summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorLines
2026-07-02Disable IKE fragmentation, use IP-level fragmentation for iOSyyamashita-1/+2
iOS may have a bug where it advertises N(FRAG_SUP) but fails to reassemble IKE fragments in IKE_AUTH responses. Switching to fragmentation=no forces the large IKE_AUTH response to be sent as a single UDP packet with IP-level fragmentation, which iOS's standard IP stack handles correctly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-02Send only YE1+RootYE intermediates, skip cross-signed ISRG Root X2yyamashita-0/+3
iOS 14+ and Android 11+ have ISRG Root X2 in their trust store. Sending the cross-signed ISRG Root X2 alongside the trusted self-signed version can confuse the cert path-building algorithm. Chain: leaf -> YE1 -> Root YE -> [ISRG Root X2 from trust store] Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-02Fix VPN cert chain: split multi-cert PEM for strongSwanyyamashita-1/+18
Caddy's cert chain contains 4 certs: 1. leaf (signed by YE1) 2. YE1 (signed by Root YE) 3. Root YE (cross-signed by ISRG Root X2) 4. ISRG Root X2 (cross-signed by ISRG Root X1) iOS/Android trust ISRG Root X1 but not Root YE directly. The full cross-signed chain must be sent in IKE_AUTH. strongSwan only reads the first cert from a multi-cert PEM file, so entrypoint.sh now splits server-chain.crt into individual files in x509ca/ before starting charon. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-02Restore intermediate cert + reduce IKE fragment size to 512 bytesyyamashita-0/+2
iOS/Android VPN stacks don't follow AIA to download intermediate certs, so YE1 must be sent by the server for cert chain validation. The original 1236-byte IKE fragment was being dropped mid-path. Setting fragment_size=512 splits the 1776-byte IKE_AUTH into ~4 fragments of ≤560 bytes each, which should traverse any NAT/router. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Remove intermediate CA cert to fix IKE fragmentationyyamashita-1/+0
YE1 intermediate cert was inflating IKE_AUTH response to 1776 bytes, causing it to be split into 2 IKE fragments that iOS/Android clients could not reassemble. Both iOS and Android 12 (Beam Pro) have Let's Encrypt trust chain in their system store, so the intermediate cert is not needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Revert VPN file logging (caused container crash)yyamashita-9/+0
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Add file logging to VPN container for diagnosticsyyamashita-0/+9
Logs to /home/yyamashita/vpn-logs/charon.log (readable without root) to diagnose iPhone IKEv2 connection failures. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Revert fragmentation=no to restore iPhone VPN connectivityyyamashita-1/+0
fragmentation=no caused IP-level fragmentation (1808-byte packets) which is blocked by mobile networks. Default IKE fragmentation (RFC 7383) works for iOS/macOS with 2 fragments. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Fix IKE fragmentation: use fragmentation=no instead of fragment_size=0yyamashita-1/+1
fragment_size=0 was interpreted as minimum fragment size (resulting in 4 tiny fragments), not disabled. fragmentation=no in swanctl.conf is the correct per-connection setting to disable IKE fragmentation entirely. The server now sends a single large UDP packet; the OS kernel handles IP fragmentation instead of the IKE layer. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Restore intermediate CA cert, disable IKE fragmentationyyamashita-0/+2
Android (XREAL Beam Pro) fails to reassemble IKE fragments even though FRAG_SUP is negotiated. IP-level fragmentation (handled by the OS kernel) works better. Removing the intermediate cert broke macOS/iOS. This config: - Sends leaf cert + YE1 intermediate (so any client can verify the chain) - fragment_size=0 disables IKE fragmentation; the 1776-byte IKE_AUTH response is sent as one large UDP packet (OS handles IP fragmentation) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Serve YE1 intermediate CA cert for Android VPN trust chainyyamashita-1/+18
Android (XREAL Beam Pro) can't validate the server cert because it lacks the Let's Encrypt YE1 hierarchy in its system trust store. The fix: - Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy - Android VPN profile: set CA certificate to this downloaded cert - install.sh / renew-cert.sh now extract and copy YE1 to caddy dir Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Remove intermediate CA cert mount to fix Android IKEv2 fragmentationyyamashita-1/+0
