2026-06-13: Oracle VPS migration started, OpenProject removed, Forgejo fixes noted

MEMORY.md

@@ -1,3 +1,3 @@
-- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS coming. 2026-06-12 DONE: OSticket live, Portainer SSO live on both hosts (portainer.kitestacks.com HTTP 200, noTLSVerify fixed via CF API), docs v1.4.0 in Forgejo. NEXT: Oracle Cloud ARM VPS (user provisioning manually — 4 OCPU 24GB Ampere A1). OSticket is x86-only so needs swap for Oracle ARM. CF API token kitestacks-dns-fix rolled 2026-06-12 (was previously exposed in chat).
+- [KiteStacks migration + Hetzner cloud failover (COMPLETE)](project-kitestacks-migration.md) — monk primary, kscloud1 cloud replica, Oracle VPS migration IN PROGRESS. 2026-06-13: OpenProject removed permanently (EE license required). Oracle ARM A1 4OCPU/24GB Chicago $8.50/mo — capacity issues, provisioning pending. OSticket needs QEMU binfmt (x86-only image). Forgejo SSO button renamed to Authentik. kscloud1 Forgejo has wrong ROOT_URL + only 1 repo — fix during Oracle migration.
 - [Forgejo doc redaction rule](feedback-forgejo-redaction.md) — always redact IPs, ports, and passwords in any homelab Forgejo repo files before committing.
 - [A+ Core 2 study plan](project-a-plus-core2.md) — exam goal June 28 2026, started 2026-06-11 9:15 PM, Professor Messer diagnostic first, CertMaster next week.

project-kitestacks-migration.md

@@ -439,3 +439,69 @@ Portal card update (3 files) also still pending until tunnel+OAuth done.
 
 ## Phase 2 Planned: Obsidian Mind Map → HTML Mind Map Sync
 User wants to create an Obsidian mind map of the KiteStacks homelab that syncs/exports to a live HTML mind map embedded in the homelab portal or a standalone page. To be built after full Obsidian+samurai setup is complete.
+
+## 2026-06-13: OpenProject removed + Oracle VPS migration started
+
+### OpenProject REMOVED permanently
+OpenProject requires Enterprise Edition license for SSO (confirmed last session).
+Removed from local stack (monk):
+- Docker volume `openproject_openproject_assets` deleted
+- `/home/kenpatmonk/kitestacks-live/docker/openproject/` directory removed (pgdata dir
+  needed sudo — user ran manually; pgdata was owned by container UID mapped to `avahi`)
+- NOT deploying on Oracle VPS
+- tasks.kitestacks.com subdomain is now dead — update Cloudflare/portal accordingly
+TODO: remove `apps/openproject/` from kitestacks-homelab Forgejo repo once user can log in.
+
+### Forgejo issues found + partially fixed (2026-06-13)
+Forgejo login page has two issues:
+1. URL banner: "configured to be served on http://5.78.233.28:3000/" — caused by kscloud1's
+   Forgejo having wrong ROOT_URL. kscloud1 Forgejo has only 1 repo (separate DB from monk's
+   13-repo instance). Cloudflare tunnel load-balances between monk and kscloud1 Forgejo.
+   FIX PENDING: stop Forgejo on kscloud1 (or fix its ROOT_URL). Deferred — do during Oracle migration.
+2. SSO button says "Proceed with OpenID" instead of "Authentik".
+   PARTIAL FIX: renamed login_source from `authentik` → `Authentik` via admin CLI:
+   `docker exec -u git forgejo /app/gitea/gitea admin auth update-oauth --id 1 --name Authentik ...`
+   Provider type remains `openidConnect` — button text may still say "OpenID" (depends on
+   Forgejo 11 template behavior). User to verify after refresh. Full fix may require admin UI
+   once user can log into Forgejo.
+Forgejo DB: 13 repos under `kenpat`, 1 user (kenpat, admin, active, no 2FA).
+Forgejo login: username `kenpat`, direct password login works on the same page.
+
+### kitestacks-homelab repo: apps/forgejo/docker-compose.yml has wrong ROOT_URL
+`FORGEJO__server__ROOT_URL=http://192.168.1.205:3006` — old local IP, never updated.
+The LIVE local stack (`~/kitestacks-live/docker/forgejo/docker-compose.yml`) is correct
+(`https://gitforge.kitestacks.com/`). The repo copy needs updating.
+TODO: fix and commit once user can log in and clone the repo.
+
+### Oracle VPS migration plan (kscloud1 → Oracle Cloud)
+Goal: replace Hetzner kscloud1 (5.78.233.28, $14.50/mo) with Oracle Cloud ARM VPS ($8.50/mo).
+Oracle instance: Ampere A1 Flex, 4 OCPU / 24 GB RAM, Chicago region (us-chicago-1).
+Status as of 2026-06-13: user is provisioning — hit "no capacity" in Chicago.
+Workarounds tried: capacity not available for 4 OCPU config. Options:
+- Try smaller shape (1 OCPU / 6 GB), resize after provisioning
+- Subscribe to another region (Frankfurt, Osaka, Toronto have better A1 availability)
+- Keep retrying (capacity opens randomly, early UTC morning tends to be better)
+
+ARM64 compatibility analysis (all images verified):
+- ✅ All services ARM64-compatible EXCEPT OSticket
+- ❌ OSticket (`campbellsoftwaresolutions/osticket`) — x86 only
+  FIX: enable QEMU binfmt emulation on Oracle ARM host, run with `--platform linux/amd64`
+  Performance acceptable for a ticket system.
+- ⚠️ Shaarli — verify ARM64 at deploy time
+
+Services to deploy on Oracle VPS (OpenProject EXCLUDED):
+authentik, bookstack, cloudflared, forgejo, grafana, homepage/portal,
+karakeep (+meilisearch +chrome), kavita, kite-ai (litellm+openwebui),
+linkding, osticket, portainer, prometheus+node-exporter, shaarli, uptime-kuma
+
+Migration phases:
+1. Oracle VPS provisioning (in progress)
+2. Oracle initial setup: Ubuntu 22.04 ARM64, Docker, iptables flush (Oracle blocks by default),
+   QEMU binfmt for OSticket x86 emulation
+3. Deploy full stack — fix Forgejo ROOT_URL correctly from day one
+4. Connect cloudflared on Oracle to KiteStacks tunnel (same TUNNEL_TOKEN)
+5. Verify all services, then remove kscloud1 from tunnel + cancel Hetzner
+NOTE: same active-active pattern as kscloud1 — shared Authentik Postgres+Redis over
+Tailscale, same TUNNEL_TOKEN, fresh DBs for stateful apps except identity (authentik/kavita).
+IMPORTANT Oracle gotcha: Ubuntu on Oracle has iptables rules that block all traffic at boot
+even after Security List rules are opened. Must flush iptables as part of initial setup.