TopherMayor/hermes-ice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
hermes-ice/homelab/docs/unifi-host-migration-checklist.md
Hermes Agent e4d91aadf9 Initial commit: homelab infrastructure wiki 
- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
2026-05-24 16:08:40 -07:00

5.1 KiB
Raw Permalink Blame History

project
project
name status category source created updated description goals priority tags
UniFi Host Migration Checklist planning infrastructure homelabagentroot 2026-03-17 2026-03-17 Host-by-host checklist for aligning live UniFi placement with authoritative host repo intent
Normalize infrastructure hosts to intended network zones
Reduce accidental dual-homing and cross-zone ambiguity
Preserve app reachability during staged network changes
high
unifi
migration
hosts
checklist
planning

UniFi Host Migration Checklist

Overview

This checklist breaks the UniFi optimization work into host-specific actions. It is written to support staged execution and validation.

Shared Pre-Checks

  • Export current UniFi networks, zones, and firewall policies
  • Confirm DHCP reservations for all infrastructure hosts
  • Confirm DNS records that point at ubuntu, grizzley, ice, proxmox, truenas, panda, and traefik-lxc
  • Confirm out-of-band or fallback admin access for each host before moving network placement
  • Enable logging on critical deny and edge allow rules before major topology changes

Current Staged-Cutover Status

  • Family of D. moved from Management to Internal
  • Management reduced to Default only
  • Staged DHCP reservation enabled for grizzley Wi-Fi path at 192.168.10.145
  • Staged DHCP reservations enabled for ice at 192.168.10.178 and 192.168.50.197
  • Staged DHCP reservation enabled for homeassistant app plane at 192.168.30.196
  • ubuntu reservation normalized to its current live Default network address 192.168.1.61
  • proxmox reservation refreshed and validated through UniFi at 192.168.1.11
  • truenas primary reservation confirmed at 192.168.1.12

Follow-up findings:

  • ubuntu and proxmox accepted the legacy fixed-IP update format and now reflect their current live Default network addresses correctly in UniFi.
  • truenas already had a valid primary reservation at 192.168.1.12 plus a second physical-NIC reservation at 192.168.1.145.
  • The truenas update conflict came from the second NIC record, not from the active primary reservation itself.

Ubuntu

Current intent: primary Docker host and public/internal app edge on 192.168.50.61

  • Confirm whether ubuntu should live only on Production or stay dual-homed during migration
  • If moving, create or verify reservation for 192.168.50.61
  • Ensure Traefik, Authentik, Gitea, Vaultwarden, and OpenCode URLs resolve to the correct server-side path
  • Verify inbound HTTPS routes after network normalization
  • Remove stale Default-side assumptions from firewall rules after validation

Grizzley

Current intent: edge ingress on 192.168.50.84

  • Verify whether the current 192.168.10.145 presence is intentional or drift
  • Confirm the desired primary address remains 192.168.50.84
  • Keep Traefik and admin access in Servers and Management, not Internal
  • Remove any unintended trusted-client or Wi-Fi placement once validated

Ice

Current intent: control-plane infrastructure on 192.168.50.197

  • Verify whether 192.168.10.178 is an intentional secondary path
  • Keep control-plane traffic anchored to Production
  • Limit any secondary management path to a documented admin-only use case
  • Remove broad Internal-side reachability if the extra placement is not required

Proxmox

Current intent: infrastructure-only hypervisor on 192.168.50.11

  • Confirm the hypervisor should not remain on 192.168.1.11
  • Verify management-only access to the hypervisor UI and SSH
  • Confirm traefik-lxc (192.168.50.115) and other LXC workloads remain server-side only
  • Review whether any user networks directly reach Proxmox today and remove that access if unnecessary

TrueNAS

Current intent: storage-only host on 192.168.50.12

  • Confirm whether 192.168.1.12 is a legacy path, active secondary interface, or stale observation
  • Keep storage admin access on Management and selected server workflows only
  • Confirm mounts and NFS exports still resolve correctly after address normalization
  • Document the final intended interface model explicitly

Panda / Home Assistant

Current intent: app endpoint on 192.168.30.196, SSH/admin endpoint on 192.168.50.196

  • Preserve the split app/admin model unless there is a strong reason to collapse it
  • Confirm Home Assistant app access remains available from intended Internal, Management, and selected IoT clients
  • Restrict admin SSH path to Management and approved VPN clients
  • Keep Home Assistant runtime state out of Git-tracked locations

Post-Migration Validation

  • Confirm all host DHCP reservations and names resolve correctly
  • Confirm reverse proxy paths for public and internal apps
  • Confirm Home Assistant, Jellyfin, Gitea, Vaultwarden, and Authentik remain reachable from intended zones
  • Confirm guests have internet-only access
  • Confirm IoT devices can reach only their approved service exceptions
  • Confirm VPN access is least-privilege and still sufficient for admin work
Reference in New Issue View Git Blame Copy Permalink