---
project:
  name: UniFi Host Migration Runbook
  status: planning
  category: infrastructure
  source: homelabagentroot
  created: 2026-03-17
  updated: 2026-03-17
  description: One-host-at-a-time runbook for moving infrastructure from 192.168.1.x drift toward documented 192.168.50.x placement
  goals:
    - Migrate infrastructure hosts without lockout
    - Validate services and routing after each host move
    - Preserve rollback options at every step
  priority: high
  tags: [unifi, migration, runbook, infrastructure]
---

# UniFi Host Migration Runbook

## Strategy

Use a staged maintenance-window approach. Move one host at a time, verify service reachability, then continue.

## Pre-Migration Rules

- Keep working SSH access before changing a host address
- Keep DHCP reservation and target network prepared before host cutover
- Verify DNS, reverse proxy, and firewall reachability after each move
- Roll back immediately if the management path or primary app path fails

## Recommended Order

1. `truenas`
2. `proxmox`
3. `ubuntu`
4. `grizzley`
5. `ice`

This order reduces blast radius by moving storage and hypervisor access before the primary public app edge.

## Host Steps

### TrueNAS

Target intent: normalize around `192.168.50.12`

- Confirm which NICs are intentionally active
- Confirm whether `192.168.1.12` remains required during transition
- Confirm NFS/SMB exports remain reachable from `ubuntu` and other consumers
- Remove stale or duplicate UniFi client records only after confirming the active interface map
- Cut over management and storage clients to the server-side address

Rollback:

- Re-enable the previous interface/gateway path
- Restore the old fixed IP if needed

### Proxmox

Target intent: normalize around `192.168.50.11`

- Verify direct shell access before change
- Confirm access to hosted services such as `traefik-lxc` and `adguard`
- Move the management path and validate web UI, SSH, and LXC/VM operations

Rollback:

- Restore previous interface config and reservation

### Ubuntu

Target intent: normalize around `192.168.50.61`

- Verify SSH access and Docker service health before cutover
- Confirm Traefik, Authentik, Gitea, Vaultwarden, OpenCode, Jellyfin, and other critical apps are healthy
- Update reverse proxy assumptions if any services still reference the old `192.168.1.61` path
- Validate external and internal HTTPS after the move

Rollback:

- Restore `192.168.1.61`
- Re-test `gitea.tophermayor.com`, `opencode.tophermayor.com`, and other critical ingress routes

### Grizzley

Target intent: normalize around `192.168.50.84`

- Decide whether the `192.168.10.145` Wi-Fi presence is temporary or required
- Preserve edge ingress management access during any move

### Ice

Target intent: normalize around `192.168.50.197`

- Decide whether the `192.168.10.178` Wi-Fi path is still required
- Preserve OpenCode control-plane access during any move

## Post-Step Validation

- SSH works from management
- DNS resolves correctly
- Reverse proxy paths work where expected
- Firewall logs show expected zone flows only
- No new unexpected east-west traffic appears

## Notes From Current State

- `Family of D.` is now in `Internal`, not `Management`
- `ubuntu` and `proxmox` reservations are aligned to current live `Default` addresses
- `truenas` still has multiple NIC/client records and should be cleaned up carefully before a move
- `grizzley`, `ice`, and `homeassistant` staged reservations are already in place for their current live paths

## Executed Migration State

Executed on 2026-03-17:

- `truenas` secondary stale reservation at `192.168.1.145` was cleared
- `truenas` management and egress preference was shifted to `Production` by changing the host default gateway from `192.168.1.1` to `192.168.50.1`
- `truenas` DNS was normalized to prefer `192.168.50.157` with `1.1.1.1` as secondary
- `proxmox` default route was moved from `192.168.1.1` on `vmbr0` to `192.168.50.1` on `vmbr0.50`, and `/etc/network/interfaces` was updated accordingly
- `ubuntu` default route was moved from `192.168.1.1` on `enp6s18` to `192.168.50.1` on `vlan50`, and `/etc/netplan/50-cloud-init.yaml` was updated to persist the server-side route and DNS preference
- `proxmox` legacy `192.168.1.11` address was removed from `vmbr0`; the host now remains reachable only on `192.168.50.11`, `192.168.40.11`, and `192.168.30.11`
- `ubuntu` legacy `192.168.1.61` address was removed from `enp6s18`; the host now remains reachable on `192.168.50.61` and `192.168.30.61`
- `truenas` legacy `192.168.1.12` address was removed from `enp6s17` using the TrueNAS interface rollback/checkin workflow; the host now remains reachable on `192.168.50.12` and `192.168.40.12`
- `grizzley` Wi-Fi config was removed, leaving wired server-side operation on `192.168.50.84` plus its VLAN-side service addresses
- `ice` Wi-Fi config was removed, leaving wired server-side operation on `192.168.50.197` plus its VLAN-side service addresses
- `truenas`, `grizzley`, and `ice` staging-side `192.168.40.x` addresses were removed

Verification after the change:

- SSH remained reachable on both `192.168.50.12` and `192.168.1.12`
- Default route now points to `192.168.50.1` on `enp6s19`
- Internet egress test to `1.1.1.1` succeeded
- `proxmox` remained reachable on both `192.168.50.11` and `192.168.1.11`
- `ubuntu` remained reachable on both `192.168.50.61` and `192.168.1.61`
- `gitea.tophermayor.com` and `opencode.tophermayor.com` continued returning `HTTP 200`
- after the Proxmox legacy-address removal, SSH remained reachable on `192.168.50.11` and no longer responded on `192.168.1.11`
- after the Ubuntu legacy-address removal, SSH remained reachable on `192.168.50.61`, critical app endpoints continued returning `HTTP 200`, and the old `192.168.1.61` SSH path stopped responding
- after the TrueNAS legacy-address removal, SSH remained reachable on `192.168.50.12`, the old `192.168.1.12` path stopped responding, and interface changes were checked in successfully
- after the `grizzley` and `ice` Wi-Fi removals, SSH remained reachable on `192.168.50.84` and `192.168.50.197`, while the old Wi-Fi IPs no longer responded from the management host

Still pending for full TrueNAS normalization:

- no host-side `192.168.40.12` path remains

Still pending for full Proxmox and Ubuntu normalization:

- update stale controller/client observations so UniFi no longer shows the old `192.168.1.61` path as active after the host-side removal

Still pending for full Grizzley and Ice normalization:

- allow UniFi client state to age out or refresh, since disconnected Wi-Fi client observations may remain visible briefly after host-side removal
- decide whether their additional VLAN-side service addresses on `192.168.30.x` remain intentional long-term
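
The Post-Step Validation checks and the rule to roll back when the management path or primary app path fails can be scripted as a gate that runs after each host move. The following is an added example, not part of the original runbook: the `Host` record, the decision strings, and the app ports (8006 for the Proxmox web UI, 443 for HTTPS ingress on `ubuntu`) are assumptions, and it checks TCP reachability only.

```python
import socket
from dataclasses import dataclass
@dataclass
class Host:
    name: str
    target_ip: str         # documented 192.168.50.x address
    legacy_ip: str = ""    # pre-migration address, expected to stop answering
    app_ports: tuple = ()  # assumed primary app ports on target_ip

def tcp_probe(ip, port, timeout=3.0):
    """Return True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def evaluate_cutover(host, probe=tcp_probe):
    """Return (decision, findings) for one host after its address move."""
    # Management path (SSH, port 22) and app ports must answer on the new address.
    findings = [f"port {p} unreachable on {host.target_ip}"
                for p in (22, *host.app_ports) if not probe(host.target_ip, p)]
    if findings:
        return "rollback", findings
    # A legacy address that still answers is unfinished cleanup, not a failure.
    if host.legacy_ip and probe(host.legacy_ip, 22):
        return "proceed-legacy-still-live", [f"{host.legacy_ip} still answers SSH"]
    return "proceed", []

# Hosts and addresses from the runbook, in its recommended order; app ports are assumptions.
HOSTS = [
    Host("truenas", "192.168.50.12", "192.168.1.12"),
    Host("proxmox", "192.168.50.11", "192.168.1.11", (8006,)),
    Host("ubuntu", "192.168.50.61", "192.168.1.61", (443,)),
    Host("grizzley", "192.168.50.84", "192.168.10.145"),
    Host("ice", "192.168.50.197", "192.168.10.178"),
]

def run(hosts, probe=tcp_probe):
    """Check hosts in order and stop at the first rollback."""
    results = []
    for h in hosts:
        results.append((h.name, *evaluate_cutover(h, probe)))
        if results[-1][1] == "rollback":
            break
    return results

if __name__ == "__main__":
    print(*run(HOSTS), sep="\n")
```

Run it from the management host after each cutover; a `rollback` result stops the walk so later hosts are not touched until the failing path is restored.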