Scheduled jobs
Pre-made catalog
| Name | Description | Default schedule |
|---|---|---|
audit-log-cleanup | Delete audit events older than the retention window (default 90 days) | 0 3 * * * |
query-history-cleanup | Keep last 500 results per user, 30-day max | 0 4 * * * |
file-repo-quota | Enforce per-user quota (soft 500MB / hard 1GB); prune oldest non-pinned | 0 5 * * 0 |
backup-rotation | Keep 7 daily + 4 weekly + 3 monthly snapshots | 0 2 * * * |
bind9-query-log-roll | Roll BIND9 query log to a 48-hour window | 0 * * * * |
pg-vacuum-analyze | VACUUM ANALYZE; reclaims dead tuples + refreshes planner stats | 0 1 * * * |
pg-reindex | REINDEX hot tables (audit_events, query_history, monitor_*) | 0 1 * * 0 |
celery-result-purge | Delete Celery result payloads older than 7 days | 0 3 * * * |
stale-session-cleanup | Revoke user sessions idle > 12 hours (API tokens unaffected) | 0 */6 * * * |
monitor-retention | Rotate monitor raw/5m/1h per retention policy | 0 2 * * * |
pcap-cleanup | Delete pcap files older than 14 days (pinned captures skipped) | 0 4 * * * |
db-full-backup | Compressed pg_dump to /var/lib/meridian/backups/full/ | 0 2 * * * |
db-wal-ship | Ship PG WAL to the archive for point-in-time recovery | */15 * * * * |
db-integrity-scan | Verify the HMAC hash chain; CRITICAL alert on mismatch | 0 5 * * * |
vuln-scan | OSV + NVD scan of installed OS + app deps | 0 2 * * * |
cert-expiry-check | Scan every monitored cert; alert at 30/14/7 days | 0 6 * * * |
cert-auto-renew | Renew auto-managed certs within their renew threshold | 0 2 * * * |
stale-ad-report | Weekly report of AD accounts inactive > 90 days | 0 7 * * 1 |
dhcp-utilization | Hourly scope-utilization snapshot for trend graphs | 15 * * * * |
ipam-conflict-scan | Compare live subnet sweep against IPAM records | 0 5 * * * |
oss-component-scan | Refresh oss_components; regenerate SBOM; alert on new copyleft | 0 4 * * * |
pre-update-snapshot | Fires before any auto-update; enables rollback | on-event |
feature-health-ping | Hourly ping of each enabled integration | 30 * * * * |
Editing a job
Admin → Scheduled Jobs → click any row. You can change:
- Cron expression (standard 5-field cron; Meridian validates before save)
- Retention values (days, count, bytes — whichever fields apply)
- Notification channels (which admins + channels receive the result)
- Enabled / disabled toggle
- Owner (the user whose permissions it runs under, for user-owned jobs)
All edits are audit-logged with the before/after config.
Creating a custom job
Click "+ Custom job" in the Scheduled Jobs tab. You'll pick a handler from the installed set, provide a cron, fill out the job-specific config, and save. Custom jobs appear alongside the pre-made ones.
Change-freeze (CAB) windows
In Admin → Scheduled Jobs → Settings you can declare CAB windows (start + end + blocked action list). Jobs in the respects_cab set (most write-ish jobs) will refuse to fire during a CAB window and log a deferral to the job-run table. They catch up on the next scheduled tick after the window ends.
Running a job on demand
- UI: "Run now" button in the Scheduled Jobs tab
- CLI:
sudo meridian-nip jobs run <job-name>
Run-now requests bypass CAB windows only for jobs without the respects_cab flag; write-ish jobs still honor the freeze.
Job history
Each job run inserts a row into job_runs: started, completed, status, output, stats JSON. The Scheduled Jobs tab shows the last run's result; for full history use the CLI:
sudo meridian-nip jobs history <job-name> --limit 50