[release] Bump to 0.179.48 — 0mcp migration, uptime-kuma provisioning, status bare-root fix (#19)

* [domain] Migrate platform domain from 0mpc.com to 0mcp.com

0mcp.com (Model Context Protocol) is the live registered domain with
Hetzner Robot NS already propagated. 0mpc.com had stuck NS propagation
at expirationwarning.net; 0mcp.com is fully functional.

Changes:
- .local/identity.yml: platform_domain, hetzner_dns_zone_name, cert overrides
- Generated configs: dns-declarations.yaml, nginx-upstreams, sso-clients, platform_tls_certs.yml
- Templates, RELEASE.md, changelog, platform-manifest.json, workstreams

Keycloak realm stays named '0mpc' (live Keycloak config, requires
separate migration step via Ansible converge).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(uptime-kuma): add uptime_kuma_provision role and fix status-page bare-root proxy

Add the lv3.platform.uptime_kuma_provision role (monitors + public status
page) wired into playbooks/uptime-kuma.yml behind a new
provision-uptime-kuma Make target.

Fix the bare-root https://status.<domain>/ 404: the edge proxy's
root_proxy_path was a stale literal (/status/lv3-platform). Derive it the
same way the role derives uptime_kuma_provision_status_slug
("<domain-first-label>-platform") so it tracks platform_domain instead of
drifting. Updated in host_vars source of truth and the regenerated
platform.yml + subdomain-exposure-registry.json.

Regenerated platform.yml also reflects the 0mcp.com domain migration and the
current mail DNS source state; generate_platform_vars.py now computes
mail_platform_dkim_dns_value so DKIM/DNS records resolve at generation time.

* [release] Bump to 0.179.48 — complete 0mcp migration, uptime-kuma provisioning, status bare-root fix

Release artifacts for the 0mpc.com -> 0mcp.com migration completion, the new
lv3.platform.uptime_kuma_provision role, and the status-page bare-root proxy
fix. Regenerated release notes, platform manifest, and ADR index.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: baditaflorin

