---
category: reference
tags: [dev, vps, ops, v7]
last_updated: 2026-03-15
confidence: high
---

# V7 Operational Hardening

Ansible roles for backup, health checks, logging, and disk monitoring on the robot.wtf VPS. Run via `ansible-playbook -i ansible/inventory.yml ansible/v7-harden.yml`.

## Roles

### backup (roles/backup/)
SQLite `.backup` cron every 4 hours. Backs up `robot.db` and `mcp_oauth.db` to `/srv/backups/`. Prunes after 7 days. Uses `sqlite3 .backup` (handles WAL mode correctly without stopping services). VM-level backups via Proxmox snapshots are configured separately.

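Why `.backup` rather than a plain file copy, as an added example that is not the role's own code: Python's `sqlite3.Connection.backup()` drives the same SQLite online backup API as the CLI's `.backup` command. The `pages` table, its rows and the file names under the temp directory are constructed for the demo; the integrity check, `0600` mode and atomic rename are assumptions about what a careful backup job would do, not details this page states.

```python
import os, shutil, sqlite3, tempfile, time

def online_backup(src_path, dest_dir):
    """Snapshot a live SQLite DB via the online backup API, verify it, publish it."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    final = os.path.join(dest_dir, f"{os.path.basename(src_path)}.{stamp}.bak")
    tmp = final + ".tmp"
    src, dst = sqlite3.connect(src_path), sqlite3.connect(tmp)
    try:
        src.backup(dst)  # main file + WAL are read as one consistent snapshot
        verdict = dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        src.close()
        dst.close()
    if verdict != "ok":
        os.remove(tmp)
        raise RuntimeError(f"{src_path}: integrity_check said {verdict!r}")
    os.chmod(tmp, 0o600)    # assumption: a backup is as sensitive as the live DB
    os.replace(tmp, final)  # atomic rename: a restore never sees a partial file
    return final

def count_rows(path):
    """Row count of the constructed `pages` table, or None if the table is absent."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT count(*) FROM pages").fetchone()[0]
    except sqlite3.DatabaseError:
        return None
    finally:
        con.close()

def demo():
    with tempfile.TemporaryDirectory() as d:
        live, out = os.path.join(d, "robot.db"), os.path.join(d, "backups")
        os.mkdir(out)
        writer = sqlite3.connect(live)  # stays open, like a running service
        writer.execute("PRAGMA journal_mode=WAL")
        writer.execute("CREATE TABLE pages(id INTEGER PRIMARY KEY, body TEXT)")
        writer.executemany("INSERT INTO pages(body) VALUES (?)", [("constructed",)] * 100)
        writer.commit()  # committed, but so far only in robot.db-wal
        naive = shutil.copy(live, os.path.join(d, "naive-copy.db"))  # what `cp` grabs
        good = online_backup(live, out)
        result = {"naive_copy": count_rows(naive), "online_backup": count_rows(good)}
        writer.close()
        return result

if __name__ == "__main__":
    print(demo())
```
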
### healthcheck (roles/healthcheck/)
Per-minute cron checks all services: `systemctl is-active` + `curl localhost:port` for ports 8000-8003 and 8001. Emails via msmtp/Gmail on failure.

### logging (roles/logging/)
Configures systemd-journald: 500MB max, 200MB keep-free, 30-day retention. All services use `StandardOutput=journal`.

### diskmon (roles/diskmon/)
Hourly cron checks disk usage on `/` and `/srv`. Warns at 80%, critical at 90%. Emails via same msmtp config.

## Prerequisites
Set `smtp_user`, `smtp_password`, and `alert_email` in `ansible/group_vars/all/vault.yml` (encrypted) before running the hardening playbook.

## Semantic Search Switch
Switched from ChromaDB (server mode on port 8004) to FAISS + ONNX MiniLM embedding. ChromaDB service disabled. See [[Tasks/Semantic_Search_Multi_Tenant]] for the multi-tenant indexing issue.