infra

viktor/infra

Fork 0

Commit graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Viktor Barzin	bd60c3d5e0	pve-host/dns: register loki.viktorbarzin.lan CNAME, drop the /etc/hosts pin All checks were successful ci/woodpecker/push/default Pipeline was successful Details ci/woodpecker/push/build-cli Pipeline was successful Details Follow-up to the pve-host Loki shipper (`aac807fb`). The host reached Loki via an /etc/hosts pin of the Traefik LB IP — Viktor flagged that as the wrong solution (no hardcoding; the DNS infra should handle it). Registered loki.viktorbarzin.lan in Technitium as a CNAME -> ingress.viktorbarzin.lan (the anchor whose A record auto-tracks the live Traefik LB IP, so it's renumber-proof), via the Technitium API + zone-sync to all 3 instances. Removed the /etc/hosts pin from the PVE host; promtail now resolves the name purely via DNS (verified still shipping to Loki). insecure_skip_verify stays — the internal .lan cert isn't publicly trusted. Docs (monitoring.md) + the pve-promtail.yaml header updated to drop the pin references. The DNS record is API-managed (the viktorbarzin.lan zone convention), not in this repo; auto-managing .lan CNAMEs in technitium-ingress-dns-sync remains a noted follow-up. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-10 22:55:20 +00:00
Viktor Barzin	aac807fb3a	pve-host: ship journal to Loki (snoopy command audit + sshd-pve) for emo's root SSH All checks were successful ci/woodpecker/push/default Pipeline was successful Details ci/woodpecker/push/build-cli Pipeline was successful Details Emo's Claude agent was given root SSH to the Proxmox host (`ssh pve`, dedicated shared-root key emo-pve-agent@devvm) so he can manage the host — e.g. the R730 fan daemon — through his agent. To keep an audit trail of what that agent does, and to feed the long-pending Wave-1 S1 security rule, the PVE host now ships its systemd journal to cluster Loki: - snoopy logs every execve() to journald (identifier=snoopy), enabled via /etc/ld.so.preload; config scripts/pve-snoopy.ini. - promtail v3.5.1 (amd64) ships /var/log/journal to Loki as {job="pve-journal"} (full host journal; filter identifier="snoopy" for the command audit), and relabels sshd auth to {job="sshd-pve"} — which ACTIVATES S1 (it was PENDING only for lack of this shipper). Config/unit: scripts/pve-promtail.{yaml,service}. S1 won't false-fire on legitimate access: the devvm SNATs through pfSense to 192.168.1.2, which is already in the S1 source-IP allowlist. Loki is reached via an /etc/hosts pin (10.0.20.203 loki.viktorbarzin.lan); follow-up noted to register a Technitium CNAME so it auto-tracks LB renumbers. Host pieces are hand-managed (not Terraform), like fan-control and the rpi-sofia promtail — these files are the source of truth. Docs updated: security.md (S1 LIVE) and monitoring.md ("External host: pve"). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-10 19:31:45 +00:00

Viktor Barzin

bd60c3d5e0

pve-host/dns: register loki.viktorbarzin.lan CNAME, drop the /etc/hosts pin

ci/woodpecker/push/default Pipeline was successful

Details

ci/woodpecker/push/build-cli Pipeline was successful

Details

Follow-up to the pve-host Loki shipper (aac807fb). The host reached Loki via an
/etc/hosts pin of the Traefik LB IP — Viktor flagged that as the wrong solution
(no hardcoding; the DNS infra should handle it). Registered loki.viktorbarzin.lan
in Technitium as a CNAME -> ingress.viktorbarzin.lan (the anchor whose A record
auto-tracks the live Traefik LB IP, so it's renumber-proof), via the Technitium
API + zone-sync to all 3 instances. Removed the /etc/hosts pin from the PVE host;
promtail now resolves the name purely via DNS (verified still shipping to Loki).
insecure_skip_verify stays — the internal .lan cert isn't publicly trusted.

Docs (monitoring.md) + the pve-promtail.yaml header updated to drop the pin
references. The DNS record is API-managed (the viktorbarzin.lan zone convention),
not in this repo; auto-managing .lan CNAMEs in technitium-ingress-dns-sync
remains a noted follow-up.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-10 22:55:20 +00:00

Viktor Barzin

aac807fb3a

pve-host: ship journal to Loki (snoopy command audit + sshd-pve) for emo's root SSH

ci/woodpecker/push/default Pipeline was successful

Details

ci/woodpecker/push/build-cli Pipeline was successful

Details

Emo's Claude agent was given root SSH to the Proxmox host (`ssh pve`, dedicated
shared-root key emo-pve-agent@devvm) so he can manage the host — e.g. the R730
fan daemon — through his agent. To keep an audit trail of what that agent does,
and to feed the long-pending Wave-1 S1 security rule, the PVE host now ships its
systemd journal to cluster Loki:

- snoopy logs every execve() to journald (identifier=snoopy), enabled via
  /etc/ld.so.preload; config scripts/pve-snoopy.ini.
- promtail v3.5.1 (amd64) ships /var/log/journal to Loki as {job="pve-journal"}
  (full host journal; filter identifier="snoopy" for the command audit), and
  relabels sshd auth to {job="sshd-pve"} — which ACTIVATES S1 (it was PENDING
  only for lack of this shipper). Config/unit: scripts/pve-promtail.{yaml,service}.

S1 won't false-fire on legitimate access: the devvm SNATs through pfSense to
192.168.1.2, which is already in the S1 source-IP allowlist.

Loki is reached via an /etc/hosts pin (10.0.20.203 loki.viktorbarzin.lan);
follow-up noted to register a Technitium CNAME so it auto-tracks LB renumbers.

Host pieces are hand-managed (not Terraform), like fan-control and the rpi-sofia
promtail — these files are the source of truth. Docs updated: security.md
(S1 LIVE) and monitoring.md ("External host: pve").

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-10 19:31:45 +00:00

2 commits