infra

Viktor Barzin df332b59e6 break-glass SSH: drop port-knock for exposed key-only :52222; version host config Viktor got locked out of the break-glass path (forgot the port-knock setup) and deleted the edge-router forwards, then asked to review and redesign it from scratch. Root cause of the lockout: the knock added no real security (key-only SSH is already brute-force-proof) and its only benefit — hiding the port — came at the cost of a circular dependency. The knock sequence lived only in in-cluster Vault, which is unreachable in the exact away/cold scenario break-glass exists for. So the unlock secret was unavailable precisely when needed. New model (self-contained, nothing to remember): plain key-only SSH on the Proxmox host's :52222, openly reachable. The edge router forwards WAN tcp/52222 -> 192.168.1.127:52222 (external port MUST equal internal on the TP-Link AX6000 - it rejects remaps; port 22 itself is reserved). The exposed port trusts only a dedicated break-glass key via `Match LocalPort` (a leak of any other root key does not grant internet access), rate-limited (iptables hashlimit) + fail2ban. - Removed knockd (package + config) and the legacy Synology SSH forward (ext 3333 -> .13:22, a needless WAN exposure the original plan wanted gone). - Fixed the fail2ban jail for Debian 13 (auth logs under sshd-session, not sshd - the stock journalmatch silently never banned). - Versioned the host config in scripts/ (it was applied ad-hoc, never committed) and recorded the deliberate Wave-1 "no public-IP" exception in security.md + .claude/CLAUDE.md. Superseded the 2026-05-30 port-knock design docs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>		2026-06-11 18:23:39 +00:00
..
server_safe_poweroff	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
t3-dispatch	t3: connection logging across the path for drop attribution	2026-06-11 13:48:10 +00:00
workstation	workstation: lean managed-settings claudeMd — org red-lines + pointers [ci skip]	2026-06-11 18:02:43 +00:00
apply-mbps-caps.service	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
apply-mbps-caps.sh	apply-mbps-caps: compare normalized option sets (true idempotency) + devvm I/O-stall post-mortem [ci skip]	2026-06-11 18:00:08 +00:00
apply-mbps-caps.timer	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
breakglass-firewall.sh	break-glass SSH: drop port-knock for exposed key-only :52222; version host config	2026-06-11 18:23:39 +00:00
check-ingress-auth-comments.py	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
cluster_healthcheck.sh	technitium: mirror mail-auth records into internal zone; fix redfish check [ci skip]	2026-06-10 17:46:37 +00:00
cluster_manager.py	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
daily-backup.service	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
daily-backup.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
daily-backup.timer	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
devvm-promtail.service	t3: connection logging across the path for drop attribution	2026-06-11 13:48:10 +00:00
devvm-promtail.yaml	t3: connection logging across the path for drop attribution	2026-06-11 13:48:10 +00:00
extend_vm_storage.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
fail2ban-breakglass-sshd.local	break-glass SSH: drop port-knock for exposed key-only :52222; version host config	2026-06-11 18:23:39 +00:00
fan-control.env.example	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
fan-control.service	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
fan-control.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
forgejo-migrate-orphan-images.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
frigate-bulk-classify.js	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
frigate-inspect.mjs	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
gen_service_stacks.py	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
graceful-db-maintenance.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
image_pull.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
image_pull_remote.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
k8s-apiserver-audit-policy.yaml	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
kill_ns.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
lvm-pvc-snapshot.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
lvm-pvc-snapshot.timer	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
migrate-state-to-pg	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
migrate_service_state.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
nfs-change-tracker.service	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
nfs-mirror.service	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
nfs-mirror.sh	nfs-mirror: exclude /vzdump/ — it was reaping the new VM-image backups nightly	2026-06-10 09:04:57 +00:00
nfs-mirror.timer	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
node_registry_manager.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
offsite-sync-backup.service	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
