"vault backup: 2026-03-08 14:11:41 from Flow"

21-Server Reference/CLAUDE.md

@@ -0,0 +1,45 @@
+# Server Reference — Claude Instructions
+
+This directory is living documentation for a two-server home infrastructure. Your job is to keep it accurate as things change.
+
+## The Servers
+
+- **Homelab** — Primary server. SSH hostname: `homelab`. Dockhand API: `?env=1`
+- **Raspberry Pi** — Secondary server. SSH hostname: `raspi`. Dockhand API: `?env=2`
+
+## How to Pull Data
+
+Read `AI-UPDATE-INSTRUCTIONS.md` in this directory. It has every API endpoint, SSH command, and a step-by-step update checklist. Always start there.
+
+## Ground Rules
+
+- **Read before you write.** Always read the relevant doc file before comparing it to live data. Never overwrite blindly.
+- **Credentials live in `credentials.gpg`** — AES256 GPG symmetric. Do not write credentials in plaintext anywhere in this directory.
+- **Compose files contain redacted secrets** — use `<redacted>` as a placeholder for any passwords, tokens, or keys in compose blocks.
+- **This is a personal vault** — be direct, no fluff. Documentation should be useful to a new admin, not padded.
+
+## File Structure
+
+```
+21-Server Reference/
+├── CLAUDE.md                   ← You are here
+├── README.md                   ← Root index
+├── AI-UPDATE-INSTRUCTIONS.md   ← How to pull data and update docs
+├── credentials.gpg             ← Encrypted credentials
+├── homelab/                    ← Primary server docs
+│   ├── README.md
+│   ├── hardware.md
+│   ├── network.md
+│   ├── environments.md
+│   └── stacks/                 ← One file per Docker stack
+└── pihole/                     ← Raspberry Pi docs
+    ├── README.md
+    └── stacks/
+```
+
+## When Asked to Update
+
+1. Read `AI-UPDATE-INSTRUCTIONS.md`
+2. Read the existing doc files that are relevant
+3. Pull live data from Dockhand API (or SSH if needed)
+4. Update only what changed — don't rewrite sections that are still accurate

21-Server Reference/homelab/network.md

@@ -39,13 +39,13 @@ Each major service registers itself as a separate Tailscale node via the sidecar
 | 3000 | TCP | Gitea web UI |
 | 5001 | TCP | Linkwarden |
 | 5010 | TCP | OpenProject |
-| 5100 | TCP | Python process (unknown) |
+| 5100 | TCP | Kao |
 | 5555 | TCP | Dockhand |
 | 5678 | TCP | n8n |
 | 8001 | TCP | Gluetun HTTP control server |
 | 8388 | TCP/UDP | Gluetun Shadowsocks |
 | 8888 | TCP | Gluetun HTTP proxy |
-| 9170 | TCP | system-bridge |
+| 9170 | TCP | system-bridge (Home Assistant connector) |
 | 25565 | TCP | Minecraft |
 | 24454 | UDP | Minecraft voice chat |
 | 35000 | TCP | Homepage |
@@ -70,4 +70,4 @@ Each major service registers itself as a separate Tailscale node via the sidecar
 ## DNS
 
 - `127.0.0.53` — systemd-resolved (stub resolver)
-- Gluetun is configured to use `192.168.2.112` as DNS (likely the Pihole on the LAN)
+- Gluetun is configured to use `192.168.2.112` as DNS — this is the Raspberry Pi running Pi-hole (`raspi`)

21-Server Reference/homelab/stacks/README.md

@@ -30,12 +30,9 @@ Most stacks include a `tailscale/tailscale` sidecar that joins the Tailnet and m
 - **Dockhand vulnerability scanner caches** use named volumes (`dockhand-grype-db`, `dockhand-trivy-db`)
 
 ### Orphaned Volumes
-The following named volumes exist but are not attached to any running container — likely leftovers from deleted stacks:
-- `moltis_moltis-data`
-- `moltis_moltis-config`
-- `moltis_moltis-tailscale-state`
+The following named volumes exist but are not attached to any running container — leftovers from deleted stacks. Safe to prune:
 - `portainer_data`
 - `open-project_open_project_tailscale_state`
 - `openproject_openproject_tailscale_state` (from an older `openproject` stack iteration)
 
-> Orphaned networks (`blight_default`, old `openproject_default`) have been pruned.
+> Orphaned networks (`blight_default`, old `openproject_default`) and `moltis_*` volumes have been pruned.

