Operations
Last updated
Day-2 operator reference. For day-1 install see installation.md.
Standard daily / weekly cadence
| When | Action |
|---|---|
| Daily | Review /jabali-admin/security → CrowdSec → Decisions. Spot any allowlist additions you need to make. |
| Daily | Review /jabali-admin/notifications (or the bell) for cert_renew failed, backup_failed, service_down. |
| Weekly | jabali update, pulls latest fixes; auto-applies migrations. |
| Weekly | Inspect /jabali-admin/server-status → trends. Spot disks filling up before quota alarms fire. |
| Monthly | Verify a restore round-trip from at least one backup destination. |
Common operator tasks
Lock out a panel user
jabali user disable <email|username>
(Domain stays up; user can’t log in to the panel UI.)
Force-reset a user’s password / 2FA
jabali user password <email> # generates new password, prints once
jabali user 2fa-reset <email> # strip TOTP + recovery codes (CLI escape hatch)
Recover access to an admin account
jabali user --link <admin-email> # emits a Kratos recovery URL
jabali user password <admin-email> # set a new password directly
jabali user 2fa-reset <admin-email> # strip TOTP + recovery codes
Useful when 2FA on an admin account is locked out or the install-time one-time URL was lost. --link requires auth.kratos.admin_url configured (default: local Kratos admin socket; installer wires it up). The historical jabali admin one-time-login command was removed by M20 when the panel moved to Kratos.
Rotate the DB root password
/jabali-admin/settings → Database → Root Password → Rotate.
Or CLI:
jabali admin db root-password rotate
Audited (success + failure), announced via M14.
Move a domain between users
Not a first-class operation in the UI. The supported path:
- Backup the old user’s
account_full. - Restore into the new user under a fresh domain name (or temp domain).
- Adjust DNS.
(Or: contact upstream, this is on the roadmap.)
Add a new IPv4 to the pool
- Bring the IP up on the host (
ip addr add <ip>/<prefix> dev <iface>). /jabali-admin/ips→ Add.- Assign per-domain via Domains → Edit → Listen IP.
Add a new PHP version
apt install php8.x-fpm php8.x-cli php8.x-mbstring …- The panel detects it on the next reconciler tick; appears in
/jabali-admin/php-pools. - Domains can pick it under Edit → PHP Version.
Common failures
| Symptom | First thing to check |
|---|---|
| Panel UI says “502 Bad Gateway” | systemctl status jabali-panel; journalctl -u jabali-panel -f |
| Cert never issues | jabali ssl list → see the row’s last error; journalctl -u jabali-agent -f while you toggle SSL again |
Dirty database version N on boot | A failed migration. jabali migrate up to retry; if it’s deterministic, file an issue with the journal output. |
nginx -t fails after a domain edit | Missing FastCGI cache keyzone (if you enabled cache before jabali update landed the keyzone conf). Run jabali update once. |
| Mail accounts work in IMAP but not SMTP submission | Bulwark may be down. systemctl status bulwark; check :587 listener. |
| User app suddenly can’t reach external API | Per-user egress firewall may have dropped the destination. Users → Edit → Egress. |
Repair
jabali repair --diagnose # default: report only
jabali repair --auto # safe auto-fixes (perms, drop-in regen, no destructive)
jabali repair --all --yes # destructive (wipes nginx tmp, regen pool sockets) — only when --diagnose tells you to
jabali repair covers 7 detectors (M33-era), grouped by destructiveness. ADR-0077.
Migration cleanup
After a successful cPanel / DA / Hestia restore: jabali domain orphan-prune --dry-run then --apply to clean any source-side orphans the importer missed.
Diag bundle
/jabali-admin/support → encrypted bundle, mailto: send. See support.md.