7.9 KiB
7.9 KiB
Known Quirks
Per-service gotchas that aren't bugs but will bite you if you forget them.
PlausibleDeniability
n8n workflow 16 (NFS Watchdog)
- Runs
sudo docker restartandsudo /usr/bin/bash .../mount-unraid-nfs.shover SSH from n8n container - Requires a NOPASSWD sudoers rule or SSH commands will hang waiting for a password:
Add via
truenas_admin ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/bash /mnt/tank/docker/scripts/mount-unraid-nfs.shsudo visudo -f /etc/sudoers.d/n8n-watchdog - Must use
/usr/bin/bashnot/bin/bash— on TrueNAS SCALE, bash is at/usr/bin/bash. The sudoers rule and the workflow command must match exactly or sudo will prompt for a password. - SSH credential in n8n must use key-based auth (see n8n-workflows/README.md for keygen steps)
immich-ml
- Healthcheck has no curl/wget — uses
/proc/net/tcp6pattern - Cache goes to
/mnt/docker-ssd/docker/appdata/immich-ml(separate from immich-server's appdata)
rackpeek
- No curl/wget in image — healthcheck uses
/proc/net/tcp6
donetick
- Env vars alone are insufficient for DB type selection
- Requires
/mnt/tank/docker/appdata/donetick/config/selfhosted.yamlwith full DB config - Uses viper config loader —
DT_ENVcontrols config file path - Public exposure through Pangolin can stay unhealthy after renumbering if the target health-check hostname is stale even when the target IP/port are already fixed; verify both
ipandhcHostname - If PD-side Pangolin/Newt targets still probe a stale pre-renumbering host IP (for example
10.5.1.6) but the backend is otherwise healthy, the fastest reversible recovery is a runtime/32compatibility alias on PD while the authoritative Pangolin target/health-check state is corrected - If the PD
newt-loopback-bridgehelper is usingnetwork_mode: "container:<newt>", restartingix-newt-newt-1can leave the loopback relays broken untilnewt-loopback-bridgeis also restarted; symptom is public 502/503 onlocalhost-backed Pangolin routes even after target health turns green - OIDC metadata for the frontend is exposed from
/api/v1/resource; if the login button is missing, check that endpoint before debugging the SPA
homepage
- Live config is
/mnt/tank/docker/appdata/homepage/services.yaml; it is not currently repo-managed, so live edits should be mirrored back into docs when they matter operationally books.paccoco.comis the working public Calibre-Web route;calibre.paccoco.com/kindle.paccoco.comare legacy/broken unless separate Pangolin resources are created for them- RoMm widget URLs must use a backend Homepage can actually reach from PD; if the only working path is the auth-gated public Pangolin route, remove the widget instead of leaving a stale literal LAN IP
shlink
- Data directory must be
chmod 777— runs as non-root user that doesn't match host default ownership
openwebui
- DB: user=
openwebui, db=openwebuion shared-postgres - If restart-looping with auth errors: container wasn't on
ix-databases_shared-databasesat creation time — mustdown && up
plex
- Port
5353/udpconflicts with system avahi/mDNS — remove from port mappings
scriberr (shelved)
- SQLite incompatible with ZFS nfsv4 ACLs (SQLITE_CANTOPEN error 14)
- Revisit when Postgres support available in CUDA image
meshmonitor (auto-upgrade)
AUTO_UPGRADE_ENABLED=truecauses crashes on TrueNAS if bind mount source directories don't exist- The upgrader container mounts compose dir as
/compose— relative paths resolve differently - Fix: pre-create all bind mount source directories before deploying
Any container using down && up requirement
- Network attachments happen at container creation, not restart
docker restartordocker compose restartwill NOT fix missing network attachments- Must use
docker compose --env-file .env down <service> && docker compose --env-file .env up -d <service>
UniFi Protect WiFi chimes after doorbell/network changes
- A UniFi Protect WiFi chime can look healthy in UniFi Network while still showing offline in Protect if a per-client Camera virtual-network override puts it on a lane that does not preserve the required Protect path.
- In John's current environment, the known-good fallback for the two Wi-Fi chimes is Management/default
UniFi Wireless, not the Camera-lane override that was tried on 2026-05-22. - After a doorbell is re-adopted, also verify each chime's
ringSettings.cameraIdstill points at the current doorbell object; a stale camera binding can break ringing even when the network path is healthy. - Treat "device online in UniFi Network" and "device healthy in Protect / rings for the current doorbell" as separate checks.
Serenity
qBit Mover Script
- Pauses torrents 0–4 days old before running mover to prevent partial file moves
- MAM-init script updates MyAnonamouse IP inside qbit container on startup
Unraid-Cloudflared-Tunnel
- Older notes called this dead, but live inspection on 2026-05-25 showed active Cloudflare QUIC edge registrations and a configured tunnel token.
- Follow-up audit showed it is only transport-alive: current-run metrics reported zero proxied requests, its remote-managed ingress config still points at legacy
192.168.1.xorigins, and the listed public hostnames appear to be served elsewhere now. - Retired on 2026-05-25: the container was stopped and removed, sampled public hostnames stayed healthy, and Cloudflare-side cleanup can now happen separately from Serenity runtime cleanup.
Serenity Wave 1 cleanup guardrails
Unraid-Cloudflared-Tunnelhas already been retired from Serenity runtime; any remaining cleanup is Cloudflare-side control-plane cleanup, not local container cleanup.- Serenity's legacy Pi-hole HA containers were retired on 2026-05-25 after mixed-host DNS verification; if future DNS issues appear, investigate the surviving Technitium/other-resolver path rather than trying to resurrect those old Pi-hole containers by default.
- Recent
Createdcontainers on Unraid may represent intentionally retained templates rather than stale debris; distinguish them from long-dead exited containers before pruning.
Serenity Newt / Pangolin stale health-check IP drift
- Several Serenity Newt-backed Pangolin targets were corrected to
ip=localhost/10.5.30.5but still retained stalehcHostname=10.5.1.5, so Newt health checks failed withno route to host - Verified affected target IDs on 2026-05-25:
15,20,25,29,56,57,58,69 - A temporary local
/32alias on Serenity (ip addr add 10.5.1.5/32 dev br0) proved the diagnosis by flipping multiple targets back to healthy - That alias was then removed because the old
10.5.1.5address is no longer allowed on the VLAN - After removal, targets immediately fell back to unhealthy on the same stale health-check URLs, confirming the real problem is authoritative Pangolin metadata drift, not local app failure
- Treat the alias only as a diagnostic probe; do not persist it. The correct fix is to rewrite Pangolin health-check hostnames away from the stale pre-renumbering IP.
- Authoritative fix completed for the Serenity audit set on 2026-05-25: targets
15,20,25,29,56,57,58, and69now use10.5.30.5for both routing and health checks, and no audited Serenity Pangolin target still carries10.5.1.5in live API state.
N.O.M.A.D.
NVIDIA Container Toolkit
- Repo has invalid GPG key — remove
/etc/apt/sources.list.d/*nvidia*if apt errors
Pelican / Wings
- Interactive artisan commands break over SSH (stty issue) — always use inline flags:
--email=x --username=y --password=z --admin=1 - Wings CORS derived from
remote:URL, notallowed_origins— keep remote ashttps:// panel.paccoco.comin/etc/hosts→127.0.0.1for NAT loopback- Wings uses
--ignore-certificate-errorsfor local self-signed cert
Port 8080
- Occupied by
nomad_admincontainer — Wings uses 8443 instead