From 4234351cfab73c304efcb37eef97e7bad44f4191 Mon Sep 17 00:00:00 2001
From: Cal Corum
Date: Thu, 2 Apr 2026 23:32:47 -0500
Subject: [PATCH 1/2] feat: add Ansible playbook to mask avahi-daemon on all Ubuntu VMs (#28) Closes #28 Adds mask-avahi.yml targeting the vms:physical inventory groups (all Ubuntu QEMU VMs + ubuntu-manticore). Also adds avahi masking to the cloud-init template so future VMs are hardened from first boot. Co-Authored-By: Claude Sonnet 4.6
---
ansible/playbooks/mask-avahi.yml | 43 +++++++++++++++++++
.../scripts/cloud-init-user-data.yaml | 7 ++-
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 ansible/playbooks/mask-avahi.yml
diff --git a/ansible/playbooks/mask-avahi.yml b/ansible/playbooks/mask-avahi.yml
new file mode 100644
index 0000000..0647d1e
--- /dev/null
+++ b/ansible/playbooks/mask-avahi.yml
@@ -0,0 +1,43 @@
+---
+# Mask avahi-daemon on all Ubuntu hosts
+#
+# Avahi (mDNS/Bonjour) is not needed in a static-IP homelab with Pi-hole DNS.
+# A kernel busy-loop bug in avahi-daemon was found consuming ~1.7 CPU cores
+# across 5 VMs. Masking prevents it from ever starting again, surviving reboots.
+#
+# Targets: vms + physical (all Ubuntu QEMU VMs and ubuntu-manticore)
+# Controller: ansible-controller (LXC 304 at 10.10.0.232)
+#
+# Usage:
+# # Dry run
+# ansible-playbook /opt/ansible/playbooks/mask-avahi.yml --check
+#
+# # Test on a single host first
+# ansible-playbook /opt/ansible/playbooks/mask-avahi.yml --limit discord-bots
+#
+# # Roll out to all Ubuntu hosts
+# ansible-playbook /opt/ansible/playbooks/mask-avahi.yml
+#
+# To undo: systemctl unmask avahi-daemon
+
+- name: Mask avahi-daemon on all Ubuntu hosts
+ hosts: vms:physical
+ become: true
+
+ tasks:
+ - name: Stop avahi-daemon
+ ansible.builtin.systemd:
+ name: avahi-daemon
+ state: stopped
+ ignore_errors: true
+
+ - name: Mask avahi-daemon
+ ansible.builtin.systemd:
+ name: avahi-daemon
+ masked: true
+
+ - name: Verify avahi is masked
+ ansible.builtin.command: systemctl is-enabled avahi-daemon
+ register: avahi_status
+ changed_when: false
+ failed_when: avahi_status.stdout | trim != 'masked'
diff --git a/vm-management/scripts/cloud-init-user-data.yaml b/vm-management/scripts/cloud-init-user-data.yaml
index 23d1ffe..f504a55 100644
--- a/vm-management/scripts/cloud-init-user-data.yaml
+++ b/vm-management/scripts/cloud-init-user-data.yaml
@@ -67,10 +67,15 @@ runcmd: # Add cal user to docker group (will take effect after next login) - usermod -aG docker cal - + # Test Docker installation - docker run --rm hello-world + # Mask avahi-daemon — not needed in a static-IP homelab with Pi-hole DNS, + # and has a known kernel busy-loop bug that wastes CPU + - systemctl stop avahi-daemon || true + - systemctl mask avahi-daemon + # Write configuration files write_files: # SSH hardening configuration
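Review bot: The Stop and Mask tasks name only `avahi-daemon`, i.e. the service unit, while Ubuntu's avahi-daemon package normally also ships `avahi-daemon.socket`; masking the service blocks activation, but the socket unit likely stays loaded and listening, and stopping the service alone will warn that it can still be triggered by the socket. Consider running both tasks over the two units, for example `loop: [avahi-daemon.service, avahi-daemon.socket]` with `name: "{{ item }}"`, and checking both in the verify task. The same gap is in the two `systemctl` lines this patch adds to cloud-init-user-data.yaml, where `systemctl mask --now avahi-daemon.service avahi-daemon.socket` would cover both units. Separately, `ignore_errors: true` on the stop task hides every failure rather than only a missing unit. Under the documented `--check` dry run the verify command is not executed, so its `failed_when` on stdout will probably fail the run; a `when: not ansible_check_mode` guard would avoid that.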
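Review bot: The two avahi lines are appended after `docker run --rm hello-world`, the last of the visible `runcmd` steps, so on a fresh VM whose image ships avahi enabled the daemon stays active for the whole first-boot provisioning run, which is weaker than the "hardened from first boot" wording in the commit message. `systemctl mask` does not depend on the unit being running or even installed yet, so the lines could move to the top of `runcmd` to shrink that window. The `runcmd` list starts outside this hunk, so the earlier steps and their duration are not visible here.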
From 9e8346a8ab4211c77b454f440d7cd7368ec544c3 Mon Sep 17 00:00:00 2001
From: Cal Corum
Date: Thu, 2 Apr 2026 23:57:55 -0500
Subject: [PATCH 2/2] =?UTF-8?q?chore:=20decommission=20VM=20105=20(docker-?= =?UTF-8?q?vpn)=20=E2=80=94=20repo=20cleanup=20(#20)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
VM 105 was already destroyed on Proxmox. This removes stale references: - Delete server-configs/proxmox/qemu/105.conf - Comment out docker-vpn entries in example SSH config and server inventory - Move VM 105 from Stopped/Investigate to Removed in upgrade plan - Check off decommission task in wave2 migration results Closes #20 Co-Authored-By: Claude Opus 4.6 (1M context)
---
networking/examples/server_inventory.yaml | 13 +++++++------
networking/examples/ssh-homelab-setup.md | 13 +++++++------
server-configs/proxmox/qemu/105.conf | 15 ---------------
.../proxmox-7-to-9-upgrade-plan.md | 4 ++--
vm-management/wave2-migration-results.md | 2 +-
5 files changed, 17 insertions(+), 30 deletions(-)
delete mode 100644 server-configs/proxmox/qemu/105.conf
diff --git a/networking/examples/server_inventory.yaml b/networking/examples/server_inventory.yaml
index 8f0dd87..7697e56 100644
--- a/networking/examples/server_inventory.yaml
+++ b/networking/examples/server_inventory.yaml
@@ -47,12 +47,13 @@ home_network: services: ["media", "transcoding"] description: "Tdarr media transcoding" - vpn_docker: - hostname: "10.10.0.121" - port: 22 - user: "cal" - services: ["vpn", "docker"] - description: "VPN and Docker services" + # DECOMMISSIONED: vpn_docker (10.10.0.121) - VM 105 destroyed 2026-04 + # vpn_docker: + # hostname: "10.10.0.121" + # port: 22 + # user: "cal" + # services: ["vpn", "docker"] + # description: "VPN and Docker services" remote_servers: akamai_nano:
diff --git a/networking/examples/ssh-homelab-setup.md b/networking/examples/ssh-homelab-setup.md
index 2ce723e..8cd25a5 100644
--- a/networking/examples/ssh-homelab-setup.md
+++ b/networking/examples/ssh-homelab-setup.md
@@ -23,7 +23,7 @@ servers: pihole: 10.10.0.16 # Pi-hole DNS and ad blocking sba_pd_bots: 10.10.0.88 # SBa and PD bot services tdarr: 10.10.0.43 # Media transcoding - vpn_docker: 10.10.0.121 # VPN and Docker services + # vpn_docker: 10.10.0.121 # DECOMMISSIONED — VM 105 destroyed, migrated to arr-stack LXC 221 ``` ### Cloud Servers
@@ -175,11 +175,12 @@ Host tdarr media Port 22 IdentityFile ~/.ssh/homelab_rsa -Host docker-vpn - HostName 10.10.0.121 - User cal - Port 22 - IdentityFile ~/.ssh/homelab_rsa +# DECOMMISSIONED: docker-vpn (10.10.0.121) - VM 105 destroyed, migrated to arr-stack LXC 221 +# Host docker-vpn +# HostName 10.10.0.121 +# User cal +# Port 22 +# IdentityFile ~/.ssh/homelab_rsa # Remote Cloud Servers Host akamai-nano akamai
diff --git a/server-configs/proxmox/qemu/105.conf b/server-configs/proxmox/qemu/105.conf
deleted file mode 100644
index 9a81d11..0000000
--- a/server-configs/proxmox/qemu/105.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-agent: 1
-boot: order=scsi0;net0
-cores: 8
-memory: 16384
-meta: creation-qemu=6.1.0,ctime=1646688596
-name: docker-vpn
-net0: virtio=76:36:85:A7:6A:A3,bridge=vmbr0,firewall=1
-numa: 0
-onboot: 1
-ostype: l26
-scsi0: local-lvm:vm-105-disk-0,size=256G
-scsihw: virtio-scsi-pci
-smbios1: uuid=55061264-b9b1-4ce4-8d44-9c187affcb1d
-sockets: 1
-vmgenid: 30878bdf-66f9-41bf-be34-c31b400340f9
diff --git a/vm-management/proxmox-upgrades/proxmox-7-to-9-upgrade-plan.md b/vm-management/proxmox-upgrades/proxmox-7-to-9-upgrade-plan.md
index e806ce5..043e79d 100644
--- a/vm-management/proxmox-upgrades/proxmox-7-to-9-upgrade-plan.md
+++ b/vm-management/proxmox-upgrades/proxmox-7-to-9-upgrade-plan.md
@@ -28,8 +28,8 @@ tags: [proxmox, upgrade, pve, backup, rollback, infrastructure] **Production Services** (7 LXC + 7 VMs) — cleaned up 2026-02-19: - **Critical**: Paper Dynasty/Major Domo (VM 115), Discord bots (VM 110), Gitea (LXC 225), n8n (LXC 210), Home Assistant (VM 109), Databases (VM 112), docker-home/Pi-hole 1 (VM 106) - **Important**: Claude Discord Coordinator (LXC 301), arr-stack (LXC 221), Uptime Kuma (LXC 227), Foundry VTT (LXC 223), Memos (LXC 222) - **Stopped/Investigate**: docker-vpn (VM 105, decommissioning), docker-home-servers (VM 116, needs investigation) - **Removed (2026-02-19)**: 108 (ansible), 224 (openclaw), 300 (openclaw-migrated), 101/102/104/111/211 (game servers), 107 (plex), 113 (tdarr - moved to .226), 114 (duplicate arr-stack), 117 (unused), 100/103 (old templates) + - **Stopped/Investigate**: docker-home-servers (VM 116, needs investigation) + - **Removed (2026-02-19)**: 108 (ansible), 224 (openclaw), 300 (openclaw-migrated), 101/102/104/111/211 (game servers), 107 (plex), 113 (tdarr - moved to .226), 114 (duplicate arr-stack), 117 (unused), 100/103 (old templates), 105 (docker-vpn - decommissioned 2026-04) **Key Constraints**: - Home Assistant VM 109 requires dual network (vmbr1 for Matter support)
diff --git a/vm-management/wave2-migration-results.md b/vm-management/wave2-migration-results.md
index 133827d..7f3a009 100644
--- a/vm-management/wave2-migration-results.md
+++ b/vm-management/wave2-migration-results.md
@@ -262,7 +262,7 @@ When connecting Jellyseerr to arr apps, be careful with tag configurations - inv - [x] Test movie/show requests through Jellyseerr ### After 48 Hours - [ ] Decommission VM 121 (docker-vpn) + - [x] Decommission VM 121 (docker-vpn) - [ ] Clean up local migration temp files (`/tmp/arr-config-migration/`) ---