- Change default ALERTMANAGER_EMAIL_TO from admin@localhost to domain-based
- Use alerts@auth.jfraeys.com as default (configurable via env/vault)
- Remove hardcoded localhost email reference
Fixes: Alert delivery to proper domain email instead of localhost
- Enable SMTP with GF_SMTP_ENABLED: true
- Configure internal Postfix relay (postfix:25)
- Set FROM address to grafana@grafana.jfraeys.com
- Disable TLS verification for internal relay (GF_SMTP_SKIP_VERIFY)
- Clear username/password for unauthenticated internal relay
Note: Grafana role currently commented out in playbook (1GB node constraint)
- Add Python script to extract certificates from Traefik acme.json
- Mount extracted certs to /etc/ssl in container for TLS support
- Enable smtpd_tls_security_level: may for incoming STARTTLS
- Remove failed_when: false on cert extraction to catch failures early
- Fix relayhost username to default to password (Postmark server token auth)
- Change default Postmark port from 2525 to 587 (blocked on some networks)
- Create SSL directory before extraction
Fixes: SMTP authentication failures and enables TLS for Authelia password reset
- Add AI scrapers robots.txt update script with weekly cron job
- Add OIDC group claim and admin group configuration for Authelia
- Add UI settings (SHOW_USER_EMAIL: false)
- Increase memory limit to 512M
- Change default relay port from 587 to 2525 (Postmark)
- Add Docker provider environment variables for API version compatibility
- Configure for Postmark server token authentication
- Add vault vars include with traefik tag for CF_DNS_API_TOKEN availability
- Add Docker provider socket and API version to home compose
- Add Forgejo router to file provider as fallback (Docker provider broken due to API version mismatch)
- Fixes 404 errors on git.jfraeys.com when Docker provider fails
- Systemd service and timer for deployment orchestration
- Webhook listener for Git-triggered deployments
- Forgejo Actions workflow for CI/CD pipeline
- Deployment scripts with rollback capability
- Deploy token validation for security
- Add Redis cache support to Forgejo for improved performance
- Add AI scrapers blocking with update script and robots.txt
- Update Forgejo runner tasks with improved caching support
- Add OIDC authentication configuration tasks
- Add firewall role for UFW/iptables management
- Add fail2ban role for intrusion prevention with Docker-aware jails
- Add postfix role for mail relay capabilities
- Add backups role for automated infrastructure backups
- systemd timer for scheduled backups
- Backup scripts for Docker volumes and configurations
- Persist runner registration state by setting container working_dir to /data\n- Add post-register assertion that /opt/forgejo-runner/data/.runner exists
- Add infra_controller role to provision a dedicated user\n- Install register/deregister forced-command authorized_keys entries\n- Read SSH public keys from vault/env and restrict access by source IP
- Add app_ssh_access role to install forced-command keys for infra-register-stdin and infra-deregister\n- Ensure required infra-controller runtime directories exist on services host\n- Add helper script to generate/register both Actions SSH secrets and update vault public keys
