hermes-ice/homelab/docs/unifi-host-migration-runbook.md
Hermes Agent e4d91aadf9 Initial commit: homelab infrastructure wiki
- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
2026-05-24 16:08:40 -07:00


---
project:
name: UniFi Host Migration Runbook
status: planning
category: infrastructure
source: homelabagentroot
created: 2026-03-17
updated: 2026-03-17
description: One-host-at-a-time runbook for moving infrastructure from 192.168.1.x drift toward documented 192.168.50.x placement
goals:
- Migrate infrastructure hosts without lockout
- Validate services and routing after each host move
- Preserve rollback options at every step
priority: high
tags: [unifi, migration, runbook, infrastructure]
---
# UniFi Host Migration Runbook
## Strategy
Use a staged maintenance-window approach. Move one host at a time, verify service reachability, then continue.
## Pre-Migration Rules
- Keep working SSH access before changing a host address
- Keep DHCP reservation and target network prepared before host cutover
- Verify DNS, reverse proxy, and firewall reachability after each move
- Roll back immediately if the management path or primary app path fails
## Recommended Order
1. `truenas`
2. `proxmox`
3. `ubuntu`
4. `grizzley`
5. `ice`

This order reduces blast radius by moving storage and hypervisor access before the primary public app edge.
## Host Steps
### TrueNAS
Target intent: normalize around `192.168.50.12`
- Confirm which NICs are intentionally active
- Confirm whether `192.168.1.12` remains required during transition
- Confirm NFS/SMB exports remain reachable from `ubuntu` and other consumers
- Remove stale or duplicate UniFi client records only after confirming the active interface map
- Cut over management and storage clients to the server-side address

Rollback:
- Re-enable the previous interface/gateway path
- Restore the old fixed IP if needed
### Proxmox
Target intent: normalize around `192.168.50.11`
- Verify direct shell access before change
- Confirm access to hosted services such as `traefik-lxc` and `adguard`
- Move the management path and validate web UI, SSH, and LXC/VM operations

Rollback:
- Restore previous interface config and reservation
### Ubuntu
Target intent: normalize around `192.168.50.61`
- Verify SSH access and Docker service health before cutover
- Confirm Traefik, Authentik, Gitea, Vaultwarden, OpenCode, Jellyfin, and other critical apps are healthy
- Update reverse proxy assumptions if any services still reference the old `192.168.1.61` path
- Validate external and internal HTTPS after the move

Rollback:
- Restore `192.168.1.61`
- Re-test `gitea.tophermayor.com`, `opencode.tophermayor.com`, and other critical ingress routes
### Grizzley
Target intent: normalize around `192.168.50.84`
- Decide whether the `192.168.10.145` Wi-Fi presence is temporary or required
- Preserve edge ingress management access during any move
### Ice
Target intent: normalize around `192.168.50.197`
- Decide whether the `192.168.10.178` Wi-Fi path is still required
- Preserve OpenCode control-plane access during any move
## Post-Step Validation
- SSH works from management
- DNS resolves correctly
- Reverse proxy paths work where expected
- Firewall logs show expected zone flows only
- No new unexpected east-west traffic appears
## Notes From Current State
- `Family of D.` is now in `Internal`, not `Management`
- `ubuntu` and `proxmox` reservations are aligned to current live `Default` addresses
- `truenas` still has multiple NIC/client records and should be cleaned up carefully before a move
- `grizzley`, `ice`, and `homeassistant` staged reservations are already in place for their current live paths
## Executed Migration State
Executed on 2026-03-17:
- `truenas` secondary stale reservation at `192.168.1.145` was cleared
- `truenas` management and egress preference was shifted to `Production` by changing the host default gateway from `192.168.1.1` to `192.168.50.1`
- `truenas` DNS was normalized to prefer `192.168.50.157` with `1.1.1.1` as secondary
- `proxmox` default route was moved from `192.168.1.1` on `vmbr0` to `192.168.50.1` on `vmbr0.50`, and `/etc/network/interfaces` was updated accordingly
- `ubuntu` default route was moved from `192.168.1.1` on `enp6s18` to `192.168.50.1` on `vlan50`, and `/etc/netplan/50-cloud-init.yaml` was updated to persist the server-side route and DNS preference
- `proxmox` legacy `192.168.1.11` address was removed from `vmbr0`; the host now remains reachable only on `192.168.50.11`, `192.168.40.11`, and `192.168.30.11`
- `ubuntu` legacy `192.168.1.61` address was removed from `enp6s18`; the host now remains reachable on `192.168.50.61` and `192.168.30.61`
- `truenas` legacy `192.168.1.12` address was removed from `enp6s17` using the TrueNAS interface rollback/checkin workflow; the host now remains reachable on `192.168.50.12` and `192.168.40.12`
- `grizzley` Wi-Fi config was removed, leaving wired server-side operation on `192.168.50.84` plus its VLAN-side service addresses
- `ice` Wi-Fi config was removed, leaving wired server-side operation on `192.168.50.197` plus its VLAN-side service addresses
- `truenas`, `grizzley`, and `ice` staging-side `192.168.40.x` addresses were removed

Verification after the change:
- `truenas` SSH remained reachable on both `192.168.50.12` and `192.168.1.12`
- Default route now points to `192.168.50.1` on `enp6s19`
- Internet egress test to `1.1.1.1` succeeded
- `proxmox` remained reachable on both `192.168.50.11` and `192.168.1.11`
- `ubuntu` remained reachable on both `192.168.50.61` and `192.168.1.61`
- `gitea.tophermayor.com` and `opencode.tophermayor.com` continued returning `HTTP 200`
- After the Proxmox legacy-address removal, SSH remained reachable on `192.168.50.11` and no longer responded on `192.168.1.11`
- After the Ubuntu legacy-address removal, SSH remained reachable on `192.168.50.61`, critical app endpoints continued returning `HTTP 200`, and the old `192.168.1.61` SSH path stopped responding
- After the TrueNAS legacy-address removal, SSH remained reachable on `192.168.50.12`, the old `192.168.1.12` path stopped responding, and interface changes were checked in successfully
- After the `grizzley` and `ice` Wi-Fi removals, SSH remained reachable on `192.168.50.84` and `192.168.50.197`, while the old Wi-Fi IPs no longer responded from the management host

Still pending for full TrueNAS normalization:
- No host-side `192.168.40.12` path remains

Still pending for full Proxmox and Ubuntu normalization:
- Update stale controller/client observations so UniFi no longer shows the old `192.168.1.61` path as active after the host-side removal

Still pending for full Grizzley and Ice normalization:
- Allow UniFi client state to age out or refresh, since disconnected Wi-Fi client observations may remain visible briefly after host-side removal
- Decide whether their additional VLAN-side service addresses on `192.168.30.x` remain intentional long-term
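
## Example: Scripted Cutover Check

The Post-Step Validation list and the two verification states recorded above (both addresses answering after the route move, then the legacy address going silent after removal) can be checked per host with a small script. This is an added example, not a script from this repository; the host addresses come from the runbook, while the port lists, the phase names `dual` and `legacy-removed`, and the verdict names are assumptions made for illustration.

```python
import socket

# Addresses are the ones listed in the runbook; the port lists and the
# phase/verdict names are assumptions made for this example.
HOSTS = [
    {"name": "truenas", "new_ip": "192.168.50.12", "legacy_ip": "192.168.1.12", "ports": [22]},
    {"name": "proxmox", "new_ip": "192.168.50.11", "legacy_ip": "192.168.1.11", "ports": [22]},
    {"name": "ubuntu", "new_ip": "192.168.50.61", "legacy_ip": "192.168.1.61", "ports": [22, 443]},
]

def tcp_open(ip, port, timeout=2.0):
    """Return True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_cutover(host, phase, probe=tcp_open):
    """Return (verdict, findings) for one host.

    phase "dual": route moved, legacy address kept as the rollback path.
    phase "legacy-removed": legacy address deleted and must stay silent.
    """
    findings = []
    new_ok = True
    for port in host["ports"]:
        if not probe(host["new_ip"], port):
            new_ok = False
            findings.append(f"{host['new_ip']}:{port} unreachable")
    legacy_up = probe(host["legacy_ip"], 22)
    if phase == "dual" and not legacy_up:
        findings.append(f"rollback path {host['legacy_ip']}:22 is down")
    if phase == "legacy-removed" and legacy_up:
        findings.append(f"removed address {host['legacy_ip']}:22 still answers")
    if not new_ok:
        return "rollback", findings  # management or app path failed
    return ("ok" if not findings else "hold"), findings

if __name__ == "__main__":
    for h in HOSTS:
        verdict, findings = check_cutover(h, "legacy-removed")
        print(h["name"], verdict, "; ".join(findings) or "all checks passed")
```

Run it from the management host after each move. A `hold` verdict means the new path works but the legacy address is not in the state the phase expects, so the next host should wait.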