docs: record Serenity cloudflared audit
Some checks failed
secret-guardrails / gitleaks (push) Has been cancelled
secret-guardrails / artifact-secret-scan (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-25 22:00:23 +00:00
parent eba18beabe
commit 60de92339d
3 changed files with 33 additions and 8 deletions

View File

@@ -168,6 +168,25 @@ Before deleting each one:
- It is already documented in repo docs as dead/stale.
- Pangolin/Newt is the active exposure pattern now.
- Live audit on 2026-05-25 showed the container is a remote-managed Cloudflare Tunnel carrying a stale legacy config, not an active Serenity service path.
### Live audit findings (2026-05-25)
- `Unraid-Cloudflared-Tunnel` is healthy at the transport layer (`/ready` reported 4 ready connections), but metrics showed `cloudflared_tunnel_total_requests 0` and `cloudflared_tunnel_request_errors 0` for the current run.
- Startup logs exposed the remote-managed ingress set as legacy hostnames pointed at old `192.168.1.x` origins:
- `wazuh.paccoco.com` -> `https://192.168.1.102`
- `remotely.paccoco.com` -> `http://192.168.1.180:5001`
- `hp.paccoco.com` -> `http://192.168.1.180:3000`
- `octoprint.paccoco.com` -> `http://192.168.1.52`
- `audiobookshelf.paccoco.com` -> `http://192.168.1.5:13378`
- `spoolman.paccoco.com` -> `http://192.168.1.202:7912`
- `node1.paccoco.com` -> `https://192.168.1.189:8080`
- `hp2.paccoco.com` -> `http://192.168.1.224:3000`
- `panel.paccoco.com` -> `https://192.168.1.189`
- `nextcloud.paccoco.com` -> `http://192.168.1.5:11000`
- The tunnel has no local config files under `/mnt/user/appdata/cloudflared`; it is driven entirely by Cloudflare-side config plus a token.
- Public checks for those hostnames currently resolve to `172.245.79.139` and return either live responses or front-door 404s without producing any new tunnel traffic, indicating the present public path is elsewhere and not traversing this Serenity container.
- Repo/docs no longer identify this tunnel as an intended live exposure path; the only repeated modern exposure requirement in Serenity docs is the local Pangolin/Newt lane.
### Preconditions
@@ -175,12 +194,17 @@ Before deleting each one:
2. verify no local notes still treat it as the active exposure path
3. verify Newt-based routes are the real live path
### Action
Status after live audit:
- (1) satisfied enough for container retirement: no observed current public traffic is reaching this tunnel
- (2) satisfied: local docs treat it as stale legacy deadwood, not the intended active path
- (3) satisfied for Serenity-hosted apps: Pangolin/Newt remains the intentionally preserved exposure path
- stop container
- observe briefly for any missed dependency
- remove container
- leave appdata for later deletion if not immediately certain
### Recommended retirement path
1. stop the container and watch briefly for any unexpected complaint or new public breakage
2. remove the container
3. keep `/mnt/user/appdata/cloudflared` during a cooling-off window even though it appears empty/unneeded
4. later, from the Cloudflare side, delete or repoint the stale tunnel config/hostnames if they still exist there
## Wave 1-D: DB-backed migration ordering

View File

@@ -66,8 +66,8 @@ These are live today, but they are not good long-term reasons to keep Serenity a
These should be treated as cleanup targets unless a specific live dependency is rediscovered.
- `Unraid-Cloudflared-Tunnel`
- already documented as dead/stale in repo docs
- should be removed after one final dependency check
- live audit on 2026-05-25 showed a remote-managed Cloudflare Tunnel with stale legacy `192.168.1.x` origins and zero observed proxied requests on the current run
- public hostnames in its remote config now appear to be served elsewhere, so it should be removed after a brief stop/remove observation window rather than treated as an active dependency
- `binhex-official-pihole`
- `pihole-serenity`
- `unbound-pihole-serenity`

View File

@@ -69,7 +69,8 @@ Per-service gotchas that aren't bugs but will bite you if you forget them.
### Unraid-Cloudflared-Tunnel
- Older notes called this dead, but live inspection on 2026-05-25 showed active Cloudflare QUIC edge registrations and a configured tunnel token.
- Treat it as a live service pending usage audit, not a safe blind-removal candidate.
- Follow-up audit showed it is only transport-alive: current-run metrics reported zero proxied requests, its remote-managed ingress config still points at legacy `192.168.1.x` origins, and the listed public hostnames appear to be served elsewhere now.
- Treat it as removable stale Cloudflare deadwood after a brief stop/remove observation window; preserve appdata during the cooling-off period and clean up Cloudflare-side tunnel config separately.
### Serenity Wave 1 cleanup guardrails
- Do not assume `Unraid-Cloudflared-Tunnel` is dead just because it looked obsolete in older notes; live inspection on 2026-05-25 showed active Cloudflare tunnel registrations, so audit usage before removal.