
Post-Recovery Validation Checklist

Host and LXC

  • Proxmox repositories are valid and package updates complete.
  • VM 100 router is running OPNsense; verify on the Proxmox host with ssh pvessh 'qm list | grep router' and confirm the STATUS column reads running, not merely that the VM is listed.
  • OPNsense management is reachable through the OPNsense UI or a verified SSH path. Do not assume a local ssh router alias exists.
  • CT 101 podman-lxc exists, is unprivileged, and starts at boot.
  • CT 101 has expected CPU and memory allocation.
  • CT 101 uses 192.168.2.20/24, gateway 192.168.2.1, and VLAN 2.
  • Rootless Podman runs as podsvc without user-service or networking errors.
  • /opt/podman/config, /opt/podman/env, and /opt/podman/volumes exist.

Rootless Podman Platform

  • podman info succeeds as podsvc.
  • Rootless Podman network kh3-backend exists.
  • No required container is in a restart loop.
  • No unexpected user systemd unit is failed.
  • Live-only services such as Dozzle and the Forgejo runner are either added to restore scripts or documented as manual post-restore steps.
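
The Host/LXC and Rootless Podman items above can be scripted so the same checks run identically on every rebuild. The script below is an added example, not part of the original checklist or the kh3 project: each check parses captured command output (qm list and pct config 101 on the Proxmox host, podman ps as podsvc inside CT 101) and returns pass or fail, so it can be exercised on the constructed sample output embedded here and then pointed at three files holding the real output. The pvessh alias, VM/CT ids, addresses and VLAN come from the checklist; the sample listings, the MAC address and the file names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the checklist: offline-testable checks for the
# Host/LXC and Rootless Podman items. Each check takes captured command
# output as text and returns 0 (pass) or 1 (fail).
# Live inputs (assumed commands):
#   ssh pvessh 'qm list'        > qm.txt
#   ssh pvessh 'pct config 101' > pct.txt
#   as podsvc inside CT 101:
#   podman ps -a --format '{{.Names}}|{{.Status}}|{{.Ports}}' > ps.txt
# then: sh validate-host.sh qm.txt pct.txt ps.txt

# Pass if `qm list` shows VM $2 with STATUS running
# (columns: VMID NAME STATUS MEM(MB) BOOTDISK(GB) PID).
check_vm_running() {
    status=$(printf '%s\n' "$1" | awk -v n="$2" '$2 == n { print $3 }')
    [ "$status" = "running" ]
}

# Pass if `pct config` shows unprivileged: 1, onboot: 1, and a net0 line
# carrying ip=$2, gw=$3 and VLAN tag=$4 (pct stores net0 as comma-separated
# key=value pairs).
check_ct_config() {
    cfg=$1
    printf '%s\n' "$cfg" | grep -qx 'unprivileged: 1' || return 1
    printf '%s\n' "$cfg" | grep -qx 'onboot: 1' || return 1
    net0=$(printf '%s\n' "$cfg" | sed -n 's/^net0: //p')
    [ -n "$net0" ] || return 1
    for kv in "ip=$2" "gw=$3" "tag=$4"; do
        case ",$net0," in
            *",$kv,"*) ;;
            *) echo "net0 lacks $kv" >&2; return 1 ;;
        esac
    done
    return 0
}

# Pass if every container in the podman ps listing is "Up ..." (a service
# that shows Exited/Created between polls is the restart-loop symptom) and no
# container named in $2 publishes a port on anything but 127.0.0.1. Naming
# postgres here covers the "PostgreSQL is not published" item too.
check_containers() {
    printf '%s\n' "$1" | while IFS='|' read -r name status ports; do
        case "$status" in
            Up*) ;;
            *) echo "$name: status '$status'" >&2; exit 1 ;;
        esac
        for u in $2; do
            [ "$name" = "$u" ] || continue
            if printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' \
                 | grep -v '^127\.0\.0\.1:' | grep -q .; then
                echo "$name publishes $ports" >&2; exit 1
            fi
        done
    done
}

# Constructed sample output, shaped like the real commands' output.
QM_SAMPLE='      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID
       100 router               running    2048              32.00 1234'
PCT_SAMPLE='arch: amd64
cores: 2
hostname: podman-lxc
memory: 4096
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.2.1,hwaddr=BC:24:11:00:00:01,ip=192.168.2.20/24,tag=2,type=veth
onboot: 1
ostype: debian
unprivileged: 1'
PS_SAMPLE='postgres|Up 2 hours (healthy)|
forgejo|Up 2 hours (healthy)|0.0.0.0:30080->3000/tcp, 0.0.0.0:2222->22/tcp
vaultwarden|Up 2 hours|0.0.0.0:30081->80/tcp'

run_host_checks() {   # $1 qm list, $2 pct config 101, $3 podman ps listing
    rc=0
    check_vm_running "$1" router \
        && echo "PASS: VM 100 router running" || { echo "FAIL: VM 100 router"; rc=1; }
    check_ct_config "$2" 192.168.2.20/24 192.168.2.1 2 \
        && echo "PASS: CT 101 unprivileged, onboot, VLAN 2 address" || { echo "FAIL: CT 101 config"; rc=1; }
    check_containers "$3" postgres \
        && echo "PASS: containers up, postgres unpublished" || { echo "FAIL: containers"; rc=1; }
    return $rc
}

if [ $# -eq 3 ]; then
    run_host_checks "$(cat "$1")" "$(cat "$2")" "$(cat "$3")"
else
    run_host_checks "$QM_SAMPLE" "$PCT_SAMPLE" "$PS_SAMPLE"
fi
```

Keeping the collectors (ssh, podman ps) separate from the evaluators means the evaluators can be run against saved output from the pre-reinstall host as well, which is a cheap way to confirm the new CT matches the old one before CT 100 is retired.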

PostgreSQL

  • postgres container reports healthy.
  • forgejo database exists after restore.
  • vaultwarden database exists after restore.
  • Application roles exist and do not use temporary passwords.
  • PostgreSQL is not published to the network unless a documented exception exists.

Forgejo

  • Forgejo container is healthy or running without restart loops.
  • Direct backend check succeeds at http://192.168.2.20:30080.
  • Web UI loads through Caddy at https://git.kh3group.com after Caddy is live.
  • Login succeeds with expected authentication method.
  • Repositories, LFS objects, attachments, and SSH keys are present.
  • Git over HTTPS succeeds.
  • Git over SSH on host port 2222 succeeds.
  • Forgejo Actions runner is online, or its failed/intentionally-disabled state is documented.
  • One known workflow runs successfully before Actions is declared restored.

Vaultwarden

  • Direct backend check succeeds at http://192.168.2.20:30081.
  • Vaultwarden loads through Caddy at https://pass.kh3group.com after Caddy is live.
  • Existing user login succeeds.
  • Vault unlock succeeds.
  • Attachments and sends are available.
  • SMTP test succeeds if SMTP has been deliberately reconfigured. If SMTP is disabled because the recovered env lacked SMTP_FROM, document that.
  • SSO/OIDC login succeeds if configured.
  • Admin interface is protected by the expected admin token.

Adminer

  • Direct backend check succeeds at http://192.168.2.20:30082.
  • dbgui.kh3group.com resolves to the Caddy route after Technitium is live.
  • Caddy serves Adminer over HTTPS with OIDC/admin policy.
  • Adminer can connect to PostgreSQL as a least-privilege test user.
  • Adminer is protected by firewall, VPN, or Caddy OIDC middleware.

Dozzle and Admin Consoles

  • Dozzle direct backend check succeeds at http://192.168.2.20:30083 if Dozzle remains in scope.
  • monitor.kh3group.com is protected by OIDC, VPN, or source-IP policy before normal use.
  • dns.kh3group.com is protected by OIDC, VPN, or source-IP policy before normal use.
  • Technitium web console on 192.168.2.2:5380 is blocked from unapproved client networks.

Network, DNS, and Proxy

  • OPNsense DMZ can reach CT 101.
  • Technitium answers dig @192.168.2.2 example.com.
  • Technitium resolves git.kh3group.com, pass.kh3group.com, and dbgui.kh3group.com.
  • Client VLAN DHCP hands out only 192.168.2.2 as DNS.
  • Client DNS to non-Technitium resolvers is redirected or blocked according to OPNsense policy.
  • Caddy proxies required hostnames to CT 101 high ports.
  • Database-backed services can reach PostgreSQL over kh3-backend.
  • Certificates are valid for all restored routes: the chain verifies against a trusted root, the SAN matches the hostname, and expiry is not imminent.
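
The DNS, DHCP and proxy items above can be checked the same way. The script below is an added example, not part of the original checklist or the kh3 project. It assumes it is run from a host on the client VLAN with dig and openssl installed; every function takes the captured dig, resolv.conf or openssl text as input so it can be tried on the constructed samples first and then on live output (LIVE=1). The address 192.168.2.2 and the three kh3group.com hostnames come from the checklist; the 203.0.113.x and 192.0.2.x answers are documentation-range placeholders, and DNS_POLICY is an assumed knob naming which OPNsense rule (block or redirect) is in force.

```sh
#!/bin/sh
# Added example, not from the checklist: offline-testable versions of the
# Network/DNS/proxy items. Run live mode (LIVE=1) from a client-VLAN host
# with dig and openssl (assumption). Each check takes captured command output
# as text and returns 0 (pass) or 1 (fail).

# Answer records only: drop dig's ';;' diagnostics (timeouts, comms errors)
# and blank lines, sorted so two answer sets compare as plain strings.
dig_answers() {
    printf '%s\n' "$1" | grep -v '^;' | grep -v '^$' | sort
}

# Technitium answers: `dig +short @192.168.2.2 example.com` must return at
# least one record and only IPv4 addresses (a bare CNAME or error text fails).
dns_answers_ipv4() {
    ans=$(dig_answers "$1")
    [ -n "$ans" ] || return 1
    printf '%s\n' "$ans" | grep -Evq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' && return 1
    return 0
}

# Each published hostname must resolve to exactly one address, and all to the
# same one (the Caddy front end); a leftover Pi-hole/Traefik record for one
# name shows up as a mismatch. Args: one `dig +short` output per hostname.
same_frontend() {
    first=""
    for out in "$@"; do
        ans=$(dig_answers "$out")
        [ "$(printf '%s\n' "$ans" | grep -c .)" -eq 1 ] || return 1
        [ -z "$first" ] && first=$ans
        [ "$ans" = "$first" ] || return 1
    done
    return 0
}

# Client leases must carry only Technitium. $1 is resolv.conf text from a
# DHCP client (lines "nameserver <ip>"), $2 the single allowed address.
dhcp_dns_only() {
    servers=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }')
    [ -n "$servers" ] || return 1
    printf '%s\n' "$servers" | grep -vqxF "$2" && return 1
    return 0
}

# Direct queries to outside resolvers must be blocked or redirected. $1 is
# the policy, $2 the output of `dig +short +time=2 +tries=1 @1.1.1.1
# example.com` from the client VLAN, $3 the same query against @192.168.2.2.
# Under redirect the NAT rule hands the query to Technitium, so the answers
# must match; pick a name with one stable record for that comparison.
leak_policy_ok() {
    direct=$(dig_answers "$2"); tech=$(dig_answers "$3")
    case "$1" in
        block)    [ -z "$direct" ] ;;
        redirect) [ -n "$direct" ] && [ "$direct" = "$tech" ] ;;
        *)        return 1 ;;
    esac
}

# Certificates (live only): chain verifies and at least 14 days remain.
cert_ok() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || return 1
    printf '%s\n' "$out" | openssl x509 -noout -checkend 1209600
}

# Constructed samples; 203.0.113.x / 192.0.2.x are placeholders, not real answers.
TECH_SAMPLE='203.0.113.10'
BLOCKED_SAMPLE=';; communications error to 1.1.1.1#53: timed out
;; no servers could be reached'
FRONT_SAMPLE='192.0.2.10'
RESOLV_SAMPLE='search kh3group.com
nameserver 192.168.2.2'

run_network_checks() {   # $1 example.com@technitium, $2..$4 git/pass/dbgui,
                         # $5 resolv.conf text, $6 policy, $7 example.com@1.1.1.1
    rc=0
    dns_answers_ipv4 "$1" && echo "PASS: Technitium answers" \
        || { echo "FAIL: Technitium answers"; rc=1; }
    same_frontend "$2" "$3" "$4" && echo "PASS: kh3group.com routes share one front end" \
        || { echo "FAIL: route records differ or are missing"; rc=1; }
    dhcp_dns_only "$5" 192.168.2.2 && echo "PASS: lease DNS is 192.168.2.2 only" \
        || { echo "FAIL: extra or missing DNS server in lease"; rc=1; }
    leak_policy_ok "$6" "$7" "$1" && echo "PASS: outside DNS $6 policy holds" \
        || { echo "FAIL: outside DNS $6 policy"; rc=1; }
    return $rc
}

if [ "${LIVE:-0}" = 1 ]; then
    q() { dig +short +time=2 +tries=1 "@$1" "$2"; }
    run_network_checks "$(q 192.168.2.2 example.com)" \
        "$(q 192.168.2.2 git.kh3group.com)" "$(q 192.168.2.2 pass.kh3group.com)" \
        "$(q 192.168.2.2 dbgui.kh3group.com)" "$(cat /etc/resolv.conf)" \
        "${DNS_POLICY:-block}" "$(q 1.1.1.1 example.com)"
    for h in git.kh3group.com pass.kh3group.com dbgui.kh3group.com; do
        cert_ok "$h" && echo "PASS: cert $h" || echo "FAIL: cert $h"
    done
else
    run_network_checks "$TECH_SAMPLE" "$FRONT_SAMPLE" "$FRONT_SAMPLE" "$FRONT_SAMPLE" \
        "$RESOLV_SAMPLE" block "$BLOCKED_SAMPLE"
fi
```

The leak check is the one most often skipped: a client that still reaches 1.1.1.1 directly bypasses every Technitium rule, so run it from an ordinary client lease rather than from the DMZ, and rerun it after any OPNsense NAT change.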

Backups

  • Fresh PostgreSQL globals and per-database dumps complete.
  • Fresh Forgejo and Vaultwarden file archives complete.
  • Restore test is performed from the new backup set.
  • Backup encryption key or passphrase is accessible while Proxmox is offline.

Risks and Manual Actions

  • Confirm all secrets were restored from approved sources, not regenerated silently.
  • Rotate any secret exposed during the rebuild.
  • Confirm old Docker host CT 100 remains offline until data parity is verified.
  • Keep encrypted pre-reinstall backups until at least one full restore test passes.
  • Preserve old Traefik and Pi-hole/Cloudflared data in restricted backup storage until Caddy and Technitium pass validation.
  • Update documentation with final CT IPs, hostnames, image versions, and service paths.