Check-in — 2026-06-23¶
End-of-session diary after Phase 8 pass-1 live deploy and ARA client wiring.
Prior snapshot: 2026-06-22 check-in · Phase 8 patching notes.
TL;DR¶
Phase 8 is live. Coordinated patching ran successfully from infra-services with
rich Discord + enriched ntfy notifications. ARA records playbook runs at
ara.infra.realemail.app. prox joined
ansible-pull (root-only hypervisor) after fixing SSH and bootstrap gaps. Docs and
cursor rules updated; push to main refreshes Cloudflare Pages.
Phase status¶
| Phase | Status | Notes |
|---|---|---|
| 8 — Coordinated OS patching | Live (pass-1) | Timer, waves, notifications, Grafana, ARA |
| 7R leftovers | Parked | Aqara HA, TP-Link EP10 |
| 9+ | Backlog | SIEM, InfluxDB consolidation, Proxmox guest review |
README Owner TODO rows for Phase 8 marked complete.
What shipped tonight¶
| Area | Outcome |
|---|---|
| Patch orchestrator | Live run — 3 hosts, Discord embed, exit 0 |
| Discord | Rich embeds via discord_patch_notify.py (#15–17) |
| ntfy | Tags, click, actions, Alertmanager ?template=alertmanager |
| ARA | ara_default callback + /etc/homelab/ara-callback.env on pull hosts |
| prox ansible-pull | Bootstrapped; age key + GitHub deploy key; pull success |
| CI | test-patch-ntfy, test-patch-discord, test-ara-client dry-run jobs |
| Ansible fixes | prox PermitRootLogin, skip timesyncd on PVE, tailscale SOPS guard |
flowchart LR
subgraph pull_hosts [ansible-pull hosts]
IS[infra-services]
SP[saltierpoop]
PX[prox]
end
ARA[(ARA API)]
IS -->|patch push| SP
IS -->|patch push root| PX
IS -->|patch self| IS
pull_hosts -->|ara_default callback| ARA
IS -->|orchestrator runs| ARAKnown gaps / lessons¶
| Issue | Cause | Mitigation in repo |
|---|---|---|
| prox SSH lockout | common_ssh_permit_root: no on root-only host |
host_vars/prox.yml → prohibit-password |
| prox ansible-pull fail | No age key; tailscale SOPS decrypt | Copy key on bootstrap; tailscale skips decrypt if key missing |
| Cursor → prox failed | Used someone@ not root@; WSL 1Password agent |
Use ssh proxbox (Windows) or infra-services-cursor + patch-controller jump |
| ARA empty UI | Wrong callback name + missing pip/plugin path | ara_default, ara-client.yml, ara-callback.env |
Parked: Discord forum threads per-host (documented as future in runbook only).
Parked: backup-fetch key corrupt on infra-services (separate from Phase 8).
What remains¶
| Item | Owner | Priority |
|---|---|---|
| Weekly timer only (no more manual patch needed) | — | Done — Sun 04:00 PT |
| Cloudflare Access on docs site | owner | Low |
| Komodo webhook (vs polling) | owner | Low |
| Aqara / TP-Link 7R | owner | When hardware ready |
| InfluxDB / SIEM / guest consolidation | owner | Next cohort |
Docs deploy¶
Push to main triggers
.github/workflows/docs.yml
→ hldocs-c0acdec9.pages.dev.