offsite-sync-backup.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
offsite-sync-backup.timer	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
parse-postmortem-todos.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
pfsense-haproxy-bootstrap.php	pfsense: SNI-routed internal 443 — mail.viktorbarzin.me serves webmail everywhere	2026-06-10 18:41:07 +00:00
pfsense-nat-mailserver-haproxy-flip.php	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
pfsense-nat-mailserver-haproxy-unflip.php	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
postmortem-pipeline.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
provision-k8s-worker	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
pve-nfs-exports	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
pve-promtail.service	pve-host: ship journal to Loki (snoopy command audit + sshd-pve) for emo's root SSH	2026-06-10 19:31:45 +00:00
pve-promtail.yaml	pve-host/dns: register loki.viktorbarzin.lan CNAME, drop the /etc/hosts pin	2026-06-10 22:55:20 +00:00
pve-snoopy.ini	pve-host: ship journal to Loki (snoopy command audit + sshd-pve) for emo's root SSH	2026-06-10 19:31:45 +00:00
renew_worker_certs.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
setup-containerd-pullthrough.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
setup-forgejo-containerd-mirror.sh	dns: pfSense forward-zone for viktorbarzin.me, nodes fully stock [ci skip]	2026-06-10 08:32:34 +00:00
setup-task-pipeline.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
setup_containerd_mirrors.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
sshd-10-breakglass.conf	break-glass SSH: drop port-knock for exposed key-only :52222; version host config	2026-06-11 18:23:39 +00:00
state-sync	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
stop_storage_services.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
sudoers-t3-autopair	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
t3-autoupdate.service	t3: pin t3@0.0.24 + stop nightly auto-update (auth-outage fix) [ci skip]	2026-06-09 21:41:53 +00:00
t3-autoupdate.sh	t3: bump pin 0.0.24 -> 0.0.26 (fable-5) [ci skip]	2026-06-09 21:41:53 +00:00
t3-autoupdate.timer	t3: pin t3@0.0.24 + stop nightly auto-update (auth-outage fix) [ci skip]	2026-06-09 21:41:53 +00:00
t3-backup-state.service	t3: prepare to adopt 0.0.25 — version-agnostic dispatch + real pairing health-check + state backup [ci skip]	2026-06-09 21:41:53 +00:00
t3-backup-state.sh	t3: prepare to adopt 0.0.25 — version-agnostic dispatch + real pairing health-check + state backup [ci skip]	2026-06-09 21:41:53 +00:00
t3-backup-state.timer	t3: prepare to adopt 0.0.25 — version-agnostic dispatch + real pairing health-check + state backup [ci skip]	2026-06-09 21:41:53 +00:00
t3-dispatch.service	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
t3-mint	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
t3-provision-users.service	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
t3-provision-users.sh	workstation: per-user code_layout — workspace puts project repos under ~/code (ancamilea + tripit)	2026-06-10 18:05:31 +00:00
t3-provision-users.timer	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
t3-serve@.service	t3-serve@: contain agent memory storms; survive child OOM kills	2026-06-10 21:00:06 +00:00
task-processor.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
test-fan-control.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
test-vault-token-renew.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
tg	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
tmux-persist-restore.service	workstation: rename tmux persistence out of the t3 namespace [ci skip]	2026-06-10 17:42:52 +00:00
tmux-persist-save.service	workstation: rename tmux persistence out of the t3 namespace [ci skip]	2026-06-10 17:42:52 +00:00
tmux-persist-save.timer	workstation: rename tmux persistence out of the t3 namespace [ci skip]	2026-06-10 17:42:52 +00:00
tmux-persist.sh	tmux-persist: add single-user restore mode (`restore [user]`)	2026-06-10 21:08:57 +00:00
update-istio-injection.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
update_k8s.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
update_node.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
upgrade_state.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
vault-kubeconfig	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
vault-token-renew.service	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
vault-token-renew.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
vault-token-renew.timer	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00
vzdump-vms.service	backup: image-level vzdump of hand-managed VMs (devvm) — close no-VM-backup DR gap	2026-06-09 21:41:54 +00:00
vzdump-vms.sh	backup: fix vzdump-vms exit code — EXIT-trap && short-circuit falsely failed OK runs	2026-06-09 21:41:54 +00:00
vzdump-vms.timer	backup: image-level vzdump of hand-managed VMs (devvm) — close no-VM-backup DR gap	2026-06-09 21:41:54 +00:00
woodpecker-register-forgejo-repo.sh	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip]	2026-06-09 08:45:33 +00:00