Known Issues
A living list of deferred bugs, hygiene problems, and follow-up work. Items here are known — don't be surprised by them — but were not fixed in the docs-audit pass because scope was "docs only, leave code alone". PRs welcome.
Security
1. CrowdSec credential exposure in git history (rotation still required)
- Current state: `code/docker/homepage/services.yaml` now uses (no plaintext secret in tracked files).
- Problem: The previously committed CrowdSec key is still exposed in git history.
- Fix: Rotate in CrowdSec (`cscli machines delete` + `cscli machines add`) and update the new key in `code/docker/.env` as `HOMEPAGE_VAR_CROWDSEC_KEY`.
- Note: File-level cleanup alone does not invalidate compromised historical credentials.
Hygiene
2. node_modules/ and dist/ checked into a public repo
- Paths: `node_modules/` (repo root), `dist/` (repo root).
- Problem: Both are in `.gitignore` but are present in the working tree and the index — shouldn't be.
- Fix: `git rm -r --cached node_modules dist && git commit`. Repo will shrink substantially.
3. Undefined image-pinning policy
- Files: `code/docker/docker-compose.yml` — many services at `:latest`.
- Fix: Follow the policy in upgrade_runbook.md. Start by pinning services with persistent on-disk format that haven't been pinned yet.
4. CI sed-patches host scripts at runtime
- File: `.github/workflows/e2e-tests.yml`
- Problem: The workflow rewrites `protect-data.sh` (strip `chflags`) and `generate-secrets.sh` (BSD → GNU sed) inline. Any format change silently breaks CI.
- Fix: Make `generate-secrets.sh` platform-neutral (`sed -i.bak -e ...; rm -f .bak` works on both). Guard `chflags` behind `[ "$(uname)" = "Darwin" ]`.
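
One way to apply the fix for item 4, shown as an added example that is not code from this repository. The helper names `sed_inplace` and `chflags_if_darwin` are hypothetical, and the flag in the usage comment is an assumed value, not taken from `protect-data.sh`.

```shell
#!/bin/sh
# Added example, not the repository's own scripts. Helper names are hypothetical.

# sed_inplace FILE SED_ARGS...
# "-i.bak" (suffix attached, no space) is accepted by both BSD and GNU sed,
# so the script needs no per-platform rewrite in CI.
# If sed fails after the backup was written, the original is restored so a
# bad expression cannot leave a half-edited secrets file behind.
sed_inplace() {
    file=$1
    shift
    if sed -i.bak "$@" "$file"; then
        rm -f "$file.bak"
    else
        status=$?
        if [ -f "$file.bak" ]; then
            mv -f "$file.bak" "$file"
        fi
        return "$status"
    fi
}

# chflags_if_darwin CHFLAGS_ARGS...
# chflags exists on macOS/BSD only. On Linux CI runners this is a no-op that
# returns 0, so the workflow no longer has to strip the call from the script.
chflags_if_darwin() {
    if [ "$(uname)" = "Darwin" ]; then
        chflags "$@"
    fi
}

# Usage inside the host scripts (values below are constructed for illustration):
#   sed_inplace .env -e 's/^API_KEY=.*/API_KEY=new-value/'
#   chflags_if_darwin uchg ./data     # flag shown is an assumption
```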
5. postgres.json Grafana dashboard has no data
- File: `code/docker/grafana/dashboards/postgres.json`
- Problem: Dashboard queries `pg_*` metrics but no `postgres_exporter` is scraped.
- Fix: Either add an exporter + scrape configs for Authentik/Immich/Nextcloud DBs, or remove the dashboard JSON.
Orphans
6. Unused docker subdirectories
| Path | Status | Suggested action |
|---|---|---|
| `code/docker/couchdb/local.ini` | No couchdb service exists | Delete the directory |
| `code/docker/homepage/kubernetes.yaml` | Empty Homepage placeholder | Delete |
| `code/docker/homepage/proxmox.yaml` | Empty Homepage placeholder | Delete |
| `code/docker/homepage/custom.css` | 0 bytes | Delete |
| `code/docker/homepage/custom.js` | 0 bytes | Delete |
| `code/docker/mailserver/README.md` | No mailserver service | Keep as pointer (see decisions/0001-no-self-hosted-email.md) |
| `code/docker/cloudflared/SETUP.md` | Superseded by automation | Keep as deprecated fallback reference |
Code
7. apps/dashboard/ advertises a non-existent service
- File: `code/apps/dashboard/src/App.jsx` — "Email" card links to `https://mail.h5h.me`.
- Fix: Remove the Email card when the dashboard gets deployed (see apps/dashboard/README.md).
8. Dual backup paths
- Files: `code/scripts/backup.sh` (manual tar, keeps 5) vs `offen/docker-volume-backup` (nightly, 7-day prune).
- Problem: `scripts/backup.sh` writes to the same directory the offen container also manages. Running both periodically will interleave filenames.
- Fix: Pick one. Recommend keeping offen + deleting `backup.sh`, or make `backup.sh` write to a distinct path (`data/manual-backups/`).
Not-bugs (documented for clarity)
- `docker/cloudflared/SETUP.md` — intentionally deprecated but retained as a manual fallback. `make setup-tunnel` is the supported path.
- `docker/mailserver/` — intentionally absent from compose. See ADR 0001.
- `apps/dashboard/` — intentionally not deployed. See ADR 0003.