Migration: consolidate Echo6 docs to cortex with full infrastructure cleanup sync

- Documents recent infrastructure cleanup (8 CTs destroyed, 35 DNS records removed, Headscale cleanup)
- Adds 24 new runbooks covering Authentik, PeerTube, Meshtastic, RECON, Proxmox, Mailcow, Internet Archive, GPU routing
- Adds project documentation for headscale, vaultwarden, peertube, matrix, mmud, advbbs, arr stack
- Updates services.md, environment.md, caddy.md, authentik.md to match live infrastructure
- Removes 4 deprecated runbook duplicates (canonical versions live in projects/)
- Adds .gitignore for binary archives and editor temp files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/hardware/environment.md

@@ -4,17 +4,32 @@
 
 Five nodes running Proxmox VE:
 
-| Node | Local IP | Tailscale | Hardware | Purpose |
-|------|----------|-----------|----------|---------|
-| data | 192.168.1.240 | 100.64.0.6 | Mini PC | Database services |
-| utility | 192.168.1.241 | 100.64.0.5 | Mini PC | Utility services, monitoring |
-| cloud | 192.168.1.242 | 100.64.0.4 | Mini PC | Cloud storage, personal services |
-| media | 192.168.1.243 | 100.64.0.3 | Mini PC | Media server, *arr stack |
-| toc | 192.168.1.244 | 100.64.0.13 | Workstation | GPU compute, AI/ML workloads |
+| Node | Local IP | Tailscale | Hardware | RAM | Purpose |
+|------|----------|-----------|----------|-----|---------|
+| data | 192.168.1.240 | 100.64.0.6 | AMD Ryzen 7 PRO 5750GE, 1TB NVMe + 1TB SATA SSD | 32GB DDR4-3200 | Database services |
+| utility | 192.168.1.241 | 100.64.0.5 | AMD Ryzen 7 PRO 5750GE, 512GB NVMe | 32GB DDR4-3200 | Utility services, monitoring |
+| cloud | 192.168.1.242 | 100.64.0.4 | Intel i7-12700T, 512GB NVMe | 32GB DDR4-3200 | Cloud storage, personal services |
+| media | 192.168.1.243 | 100.64.0.3 | Intel i7-14700T, 2x 512GB NVMe | 32GB DDR5-5600 | Media server, *arr stack |
+| toc | 192.168.1.244 | 100.64.0.13 | Workstation (i9-10900X) | 64GB DDR4 | GPU compute, AI/ML workloads |
+
+### Node Storage Details
+
+| Node | Primary Disk | Secondary Disk |
+|------|-------------|----------------|
+| data | Samsung SSD 980 1TB (NVMe) | SanDisk SDSSDH3 1TB (SATA SSD) |
+| utility | WD PC SN740 512GB (NVMe) | — |
+| cloud | SK Hynix HFS512GEJ9X164N 512GB (NVMe) | — |
+| media | 2x Intel SSDPEKNU512GZH 512GB (NVMe) | — |
+| toc | 512GB NVMe | — |
+
+### Network Notes
+
+- **media NIC:** Original Intel e1000e NIC crashes under sustained NFS load — replaced with USB Realtek RTL8153 GbE adapter on vmbr0
+- **Tailscale DNS bootstrap:** All LXC containers with Tailscale have a systemd drop-in (`/etc/systemd/system/tailscaled.service.d/dns-bootstrap.conf`) that ensures fallback DNS exists before tailscaled starts, preventing chicken-and-egg DNS resolution failures on reboot
 
 ### TOC Node Details
 
-- **Hardware:** Intel i9-10900X (20 threads), 48GB RAM, 512GB NVMe, RTX A4000
+- **Hardware:** Intel i9-10900X (20 threads), 64GB RAM (4×8GB + 2×16GB DDR4), 512GB NVMe, RTX A4000
 - **GPU:** Passed through via VFIO to VM 150 (cortex), not used on host
 - **VMID ranges:** 100-149 (LXC), 150-199 (VMs)
 - **Presave backup:** `/home/zvx/toc-presave/` on Contabo (1.8G) — contains old Ubuntu config
@@ -23,7 +38,8 @@ Five nodes running Proxmox VE:
 
 | VM | Host | VMID | Local IP | Tailscale | Purpose |
 |----|------|------|----------|-----------|---------|
-| cortex | toc | 150 | 192.168.1.150 | 100.64.0.14 | GPU compute — LLMs, ARGUS, Aurora, model training |
+| cortex | toc | 150 | 192.168.1.150 | 100.64.0.14 | GPU compute — Open WebUI, Ollama, Qdrant, TEI, Claude Code |
+| arr | media | 105 | 192.168.1.160 | 100.64.0.18 | ARR media automation stack (Jellyfin, Sonarr, Radarr, etc.) |
 
