bd daemon sync: 2026-01-07 09:43:31
parent 2c885f335b
commit e992dd8cd8
@ -2,6 +2,7 @@
{"id":"ops-jrz1-03o","title":"Upgrade mautrix-slack to v25.11","description":"Upgrade is just flake update + deploy. Current deployed: v0.2.3+dev.unknown (Oct 13). Flake lock: v25.10 (Oct 22). Latest nixpkgs-unstable: v25.11. Run: nix flake update nixpkgs-unstable \u0026\u0026 deploy. May fix edit panic (ops-jrz1-qxr).","status":"closed","priority":2,"issue_type":"task","created_at":"2025-12-05T18:24:18.332067067-08:00","updated_at":"2025-12-05T19:07:09.156981447-08:00","closed_at":"2025-12-05T19:07:09.156981447-08:00"}
{"id":"ops-jrz1-0nt","title":"Enable fail2ban module (imported but not active)","description":"modules/security/fail2ban.nix is imported in hosts/ops-jrz1.nix but security.fail2ban-enhanced.enable is never set to true. SSH brute force protection is not active. Fix: Add security.fail2ban-enhanced.enable = true to hosts config.","status":"closed","priority":1,"issue_type":"bug","created_at":"2026-01-05T15:44:24.970052917-08:00","created_by":"dan","updated_at":"2026-01-05T22:58:18.196427827-08:00","closed_at":"2026-01-05T22:58:18.196427827-08:00","close_reason":"Wontfix: key-only SSH is sufficient. fail2ban adds complexity without real security value. If log noise becomes an issue, CrowdSec is the modern alternative."}
{"id":"ops-jrz1-0tk","title":"Set up backup strategy for /home dev directories","description":"User home directories contain work that should be backed up. Options: (1) Daily tarball to object storage, (2) Restic/borg to remote, (3) Syncthing to another host, (4) Just document that users should push to git. Consider: frequency, retention, restore process, cost.","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-03T14:17:56.208262155-08:00","created_by":"dan","updated_at":"2026-01-03T14:17:56.208262155-08:00"}
{"id":"ops-jrz1-13e","title":"Emes agent workflow rollout on ops-jrz1","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-07T09:43:31.294962856-08:00","created_by":"dan","updated_at":"2026-01-07T09:43:31.294962856-08:00"}
{"id":"ops-jrz1-1bk","title":"Add CPU watchdog timer","description":"Systemd timer that detects sustained CPU abuse and kills offending user.\n\n## Script: /usr/local/bin/cpu-watchdog\n```bash\n#\\!/usr/bin/env bash\n# Detect sustained CPU abuse, kill after 5 consecutive violations\nTHRESHOLD=180 # 180% CPU (almost 2 cores)\nCOUNTFILE=\"/var/lib/cpu-watchdog\"\nmkdir -p \"$COUNTFILE\"\n\nfor user in $(ls /home); do\n id \"$user\" \u0026\u003e/dev/null || continue\n pct=$(ps -u \"$user\" -o %cpu= 2\u003e/dev/null | awk '{s+=$1}END{print int(s)}')\n pct=${pct:-0}\n \n if [ \"$pct\" -gt \"$THRESHOLD\" ]; then\n count=$(cat \"$COUNTFILE/$user\" 2\u003e/dev/null || echo 0)\n count=$((count + 1))\n echo \"$count\" \u003e \"$COUNTFILE/$user\"\n logger -t cpu-watchdog \"User $user at ${pct}% CPU (strike $count/5)\"\n \n if [ \"$count\" -ge 5 ]; then\n /usr/local/bin/killswitch \"$user\" \"sustained CPU abuse (${pct}%)\"\n rm -f \"$COUNTFILE/$user\"\n fi\n else\n rm -f \"$COUNTFILE/$user\"\n fi\ndone\n```\n\n## Systemd timer\n```nix\nsystemd.services.cpu-watchdog = {\n script = ''/usr/local/bin/cpu-watchdog'';\n serviceConfig.Type = \"oneshot\";\n};\nsystemd.timers.cpu-watchdog = {\n wantedBy = [ \"timers.target\" ];\n timerConfig = {\n OnBootSec = \"1min\";\n OnUnitActiveSec = \"1min\";\n };\n};\n```\n\n## Behavior\n- Runs every minute\n- 5 consecutive minutes at \u003e180% CPU = kill\n- Resets counter if CPU drops below threshold","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T20:20:53.246401154-08:00","created_by":"dan","updated_at":"2026-01-02T21:02:35.469465906-08:00","closed_at":"2026-01-02T21:02:35.469465906-08:00","close_reason":"Closed","dependencies":[{"issue_id":"ops-jrz1-1bk","depends_on_id":"ops-jrz1-396","type":"blocks","created_at":"2026-01-02T20:21:14.270063028-08:00","created_by":"dan"}]}
{"id":"ops-jrz1-1kv","title":"Set up terminfo for xterm-ghostty and other modern terminals","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-03T11:34:42.133192121-08:00","created_by":"dan","updated_at":"2026-01-03T18:02:28.819727599-08:00","closed_at":"2026-01-03T18:02:28.819727599-08:00","close_reason":"Added pkgs-unstable.ghostty.terminfo and kitty.terminfo to configuration.nix, deployed successfully"}
{"id":"ops-jrz1-2bh","title":"Notification system for Claude agent input requests","description":"Notify phone when Claude Code needs input. Research notes:\n\nDetection options:\n- Claude Code hooks (check if CC has \"waiting for input\" hook)\n- Terminal idle detection (tmux/script watches for prompt pattern)\n- Process state (detect claude waiting on stdin)\n\nNotification services to evaluate:\n- ntfy.sh (free, self-hostable, good mobile apps)\n- Matrix (already running - could use dedicated room)\n- Pushover ($5 one-time, dead simple)\n- Custom webhook\n\nReference: granda.org article mentions \"Poke webhooks\"","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-05T17:25:32.788319213-08:00","created_by":"dan","updated_at":"2026-01-05T17:57:45.888639591-08:00"}
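Review bot: the ops-jrz1-13e record ("Emes agent workflow rollout on ops-jrz1"), which looks like the one added line in this hunk since its created_at matches the sync timestamp in the commit title, has no "description" field, unlike the other open tasks shown here (ops-jrz1-0tk and ops-jrz1-2bh), which spell out options and research notes. As an open priority 2 task it carries no scope, steps or completion criteria, and no "dependencies" entry tying it to related work. Suggest adding a description that states what the rollout covers on this host and what done looks like, either before the record syncs or as a follow-up update.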
|
||||
|
|
|
|||
Loading…
Reference in a new issue