Configure registry.directlx.dev to route through Nginx Proxy Manager
(192.168.200.71) for SSL/TLS termination, instead of direct access to
Docker registry at 192.168.200.200:5000.
Changes:
- Updated Pi-hole DNS to route registry.directlx.dev → NPM (192.168.200.71)
- Added gitea.directlx.dev to DNS records (previously missing)
- Created comprehensive NPM configuration guide with Docker-specific Nginx config
- Created Docker registry usage documentation with HTTPS examples
- Added local DNS configuration playbooks and documentation
Benefits:
- HTTPS encryption for Docker registry traffic
- Consistent SSL certificate management via Let's Encrypt
- No insecure-registry configuration needed on Docker clients
- Centralized proxy management through NPM
Next step: Configure NPM proxy host following docs/NPM-REGISTRY-SETUP.md
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
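An added example, not code from this repository or from the commit above: a small Python check of the outcome the commit describes, a Docker registry reached only through a TLS-terminating proxy. It assumes (hypothetically) that registry.directlx.dev answers the Distribution API at /v2/ and that a client may still carry a stale "insecure-registries" entry in /etc/docker/daemon.json from the old direct 192.168.200.200:5000 setup. The expected /v2/ response shape (200 or 401 plus the Docker-Distribution-Api-Version header) is from the Registry HTTP API v2; the daemon.json sample is constructed.

```python
"""Added example: verify a Docker registry behind a TLS-terminating reverse
proxy (e.g. Nginx Proxy Manager) and spot stale insecure-registry exceptions.

Assumptions (not from the commit): the registry is reachable at
https://registry.directlx.dev/v2/ and clients configure Docker via
/etc/docker/daemon.json.
"""
import json
import ssl
import urllib.request
from urllib.error import HTTPError

REGISTRY_URL = "https://registry.directlx.dev/v2/"   # assumed hostname


def evaluate_v2_response(status: int, headers: dict) -> list[str]:
    """Return problems found in a /v2/ response (empty list means healthy).

    A v2 registry answers /v2/ with 200 (open) or 401 (auth required) and
    advertises Docker-Distribution-Api-Version: registry/2.0. A proxy that
    swallows the header or returns 502 breaks `docker login` / `docker push`.
    """
    problems = []
    if status not in (200, 401):
        problems.append(f"unexpected status {status} for /v2/")
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("docker-distribution-api-version") != "registry/2.0":
        problems.append("missing Docker-Distribution-Api-Version: registry/2.0 "
                        "(proxy not forwarding upstream headers?)")
    return problems


def probe_registry(url: str = REGISTRY_URL) -> list[str]:
    """GET /v2/ with certificate and hostname verification ON (default
    context). This is a live network call and is not part of the offline
    test; it is what a client would experience after removing the
    insecure-registry exception."""
    ctx = ssl.create_default_context()           # verifies chain + hostname
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return evaluate_v2_response(resp.status, dict(resp.headers))
    except HTTPError as err:                      # 401 surfaces as an exception
        return evaluate_v2_response(err.code, dict(err.headers))


def stale_insecure_registries(daemon_json: str, host: str) -> list[str]:
    """Entries of daemon.json "insecure-registries" that name `host`
    (with or without a port). Once TLS terminates at the proxy, these should
    go away so the Docker client enforces certificate checks again."""
    cfg = json.loads(daemon_json)
    return [e for e in cfg.get("insecure-registries", [])
            if e.split(":")[0] == host]


if __name__ == "__main__":
    # Constructed sample daemon.json: the plain-HTTP exception left over from
    # the direct-access configuration.
    sample = '{"insecure-registries": ["192.168.200.200:5000"]}'
    print("stale exceptions:", stale_insecure_registries(sample, "192.168.200.200"))
    print("registry problems:", probe_registry())
```

Run it on a Docker client after the NPM proxy host is live; an empty list from both calls is the goal state described in the commit.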
This commit resolves connectivity issues for www.directlx.dev by:
1. Add nginx firewall configuration (host_vars/nginx.yml)
   - Allow ports 80/tcp (HTTP) and 443/tcp (HTTPS)
   - Enables NPM to proxy traffic to nginx backend
2. Add www.directlx.dev DNS record via Pi-hole
   - Configure playbooks/configure-directlx-dev-dns.yml
   - Route www.directlx.dev → NPM (192.168.200.71)
   - NPM then proxies to nginx (192.168.200.65)
Problem: After firewall changes, nginx server only allowed SSH (port 22),
blocking HTTP/HTTPS from NPM. Additionally, Pi-hole had no DNS record for
www.directlx.dev subdomain.
Solution: Applied firewall rules and DNS configuration to complete the
proxy chain: Browser → Pi-hole DNS → NPM → nginx.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Created reusable Ansible playbook for creating PostgreSQL users with
flexible privilege options (superuser, createdb, createrole). Features
include auto-generated secure passwords, credential file export, and
comprehensive documentation with examples.
Files added:
- playbooks/create-postgres-user.yml - Automated user creation
- docs/POSTGRES-USER-MANAGEMENT.md - Usage guide and examples
Initial use case: Created hiveops superuser for HiveOps application.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
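An added example, not the repository's playbook: the three pieces a safe "create PostgreSQL user" automation needs, written in Python so they can be checked offline. It generates the password from the secrets module, builds the CREATE ROLE statement with the role name quoted as an identifier and the password as a literal (so a hostile name cannot break out of the statement), and writes the credential file with mode 0600. The role name, path and flag set are constructed sample values, not the playbook's.

```python
"""Added example: building blocks for automated PostgreSQL user creation.

Not the project's code. Sample role names and paths are constructed.
"""
import os
import secrets
import stat
import tempfile


def generate_password(nbytes: int = 24) -> str:
    """URL-safe random password from os.urandom; 24 bytes = 192 bits of
    entropy, rendered as 32 characters."""
    return secrets.token_urlsafe(nbytes)


def quote_ident(name: str) -> str:
    """Quote a SQL identifier: double quotes, embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Quote a SQL string literal: single quotes, embedded quotes doubled."""
    return "'" + value.replace("'", "''") + "'"


def create_role_sql(user: str, password: str, *, superuser: bool = False,
                    createdb: bool = False, createrole: bool = False) -> str:
    """CREATE ROLE with only the requested privilege flags set.

    Explicit NO* flags keep the grant minimal; quoting keeps a name such as
    x"; DROP ROLE admin; -- inert instead of becoming a second statement.
    """
    opts = ["LOGIN",
            "SUPERUSER" if superuser else "NOSUPERUSER",
            "CREATEDB" if createdb else "NOCREATEDB",
            "CREATEROLE" if createrole else "NOCREATEROLE"]
    return (f"CREATE ROLE {quote_ident(user)} WITH {' '.join(opts)} "
            f"PASSWORD {quote_literal(password)};")


def write_credentials(path: str, user: str, password: str) -> int:
    """Write the credentials to `path`, created 0600 from the start so no
    other local user can read the password; returns the final mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"PGUSER={user}\nPGPASSWORD={password}\n")
    os.chmod(path, 0o600)   # tighten a pre-existing file with wider bits
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    pw = generate_password()
    print(create_role_sql("hiveops", pw, superuser=True))
    with tempfile.TemporaryDirectory() as d:
        mode = write_credentials(os.path.join(d, "hiveops.env"), "hiveops", pw)
        print("credential file mode:", oct(mode))
```

In an Ansible playbook the equivalent is `community.postgresql.postgresql_user` with `no_log: true` on the task and `mode: "0600"` on the exported file; the statement builder above shows what that module protects you from when role names come from variables.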
Created comprehensive project configuration for Claude Code:
- Complete infrastructure overview (16 servers)
- Ansible command reference
- Playbook execution patterns
- Security operations guide
- Configuration management patterns
- Firewall, SSH, SSL offloading procedures
- Troubleshooting guide
- Common tasks with examples
- Security best practices
- Maintenance schedules
This provides Claude Code with project-specific guidance when
working in this repository, complementing the version-controlled
configuration in dlx-claude repository.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changed from invalid '--vacuum=time:30d' to correct '--vacuum-time=30d'
This command now properly compresses and removes old journal logs.
Test result: Freed 1.9GB on proxmox-00
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Remove document separators (---) between plays in multi-play playbooks.
Ansible expects multiple plays to be in a single YAML document, not
separated by document delimiters.
Fixed files:
- remediate-storage-critical-issues.yml
- remediate-docker-storage.yml
- remediate-stopped-containers.yml
- configure-storage-monitoring.yml
All playbooks now pass ansible-playbook --syntax-check validation.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
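An added example, not one of the repository's playbooks: a lint-and-fix helper for the mistake the commit describes. Ansible loads a playbook as a single YAML document containing a list of plays, so every `---` after the first starts a new document that `ansible-playbook` rejects. The helper works on the text directly (no PyYAML needed), reports the offending line numbers, and merges the plays back into one document. The sample playbook is constructed.

```python
"""Added example: detect and repair multi-play playbooks that were split into
several YAML documents with '---' separators. Not the project's code.

Only unindented, bare '---' lines count as document markers; an indented
'---' inside a task (e.g. in a block scalar) is left alone.
"""


def extra_document_separators(text: str) -> list[int]:
    """1-based line numbers of bare '---' lines after the first one."""
    found, seen_first = [], False
    for n, line in enumerate(text.splitlines(), 1):
        if line.rstrip() == "---":
            if seen_first:
                found.append(n)
            seen_first = True
    return found


def merge_documents(text: str) -> str:
    """Drop every bare '---' after the first so all plays share one document.

    Idempotent; the top-level '- name:' list items of each play already sit
    at the same indentation, so nothing else needs to move.
    """
    out, seen_first = [], False
    for line in text.splitlines():
        if line.rstrip() == "---":
            if seen_first:
                continue
            seen_first = True
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: two plays separated by a second document marker,
# the shape that fails `ansible-playbook --syntax-check`.
SAMPLE = """---
- name: Prune Docker storage
  hosts: docker_hosts
  tasks:
    - name: Remove dangling images
      command: docker system prune -f
---
- name: Report
  hosts: all
  tasks:
    - debug:
        msg: done
"""

if __name__ == "__main__":
    print("extra separators at lines:", extra_document_separators(SAMPLE))
    print(merge_documents(SAMPLE))
```

Run `extra_document_separators` over `playbooks/*.yml` in a pre-commit hook to catch the regression before `--syntax-check` does.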
- Add MySQL host_vars with firewall rules for port 3306
- Enable IP forwarding on Docker hosts (hiveops, smartjournal)
- Fix container-to-external-network connectivity issue
The IP forwarding setting was previously disabled by the common role's
security defaults, preventing Docker containers from reaching external
databases. This change overrides that setting for hosts running Docker.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Pi-hole v6 uses pihole.toml hosts array instead of custom.list.
Updated playbook to modify toml config directly via Python script.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Proxmox uses its own firewall (pve-firewall) and doesn't need UFW.
This prevents accidental lockout of web UI (port 8006).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- playbooks/pihole-dns.yml: Configure local DNS records
- templates/pihole-custom-list.j2: DNS records template
Domain: lab.directlx.dev
Records for all infrastructure hosts with short and FQDN names.
Usage: ansible-playbook playbooks/pihole-dns.yml
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
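An added example that serves both Pi-hole commits above (the pihole.toml hosts array for v6 and the custom.list template for v5); it is not the repository's playbook, template or Python script. It renders one short-name and one FQDN record per host under lab.directlx.dev, emits them as custom.list lines, and rewrites the existing `hosts = [...]` array in a pihole.toml fragment in place. The inventory, the Pi-hole address and the toml fragment are constructed samples; only the NPM and nginx IPs are taken from the commits.

```python
"""Added example: local DNS records for Pi-hole in both formats.

Not the project's code. v5 writes /etc/pihole/custom.list ('IP name' per
line); v6 keeps records in the dns.hosts array of pihole.toml.
"""
import re

DOMAIN = "lab.directlx.dev"


def dns_records(hosts: dict[str, str], domain: str = DOMAIN) -> list[str]:
    """'IP name' entries, short name then FQDN for each host, sorted by name."""
    records = []
    for name, ip in sorted(hosts.items()):
        records.append(f"{ip} {name}")
        records.append(f"{ip} {name}.{domain}")
    return records


def render_custom_list(records: list[str]) -> str:
    """Pi-hole v5 custom.list: one 'IP hostname' per line."""
    return "\n".join(records) + "\n"


def render_hosts_array(records: list[str]) -> str:
    """TOML array for the Pi-hole v6 hosts key (placed under [dns])."""
    inner = ", ".join('"' + r + '"' for r in records)
    return f"hosts = [{inner}]"


_HOSTS_KEY = re.compile(r"^([ \t]*)hosts\s*=\s*\[.*?\]", re.M | re.S)


def update_pihole_toml(toml_text: str, records: list[str]) -> str:
    """Replace the existing hosts = [...] array (single- or multi-line) in a
    pihole.toml, keeping its indentation and every other key untouched; if
    the key is absent, append it. Comment lines never match because the
    pattern anchors on 'hosts =' at the start of a line."""
    new = render_hosts_array(records)
    if _HOSTS_KEY.search(toml_text):
        return _HOSTS_KEY.sub(lambda m: m.group(1) + new, toml_text, count=1)
    return toml_text.rstrip("\n") + "\n" + new + "\n"


# Constructed samples.
INVENTORY = {
    "npm": "192.168.200.71",     # from the commits
    "nginx": "192.168.200.65",   # from the commits
    "pihole": "192.168.200.53",  # assumed
}
SAMPLE_TOML = """[dns]
  upstreams = ["192.168.200.1"]
  hosts = [
    "192.168.200.71 npm"
  ]
  domainNeeded = true
"""

if __name__ == "__main__":
    recs = dns_records(INVENTORY)
    print(render_custom_list(recs))
    print(update_pihole_toml(SAMPLE_TOML, recs))
```

For v6 the rewritten file still needs Pi-hole to reload (`pihole reloaddns`); editing the toml while pihole-FTL is running is what the playbook's Python step has to handle, and a regex rewrite like this is only safe because the array contains plain `"IP name"` strings.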
- ansible.cfg: Set remote_user to dlxadmin
- inventory: Add infrastructure, application hosts with IPs
- group_vars/all.yml: Set ansible_user to dlxadmin
- playbooks/site.yml: Enable common role
- roles/common: Baseline configuration role
  - Package installation (Debian/RedHat/Arch)
  - Timezone and locale setup
  - User management with SSH keys
  - SSH hardening
  - UFW firewall and security settings
- scripts/create-user.sh: Create ansible user on servers
- USAGE.md: Project usage documentation
- HOSTS.md: Infrastructure host inventory
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Tests SSH connectivity and displays basic host info (OS, version).
Usage: ansible-playbook playbooks/ping.yml
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Script handles:
- Generating ed25519 SSH key if not present
- Setting up SSH for existing users
- Creating new users via admin account with:
  - Home directory and .ssh setup
  - sudo/wheel group membership
  - Passwordless sudo configuration
- Connection verification
Usage: ./scripts/setup-ssh.sh <ip> <user> [admin_user]
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Set up standard directory layout with:
- ansible.cfg with sensible defaults
- YAML inventory with example groups
- Main site playbook template
- Directories for roles, group_vars, host_vars, files, templates
- .gitignore for secrets, vault files, and SSH keys
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>