Triage — Headless conversion + monitoring validation

Date: Feb 11, 2026

Summary

Converted the Mini back to a server-class posture (headless boot) while confirming the Docker monitoring stack restarts cleanly and remains reachable over Tailscale-only bindings.

Goal: Remove GUI/LightDM noise and reduce “workstation drift” on the monitoring host.
Result: Headless default target set, LightDM inactive, all containers running normally.
Security posture: Grafana/Prometheus exposed only on the Tailscale interface (not localhost/LAN).

Evidence

Commands and observed output used during triage.

systemctl get-default
→ multi-user.target

systemctl is-active lightdm
→ inactive

docker ps --format "table {{.Names}}\t{{.Status}}"
→ prometheus / grafana / cadvisor / node_exporter / alertmanager / lab-nginx all Up

docker ps --format "table {{.Names}}\t{{.Ports}}"
→ grafana      Tailscale-IP:3000->3000/tcp
→ prometheus   Tailscale-IP:9095->9090/tcp
→ node_exporter Tailscale-IP:9100->9100/tcp
→ alertmanager Tailscale-IP:9093->9093/tcp
→ lab-nginx    127.0.0.1:8080->80/tcp

curl -I http://localhost:3000
→ failed (expected: grafana not bound to localhost)

curl -I http://Tailscale-IP:3000
→ HTTP/1.1 200 OK

curl -I http://Tailscale-IP:9095/-/healthy
→ HTTP/1.1 200 OK

Change implemented

Minimal-risk changes made after verifying Docker restart policies.

# verify (all services)
docker ps -q | xargs -I {} docker inspect --format '{{.Name}} -> {{.HostConfig.RestartPolicy.Name}}' {}
→ all unless-stopped

systemctl is-enabled docker
→ enabled

# change
sudo systemctl set-default multi-user.target
sudo systemctl disable --now lightdm

Notes / Follow-ups

Optional: enable VT-x in BIOS if virtualization (KVM) is needed later.
Optional: remove XFCE/LightDM packages after confirming no GUI dependency remains.
Document identity cleanup: unintended dashboard user and sudoers expectations.

← Back to Docs