Release nspawn-vault-v1.0.0-11
nspawn-vault v1.0.0-11
Adds email as a third dead-man's-switch alert channel, alongside the
existing Pushover and Slack alerts. Pushover/Slack stay exactly as they
were (one shared config for the whole vault); email adds per-source-host
recipients against a single shared SMTP relay, since a large fleet needs
different people notified about different source hosts, not one global
recipient list.
- New
SMTP_HOST/SMTP_PORT/SMTP_TLS_MODE/SMTP_USER/SMTP_PASS
/SMTP_FROMkeys innotify.conf(STARTTLS on 587 or implicit TLS on
465, both configurable). - New per-host recipients file:
/etc/nspawn-vault/<host>/notify-email,
one address per line. - New
usr/libexec/nspawn-vault/send-email.sh, a curl-based SMTP sender
shared bycheck-stale.shand nspawn-vault-web's new "send test email"
admin button. check-stale.shnow loops configured hosts/containers instead of
globbing state files directly - needed to know which host a container
belongs to (the state filename alone can't be split back into an
unambiguous host/container pair). Existing per-container Pushover/Slack
alerts are unchanged; email is batched one message per host listing
every problem container, instead of one email per container, to avoid
flooding recipients across a large fleet.
Why
Built for a fleet of roughly 200 source hosts. A single flat alert
recipient list stops working at that scale - different teams/people care
about different hosts, and email is the lowest common denominator every
admin can receive without extra setup.
Verified live
Ran the rewritten check-stale.sh against real production config and
state data on nspawn-vault.vpn.fhd.se (besten.alsike.minten.se,
knorrhane2.alsike.minten.se) - identical OK/ALERT results to before the
rewrite. Also live-tested the shell-quoting on the new SMTP_PASS field
with a $()/backtick injection payload (same class of protection as the
existing Pushover/Slack secrets) - confirmed inert.