Add Project Completion Checklist rule, update kernel and kocka-novinky gotchas

PROJECT_INSTRUCTIONS.md

@@ -115,6 +115,17 @@ When Spendlik asks for a deployment guide or a multi-step process:
 - **Always read a Gitea file before writing it** — writes replace the entire file; partial overwrites cause data loss
 - `homelab-overview.md` is the live state of the homelab — keep it current after any structural change (new CT, removed CT, IP change)
 
+### Project Completion Checklist
+
+When a project is completed, always do **all** of the following:
+
+1. **`obsidian-vault/Tasks.md`** — move project tasks to "Recently Completed" with date and brief context
+2. **`obsidian-vault/02 Projects/<ProjectName>.md`** — if a dedicated project file exists, check if it needs to be updated or archived to `06 Archive/`
+3. **`Claude_Homelab/00_index.md`** — update Active Projects table, mark done or remove
+4. **`Claude_Homelab/<deploy_guide>.md`** — create or update the relevant deploy guide with what was actually done
+
+> Always check the `obsidian-vault/02 Projects/` directory for a project file when completing work. If one exists, update or archive it.
+
 ---
 
 ## Critical Technical Gotchas
@@ -126,13 +137,14 @@ These are environment-specific — do not rely on general knowledge, always appl
 | **nginx + certbot** | Certbot corrupts configs on this setup. Always manually inspect after cert issuance. Check for: duplicate `server_name` directives, missing closing braces. Use a temporary HTTP-only config before adding SSL. |
 | **NFS mounts** | Use `soft,timeo=30,retrans=3` fstab options. Hard NFS mounts can freeze the entire Proxmox host if the NAS becomes unresponsive. |
 | **Gitea writes** | Always read current file content first. `gitea_write_file` replaces the entire file — no partial edits. |
-| **Proxmox kernel** | Stay on `6.14.11-5-pve`. Kernel 6.17.x is incompatible with NVIDIA 550 DKMS — do not upgrade the kernel without verifying NVIDIA support first. |
+| **Proxmox kernel** | PINNED to `6.14.11-5-pve` via `proxmox-boot-tool kernel pin`. 6.17.x and 7.0.x break NVIDIA 550 DKMS — do not upgrade or unpin without verifying NVIDIA support first. |
-| **WebSupport DNS** | Two separate management pages exist. Missing the second caused a service outage. Always update both. Record IDs are numeric, not domain strings. |
+| **WebSupport DNS** | Two separate management pages exist. Missing the second caused a service outage. Always update both. Record IDs are numeric, not domain strings. DNS A record must exist before certbot can verify. |
 | **DDNS cache** | `/tmp/ddns_last_ip` persists during runtime but clears on reboot — this is fine and expected. |
 | **Hairpin NAT** | Slovak Telekom router does not support hairpin NAT. Never test public domain access from inside the LAN. Always test from mobile data or an external connection. |
 | **OpenRGB** | Uninstalled. ADATA XPG GAMMIX D35 RAM uses an ENE SMBus controller unsupported on Linux. SMBus probing poses hardware risk — do not reinstall. |
 | **AppFlowy** | Abandoned after cascading Docker/PostgreSQL/pgvector issues. Do not suggest it. AFFiNE was the successful alternative (since replaced by Obsidian). |
 | **WebSupport API auth** | REST API v2 uses HMAC-SHA1 signed requests with `X-Date` header in ISO8601 basic format (`YYYYMMDDTHHmmSSZ`). Plain Basic Auth does not work. |
+| **kocka-novinky.sk** | Wordfence plugin blocks login — keep disabled. wp-config.php WP_SITEURL/WP_HOME hardcoded to www.kocka-novinky.sk (removes PHP warnings). Zen browser has Content-Encoding issue — use Firefox/Chrome for admin. |
 
 ---