Makefile

@@ -166,8 +166,8 @@ ANSIBLE_TRACE_ARGS := -e platform_trace_id=$(PLATFORM_TRACE_ID) $(if $(PLATFORM_
 .PHONY: backup-coverage-ledger dr-runbook runbook-executor post-merge-gate integration-tests nightly-integration-tests scheduler-watchdog-loop intent-queue-dispatcher platform-observation-loop fault-injection triage-alert triage-calibration search-index-rebuild scan-published-artifacts setup preflight syntax-check syntax-check-monitoring syntax-check-ntfy syntax-check-ntopng syntax-check-falco syntax-check-api-gateway syntax-check-ops-portal syntax-check-dify syntax-check-gitea syntax-check-browser-runner syntax-check-guest-network-policy syntax-check-docker-runtime syntax-check-backup-vm syntax-check-artifact-cache-vm syntax-check-control-plane-recovery syntax-check-uptime-kuma syntax-check-mail-platform syntax-check-mailpit syntax-check-livekit syntax-check-paperless syntax-check-redpanda syntax-check-openbao syntax-check-openfga syntax-check-step-ca syntax-check-temporal syntax-check-headscale syntax-check-semaphore syntax-check-woodpecker syntax-check-windmill syntax-check-restic-config-backup syntax-check-keycloak syntax-check-langfuse syntax-check-glitchtip syntax-check-minio syntax-check-netbox syntax-check-searxng syntax-check-typesense syntax-check-flagsmith syntax-check-crawl4ai
 .PHONY: syntax-check-ollama syntax-check-piper syntax-check-n8n syntax-check-mattermost syntax-check-portainer syntax-check-vaultwarden syntax-check-rag-context syntax-check-secret-rotation syntax-check-dozzle syntax-check-excalidraw collection-sync collection-build collection-publish collection-install check-platform-drift drift-report subdomain-exposure-audit list-services diff-services list-service-deployments security-posture-report security-headers-audit public-surface-security-scan open-maintenance-window close-maintenance-window ensure-resource-lock-registry resource-locks resource-lock-acquire resource-lock-release resource-lock-heartbeat operator-onboard operator-offboard sync-operators quarterly-access-review install-proxmox configure-network configure-staging-bridge configure-ingress configure-edge-publication configure-tailscale configure-host-control-loops provision-guests
 .PHONY: harden-access harden-guest-access harden-security provision-api-access converge-all-services converge-site-parallel converge-guest-network-policy converge-monitoring converge-ntfy converge-ntopng converge-falco converge-identity-core-watchdog converge-api-gateway converge-ops-portal converge-repo-intake converge-dify converge-gitea converge-browser-runner converge-docker-runtime converge-postgres-vm converge-mail-platform converge-mailpit converge-livekit converge-neko converge-paperless converge-redpanda converge-openbao converge-openfga converge-step-ca converge-temporal converge-headscale converge-semaphore converge-woodpecker converge-windmill converge-restic-config-backup converge-control-plane-recovery converge-keycloak converge-langfuse converge-glitchtip converge-minio converge-netbox converge-searxng converge-typesense converge-crawl4ai converge-ollama converge-piper converge-label-studio converge-n8n converge-mattermost converge-portainer converge-vaultwarden converge-rag-context converge-dozzle converge-excalidraw converge-flagsmith rotate-secret token-inventory-audit token-exposure-response rotate-keycloak-client-secret
-.PHONY: rotate-windmill-token rotate-grafana-service-token rotate-platform-cli-token deploy-uptime-kuma uptime-kuma-manage uptime-robot-manage portainer-manage semaphore-manage woodpecker-manage configure-backups configure-backup-vm configure-artifact-cache-vm database-dns route-dns-assertion-ledger provision-subdomain start-workstream capacity-report weekly-capacity-report disk-space-monitor k6-smoke k6-load k6-soak immutable-guest-replacement-plan synthetic-transaction-replay check-nats-streams apply-nats-streams promote live-apply-group live-apply-service live-apply-site live-apply-waves live-apply-train-status live-apply-train-queue live-apply-train-plan live-apply-train-bundle live-apply-train-run live-apply-train-rollback build-check-runners push-check-runners run-checks warm-cache cache-status fixture-up fixture-down fixture-list fixture-pool-status restic-config-backup restic-config-restore-verify
-.PHONY: rotate-windmill-token rotate-grafana-service-token rotate-platform-cli-token deploy-uptime-kuma uptime-kuma-manage uptime-robot-manage portainer-manage semaphore-manage woodpecker-manage configure-backups configure-backup-vm configure-artifact-cache-vm database-dns route-dns-assertion-ledger provision-subdomain start-workstream capacity-report weekly-capacity-report disk-space-monitor k6-smoke k6-load k6-soak immutable-guest-replacement-plan synthetic-transaction-replay check-nats-streams apply-nats-streams promote live-apply-group live-apply-service live-apply-site live-apply-waves live-apply-train-status live-apply-train-queue live-apply-train-plan live-apply-train-bundle live-apply-train-run live-apply-train-rollback build-check-runners push-check-runners run-checks warm-cache cache-status fixture-up fixture-down fixture-list fixture-pool-status restic-config-backup restic-config-restore-verify
+.PHONY: rotate-windmill-token rotate-grafana-service-token rotate-platform-cli-token deploy-uptime-kuma provision-uptime-kuma uptime-kuma-manage uptime-robot-manage portainer-manage semaphore-manage woodpecker-manage configure-backups configure-backup-vm configure-artifact-cache-vm database-dns route-dns-assertion-ledger provision-subdomain start-workstream capacity-report weekly-capacity-report disk-space-monitor k6-smoke k6-load k6-soak immutable-guest-replacement-plan synthetic-transaction-replay check-nats-streams apply-nats-streams promote live-apply-group live-apply-service live-apply-site live-apply-waves live-apply-train-status live-apply-train-queue live-apply-train-plan live-apply-train-bundle live-apply-train-run live-apply-train-rollback build-check-runners push-check-runners run-checks warm-cache cache-status fixture-up fixture-down fixture-list fixture-pool-status restic-config-backup restic-config-restore-verify
+.PHONY: rotate-windmill-token rotate-grafana-service-token rotate-platform-cli-token deploy-uptime-kuma provision-uptime-kuma uptime-kuma-manage uptime-robot-manage portainer-manage semaphore-manage woodpecker-manage configure-backups configure-backup-vm configure-artifact-cache-vm database-dns route-dns-assertion-ledger provision-subdomain start-workstream capacity-report weekly-capacity-report disk-space-monitor k6-smoke k6-load k6-soak immutable-guest-replacement-plan synthetic-transaction-replay check-nats-streams apply-nats-streams promote live-apply-group live-apply-service live-apply-site live-apply-waves live-apply-train-status live-apply-train-queue live-apply-train-plan live-apply-train-bundle live-apply-train-run live-apply-train-rollback build-check-runners push-check-runners run-checks warm-cache cache-status fixture-up fixture-down fixture-list fixture-pool-status restic-config-backup restic-config-restore-verify
 .PHONY: validate-certificates fixture-pool-reconcile fixture-reaper install-cli update-cli validate-packer remote-packer-validate packer-template-rebuild remote-tofu-plan remote-tofu-apply tofu-drift tofu-import syntax-check-matrix-synapse converge-matrix-synapse syntax-check-nomad converge-nomad remote-lint remote-validate remote-pre-push remote-packer-build remote-image-build remote-exec check-build-server apply-gate-tools syntax-check-changedetection converge-changedetection syntax-check-gotenberg converge-gotenberg
 .PHONY: syntax-check-tika converge-tika syntax-check-directus converge-directus syntax-check-label-studio converge-label-studio syntax-check-superset converge-superset syntax-check-sftpgo converge-sftpgo syntax-check-neko
 .PHONY: syntax-check-tesseract-ocr converge-tesseract-ocr
@@ -1733,6 +1733,10 @@ deploy-uptime-kuma:
 	HETZNER_DNS_API_TOKEN=$${HETZNER_DNS_API_TOKEN:?set HETZNER_DNS_API_TOKEN} \
 	ANSIBLE_HOST_KEY_CHECKING=False $(ANSIBLE_ENV) $(ANSIBLE_SCOPED_RUN) --playbook $(REPO_ROOT)/playbooks/uptime-kuma.yml --env $(env) -- --private-key $(BOOTSTRAP_KEY) -e proxmox_guest_ssh_connection_mode=proxmox_host_jump
 
