From c391447a9f38e98914a4c39ed8fdf248d3a8b6bd Mon Sep 17 00:00:00 2001
From: s8n <admin@s8n.ru>
Date: Mon, 11 May 2026 17:28:43 +0100
Subject: [PATCH] doc 32: wipe jellyfin-dev container + config (200MB)

---
 .gitleaksignore                          |  9 +++
 docs/32-dev-container-wipe-2026-05-11.md | 96 ++++++++++++++++++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 .gitleaksignore
 create mode 100644 docs/32-dev-container-wipe-2026-05-11.md

diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..4ebae21
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1,9 @@
+# Gitleaks allowlist — false-positive fingerprints with justification.
+# Each entry: <relative-path>:<rule-id>:<line>
+# Justify why each entry is safe to ignore.
+
+# LAN IP (RFC1918) for nullstone in a Pi-hole local-DNS-pin description.
+# Same IP appears openly in docs/00-overview.md (Topology table), 21-*,
+# 22-*, etc. — internal LAN only, never routed publicly. Rule itself
+# is tagged low-confidence and explicitly suggests allowlisting docs.
+docs/32-dev-container-wipe-2026-05-11.md:lan-ip-rfc1918:71
diff --git a/docs/32-dev-container-wipe-2026-05-11.md b/docs/32-dev-container-wipe-2026-05-11.md
new file mode 100644
index 0000000..734fcbe
--- /dev/null
+++ b/docs/32-dev-container-wipe-2026-05-11.md
@@ -0,0 +1,96 @@
+# 32 — `jellyfin-dev` container wipe (2026-05-11)
+
+Cleanup of the idle `jellyfin-dev` instance on nullstone. This was the
+scratch container used for the scyfin theme experiment + the 10.11.8 dev
+upgrade documented in `docs/29-jellyfin-10.11-upgrade-and-scyfin-migration.md`.
+The experiment is concluded; prod is being upgraded by a parallel agent
+and `jellyfin-stock` (tv.s8n.ru) covers the stock build, so dev has no
+remaining role.
+
+## Pre-wipe state
+
+```
+$ docker ps -a --filter name=jellyfin-dev
+CONTAINER ID   IMAGE                       STATUS                  NAMES
+ecf97cddba6c   jellyfin/jellyfin:10.11.8   Up 14 hours (healthy)   jellyfin-dev
+
+$ ls -la /opt/docker/jellyfin-dev/
+-rw-r--r-- 1 user user 1898 docker-compose.yml
+-rw-r--r-- 1 user user 1799 docker-compose.yml.bak.1778243059
+drwxrwxr-x 3 user user 4096 web-overrides/
+
+$ ls -la /home/docker/jellyfin-dev/  (via privileged alpine, userns=host)
+drwxr-xr-x 5 1000 1000 cache/
+drwxr-xr-x 8 1000 1000 config/
+total: 200 MB
+
+$ grep -lr "jellyfin-dev\|dev.arrflix" /opt/docker/traefik/config/
+(no matches — routing was via docker-provider labels only)
+
+$ df -h /home
+/dev/mapper/keystone--vg-home  399G  284G   96G  75%
+```
+
+## Actions
+
+1. `docker stop jellyfin-dev && docker rm jellyfin-dev` — container removed.
+2. Privileged-alpine wipe of `/home/docker/jellyfin-dev/` (uid 1000 inside
+   userns-remap, owner `100000:100000` on host — host `user` can't `rm` it
+   directly, hence the `--userns=host` container):
+   ```
+   docker run --rm --userns=host -v /home/docker:/d alpine \
+     rm -rf /d/jellyfin-dev
+   ```
+3. `rm -rf /opt/docker/jellyfin-dev/` — compose file + web-overrides gone
+   (owned by `user`, plain rm sufficient).
+4. Traefik docker-provider router vanished with the container — no
+   file-provider yaml to clean up (verified via grep).
+
+## Post-wipe verification
+
+```
+$ docker ps -a --filter name=jellyfin-dev          # empty
+$ ls /opt/docker/jellyfin-dev                       # ENOENT
+$ ls /d/jellyfin-dev (in alpine)                    # ENOENT
+$ curl -sk -o /dev/null -w "%{http_code}\n" \
+    https://dev.arrflix.s8n.ru/                     # 404 (Traefik, no backend)
+$ ls /home/docker | grep jellyfin                   # jellyfin, jellyfin-stock only
+$ ls /opt/docker | grep jellyfin                    # jellyfin, jellyfin-stock only
+```
+
+Prod (`jellyfin` at `arrflix.s8n.ru`) and stock (`jellyfin-stock` at
+`tv.s8n.ru`) were both untouched and continue to serve traffic.
+
+## What was kept
+
+- `/home/user/snapshots/jellyfin-dev-pre-1011-upgrade-20260511-033309.tar.zst`
+  (143 MB) — pre-upgrade rollback point.
+- `/home/user/snapshots/jellyfin-dev-post-10107-20260511-033839.tar.zst`
+  (144 MB) — post-rollback snapshot from earlier today.
+  Both stay in place as historical artefacts.
+- Pi-hole local-DNS pin `dev.arrflix.s8n.ru -> 192.168.0.100` — harmless,
+  resolves to Traefik which now 404s. Left alone.
+- LE certificate for `dev.arrflix.s8n.ru` in `traefik/acme.json` — left
+  alone; reusable if dev is ever rebuilt.
+
+## Disk reclaimed
+
+```
+before: 96G avail
+after:  96G avail   (200 MB freed; below `df -h` rounding granularity
+                     on a 399 GB volume)
+```
+
+`du -sh /home/docker/jellyfin-dev` reported 200 MB pre-wipe, so the
+freed-space figure is exact even though `df -h` can't resolve it.
+
+## Rebuild path (if ever needed)
+
+1. Restore `/home/docker/jellyfin-dev/` from one of the snapshots in
+   `/home/user/snapshots/`.
+2. Recreate `/opt/docker/jellyfin-dev/docker-compose.yml` from
+   `docs/29-jellyfin-10.11-upgrade-and-scyfin-migration.md` (compose
+   block is inline in that doc).
+3. `docker compose up -d` — Traefik docker-provider re-attaches the
+   router automatically, LE cert is already in acme.json so no fresh
+   challenge needed.