Post-Recovery Validation Checklist
Host and LXC
- Proxmox repositories are valid and package updates complete.
- VM 100 (`router`) is running OPNsense; verify with `ssh pve 'qm list | grep router'`. This confirms only that the VM exists and is running, not that OPNsense itself booted cleanly.
- OPNsense management is reachable through the OPNsense UI or a verified SSH path. Do not assume a local `ssh router` alias exists.
- CT 101 (`podman-lxc`) exists, is unprivileged, and starts at boot.
- CT 101 has the expected CPU and memory allocation.
- CT 101 uses `192.168.2.20/24`, gateway `192.168.2.1`, and VLAN 2.
- Rootless Podman runs as `podsvc` without user-service or networking errors.
- `/opt/podman/config`, `/opt/podman/env`, and `/opt/podman/volumes` exist.
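The CT 101 items above can be checked mechanically from `pct config 101` output rather than by eye. The script below is an added example, not part of the original checklist; it assumes the values the checklist states (`ip=192.168.2.20/24`, `gw=192.168.2.1`, `tag=2`) and uses the real `pct config` keys (`unprivileged`, `onboot`, `net0`). The sample configuration is constructed so the script runs offline; on the Proxmox host, feed it `$(pct config 101)` instead. Note that `pct` omits the `unprivileged` key entirely for privileged containers, so a missing key must count as a failure, not as "unknown".

```shell
#!/bin/sh
# Added example: validate CT 101 settings from `pct config 101` output.
# Expected values are taken from the checklist; the sample below is constructed.

# Constructed sample of `pct config 101`. Live use: CT_CONFIG="$(pct config 101)"
SAMPLE_CT_CONFIG='arch: amd64
cores: 2
hostname: podman-lxc
memory: 4096
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.2.1,hwaddr=BC:24:11:00:00:01,ip=192.168.2.20/24,tag=2,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-101-disk-0,size=32G
swap: 512
unprivileged: 1'

# ct_key CONFIG KEY -> value of a top-level "key: value" line, empty if absent
ct_key() {
  printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# ct_net0_opt CONFIG OPT -> one comma-separated option of the net0 line, empty if absent
ct_net0_opt() {
  printf '%s\n' "$1" | sed -n 's/^net0: //p' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# check_ct_config CONFIG -> prints each failure; returns 0 only if every check passes.
# A missing `unprivileged` key means the CT is privileged, so it fails the check.
check_ct_config() {
  cfg="$1"; rc=0
  [ "$(ct_key "$cfg" unprivileged)" = "1" ] || { echo "FAIL: CT is privileged (unprivileged != 1)"; rc=1; }
  [ "$(ct_key "$cfg" onboot)" = "1" ]       || { echo "FAIL: onboot not set"; rc=1; }
  [ "$(ct_net0_opt "$cfg" ip)" = "192.168.2.20/24" ] || { echo "FAIL: net0 ip is not 192.168.2.20/24"; rc=1; }
  [ "$(ct_net0_opt "$cfg" gw)" = "192.168.2.1" ]     || { echo "FAIL: net0 gateway is not 192.168.2.1"; rc=1; }
  [ "$(ct_net0_opt "$cfg" tag)" = "2" ]              || { echo "FAIL: net0 VLAN tag is not 2"; rc=1; }
  return $rc
}

check_ct_config "$SAMPLE_CT_CONFIG" && echo "CT config checks passed"
```

The CPU and memory item is left out on purpose: the checklist does not state the expected `cores` and `memory` values, so add them to the script once they are documented.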
Rootless Podman Platform
- `podman info` succeeds as `podsvc`.
- Rootless Podman network `kh3-backend` exists.
- No required container is in a restart loop.
- No unexpected user systemd unit is failed.
- Live-only services such as Dozzle and the Forgejo runner are either added to restore scripts or documented as manual post-restore steps.
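A restart loop is easy to miss with a quick `podman ps`, because a looping container often shows as `running` at the moment you look. The restart counter exposes it. The script below is an added example, not part of the original checklist; run it as `podsvc`. The required container names (`postgres`, `forgejo`, `vaultwarden`) come from the checklist; the restart threshold of 3 and the `podman-dozzle.service` unit name are assumptions, and both sample outputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: restart-loop and failed-user-unit checks for rootless Podman.
# Run as podsvc. Sample outputs below are constructed.

# Constructed sample of:
#   podman inspect --format '{{.Name}} {{.State.Status}} {{.RestartCount}}' $(podman ps -aq)
SAMPLE_INSPECT='postgres running 0
forgejo running 0
vaultwarden exited 7
adminer running 1'

# Constructed sample of: systemctl --user --failed --plain --no-legend
SAMPLE_FAILED_UNITS='podman-dozzle.service loaded failed failed Dozzle log viewer'

# check_containers "name1 name2 ..." INSPECT_TEXT MAX_RESTARTS
# Fails if a required container is missing, not running, or has restarted more
# than MAX_RESTARTS times (the count catches loops that look "running" right now).
check_containers() {
  required="$1"; inspect="$2"; max="$3"; rc=0
  for name in $required; do
    line="$(printf '%s\n' "$inspect" | awk -v n="$name" '$1 == n')"
    if [ -z "$line" ]; then
      echo "FAIL: $name: container not found"; rc=1; continue
    fi
    status="$(printf '%s' "$line" | awk '{print $2}')"
    restarts="$(printf '%s' "$line" | awk '{print $3}')"
    [ "$status" = "running" ] || { echo "FAIL: $name: status is $status"; rc=1; }
    [ "$restarts" -le "$max" ] || { echo "FAIL: $name: $restarts restarts (restart loop?)"; rc=1; }
  done
  return $rc
}

# check_failed_units FAILED_TEXT ALLOWED_REGEX
# Fails on any failed user unit unless it matches the regex of documented
# exceptions (for example a live-only Dozzle unit the restore scripts do not cover yet).
check_failed_units() {
  failed="$1"; allowed="$2"; rc=0
  printf '%s\n' "$failed" | awk 'NF { print $1 }' | while read -r unit; do
    if [ -n "$allowed" ] && printf '%s' "$unit" | grep -Eq "$allowed"; then
      echo "WARN: $unit failed (documented exception)"
    else
      echo "FAIL: $unit failed"; exit 1
    fi
  done || rc=1
  return $rc
}

check_containers "postgres forgejo vaultwarden" "$SAMPLE_INSPECT" 3 || echo "container checks failed"
check_failed_units "$SAMPLE_FAILED_UNITS" '^podman-dozzle\.service$' || echo "unit checks failed"
```

For a live run, replace the two sample variables with the command output shown in their comments. Pass an empty exception regex once the live-only services have been added to the restore scripts, so that any failed unit fails the check.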
PostgreSQL
- `postgres` container reports healthy.
- `forgejo` database exists after restore.
- `vaultwarden` database exists after restore.
- Application roles exist and do not use temporary passwords.
- PostgreSQL is not published to the network unless a documented exception exists.
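The exposure and database-existence items above are the ones most worth scripting, since a stray `-p 5432:5432` in a restored unit file is easy to overlook. The script below is an added example, not part of the original checklist. The container name `postgres` and the database names come from the checklist; the idea of passing a documented-exception note as an argument is an assumption, and the sample outputs are constructed. An empty `Ports` column means nothing is published, so the container is reachable only over container networks such as `kh3-backend`.

```shell
#!/bin/sh
# Added example: confirm PostgreSQL is not published to the network and that the
# restored databases exist. Run as podsvc. Sample outputs below are constructed.

# Constructed samples of: podman ps -a --filter name='^postgres$' --format '{{.Ports}}'
SAMPLE_PORTS_OK=''                              # nothing published
SAMPLE_PORTS_BAD='0.0.0.0:5432->5432/tcp'        # published on all interfaces
SAMPLE_PORTS_LOOPBACK='127.0.0.1:5432->5432/tcp' # host-local only

# Constructed sample of:
#   podman exec postgres psql -U postgres -Atc 'select datname from pg_database'
SAMPLE_DBS='postgres
template0
template1
forgejo
vaultwarden'

# check_pg_not_published PORTS_TEXT [EXCEPTION_NOTE]
# Any mapping bound to a non-loopback address fails unless an exception note is
# given (it is then reported as a warning). Loopback-only mappings are noted but allowed.
check_pg_not_published() {
  ports="$1"; exception="$2"; rc=0
  [ -z "$ports" ] && return 0
  printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' | while read -r map; do
    [ -z "$map" ] && continue
    case "$map" in
      127.0.0.1:*|\[::1\]:*) echo "NOTE: loopback publish $map" ;;
      *) if [ -n "$exception" ]; then
           echo "WARN: PostgreSQL published ($map); documented exception: $exception"
         else
           echo "FAIL: PostgreSQL published to network: $map"; exit 1
         fi ;;
    esac
  done || rc=1
  return $rc
}

# check_pg_databases DB_LIST_TEXT name... -> fails for each name missing from the list
check_pg_databases() {
  dbs="$1"; shift; rc=0
  for db in "$@"; do
    printf '%s\n' "$dbs" | grep -qx "$db" || { echo "FAIL: database $db missing"; rc=1; }
  done
  return $rc
}

check_pg_not_published "$SAMPLE_PORTS_OK" && echo "postgres not published"
check_pg_databases "$SAMPLE_DBS" forgejo vaultwarden && echo "restored databases present"
```

The role-password item cannot be checked from outside the database; confirm it by logging in with the application credentials from the restored env files rather than with any placeholder set during the rebuild.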
Forgejo
- Forgejo container is healthy or running without restart loops.
- Direct backend check succeeds at `http://192.168.2.20:30080`.
- Web UI loads through Caddy at `https://git.kh3group.com` after Caddy is live.
- Login succeeds with the expected authentication method.
- Repositories, LFS objects, attachments, and SSH keys are present.
- Git over HTTPS succeeds.
- Git over SSH on host port `2222` succeeds.
- Forgejo Actions runner is online, or its failed or intentionally disabled state is documented.
- One known workflow runs successfully before Actions is declared restored.
Vaultwarden
- Direct backend check succeeds at `http://192.168.2.20:30081`.
- Vaultwarden loads through Caddy at `https://pass.kh3group.com` after Caddy is live.
- Existing user login succeeds.
- Vault unlock succeeds.
- Attachments and sends are available.
- SMTP test succeeds if SMTP has been deliberately reconfigured. If SMTP is disabled because the recovered env lacked `SMTP_FROM`, document that.
- SSO/OIDC login succeeds if configured.
- Admin interface is protected by the expected admin token.
Adminer
- Direct backend check succeeds at `http://192.168.2.20:30082`.
- `dbgui.kh3group.com` resolves to the Caddy route after Technitium is live.
- Caddy serves Adminer over HTTPS with the OIDC/admin policy.
- Adminer can connect to PostgreSQL as a least-privilege test user.
- Adminer is protected by firewall, VPN, or Caddy OIDC middleware.
Dozzle and Admin Consoles
- Dozzle direct backend check succeeds at `http://192.168.2.20:30083` if Dozzle remains in scope.
- `monitor.kh3group.com` is protected by OIDC, VPN, or source-IP policy before normal use.
- `dns.kh3group.com` is protected by OIDC, VPN, or source-IP policy before normal use.
- Technitium web console on `192.168.2.2:5380` is blocked from unapproved client networks.
Network, DNS, and Proxy
- OPNsense DMZ can reach CT 101.
- Technitium answers `dig @192.168.2.2 example.com`.
- Technitium resolves `git.kh3group.com`, `pass.kh3group.com`, and `dbgui.kh3group.com`.
- Client VLAN DHCP hands out only `192.168.2.2` as DNS.
- Client DNS to non-Technitium resolvers is redirected or blocked according to OPNsense policy.
- Caddy proxies required hostnames to CT 101 high ports.
- Database-backed services can reach PostgreSQL over `kh3-backend`.
- Certificates are valid for all restored routes.
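The two client-side DNS items (only `192.168.2.2` handed out, and the three hostnames resolving) can be checked from any DHCP client on the client VLAN. The script below is an added example, not part of the original checklist. The resolver address and hostnames come from the checklist; the checklist does not say which address the hostnames should resolve to, so the script only verifies that an IPv4 answer comes back. The sample `resolv.conf` and `dig +short` outputs are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: client-side DNS checks. Sample inputs below are constructed;
# live use: check_resolvers "$(cat /etc/resolv.conf)" 192.168.2.2 and
#           check_a_record "$(dig @192.168.2.2 +short git.kh3group.com)"

# Constructed /etc/resolv.conf on a client that received the correct DHCP option
SAMPLE_RESOLV_OK='# Generated by dhcpcd
search lan
nameserver 192.168.2.2'

# Constructed /etc/resolv.conf with a stale secondary resolver still handed out
SAMPLE_RESOLV_BAD='nameserver 192.168.2.2
nameserver 1.1.1.1'

# Constructed `dig +short` answers (the address is a placeholder, not the real route)
SAMPLE_DIG_OK='192.168.2.10'
SAMPLE_DIG_EMPTY=''

# check_resolvers RESOLV_TEXT EXPECTED_IP
# Fails if no nameserver is configured or if any nameserver other than EXPECTED_IP
# is present; a second resolver would let clients bypass Technitium.
check_resolvers() {
  servers="$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }')"
  [ -n "$servers" ] || { echo "FAIL: no nameserver configured"; return 1; }
  extra="$(printf '%s\n' "$servers" | grep -vx "$2" || true)"
  [ -z "$extra" ] || { echo "FAIL: unexpected resolvers: $(printf '%s' "$extra" | tr '\n' ' ')"; return 1; }
  return 0
}

# check_a_record DIG_SHORT_OUTPUT -> fails unless at least one line is an IPv4 address
check_a_record() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo "FAIL: no A record in answer"; return 1; }
}

# check_hostnames RESOLVER host... -> runs dig for each host (live only)
check_hostnames() {
  resolver="$1"; shift; rc=0
  for h in "$@"; do
    check_a_record "$(dig @"$resolver" +short "$h")" || { echo "FAIL: $h did not resolve via $resolver"; rc=1; }
  done
  return $rc
}

check_resolvers "$SAMPLE_RESOLV_OK" 192.168.2.2 && echo "client resolver check passed"
check_a_record "$SAMPLE_DIG_OK" && echo "sample answer is an A record"
```

`check_hostnames 192.168.2.2 git.kh3group.com pass.kh3group.com dbgui.kh3group.com` is the live call for the third item; it needs `dig` and network access, so it is not exercised by the sample data. Whether clients can still reach other resolvers at all is an OPNsense policy question and has to be tested from the client with a query to an outside resolver.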
Backups
- Fresh PostgreSQL globals and per-database dumps complete.
- Fresh Forgejo and Vaultwarden file archives complete.
- Restore test is performed from the new backup set.
- Backup encryption key or passphrase is accessible while Proxmox is offline.
Risks and Manual Actions
- Confirm all secrets were restored from approved sources, not regenerated silently.
- Rotate any secret exposed during the rebuild.
- Confirm old Docker host CT 100 remains offline until data parity is verified.
- Keep encrypted pre-reinstall backups until at least one full restore test passes.
- Preserve old Traefik and Pi-hole/Cloudflared data in restricted backup storage until Caddy and Technitium pass validation.
- Update documentation with final CT IPs, hostnames, image versions, and service paths.