Compare commits

No commits in common. "1a98eb640210f2a39c91b64806635489751d98c2" and "46b6cf30956ed7e034a18fd3b4ea889518d2c2ff" have entirely different histories.

49 changed files with 44 additions and 1938 deletions

View file

@ -1,25 +0,0 @@
---
title: Untitled Page
description:
published: true
date: 2026-04-01T01:56:08.260Z
tags:
editor: markdown
dateCreated: 2026-04-01T01:50:18.740Z
---
# Header
dffasdf
asdf
asd
asdf
asdf
asdf
asdf
asdf
asdf
asdf
asdf
asdf
asdf
asdf

View file

@ -2,7 +2,7 @@
title: LDAP Client Setup title: LDAP Client Setup
description: description:
published: true published: true
date: 2026-02-20T04:33:31.862Z date: 2026-01-22T03:36:37.380Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-01-21T13:21:40.588Z dateCreated: 2026-01-21T13:21:40.588Z
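Review bot: the only change in this hunk is the front-matter `date`, which moves backward from 2026-02-20T04:33:31.862Z to 2026-01-22T03:36:37.380Z while `title`, `published`, `editor` and `dateCreated` are identical on both sides. Together with the page header reporting no commits in common between the two sides, this reads as a comparison against an older, unrelated export rather than an edit. Confirm the base/head order before merging, and drop timestamp-only changes like this one so the history does not fill with metadata churn.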

View file

@ -2,7 +2,7 @@
title: Immich Backup and Restore title: Immich Backup and Restore
description: Immich backup with Kopia description: Immich backup with Kopia
published: true published: true
date: 2026-02-20T04:11:52.181Z date: 2026-02-14T23:34:02.017Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-14T03:14:32.594Z dateCreated: 2026-02-14T03:14:32.594Z

View file

@ -2,7 +2,7 @@
title: Mailcow Backup and Restore Strategy title: Mailcow Backup and Restore Strategy
description: Mailcow backup description: Mailcow backup
published: true published: true
date: 2026-02-20T04:15:25.924Z date: 2026-02-13T22:23:40.797Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-11T01:20:59.127Z dateCreated: 2026-02-11T01:20:59.127Z

View file

@ -2,7 +2,7 @@
title: Nextcloud Backup title: Nextcloud Backup
description: Native + Kopia description: Native + Kopia
published: true published: true
date: 2026-02-20T04:19:28.405Z date: 2026-02-18T04:40:14.455Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-14T23:52:25.405Z dateCreated: 2026-02-14T23:52:25.405Z

View file

@ -2,7 +2,7 @@
title: Services Backup title: Services Backup
description: description:
published: true published: true
date: 2026-02-20T04:08:15.923Z date: 2026-02-14T23:51:09.146Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-05T21:28:23.152Z dateCreated: 2026-02-05T21:28:23.152Z

View file

@ -2,7 +2,7 @@
title: Wikijs Backup title: Wikijs Backup
description: Backup Wikijs description: Backup Wikijs
published: true published: true
date: 2026-02-23T04:35:32.870Z date: 2026-02-23T04:35:24.121Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-23T04:35:24.121Z dateCreated: 2026-02-23T04:35:24.121Z

View file

@ -2,7 +2,7 @@
title: Netgrimoire Documentation title: Netgrimoire Documentation
description: How to create and use Netgrimoire Docs description: How to create and use Netgrimoire Docs
published: true published: true
date: 2026-02-20T04:16:19.329Z date: 2026-02-03T02:54:56.444Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-03T02:54:56.444Z dateCreated: 2026-02-03T02:54:56.444Z

View file

@ -2,7 +2,7 @@
title: Documentation Style Guide title: Documentation Style Guide
description: Applying a theme description: Applying a theme
published: true published: true
date: 2026-02-25T21:32:16.786Z date: 2026-02-25T21:32:08.276Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-24T14:03:00.791Z dateCreated: 2026-02-24T14:03:00.791Z

View file

@ -2,7 +2,7 @@
title: Port Assignments title: Port Assignments
description: description:
published: true published: true
date: 2026-02-20T04:21:52.996Z date: 2026-01-27T13:15:17.556Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-01-27T03:42:58.945Z dateCreated: 2026-01-27T03:42:58.945Z

View file

@ -2,7 +2,7 @@
title: Caddy Reverse Proxy title: Caddy Reverse Proxy
description: Curreent and future config description: Curreent and future config
published: true published: true
date: 2026-02-25T01:50:20.558Z date: 2026-02-25T01:50:11.740Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-23T22:09:16.106Z dateCreated: 2026-02-23T22:09:16.106Z
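Review bot: `description: Curreent and future config` carries a typo on both sides of this hunk; correct it to `Current and future config` while the front matter is open. The `date` change itself is a shift of about nine seconds (01:50:20.558Z to 01:50:11.740Z) with nothing else different, so it is not worth committing on its own.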

View file

@ -2,7 +2,7 @@
title: OpnSense-IDS/IPS title: OpnSense-IDS/IPS
description: IDS description: IDS
published: true published: true
date: 2026-02-23T21:51:49.920Z date: 2026-02-23T21:51:41.041Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-23T21:49:16.861Z dateCreated: 2026-02-23T21:49:16.861Z

View file

@ -2,7 +2,7 @@
title: OpnSense - App Protection title: OpnSense - App Protection
description: App Inspection description: App Inspection
published: true published: true
date: 2026-02-23T21:52:43.630Z date: 2026-02-23T21:52:34.981Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-23T21:50:37.324Z dateCreated: 2026-02-23T21:50:37.324Z

View file

@ -2,7 +2,7 @@
title: OpnSense title: OpnSense
description: Grimoire Firewall Configuration description: Grimoire Firewall Configuration
published: true published: true
date: 2026-02-23T21:31:26.008Z date: 2026-02-23T21:31:15.244Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-23T21:31:15.244Z dateCreated: 2026-02-23T21:31:15.244Z

View file

@ -2,7 +2,7 @@
title: OpnSense - GIT Integration title: OpnSense - GIT Integration
description: Git Integration description: Git Integration
published: true published: true
date: 2026-02-23T21:53:24.522Z date: 2026-02-23T21:53:15.906Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-23T21:48:01.779Z dateCreated: 2026-02-23T21:48:01.779Z

View file

@ -2,7 +2,7 @@
title: OpnSense - NTFY Integration title: OpnSense - NTFY Integration
description: Security Notifications description: Security Notifications
published: true published: true
date: 2026-02-23T22:00:46.462Z date: 2026-02-23T22:00:37.268Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-23T22:00:37.268Z dateCreated: 2026-02-23T22:00:37.268Z

View file

@ -2,7 +2,7 @@
title: Opnsense - Additional Blocklists title: Opnsense - Additional Blocklists
description: Blocklists description: Blocklists
published: true published: true
date: 2026-02-23T21:54:13.019Z date: 2026-02-23T21:54:04.063Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-23T21:46:39.562Z dateCreated: 2026-02-23T21:46:39.562Z

View file

@ -2,7 +2,7 @@
title: Video Restoration Script title: Video Restoration Script
description: Restore VHS Video Captures description: Restore VHS Video Captures
published: true published: true
date: 2026-03-06T03:48:12.713Z date: 2026-03-06T03:48:05.841Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-03-06T03:48:05.841Z dateCreated: 2026-03-06T03:48:05.841Z

View file

@ -2,7 +2,7 @@
title: Stashapp Workflow title: Stashapp Workflow
description: description:
published: true published: true
date: 2026-02-20T04:25:56.467Z date: 2026-02-18T13:08:53.604Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-18T13:08:53.604Z dateCreated: 2026-02-18T13:08:53.604Z

View file

@ -2,7 +2,7 @@
title: Pocket Grimoire title: Pocket Grimoire
description: description:
published: true published: true
date: 2026-02-26T12:42:50.676Z date: 2026-02-22T05:00:02.026Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-20T04:41:35.122Z dateCreated: 2026-02-20T04:41:35.122Z
@ -354,23 +354,6 @@ sudo raspi-config
# System Options → Locale → en_US.UTF-8 # System Options → Locale → en_US.UTF-8
``` ```
**⚠️ Important: Ubuntu Pi Boot Configuration Note**
Ubuntu on Raspberry Pi uses a different boot config location than Raspberry Pi OS.
The active kernel command line is in:
```
/boot/firmware/current/cmdline.txt
```
**Do NOT edit** `/boot/firmware/cmdline.txt` for kernel parameters — that file is only read during `tryboot` scenarios and is ignored on normal boot.
Any kernel parameters (including USB quirks for drives) must go in `/boot/firmware/current/cmdline.txt` as a single unbroken line.
This is critical for applying USB storage quirks (see Troubleshooting section if you experience drive issues).
---
### 2. Install VeraCrypt (Optional - For Encrypted Container Files) ### 2. Install VeraCrypt (Optional - For Encrypted Container Files)
**VeraCrypt** allows you to mount encrypted container files as virtual drives. This is useful for: **VeraCrypt** allows you to mount encrypted container files as virtual drives. This is useful for:
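Review bot: the block removed after the `raspi-config` locale step is the only text in this hunk that names the active kernel command line file on Ubuntu for Raspberry Pi (`/boot/firmware/current/cmdline.txt`) and warns against editing `/boot/firmware/cmdline.txt`. According to the deleted text, a parameter placed in the wrong file is ignored on normal boot, which is a failure with no visible error. If the removal is intentional, the setup section should still state where kernel parameters go; if it is a side effect of comparing unrelated histories, keep the note.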
@ -2950,86 +2933,6 @@ sudo syncoid vault/Green/Pocket greenpg/Pocket # if greenpg
**Best practice:** After first import to Pocket, the pool is permanently `greenpg` **Best practice:** After first import to Pocket, the pool is permanently `greenpg`
### Kanguru UltraLock UAS Errors / Pool Suspended
**Symptoms:**
- ZFS pool repeatedly suspending with `error=5` (EIO)
- dmesg showing `uas_eh_abort_handler` every ~30 seconds
- Pool status shows `SUSPENDED`
- Drive resets cycling: `uas_eh_device_reset_handler start/success` repeating
```
sd 0:0:0:0: [sda] tag#8 uas_eh_abort_handler 0 uas-tag 3 inflight: CMD IN
scsi host0: uas_eh_device_reset_handler start
scsi host0: uas_eh_device_reset_handler success
WARNING: Pool 'greenpg' has encountered an uncorrectable I/O failure and has been suspended.
```
**Root Cause:**
The Kanguru UltraLock (`idVendor=1e1d, idProduct=2001`) uses the UAS driver by default. The Raspberry Pi 4's xhci USB controller has a known incompatibility with UAS on certain drives. The fix is to force the drive to use the `usb-storage` driver instead via a kernel quirk parameter.
**Fix (Ubuntu Pi — permanent):**
```bash
# Edit the correct cmdline file (NOT /boot/firmware/cmdline.txt)
sudo nano /boot/firmware/current/cmdline.txt
```
Add `usb-storage.quirks=1e1d:2001:u` to the end of the existing single line:
```
console=serial0,115200 multipath=off dwc_otg.lpm_enable=0 console=tty1 root=LABEL=writable rootfstype=ext4 panic=10 rootwait fixrtc usb-storage.quirks=1e1d:2001:u
```
```bash
# Verify: should show ONE $ at end, no blank lines
cat -A /boot/firmware/current/cmdline.txt
# Reboot
sudo reboot
```
**Verify fix after reboot:**
```bash
sudo dmesg | grep -i "kanguru\|uas\|usb-storage" | head -10
```
Confirmed working output:
```
usb 2-2: UAS is ignored for this device, using usb-storage instead
usb-storage 2-2:1.0: USB Mass Storage device detected
usb-storage 2-2:1.0: Quirks match for vid 1e1d pid 2001: 800000
scsi host0: usb-storage 2-2:1.0
```
**Recover suspended pool after applying fix:**
```bash
sudo zpool clear greenpg
sudo zfs load-key greenpg/Pocket
sudo zfs mount -a
```
If pool has data errors from before the fix:
```bash
sudo zpool status -v greenpg
sudo zpool scrub greenpg
# If metadata errors remain and can't be repaired, destroy and resync from Netgrimoire
```
**Why `/boot/firmware/cmdline.txt` doesn't work:**
On Ubuntu Pi, `/boot/firmware/config.txt` only reads `cmdline=cmdline.txt` under the `[tryboot]` section. The active boot uses `/boot/firmware/current/cmdline.txt` instead. This differs from Raspberry Pi OS where `/boot/firmware/cmdline.txt` is the correct file.
**Hardware reference:**
- Kanguru UltraLock USB ID: `1e1d:2001`
- Pi 4 USB controller: xhci_hcd (Broadcom BCM2711)
- Issue: xhci + UAS incompatibility on large USB drives
*Fix discovered and documented during greenpg pool troubleshooting, February 2026*
### Docker Containers Not Starting ### Docker Containers Not Starting
```bash ```bash
# Check if ZFS pools are mounted first # Check if ZFS pools are mounted first
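Review bot: deleting the Kanguru UltraLock section removes the documented remedy for the pool-suspension symptom (`usb-storage.quirks=1e1d:2001:u`) together with the recovery sequence `zpool clear greenpg`, `zfs load-key greenpg/Pocket`, `zfs mount -a`, and nothing in the surrounding context replaces it. If the section is kept, two points are worth tightening. The last recovery block ends in a comment ("destroy and resync from Netgrimoire") with no commands, so either add the exact steps or point to the `syncoid` procedure visible in the hunk header context. The sample `cmdline.txt` line should also be labelled as an example, since a reader who pastes it whole replaces their own `root=` and console settings instead of appending the quirk to the existing line.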

View file

@ -2,7 +2,7 @@
title: Pocket Grimoire - Hardware title: Pocket Grimoire - Hardware
description: Hardware for Pocket Grimoire description: Hardware for Pocket Grimoire
published: true published: true
date: 2026-02-20T04:29:06.922Z date: 2026-02-03T17:22:16.329Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-01-28T23:07:03.685Z dateCreated: 2026-01-28T23:07:03.685Z

View file

@ -2,7 +2,7 @@
title: Stream Box title: Stream Box
description: Configure ONN Media Box description: Configure ONN Media Box
published: true published: true
date: 2026-02-20T04:50:44.701Z date: 2026-02-20T04:50:34.384Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-20T04:50:34.384Z dateCreated: 2026-02-20T04:50:34.384Z

View file

@ -2,7 +2,7 @@
title: Pocket Grimoire Software title: Pocket Grimoire Software
description: description:
published: true published: true
date: 2026-02-20T04:30:28.681Z date: 2026-01-29T04:40:00.733Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-01-29T04:37:33.794Z dateCreated: 2026-01-29T04:37:33.794Z

View file

@ -2,7 +2,7 @@
title: Pocket Clips title: Pocket Clips
description: Integrating Stash description: Integrating Stash
published: true published: true
date: 2026-02-22T05:20:31.865Z date: 2026-02-22T05:20:21.030Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-20T04:48:11.191Z dateCreated: 2026-02-20T04:48:11.191Z

View file

@ -2,7 +2,7 @@
title: Service Documentation Template title: Service Documentation Template
description: Describe the service description: Describe the service
published: true published: true
date: 2026-02-20T04:24:03.727Z date: 2026-02-03T02:57:07.462Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-03T02:57:07.462Z dateCreated: 2026-02-03T02:57:07.462Z

View file

@ -2,7 +2,7 @@
title: Ollama with agent title: Ollama with agent
description: The smart home reference description: The smart home reference
published: true published: true
date: 2026-03-05T02:26:41.506Z date: 2026-03-05T02:26:34.682Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-18T22:14:41.533Z dateCreated: 2026-02-18T22:14:41.533Z

View file

@ -2,7 +2,7 @@
title: Readme title: Readme
description: Readme file generated by AI description: Readme file generated by AI
published: true published: true
date: 2026-03-05T02:28:03.404Z date: 2026-03-05T02:27:57.522Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-03-05T02:27:57.522Z dateCreated: 2026-03-05T02:27:57.522Z

View file

@ -2,7 +2,7 @@
title: Immich on ZFS title: Immich on ZFS
description: Moving Immich to its own ZFS dataset description: Moving Immich to its own ZFS dataset
published: true published: true
date: 2026-02-20T04:13:02.502Z date: 2026-02-06T15:57:04.261Z
tags: service zfs immich dataset tags: service zfs immich dataset
editor: markdown editor: markdown
dateCreated: 2026-02-06T15:57:04.261Z dateCreated: 2026-02-06T15:57:04.261Z

View file

@ -2,7 +2,7 @@
title: Integrating MXRoute with MailCow title: Integrating MXRoute with MailCow
description: description:
published: true published: true
date: 2026-02-25T21:04:37.135Z date: 2026-02-25T21:04:26.849Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-25T19:22:31.514Z dateCreated: 2026-02-25T19:22:31.514Z

View file

@ -2,7 +2,7 @@
title: Mailcow Dockerized Install and Config title: Mailcow Dockerized Install and Config
description: description:
published: true published: true
date: 2026-02-25T21:05:48.256Z date: 2026-02-25T21:05:38.864Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-25T21:05:38.864Z dateCreated: 2026-02-25T21:05:38.864Z

View file

@ -2,7 +2,7 @@
title: MailCow Hardening title: MailCow Hardening
description: Securing Mailcow description: Securing Mailcow
published: true published: true
date: 2026-02-23T21:56:32.211Z date: 2026-02-23T21:56:22.998Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-23T21:56:22.997Z dateCreated: 2026-02-23T21:56:22.997Z

View file

@ -2,7 +2,7 @@
title: Forwarding Mailcow through MXRoute title: Forwarding Mailcow through MXRoute
description: Maintaining reputation description: Maintaining reputation
published: true published: true
date: 2026-02-20T04:10:37.730Z date: 2026-02-15T01:42:12.478Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-15T01:42:12.478Z dateCreated: 2026-02-15T01:42:12.478Z

View file

@ -2,7 +2,7 @@
title: Sample Domain Setup title: Sample Domain Setup
description: Graymutt@nucking-futz.com description: Graymutt@nucking-futz.com
published: true published: true
date: 2026-03-16T00:34:08.387Z date: 2026-03-16T00:34:02.401Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-25T22:02:27.719Z dateCreated: 2026-02-25T22:02:27.719Z
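Review bot: the `description` field here is a full mailbox address (`Graymutt@nucking-futz.com`) on a page marked `published: true`, so the address sits in page metadata where it is easy to harvest. Replace it with a descriptive phrase and, where the walkthrough needs an address, use a placeholder such as `user@example.com`.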

View file

@ -2,7 +2,7 @@
title: Recieving Mail thru MXRoute title: Recieving Mail thru MXRoute
description: Trusted receiver description: Trusted receiver
published: true published: true
date: 2026-02-25T17:18:16.273Z date: 2026-02-25T17:18:07.245Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-15T01:44:15.683Z dateCreated: 2026-02-15T01:44:15.683Z
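Review bot: the title `Recieving Mail thru MXRoute` is misspelled in both columns; change it to `Receiving Mail through MXRoute` while the front matter is being touched. As with the other front-matter hunks, the `date` moves by about nine seconds (17:18:16.273Z to 17:18:07.245Z) and nothing else changes.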

View file

@ -2,7 +2,7 @@
title: Setting Up Kopia title: Setting Up Kopia
description: description:
published: true published: true
date: 2026-02-20T04:27:59.823Z date: 2026-02-13T17:10:40.442Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-01-23T22:14:17.009Z dateCreated: 2026-01-23T22:14:17.009Z

View file

@ -2,7 +2,7 @@
title: Netgrimoire Storage title: Netgrimoire Storage
description: Where is it at description: Where is it at
published: true published: true
date: 2026-02-23T18:38:27.621Z date: 2026-02-23T18:38:18.651Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-01-22T21:10:37.035Z dateCreated: 2026-01-22T21:10:37.035Z

View file

@ -2,7 +2,7 @@
title: ZFS Common Commands title: ZFS Common Commands
description: ZFS Commands description: ZFS Commands
published: true published: true
date: 2026-02-20T04:26:23.798Z date: 2026-02-18T12:38:32.940Z
tags: zfs commands tags: zfs commands
editor: markdown editor: markdown
dateCreated: 2026-01-31T15:23:07.585Z dateCreated: 2026-01-31T15:23:07.585Z

View file

@ -2,7 +2,7 @@
title: ZFS-NFS-Exports title: ZFS-NFS-Exports
description: Exporting NFS shares from ZFS datasets description: Exporting NFS shares from ZFS datasets
published: true published: true
date: 2026-02-23T21:58:20.626Z date: 2026-02-23T21:58:11.949Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-01T20:45:40.210Z dateCreated: 2026-02-01T20:45:40.210Z

View file

@ -1,355 +0,0 @@
---
title: Netgrimoire Service Catalog
description: Done or soon to be
published: true
date: 2026-03-29T16:05:32.761Z
tags:
editor: markdown
dateCreated: 2026-03-29T16:05:26.168Z
---
# Netgrimoire Service Catalog
> **Living document** — tracks all deployed, configured, and planned services across the Netgrimoire homelab.
> Source of truth: Forgejo repo — `compose/` = Docker Compose per host | `swarm/` = Docker Swarm | `archive/` = not running
>
> Status: ✅ Deployed & Configured | 🔧 Deployed, Needs Config | 📋 Planned | 🔍 Evaluating | ❌ Abandoned/Archived
---
## 🏗️ Infrastructure Overview
| Host | Role | IP | Runtime |
|------|------|----|---------|
| znas | NAS / Primary Swarm node | 192.168.5.10 | Docker Compose + Swarm manager |
| docker2 | VPN gateway host | — | Docker Compose |
| docker3 | LibreNMS host | — | Docker Compose |
| docker4 (hermes) | Mail server host | 192.168.5.16 | Docker Compose |
| docker5 | Media host | 192.168.5.18 | Docker Compose |
| Pi4s / NUCs | Swarm worker nodes | various | Docker Swarm workers |
---
## 📡 Network & Reverse Proxy
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | OPNsense | Firewall appliance | — | Firewall / Dual-WAN / NAT | ATT igc1 primary; 5 static IPs allocated; legacy WAN retiring |
| 🔧 | Caddy (new) | znas / Swarm | — | Reverse proxy — CrowdSec edition | `serfriz/caddy-crowdsec-geoip-ratelimit-security-dockerproxy`; migration in progress; `caddy.yaml` |
| ✅ | Caddy (legacy) | znas / Swarm | — | Reverse proxy | `lucaslorentz/caddy-docker-proxy`; `caddy-1.yaml` |
| ✅ | Authentik | znas / Swarm | — | SSO / IdP | Protects `*.netgrimoire.com` services |
| ✅ | Authelia | znas / Swarm | — | SSO / IdP | Protects `*.wasted-bandwidth.net` services |
| ✅ | WireGuard | OPNsense | — | VPN | Peers: Obie (.2), pncfishandmore (.3), GLNet (.4/.6), PortaPotty (.5) — 192.168.32.0/24 |
| ✅ | OpenVPN | OPNsense | — | VPN | Configured alongside WireGuard |
| ✅ | Gluetun | docker2 / Compose | — | VPN gateway container | PIA VPN; Jackett + Transmission share `network_mode: container:gluetun` |
| ✅ | Internal DNS | 192.168.5.7 | dns.netgrimoire.com | Internal name resolution | Technitium DNS; behind Authentik |
| ✅ | LLDAP | znas / Swarm | ldap.netgrimoire.com | Lightweight LDAP directory | `lldap/lldap:stable` + postgres; user management backend |
| 📋 | dnscrypt-proxy | TBD | — | Encrypted upstream DNS | Pending install |
| 📋 | Suricata | OPNsense | — | IDS/IPS | Pending config |
| 📋 | Zenarmor | OPNsense | — | Deep packet inspection (free tier) | Pending install |
| 📋 | os-git-backup | OPNsense | — | OPNsense config backup to git | Pending install |
---
## 🔒 Security
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | CrowdSec | OPNsense + Swarm | — | Threat intelligence / IP blocking | OPNsense bouncer active; Caddy bouncer in progress |
| ✅ | Vaultwarden | znas / Swarm | pass.netgrimoire.com | Password manager | `vaultwarden/server` |
| 🔧 | CrowdSec Caddy Bouncer | znas / Swarm | — | HTTP-level blocking | Gradual rollout via `caddy.import=crowdsec` label per service |
| 🔧 | OPNsense Spamhaus + GeoIP | OPNsense | — | IP blocklist / geo-blocking | Currently DISABLED — needs fixing |
| 📋 | YubiKey PIV (SSH) | All hosts | — | Smartcard SSH authentication | Highest-impact pending integration |
| 📋 | YubiKey Challenge-Response | znas | — | LUKS / Kopia key derivation | Planned |
---
## 📧 Email
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | MailCow | docker4 / Compose | mail.netgrimoire.com + all domains | Self-hosted mail server | hermes.netgrimoire.com; MXRoute inbound filter + outbound relay for all 8 domains |
| ✅ | Roundcube | docker4 / Swarm | — | Webmail | SSL peer verify disabled for internal dovecot; SRS catch-all aliases configured |
| ✅ | MXRoute | External | — | Inbound filter + outbound relay | Two DKIM selectors: `mailcow` + `mxroute` |
| 📋 | Dedicated ATT_Mail IP | OPNsense | — | Separate static IP for mail traffic | Assignment still pending |
**Domains:** netgrimoire.com · pncharris.com · nucking-futz.com · wasted-bandwidth.net · florosafd.org · gnarlypandaproductions.com · pncfishandmore.com · pncharrisenterprises.com
---
## 🎬 Media — Video
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Jellyfin | docker5 / Compose | — | Media server | Port 8096; VAAPI via `/dev/dri`; dedicated static IP 107.133.34.147 |
| ✅ | Jellyfinx | docker5 / Compose | — | Green Door media server | Port 7096; separate instance; Green + AfterDark library mounts |
| ✅ | Sonarr | znas / Swarm | — | TV show downloader | `linuxserver/sonarr` |
| ✅ | Radarr | znas / Swarm | — | Movie downloader | `linuxserver/radarr` |
| ✅ | Bazarr | znas / Swarm | bazarr.netgrimoire.com | Subtitle management | `linuxserver/bazarr` |
| ✅ | Tunarr | znas / Swarm | — | IPTV channel creation | `chrisbenincasa/tunarr`; ErsatzTV replacement (ErsatzTV archived Feb 2026) |
| ✅ | JellySeerr | znas / Swarm | requests.netgrimoire.com | Media request management | `fallenbagel/jellyseerr` |
| ✅ | JellyStat | znas / Swarm | — | Jellyfin usage statistics | `cyfershepard/jellystat` + postgres |
| ✅ | TinyMediaManager | znas / Swarm | tmm.netgrimoire.com | Media metadata manager | `tinymediamanager/tinymediamanager` |
| ✅ | Pinchflat | znas / Swarm | pinchflat.netgrimoire.com | YouTube channel downloader | `kieraneglin/pinchflat` |
| 📋 | MeTube | TBD | — | YouTube downloader | Needed for Tunarr period-accurate filler sourcing workflow |
| 🔍 | Wizarr | TBD | — | Jellyfin user onboarding | Evaluating |
---
## 🎵 Media — Audio
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Lidarr | znas / Swarm | — | Music downloader | (Caddy label not found in yaml — likely static Caddyfile entry) |
| ✅ | Beets | znas / Swarm | beets.netgrimoire.com | Music library tagging | `linuxserver/beets` |
| 🔍 | Navidrome | TBD | — | Music streaming server | Lightweight Subsonic-compatible |
| 🔍 | Soularr | TBD | — | Soulseek integration for Lidarr | Strongly recommended; fills gaps Usenet/torrents miss |
| 🔍 | Tubifarry | TBD | — | Spotify playlists → YouTube → Lidarr | https://github.com/TypNull/Tubifarry |
---
## 📚 Media — Books & Comics
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Calibre | znas / Compose | calibre.netgrimoire.com | Ebook library management | `linuxserver/calibre`; port 7070; behind Authentik; requires `seccomp=unconfined` (Compose-only) |
| ✅ | Calibre-Web Automated | znas / Swarm | books.netgrimoire.com · books.pncharris.com | Web UI + auto-import | `crocodilestick/calibre-web-automated`; dual-domain Caddy label |
| ✅ | Calibre-Web (library) | znas / Swarm | — | Secondary Calibre-Web instance | `linuxserver/calibre-web`; hostname `calibre-netgrimoire`; `library.yaml` |
| ✅ | Readarr | znas / Swarm | — | Book downloader | Using `blampe/rreading-glasses` image |
| 📋 | Mylar | znas / Swarm | — | Comic book downloader | Not currently running; needs setup soon. Reference `archive/arr.yaml` for old config |
| ✅ | Kavita | znas / Swarm | kavita.netgrimoire.com | Ebook/comic reader | `jvmilazz0/kavita` |
| ✅ | Comixed | znas / Swarm | comics.netgrimoire.com | Comic library server | `comixed/comixed` |
| ✅ | FreshRSS | znas / Swarm | rss.netgrimoire.com | RSS aggregator | `linuxserver/freshrss` |
| 🔍 | Komga | TBD | — | Comic/manga server | Evaluating vs Kavita/Comixed |
| 🔍 | MyAnonaMouse | TBD | — | Private ebook tracker | Worth investigating |
---
## 📥 Download Stack
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | NZBGet | znas / Swarm | — | Usenet download manager | `linuxserver/nzbget` |
| ✅ | SABnzbd | znas / Swarm | — | Usenet download manager | `linuxserver/sabnzbd` |
| ✅ | NZBHydra | znas / Swarm | hydra.netgrimoire.com | Usenet indexer aggregator | `linuxserver/nzbhydra2:dev`; altHUB, NZBGeek, Drunken Slug, Usenet Crawler, DogNZB |
| ✅ | Jackett | docker2 / Compose | jackett.netgrimoire.com | Torrent indexer | Runs inside Gluetun network; behind Authentik |
| ✅ | Transmission | docker2 / Compose | — | Torrent client | `network_mode: container:gluetun`; shares Gluetun VPN |
| ✅ | Recyclarr | znas / Swarm | — | Sonarr/Radarr quality profile sync | `recyclarr/recyclarr` |
| ✅ | Profilarr | znas / Swarm | profilarr.netgrimoire.com | Quality profile management | `santiagosayshey/profilarr` |
| ✅ | Configarr | znas / Swarm | configarr.netgrimoire.com | Arr config management | `raydak-labs/configarr` |
| 📋 | Prowlarr | TBD | — | Unified indexer manager | Low priority — light torrent usage; NZBHydra covers current needs |
---
## 🤖 AI & Automation (Gremlin Stack)
> All pinned to `znas` node on Docker Swarm via `swarm/ollama.yaml`.
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Ollama | znas / Swarm | — | Local LLM inference | CPU-only (Ryzen); 3B14B models |
| ✅ | Open WebUI | znas / Swarm | — | Chat interface for Ollama | `ghcr.io/open-webui/open-webui` |
| ✅ | Qdrant | znas / Swarm | — | Vector database for RAG | Wiki.js / markdown doc search |
| ✅ | n8n | znas / Swarm | — | Workflow automation | Forgejo webhook → doc gen, compose validation, alert triage |
| 🔍 | Perplexica | TBD | — | Self-hosted AI search | https://github.com/ItzCrazyKns/Perplexica |
---
## ☁️ Files, Notes & Personal Apps
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Nextcloud AIO | znas / Compose | cloud.netgrimoire.com | File sync / cloud storage | `nextcloud/all-in-one`; data at `/srv/NextCloud-AIO`; Caddy → port 11000 |
| ✅ | Immich | znas / Compose | immich.netgrimoire.com | Photo management | Port 2283; Postgres dump + Kopia backup; external photo + Nextcloud mounts |
| ✅ | Joplin Server | znas / Swarm | joplin.netgrimoire.com | Note sync server | `joplin/server` + postgres; Homepage widget configured |
| ✅ | Vikunja | znas / Swarm | task.netgrimoire.com | Task management | `vikunja/vikunja` + MariaDB |
| ✅ | Linkding | znas / Swarm | link.netgrimoire.com | Bookmark manager | `sissbruecker/linkding:1.13.0` |
| ✅ | Mealie | znas / Swarm | recipe.netgrimoire.com | Recipe manager | `ghcr.io/mealie-recipes/mealie` |
| ✅ | Wallos | znas / Swarm | expense.netgrimoire.com | Subscription / expense tracker | `bellamy/wallos` |
| ✅ | DailyTxT | znas / Swarm | — | Encrypted diary | `phitux/dailytxt:2.x.x` |
| ✅ | Bigcapital | docker5 / Compose | accounts.netgrimoire.com | Accounting / invoicing | Static Caddyfile entry; `{{upstreams}}` doesn't work for Compose stacks |
| ✅ | Scanopy | znas / Swarm | scn.netgrimoire.com | Document scanner | `ghcr.io/scanopy/scanopy` (server + daemon) + postgres |
| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
| 📋 | Memos | TBD | — | Self-hosted journaling | Preferred journal addition (alongside Joplin for notes) |
| 🔍 | Wallabag | TBD | — | Read-it-later / article saving | |
| 🔍 | Fluid Calendar | TBD | — | Self-hosted calendar | https://github.com/dotnetfactory/fluid-calendar |
| 🔍 | Firefly III | TBD | — | Personal finance / budgeting | |
| 🔍 | Stirling-PDF | TBD | — | PDF editor / tools | |
| 🔍 | Excalidraw | TBD | — | Collaborative whiteboard | |
| 🔍 | Baikal | TBD | — | CalDAV / CardDAV sync | https://sabre.io/baikal/ |
---
## 📝 Documentation & Dev
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Wiki.js | znas / Swarm | wiki.netgrimoire.com | Documentation wiki | `requarks/wiki:2` + postgres; Grimoire theme; Forgejo git backend |
| ✅ | Draw.io | znas / Swarm | draw.netgrimoire.com | Diagramming | `jgraph/drawio`; co-deployed in `wiki.yaml` |
| ✅ | Forgejo | znas / Swarm | git.netgrimoire.com | Self-hosted Git | `codeberg.org/forgejo/forgejo:11`; source of truth for Wiki.js + Gremlin |
| ✅ | Forgejo Runner | znas / Swarm | — | CI/CD | `data.forgejo.org/forgejo/runner:4.0.0`; `gitrunner.yaml` |
| ✅ | VS Code Server | znas / Swarm | code.netgrimoire.com | Web-based IDE | `linuxserver/code-server` |
| ✅ | Webtop (ubuntu-kde) | znas / Compose | webtop.netgrimoire.com | Browser-based desktop | Software rendering via llvmpipe; behind Authentik |
| ✅ | Firefox (container) | znas / Swarm | firefox.netgrimoire.com | Containerized browser | `jlesage/firefox` |
---
## 📊 Monitoring & Observability
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Uptime Kuma | znas / Swarm | — | Service uptime monitoring | `louislam/uptime-kuma:1` |
| ✅ | AutoKuma | znas / Swarm | — | Auto-create Kuma monitors from labels | `ghcr.io/bigboot/autokuma`; co-deployed in `kuma.yaml` |
| ✅ | Beszel | znas / Swarm | — | Docker resource monitoring | `henrygd/beszel` hub + agents on all nodes |
| ✅ | DIUN | znas / Swarm | — | Docker image update notifications | `crazymax/diun`; label-based per-service |
| ✅ | ntfy | znas / Swarm | ntfy.netgrimoire.com | Push notifications | `binwiederhier/ntfy`; OPNsense alerts via CrowdSec HTTP plugin |
| ✅ | Dozzle | znas / Swarm | dozzle.netgrimoire.com | Real-time container logs | `amir20/dozzle`; behind Authentik |
| ✅ | Scrutiny | znas / Compose | scrutiny.netgrimoire.com | Disk S.M.A.R.T. monitoring | `analogj/scrutiny:master-omnibus`; monitors /dev/sdasdg; behind Authentik |
| ✅ | Glances | znas / Compose | — | Real-time system stats | `nicolargo/glances`; `network_mode: host`; co-deployed in `monitor.yaml` |
| ✅ | Graylog | docker4 / Compose | log.netgrimoire.com | Log aggregation | Graylog 6.0 + MongoDB 5 + DataNode (OpenSearch); compose-only (noted in file) |
| ✅ | LibreNMS | docker3 / Compose | nms.netgrimoire.com | Network/SNMP monitoring | Full stack: librenms + dispatcher + syslog-ng + snmptrapd + MariaDB + Redis; port 8000 |
| ✅ | Homelable | znas / Compose | — | Infrastructure visualizer | Frontend + Backend via GHCR; MCP deferred (requires build from source) |
| ✅ | phpIPAM | znas / Swarm | ipam.netgrimoire.com | IP address management | `phpipam/phpipam-www` + cron + MariaDB |
| ✅ | Homepage | znas / Swarm | — | Primary dashboard | `ghcr.io/gethomepage/homepage` |
| ✅ | Glance | znas / Swarm | home.netgrimoire.com | Alternative dashboard | `glanceapp/glance` |
| ✅ | Dockpeek | znas / Swarm | dockpeek.netgrimoire.com | Container inspector | `dockpeek/dockpeek` |
| ✅ | Loki + Promtail + Grafana | znas / Swarm | — | Metrics/log stack | `logging.yaml`; Grafana 10.4.2 + Loki 2.9.3 + Promtail 2.9.3 |
| ✅ | phpMyAdmin + phpPgAdmin | znas / Swarm | — | DB admin UIs | `SQL-mgmt.yaml` |
| ✅ | pgAdmin | znas / Swarm | — | Postgres admin | `dpage/pgadmin4`; `database.yaml` |
| 🔍 | WatchYourLAN | TBD | — | Network device tracker | https://github.com/aceberg/WatchYourLAN |
| 🔍 | NUT UPS | TBD | — | UPS power management | https://hub.docker.com/r/instantlinux/nut-upsd |
| 🔍 | OliveTin | TBD | — | Web button → shell command | Run commands from web UI |
| 🔍 | Swarm Dashboard | TBD | — | Docker Swarm visualizer | https://github.com/mohsenasm/swarm-dashboard |
---
## 💾 Storage & Backup
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | OpenZFS (ZNAS) | znas | — | Primary storage | ~94TB raw, two RAIDZ1 VDEVs; vault pool |
| ✅ | NFSv4 | znas | — | Shared storage for Swarm | Loopback NFS at `/data/nfs/znas`; ZFS must fully mount before NFS starts |
| ✅ | Kopia (primary vault) | znas / Swarm | kopia.netgrimoire.com | Primary backup repo | `kopia.yaml`; dedup + replication |
| ✅ | Kopia (offsite vault) | znas / Swarm | vault.netgrimoire.com | Offsite replication server | `vault.yaml`; port 51516; separate dataset → ZFS raw send to Pi vaults |
| ✅ | syncoid | znas | — | ZFS replication | Syncs vault/Green/Pocket → Pocket Grimoire |
| ✅ | Nextcloud AIO BorgBackup | znas | — | Nextcloud-native backup | Local snapshots before Kopia |
| ✅ | Czkawka | znas / Swarm | dupes.netgrimoire.com | Duplicate file finder | `jlesage/czkawka` |
| ✅ | Cloud Commander | znas / Swarm | — | Web file manager | `coderaiser/cloudcmd`; **two instances** (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional |
| ✅ | File Browser | znas / Swarm | — | Web file manager | `filebrowser/filebrowser` |
| 🔍 | Manyfold | TBD | — | 3D print model collector | https://github.com/manyfold3d/manyfold |
---
## 🖥️ Management & Remote Access
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Portainer | znas / Swarm | docker.netgrimoire.com | Container management UI | `portainer/portainer-ce:2.33.6` + agents on all nodes |
| ✅ | ISPConfig | 192.168.4.11 | — | Web/DNS hosting control panel | |
| ✅ | Cockpit | All hosts | win.netgrimoire.com | Linux server management | Caddy → `192.168.5.10:8006` |
| ✅ | Termix | znas / Swarm | termix.netgrimoire.com | Web-based terminal | `ghcr.io/lukegus/termix` |
| ✅ | DumbTerm | znas / Swarm | — | Simple web terminal | `dockwareio/dumbterm` |
| ✅ | Windows 7 (VM) | znas / Compose | — | Windows VM | `dockurr/windows`; `windows7.yaml` |
| 🔍 | Guacamole | TBD | — | Remote desktop gateway | Previously tried as `nxterm` — in archive |
| 🔍 | SSHwifty | TBD | — | SSH web client | In archive; reconsidering |
---
## 🎭 Green Door (Adult Content)
> Protected behind Authelia (`*.wasted-bandwidth.net`)
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Whisparr | znas / Swarm | — | Adult content downloader | `ghcr.io/hotio/whisparr` |
| ✅ | Namer | znas / Compose | namer.wasted-bandwidth.net | Scene file namer | `theporndatabase/namer`; port 6980; data → `/data/nfs/Baxter/Green/` |
| ✅ | Stash (main) | znas / Compose | stash.wasted-bandwidth.net | Adult content library | `stashapp/stash`; port 9999 |
| ✅ | PocketStash | znas / Compose | — | Stash for Pocket Grimoire | Separate instance; port 9998; data → `/export/Green/Pocket/`; `pocketstash.yaml` |
---
## 🌐 Web Hosting
| Status | App | Host / Runtime | URL | Purpose | Notes |
|--------|-----|----------------|-----|---------|-------|
| ✅ | Apache/PHP web | znas / Swarm | fish.pncharris.com · www.wasted-bandwidth.net | Static/PHP web hosting | `php:8.2-apache`; `web.yaml`; replicas: 1 |
---
## 📦 Archive (Not Currently Running)
> Files in `archive/` — previously evaluated or deployed, not currently active.
| App | File | Notes |
|-----|------|-------|
| Plex | `plex.yaml` | Replaced by Jellyfin |
| Komodo | `komodo.yaml` | Container management platform — evaluated, not deployed |
| cAdvisor | `cadvisor.yaml` | Container metrics — not deployed |
| Peekaping | `peekaping.yaml` | Uptime monitor — Kuma preferred |
| WatchState | `WatchState.yaml` | Jellyfin/Plex watch state sync |
| Nessus | `nessus.yaml` | Vulnerability scanner — evaluated |
| NxTerm | `nxterm.yaml` | Guacamole-style remote desktop — evaluated |
| SSHwifty | `sshwifty.yaml` | SSH web client — evaluated |
| Wordpress Classifieds | `wordpress-classifieds.yaml` | Not deployed |
| Cal (calendar?) | `cal.yaml` | Evaluated |
| CrowdSec (standalone) | `crowdsec.yaml` | Merged into Caddy stack |
| Arr stack | `arr.yaml` | Old consolidated arr compose — superseded by individual yamls |
| Caddyfile.old | `Caddyfile.old` | Legacy Caddyfile |
---
## 🗃️ Ideas Backlog
| App | Category | Notes |
|-----|----------|-------|
| Soularr | Audio | Soulseek for Lidarr; strongly recommended |
| Tubifarry | Audio | Spotify → YouTube → Lidarr |
| MeTube | Video | YouTube downloader for Tunarr filler |
| Memos | Journal | Preferred self-hosted journal pick |
| Wallabag | Reading | Read-it-later |
| Firefly III | Finance | Budgeting |
| Baikal | PIM | CalDAV/CardDAV |
| Fluid Calendar | PIM | https://github.com/dotnetfactory/fluid-calendar |
| Perplexica | AI | Self-hosted AI search |
| WatchYourLAN | Network | Device tracker |
| OliveTin | Automation | Web UI → shell commands |
| Swarm Dashboard | Monitoring | Swarm-aware visualizer |
| ContainerNursery | Automation | On-demand container start/stop |
| NUT UPS | Power | UPS management |
| Wire-pod for Vector | IoT | Anki Vector local server |
| Kindle reuse | IoT | Repurpose Kindle as weather/info display |
| Collectarr | Media | https://github.com/RiffSphere/Collectarr |
| SuggestArr | Media | Automated media recommendations |
| Recommendarr | Media | AI media recommendations |
| Manyfold | 3D Print | Model library |
| OrcaSlicer | 3D Print | Slicer web UI |
| Memos / Journiv | Journal | Self-hosted journaling (Memos preferred) |
| Romm | Gaming | ROM library manager |
| EmulatorJS | Gaming | Browser-based emulation |
---
## 🔑 Key Architecture Decisions & Gotchas
> Reference these before deploying or modifying services.
- **MailCow network isolation:** Only `nginx-mailcow` on the `netgrimoire` overlay. All other containers stay on internal bridge. Mixing causes PHP-FPM → Redis DNS conflicts.
- **caddy-docker-proxy + static Caddyfile conflict:** Never manage the same hostname via both Docker labels AND a static block. Pick one method exclusively per service.
- **`{{upstreams}}` is Swarm-only:** Does not work for Docker Compose stacks. Use static Caddyfile with container name or pinned IP.
- **Docker Compose `ports: []` override:** Does not nullify ports from base file. Remap to unused host ports instead.
- **Graylog is Compose-only:** The `graylog.yaml` file explicitly notes this — do not attempt to run it in Swarm.
- **Calibre requires `seccomp=unconfined`:** Necessary for the desktop app container; incompatible with Swarm mode — must remain in `compose/znas/`.
- **Kopia repos not ZFS-separable:** Use separate repositories with independent retention (`kopia.yaml` vs `vault.yaml`) rather than trying to separate at the ZFS snapshot level.
- **ZFS encryption:** In-place encryption impossible. Use rsync migration + `-w` flag for raw send to Pi vaults (no key needed on vault side).
- **SRS rewrite:** All domains using MXRoute inbound forwarding require catch-all aliases in MailCow to prevent `reject_unlisted_sender` rejections.
- **Docker Swarm DNS caching:** Use `endpoint_mode: dnsrr` for internal services; VIP only for published-port services.
- **NFS boot ordering on znas:** ZFS must fully mount before NFS starts — systemd override required (`After=zfs-import.target zfs-mount.service`). Loopback NFS mount needs `x-systemd.after=nfs-server.service` in fstab.
- **Wiki.js angle brackets:** `<value>` placeholders cause rendering hangs. Use `VALUE` or backtick format instead.
- **bcrypt in `.env`:** Wrap full hash in single quotes to preserve leading `$`.
- **Webtop GPU rendering:** Requires `LIBGL_ALWAYS_SOFTWARE=1` + `GALLIUM_DRIVER=llvmpipe`; remove `devices:/dev/dri` mapping.
- **Cloud Commander duplication:** Two nearly identical `coderaiser/cloudcmd` stacks exist (`cloudcmd.yaml` + `commander.yaml`) — verify if intentional or a duplicate to clean up.
- **Lidarr missing Caddy label:** Lidarr yaml has no caddy label — either routed via static Caddyfile or not yet exposed. Confirm and standardize.
---
*Last updated: March 2026 | Source: Forgejo repo git archive*
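
Review bot: the Monitoring, Storage and Management tables do not say what authenticates most of the exposed admin surfaces. Dozzle, Scrutiny and Webtop are marked "behind Authentik", but Portainer (docker.netgrimoire.com), Termix (termix.netgrimoire.com), Czkawka (dupes.netgrimoire.com), phpIPAM, Dockpeek, and the URL-less rows for DumbTerm, Cloud Commander, File Browser, phpMyAdmin + phpPgAdmin and pgAdmin carry no note either way. Add an explicit auth or exposure column so a reader can tell "not published" from "published without SSO". Two rows also look wrong as written: Cockpit is listed for "All hosts" yet points at a single upstream, `192.168.5.10:8006`, under `win.netgrimoire.com`, and Scrutiny's `/dev/sdasdg` reads like a device range that lost its separator. The last two bullets under Key Architecture Decisions (Cloud Commander duplication, Lidarr missing Caddy label) are open questions rather than decisions and would be better tracked as issues.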

View file

@ -2,7 +2,7 @@
title: Nexus Upgrade port Breakout title: Nexus Upgrade port Breakout
description: description:
published: true published: true
date: 2026-02-20T19:24:28.054Z date: 2026-02-20T19:24:19.622Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-19T20:55:53.800Z dateCreated: 2026-02-19T20:55:53.800Z
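
Review bot: the `date:` value goes backwards here, from `2026-02-20T19:24:28.054Z` to `2026-02-20T19:24:19.622Z`, with `title`, `published` and `dateCreated` unchanged, which suggests the two sides of this compare are swapped or that an older export is overwriting a newer save. Given the "entirely different histories" notice at the top of the page, confirm which commit is meant to be the base before merging, since the same direction would turn the large file removals further down into unintended deletions.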

View file

@ -2,7 +2,7 @@
title: C9300GX Initial Build title: C9300GX Initial Build
description: description:
published: true published: true
date: 2026-02-19T20:54:08.096Z date: 2026-02-19T20:53:59.281Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-19T20:50:41.541Z dateCreated: 2026-02-19T20:50:41.541Z

View file

@ -1,899 +0,0 @@
---
title: ESS9300 NTP
description:
published: true
date: 2026-03-31T21:25:14.679Z
tags:
editor: markdown
dateCreated: 2026-03-31T21:25:08.700Z
---
# Cisco ESS 9300 (IE-9300) NTP Configuration and Troubleshooting Guide
## Overview
This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Catalyst ESS 9300 (IE-9300) industrial Ethernet switch running IOS-XE. Accurate time synchronization is critical for logging, AAA, certificates, syslog correlation, and distributed system troubleshooting.
---
## NTP Configuration
### Basic NTP Server Configuration
```cisco
configure terminal
! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer
ntp server 10.1.1.11
ntp server 192.0.2.1
! Configure NTP source interface (optional but recommended)
ntp source GigabitEthernet1/1
! Alternatively, use management interface if configured
! ntp source GigabitEthernet0/0
! Set timezone (adjust to your location)
clock timezone EST -5 0
! Configure daylight saving time (if applicable)
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Save configuration
end
write memory
```
### NTP Authentication (Recommended for Production)
```cisco
configure terminal
! Enable NTP authentication
ntp authenticate
! Create authentication keys (key ID 1-65535)
ntp authentication-key 1 md5 YourSecureKey123
ntp authentication-key 2 md5 AnotherSecureKey456
! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2
! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer key 1
ntp server 10.1.1.11 key 2
end
write memory
```
### NTP Access Control (Security Best Practice)
```cisco
configure terminal
! Define access control for NTP
! peer: Allow time sync from these sources
! serve: Respond to time requests from these sources
! serve-only: Respond to requests but don't sync from them
! query-only: Allow status queries only
ntp access-group peer 10
ntp access-group serve 20
ntp access-group query-only 30
! Create access lists
access-list 10 remark NTP Peers - Allow sync
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 20 remark NTP Serve - Respond to requests
access-list 20 permit 10.0.0.0 0.255.255.255
access-list 30 remark NTP Query - Status queries only
access-list 30 permit 192.168.0.0 0.0.255.255
end
write memory
```
### NTP Master Configuration (Switch as Time Source)
```cisco
configure terminal
! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8
! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest, typically atomic clocks)
! Use stratum 8-15 for internal masters
end
write memory
```
### Advanced NTP Configuration
```cisco
configure terminal
! Update calendar from NTP (hardware clock sync)
ntp update-calendar
! Disable NTP on specific interfaces (if needed)
interface GigabitEthernet1/10
ntp disable
exit
! Configure NTP broadcast (server mode)
interface GigabitEthernet1/1
ntp broadcast
exit
! Configure NTP broadcast client (client mode)
interface GigabitEthernet1/2
ntp broadcast client
exit
! Configure NTP logging
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
```
---
## Verification Commands
### Check NTP Status
```cisco
! Show NTP status summary
show ntp status
! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0008 Hz, precision is 2**10
! ntp uptime is 86400 (1/100 of seconds), resolution is 4016
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.5234 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
! loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000008234 s/s
! system poll interval is 64, last update was 25 sec ago
```
### Check NTP Associations
```cisco
! Show all NTP associations (peers)
show ntp associations
! Detailed view
show ntp associations detail
! Column descriptions:
! * = synchronized, + = candidate, # = selected, - = outlier
! address: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval (seconds)
! reach: reachability (377 octal = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! disp: dispersion/jitter (ms)
```
### Check Clock and Time
```cisco
! Display current time
show clock
! Display detailed clock information
show clock detail
! Show calendar (hardware clock)
show calendar
```
### Check NTP Configuration
```cisco
! Show all NTP configuration
show ntp config
! Show running NTP configuration
show running-config | include ntp
show running-config | include clock
```
### Check NTP Authentication
```cisco
! Show authentication keys (hashed)
show ntp authentication-keys
! Show authentication status
show ntp status | include authentication
```
---
## Common Configuration Examples
### Example 1: Industrial Network Configuration
```cisco
configure terminal
! Use site NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
ntp server 10.100.1.12
! Use primary uplink as source
ntp source GigabitEthernet1/1
! Central Standard Time
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
! Sync hardware clock
ntp update-calendar
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
end
write memory
```
### Example 2: Secure Configuration with Authentication
```cisco
configure terminal
! Enable NTP authentication
ntp authenticate
ntp authentication-key 10 md5 Ind_NTP_K3y_2024
ntp trusted-key 10
! Configure authenticated servers
ntp server 10.100.1.10 prefer key 10
ntp server 10.100.1.11 key 10
! Access control
ntp access-group peer 10
ntp access-group query-only 30
access-list 10 remark NTP Peers
access-list 10 permit 10.100.1.0 0.0.0.255
access-list 30 remark NTP Query
access-list 30 permit 10.100.0.0 0.0.255.255
! Source and timezone
ntp source GigabitEthernet1/1
clock timezone CST -6 0
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
service timestamps log datetime msec localtime show-timezone
end
write memory
```
### Example 3: Redundant Time Source with Fallback
```cisco
configure terminal
! Primary NTP servers
ntp server 10.100.1.10 prefer
ntp server 10.100.1.11
! Fallback to public NTP if internal servers fail
ntp server 129.6.15.28
ntp server 132.163.96.1
! Use as master only if all external sources fail
ntp master 10
ntp source GigabitEthernet1/1
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ntp update-calendar
end
write memory
```
---
## Troubleshooting Guide
### Issue: NTP Not Synchronizing
**Symptoms:**
- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (*) appears in `show ntp associations`
- "unsynchronized" appears in status output
**Troubleshooting Steps:**
1. **Verify NTP servers are configured:**
```cisco
show running-config | include ntp server
```
2. **Check network connectivity to NTP servers:**
```cisco
ping 10.1.1.10
ping 10.1.1.10 source GigabitEthernet1/1
traceroute 10.1.1.10
```
3. **Verify NTP packets are being exchanged:**
```cisco
show ntp associations detail
! Check 'reach' value - should be 377 (octal) = all attempts successful
! Check 'when' value - should be recent (< poll interval)
```
4. **Check for authentication mismatches:**
```cisco
show ntp status
! Look for authentication errors
debug ntp all
! Watch for authentication failures
undebug all
```
5. **Verify access lists aren't blocking NTP:**
```cisco
show access-lists
! NTP uses UDP port 123
! Verify ACLs allow UDP 123 traffic
```
6. **Check for large time offset:**
```cisco
show ntp associations detail
! If offset > 1000 seconds, manually set clock first
clock set 14:30:00 15 January 2024
```
7. **Verify source interface is up:**
```cisco
show ip interface brief | include GigabitEthernet1/1
! Source interface must be up/up
```
### Issue: High Offset or Jitter
**Symptoms:**
- Time drifts significantly
- High offset values in `show ntp associations`
- Inconsistent time across devices
**Troubleshooting Steps:**
1. **Check network latency and stability:**
```cisco
ping 10.1.1.10 repeat 100
! Look for:
! - Packet loss (should be 0%)
! - High round-trip time (> 100ms problematic)
! - Variable latency (jitter)
```
2. **Verify stratum levels:**
```cisco
show ntp associations
! Stratum (st) should be:
! - < 10 for reliable servers
! - Lower is better (1 = atomic clock, 2 = GPS)
! - Your switch should be stratum +1 from source
```
3. **Increase number of NTP servers:**
```cisco
! Use at least 3 servers for best accuracy
! NTP uses voting algorithm to select best time source
configure terminal
ntp server 10.1.1.12
ntp server 10.1.1.13
```
4. **Check upstream NTP server health:**
```cisco
show ntp associations detail
! Verify servers show:
! - condition = 'sys.peer' or 'candidate'
! - reach = 377
! - Low dispersion (disp)
```
5. **Monitor polling interval:**
```cisco
show ntp associations
! Poll interval should stabilize at 64-1024 seconds
! Frequent changes indicate instability
```
### Issue: Authentication Failures
**Symptoms:**
- Peers show as unreachable despite network connectivity
- NTP status shows authentication errors
- Reach value remains 0
**Troubleshooting Steps:**
1. **Verify authentication is enabled:**
```cisco
show ntp status | include authentication
! Should show: "authentication enabled"
```
2. **Check authentication keys are configured:**
```cisco
show ntp authentication-keys
! Verify key IDs exist
```
3. **Verify trusted keys:**
```cisco
show running-config | include ntp trusted-key
! Keys must be marked as trusted
```
4. **Confirm server configuration uses correct key:**
```cisco
show running-config | include ntp server
! Verify key ID matches trusted key
```
5. **Debug authentication:**
```cisco
debug ntp authentication
debug ntp validity
! Watch for authentication failures
! Look for key mismatches
undebug all
```
6. **Temporarily disable authentication to test:**
```cisco
configure terminal
no ntp authenticate
! Test if synchronization works without auth
! Then re-enable:
ntp authenticate
```
### Issue: Time Correct but Timezone Wrong
**Symptoms:**
- NTP shows synchronized
- Time is off by exact number of hours
- Logs show incorrect time
**Troubleshooting Steps:**
1. **Verify timezone configuration:**
```cisco
show running-config | include clock timezone
! Ensure timezone offset is correct for your location
```
2. **Check daylight saving time:**
```cisco
show clock detail
! Verify DST rules are correct
! Look for summer-time configuration
```
3. **Reconfigure timezone if needed:**
```cisco
configure terminal
clock timezone EST -5 0
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
```
4. **Verify timestamps in logs:**
```cisco
show running-config | include service timestamps
! Should include 'localtime' and 'show-timezone'
```
### Issue: Hardware Clock Not Updating
**Symptoms:**
- `show clock` shows correct time
- `show calendar` shows old time
- Time resets after reload
**Troubleshooting Steps:**
1. **Verify update-calendar is configured:**
```cisco
show running-config | include ntp update-calendar
```
2. **Manually update calendar:**
```cisco
ntp update-calendar
! Or manually:
clock update-calendar
```
3. **Check calendar after sync:**
```cisco
show calendar
show clock
! Should match within a few seconds
```
4. **Configure automatic update:**
```cisco
configure terminal
ntp update-calendar
end
write memory
```
### Issue: NTP Works but Stops After Time
**Symptoms:**
- NTP synchronizes initially
- Loses sync after hours/days
- Reach value degrades over time
**Troubleshooting Steps:**
1. **Check for network instability:**
```cisco
show ntp associations detail
! Monitor 'reach' value over time
! Should remain at 377
```
2. **Verify interface stability:**
```cisco
show interface GigabitEthernet1/1
! Check for errors, resets, or flapping
```
3. **Check for routing changes:**
```cisco
show ip route 10.1.1.10
! Verify consistent route to NTP server
```
4. **Monitor NTP server health:**
```cisco
! Check if NTP server itself is stable
show ntp associations detail
! Look for increasing dispersion
```
5. **Check for memory or CPU issues:**
```cisco
show processes cpu sorted
show processes memory sorted
! High CPU or memory can affect NTP
```
---
## Best Practices
### Redundancy
- Configure at least **3 NTP servers** for optimal accuracy and fault tolerance
- Use diverse network paths to NTP servers when possible
- Consider geographic diversity for enterprise deployments
- Use both on-site and off-site NTP sources
### Security
- **Always use NTP authentication** in production industrial environments
- Implement access control lists to restrict NTP access
- Use MD5 authentication keys with strong passwords
- Regularly rotate authentication keys (annually recommended)
- Monitor for NTP-based attacks (amplification, spoofing)
### Performance
- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal for enterprise)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2 instead)
- Ensure stable network path to NTP servers
### Industrial Environment Considerations
- Account for temperature variations in industrial settings
- Use ruggedized NTP appliances in harsh environments
- Consider GPS-based NTP servers for isolated sites
- Implement redundant time sources for critical applications
- Test NTP resilience during network outages
### Maintenance
- Regularly verify NTP synchronization status (daily)
- Monitor offset and jitter values (weekly)
- Review NTP logs for anomalies
- Update authentication keys periodically
- Document your NTP server hierarchy
- Test failover scenarios
### Time Initialization
- When first configuring, manually set clock to within 1000 seconds
- NTP will refuse to sync if initial offset is too large
- Use `clock set` command before enabling NTP on new switches
- Allow 10-15 minutes for initial synchronization
- Monitor stabilization with `show ntp associations`
---
## Monitoring and Logging
### Regular Health Checks
```cisco
! Daily verification
show ntp status | include Clock
show ntp associations | include "\*"
! Weekly detailed check
show ntp associations detail
show clock detail
! Check for errors
show logging | include NTP
```
### Enable SNMP Monitoring
```cisco
configure terminal
! Enable SNMP for NTP monitoring
snmp-server enable traps ntp
! Configure SNMP trap receiver
snmp-server host 10.1.1.100 version 2c YourCommunity
end
write memory
```
### Syslog Monitoring
```cisco
configure terminal
! Configure syslog server
logging host 10.1.1.50
! Set logging level
logging trap informational
! Enable timestamps
service timestamps log datetime msec localtime show-timezone
end
write memory
```
### EEM Script for NTP Monitoring
```cisco
configure terminal
! Create EEM applet to monitor NTP
event manager applet NTP-Monitor
event timer watchdog time 300
action 1.0 cli command "enable"
action 2.0 cli command "show ntp status | include Clock"
action 3.0 regexp "unsynchronized" "$_cli_result"
action 4.0 if $_regexp_result eq 1
action 4.1 syslog msg "NTP ALERT: Clock is unsynchronized"
action 4.2 cli command "show ntp associations"
action 5.0 end
end
write memory
```
---
## Debug Commands
### NTP Debugging
```cisco
! Enable NTP debugging (use with caution in production)
debug ntp all
debug ntp authentication
debug ntp events
debug ntp packets
debug ntp validity
! Disable debugging
undebug all
! Or
no debug all
```
### Conditional Debugging
```cisco
! Debug specific NTP server
debug ntp packets 10.1.1.10
! View debug output
terminal monitor
! Then enable debugging
```
**Warning:** Debugging can generate significant CPU load. Use sparingly in production and disable when troubleshooting is complete.
---
## Quick Reference Commands
| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp associations` | List all NTP peers and sync status |
| `show ntp associations detail` | Detailed peer statistics |
| `show clock` | Current system time |
| `show clock detail` | Time with timezone and DST info |
| `show calendar` | Hardware clock time |
| `show running-config \| include ntp` | Display NTP configuration |
| `show running-config \| include clock` | Display time configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `ntp update-calendar` | Sync hardware clock from system |
| `clock update-calendar` | Alternative calendar sync |
| `clock set HH:MM:SS DD Month YYYY` | Manually set system time |
---
## IOS-XE Specific Features
### NTP Broadcast
The ESS 9300 running IOS-XE supports NTP broadcast mode:
```cisco
! Server sends periodic broadcasts
interface GigabitEthernet1/1
ntp broadcast
exit
! Client receives broadcasts
interface GigabitEthernet1/2
ntp broadcast client
exit
```
### NTP Multicast
```cisco
! Server sends to multicast group
interface GigabitEthernet1/1
ntp multicast 224.0.1.1
exit
! Client receives multicast
interface GigabitEthernet1/2
ntp multicast client 224.0.1.1
exit
```
### IPv6 NTP Support
```cisco
configure terminal
! IPv6 NTP server
ntp server 2001:db8::10 prefer
! IPv6 source interface
ntp source Vlan100
end
write memory
```
---
## Appendix: Public NTP Servers
### NIST (US Government)
- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `129.6.15.29` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado
- `132.163.96.2` - NIST, Boulder, Colorado
### US Naval Observatory
- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil
### NTP Pool Project
- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`
### Regional Pools
- `0.north-america.pool.ntp.org`
- `0.us.pool.ntp.org`
**Note:** For production industrial use, deploy internal GPS-synchronized NTP servers rather than having all devices query public servers directly. This improves reliability, reduces external dependencies, and provides better time accuracy.
---
## Integration with Industrial Protocols
### PTP (Precision Time Protocol) Coexistence
The ESS 9300 supports both NTP and PTP (IEEE 1588). Best practices:
- Use **PTP for sub-microsecond precision** (automation, motion control)
- Use **NTP for general timekeeping** (logging, AAA, management)
- Keep NTP and PTP on separate VLANs if possible
- Use NTP for non-critical devices
- Reserve PTP for time-critical industrial applications
### Synchronization with PLCs and SCADA
```cisco
! Configure NTP to serve time to industrial devices
configure terminal
ntp master 3
ntp source GigabitEthernet1/1
! Allow SCADA network to query time
ntp access-group serve 20
access-list 20 permit 10.50.0.0 0.0.255.255
end
write memory
```
---
## Differences from Nexus NX-OS
Key differences when coming from Nexus switches:
| Feature | Nexus (NX-OS) | ESS 9300 (IOS-XE) |
|---------|---------------|-------------------|
| VRF syntax | `use-vrf management` | Not required (use `source` instead) |
| Feature enable | `feature ntp` | Not required (built-in) |
| Calendar sync | N/A | `ntp update-calendar` |
| Save config | `copy run start` | `write memory` or `copy run start` |
| Auth key type | MD5 with type 7 | MD5 (auto-encrypted) |
| Interface naming | `mgmt0` | `GigabitEthernet0/0` |
---
## Document Information
**Target Platform:** Cisco Catalyst ESS 9300 (IE-9300)
**Operating System:** IOS-XE
**IOS-XE Versions:** 17.x
**Last Updated:** March 2026
**Document Purpose:** Configuration reference and troubleshooting guide for industrial Ethernet environments
For Cisco IOS-XE command reference, consult the official Cisco documentation for your specific software version.
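
Review bot: the "NTP Access Control" block contradicts the "Basic NTP Server Configuration" block. `ntp access-group peer 10` with `access-list 10 permit 10.1.1.0 0.0.0.255` leaves `ntp server 192.0.2.1` outside every listed access group, so a reader who applies both sections as written would stop accepting time from that server. If this page is being relocated rather than retired by the `-1,899 +0,0` removal, widen access-list 10 or drop the third server before it is re-added. Example 3 has a related gap: the fallback servers `129.6.15.28` and `132.163.96.1` are configured without `key` and with no `ntp authenticate`, although the Best Practices section says to always use NTP authentication in production, so the example should say that the public fallback is unauthenticated. The sample keys (`YourSecureKey123`, `Ind_NTP_K3y_2024`) and the SNMP community `YourCommunity` should be marked as placeholders, and troubleshooting step 6 under "Authentication Failures" should end with `end` so that `no ntp authenticate` is not left in place by accident.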

View file

@ -1,518 +0,0 @@
---
title: NTP Deep dive on the Nexus
description: Config and troubleshoot
published: true
date: 2026-03-31T20:46:08.474Z
tags:
editor: markdown
dateCreated: 2026-03-31T20:45:58.287Z
---
# Cisco Nexus 93180 NTP Configuration and Troubleshooting Guide
## Overview
This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Nexus 93180 switch running NX-OS. Accurate time synchronization is critical for logging, AAA, certificates, and distributed system correlation.
---
## NTP Configuration
### Basic NTP Server Configuration
configure terminal
! Enable NTP feature (if not already enabled)
feature ntp
! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer use-vrf management
ntp server 10.1.1.11 use-vrf management
ntp server 192.0.2.1 use-vrf default
! Configure NTP source interface (optional but recommended)
ntp source-interface mgmt0
! Set timezone (adjust to your location)
clock timezone EST -5 0
! Configure daylight saving time (if applicable)
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
! Save configuration
copy running-config startup-config
### NTP Authentication (Recommended for Production)
configure terminal
! Enable NTP authentication
ntp authenticate
! Create authentication keys
ntp authentication-key 1 md5 YourSecureKey123 7
ntp authentication-key 2 md5 AnotherSecureKey456 7
! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2
! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer use-vrf management key 1
ntp server 10.1.1.11 use-vrf management key 2
copy running-config startup-config
### NTP Access Control (Security Best Practice)
configure terminal
! Define access control for NTP
! peer: Allow sync and queries
! serve: Respond to queries only
! serve-only: Respond to queries but don't sync
! query-only: Allow queries only
ntp access-group peer PeerACL
ntp access-group serve ServeACL
ntp access-group query-only QueryACL
! Create ACLs
ip access-list NTP-Peers
10 permit ip 10.1.1.0/24 any
20 deny ip any any
ip access-list NTP-Serve
10 permit ip 10.0.0.0/8 any
20 deny ip any any
copy running-config startup-config
### NTP Master Configuration (Switch as Time Source)
configure terminal
! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8
! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest)
copy running-config startup-config
### Logging NTP Events
configure terminal
! Enable logging for NTP
ntp logging
! Adjust logging level if needed
logging level ntp 6
copy running-config startup-config
---
## Verification Commands
### Check NTP Status
! Show NTP status summary
show ntp status
! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0010 Hz, precision is 2**18
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.0023 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec
### Check NTP Peers
! Show all NTP peers and their status
show ntp peers
! Column descriptions:
! * = synchronized, + = candidate, # = selected
! remote: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval
! reach: reachability (377 = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! jitter: dispersion (ms)
### Check NTP Statistics
! Show detailed peer statistics
show ntp peer-status
! Show specific peer details
show ntp peer 10.1.1.10
### Check NTP Authentication
! Verify authentication keys
show ntp authentication-keys
! Check authentication status
show ntp authentication-status
### Check Time Configuration
! Display current clock settings
show clock detail
! Show timezone configuration
show running-config | include clock
---
## Common Configuration Examples
### Example 1: Enterprise Configuration with Multiple Servers
configure terminal
feature ntp
! Use company NTP servers in management VRF
ntp server 10.10.1.10 prefer use-vrf management
ntp server 10.10.1.11 use-vrf management
ntp server 10.10.1.12 use-vrf management
! Use public NTP as backup in default VRF
ntp server 129.6.15.28 use-vrf default
ntp server 132.163.96.1 use-vrf default
ntp source-interface mgmt0
clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
ntp logging
copy running-config startup-config
### Example 2: Secure Configuration with Authentication
configure terminal
feature ntp
ntp authenticate
ntp authentication-key 10 md5 Pr0d_NTP_K3y_2024 7
ntp trusted-key 10
ntp server 10.10.1.10 prefer use-vrf management key 10
ntp server 10.10.1.11 use-vrf management key 10
ntp access-group peer NTP-PEERS
ip access-list NTP-PEERS
10 permit ip 10.10.1.0/24 any
20 deny ip any any log
ntp source-interface mgmt0
ntp logging
clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60
copy running-config startup-config
---
## Troubleshooting Guide
### Issue: NTP Not Synchronizing
**Symptoms:**
- `show ntp status` shows "Clock is unsynchronized"
- No asterisk (*) appears in `show ntp peers`
**Troubleshooting Steps:**
1. **Verify NTP feature is enabled:**
show feature | include ntp
! If disabled:
configure terminal
feature ntp
2. **Check network connectivity to NTP servers:**
ping 10.1.1.10 vrf management
traceroute 10.1.1.10 vrf management
3. **Verify NTP packets are being exchanged:**
show ntp peer-status
! Check 'reach' column - should be 377 (binary 11111111)
! Check 'when' column - should be recent (< poll interval)
4. **Check for authentication mismatches:**
show ntp authentication-status
! Verify keys match between switch and server
5. **Verify correct VRF is configured:**
show running-config | include "ntp server"
! Ensure use-vrf matches your management connectivity
6. **Check firewall/ACL blocking UDP port 123:**
! NTP uses UDP port 123
show ip access-lists
7. **Verify time offset isn't too large:**
! If offset > 1000 seconds, NTP may refuse to sync
! Manually set clock closer to correct time:
clock set 14:30:00 15 January 2024
### Issue: High Offset or Jitter
**Symptoms:**
- Time drifts significantly
- High offset values in `show ntp peers`
**Troubleshooting Steps:**
1. **Check network latency:**
ping 10.1.1.10 vrf management repeat 100
! Look for packet loss and high/variable latency
2. **Verify stratum levels:**
```cisco
show ntp peers
! Stratum should be < 10 for reliable servers
! Lower stratum = more accurate
```
3. **Increase number of NTP servers:**
```cisco
! Use at least 3 servers for best accuracy
! NTP uses voting algorithm with multiple sources
```
4. **Check for upstream NTP issues:**
```cisco
show ntp peer-status
! Verify your NTP servers are synchronized
```
### Issue: Authentication Failures
**Symptoms:**
- Peers show as unreachable despite network connectivity
- Authentication errors in logs
**Troubleshooting Steps:**
1. **Verify authentication is configured on both ends:**
```cisco
show ntp authentication-status
```
2. **Check key ID and values match:**
```cisco
show ntp authentication-keys
! Key number and MD5 hash must match server
```
3. **Verify trusted keys are configured:**
```cisco
show running-config | include "ntp trusted-key"
```
4. **Temporarily disable authentication to test:**
```cisco
configure terminal
no ntp authenticate
! Test connectivity
! Re-enable after testing:
ntp authenticate
```
### Issue: NTP Working but Time Still Wrong
**Symptoms:**
- `show ntp status` shows synchronized
- Clock shows incorrect time
**Troubleshooting Steps:**
1. **Verify timezone configuration:**
```cisco
show running-config | include clock
! Ensure timezone matches your location
```
2. **Check daylight saving time settings:**
```cisco
show clock detail
! Verify DST is configured if applicable
```
3. **Confirm NTP server time is correct:**
```cisco
show ntp peers
! Check offset - should be small (< 100ms typically)
```
### Issue: Cannot Add NTP Server
**Symptoms:**
- Configuration commands rejected
- "Invalid VRF" error
**Troubleshooting Steps:**
1. **Verify VRF exists:**
```cisco
show vrf
! Common VRFs: management, default
```
2. **Check if management interface is configured:**
```cisco
show running-config interface mgmt0
! Ensure IP address and VRF are configured
```
3. **Verify source interface exists:**
```cisco
show interface mgmt0 brief
```
---
## Best Practices
### Redundancy
- Configure at least **3 NTP servers** for optimal accuracy and redundancy
- Use diverse network paths to NTP servers when possible
- Consider using both internal and external NTP sources
### Security
- **Always use NTP authentication** in production environments
- Implement access control lists to limit NTP queries
- Use `use-vrf management` to isolate NTP traffic
- Monitor NTP logs for unusual activity
### Performance
- Use `prefer` keyword on the most reliable/accurate server
- Choose NTP servers with low stratum (2-4 is ideal)
- Select geographically close servers to minimize latency
- Avoid using stratum 1 servers directly (use stratum 2)
### Maintenance
- Regularly verify NTP synchronization status
- Monitor offset and jitter values
- Update authentication keys periodically
- Document your NTP server hierarchy
### Time Initialization
- When first configuring, manually set clock to within 1000 seconds of actual time
- NTP will refuse to sync if offset is too large initially
- Use `clock set` command before enabling NTP on new switches
---
## Monitoring and Logging
### Regular Health Checks
```cisco
! Daily verification
show ntp status | include "Clock is"
show ntp peers | include "\*"
! Weekly detailed check
show ntp peer-status
show clock detail
```
### Enable SNMP Monitoring
```cisco
configure terminal
! Enable SNMP for NTP monitoring
snmp-server enable traps ntp
! Configure SNMP trap receiver
snmp-server host 10.1.1.100 traps version 2c YourCommunity
copy running-config startup-config
```
### Syslog Monitoring
```cisco
configure terminal
! Ensure NTP logging is enabled
ntp logging
! Configure syslog server
logging server 10.1.1.50 6 use-vrf management
! Set appropriate logging level
logging level ntp 6
copy running-config startup-config
```
---
## Quick Reference Commands
| Command | Purpose |
|---------|---------|
| `show ntp status` | Display synchronization status |
| `show ntp peers` | List all NTP peers and sync status |
| `show ntp peer-status` | Detailed peer statistics |
| `show clock detail` | Current time and configuration |
| `show feature \| include ntp` | Verify NTP feature enabled |
| `show running-config \| include ntp` | Display NTP configuration |
| `show ntp authentication-keys` | List configured auth keys |
| `clear ntp statistics` | Reset NTP statistics |
---
## Appendix: Public NTP Servers
### NIST (US Government)
- `129.6.15.28` - NIST, Gaithersburg, Maryland
- `132.163.96.1` - NIST, Boulder, Colorado
### US Naval Observatory
- `192.5.41.40` - tick.usno.navy.mil
- `192.5.41.41` - tock.usno.navy.mil
### NTP Pool Project
- `0.pool.ntp.org`
- `1.pool.ntp.org`
- `2.pool.ntp.org`
- `3.pool.ntp.org`
**Note:** For production use, deploy internal NTP servers synchronized to external sources rather than having all infrastructure devices query public servers directly.
---
## Document Information
**Target Platform:** Cisco Nexus 93180
**NX-OS Versions:** 7.x, 9.x, 10.x
**Last Updated:** March 2026
**Document Purpose:** Configuration reference and troubleshooting guide
For Cisco NX-OS command reference, consult the official Cisco documentation for your specific software version.
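Review bot: In the "NTP Access Control" section, the `ntp access-group` lines reference ACL names that the page never creates: `PeerACL`, `ServeACL` and `QueryACL` are bound, but the ACLs defined directly below are `NTP-Peers` and `NTP-Serve`, and no ACL is defined for query-only at all. If this page is kept or restored elsewhere, use one set of names throughout, as Example 2 does with `NTP-PEERS`, and either define the query-only ACL or drop that line. Two smaller points in the same file. First, the authentication examples put readable strings (`YourSecureKey123`, `Pr0d_NTP_K3y_2024`) in front of a trailing `7`, which on NX-OS marks the key string as already encrypted; drop the `7` for a cleartext example or show an obviously fake encrypted value. Also confirm that none of these strings, or the `YourCommunity` SNMP community, was ever a live secret, because it stays in the repository history after this deletion. Second, the command blocks up to "Check network latency" are unfenced while everything from "Verify stratum levels" onward uses `cisco`-tagged fences, so the first half renders as body text under the headings.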

View file

@ -2,7 +2,7 @@
title: Voyager SW10GG Upgrade title: Voyager SW10GG Upgrade
description: Cisco ESS 9300 description: Cisco ESS 9300
published: true published: true
date: 2026-03-19T15:24:41.320Z date: 2026-03-19T15:24:35.613Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-03-19T15:24:35.613Z dateCreated: 2026-03-19T15:24:35.613Z

View file

@ -2,7 +2,7 @@
title: Voyager SW26G Upgrade title: Voyager SW26G Upgrade
description: Cisco ESS 3300 Upgrade description: Cisco ESS 3300 Upgrade
published: true published: true
date: 2026-03-19T15:46:20.810Z date: 2026-03-19T15:46:15.200Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-03-19T15:46:15.200Z dateCreated: 2026-03-19T15:46:15.200Z

View file

@ -2,7 +2,7 @@
title: Nexus Upgrade title: Nexus Upgrade
description: description:
published: true published: true
date: 2026-02-19T20:37:41.384Z date: 2026-02-19T20:37:32.957Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-19T20:37:32.957Z dateCreated: 2026-02-19T20:37:32.957Z

View file

@ -2,7 +2,7 @@
title: C9300GX-1 Build title: C9300GX-1 Build
description: description:
published: true published: true
date: 2026-02-19T20:47:10.482Z date: 2026-02-19T20:46:00.149Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-19T20:45:10.926Z dateCreated: 2026-02-19T20:45:10.926Z

View file

@ -2,7 +2,7 @@
title: Netgrimoire title: Netgrimoire
description: description:
published: true published: true
date: 2026-02-25T21:48:26.231Z date: 2026-02-25T21:48:20.699Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-01-21T13:19:48.685Z dateCreated: 2026-01-21T13:19:48.685Z

Binary file not shown.