+provision-uptime-kuma:
+	$(MAKE) preflight WORKFLOW=provision-uptime-kuma
+	ANSIBLE_HOST_KEY_CHECKING=False $(ANSIBLE_ENV) $(ANSIBLE_SCOPED_RUN) --playbook $(REPO_ROOT)/playbooks/uptime-kuma.yml --env $(env) --tags service-uptime-kuma-provision -- --private-key $(BOOTSTRAP_KEY) -e proxmox_guest_ssh_connection_mode=proxmox_host_jump
+
 uptime-kuma-manage:
 	$(MAKE) preflight WORKFLOW=uptime-kuma-manage
 	@test -n "$(ACTION)" || (echo "set ACTION=<bootstrap|ensure-monitors|ensure-status-page|list-monitors|list-maintenances>"; exit 1)

RELEASE.md

@@ -1,9 +1,12 @@
-# Release 0.179.47
+# Release 0.179.48
 
-- Date: 2026-05-21
+- Date: 2026-05-31
 
 ## Summary
-- Deploy Woodpecker CI (ci.0mpc.com): fix OpenBao remote address for docker-runtime, add port 3003 Proxmox firewall rule for docker-runtime → runtime-control, bootstrap Gitea OAuth and seed repository
+- Complete the 0mpc.com → 0mcp.com operator-apex migration: regenerate platform.yml and discovery artifacts against the renamed domain, update the sanitization BLOCKED list, and refresh the subdomain exposure registry
+- Add the `lv3.platform.uptime_kuma_provision` role (monitors + public status page) with a `provision-uptime-kuma` Make target and playbook wiring
+- Fix the bare-root `https://status.<domain>/` 404 by deriving the edge `root_proxy_path` status slug from `platform_domain` instead of a stale literal
+- Deploy Woodpecker CI (ci.0mcp.com): fix OpenBao remote address for docker-runtime, add port 3003 Proxmox firewall rule for docker-runtime → runtime-control, bootstrap Gitea OAuth and seed repository
 
