Infrastructure Recovery Assessment

Source Material Inspected

  • docs/current/pre-reinstall-checklist.md
  • docs/current/clean-rebuild.md
  • docs/current/proxmox.md
  • docs/current/network.md
  • docs/current/containers.md
  • docs/current/docker.md
  • docs/current/backups.md
  • docs/current/dependencies.md
  • Service records for PostgreSQL, Forgejo, Vaultwarden, Adminer, Traefik, and DNS
  • Redacted pfSense exports at the repository root

The repository contains documentation and redacted references, not the raw secret-bearing backup set. The disaster recovery scripts therefore use documented paths and backup archive names, but leave secrets and final hostnames as operator-supplied values.

Existing Infrastructure Components

Component | Evidence | Recovery relevance
Proxmox VE host pve02 | docs/current/proxmox.md | Reinstall target and control plane
pfSense VM 110 | docs/current/pfsense.md and redacted XML | Routing, firewall, NAT, DHCP, VPN
Docker LXC 100 proxy | docs/current/containers.md, docs/current/docker.md | Existing container platform to be replaced
DNS LXC 107 dns | docs/current/containers.md, DNS docs | Pi-hole and Cloudflared dependency
Docker networks aproxy, backend | docs/current/docker.md | Required for Traefik and data services
Traefik | docs/services/platform/traefik.md | Reverse proxy for web applications
PostgreSQL | docs/services/data/postgresql.md | Database for Forgejo, Vaultwarden, Homebox, and other clients
Forgejo and runner | docs/services/platform/forgejo.md | Source control and CI automation
Vaultwarden | docs/services/applications/vaultwarden.md | Critical password vault
Adminer | docs/services/data/adminer.md | Database administration UI

Historical Network Configuration

The original recovery assessment below was centered on pfSense and older addressing. It is historical context, not the current OPNsense source of truth. On July 1, 2026, 192.168.100.1 was identified as Starlink and 192.168.100.250 did not respond from pve; do not use the old 192.168.100.0/24 LAN entries for new route or firewall design without a fresh OPNsense export or UI validation. The user confirmed that Starlink bridge mode conflicted with the old internal .100 subnet, which is why that internal range was deprecated.

The historical documented network was:

Segment | CIDR | Gateway | Notes
WAN1 | 10.0.0.0/24 | 10.0.0.1 | pfSense wan, VM NIC on vmbr1
WAN2 | 192.168.1.0/24 | 192.168.1.1 | pfSense opt1, VM NIC on vmbr2
LAN | 192.168.100.0/24 | 192.168.100.1 | Client/admin network
DMZ | 192.168.2.0/24 | 192.168.2.1 | Proxmox, DNS, Docker, published services

Known addresses:

  • Proxmox pve02: 192.168.2.10/24
  • Existing Docker host proxy: 192.168.2.20/24
  • DNS LXC dns: 192.168.2.2/24
  • pfSense DMZ: 192.168.2.1/24

The requested target Docker LXC is CT 101 with hostname docker-host. Documentation says the old production Docker host was CT 100 proxy. DHCP is acceptable for the new LXC unless the restored environment must preserve 192.168.2.20; that reservation must be handled in pfSense or DHCP.

Proxmox Configuration

Documented host state:

  • Hostname: pve02
  • Version at audit: Proxmox VE 8.4.19, kernel 6.8.12-23-pve
  • Standalone node, not a cluster
  • Bridges:
      • vmbr0 on enp0s31f6, VLAN-aware, management on vmbr0.2
      • vmbr1 on enp1s0f0
      • vmbr2 on enp1s0f1
  • Storage:
      • local at /var/lib/vz
      • local-lvm
      • DIR01 at /mnt/pve/DIR01
      • network-backup-syn CIFS backup target
      • media CIFS share

Startup order is documented as pfSense first, DNS second, Docker third.

LXC Containers

CT | State | Purpose | Recovery decision
100 proxy | Running at audit | Docker host | Replace with fresh requested CT 101 docker-host
107 dns | Running at audit | Pi-hole and Cloudflared | Rebuild separately from Teleporter and token
101 gam | Stopped at audit | Unknown | Requested CT 101 conflicts with retired/unknown ID; confirm old CT is removed before creation
105 down | Stopped, damaged filesystem | Unknown data | Protect image before wipe
106 rdhost | Stopped | RustDesk | Preserve identity files if retaining
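The CT 101 conflict noted in the table and in the network section is the kind of thing a rebuild script should refuse to walk past. The following is an added example, not a script from the repository: it parses the node's container listing and fails before `pct create` when the requested VMID is still occupied, leaving removal of the retired CT to the operator. `pct` only exists on the Proxmox host, so the parser works on a captured listing and the live path is a thin wrapper; the listing below is constructed from the audited CT table.

```shell
#!/bin/sh
# Added example; not part of the repository docs. Guards CT creation against
# a VMID that is still in use on the node (the audit recorded a stopped
# CT 101 "gam" holding the ID requested for docker-host).

# Constructed `pct list` output reflecting the audited CT table.
SAMPLE_PCT_LIST='VMID       Status     Lock         Name
100        running                 proxy
101        stopped                 gam
105        stopped                 down
106        stopped                 rdhost
107        running                 dns'

# ct_name_for LISTING VMID: print the name bound to VMID, fail if unused.
# The Lock column is blank for unlocked CTs, so the name is the last field.
ct_name_for() {
  printf '%s\n' "$1" | awk -v id="$2" '
    NR > 1 && $1 == id { print $NF; found = 1 }
    END { exit found ? 0 : 1 }'
}

# assert_ct_free LISTING VMID: refuse to proceed while VMID is occupied.
# The retired CT must be removed, or another VMID chosen, by the operator;
# this script deliberately destroys nothing.
assert_ct_free() {
  name=$(ct_name_for "$1" "$2") || { echo "VMID $2 is free"; return 0; }
  echo "VMID $2 is in use by CT '$name'; remove it or pick another ID" >&2
  return 1
}

# assert_ct_free_live VMID: the same check against the live node.
assert_ct_free_live() {
  assert_ct_free "$(pct list)" "$1"
}

# Stand-alone run against the constructed listing:
#   sh ct-guard.sh --demo   (fails, because 101 is held by "gam")
if [ "${1-}" = "--demo" ]; then
  assert_ct_free "$SAMPLE_PCT_LIST" 101
fi
```

Call `assert_ct_free_live 101 || exit 1` at the top of the rebuild script on pve02; the live wrapper inherits the same parsing, so the behaviour verified against the constructed listing is the behaviour on the host.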

Docker Containers and Storage

The Docker host used /root/<project> historically. The rebuild target is:

  • Compose definitions: /opt/docker/compose
  • Persistent data: /opt/docker/volumes

Documented Docker networks:

  • aproxy, subnet 172.18.0.0/16, Traefik ingress
  • backend, subnet 172.19.0.0/16, databases and private service traffic

Docker should not be restored from /var/lib/docker. The documented recovery boundary is compose files, .env files, bind-mounted data, named volume data where applicable, and logical database exports.

Reverse Proxy Configuration

Traefik is the documented reverse proxy:

  • Image: traefik:v3.7.0
  • Host ports: TCP 80 and 443
  • Docker provider reads labels through the Docker socket
  • Routes containers attached to aproxy
  • Persistent configuration under historical /root/traefik/data

Adminer has a documented route: dbgui.kh3group.com. Forgejo and Vaultwarden routes are not explicitly documented in the inspected service files, so the recovery scripts use environment-controlled defaults that must be confirmed against the captured compose files, DNS, and Traefik labels.

Service Dependencies

Critical dependency order:

  1. Proxmox host networking and storage
  2. pfSense VM, including DMZ and routing
  3. DNS LXC
  4. Docker LXC and Docker Engine
  5. Docker networks
  6. PostgreSQL
  7. Forgejo and Vaultwarden
  8. Adminer
  9. Traefik routes and external access validation

Forgejo and Vaultwarden require PostgreSQL. Adminer requires the backend network and database credentials entered by the operator at login.

Backup and Restore Requirements

Required backup material for the requested services:

Item | Required artifact
PostgreSQL roles | databases/postgresql/globals.sql
PostgreSQL databases | databases/postgresql/gitea.dump, vaultwarden.dump, and any retained active database dumps
Forgejo | applications/forgejo.tar.gz plus PostgreSQL gitea dump
Vaultwarden | applications/vaultwarden.tar.gz plus PostgreSQL vaultwarden dump
Adminer | Compose only; no persistent state
Traefik | applications/traefik.tar.gz if HTTPS routes must be restored immediately
Secrets | Raw .env files from restricted backup and approved password manager

The redacted repository files are not enough for full service recovery.
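Two statements above define what a restore may consume: the recovery boundary (compose files, .env files, bind-mounted data and logical database exports, never /var/lib/docker) and the required-artifact table. The preflight below is an added example, not a script from the repository, that enforces both before anything is written to the new CT. Artifact paths come from the table; the following are assumptions not found in the docs: raw .env files live under secrets/, a SHA256SUMS manifest sits at the backup root, and redacted copies carry the literal token REDACTED.

```shell
#!/bin/sh
# Restore preflight for the documented backup set. Added example, not a
# repository script. Assumed layout: secrets/*.env, SHA256SUMS at the root,
# and redacted files marked with the token REDACTED.

# Artifacts the table marks as required for PostgreSQL, Forgejo and Vaultwarden.
REQUIRED_ARTIFACTS='databases/postgresql/globals.sql
databases/postgresql/gitea.dump
databases/postgresql/vaultwarden.dump
applications/forgejo.tar.gz
applications/vaultwarden.tar.gz
secrets/forgejo.env
secrets/vaultwarden.env'

# check_artifacts ROOT: report every missing or empty artifact; fail if any.
check_artifacts() {
  missing=0
  for rel in $REQUIRED_ARTIFACTS; do
    if [ ! -s "$1/$rel" ]; then
      echo "missing or empty: $rel" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# env_is_usable FILE: an .env copied from the redacted repository is not a
# restorable secret. Reject it so the operator fetches the restricted copy.
env_is_usable() {
  [ -s "$1" ] && ! grep -q 'REDACTED' "$1"
}

# reject_engine_state ROOT: a /var/lib/docker tree in the backup means the
# engine was snapshotted instead of exporting compose files, bind-mounted
# data and database dumps. That is outside the documented recovery boundary.
reject_engine_state() {
  if [ -d "$1/var/lib/docker" ]; then
    echo "backup contains Docker engine state; restore from compose and data exports instead" >&2
    return 1
  fi
}

# verify_manifest ROOT: every file must match the manifest written when the
# backup was taken, so a truncated or altered dump is caught before
# pg_restore runs against the rebuilt PostgreSQL.
verify_manifest() {
  if [ ! -f "$1/SHA256SUMS" ]; then
    echo "no SHA256SUMS manifest at $1" >&2
    return 1
  fi
  (cd "$1" && sha256sum -c --quiet SHA256SUMS)
}

# restore_preflight ROOT: run all checks and stop at the first failure.
restore_preflight() {
  reject_engine_state "$1" || return 1
  check_artifacts "$1" || return 1
  for envfile in "$1"/secrets/*.env; do
    env_is_usable "$envfile" || { echo "unusable secret file: $envfile" >&2; return 1; }
  done
  verify_manifest "$1"
}

# make_sample_backup: build a constructed backup set in a temp directory so
# the checks can be exercised without the real restricted archive.
make_sample_backup() {
  sample=$(mktemp -d)
  for rel in $REQUIRED_ARTIFACTS; do
    mkdir -p "$sample/$(dirname "$rel")"
    printf 'constructed sample content for %s\n' "$rel" > "$sample/$rel"
  done
  (cd "$sample" && find . -type f ! -name SHA256SUMS | sed 's|^\./||' | xargs sha256sum > SHA256SUMS)
  echo "$sample"
}

# On the restore host:  restore_preflight /mnt/backup/latest
# Stand-alone demo against the constructed set:  sh preflight.sh --demo
if [ "${1-}" = "--demo" ]; then
  demo=$(make_sample_backup)
  restore_preflight "$demo" && echo "preflight passed for $demo"
fi
```

The order of checks is deliberate: the boundary violation and the missing artifacts are cheap to detect and stop the run before any hash is computed, and the secret check runs before the manifest so a redacted .env is reported as such rather than as a checksum mismatch.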