Initial commit: cleaned project structure

- Consolidated documentation from Ralph Loop iterations
- Archived 20+ outdated/superseded files to .archive/
- Kept essential docs: OIDC integration, mobile setup, quick start
- Added operational scripts for health monitoring and backup
- Research artifacts preserved in .tasks/artifacts/

Current state:
- 3 VPS sites (fry, proton, photon) ONLINE in Pangolin
- brn-home site pending for local services (Jellyfin, etc.)
- Mobile access configuration pending

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/backup-sso-infrastructure.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+# SSO Infrastructure Backup Script
+# Created by Ralph Loop Iteration 10
+# Backs up all three SSO platforms
+
+set -e
+
+BACKUP_DIR="/srv/backups/sso-$(date +%Y%m%d-%H%M%S)"
+mkdir -p "$BACKUP_DIR"
+
+echo "=========================================="
+echo "SSO Infrastructure Backup"
+echo "=========================================="
+echo "Backup location: $BACKUP_DIR"
+echo ""
+
+# Backup Authentik
+echo "Backing up Authentik..."
+cd /srv/docker/authentik
+sudo docker compose exec -T postgresql pg_dump -U authentik authentik | gzip > "$BACKUP_DIR/authentik-db.sql.gz"
+sudo cp -r ./media "$BACKUP_DIR/authentik-media" 2>/dev/null || echo "No media files"
+sudo cp .env docker-compose.yml "$BACKUP_DIR/"
+echo "✅ Authentik backed up"
+
+# Backup Pangolin
+echo "Backing up Pangolin..."
+cd /srv/docker/pangolin
+sudo docker compose exec -T postgres pg_dump -U pangolin pangolin | gzip > "$BACKUP_DIR/pangolin-db.sql.gz"
+sudo cp config/config.yml .env docker-compose.yml "$BACKUP_DIR/"
+echo "✅ Pangolin backed up"
+
+# Backup Guacamole
+echo "Backing up Guacamole..."
+cd /srv/docker/guacamole
+sudo docker compose exec -T postgres pg_dump -U guacamole guacamole | gzip > "$BACKUP_DIR/guacamole-db.sql.gz"
+sudo cp initdb/initdb.sql .env docker-compose.yml "$BACKUP_DIR/"
+echo "✅ Guacamole backed up"
+
+# Backup Traefik dynamic config
+echo "Backing up Traefik configuration..."
+sudo cp /srv/docker/traefik/traefik_dynamic.yaml "$BACKUP_DIR/"
+echo "✅ Traefik config backed up"
+
+# Create backup manifest
+cat > "$BACKUP_DIR/MANIFEST.txt" << EOF
+SSO Infrastructure Backup
+Created: $(date -Iseconds)
+Hostname: $(hostname)
+
+Contents:
+- authentik-db.sql.gz - Authentik PostgreSQL database
+- authentik-media/ - Authentik media files
+- pangolin-db.sql.gz - Pangolin PostgreSQL database
+- guacamole-db.sql.gz - Guacamole PostgreSQL database
+- config.yml - Pangolin configuration
+- docker-compose.yml files for all services
+- .env files (CONTAINS SECRETS - PROTECT THIS BACKUP)
+- traefik_dynamic.yaml - Traefik routing configuration
+
+Restoration:
+See: /home/olaf/pangolin/RESTORE-GUIDE.md
+EOF
+
+# Set permissions
+chmod 600 "$BACKUP_DIR"/*.env 2>/dev/null || true
+chmod -R 700 "$BACKUP_DIR"
+
+echo ""
+echo "=========================================="
+echo "Backup Complete!"
+echo "=========================================="
+echo "Location: $BACKUP_DIR"
+echo "Size: $(du -sh $BACKUP_DIR | cut -f1)"
+echo ""
+echo "⚠️  This backup contains secrets (.env files)"
+echo "   Store securely and encrypt if transmitted"
+echo ""
+echo "To restore: See /home/olaf/pangolin/RESTORE-GUIDE.md"

scripts/monitor-sso-health.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# SSO Infrastructure Health Monitor
+# Created by Ralph Loop Iteration 11
+
+echo "=========================================="
+echo "SSO Infrastructure Health Check"
+echo "Time: $(date -Iseconds)"
+echo "=========================================="
+echo ""
+
+# Check Authentik
+echo "📊 Authentik Status (sso.obr.sh):"
+cd /srv/docker/authentik
+sudo docker compose ps --format "  {{.Name}}: {{.Status}}" 2>/dev/null
+AUTHENTIK_HTTP=$(curl -s -o /dev/null -w "%{http_code}" -m 3 -k https://sso.obr.sh 2>/dev/null || echo "FAIL")
+echo "  HTTP Status: $AUTHENTIK_HTTP"
+echo ""
+
+# Check Pangolin
+echo "🦎 Pangolin Status (tunnel.obr.sh):"
+cd /srv/docker/pangolin
+sudo docker compose ps --format "  {{.Name}}: {{.Status}}" 2>/dev/null
+PANGOLIN_HTTP=$(curl -s -o /dev/null -w "%{http_code}" -m 3 -k https://tunnel.obr.sh 2>/dev/null || echo "FAIL")
+echo "  HTTP Status: $PANGOLIN_HTTP"
+PANGOLIN_TOKEN=$(sudo docker compose logs pangolin 2>/dev/null | grep "Token:" | tail -1 | awk '{print $2}')
+if [ -n "$PANGOLIN_TOKEN" ]; then
+    echo "  Setup Token: $PANGOLIN_TOKEN"
+fi
+echo ""
+
+# Check Guacamole
+echo "🖥️  Guacamole Status (remote.obr.sh):"
+cd /srv/docker/guacamole
+sudo docker compose ps --format "  {{.Name}}: {{.Status}}" 2>/dev/null
+GUAC_HTTP=$(curl -s -o /dev/null -w "%{http_code}" -m 3 -k https://remote.obr.sh/guacamole/ 2>/dev/null || echo "FAIL")
+echo "  HTTP Status: $GUAC_HTTP"
+echo ""
+
+# Check Network
+echo "🌐 Network Status:"
+echo "  LAN (br0): $(ip addr show br0 2>/dev/null | grep 'inet ' | awk '{print $2}' || echo 'ERROR')"
+echo "  WAN (enp131s0): $(ip addr show enp131s0 2>/dev/null | grep 'inet ' | head -1 | awk '{print $2}' || echo 'ERROR')"
+NAT_RULE=$(sudo nft list table ip nat 2>/dev/null | grep "10.50.0.0/24 masquerade" && echo "✅ ACTIVE" || echo "❌ MISSING")
+echo "  NAT Masquerade (10.50.0.0/24): $NAT_RULE"
+INTERNET=$(ping -c 1 -W 1 8.8.8.8 >/dev/null 2>&1 && echo "✅ WORKING" || echo "❌ FAILED")
+echo "  Internet Access: $INTERNET"
+echo ""
+
+# Overall Status
+echo "=========================================="
+if [[ "$AUTHENTIK_HTTP" == "302" || "$AUTHENTIK_HTTP" == "200" ]] && \
+   [[ "$PANGOLIN_HTTP" == "200" ]] && \
+   [[ "$GUAC_HTTP" == "200" ]] && \
+   [[ "$INTERNET" == "✅ WORKING" ]]; then
+    echo "✅ ALL SYSTEMS OPERATIONAL"
+else
+    echo "⚠️  SOME ISSUES DETECTED - Review above"
+fi
+echo "=========================================="