 ## Platform Impact
 - no live platform version bump; this release updates repository automation, release metadata, and operator tooling only

VERSION

@@ -1 +1 @@
-0.179.47
+0.179.48

build/platform-manifest.json

@@ -1,14 +1,14 @@
 {
   "$schema": "docs/schema/platform-manifest.schema.json",
   "manifest_version": "1.0.0",
-  "repo_version": "0.179.47",
-  "platform_version": "0.179.46",
-  "generated_at": "2026-05-21T18:52:52Z",
-  "next_refresh_at": "2026-05-21T19:52:52Z",
+  "repo_version": "0.179.48",
+  "platform_version": "0.179.47",
+  "generated_at": "2026-05-31T11:46:00Z",
+  "next_refresh_at": "2026-05-31T12:46:00Z",
   "environment": "production",
   "identity": {
-    "platform_name": "0mpc.com",
-    "operator": "0mpc Operator",
+    "platform_name": "0mcp.com",
+    "operator": "0mcp Operator",
     "description": "Single-node Proxmox homelab with repository-managed agentic operations automation.",
     "host_id": "proxmox-host",
     "provider": "hetzner-dedicated"
@@ -6358,10 +6358,10 @@
     ]
   },
   "recent_changes": {
-    "last_version": "0.179.46",
-    "deployed_at": "2026-05-21",
-    "summary": "Deploy Woodpecker CI (ci.0mpc.com): fix OpenBao remote address for docker-runtime, add port 3003 Proxmox firewall rule for docker-runtime \u2192 runtime-control, bootstrap Gitea OAuth and seed repository",
-    "release_notes_url": "docs/release-notes/0.179.47.md"
+    "last_version": "0.179.47",
+    "deployed_at": "2026-05-31",
+    "summary": "Complete the 0mpc.com \u2192 0mcp.com operator-apex migration: regenerate platform.yml and discovery artifacts against the renamed domain, update the sanitization BLOCKED list, and refresh the subdomain exposure registry Add the `lv3.platform.uptime_kuma_provision` role (monitors + public status page) with a `provision-uptime-kuma` Make target and playbook wiring",
+    "release_notes_url": "docs/release-notes/0.179.48.md"
   },
   "agentic_architecture": {
     "overview": "Intent-driven repository automation with validation, approval, release metadata, and runtime convergence routed through governed workflows.",
@@ -6373,17 +6373,17 @@
       },
       {
         "component": "Ops portal",
-        "endpoint": "https://ops.0mpc.com",
+        "endpoint": "https://ops.0mcp.com",
         "adr": "0093"
       },
       {
         "component": "Windmill workflows",
-        "endpoint": "https://windmill.0mpc.com",
+        "endpoint": "https://windmill.0mcp.com",
         "adr": "0044"
       },
       {
         "component": "API gateway",
-        "endpoint": "https://api.0mpc.com",
+        "endpoint": "https://api.0mcp.com",
         "adr": "0092"
       }
     ],

changelog.md

@@ -12,14 +12,18 @@ Versioned release notes live under [docs/release-notes/README.md](docs/release-n
 
 ## Unreleased
 
-- Deploy Woodpecker CI (ci.0mpc.com): fix OpenBao remote address for docker-runtime, add port 3003 Proxmox firewall rule for docker-runtime → runtime-control, bootstrap Gitea OAuth and seed repository
+- Complete the 0mpc.com → 0mcp.com operator-apex migration: regenerate platform.yml and discovery artifacts against the renamed domain, update the sanitization BLOCKED list, and refresh the subdomain exposure registry
+- Add the `lv3.platform.uptime_kuma_provision` role (monitors + public status page) with a `provision-uptime-kuma` Make target and playbook wiring
+- Fix the bare-root `https://status.<domain>/` 404 by deriving the edge `root_proxy_path` status slug from `platform_domain` instead of a stale literal
+- Deploy Woodpecker CI (ci.0mcp.com): fix OpenBao remote address for docker-runtime, add port 3003 Proxmox firewall rule for docker-runtime → runtime-control, bootstrap Gitea OAuth and seed repository
 
 ## Latest Release
 
-- [0.179.47 release notes](docs/release-notes/0.179.47.md)
+- [0.179.48 release notes](docs/release-notes/0.179.48.md)
 
