From e937c68965ad00458e153f3c88c47a7915c0c904 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sat, 7 Feb 2026 22:33:18 +0100 Subject: [PATCH] docs: mark auth01, ca, and sops-nix removal as complete - auth01 host and services (authelia, lldap) already removed - ca host and services already removed (PKI migrated to OpenBao) - sops-nix fully removed (secrets/, .sops.yaml gone) Co-Authored-By: Claude Opus 4.5 --- docs/plans/host-migration-to-opentofu.md | 58 +++++++++++++----------- 1 file changed, 32 insertions(+), 26 deletions(-) diff --git a/docs/plans/host-migration-to-opentofu.md b/docs/plans/host-migration-to-opentofu.md index ade4154..5e7e9f8 100644 --- a/docs/plans/host-migration-to-opentofu.md +++ b/docs/plans/host-migration-to-opentofu.md @@ -25,7 +25,8 @@ Hosts to migrate: | jelly01 | Stateful | Jellyfin metadata, watch history, config | | pgdb1 | Stateful | PostgreSQL databases | | ~~jump~~ | ~~Decommission~~ | ✓ Complete | -| ca | Deferred | Pending Phase 4c PKI migration to OpenBao | +| ~~auth01~~ | ~~Decommission~~ | ✓ Complete | +| ~~ca~~ | ~~Deferred~~ | ✓ Complete | ## Phase 1: Backup Preparation 
@@ -181,36 +182,41 @@ through before starting Zigbee2MQTT on the new host. Host was already removed from flake.nix and VM destroyed. Configuration cleaned up in ba9f47f. -### auth01 -1. Remove host configuration from `hosts/auth01/` -2. Remove from `flake.nix` -3. Remove any secrets in `secrets/auth01/` -4. Remove from `.sops.yaml` -5. Remove `services/authelia/` and `services/lldap/` (only used by auth01) -6. Destroy the VM in Proxmox -7. Commit cleanup +### auth01 ✓ COMPLETE -## Phase 6: Decommission ca Host (Deferred) +~~1. Remove host configuration from `hosts/auth01/`~~ +~~2. Remove from `flake.nix`~~ +~~3. Remove any secrets in `secrets/auth01/`~~ +~~4. Remove from `.sops.yaml`~~ +~~5. Remove `services/authelia/` and `services/lldap/` (only used by auth01)~~ +~~6. Destroy the VM in Proxmox~~ +~~7. Commit cleanup~~ -Deferred until Phase 4c (PKI migration to OpenBao) is complete. Once all hosts use the +Host configuration, services, and VM already removed. + +## Phase 6: Decommission ca Host ✓ COMPLETE + +~~Deferred until Phase 4c (PKI migration to OpenBao) is complete. Once all hosts use the OpenBao ACME endpoint for certificates, the step-ca host can be decommissioned following -the same cleanup steps as the jump host. +the same cleanup steps as the jump host.~~ -## Phase 7: Remove sops-nix +PKI migration to OpenBao complete. Host configuration, `services/ca/`, and VM removed. -Once `ca` is decommissioned (Phase 6), `sops-nix` is no longer used by any host. 
Remove -all remnants: -- `sops-nix` input from `flake.nix` and `flake.lock` -- `sops-nix.nixosModules.sops` from all host module lists in `flake.nix` -- `inherit sops-nix` from all specialArgs in `flake.nix` -- `system/sops.nix` and its import in `system/default.nix` -- `.sops.yaml` -- `secrets/` directory -- All `sops.secrets.*` declarations in `services/ca/`, `services/authelia/`, `services/lldap/` -- Template scripts that generate age keys for sops (`hosts/template/scripts.nix`, - `hosts/template2/scripts.nix`) +## Phase 7: Remove sops-nix ✓ COMPLETE -See `docs/plans/completed/sops-to-openbao-migration.md` for full context. +~~Once `ca` is decommissioned (Phase 6), `sops-nix` is no longer used by any host. Remove +all remnants:~~ +~~- `sops-nix` input from `flake.nix` and `flake.lock`~~ +~~- `sops-nix.nixosModules.sops` from all host module lists in `flake.nix`~~ +~~- `inherit sops-nix` from all specialArgs in `flake.nix`~~ +~~- `system/sops.nix` and its import in `system/default.nix`~~ +~~- `.sops.yaml`~~ +~~- `secrets/` directory~~ +~~- All `sops.secrets.*` declarations in `services/ca/`, `services/authelia/`, `services/lldap/`~~ +~~- Template scripts that generate age keys for sops (`hosts/template/scripts.nix`, + `hosts/template2/scripts.nix`)~~ + +All sops-nix remnants removed. See `docs/plans/completed/sops-to-openbao-migration.md` for context. ## Notes 
@@ -219,7 +225,7 @@ See `docs/plans/completed/sops-to-openbao-migration.md` for full context. - The old VMs use IPs that the new VMs need, so the old VM must be shut down before the new one is provisioned (or use a temporary IP and swap after verification) - Stateful migrations should be done during low-usage windows -- After all migrations are complete, the only hosts not in OpenTofu will be ca (deferred) +- After all migrations are complete, all decommissioned hosts (jump, auth01, ca) have been removed - Since many hosts are being recreated, this is a good opportunity to establish consistent hostname naming conventions before provisioning the new VMs. Current naming is inconsistent (e.g. `ns1` vs `nix-cache01`, `ha1` vs `auth01`, `pgdb1` vs `http-proxy`). Decide on a
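Review bot: in the first hunk the new `ca` row keeps `~~Deferred~~` in the plan column while the other two completed rows (`jump`, `auth01`) use `~~Decommission~~`, so the table now has two different labels for the same outcome; since the row itself says the host was removed, use `| ~~ca~~ | ~~Decommission~~ | ✓ Complete |` so all three finished rows read alike, and consider moving the struck-through rows below the still-pending `jelly01` and `pgdb1` entries so the open work sits at the top of the table.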
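Review bot: in the second hunk, wrapping the list markers inside the strikethrough (`~~1. Remove host configuration from `hosts/auth01/`~~`, `~~- `sops-nix` input from `flake.nix` and `flake.lock`~~`) means those lines are no longer list items at all, so the auth01 steps and the sops-nix checklist render as run-on paragraphs with literal `1.` and `-` text; keep the marker outside the tildes, e.g. `1. ~~Remove host configuration from `hosts/auth01/`~~` and `- ~~`sops-nix` input from `flake.nix` and `flake.lock`~~`, and close the tildes on each item rather than across the wrapped `hosts/template2/scripts.nix` line. The Phase 7 completion note also says `secrets/` and `.sops.yaml` are gone, but deleting them from the working tree leaves the encrypted blobs in git history, and the age keys the template scripts generated can still decrypt that history on any host that kept them; the note should state whether the secret values were rotated when they were loaded into OpenBao, or point to the section of `docs/plans/completed/sops-to-openbao-migration.md` that covers it.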
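Review bot: in the third hunk the rewritten Notes bullet drops the information the old one carried (which hosts remain outside OpenTofu) and reads as a tautology in mixed tense ("After all migrations are complete, all decommissioned hosts ... have been removed"); now that `ca` is no longer deferred, say what the reader needs, e.g. `- After all migrations are complete, every remaining host will be managed by OpenTofu (jump, auth01, and ca were decommissioned rather than migrated)`. The unchanged context bullet just below it still cites `ha1` vs `auth01` as an example of current inconsistent naming, yet this same patch records `auth01` as removed, so that example should be replaced with a host that still exists.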