 ### cortex VM Details
 
@@ -31,24 +47,48 @@ Five nodes running Proxmox VE:
 - **Resources:** 16 threads, 32GB RAM, 300GB disk
 - **GPU:** RTX A4000 (passthrough), NVIDIA driver 580.126.09, CUDA 13.0
 - **Software:** Docker 29.2.1 + nvidia-container-toolkit 1.18.2, Node.js 22.22.0, Python 3.12.3
+- **Docker containers:** open-webui (8080), ollama (11434 w/ GPU), qdrant (6333), tei (8090)
 - **User:** zvx (sudo, SSH keys from cluster)
-- **Claude Code:** v2.1.34 installed
+- **Claude Code:** installed
+
+### arr VM Details
+
+- **OS:** Ubuntu 24.04 (cloud-init)
+- **Resources:** 4 cores, 8GB RAM, 30GB disk on local-lvm
+- **Software:** Docker 29.2.1, Tailscale, NFS client, sshpass, qemu-guest-agent
+- **User:** zvx (sudo, SSH key from cortex)
+- **NFS:** pi-nas:/export/arr → /mnt/arr (22TB, movies/tv/downloads)
+- **Docker containers:** jellyfin (8096), jellyseer (5055), sonarr (8989), radarr (7878), prowlarr (9696), sabnzbd (8080), lidarr (8686/6595), navidrome (4533)
+- **Docker network:** arr-net (bridge)
+- **Config dirs:** /opt/arr/{jellyfin,jellyseer,sonarr,radarr,prowlarr,sabnzbd,lidarr}
 
 ## Key Servers
 
 | Server | Local IP | Tailscale | Purpose |
 |--------|----------|-----------|---------|
-| aida-nebra | 192.168.1.253 | 100.64.0.9 | Meshtastic node (meshtasticd on Pi) |
-| matt-desktop | — | 100.64.0.10 | Personal workstation |
-| Contabo Server | 5.189.158.149 | 100.64.0.1 | External VPS: Mail, Authentik, Headscale, Forge |
+| aida-nebra | 192.168.1.253 | 100.64.0.9 | AIDA-N2(RPT,LLM) — meshtasticd node !27780c47, Nebra 2W hat, port 4403. MeshAI (CT 108) connects here via TCP |
+| mt-isr | 192.168.1.141 | 100.100.0.5 (IdahoMesh) | Meshtastic sidecar Pi (G2 WiFi bridge, meshtasticd, CLI) |
+| mt-burleybutte | 192.168.1.185 | — | Meshtastic node (meshtasticd, Nebra 2W hat, IdahoMesh VPN) |
+| pi-nas | 192.168.1.245 | 100.64.0.21 | Raspberry Pi NAS |
+| matt-desktop | 192.168.1.111 | 100.64.0.10 | Personal workstation (Windows, your PC) |
+| Contabo Server | 5.189.158.149 | 100.64.0.1 | External VPS: Mail, Authentik, Headscale, Forge, Matrix |
 
 ## LXC Containers
 
 | Container | Host | Local IP | Tailscale | Purpose |
 |-----------|------|----------|-----------|---------|
-| meshmonitor | utility (CT 100) | 192.168.1.100 | 100.64.0.7 | Meshtastic mesh monitoring |
+| meshmonitor | utility (CT 100) | 192.168.1.100 | 100.64.0.7 | Meshtastic mesh monitoring (zvx-echo6/meshmonitor fork, multi-channel) |
 | caddy | utility (CT 101) | 192.168.1.101 | 100.64.0.8 | Home reverse proxy |
-| searxng | utility (CT 102) | 192.168.1.102 | 100.64.0.15 | SearXNG metasearch engine |
+| searxng | utility (CT 102) | 192.168.1.102 | 100.64.0.15 | Echo6 Search homepage (SearXNG, echo6.co) |
+| advbbs | utility (CT 103) | 192.168.1.103 | 100.64.0.31 | Meshtastic sim node (ADVBBS) |
+| immich | cloud (CT 120) | 192.168.1.182 | 100.64.0.2 | Immich photo management |
+| nextcloud | cloud (CT 121) | 192.168.1.183 | 100.64.0.11 | Nextcloud AIO |
+| meshtastic-hs | utility (CT 106) | 192.168.1.106 | — | IdahoMesh Headscale VPN coordination |
+| mesh-bridge | utility (CT 107) | 192.168.1.107 | 100.64.0.22 | Dual-tailscaled bridge (echo6 ↔ idahomesh) |
+| meshai | utility (CT 108) | 192.168.1.144 | 100.64.0.32 | MeshAI - LLM-powered Meshtastic assistant |
+| archivist | utility (CT 118) | 192.168.1.118 | — | Archivist knowledge pipeline |
+| peertube | media (CT 110) | 192.168.1.170 | 100.64.0.23 | PeerTube video streaming |
+| recon | data (CT 130) | 192.168.1.130 | 100.64.0.24 | RECON knowledge extraction pipeline |
 