 ## Previous Releases
 
+- [0.179.47 release notes](docs/release-notes/0.179.47.md)
 - [0.179.46 release notes](docs/release-notes/0.179.46.md)
 - [0.179.45 release notes](docs/release-notes/0.179.45.md)
 - [0.179.44 release notes](docs/release-notes/0.179.44.md)
@@ -31,7 +35,6 @@ Versioned release notes live under [docs/release-notes/README.md](docs/release-n
 - [0.179.38 release notes](docs/release-notes/0.179.38.md)
 - [0.179.37 release notes](docs/release-notes/0.179.37.md)
 - [0.179.36 release notes](docs/release-notes/0.179.36.md)
-- [0.179.35 release notes](docs/release-notes/0.179.35.md)
 - [0.179.31 release notes](docs/release-notes/0.179.31.md)
 - [0.179.30 release notes](docs/release-notes/0.179.30.md)
 - [0.179.29 release notes](docs/release-notes/0.179.29.md)
@@ -40,4 +43,4 @@ Versioned release notes live under [docs/release-notes/README.md](docs/release-n
 ## Release Archives
 
 - [Release note archives](docs/release-notes/index/README.md)
-- [2026 (558 releases)](docs/release-notes/index/2026.md)
+- [2026 (559 releases)](docs/release-notes/index/2026.md)

collections/ansible_collections/lv3/platform/roles/uptime_kuma_provision/README.md

@@ -0,0 +1,60 @@
+# uptime_kuma_provision
+
+Generic, registry-driven provisioning of Uptime Kuma **monitors** and the
+public **status page**. This role configures a *running* Uptime Kuma instance;
+the container itself is deployed by `uptime_kuma_runtime`.
+
+## Why this exists
+
+Deploying the Uptime Kuma container leaves it empty — no monitors, no status
+page, no admin account. The previous workflow required a manual
+`make uptime-kuma-manage ACTION=…` ritual run from the controller, which only
+works if the operator's machine can reach the instance (the public edge is
+behind oauth2-proxy/SSO, which blocks the socket.io API).
+
+This role makes provisioning a first-class, idempotent part of the converge.
+
+## How it is generic
+
+Nothing about the deployment is hardcoded:
+
+| Concern            | Source |
+|--------------------|--------|
+| API base URL       | `http://127.0.0.1:{{ internal_port }}` — port from `platform_service_registry`. The agent runs **on the VM**, so no IP and no SSH tunnel are needed. |
+| Which services     | Every service in `config/health-probe-catalog.json` with `uptime_kuma.enabled == true` becomes a monitor. Add a service to the catalog → it appears automatically. |
+| Monitor URLs       | The catalog's `example.com` / `lv3` placeholders are substituted with `platform_domain` and the Keycloak realm at runtime. |
+| Status page        | Auto-built: a single "Platform Services" group covering every monitor, titled and domained from `platform_domain` (`status.<domain>`). |
+
+## What it does (idempotent)
+
+1. Derives the internal port from the service registry.
+2. Installs a minimal venv (`requests`, `python-socketio`) on the VM.
+3. Copies a **self-contained** agent (`files/uptime_kuma_agent.py`) and the
+   health-probe catalog to the VM.
+4. Seeds the VM with any existing controller-side admin session so the stored
+   token is reused.
+5. Runs the agent's `provision` command: bootstrap the admin (first run only),
+   reconcile monitors, reconcile the status page.
+6. Fetches the admin session back to `.local/uptime-kuma/admin-session.json`.
+
+## Key variables
+
+See `defaults/main.yml`. Most are registry/identity-derived. The one you may
+need to override:
+
+- `uptime_kuma_provision_keycloak_realm` — defaults to `keycloak_realm_name`
+  (the domain's first label). If the **live** realm name differs (e.g. the
+  domain is `0mcp.com` but the realm is still named `0mpc`), override it:
+
+  ```
+  -e uptime_kuma_provision_keycloak_realm=0mpc
+  ```
+
+## Running it
+
+It runs automatically as the final play of `playbooks/uptime-kuma.yml`
+(`make deploy-uptime-kuma env=production`). To run only the provisioning step:
+
+```
+make provision-uptime-kuma env=production
+```