21-Server Reference/homelab/stacks/matrix.md

@@ -144,7 +144,23 @@ volumes:
 | `/home/artanis/DockerFiles/Matrix/slackdata` | Slack bridge config/state |
 | `/home/artanis/DockerFiles/Matrix/discorddata` | Discord bridge config/state |
 
+## Matrix Relay
+
+`matrix-relay` is a small custom Python/Flask app. Its purpose is to receive Matrix push notifications and forward them to Home Assistant via webhook.
+
+- **Source:** `/home/artanis/DockerFiles/Matrix/matrix_relay.py`
+- **Dockerfile:** `/home/artanis/DockerFiles/Matrix/matrix_relay.Dockerfile`
+- **Listens on:** port `5101` (internal only)
+- **Forwards to:** `https://homeassistant.bunny-wyvern.ts.net/api/webhook/artanis_matrix_push`
+- **Stack rebuild docs:** check `/home/artanis/DockerFiles/Matrix/` for any additional docs
+
+To rebuild the image after source changes:
+```bash
+cd /home/artanis/DockerFiles/Matrix/matrix
+docker compose build matrix-relay
+docker compose up -d matrix-relay
+```
+
 ## Notes
-- The `matrix-relay` container is built from a local `matrix_relay.Dockerfile` located one directory up from the compose file (`/home/artanis/DockerFiles/Matrix/`)
 - Synapse does not expose any ports to the host — it is only reachable via the `matrix_matrix-internal` network and through Tailscale
 - The Tailscale sidecar attaches to `synapse`'s network namespace, so Synapse's internal ports (8008, 8448) become accessible at `matrix.bunny-wyvern.ts.net`

21-Server Reference/homelab/stacks/n8n.md

@@ -55,6 +55,6 @@ services:
 
 ## Notes
 - Database: SQLite (stored in the `n8n_storage` named volume)
-- `N8N_HOST` and `DOMAIN_NAME` are set via `.env` file at `/home/artanis/DockerFiles/n8n/.env`
+- `.env` at `/home/artanis/DockerFiles/n8n/.env` sets `DOMAIN_NAME=bunny-wyvern.ts.net` and `SUBDOMAIN=n8n`, resolving `N8N_HOST` to `n8n.bunny-wyvern.ts.net`
 - `N8N_RUNNERS_ENABLED=true` enables the task runner mode for better workflow execution performance
 - `N8N_SECURE_COOKIE` is commented out — HTTPS is handled by Tailscale so cookies are secure by default

21-Server Reference/pihole/README.md

@@ -6,12 +6,36 @@ Secondary server — a Raspberry Pi that supports the main [[../homelab/README|h
 
 | Property | Value |
 |---|---|
+| Hostname | `raspi` |
+| LAN IP | `192.168.2.112` |
 | Tailscale IP | `100.89.172.56` |
-| Tailscale Hostname | (on `bunny-wyvern.ts.net`) |
 | Connection to Dockhand | Hawser agent (env=2) |
 | Docker Files | `/home/artanis/` (Desktop + TS_KH_Bridge dirs) |
 
-> Hardware details (CPU, RAM, model) are not yet documented. To be filled in.
+## Hardware
+
+| Property | Value |
+|---|---|
+| Model | Raspberry Pi 4 Model B Rev 1.2 |
+| CPU | Cortex-A72 (ARM v8), 4 cores |
+| RAM | 1.8 GB total (~963 MB used at idle) |
+| Swap | 199 MB |
+| OS | Debian GNU/Linux 12 (Bookworm) |
+| Kernel | 6.12.47+rpt-rpi-v8 (aarch64) |
+| Storage | 32 GB microSD (`/dev/mmcblk0`) — 19 GB used |
+
+## Pi-hole
+
+Pi-hole runs **natively** on the Pi OS (not in Docker). It serves as the DNS server for the entire LAN — all clients including Gluetun on the homelab point to `192.168.2.112` for DNS.
+
+| Property | Value |
+|---|---|
+| Core | v6.3 |
+| Web Interface | v6.4 |
+| FTL | v6.4.1 |
+| Status | Blocking enabled, listening on port 53 (UDP+TCP, IPv4+IPv6) |
+
+> Updates available: Core → v6.4, Web → v6.4.1, FTL → v6.5. Run `sudo pihole -up` to update.
 
 ## Stacks
 
@@ -32,4 +56,4 @@ Secondary server — a Raspberry Pi that supports the main [[../homelab/README|h
 - No centralized `DockerFiles` directory — compose files are scattered across `~/Desktop/` and `~/TS_KH_Bridge/`
 - Home Assistant uses `network_mode: host` (full host network) for mDNS/Bluetooth/Zigbee discovery
 - Much lighter workload — only 3 stacks, 5 containers total
-- Pihole (DNS/ad-blocking) likely runs natively on the Pi OS, not in Docker — no container found for it
+- **Pi-hole** — Network-wide DNS ad-blocker running natively on the Pi OS. All LAN clients use `192.168.2.112` as their DNS server