Android (XREAL Beam Pro) advertises FRAG_SUP but fails to reassemble IKE fragments. The IKE_AUTH response was 1776 bytes (leaf + YE1 intermediate) requiring fragmentation into 2 packets. Without x509ca mount, only the leaf cert is sent (~886 bytes total), fitting in a single packet without fragmentation. Android fetches the intermediate CA (YE1) via AIA extension before tunnel setup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Fix VPN: send certificate always, split cert chain, fix entrypointyyamashita-16/+21
- swanctl.conf.tpl: send_cert = always (fix Android cert verification failure) - docker-compose.yml: mount intermediate CAs to /etc/swanctl/x509ca/ - install.sh: split server.crt into leaf + chain for proper chain distribution - entrypoint.sh: run charon directly for Docker log visibility, fix sysctl error handling, fix charon binary path - strongswan.conf: increase IKE log level to 4 for debugging Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-30Fix VPN entrypoint: handle sysctl read-only in host network modeyyamashita-3/+7
network_mode: host では /proc/sys への書き込みが制限されるため、 sysctl の失敗を無視してホスト側の設定値を確認するよう変更。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-30Add strongSwan IKEv2 VPN serviceyyamashita-1/+270
- vpn/: Dockerfile, docker-compose.yml, swanctl.conf.tpl, entrypoint.sh - install.sh: Caddy 証明書流用 + コンテナ起動 - renew-cert.sh: 証明書更新 + swanctl ホットリロード - caddy/Caddyfile: vpn.yyamashita.com 追加(Let's Encrypt 証明書取得用) - post-receive: vpn/deploy.sh を追加 - setup-route53.py: WEB_SUBDOMAINS に vpn を追加 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-20Add Restart Claude Sessions command to hetzner-adminyyamashita-0/+10
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19Add microblog serviceyyamashita-1/+16
- Caddy: route blog.yyamashita.com → microblog-app:3000 - git: add microblog post-receive hook and update work tree path to /app/microblog - DNS: add blog subdomain to Route 53 WEB_SUBDOMAINS Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19Add microblog repo and Claude sessionyyamashita-0/+2
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19Rename hetzner-admin domain and use CNAME for web subdomainsyyamashita-7/+53
- caddy/Caddyfile: admin.yyamashita.com → hetzner-admin.yyamashita.com - mail/dns/setup-route53.py: add A record for primary, CNAME records for all web service subdomains pointing to hetzner.yyamashita.com - CLAUDE.md: update access URL Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19Add hetzner-admin: SSH-based server management web UIyyamashita-7/+207
Basic Auth protected web UI with buttons to restart services and reboot. SSH key with authorized_keys command= restriction limits executable commands. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-10Add mosquitone-admin repo and Claude sessionyyamashita-0/+6
Register mosquitone-admin as a managed git repo with post-receive checkout hook, and add yyamashita:mosquitone-admin to the Claude Code session list. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09Switch mail container from SES relay to direct deliveryyyamashita-14/+2
Port 25 outbound is no longer blocked on Hetzner, so SES relay is unnecessary. Remove relayhost, SASL auth config, and libsasl2-modules. Postfix now delivers directly to recipient MX; inet_protocols=ipv4 already present to avoid IPv6 PTR issues. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02Revert "Add cron job registration to install.sh"yyamashita-18/+0
This reverts commit 5e9ed4fe05eda672293dbfe6bf10da6d9635261b.
2026-06-02Add cron job registration to install.shyyamashita-0/+18
Registers daily scrape (05:00 JST) and recap email (08:00 JST) jobs for tokyo-livehouse-events via idempotent crontab install. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01Add libsasl2-modules to mail container for Postfix SASL authyyamashita-0/+1
Required for smtp_sasl_auth_enable with Amazon SES. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01Configure Amazon SES relay for Postfix (port 25 blocked by Hetzner)yyamashita-2/+14
SES credentials are injected via .env file (not committed). entrypoint.sh creates sasl_passwd at runtime from SES_ACCESS_KEY_ID / SES_SMTP_PASSWORD. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01entrypoint: copy resolv.conf etc into Postfix chroot before startyyamashita-0/+8
smtp プロセスは chroot 環境で動くため /etc/resolv.conf が見えず MX ルックアップが失敗していた。chroot (/var/spool/postfix/etc/) に resolv.conf / hosts / services / nsswitch.conf をコピーして解決。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01entrypoint: fix DNS via cat-to-bind-mount (no python3/sed needed)yyamashita-9/+5
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01entrypoint: use python3 for resolv.conf edit (sed -i fails on bind mount)yyamashita-3/+8
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01entrypoint: replace Docker embedded DNS with external resolversyyamashita-0/+5
127.0.0.11 は MX クエリを正しく処理できないため 8.8.8.8/1.1.1.1 に差し替える。 メールコンテナはコンテナ名解決が不要なため問題なし。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01Fix milter IPv4 binding and container DNS for MX lookupsyyamashita-3/+6
