MajorLinux
155651c373
Two related additions covering the 2026-05-31 cutover-night incidents on majorlinux and majortoot-hetzner. ssh-socket-tailscale-race-condition.md (update Race 1 fix): - After=tailscaled.service Requires=tailscaled.service orders against the service becoming active, not against tailscale0 having an IPv4 — hosts kept losing SSH intermittently after reboots (incident: majorlinux + majortoot-hetzner 2026-05-31, during cutover-night Ansible reboot). - Canonical fix: a oneshot tailscale-wait-ready.service that polls `ip -4 -o addr show tailscale0` until an address is present, with ssh.socket After=/Requires= that service. Document the full evolution (2026-05-19 BindsTo → 2026-05-23 Requires → 2026-05-31 wait-ready) so future readers don't try the half-fixes thinking they're sufficient. - Add majortoot-hetzner to affected hosts. mastodon-post-install-hardening.md (new): Four upstream-install gaps that bit during the majortoot-hetzner cutover: 1. /home/mastodon at 0750 (useradd default) → nginx www-data can't traverse → every static asset 403s → unstyled "purple screen" in the browser while API/HTML still work through the puma proxy. 2. .env.production at 0644 (mastodon-setup default) → DB_PASS, SECRET_KEY_BASE, OTP_SECRET world-readable once gap (1) is fixed. 3. mastodon user shell at /usr/sbin/nologin → `su - mastodon` blocked. 4. rbenv init in .bashrc only → login shells don't source .bashrc; even when chained, Ubuntu's .bashrc returns early for non-interactive shells. Fix: .bash_profile sets up rbenv BEFORE sourcing .profile + .bashrc, so it works for both interactive and non-interactive logins. All four codified in MajorAnsible configure_mastodon_permissions.yml with self-asserting verification steps. 02-selfhosting/index.md + SUMMARY.md: Add a "Services" section to the selfhosting index linking the mastodon-post-install-hardening article (and the other orphaned services/ entries while there). SUMMARY.md gains one new entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
52 lines
2.2 KiB
Markdown
52 lines
2.2 KiB
Markdown
---
|
|
created: 2026-04-13T10:15
|
|
updated: 2026-05-31
|
|
---
|
|
# 🏠 Self-Hosting & Homelab
|
|
|
|
Guides for running your own services at home, including Docker, reverse proxies, DNS, storage, monitoring, and security.
|
|
|
|
## Docker & Containers
|
|
|
|
- [Self-Hosting Starter Guide](docker/self-hosting-starter-guide.md)
|
|
- [Docker vs VMs for the Homelab](docker/docker-vs-vms-homelab.md)
|
|
- [Debugging Broken Docker Containers](docker/debugging-broken-docker-containers.md)
|
|
|
|
## Reverse Proxies
|
|
|
|
- [Setting Up Caddy as a Reverse Proxy](reverse-proxy/setting-up-caddy-reverse-proxy.md)
|
|
|
|
## DNS & Networking
|
|
|
|
- [Tailscale for Homelab Remote Access](dns-networking/tailscale-homelab-remote-access.md)
|
|
|
|
## Storage & Backup
|
|
|
|
- [rsync Backup Patterns](storage-backup/rsync-backup-patterns.md)
|
|
|
|
## Monitoring
|
|
|
|
- [Tuning Netdata Web Log Alerts](monitoring/tuning-netdata-web-log-alerts.md)
|
|
- [Tuning Netdata Docker Health Alarms](monitoring/netdata-docker-health-alarm-tuning.md)
|
|
- [Deploying Netdata to a New Server](monitoring/netdata-new-server-setup.md)
|
|
|
|
## Services
|
|
|
|
- [Mastodon Instance Tuning](services/mastodon-instance-tuning.md)
|
|
- [Mastodon Post-Install Hardening (Permissions + Account)](services/mastodon-post-install-hardening.md)
|
|
- [Mastodon DB Maintenance](services/mastodon-db-maintenance.md)
|
|
- [Mastodon Federation](services/mastodon-federation.md)
|
|
- [Mastodon `--prune-profiles` Trap](services/mastodon-prune-profiles-trap.md)
|
|
- [Ghost SMTP via Mailgun](services/ghost-smtp-mailgun-setup.md)
|
|
- [Updating n8n Docker](services/updating-n8n-docker.md)
|
|
- [Claude Code Remote Control](services/claude-code-remote-control.md)
|
|
|
|
## Security
|
|
|
|
- [Linux Server Hardening Checklist](security/linux-server-hardening-checklist.md)
|
|
- [Standardizing unattended-upgrades with Ansible](security/ansible-unattended-upgrades-fleet.md)
|
|
- [Fail2ban Custom Jail: Apache 404 Scanner Detection](security/fail2ban-apache-404-scanner-jail.md)
|
|
- [Fail2ban Custom Jail: Apache PHP Webshell Probe Detection](security/fail2ban-apache-php-probe-jail.md)
|
|
- [Fail2ban Custom Jail: WordPress Login Brute Force](security/fail2ban-wordpress-login-jail.md)
|
|
- [SELinux: Fixing Fail2ban grep execmem Denial](security/selinux-fail2ban-execmem-fix.md)
|
|
- [UFW Firewall Management](security/ufw-firewall-management.md)
|