Homelab — Week of 2026-05-05 → 2026-05-11

Highlights

Pinchflat is out, wytchr is in (Phase 4.9)

• Tore out Pinchflat. Shipped wytchr on top of ytdl-sub-api as the new UI for click-to-download and channel curation.
• wytchr layers free-form prefix:value tags, profile-driven "show only videos newer than X, cap at Y" windows (same source of truth as ytdl-sub's retention), a kanban-by-profile board with drag-or-click reassignment via popup drop slots (sections refuse drops — SortableJS biases "release into empty space"), /tags and /presets admin pages, four food-themed palettes.
• Upstream ytdl-sub-api cut three releases to support it: v2026.5.1 (POST /videos), v2026.5.2 (preset CRUD via ruamel atomic write, comments preserved), v2026.5.3 (Shape-2 channel DELETE fix). Pin lives in compose/ytdl-sub/.env.tpl.
• configs/ytdl-sub/config.yaml is mounted ro in the cron container and rw in the API container; preset CRUD only goes through the API.

Jay's Notes:

Service-status shim landed (Phase 4)

• Glance's "Systems" widget is now a composite (running + backed up + up-to-date). New compose/service-status/ Python shim fans out to update-shim + Prometheus (restic_last_success_timestamp_seconds) + per-service probes/collectors.
• Registry at configs/service-status/services.yml. Runbook at RUNBOOKS/phase-4-service-status.md.
• Backup signal is host-global today — restic snapshots /srv wholesale, so every row shares the same green/red. Per-service attribution deferred.
• Added a system-status Glance widget that consumes the shim.

Jay's Notes:

SearXNG is up (Phase 4.8)

• Self-hosted meta-search at searxng.kjaymiller.dev, tailnet-only behind Traefik. Limiter config in configs/searxng/limiter.toml. scripts/searxng/add-friend.sh for access handoff.

Jay's Notes:

1Password pilot (Phase 5)

• wytchr and ytdl-sub both moved to .env.tpl + just secrets-render, pulling from op://Private/wytcher/credential. Operator runs op locally.
• Runbook drafted at RUNBOOKS/phase-5-1password-migration.md. Broader rollout gated on the auth-model decision (single service account vs. per-service).

Jay's Notes:

Things that AI Forgot to include

Smaller wins

• justfile at the repo root — install dances collapse to one-liners; just secrets-render is the 1Password entry point.
• Restic prune: new restic-prune.service + restic-prune.timer and scripts/restic/prune.sh. Also fixed restic-backup to source the env file in-script instead of systemd's EnvironmentFile= — systemd doesn't expand $VAR inside values, and B2 creds with shell-special chars were silently truncating.
• glancectl helper under scripts/glancectl/ for poking Glance config without hand-editing widget files.
• all-my-favs compose stack started; nothing public yet.
• ytdl-sub circuit breaker now propagates SIGTERM correctly to the coprocess and caps at one video per run while the bot-gate threat model is hot.
• Grafana ytdl-sub dashboard hard-codes live datasource UIDs — provisioned dashboards were picking up a stale UUID after a Loki restart.
• AutoKuma got HTTP-monitor labels on every service in proxy_net. Monitors now check Traefik routing, not just host liveness.
• Glance widgets segmented one-per-file under configs/glance/widgets/, glued by $include.
• Tried splitting docs/ into Diátaxis-style reference/ and explanation/. Reverted the direction — note now in CLAUDE.md: "Decision is intentional; don't 'tidy' it."

In flight / next

• Papra and job-crawler still on the Phase 4 list, still not shipped.
• Zima-side exporters — Zima Blade is a black box to Prometheus.
• Immich proxy route under the same tailnet hostname pattern.
• 1Password auth-model decision before migrating the next service.
• Per-service restic attribution so service-status can name the unbacked service, not just the host.