 ## IP Allocation Scheme
 
@@ -65,11 +105,12 @@ Full details: `/home/zvx/projects/utility/ip-allocation.md`
 
 ## Headscale Node List
 
-Current registered nodes (12 total):
+Current registered nodes (25 total):
 
 | Node | Tailscale IP | Type |
 |------|-------------|------|
 | contabo | 100.64.0.1 | VPS |
+| immich | 100.64.0.2 | LXC |
 | media | 100.64.0.3 | Proxmox |
 | cloud | 100.64.0.4 | Proxmox |
 | utility | 100.64.0.5 | Proxmox |
@@ -78,17 +119,42 @@ Current registered nodes (12 total):
 | caddy | 100.64.0.8 | LXC |
 | aida-nebra | 100.64.0.9 | Pi |
 | matt-desktop | 100.64.0.10 | Desktop |
+| nextcloud | 100.64.0.11 | LXC |
 | toc | 100.64.0.13 | Proxmox |
 | cortex | 100.64.0.14 | VM |
 | searxng | 100.64.0.15 | LXC |
+| iphone-eud | 100.64.0.16 | Mobile |
+| arr | 100.64.0.18 | VM |
+| pi-nas | 100.64.0.21 | Pi |
+| mesh-bridge | 100.64.0.22 | LXC |
+| peertube | 100.64.0.23 | LXC |
+| recon | 100.64.0.24 | LXC |
+| meshmonitor-dev | 100.64.0.27 | LXC |
+| gl-a1300 | 100.64.0.29 | Router |
+| bluefin | 100.64.0.30 | Desktop |
+| advbbs | 100.64.0.31 | LXC |
+| meshai | 100.64.0.32 | LXC |
+
+## IdahoMesh Headscale Node List
+
+Separate Headscale instance on CT 106 (192.168.1.106), prefix 100.100.0.0/16.
+Reachable from echo6 tailnet via mesh-bridge (CT 107).
+
+| Node | Tailscale IP | User | Type |
+|------|-------------|------|------|
+| mesh-bridge | 100.100.0.3 | malice | LXC (bridge) |
+| burley-butte | 100.100.0.1 | nebra | Pi (offline) |
+| mt-isr | 100.100.0.5 | nebra | Pi Zero 2 W |
 
 ## SSH Access
 
 **Standard user:** `zvx`
 **Credentials:** Source from `/home/zvx/projects/.ref/credentials`
 
+Most servers use SSH key auth. Exceptions noted below.
+
 ```bash
-# SSH to any server
+# SSH to any server (key auth)
 ssh zvx@<ip-address>
 
 # Examples
@@ -99,6 +165,22 @@ ssh root@100.64.0.1    # Contabo (via Tailscale)
 ssh zvx@cortex         # cortex via Tailscale hostname
 ```
 
+### Password-auth hosts
+
+These require password authentication (no SSH keys installed):
+
+| Host | User | Password | Access |
+|------|------|----------|--------|
+| aida-nebra | zvx | 7redditGold | `sshpass -p '7redditGold' ssh zvx@aida-nebra` |
+| mt-isr | isr | UfPsfwyMIUIKb1 | `sshpass -p 'UfPsfwyMIUIKb1' ssh isr@192.168.1.141` |
+| mt-burleybutte | bb | (see credentials) | `sshpass -p '<pw>' ssh bb@192.168.1.185` |
+| matt-desktop | administrator | Qw1290opzx | `ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no administrator@192.168.1.111` |
+| toc | root | 7redditGold | `sshpass -p '7redditGold' ssh -o PubkeyAuthentication=no root@100.64.0.13` |
+
+Use the Tailscale hostname (`aida-nebra`) or local IP (`192.168.1.253`) — both work for aida-nebra.
+mt-isr is on IdahoMesh tailnet (100.100.0.5) — reachable from echo6 via bridge.
+matt-desktop is accessible via local IP (192.168.1.111) or Tailscale (100.64.0.10) — requires explicit password auth flags.
+
 ## Key External IPs
 
 | Purpose | IP |