docs: mark auth01, ca, and sops-nix removal as complete
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
- auth01 host and services (authelia, lldap) already removed - ca host and services already removed (PKI migrated to OpenBao) - sops-nix fully removed (secrets/, .sops.yaml gone) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -25,7 +25,8 @@ Hosts to migrate:
|
||||
| jelly01 | Stateful | Jellyfin metadata, watch history, config |
|
||||
| pgdb1 | Stateful | PostgreSQL databases |
|
||||
| ~~jump~~ | ~~Decommission~~ | ✓ Complete |
|
||||
| ca | Deferred | Pending Phase 4c PKI migration to OpenBao |
|
||||
| ~~auth01~~ | ~~Decommission~~ | ✓ Complete |
|
||||
| ~~ca~~ | ~~Deferred~~ | ✓ Complete |
|
||||
|
||||
## Phase 1: Backup Preparation
|
||||
|
||||
@@ -181,36 +182,41 @@ through before starting Zigbee2MQTT on the new host.
|
||||
|
||||
Host was already removed from flake.nix and VM destroyed. Configuration cleaned up in ba9f47f.
|
||||
|
||||
### auth01
|
||||
1. Remove host configuration from `hosts/auth01/`
|
||||
2. Remove from `flake.nix`
|
||||
3. Remove any secrets in `secrets/auth01/`
|
||||
4. Remove from `.sops.yaml`
|
||||
5. Remove `services/authelia/` and `services/lldap/` (only used by auth01)
|
||||
6. Destroy the VM in Proxmox
|
||||
7. Commit cleanup
|
||||
### auth01 ✓ COMPLETE
|
||||
|
||||
## Phase 6: Decommission ca Host (Deferred)
|
||||
~~1. Remove host configuration from `hosts/auth01/`~~
|
||||
~~2. Remove from `flake.nix`~~
|
||||
~~3. Remove any secrets in `secrets/auth01/`~~
|
||||
~~4. Remove from `.sops.yaml`~~
|
||||
~~5. Remove `services/authelia/` and `services/lldap/` (only used by auth01)~~
|
||||
~~6. Destroy the VM in Proxmox~~
|
||||
~~7. Commit cleanup~~
|
||||
|
||||
Deferred until Phase 4c (PKI migration to OpenBao) is complete. Once all hosts use the
|
||||
Host configuration, services, and VM already removed.
|
||||
|
||||
## Phase 6: Decommission ca Host ✓ COMPLETE
|
||||
|
||||
~~Deferred until Phase 4c (PKI migration to OpenBao) is complete. Once all hosts use the
|
||||
OpenBao ACME endpoint for certificates, the step-ca host can be decommissioned following
|
||||
the same cleanup steps as the jump host.
|
||||
the same cleanup steps as the jump host.~~
|
||||
|
||||
## Phase 7: Remove sops-nix
|
||||
PKI migration to OpenBao complete. Host configuration, `services/ca/`, and VM removed.
|
||||
|
||||
Once `ca` is decommissioned (Phase 6), `sops-nix` is no longer used by any host. Remove
|
||||
all remnants:
|
||||
- `sops-nix` input from `flake.nix` and `flake.lock`
|
||||
- `sops-nix.nixosModules.sops` from all host module lists in `flake.nix`
|
||||
- `inherit sops-nix` from all specialArgs in `flake.nix`
|
||||
- `system/sops.nix` and its import in `system/default.nix`
|
||||
- `.sops.yaml`
|
||||
- `secrets/` directory
|
||||
- All `sops.secrets.*` declarations in `services/ca/`, `services/authelia/`, `services/lldap/`
|
||||
- Template scripts that generate age keys for sops (`hosts/template/scripts.nix`,
|
||||
`hosts/template2/scripts.nix`)
|
||||
## Phase 7: Remove sops-nix ✓ COMPLETE
|
||||
|
||||
See `docs/plans/completed/sops-to-openbao-migration.md` for full context.
|
||||
~~Once `ca` is decommissioned (Phase 6), `sops-nix` is no longer used by any host. Remove
|
||||
all remnants:~~
|
||||
~~- `sops-nix` input from `flake.nix` and `flake.lock`~~
|
||||
~~- `sops-nix.nixosModules.sops` from all host module lists in `flake.nix`~~
|
||||
~~- `inherit sops-nix` from all specialArgs in `flake.nix`~~
|
||||
~~- `system/sops.nix` and its import in `system/default.nix`~~
|
||||
~~- `.sops.yaml`~~
|
||||
~~- `secrets/` directory~~
|
||||
~~- All `sops.secrets.*` declarations in `services/ca/`, `services/authelia/`, `services/lldap/`~~
|
||||
~~- Template scripts that generate age keys for sops (`hosts/template/scripts.nix`,
|
||||
`hosts/template2/scripts.nix`)~~
|
||||
|
||||
All sops-nix remnants removed. See `docs/plans/completed/sops-to-openbao-migration.md` for context.
|
||||
|
||||
## Notes
|
||||
|
||||
@@ -219,7 +225,7 @@ See `docs/plans/completed/sops-to-openbao-migration.md` for full context.
|
||||
- The old VMs use IPs that the new VMs need, so the old VM must be shut down before
|
||||
the new one is provisioned (or use a temporary IP and swap after verification)
|
||||
- Stateful migrations should be done during low-usage windows
|
||||
- After all migrations are complete, the only hosts not in OpenTofu will be ca (deferred)
|
||||
- After all migrations are complete, all decommissioned hosts (jump, auth01, ca) have been removed
|
||||
- Since many hosts are being recreated, this is a good opportunity to establish consistent
|
||||
hostname naming conventions before provisioning the new VMs. Current naming is inconsistent
|
||||
(e.g. `ns1` vs `nix-cache01`, `ha1` vs `auth01`, `pgdb1` vs `http-proxy`). Decide on a
|
||||
|
||||
Reference in New Issue
Block a user