Commit Graph

7 Commits

Author SHA1 Message Date
Maarten 95316a5bee Add IncusOS break-fix guide, incusos-health helper, immutability rules
Phase 4: Explore IncusOS immutability via the /os/1.0 API:
- incusos-health script with --status/--partitions/--tpm/--services/--network/--update
- Validated: TPM encryption (root+swap), Secure Boot with 4 certs, ZFS pool
- Documented A/B partition scheme, update mechanics, security chain
- Defined 4 break-fix exercises (update observation, failed update, network
  isolation, full node failure) with safety rules and pickup points

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 15:57:43 +01:00
Maarten cc017b648d Add observability stack: Prometheus, Grafana, Loki with dashboards
Deploy and validate full monitoring stack on the Incus cluster:
- Prometheus scraping 9 targets (3 Incus nodes, 2 HAProxy, 3 node-exporters, self)
- Grafana with 3 dashboards (cluster overview, HAProxy traffic, host resources)
- Loki + Promtail for log aggregation
- OVN network forward for LAN access (192.168.103.201:3000/9090)
- deploy-observability script with --deploy/--status/--cleanup/--doctor
- Solved OVN ACL challenges: Aether default-deny requires monitoring-allow ACL

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 15:44:59 +01:00
Maarten 91a87456a5 Add API interception guide, incus-mitm helper, and payload rules
Phase 2: captured Aether↔Incus API traffic using the event stream.
Identified callers by TLS certificate fingerprint (CLI vs Aether vs
cluster nodes). Documented API patterns for stop/start/snapshot/exec.
Key finding: Aether subscribes to lifecycle events and reactively
queries affected resources.

Deliverables:
- notes/api-interception-guide.md: capture setup + all API patterns
- incusos/helpers/incus-mitm: --capture/--live/--analyze/--callers
- .claude/rules/aether-api-payloads.md: context for AI assistants
- .mcp.json: add --ignore-https-errors for Playwright

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 15:01:56 +01:00
Maarten 94eb3c7cc4 Add OVN deep-dive guide, ovn-inspect helper, and internals rules
Phase 1 of observability plan: mapped the complete OVN topology at
logical (NB), physical (SB), and OVS layers. Traced packet path from
LAN through VIP LB to HAProxy backends. Documented naming conventions,
gateway failover, Geneve tunnels, and MTU implications.

Deliverables:
- notes/ovn-deep-dive.md: comprehensive OVN internals guide
- incusos/helpers/ovn-inspect: --nb/--sb/--ovs/--full/--trace actions
- .claude/rules/ovn-internals.md: context for AI assistants

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 14:52:37 +01:00
Maarten c047bc6ed4 Add HAProxy LB guide, deploy script, Playwright helper; validate end-to-end
Tear down and fully re-deploy HAProxy infrastructure from scratch to
validate the guide reads correctly. Key fixes from re-validation:

- Fix session API field names: lb_vip (not vip), target_ip/target_port
  (not ip/port), health_check_enabled (not health_check)
- Document that Aether does NOT create the OVN load balancer — must be
  created manually via incus network load-balancer
- Fix internal VIP test: OVN LB doesn't hairpin, use localhost instead
- Document OVN LB has no health checking (HAProxy failover not instant)
- Add cleanup step for manually-created OVN LB
- Add aether-browser Playwright helper and .mcp.json config
- Add deploy-haproxy script, haproxy-lb rules, full guide

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 14:08:43 +01:00
Maarten 0100182dd8 Validate AWX guide, document Aether API, enforce API-first policy
- AWX guide: fix wrong project ID (6→9), add dynamic ID lookups,
  add missing Step 5 push commands, add migration pod to expected
  output, replace PostgreSQL workaround with Aether UI instructions,
  reference deploy-awx as automated path
- Aether guide: document JWT REST API (auth, clusters, ACLs),
  swagger UI at /api/docs, rate limits, coverage vs UI-only features
- CLAUDE.md: add Aether API capability, add interaction hierarchy
  (API first → UI fallback → never root/DB in guides)
- deploy-awx: fix PLAYBOOK_DIR from "ansible/playbooks" to "playbooks"
- post-deploy.yml: clarify cert push path vs EE runtime mount path

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 10:33:46 +01:00
Maarten c4efcbe30d Modularize CLAUDE.md: rules, helpers, skills (866→112 lines)
Split monolithic CLAUDE.md into three layers:
- CLAUDE.md (112 lines): behavioral focus, capabilities, safety rules
- .claude/rules/ (8 files, 503 lines): topic-specific context with
  paths: frontmatter for conditional loading
- .claude/skills/ (2 files): /screenshot and /proxmox-api commands

Add helper scripts (incusos/helpers/):
- proxmox-screenshot: SSH→screendump→PPM→PNG pipeline with VMID safety
- proxmox-api: authenticated API calls handling ! in token quoting

Fix git workflow (master branch, both origin+aether remotes).
Add capabilities section for screenshots, API calls, live AWX output.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 09:48:25 +01:00