diff --git a/MEMORY.md b/MEMORY.md index 446dc89..f727f0c 100644 --- a/MEMORY.md +++ b/MEMORY.md @@ -1,3 +1,3 @@ -- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS coming. 2026-06-12 DONE: OSticket live, Portainer SSO live on both hosts (portainer.kitestacks.com HTTP 200, noTLSVerify fixed via CF API), docs v1.4.0 in Forgejo. NEXT: Oracle Cloud ARM VPS (user provisioning manually — 4 OCPU 24GB Ampere A1). OSticket is x86-only so needs swap for Oracle ARM. CF API token kitestacks-dns-fix rolled 2026-06-12 (was previously exposed in chat). +- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS migration IN PROGRESS. 2026-06-13: OpenProject removed permanently (EE license required). Oracle ARM A1 4OCPU/24GB Chicago $8.50/mo — capacity issues, provisioning pending. OSticket needs QEMU binfmt (x86-only image). Forgejo SSO button renamed to Authentik. kscloud1 Forgejo has wrong ROOT_URL + only 1 repo — fix during Oracle migration. - [Forgejo doc redaction rule](feedback-forgejo-redaction.md) — always redact IPs, ports, and passwords in any homelab Forgejo repo files before committing. - [A+ Core 2 study plan](project-a-plus-core2.md) — exam goal June 28 2026, started 2026-06-11 9:15 PM, Professor Messer diagnostic first, CertMaster next week. diff --git a/project-kitestacks-migration.md b/project-kitestacks-migration.md index a1fb57b..d7a7f6d 100644 --- a/project-kitestacks-migration.md +++ b/project-kitestacks-migration.md 
@@ -439,3 +439,69 @@ Portal card update (3 files) also still pending until tunnel+OAuth done. ## Phase 2 Planned: Obsidian Mind Map → HTML Mind Map Sync User wants to create an Obsidian mind map of the KiteStacks homelab that syncs/exports to a live HTML mind map embedded in the homelab portal or a standalone page. To be built after full Obsidian+samurai setup is complete. + +## 2026-06-13: OpenProject removed + Oracle VPS migration started + +### OpenProject REMOVED permanently +OpenProject requires Enterprise Edition license for SSO (confirmed last session). +Removed from local stack (monk): +- Docker volume `openproject_openproject_assets` deleted +- `/home/kenpatmonk/kitestacks-live/docker/openproject/` directory removed (pgdata dir + needed sudo — user ran manually; pgdata was owned by container UID mapped to `avahi`) +- NOT deploying on Oracle VPS +- tasks.kitestacks.com subdomain is now dead — update Cloudflare/portal accordingly +TODO: remove `apps/openproject/` from kitestacks-homelab Forgejo repo once user can log in. + +### Forgejo issues found + partially fixed (2026-06-13) +Forgejo login page has two issues: +1. URL banner: "configured to be served on http://5.78.233.28:3000/" — caused by kscloud1's + Forgejo having wrong ROOT_URL. kscloud1 Forgejo has only 1 repo (separate DB from monk's + 13-repo instance). Cloudflare tunnel load-balances between monk and kscloud1 Forgejo. + FIX PENDING: stop Forgejo on kscloud1 (or fix its ROOT_URL). Deferred — do during Oracle migration. +2. SSO button says "Proceed with OpenID" instead of "Authentik". + PARTIAL FIX: renamed login_source from `authentik` → `Authentik` via admin CLI: + `docker exec -u git forgejo /app/gitea/gitea admin auth update-oauth --id 1 --name Authentik ...` + Provider type remains `openidConnect` — button text may still say "OpenID" (depends on + Forgejo 11 template behavior). User to verify after refresh. Full fix may require admin UI + once user can log into Forgejo. 
+Forgejo DB: 13 repos under `kenpat`, 1 user (kenpat, admin, active, no 2FA). +Forgejo login: username `kenpat`, direct password login works on the same page. + +### kitestacks-homelab repo: apps/forgejo/docker-compose.yml has wrong ROOT_URL +`FORGEJO__server__ROOT_URL=http://192.168.1.205:3006` — old local IP, never updated. +The LIVE local stack (`~/kitestacks-live/docker/forgejo/docker-compose.yml`) is correct +(`https://gitforge.kitestacks.com/`). The repo copy needs updating. +TODO: fix and commit once user can log in and clone the repo. + +### Oracle VPS migration plan (kscloud1 → Oracle Cloud) +Goal: replace Hetzner kscloud1 (5.78.233.28, $14.50/mo) with Oracle Cloud ARM VPS ($8.50/mo). +Oracle instance: Ampere A1 Flex, 4 OCPU / 24 GB RAM, Chicago region (us-chicago-1). +Status as of 2026-06-13: user is provisioning — hit "no capacity" in Chicago. +Workarounds tried: capacity not available for 4 OCPU config. Options: +- Try smaller shape (1 OCPU / 6 GB), resize after provisioning +- Subscribe to another region (Frankfurt, Osaka, Toronto have better A1 availability) +- Keep retrying (capacity opens randomly, early UTC morning tends to be better) + +ARM64 compatibility analysis (all images verified): +- ✅ All services ARM64-compatible EXCEPT OSticket +- ❌ OSticket (`campbellsoftwaresolutions/osticket`) — x86 only + FIX: enable QEMU binfmt emulation on Oracle ARM host, run with `--platform linux/amd64` + Performance acceptable for a ticket system. +- ⚠️ Shaarli — verify ARM64 at deploy time + +Services to deploy on Oracle VPS (OpenProject EXCLUDED): +authentik, bookstack, cloudflared, forgejo, grafana, homepage/portal, +karakeep (+meilisearch +chrome), kavita, kite-ai (litellm+openwebui), +linkding, osticket, portainer, prometheus+node-exporter, shaarli, uptime-kuma + +Migration phases: +1. Oracle VPS provisioning (in progress) +2. 
Oracle initial setup: Ubuntu 22.04 ARM64, Docker, iptables flush (Oracle blocks by default), + QEMU binfmt for OSticket x86 emulation +3. Deploy full stack — fix Forgejo ROOT_URL correctly from day one +4. Connect cloudflared on Oracle to KiteStacks tunnel (same TUNNEL_TOKEN) +5. Verify all services, then remove kscloud1 from tunnel + cancel Hetzner +NOTE: same active-active pattern as kscloud1 — shared Authentik Postgres+Redis over +Tailscale, same TUNNEL_TOKEN, fresh DBs for stateful apps except identity (authentik/kavita). +IMPORTANT Oracle gotcha: Ubuntu on Oracle has iptables rules that block all traffic at boot +even after Security List rules are opened. Must flush iptables as part of initial setup.
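Review bot: In the MEMORY.md hunk, the rewritten KiteStacks summary line drops the only visible record that the Cloudflare API token `kitestacks-dns-fix` was rolled on 2026-06-12 after being exposed in chat. Keep that sentence, or confirm the rotation is recorded in project-kitestacks-migration.md, so the exposure and its remediation date stay traceable. The link title also still reads "(COMPLETE)" while the new text says "Oracle VPS migration IN PROGRESS"; change the title so the index entry does not contradict itself.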
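Review bot: In the project-kitestacks-migration.md hunk, the added section writes out `5.78.233.28` (in the Forgejo banner item and again in the migration goal), `192.168.1.205:3006`, the login username, and the fact that the sole admin account has no 2FA. The redaction rule listed in MEMORY.md says to redact IPs, ports, and passwords in homelab Forgejo repo files before committing. If this file ever lands in one of those repos, replace the addresses and port with placeholders and record "enable 2FA on the admin account" as a TODO rather than as a standing fact. Separately, phase 2 and the closing "Must flush iptables" note call for a full flush, which leaves the Oracle Security List as the only inbound filter on the host. Since the plan reaches services through cloudflared (outbound) and Tailscale, consider documenting the specific accept rules needed and how they are persisted across reboots, instead of a blanket flush.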