WireGuard for private service access (kobodl behind VPN).
kobodl downloads and de-DRMs Kobo store purchases.
calibre-web serves the library at books.monotrope.au.
sync.sh script handles ongoing download + import workflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Config.yaml was bind-mounted, blocking runtime writes (/sethome).
Move it into the Docker volume via docker cp instead. Add
hermes-sync Makefile target that diffs remote config against local
before deploying, to catch runtime changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Drop the miniflux pip client in favour of requests (already in the
container). Add update_feed_filters (keeplist/blocklist regex),
toggle_bookmark, get_entry (full content), and category filtering.
Remove the pip install step from Ansible.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hermes plugins don't inherit container env vars. Switch the Miniflux
plugin to read credentials from a config.json written by Ansible,
and drop requires_env / container env vars.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Create external 'monotrope' Docker network so services can
communicate by container name
- Add Miniflux to the shared network (db stays on internal network)
- Add Hermes Miniflux plugin with list_feeds and get_unread_entries tools
- Mount plugin directory and pass Miniflux API key to Hermes container
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add Hermes (Nous Research LLM agent) with Telegram gateway,
Ansible provisioning, and Makefile targets
- Self-host JetBrains Mono and Spectral fonts (remove Google Fonts)
- Add "An Experiment in Self-Hosting" blog post
- Update CLAUDE.md with high-level server overview
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Pin Miniflux to 2.2.19, Gitea to 1.25 (from :latest)
- Add security headers (X-Content-Type-Options, X-Frame-Options,
Referrer-Policy, Permissions-Policy) to all Caddy sites
- Add Docker JSON log rotation (10m x 3 files) to all containers
- Add SHA256 checksum verification for GoatCounter binary download
- Install and configure unattended-upgrades for security patches
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Disable password auth, restrict root login, limit auth retries.
Add fail2ban with SSH jail (3 retries, 1hr ban). Remove setup.sh
which predated Ansible and was no longer used.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Docker Compose stack (Gitea + Postgres) on port 3000, SSH on 2222,
reverse-proxied via Caddy at git.monotrope.au.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add self-hosted GoatCounter via systemd binary service (stats.monotrope.au)
- Add Miniflux RSS reader via Docker Compose (reader.monotrope.au)
- Extend Ansible playbook with goatcounter and miniflux tags; all provisioning is idempotent
- Add Caddy reverse proxy blocks for both new services
- Inject GoatCounter script in baseof.html (production builds only)
- Add goatcounter and miniflux Makefile targets
- Rewrite CLAUDE.md to reflect actual project state
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
