Check-in — 2026-06-19
Post–Phase 7 milestone: DNS authoritative on AdGuard, Tailscale on four core nodes, ACL GitOps green, full documentation audit with validation evidence.
Evidence bundle: 2026-06-19-documentation-validation.md
TL;DR
Phase 7 core is done except PiHole soak/decom and optional manual Tailscale hosts (haos, recordurbate, ubuncap). Documentation was stale across README Owner TODO, Phase 7 runbook progress tables, DNS architecture pages, and SEC-007 — corrected in this pass. Eighteen host pages remain inventory stubs by design.
Phase status
| Phase | Theme | Status | Notes |
|---|---|---|---|
| 7 | Network + ACLs + DNS | Core done | ZBF, WiFi, DSM/Tailscale, AdGuard cutover, ACL sync |
| 7R | ZBF remediation | Partial | Printer ✅; HomePod AirPlay ❌; WiFi moves ⏸ |
| 6 | Backup & DR | In progress | B2 + creds; backup-client deploy open |
| 8+ | SIEM, consolidation | Not started | — |
What changed since 2026-06-17 check-in
DNS
- UDM WAN + VLAN DHCP → `192.168.6.17` (AdGuard)
- Rewrites + Unbound upstream working; verified from saltierpoop and off-LAN subnet route
- PiHole (`192.168.6.80`, LXC 104) still running — owner waiting on comfortable soak before destroy
Tailscale
| Host | Status |
|---|---|
| infra-services | Subnet router 192.168.6.0/24 approved |
| prox | proxbox-cube @ 100.97.134.65 |
| saltierpoop | Online |
| whrrr | DSM; off-LAN DSM test passed |
| haos / recordurbate / ubuncap | Not deployed (optional) |
ACL GitOps
- GitHub secrets + workflow fix (`action: apply`, no `"comment"` in `acl.json`)
- Run 27811413868 succeeded
Documentation
- Full audit; validation evidence committed
- Repeatable procedure: documentation-validation.md
Live stack (unchanged spine)
GitOps on infra-services, Komodo polling, Traefik ingress, monitoring stack,
mkdocs → Cloudflare Pages. See 2026-06-17 check-in for
phase 0–6 detail.
Open owner actions
| Priority | Task | Reference |
|---|---|---|
| 1 | PiHole LXC 104 decom after soak | Phase 7 — decommission PiHole |
| 2 | Phase 6 backup-client converge | README Owner TODO |
| 3 | Phase 7R HomePod AirPlay (Allow Personal → IoT) | phase-7r-zbf-remediation.md |
| 4 | Optional: Tailscale on haos / customer-app VMs | Phase 7 §5e–5g |
| 5 | Optional: prox ansible-pull bootstrap | prox host page |
Next check-in
After PiHole decom or Phase 6 backup green — whichever lands first.