From 602103ede138575e9780954185dde49ad3dbb335 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Sun, 19 Apr 2026 12:05:18 +0000
Subject: [PATCH] [owntracks] Strip face avatar from hook payload + drop orphan
 PVC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bundles two small follow-ups to the live bridge + port-fix work:

## Face avatar fix (dawarich-hook.lua)

After the Recorder ran in production for a while it began enriching
publish payloads with a `face` field — the base64-encoded user avatar
uploaded via the Recorder's web UI (~120 KB). Our Lua hook builds a
curl command that embeds the JSON payload as `-d '<payload>'`, which
hit `E2BIG` / `Argument list too long` (os.execute reason=code=7) on
Linux's `execve` argv limit (~128 KB). Every live POST stopped making
it to Dawarich, even though the HTTP POST from the phone to Owntracks
still returned 200 and the .rec write still happened.

Fix: `data.face = nil` before serializing. Dawarich doesn't use it
anyway (not persisted into any column — `raw_data` stored without it).

Also upgraded the debug log: on failure we now emit
`dawarich-bridge: FAIL tst=... reason=... code=... cmd=...` so any
future variant of this problem (next big field surfaced upstream, etc.)
is one log tail away from a diagnosis.

```
$ kubectl -n owntracks logs deploy/owntracks --tail=5 | grep dawarich-bridge
+ dawarich-bridge: init
+ dawarich-bridge: ok tst=1776600238
```

## Orphan PVC removal (main.tf)

`owntracks-data-proxmox` (1 Gi, proxmox-lvm, unencrypted) was a leftover
from the encrypted-migration attempt; the Deployment has been mounting
`owntracks-data-encrypted` the whole time. Verified `Used By: <none>`
on the live PVC before removal. Removing the resource from Terraform
destroys the PVC — harmless, no data loss.

## Test Plan

### Automated

```
$ ../../scripts/tg plan
Plan: 0 to add, 1 to change, 1 to destroy.

$ ../../scripts/tg apply --non-interactive
Apply complete! Resources: 0 added, 1 changed, 1 destroyed.

$ kubectl -n owntracks get pvc
NAME                       STATUS   VOLUME ...
owntracks-data-encrypted   Bound    ...
(owntracks-data-proxmox gone)
```

### Manual Verification

```
$ VIKTOR_PW=$(vault kv get -field=credentials secret/owntracks | jq -r .viktor)
$ TST=$(date +%s)
$ kubectl -n owntracks run t --rm -i --image=curlimages/curl -- \
    curl -s -w 'HTTP %{http_code}\n' -X POST -u "viktor:$VIKTOR_PW" \
    -H 'Content-Type: application/json' \
    -H 'X-Limit-U: viktor' -H 'X-Limit-D: iphone-15pro' \
    -d "{\"_type\":\"location\",\"lat\":51.5074,\"lon\":-0.1278,\"tst\":$TST,\"tid\":\"vb\"}" \
    https://owntracks.viktorbarzin.me/pub
HTTP 200

$ sleep 3 && kubectl -n dbaas exec pg-cluster-1 -c postgres -- \
    psql -U postgres -d dawarich -tAc \
    "SELECT ST_AsText(lonlat::geometry) FROM points WHERE user_id=1 AND timestamp=$TST"
POINT(-0.1278 51.5074)
```

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 stacks/owntracks/dawarich-hook.lua | 15 ++++++++++++---
 stacks/owntracks/main.tf           | 22 ----------------------
 2 files changed, 12 insertions(+), 25 deletions(-)

diff --git a/stacks/owntracks/dawarich-hook.lua b/stacks/owntracks/dawarich-hook.lua
index 0edff91e..8238dedc 100644
--- a/stacks/owntracks/dawarich-hook.lua
+++ b/stacks/owntracks/dawarich-hook.lua
@@ -58,6 +58,10 @@ function otr_hook(topic, _type, data)
     otr.log("dawarich-bridge: DAWARICH_API_KEY missing — dropping point")
     return
   end
+  -- Strip the base64 user avatar: ot-recorder appends a ~120KB `face` field
+  -- to enriched payloads which pushes the curl command past ARG_MAX (code=7
+  -- "Argument list too long"). Dawarich doesn't need it.
+  data.face = nil
   local url = "https://dawarich.viktorbarzin.me/api/v1/owntracks/points?api_key=" .. api_key
   local payload = to_json(data)
   local cmd = table.concat({
@@ -67,7 +71,12 @@ function otr_hook(topic, _type, data)
     escape_shell_single(url),
     "&",
   }, " ")
-  local ok = os.execute(cmd)
-  otr.log(string.format("dawarich-bridge: tst=%s lat=%s lon=%s ok=%s",
-    tostring(data.tst), tostring(data.lat), tostring(data.lon), tostring(ok)))
+  local ok, reason, code = os.execute(cmd)
+  if not ok then
+    otr.log("dawarich-bridge: FAIL tst=" .. tostring(data.tst) ..
+            " reason=" .. tostring(reason) .. " code=" .. tostring(code) ..
+            " cmd=" .. cmd)
+  else
+    otr.log("dawarich-bridge: ok tst=" .. tostring(data.tst))
+  end
 end
diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf
index 0e21420d..38608ebf 100644
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@@ -96,28 +96,6 @@ resource "kubernetes_config_map" "dawarich_hook" {
   }
 }
 
-resource "kubernetes_persistent_volume_claim" "data_proxmox" {
-  wait_until_bound = false
-  metadata {
-    name      = "owntracks-data-proxmox"
-    namespace = kubernetes_namespace.owntracks.metadata[0].name
-    annotations = {
-      "resize.topolvm.io/threshold"     = "80%"
-      "resize.topolvm.io/increase"      = "100%"
-      "resize.topolvm.io/storage_limit" = "5Gi"
-    }
-  }
-  spec {
-    access_modes       = ["ReadWriteOnce"]
-    storage_class_name = "proxmox-lvm"
-    resources {
-      requests = {
-        storage = "1Gi"
-      }
-    }
-  }
-}
-
 resource "kubernetes_deployment" "owntracks" {
   metadata {
     name      = "owntracks"