- opendkim.conf / main.cf: localhost → 127.0.0.1 (getent がIPv6を優先し Postfix の inet_protocols=ipv4 と競合していた) - docker-compose.yml: dns: 8.8.8.8/1.1.1.1 を追加 (Docker embedded DNS が MX クエリを解決できなかった) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01setup-route53: apply records individually, skip CNAME conflictsyyamashita-12/+22
CNAME が既に存在するドメインへの TXT 追加は競合エラーになるため、 レコードを1件ずつ適用し、競合は SKIP してその他は継続する。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01Fix entrypoint: remove chmod on read-only mount, run opendkim as rootyyamashita-6/+3
/etc/opendkim が :ro マウントのため chmod/chown が失敗していた問題を修正。 opendkim.conf で UserID root に変更しコンテナ内でルートとして実行する。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01Fix DKIM key generation: use host opendkim-tools instead of Dockeryyamashita-18/+27
Ubuntu 24.04 ホストに直接 apt install して opendkim-genkey を実行する。 Debian Bookworm の Docker 内では OpenSSL 3.x 互換性問題で失敗するため。 setup-route53.py: ホストゾーン自動検出・SERVER_IP 自動取得を追加。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-01Add Postfix+OpenDKIM MTA with txt-based domain managementyyamashita-1/+380
- mail/ ディレクトリ追加: Postfix + OpenDKIM の Docker コンテナ - mail/domains.txt で送信ドメインを管理(現在: golive.yyamashita.com) - install.sh が domains.txt から KeyTable/SigningTable を動的生成 - setup-route53.py で SPF/DKIM/DMARC を Route 53 に一括設定 - post-receive フックに mail/deploy.sh を追加 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Fix cgit CSS/JS 404 and update docsyyamashita-3/+11
- lighttpd.conf: exempt static files from CGI rewrite - deploy.sh: add --build to rebuild image on config changes - CLAUDE.md, Deploy.md: add cgit directory and deploy notes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Use custom Dockerfile for cgit (klakegg/cgit removed from Docker Hub)yyamashita-1/+20
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Add cgit web interface at git.yyamashita.comyyamashita-0/+33
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Add README.md to each directoryyyamashita-0/+56
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Add server/ dir, CLAUDE.md, and SSH key management via install.shyyamashita-74/+105
- server/authorized_keys: root SSH keys managed in repo - server/requirements.md: list of required tools/packages - git/install.sh: now also applies authorized_keys on install - CLAUDE.md: repo overview for Claude Code - Deploy.md: simplified Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Update Deploy.md for new directory structureyyamashita-84/+61
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Reorganize repo into caddy/, git/, claude/ directoriesyyamashita-134/+49
- caddy/: Caddyfile, docker-compose.yml, deploy.sh (hook runs this only) - git/: repos.txt, hooks/*/post-receive, install.sh, server-setup.sh - claude/: sessions.txt, systemd/claude-code@.service, sync.sh Post-receive hook is now: checkout + bash caddy/deploy.sh Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Move tokyo-livehouse-events work tree from /app to /app/tokyo-livehouse-eventsyyamashita-6/+4
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Centralize repo and hook management: add repos.txt and install.shyyamashita-32/+79
All bare repo creation is now driven by repos.txt in this repo. install.sh replaces install-hooks.sh and handles both repo creation and hook deployment. Other repos' server-setup.sh no longer manage bare repos or hooks. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Remove inline hook from server-setup.sh; hooks managed via install-hooks.shyyamashita-14/+3
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Manage all server-side git hooks in this repositoryyyamashita-3/+88
Add server-hooks/<repo>/post-receive for all repos and scripts/install-hooks.sh to deploy them manually on the server. Hooks are not auto-installed on git push for security. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Add Claude Code session management via post-receive hookyyamashita-16/+117
Root's post-receive hook now calls scripts/sync-claude-services.sh to manage yyamashita's systemd user services on git push. Sessions are configured in claude-code-sessions.txt (user:repo format). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16Fix claude daemon: non-root user and PTY allocationyyamashita-2/+13
root 実行時のセキュリティ制限と TTY なし問題を修正。 claude-agent ユーザーを作成し、script コマンドで疑似 TTY を確保する。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16Fix claude remote-control command flag syntaxyyamashita-1/+1
--remote-control はサブコマンドではなくオプションフラグのため修正。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16Add Claude Code daemon setup for remote sessions per repoyyamashita-0/+77
systemd サービス (claude-infra/tokyo/whoisband) を生成・有効化するセットアップスクリプトを追加。 claude remote-control で各リポジトリの常駐セッションを起動し、claude.ai/code から接続できる。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>