Recovery Assumptions and Service Analysis

Global Assumptions

| Assumption | Evidence | Action |
|---|---|---|
| New Docker host is CT 101 docker-host | User request | Confirm the old, stopped CT 101 (gam) can be retired or removed before creation |
| Docker deployment root changes from /root/<project> to /opt/docker | User request | Scripts map compose files to /opt/docker/compose and data to /opt/docker/volumes |
| Docker networks remain aproxy and backend | docs/current/docker.md | Recreate with the documented subnets |
| PostgreSQL database names are gitea and vaultwarden | Backup checklist and service docs | Restore these dumps if present |
| Secrets are unavailable in this repository | Redacted docs only | Operator must provide .env files or manually recreate values |
| Traefik already exists or will be restored separately | Traefik docs and dependency map | Service compose files include Traefik labels, but this script does not rebuild Traefik |

PostgreSQL

| Field | Value |
|---|---|
| Container name | postgresql |
| Image used | postgres:alpine3.19 |
| Compose location | /opt/docker/compose/postgresql/compose.yml |
| Historical compose location | /root/postgresql/docker-compose.yml |
| Volume mappings | /opt/docker/volumes/postgresql/data:/var/lib/postgresql/data |
| Environment variables | POSTGRES_PASSWORD; optional POSTGRES_USER, POSTGRES_DB, POSTGRES_INITDB_ARGS |
| Networks | backend |
| Published ports | Host TCP 5432 if enabled by recovery config |
| Reverse proxy | None |
| Persistent data | /opt/docker/volumes/postgresql/data plus logical dumps |
| Manual secrets | PostgreSQL superuser password and application role passwords |
| Recovery confidence | Medium-high |

The historical docs mention overlapping mounts: /root/postgresql/data:/var/lib/postgresql and a Docker volume at /var/lib/postgresql/data. The recovery script deliberately normalizes this to one bind mount at PostgreSQL's canonical data path.
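The compose file below is an added example of the normalized layout described above; it is not the project's own compose file. It assumes the backend network has already been recreated (hence `external: true`, since its subnet is not recorded here), that /opt/docker/compose/postgresql/.env carries POSTGRES_PASSWORD, and that host port publishing stays disabled unless the recovery config needs it.

```yaml
# /opt/docker/compose/postgresql/compose.yml (added example, not the project's file)
services:
  postgresql:
    container_name: postgresql
    image: postgres:alpine3.19
    restart: unless-stopped
    env_file:
      # POSTGRES_PASSWORD is required; POSTGRES_USER, POSTGRES_DB and
      # POSTGRES_INITDB_ARGS are optional. Supplied by the operator, not stored here.
      - .env
    volumes:
      # Exactly one bind mount at PostgreSQL's canonical data path. The historical
      # /root/postgresql/data:/var/lib/postgresql mount is intentionally dropped
      # so the data directory cannot be shadowed by an overlapping mount.
      - /opt/docker/volumes/postgresql/data:/var/lib/postgresql/data
    networks:
      - backend
    # Only publish 5432 if the recovery config requires host access; binding to
    # loopback keeps the database off the host's external interfaces.
    # ports:
    #   - "127.0.0.1:5432:5432"
    healthcheck:
      # $$ escapes the dollar sign from compose interpolation; the container
      # shell resolves POSTGRES_USER, falling back to the image default.
      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER:-postgres}"]
      interval: 10s
      timeout: 5s
      retries: 5

networks:
  backend:
    external: true
```

With the port mapping commented out, Forgejo, Vaultwarden and Adminer reach the database only by the container name `postgresql` over the backend network, which matches the "Reverse proxy: None" and "Networks: backend" rows above.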

Forgejo

| Field | Value |
|---|---|
| Container name | forgejo |
| Related container | runner |
| Image used | codeberg.org/forgejo/forgejo:11; runner image must be confirmed from backup |
| Compose location | /opt/docker/compose/gitea/compose.yml |
| Historical compose location | /root/gitea/docker-compose.yml |
| Volume mappings | /opt/docker/volumes/gitea/data:/data (forgejo); /opt/docker/volumes/gitea/runner-data:/data (runner) |
| Environment variables | Database host/name/user/password, USER_UID, USER_GID, OpenID/OAuth values if used |
| Networks | aproxy, backend |
| Published ports | Host TCP 2222 to container SSH 22 |
| Reverse proxy | Traefik on aproxy; exact HTTPS hostname must be confirmed |
| Persistent data | Forgejo /data, runner config/state, PostgreSQL database gitea |
| Manual secrets | DB password, OAuth/OpenID client secret, runner registration token if runner state is missing |
| Recovery confidence | Medium |

The archive applications/forgejo.tar.gz is expected to include gitea/docker-compose.yml, gitea/.env, gitea/data, gitea/runner-data/config.yml, and gitea/runner-data/.runner. Service logs and Actions logs should be excluded.

Vaultwarden

| Field | Value |
|---|---|
| Container name | vaultwarden |
| Image used | ghcr.io/dani-garcia/vaultwarden:latest-alpine |
| Compose location | /opt/docker/compose/vaultwarden/compose.yml |
| Historical compose location | /root/vaultwarden/docker-compose.yml |
| Volume mappings | /opt/docker/volumes/vaultwarden/data:/data |
| Environment variables | DATABASE_URL, ADMIN_TOKEN, SMTP settings, SSO/OIDC settings if configured |
| Networks | aproxy, backend |
| Published ports | None required when Traefik is used |
| Reverse proxy | Traefik on aproxy; exact HTTPS hostname must be confirmed |
| Persistent data | /data for keys/attachments plus PostgreSQL database vaultwarden |
| Manual secrets | Admin token, SMTP password, SSO client secret, database password |
| Recovery confidence | Medium-high |

The docs identify Vaultwarden as critical. Do not deploy it with a newly generated admin token unless the operator has approved the credential change.

Adminer

| Field | Value |
|---|---|
| Container name | adminer |
| Image used | adminer:4.8.1 |
| Compose location | /opt/docker/compose/adminer/compose.yml |
| Historical compose location | /root/adminer/docker-compose.yml |
| Volume mappings | None |
| Environment variables | Optional ADMINER_DEFAULT_SERVER=postgresql |
| Networks | aproxy, backend |
| Published ports | None required when Traefik is used |
| Reverse proxy | Traefik route dbgui.kh3group.com |
| Persistent data | None |
| Manual secrets | None stored by Adminer; users enter DB credentials |
| Recovery confidence | High |

Adminer should be protected by Traefik middleware, firewall policy, or both. The route is sensitive because it exposes a database login surface.
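The following is an added example of what "protected by Traefik middleware" can look like in the Adminer compose file; it is not the project's own file. It assumes a Traefik v3 instance on the aproxy network with an entrypoint named `websecure` and a certificate resolver named `letsencrypt` (both names are assumptions), an allowlist range that the operator replaces with the real management network, and an htpasswd hash generated out of band. The `traefik.docker.network` label matters because Adminer sits on two networks and Traefik must be told which one to route over.

```yaml
# /opt/docker/compose/adminer/compose.yml (added example, not the project's file)
services:
  adminer:
    container_name: adminer
    image: adminer:4.8.1
    restart: unless-stopped
    environment:
      ADMINER_DEFAULT_SERVER: postgresql   # pre-fills the DB host; no credentials stored
    networks:
      - aproxy    # reachable by Traefik
      - backend   # reaches the postgresql container
    labels:
      - "traefik.enable=true"
      # Adminer is on two networks; route over aproxy, not backend.
      - "traefik.docker.network=aproxy"
      - "traefik.http.routers.adminer.rule=Host(`dbgui.kh3group.com`)"
      - "traefik.http.routers.adminer.entrypoints=websecure"          # assumed entrypoint name
      - "traefik.http.routers.adminer.tls.certresolver=letsencrypt"   # assumed resolver name
      # Both middlewares apply, in order: source-IP allowlist first, then basic auth.
      - "traefik.http.routers.adminer.middlewares=adminer-allowlist,adminer-auth"
      # Traefik v3 name; on Traefik v2 the middleware is called ipwhitelist.
      # Replace the ranges with the real management network(s).
      - "traefik.http.middlewares.adminer-allowlist.ipallowlist.sourcerange=10.0.0.0/8,192.168.0.0/16"
      # htpasswd-format entry, e.g. from `htpasswd -nB admin`. Any `$` in the hash
      # must be written as `$$` so compose does not try to interpolate it.
      - "traefik.http.middlewares.adminer-auth.basicauth.users=admin:REPLACE_WITH_HTPASSWD_HASH"
      - "traefik.http.services.adminer.loadbalancer.server.port=8080"

networks:
  aproxy:
    external: true
  backend:
    external: true
```

No `ports:` section is declared, so the only path to Adminer's login page is through Traefik and its middlewares; a host firewall rule limiting who can reach Traefik's HTTPS entrypoint is the second layer the text recommends.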

Manual Actions Required

  • Recover or recreate all .env files from the encrypted backup or password manager.
  • Confirm Forgejo and Vaultwarden public hostnames.
  • Confirm OAuth/OpenID callback URLs after DNS and Traefik restoration.
  • Confirm the old CT 101 gam is retired before creating the requested CT 101.
  • Restore Traefik before relying on HTTPS validation.
  • Restore PostgreSQL logical dumps into an isolated test instance before declaring production recovery complete.
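The last item, restoring the logical dumps into an isolated test instance, can be done with a throwaway compose stack like the one below. This is an added example, not the project's own file. It assumes the dumps were taken with `pg_dump -C` (so each file creates and connects to its own database), that the operator has written a small 00-roles.sql creating the application roles the dumps reference (role names gitea and vaultwarden are assumed), and that the dumps sit in /opt/docker/restore/dumps on the host.

```yaml
# /opt/docker/restore/compose.yml (added example, not the project's file)
services:
  pg-restore-test:
    container_name: pg-restore-test
    image: postgres:alpine3.19          # same image as production for a faithful test
    environment:
      # Throwaway superuser password for this test instance only; never reuse
      # the production value here.
      POSTGRES_PASSWORD: restore-test-only
    volumes:
      # The postgres image runs files from /docker-entrypoint-initdb.d once, on
      # first start with an empty data directory, in filename order. Mounted
      # read-only so a typo in the test cannot alter the only copy of a dump.
      - /opt/docker/restore/dumps/00-roles.sql:/docker-entrypoint-initdb.d/00-roles.sql:ro
      - /opt/docker/restore/dumps/gitea.sql:/docker-entrypoint-initdb.d/10-gitea.sql:ro
      - /opt/docker/restore/dumps/vaultwarden.sql:/docker-entrypoint-initdb.d/20-vaultwarden.sql:ro
    tmpfs:
      # Data directory lives in memory: nothing from the test survives `down`
      # and nothing is written near the production volume path.
      - /var/lib/postgresql/data
    networks:
      - restore-test
    # No ports: and an internal network, so the restored data is reachable only
    # via `docker exec`, never from the host network or the aproxy/backend networks.
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 10s
      timeout: 5s
      retries: 10

networks:
  restore-test:
    internal: true   # no external connectivity for the test instance
```

After `docker compose up -d`, the container logs show whether every init file applied cleanly; `docker compose exec pg-restore-test psql -U postgres -c '\l'` should list both gitea and vaultwarden before the production restore is attempted, and `docker compose down` discards the whole test instance.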