TopherMayor/hermes-ice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
hermes-ice/homelab/docs/unifi-live-drift-table.md
Hermes Agent e4d91aadf9 Initial commit: homelab infrastructure wiki 
- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
2026-05-24 16:08:40 -07:00

4.9 KiB
Raw Permalink Blame History

project
project
name status category source created updated description goals priority tags
UniFi Live Drift Table planning infrastructure homelabagentroot 2026-03-17 2026-03-17 Drift table comparing live UniFi observations to authoritative host repo and catalog intent
Identify address and zone drift for infrastructure hosts
Separate intentional split-plane designs from accidental placement
Provide a decision aid before firewall cleanup execution
high
unifi
drift
hosts
planning
audit

UniFi Live Drift Table

Summary

This table compares live UniFi observations from 2026-03-17 with the latest pulled host repos and homelab catalogs.

Host / Asset Authoritative Intent Live UniFi Observation Drift Level Decision Needed
ubuntu 192.168.50.61, primary Docker/app edge host now routes and serves from 192.168.50.61; UniFi currently reports the MAC on another VLAN-side address Low Refresh controller/client state so UniFi reflects the completed host-side removal
grizzley 192.168.50.84, edge ingress/control node host now routes from 192.168.50.84; UniFi may still show stale/disconnected Wi-Fi history for 192.168.10.145 Low Confirm whether any residual Wi-Fi client state ages out cleanly
ice 192.168.50.197, control-plane host host now routes from 192.168.50.197; UniFi may still show stale/disconnected Wi-Fi history for 192.168.10.178 Low Confirm residual Wi-Fi client state ages out cleanly
proxmox 192.168.50.11, infra-only hypervisor 192.168.50.11; legacy 192.168.1.11 removed Low Keep monitoring hosted service paths
truenas 192.168.50.12, storage-only host 192.168.50.12; default route prefers 192.168.50.1 Low Keep monitoring storage-path behavior
panda app plane 192.168.30.196 192.168.30.196 Low Keep
panda admin plane 192.168.50.196 SSH endpoint not shown in current client list Low Keep and validate by access test, not client inventory alone
traefik-lxc 192.168.50.115 not queried directly in client output Medium Validate server-segment reachability and access scope
alpine-adguard 192.168.50.157 not queried directly in client output Medium Validate DNS/admin access scope

Staged-Cutover Notes

  • grizzley Wi-Fi path now has a staged reservation for 192.168.10.145
  • ice now has staged reservations for both 192.168.10.178 and 192.168.50.197
  • homeassistant now has an active staged reservation for 192.168.30.196
  • ubuntu and proxmox were corrected by switching to the legacy fixed-IP update format accepted by the classic UniFi endpoint
  • truenas conflict was traced to a second NIC record that had reserved 192.168.1.145; that stale fixed-IP reservation has been cleared, while the active primary reservation at 192.168.1.12 remains valid
  • truenas host egress now prefers 192.168.50.1, and the legacy 192.168.1.12 address has been removed
  • grizzley and ice Wi-Fi reservations were cleared after host-side Wi-Fi removal, but UniFi may still report the disconnected records until controller state refreshes
  • ubuntu host-side removal of 192.168.1.61 is complete, but UniFi currently reports the MAC on another VLAN-side address, which appears to be a controller observation artifact for a multi-VLAN host
  • staging-side host addresses were removed from truenas, grizzley, and ice, and the two explicit staging firewall policies were disabled

Interpretation

  • High drift means live UniFi placement materially conflicts with the intended trust boundary in the authoritative repos.
  • Medium drift means the placement may be legitimate, but it still needs explicit documentation and tighter firewall policy.
  • Low drift means the live state matches the intended design closely enough for now.

Most Important Drift Items

  1. ubuntu carries your primary public and internal app edge, so its current Default-side visibility has the biggest security impact.
  2. proxmox and truenas should not sit in a broadly reachable user or legacy management segment unless there is a deliberate operational reason.
  3. grizzley and ice appearing on Family of D. weakens the intended separation between user devices and infrastructure nodes.
  4. panda is the cleanest example of an intentional split-plane design and can be used as a model for how to document exceptions.

Remaining 192.168.30.x Assessment

  • ubuntu, proxmox, grizzley, and ice still expose 192.168.30.x addresses
  • Those addresses were retained intentionally in this cleanup wave because they are more likely to back IoT-side service access than the removed legacy 192.168.1.x or staging 192.168.40.x paths
  • Removing them should be a per-service maintenance task, not a bulk cleanup operation
Reference in New Issue View Git Blame Copy Permalink