDL-2160p, 1080p rejected 'not wanted in profile'. Keys via vault, no secrets.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-03 09:43:18 -05:00
tommy 4b69f74f40 lubelogger+homepage: dedicated PBS tokens
- backup job -> dedicated root@pam!lubelogger-backup token (DatastoreBackup);
  prune made non-fatal pending a group-scoped PBS prune-job (Datastore.Prune deferred).
- Homepage PBS widget -> homepage@pbs!widget (Datastore.Audit); Proxmox Beast
  (root@pam!homepage) left intact, deferred. Secrets in vault/.env only.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 23:40:32 -05:00
tommy 739db1ddee homepage: crowdsec widget -> dedicated homepage-widget machine
Repoint the CrowdSec widget from the engine's own 'localhost' machine cred to a
dedicated 'homepage-widget' machine (cscli machines add, engine localhost cred
untouched). Username change only; password in observability/.env.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 21:59:15 -05:00
tommy b22697b2b9 homepage: canonize services.yaml mirror to live + redact all widget secrets
Mirror was stale (missing ~28 services incl. LubeLogger). Sync live->mirror and
redact every inline widget secret (19: plex/overseerr/tautulli/arr/sab keys +
proxmox/pbs/beszel/crowdsec passwords) to {{HOMEPAGE_VAR_*}} refs. Values now
live only in observability/.env (root:600, not a git repo), injected via env_file.
Verified: 21 referenced vars == 21 defined in container env (no referenced-but-
undefined); homepage healthy, widgets authenticate. Full-file + diff scan: clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 21:17:15 -05:00
tommy 0be9ae426b homepage: read HA token from env var; stop committing it in plaintext
services.yaml now references key: "{{HOMEPAGE_VAR_HASS_TOKEN}}" instead of
the inline long-lived HA JWT (which was exposed in this public-fronted repo
and has been rotated + revoked). Secret now lives only in observability/.env
(untracked, mode 600). Add .gitignore for .env/secrets so this can't recur.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 22:01:27 -05:00
tommy 331820b8de Fix PBS icon and datastore to Synology-Remote 2026-03-12 21:23:15 -05:00
tommy 5d5d123e7a Add Frigate to Monitoring group 2026-03-12 21:14:29 -05:00
tommy ea4db49b46 Add Homepage config files 2026-03-12 20:57:47 -05:00