Initial commit: homelab infrastructure wiki

- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning

homelab/docs/unifi-host-migration-checklist.md

@@ -0,0 +1,111 @@
+---
+project:
+  name: UniFi Host Migration Checklist
+  status: planning
+  category: infrastructure
+  source: homelabagentroot
+  created: 2026-03-17
+  updated: 2026-03-17
+  description: Host-by-host checklist for aligning live UniFi placement with authoritative host repo intent
+  goals:
+    - Normalize infrastructure hosts to intended network zones
+    - Reduce accidental dual-homing and cross-zone ambiguity
+    - Preserve app reachability during staged network changes
+  priority: high
+  tags: [unifi, migration, hosts, checklist, planning]
+---
+
+# UniFi Host Migration Checklist
+
+## Overview
+
+This checklist breaks the UniFi optimization work into host-specific actions. It is written to support staged execution and validation.
+
+## Shared Pre-Checks
+
+- [ ] Export current UniFi networks, zones, and firewall policies
+- [ ] Confirm DHCP reservations for all infrastructure hosts
+- [ ] Confirm DNS records that point at `ubuntu`, `grizzley`, `ice`, `proxmox`, `truenas`, `panda`, and `traefik-lxc`
+- [ ] Confirm out-of-band or fallback admin access for each host before moving network placement
+- [ ] Enable logging on critical deny and edge allow rules before major topology changes
+
+## Current Staged-Cutover Status
+
+- [x] `Family of D.` moved from `Management` to `Internal`
+- [x] `Management` reduced to `Default` only
+- [x] Staged DHCP reservation enabled for `grizzley` Wi-Fi path at `192.168.10.145`
+- [x] Staged DHCP reservations enabled for `ice` at `192.168.10.178` and `192.168.50.197`
+- [x] Staged DHCP reservation enabled for `homeassistant` app plane at `192.168.30.196`
+- [x] `ubuntu` reservation normalized to its current live `Default` network address `192.168.1.61`
+- [x] `proxmox` reservation refreshed and validated through UniFi at `192.168.1.11`
+- [x] `truenas` primary reservation confirmed at `192.168.1.12`
+
+Follow-up findings:
+
+- `ubuntu` and `proxmox` accepted the legacy fixed-IP update format and now reflect their current live `Default` network addresses correctly in UniFi.
+- `truenas` already had a valid primary reservation at `192.168.1.12` plus a second physical-NIC reservation at `192.168.1.145`.
+- The `truenas` update conflict came from the second NIC record, not from the active primary reservation itself.
+
+## Ubuntu
+
+Current intent: primary Docker host and public/internal app edge on `192.168.50.61`
+
+- [ ] Confirm whether `ubuntu` should live only on `Production` or stay dual-homed during migration
+- [ ] If moving, create or verify reservation for `192.168.50.61`
+- [ ] Ensure Traefik, Authentik, Gitea, Vaultwarden, and OpenCode URLs resolve to the correct server-side path
+- [ ] Verify inbound `HTTPS` routes after network normalization
+- [ ] Remove stale `Default`-side assumptions from firewall rules after validation
+
+## Grizzley
+
+Current intent: edge ingress on `192.168.50.84`
+
+- [ ] Verify whether the current `192.168.10.145` presence is intentional or drift
+- [ ] Confirm the desired primary address remains `192.168.50.84`
+- [ ] Keep Traefik and admin access in `Servers` and `Management`, not `Internal`
+- [ ] Remove any unintended trusted-client or Wi-Fi placement once validated
+
+## Ice
+
+Current intent: control-plane infrastructure on `192.168.50.197`
+
+- [ ] Verify whether `192.168.10.178` is an intentional secondary path
+- [ ] Keep control-plane traffic anchored to `Production`
+- [ ] Limit any secondary management path to a documented admin-only use case
+- [ ] Remove broad `Internal`-side reachability if the extra placement is not required
+
+## Proxmox
+
+Current intent: infrastructure-only hypervisor on `192.168.50.11`
+
+- [ ] Confirm the hypervisor should not remain on `192.168.1.11`
+- [ ] Verify management-only access to the hypervisor UI and SSH
+- [ ] Confirm `traefik-lxc` (`192.168.50.115`) and other LXC workloads remain server-side only
+- [ ] Review whether any user networks directly reach Proxmox today and remove that access if unnecessary
+
+## TrueNAS
+
+Current intent: storage-only host on `192.168.50.12`
+
+- [ ] Confirm whether `192.168.1.12` is a legacy path, active secondary interface, or stale observation
+- [ ] Keep storage admin access on `Management` and selected server workflows only
+- [ ] Confirm mounts and NFS exports still resolve correctly after address normalization
+- [ ] Document the final intended interface model explicitly
+
+## Panda / Home Assistant
+
+Current intent: app endpoint on `192.168.30.196`, SSH/admin endpoint on `192.168.50.196`
+
+- [ ] Preserve the split app/admin model unless there is a strong reason to collapse it
+- [ ] Confirm Home Assistant app access remains available from intended `Internal`, `Management`, and selected `IoT` clients
+- [ ] Restrict admin SSH path to `Management` and approved VPN clients
+- [ ] Keep Home Assistant runtime state out of Git-tracked locations
+
+## Post-Migration Validation
+
+- [ ] Confirm all host DHCP reservations and names resolve correctly
+- [ ] Confirm reverse proxy paths for public and internal apps
+- [ ] Confirm Home Assistant, Jellyfin, Gitea, Vaultwarden, and Authentik remain reachable from intended zones
+- [ ] Confirm guests have internet-only access
+- [ ] Confirm IoT devices can reach only their approved service exceptions
+- [ ] Confirm VPN access is least-privilege and still sufficient for admin work