Every tile lacking a dot now has one, validated from the Homepage container's own
network vantage (status <400 = green). Targets chosen to avoid false-red:
- internal http:// url where a widget exposes one (bypasses edge/redirects)
- public href for href-only services (all resolve to own login/200 — none Authelia-gated)
- unauth health endpoints where the base URL false-reds:
CrowdSec /health, Loki :3100/ready, Stirling /api/v1/info/status
OMITTED (would be permanent false-red, flagged not added):
- Proxmox Beast, PBS: self-signed TLS -> SSL error (widgets already report health)
- Kometa: a CLI tool, no web service (href is a GitHub link)
Wazuh got a dot but currently renders RED — its backend returns 502 (genuinely
unreachable via Traefik); that's true state, not a false-red. Investigate separately.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add SABnzbd+Transmission to radarr-4k/sonarr-4k with distinct categories (sabnzbd
movies-4k/tv-4k, transmission radarr-uhd/sonarr-uhd; Transmission forbids digits) so
they dont cross-import the 1080p instances. Packaged into deploy-arrs-4k.yml via an
idempotent ensure-arrs-4k-dl.py (changed=0). Homepage Radarr 4K/Sonarr 4K tiles
(HOMEPAGE_VAR keys, siteMonitor). 4K path proven: Obsession routed to radarr-4k,
grabbed WEBDL-2160p, 1080p rejected 'not wanted in profile'. Keys via vault, no secrets.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Repoint the CrowdSec widget from the engine's own 'localhost' machine cred to a
dedicated 'homepage-widget' machine (cscli machines add, engine localhost cred
untouched). Username change only; password in observability/.env.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Mirror was stale (missing ~28 services incl. LubeLogger). Sync live->mirror and
redact every inline widget secret (19: plex/overseerr/tautulli/arr/sab keys +
proxmox/pbs/beszel/crowdsec passwords) to {{HOMEPAGE_VAR_*}} refs. Values now
live only in observability/.env (root:600, not a git repo), injected via env_file.
Verified: 21 referenced vars == 21 defined in container env (no referenced-but-
undefined); homepage healthy, widgets authenticate. Full-file + diff scan: clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
services.yaml now references key: "{{HOMEPAGE_VAR_HASS_TOKEN}}" instead of
the inline long-lived HA JWT (which was exposed in this public-fronted repo
and has been rotated + revoked). Secret now lives only in observability/.env
(untracked, mode 600). Add .gitignore for .env/secrets so this can't recur.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>