Infrastructure Recovery Assessment
Source Material Inspected
- docs/current/pre-reinstall-checklist.md
- docs/current/clean-rebuild.md
- docs/current/proxmox.md
- docs/current/network.md
- docs/current/containers.md
- docs/current/docker.md
- docs/current/backups.md
- docs/current/dependencies.md
- Service records for PostgreSQL, Forgejo, Vaultwarden, Adminer, Traefik, and DNS
- Redacted pfSense exports at the repository root
The repository contains documentation and redacted references, not the raw secret-bearing backup set. The disaster recovery scripts therefore use documented paths and backup archive names, but leave secrets and final hostnames as operator-supplied values.
Existing Infrastructure Components
| Component | Evidence | Recovery relevance |
|---|---|---|
| Proxmox VE host pve02 | docs/current/proxmox.md | Reinstall target and control plane |
| pfSense VM 110 | docs/current/pfsense.md and redacted XML | Routing, firewall, NAT, DHCP, VPN |
| Docker LXC 100 proxy | docs/current/containers.md, docs/current/docker.md | Existing container platform to be replaced |
| DNS LXC 107 dns | docs/current/containers.md, DNS docs | Pi-hole and Cloudflared dependency |
| Docker networks aproxy, backend | docs/current/docker.md | Required for Traefik and data services |
| Traefik | docs/services/platform/traefik.md | Reverse proxy for web applications |
| PostgreSQL | docs/services/data/postgresql.md | Database for Forgejo, Vaultwarden, Homebox, and other clients |
| Forgejo and runner | docs/services/platform/forgejo.md | Source control and CI automation |
| Vaultwarden | docs/services/applications/vaultwarden.md | Critical password vault |
| Adminer | docs/services/data/adminer.md | Database administration UI |
Historical Network Configuration
The original recovery assessment below was centered on pfSense and older
addressing. It is historical context, not the current OPNsense source of truth.
On July 1, 2026, 192.168.100.1 identified as Starlink and
192.168.100.250 did not respond from pve; do not use the old
192.168.100.0/24 LAN entries for new route or firewall design without a fresh
OPNsense export/UI validation. The user confirmed Starlink bridge mode caused a
conflict with the old internal .100 subnet, which is why that internal range
was deprecated.
The historical documented network was:
| Segment | CIDR | Gateway | Notes |
|---|---|---|---|
| WAN1 | 10.0.0.0/24 | 10.0.0.1 | pfSense wan, VM NIC on vmbr1 |
| WAN2 | 192.168.1.0/24 | 192.168.1.1 | pfSense opt1, VM NIC on vmbr2 |
| LAN | 192.168.100.0/24 | 192.168.100.1 | Client/admin network |
| DMZ | 192.168.2.0/24 | 192.168.2.1 | Proxmox, DNS, Docker, published services |
Known addresses:
- Proxmox pve02: 192.168.2.10/24
- Existing Docker host proxy: 192.168.2.20/24
- DNS LXC dns: 192.168.2.2/24
- pfSense DMZ: 192.168.2.1/24
The requested target Docker LXC is CT 101 with hostname docker-host.
Documentation says the old production Docker host was CT 100 proxy. DHCP is
acceptable for the new LXC unless the restored environment must preserve
192.168.2.20; that reservation must be handled in pfSense or DHCP.
Proxmox Configuration
Documented host state:
- Hostname: pve02
- Version at audit: Proxmox VE 8.4.19, kernel 6.8.12-23-pve
- Standalone node, not a cluster
- Bridges: vmbr0 on enp0s31f6 (VLAN-aware, management on vmbr0.2); vmbr1 on enp1s0f0; vmbr2 on enp1s0f1
- Storage: local at /var/lib/vz; local-lvm; DIR01 at /mnt/pve/DIR01; network-backup-syn (CIFS backup target); media (CIFS share)
Startup order is documented as pfSense first, DNS second, Docker third.
LXC Containers
| CT | State | Purpose | Recovery decision |
|---|---|---|---|
| 100 proxy | Running at audit | Docker host | Replace with fresh requested CT 101 docker-host |
| 107 dns | Running at audit | Pi-hole and Cloudflared | Rebuild separately from Teleporter and token |
| 101 gam | Stopped at audit | Unknown | Requested CT 101 conflicts with retired/unknown ID; confirm old CT is removed before creation |
| 105 down | Stopped, damaged filesystem | Unknown data | Protect image before wipe |
| 106 rdhost | Stopped | RustDesk | Preserve identity files if retaining |
Docker Containers and Storage
The Docker host used /root/<project> historically. The rebuild target is:
- Compose definitions: /opt/docker/compose
- Persistent data: /opt/docker/volumes
Documented Docker networks:
- aproxy, subnet 172.18.0.0/16, Traefik ingress
- backend, subnet 172.19.0.0/16, databases and private service traffic
Docker should not be restored from /var/lib/docker. The documented recovery
boundary is compose files, .env files, bind-mounted data, named volume data
where applicable, and logical database exports.
Reverse Proxy Configuration
Traefik is the documented reverse proxy:
- Image: traefik:v3.7.0
- Host ports: TCP 80 and 443
- Docker provider reads labels through the Docker socket
- Routes containers attached to aproxy
- Persistent configuration under historical /root/traefik/data
Adminer has a documented route: dbgui.kh3group.com. Forgejo and Vaultwarden
routes are not explicitly documented in the inspected service files, so the
recovery scripts use environment-controlled defaults that must be confirmed
against the captured compose files, DNS, and Traefik labels.
Service Dependencies
Critical dependency order:
- Proxmox host networking and storage
- pfSense VM, including DMZ and routing
- DNS LXC
- Docker LXC and Docker Engine
- Docker networks
- PostgreSQL
- Forgejo and Vaultwarden
- Adminer
- Traefik routes and external access validation
Forgejo and Vaultwarden require PostgreSQL. Adminer requires the backend
network and database credentials entered by the operator at login.
Backup and Restore Requirements
Required backup material for the requested services:
| Item | Required artifact |
|---|---|
| PostgreSQL roles | databases/postgresql/globals.sql |
| PostgreSQL databases | databases/postgresql/gitea.dump, vaultwarden.dump, and any retained active database dumps |
| Forgejo | applications/forgejo.tar.gz plus PostgreSQL gitea dump |
| Vaultwarden | applications/vaultwarden.tar.gz plus PostgreSQL vaultwarden dump |
| Adminer | Compose only; no persistent state |
| Traefik | applications/traefik.tar.gz if HTTPS routes must be restored immediately |
| Secrets | Raw .env files from restricted backup and approved password manager |
The redacted repository files are not enough for full service recovery.
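As an added example (not one of the repository's own recovery scripts), a POSIX shell pre-flight that checks a backup root against the artifact table above and refuses to continue when a required item is missing, so the restore never starts with only the redacted repository contents. The backup-root argument, the `secrets/*.env` location for the raw .env files, and the `check_backup_set` name are assumptions made for this example.

```shell
#!/bin/sh
# Pre-flight inventory of backup artifacts before any restore step runs.
# Relative paths follow the "Required artifact" column above; the backup root
# and the secrets/*.env convention are assumptions for this example.
set -u

# Required artifacts relative to the backup root, one per line (no spaces).
REQUIRED_ARTIFACTS="databases/postgresql/globals.sql
databases/postgresql/gitea.dump
databases/postgresql/vaultwarden.dump
applications/forgejo.tar.gz
applications/vaultwarden.tar.gz"

# Only needed if HTTPS routes must be restored immediately.
OPTIONAL_ARTIFACTS="applications/traefik.tar.gz"

# check_backup_set ROOT: report each missing or empty required artifact on
# stderr; return 0 only when every required artifact and a secrets .env exist.
check_backup_set() {
    root=$1
    missing=0
    for rel in $REQUIRED_ARTIFACTS; do
        if [ ! -s "$root/$rel" ]; then
            echo "MISSING: $rel" >&2
            missing=$((missing + 1))
        fi
    done
    for rel in $OPTIONAL_ARTIFACTS; do
        [ -s "$root/$rel" ] || echo "NOTE: optional $rel absent; TLS certificates will be re-issued" >&2
    done
    # Secrets come only from the restricted backup, never from the redacted repo.
    if ! ls "$root"/secrets/*.env >/dev/null 2>&1; then
        echo "MISSING: secrets/*.env (operator must supply from restricted backup)" >&2
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# Usage: sh preflight.sh /path/to/backup-root
if [ -n "${1:-}" ]; then
    check_backup_set "$1" && echo "Backup set complete: $1"
fi
```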