bd daemon sync: 2026-01-07 10:45:55
parent e4d2aa619d
commit d44a46df19
@ -37,6 +37,7 @@
{"id":"ops-jrz1-6t9","title":"Evaluate llm CLI: per-repo vs system-wide install","description":"Simon Willison's llm CLI tool. Options: (1) System-wide via nixpkgs, (2) Per-user via uv/pip, (3) Per-project .envrc. Consider: multiple users, plugin ecosystem, update frequency.","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-03T09:35:13.705897177-08:00","created_by":"dan","updated_at":"2026-01-03T09:35:13.705897177-08:00"}
{"id":"ops-jrz1-7j4","title":"Git credential strategy for non-programmers","description":"Non-programmers can't manage SSH keys. Pre-configure git-credential-store or provide simple PAT workflow with docs. Store in persistent home with 600 perms.","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-05T15:32:19.673999683-08:00","updated_at":"2025-12-05T17:38:54.788694408-08:00","closed_at":"2025-12-05T17:38:54.788694408-08:00","dependencies":[{"issue_id":"ops-jrz1-7j4","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.139749437-08:00","created_by":"daemon","metadata":"{}"}]}
{"id":"ops-jrz1-7vf","title":"Enable ssh-hardening module (imported but not active)","description":"ssh-hardening module has critical bugs that break SSH when enabled:\n\n1. UsePAM=false - NixOS SSH auth requires PAM even for key-based auth\n2. Protocol=2 - deprecated in OpenSSH 7.6+, causes sshd to crash\n3. AllowUsers default [\"admin\"] - locks out root and all dev users\n\nPartial fixes applied (removed UsePAM/Protocol, made AllowUsers conditional) but module needs full review before enabling. See commit bcfdf96.\n\nTODO:\n- [ ] Test module in VM before production\n- [ ] Verify all settings against modern OpenSSH\n- [ ] Consider removing AllowUsers entirely or rethinking default\n- [ ] Add integration test","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-01-05T15:44:25.134403571-08:00","created_by":"dan","updated_at":"2026-01-05T23:09:25.390696268-08:00","closed_at":"2026-01-05T23:09:25.390696268-08:00","close_reason":"Wontfix: server already has solid SSH config (key-only, modern ciphers, no password auth). Module adds marginal hardening with deployment risk. Not worth the complexity."}
{"id":"ops-jrz1-85v","title":"npm registry blocked by Cloudflare (IP reputation)","description":"Cannot install/update/audit npm packages from VPS. Cloudflare blocking registry.npmjs.org and google.com. Likely IP reputation filtering on Vultr VPS range. Workarounds: use alternative registry, proxy through allowed endpoint, or request IP reputation review.","status":"open","priority":2,"issue_type":"bug","created_at":"2026-01-07T10:45:54.736616259-08:00","created_by":"dan","updated_at":"2026-01-07T10:45:54.736616259-08:00"}
{"id":"ops-jrz1-86g","title":"Add per-user resource limits (not just slice-wide)","description":"Currently user.slice has TasksMax=500, MemoryMax=80%, but individual user-XXXX.slice has infinity. One user can starve others. Add per-user limits via systemd drop-ins or user-XXXX.slice config.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-03T08:40:25.937465595-08:00","created_by":"dan","updated_at":"2026-01-03T10:00:36.908904643-08:00","closed_at":"2026-01-03T10:00:36.908904643-08:00","close_reason":"Added per-user limits via activation script drop-in: MemoryMax=50%, TasksMax=200, CPUQuota=200%"}
{"id":"ops-jrz1-88o","title":"Implement backup strategy for VPS","description":"No backups configured. Critical data: Matrix DB (622M), PostgreSQL (161M), Forgejo (2.5M), maubot (320K). No recovery path if disk fails. Need automated backups with off-site storage.","status":"closed","priority":1,"issue_type":"task","created_at":"2025-12-04T22:55:25.546850172-08:00","updated_at":"2025-12-05T00:56:27.720623612-08:00","closed_at":"2025-12-05T00:56:27.720623612-08:00"}
{"id":"ops-jrz1-8m7","title":"Add cgroups limits for user slices","description":"Add soft resource limits to prevent one user/agent from crashing server.\n\n## Config\n```nix\nsystemd.slices.\"user\".sliceConfig = {\n MemoryMax = \"80%\";\n TasksMax = 500;\n CPUWeight = 100; # Fair sharing, no hard quota\n};\n```\n\n## Behavior\n- Memory: Users collectively can't exceed 80% RAM\n- Tasks: Max 500 processes per user (prevents fork bombs)\n- CPU: Fair sharing when contended, bursts allowed\n\n## Testing\n- Verify with `systemctl show user-1001.slice`\n- Test fork bomb doesn't crash server","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T20:16:22.600133044-08:00","created_by":"dan","updated_at":"2026-01-02T21:02:35.455928291-08:00","closed_at":"2026-01-02T21:02:35.455928291-08:00","close_reason":"Closed"}
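Review bot: The ops-jrz1-85v record lists "use alternative registry" and "proxy through allowed endpoint" as workarounds while its own description says npm audit is also unavailable from the VPS, so the issue should state the integrity requirement for either workaround before anyone acts on it. Suggest adding to the description that installs through a mirror or proxy must be checked against the committed lockfile integrity hashes, and that the audit gap is tracked until the official registry is reachable again. The description also attributes the google.com failure to Cloudflare and calls the cause "likely IP reputation" without recording what was observed; adding the HTTP status or block-page text seen for each host would let whoever picks this up confirm the cause instead of re-diagnosing it.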