# Check-in — 2026-06-20
Catch-up after PiHole decom, Phase 7R printer/AirPlay fixes, saltierpoop UFW/JD2 work, and owner decision on Aqara placement.
Prior snapshot: 2026-06-19 check-in (superseded for open-actions list).
## TL;DR
Phase 7 done. Phase 7R mostly done — printer and Personal → IoT Allow live; Aqara hub cannot move to enterprise SSIDs and stays on GenPop WPA2-PSK. TP-Link plug moves still open. JD2 + Gluetun on saltierpoop deployed (MyJDownloader pairing in progress). Backups on infra-services running; not the current focus.
## Phase status
| Phase | Theme | Status | Notes |
|---|---|---|---|
| 7 | Network + ACLs + DNS | Done | PiHole LXC 104 destroyed; AdGuard authoritative |
| 7R | ZBF remediation | Mostly done | Printer ✅; Personal → IoT ✅; Aqara stays GenPop; TP-Link ⏸ |
| 6 | Backup & DR | Deployed | Restic timers active on infra-services; not in current cohort |
| 8+ | SIEM, consolidation | Not started | — |
## What changed since 2026-06-19

### DNS / PiHole

- LXC 104 (`blocktopus`, 192.168.6.80) destroyed on prox (PR #7, 2026-06-17)
- `blocktopus` retired in inventory; DNS rewrites generator skips retired hosts
### saltierpoop

- UFW: `common_manage_firewall: false` merged (PR #9) so `ansible-pull` does not re-enable UFW
- Gluetun + Mullvad + sandbox-jdownloader2 deployed; VPN egress verified for JD2 container
- MyJDownloader: owner pairing via inventory env vars or web UI
### Phase 7R — Aqara decision

- Cannot move Aqara Hub M2 to IoT / Personal / Appliances WiFi — those SSIDs use WPA2-EAP; hub only supports WPA2-PSK (`The LAN Before Time` → GenPop)
- Hub stays `192.168.1.82` on GenPop; docs and README Owner TODO updated
- If HA integration still stuck: likely needs Servers (HA) → GenPop allow — see phase-7r-zbf-remediation § WiFi moves
### Tailscale / ACL
- No change since 2026-06-19 — four core nodes online; ACL GitOps green
## Open owner actions
| Priority | Task | Reference |
|---|---|---|
| 1 | TP-Link EP10 plugs → IoT or Appliances WiFi; re-pair in HA | phase-7r-zbf-remediation |
| 2 | Aqara in HA — re-add hub if needed after Servers → GenPop rule | Same runbook, Aqara section |
| 3 | MyJDownloader pairing for saltierpoop JD2 | jdownloader2-vpn-saltbox |
| 4 | Optional: Tailscale on haos / customer-app VMs | Phase 7 §5e–5g |
## Next check-in
After TP-Link WiFi moves or when Phase 7R HA integrations are all green.