TopherMayor/hermes-ice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e4d91aadf968847e84a84f31c806d8f408ac4488
hermes-ice/homelab/docs/unifi-host-migration-checklist.md
Hermes Agent e4d91aadf9 Initial commit: homelab infrastructure wiki 
- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
2026-05-24 16:08:40 -07:00

112 lines
5.1 KiB
Markdown
Raw Blame History

---
project:
name: UniFi Host Migration Checklist
status: planning
category: infrastructure
source: homelabagentroot
created: 2026-03-17
updated: 2026-03-17
description: Host-by-host checklist for aligning live UniFi placement with authoritative host repo intent
goals:
- Normalize infrastructure hosts to intended network zones
- Reduce accidental dual-homing and cross-zone ambiguity
- Preserve app reachability during staged network changes
priority: high
tags: [unifi, migration, hosts, checklist, planning]
---
# UniFi Host Migration Checklist
## Overview
This checklist breaks the UniFi optimization work into host-specific actions. It is written to support staged execution and validation.
## Shared Pre-Checks
- [ ] Export current UniFi networks, zones, and firewall policies
- [ ] Confirm DHCP reservations for all infrastructure hosts
- [ ] Confirm DNS records that point at `ubuntu`, `grizzley`, `ice`, `proxmox`, `truenas`, `panda`, and `traefik-lxc`
- [ ] Confirm out-of-band or fallback admin access for each host before moving network placement
- [ ] Enable logging on critical deny and edge allow rules before major topology changes
## Current Staged-Cutover Status
- [x] `Family of D.` moved from `Management` to `Internal`
- [x] `Management` reduced to `Default` only
- [x] Staged DHCP reservation enabled for `grizzley` Wi-Fi path at `192.168.10.145`
- [x] Staged DHCP reservations enabled for `ice` at `192.168.10.178` and `192.168.50.197`
- [x] Staged DHCP reservation enabled for `homeassistant` app plane at `192.168.30.196`
- [x] `ubuntu` reservation normalized to its current live `Default` network address `192.168.1.61`
- [x] `proxmox` reservation refreshed and validated through UniFi at `192.168.1.11`
- [x] `truenas` primary reservation confirmed at `192.168.1.12`
Follow-up findings:
- `ubuntu` and `proxmox` accepted the legacy fixed-IP update format and now reflect their current live `Default` network addresses correctly in UniFi.
- `truenas` already had a valid primary reservation at `192.168.1.12` plus a second physical-NIC reservation at `192.168.1.145`.
- The `truenas` update conflict came from the second NIC record, not from the active primary reservation itself.
## Ubuntu
Current intent: primary Docker host and public/internal app edge on `192.168.50.61`
- [ ] Confirm whether `ubuntu` should live only on `Production` or stay dual-homed during migration
- [ ] If moving, create or verify reservation for `192.168.50.61`
- [ ] Ensure Traefik, Authentik, Gitea, Vaultwarden, and OpenCode URLs resolve to the correct server-side path
- [ ] Verify inbound `HTTPS` routes after network normalization
- [ ] Remove stale `Default`-side assumptions from firewall rules after validation
## Grizzley
Current intent: edge ingress on `192.168.50.84`
- [ ] Verify whether the current `192.168.10.145` presence is intentional or drift
- [ ] Confirm the desired primary address remains `192.168.50.84`
- [ ] Keep Traefik and admin access in `Servers` and `Management`, not `Internal`
- [ ] Remove any unintended trusted-client or Wi-Fi placement once validated
## Ice
Current intent: control-plane infrastructure on `192.168.50.197`
- [ ] Verify whether `192.168.10.178` is an intentional secondary path
- [ ] Keep control-plane traffic anchored to `Production`
- [ ] Limit any secondary management path to a documented admin-only use case
- [ ] Remove broad `Internal`-side reachability if the extra placement is not required
## Proxmox
Current intent: infrastructure-only hypervisor on `192.168.50.11`
- [ ] Confirm the hypervisor should not remain on `192.168.1.11`
- [ ] Verify management-only access to the hypervisor UI and SSH
- [ ] Confirm `traefik-lxc` (`192.168.50.115`) and other LXC workloads remain server-side only
- [ ] Review whether any user networks directly reach Proxmox today and remove that access if unnecessary
## TrueNAS
Current intent: storage-only host on `192.168.50.12`
- [ ] Confirm whether `192.168.1.12` is a legacy path, active secondary interface, or stale observation
- [ ] Keep storage admin access on `Management` and selected server workflows only
- [ ] Confirm mounts and NFS exports still resolve correctly after address normalization
- [ ] Document the final intended interface model explicitly
## Panda / Home Assistant
Current intent: app endpoint on `192.168.30.196`, SSH/admin endpoint on `192.168.50.196`
- [ ] Preserve the split app/admin model unless there is a strong reason to collapse it
- [ ] Confirm Home Assistant app access remains available from intended `Internal`, `Management`, and selected `IoT` clients
- [ ] Restrict admin SSH path to `Management` and approved VPN clients
- [ ] Keep Home Assistant runtime state out of Git-tracked locations
## Post-Migration Validation
- [ ] Confirm all host DHCP reservations and names resolve correctly
- [ ] Confirm reverse proxy paths for public and internal apps
- [ ] Confirm Home Assistant, Jellyfin, Gitea, Vaultwarden, and Authentik remain reachable from intended zones
- [ ] Confirm guests have internet-only access
- [ ] Confirm IoT devices can reach only their approved service exceptions
- [ ] Confirm VPN access is least-privilege and still sufficient for admin work
Reference in New Issue View Git Blame Copy Permalink