---
project:
  name: UniFi Host Migration Checklist
  status: planning
  category: infrastructure
  source: homelabagentroot
  created: 2026-03-17
  updated: 2026-03-17
  description: Host-by-host checklist for aligning live UniFi placement with authoritative host repo intent
  goals:
    - Normalize infrastructure hosts to intended network zones
    - Reduce accidental dual-homing and cross-zone ambiguity
    - Preserve app reachability during staged network changes
  priority: high
  tags: [unifi, migration, hosts, checklist, planning]
---

# UniFi Host Migration Checklist

## Overview

This checklist breaks the UniFi optimization work into host-specific actions. It is written to support staged execution and validation.

## Shared Pre-Checks

- [ ] Export current UniFi networks, zones, and firewall policies
- [ ] Confirm DHCP reservations for all infrastructure hosts
- [ ] Confirm DNS records that point at `ubuntu`, `grizzley`, `ice`, `proxmox`, `truenas`, `panda`, and `traefik-lxc`
- [ ] Confirm out-of-band or fallback admin access for each host before moving network placement
- [ ] Enable logging on critical deny and edge allow rules before major topology changes

## Current Staged-Cutover Status

- [x] `Family of D.` moved from `Management` to `Internal`
- [x] `Management` reduced to `Default` only
- [x] Staged DHCP reservation enabled for `grizzley` Wi-Fi path at `192.168.10.145`
- [x] Staged DHCP reservations enabled for `ice` at `192.168.10.178` and `192.168.50.197`
- [x] Staged DHCP reservation enabled for `homeassistant` app plane at `192.168.30.196`
- [x] `ubuntu` reservation normalized to its current live `Default` network address `192.168.1.61`
- [x] `proxmox` reservation refreshed and validated through UniFi at `192.168.1.11`
- [x] `truenas` primary reservation confirmed at `192.168.1.12`

Follow-up findings:

- `ubuntu` and `proxmox` accepted the legacy fixed-IP update format and now reflect their current live `Default` network addresses correctly in UniFi.
- `truenas` already had a valid primary reservation at `192.168.1.12` plus a second physical-NIC reservation at `192.168.1.145`.
- The `truenas` update conflict came from the second NIC record, not from the active primary reservation itself.

## Ubuntu

Current intent: primary Docker host and public/internal app edge on `192.168.50.61`

- [ ] Confirm whether `ubuntu` should live only on `Production` or stay dual-homed during migration
- [ ] If moving, create or verify reservation for `192.168.50.61`
- [ ] Ensure Traefik, Authentik, Gitea, Vaultwarden, and OpenCode URLs resolve to the correct server-side path
- [ ] Verify inbound `HTTPS` routes after network normalization
- [ ] Remove stale `Default`-side assumptions from firewall rules after validation

## Grizzley

Current intent: edge ingress on `192.168.50.84`

- [ ] Verify whether the current `192.168.10.145` presence is intentional or drift
- [ ] Confirm the desired primary address remains `192.168.50.84`
- [ ] Keep Traefik and admin access in `Servers` and `Management`, not `Internal`
- [ ] Remove any unintended trusted-client or Wi-Fi placement once validated

## Ice

Current intent: control-plane infrastructure on `192.168.50.197`

- [ ] Verify whether `192.168.10.178` is an intentional secondary path
- [ ] Keep control-plane traffic anchored to `Production`
- [ ] Limit any secondary management path to a documented admin-only use case
- [ ] Remove broad `Internal`-side reachability if the extra placement is not required

## Proxmox

Current intent: infrastructure-only hypervisor on `192.168.50.11`

- [ ] Confirm the hypervisor should not remain on `192.168.1.11`
- [ ] Verify management-only access to the hypervisor UI and SSH
- [ ] Confirm `traefik-lxc` (`192.168.50.115`) and other LXC workloads remain server-side only
- [ ] Review whether any user networks directly reach Proxmox today and remove that access if unnecessary

## TrueNAS

Current intent: storage-only host on `192.168.50.12`

- [ ] Confirm whether `192.168.1.12` is a legacy path, active secondary interface, or stale observation
- [ ] Keep storage admin access on `Management` and selected server workflows only
- [ ] Confirm mounts and NFS exports still resolve correctly after address normalization
- [ ] Document the final intended interface model explicitly

## Panda / Home Assistant

Current intent: app endpoint on `192.168.30.196`, SSH/admin endpoint on `192.168.50.196`

- [ ] Preserve the split app/admin model unless there is a strong reason to collapse it
- [ ] Confirm Home Assistant app access remains available from intended `Internal`, `Management`, and selected `IoT` clients
- [ ] Restrict admin SSH path to `Management` and approved VPN clients
- [ ] Keep Home Assistant runtime state out of Git-tracked locations

## Post-Migration Validation

- [ ] Confirm all host DHCP reservations and names resolve correctly
- [ ] Confirm reverse proxy paths for public and internal apps
- [ ] Confirm Home Assistant, Jellyfin, Gitea, Vaultwarden, and Authentik remain reachable from intended zones
- [ ] Confirm guests have internet-only access
- [ ] Confirm IoT devices can reach only their approved service exceptions
- [ ] Confirm VPN access is least-privilege and still sufficient for admin work
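
The reservation check in the validation list can be scripted. The following is an added example, not part of the original checklist or the host repo: it compares each host's intended address from the "Current intent" lines against observed reservations and reports drift and dual-homing. The `/24` prefix length, the `INTENT`/`OBSERVED` structures and the function names are assumptions, and the observed list is a constructed sample built from addresses this page mentions.

```python
import ipaddress
from collections import defaultdict

# Intended addresses, from the "Current intent" lines of this checklist.
INTENT = {
    "ubuntu": ["192.168.50.61"],
    "grizzley": ["192.168.50.84"],
    "ice": ["192.168.50.197"],
    "proxmox": ["192.168.50.11"],
    "truenas": ["192.168.50.12"],
    "panda": ["192.168.30.196", "192.168.50.196"],  # split app/admin model
}

# Constructed sample of observed (host, address) reservations; a real run
# would load these from the exported UniFi data instead.
OBSERVED = [
    ("ubuntu", "192.168.1.61"), ("proxmox", "192.168.1.11"),
    ("grizzley", "192.168.10.145"), ("grizzley", "192.168.50.84"),
    ("ice", "192.168.10.178"), ("ice", "192.168.50.197"),
    ("truenas", "192.168.1.12"), ("truenas", "192.168.1.145"),
    ("panda", "192.168.30.196"), ("panda", "192.168.50.196"),
]

def subnet(addr, prefix=24):
    """Network containing addr; the /24 prefix length is an assumption."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def audit(intent, observed):
    """Per host: intended addresses not seen, seen addresses not intended,
    and subnets the host sits on that no intended address belongs to."""
    seen = defaultdict(set)
    for host, addr in observed:
        seen[host].add(ipaddress.ip_address(addr))
    report = {}
    for host, wanted in intent.items():
        want = {ipaddress.ip_address(a) for a in wanted}
        have = seen[host]
        stray = {subnet(a) for a in have} - {subnet(a) for a in want}
        report[host] = {
            "missing": [str(a) for a in sorted(want - have)],
            "unexpected": [str(a) for a in sorted(have - want)],
            "stray_subnets": [str(n) for n in sorted(stray)],
        }
    return report

def hosts_needing_review(report):
    """Hosts with any finding, i.e. not yet aligned with intent."""
    return sorted(h for h, r in report.items() if any(r.values()))

if __name__ == "__main__":
    for host, findings in audit(INTENT, OBSERVED).items():
        print(host, findings)
```

A host with an empty `missing` list but a non-empty `stray_subnets` list is the dual-homed case to confirm as intentional or remove.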