# Session Summary / Handover: Homelab service bootstrap

Date: 2026-06-07
Host/session: Nimrod LXC `nimrod` at `/home/piagent/projects/nimrod`

## Current repo state

- Working tree was clean before this handover file.
- Recent commits:
  - `36d8159` Add Ansible managed update MVP
  - `eb9eda5` Deploy Homepage dashboard MVP
  - `b0007b6` Deploy standalone Unbound DNS MVP
  - `fa37b51` Deploy reverse proxy MVP and capture service roadmap
  - `e5d730f` Specify reverse proxy implementation slice
  - `e0469fd` Draft DNS and reverse proxy design
  - `c6d260c` Record Vaultwarden restore test success
  - `79dac93` Record Vaultwarden backup recovery key safety

## Major work completed

### Vaultwarden backup/recovery

- MVP encrypted backup implemented with `age`.
- User generated a dedicated age recipient; backups now encrypt to that recipient.
- User confirmed private `AGE-SECRET-KEY-...` recovery material is safe outside Vaultwarden.
- Restore test passed using a disposable CT 105, which was destroyed afterwards (the CT ID was later reused for the reverse proxy below).
- Relevant commits:
  - `1caf028` Implement Vaultwarden MVP encrypted backup
  - `a877189` Switch Vaultwarden backups to dedicated age key
  - `79dac93` Record Vaultwarden backup recovery key safety
  - `c6d260c` Record Vaultwarden restore test success
- Relevant runbooks:
  - `runbooks/vaultwarden-backup.md`
  - `runbooks/vaultwarden-restore-test.md`

### Reverse proxy MVP

- Deployed CT 105 `reverse-proxy`, IP `192.168.0.137`.
- Nginx routes with temporary self-signed TLS:
  - `search.dropcutstud.io` -> `http://192.168.0.133:8080`
  - `dashboard.dropcutstud.io` -> `http://192.168.0.241:3000`
- No public exposure.
- Snapshot(s): `post-searxng-proxy-mvp`, `post-dashboard-proxy-route`.
- Runbook: `runbooks/nginx-reverse-proxy.md`.

### Standalone Unbound DNS MVP

- Deployed CT 106 `unbound`, IP `192.168.0.124`.
- Standalone Unbound, not the OPNsense plugin.
- Current direct-query records include:
  - `dns.dropcutstud.io` -> `192.168.0.124`
  - `unbound.dropcutstud.io` -> `192.168.0.124`
  - `proxy.dropcutstud.io` -> `192.168.0.137`
  - `dashboard.dropcutstud.io` -> `192.168.0.137`
  - `search.dropcutstud.io` -> `192.168.0.137`
  - `vw.dropcutstud.io` -> `192.168.0.238`
  - `nc.dropcutstud.io` -> `192.168.0.110`
- Router/DHCP/Tailscale are not yet pointed at this resolver.
- Snapshot(s): `post-unbound-internal-dns-mvp`, `post-dashboard-dns-record`.
- Runbook: `runbooks/unbound-internal-dns.md`.

### Homepage dashboard MVP

- Deployed CT 107 `homepage`, IP `192.168.0.241`.
- Homepage runs via Docker Compose under `/opt/homepage`.
- Config-as-code under `/opt/homepage/config`; Docker socket intentionally not mounted.
- URL via proxy: `https://dashboard.dropcutstud.io/`; a self-signed certificate warning is expected.
- Direct fallback: `http://192.168.0.241:3000/`.
- Snapshot: `post-homepage-dashboard-mvp`.
- Runbook: `runbooks/homepage-dashboard.md`.

### Ansible update-management MVP

- Installed Ansible on Nimrod LXC.
- Added:
  - `ansible.cfg`
  - `ansible/inventories/homelab/hosts.yml`
  - `ansible/playbooks/preflight.yml`
  - `ansible/playbooks/check-updates.yml`
  - `ansible/playbooks/apt-upgrade.yml`
  - `runbooks/homelab-managed-updates.md`
- First non-critical trial target: `homepage-dashboard`.
- Trial succeeded:
  - initial check reported 56 upgradable packages
  - safe apt upgrade completed
  - no reboot required
  - post-check reported 0 upgradable packages
  - Homepage remained healthy

### Required-services roadmap

- Captured user-required services in `docs/homelab-required-services.md`.
- Created tickets for:
  - standalone Unbound
  - Pi-hole
  - Gluetun + Private Internet Access
  - OPNsense management access
  - multi-Proxmox access/inventory
  - service backup standard
- Created subagent file:
  - `.pi/agents/nimrod-devops-preflight.md`
- Note: the subagent did not become available immediately in the same running session; a fresh session should reload project agents.

## Latest verification before handover

Commands/results summarized:

- `git status --short` was clean before creating this handover file.
- `curl -k --resolve search.dropcutstud.io:443:192.168.0.137 https://search.dropcutstud.io/` returned HTTP `200`.
- `curl -k --resolve dashboard.dropcutstud.io:443:192.168.0.137 https://dashboard.dropcutstud.io/` returned HTTP `200`.
- `dig @192.168.0.124 search.dropcutstud.io +short` returned `192.168.0.137`.
- `dig @192.168.0.124 dashboard.dropcutstud.io +short` returned `192.168.0.137`.
- `ansible-inventory --graph` showed expected homelab groups and hosts.
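The checks above were run by hand; a repeatable preflight that reproduces the same `curl --resolve` and `dig @unbound` probes and compares them against the expected state from this handover is useful before the next session touches DNS or the proxy. The script below is an added example, not code from this repo. It assumes `curl -s -o /dev/null -w '%{http_code}'` as the way to extract the status code (the notes only say "returned HTTP 200"), keeps `-k` because the MVP certificate is self-signed, and takes an injectable command runner so the comparison logic can be exercised offline with canned output.

```python
"""Preflight check for the reverse-proxy and Unbound state recorded in the handover.

Added example, not part of the nimrod repo. Expected values are copied from
the handover notes; the command runner is injectable so the logic can be
tested without network access.
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List

PROXY_IP = "192.168.0.137"
UNBOUND_IP = "192.168.0.124"

# Expected state from the handover notes (routes via the proxy return 200,
# Unbound answers for each direct-query record).
EXPECTED_HTTP: Dict[str, str] = {
    "search.dropcutstud.io": "200",
    "dashboard.dropcutstud.io": "200",
}
EXPECTED_DNS: Dict[str, str] = {
    "dns.dropcutstud.io": UNBOUND_IP,
    "unbound.dropcutstud.io": UNBOUND_IP,
    "proxy.dropcutstud.io": PROXY_IP,
    "dashboard.dropcutstud.io": PROXY_IP,
    "search.dropcutstud.io": PROXY_IP,
    "vw.dropcutstud.io": "192.168.0.238",
    "nc.dropcutstud.io": "192.168.0.110",
}

Runner = Callable[[List[str]], str]


def run_cmd(argv: List[str]) -> str:
    """Default runner: execute the command and return its stdout (empty on failure)."""
    try:
        return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


def http_status_cmd(host: str) -> List[str]:
    # --resolve pins the name to the proxy IP so the check does not depend on
    # the client's resolver; -k tolerates the temporary self-signed cert;
    # -o /dev/null -w prints only the HTTP status code (assumed extraction method).
    return ["curl", "-k", "-s", "-o", "/dev/null", "-w", "%{http_code}",
            "--resolve", f"{host}:443:{PROXY_IP}", f"https://{host}/"]


def dig_cmd(host: str) -> List[str]:
    return ["dig", f"@{UNBOUND_IP}", host, "+short"]


@dataclass
class Finding:
    check: str
    ok: bool
    expected: str
    observed: str


def verify(runner: Runner = run_cmd) -> List[Finding]:
    """Run every expected check and return one Finding per check."""
    findings: List[Finding] = []
    for host, code in EXPECTED_HTTP.items():
        observed = runner(http_status_cmd(host)).strip()
        findings.append(Finding(f"https {host} via proxy", observed == code,
                                code, observed or "<no response>"))
    for host, ip in EXPECTED_DNS.items():
        # dig +short can print several lines (CNAME chain, multiple A records);
        # the handover expects exactly one answer, so compare the whole list.
        answers = [ln.strip() for ln in runner(dig_cmd(host)).splitlines() if ln.strip()]
        observed = ",".join(answers) if answers else "<no answer>"
        findings.append(Finding(f"dns {host} @unbound", answers == [ip], ip, observed))
    return findings


def all_ok(findings: List[Finding]) -> bool:
    return all(f.ok for f in findings)


if __name__ == "__main__":
    results = verify()
    for f in results:
        print("PASS" if f.ok else "FAIL", f.check, "expected", f.expected, "observed", f.observed)
    raise SystemExit(0 if all_ok(results) else 1)
```

Run it from the Nimrod LXC before and after DNS or proxy changes; a non-zero exit means at least one record or route has drifted from what this handover recorded. Because the CT addresses are DHCP-observed rather than reserved, a DNS answer that still matches the table while the service has moved is exactly the drift the HTTP probe through `--resolve` will catch.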

## Important caveats / risks

- Proxmox `local-lvm` emitted warnings that thin volume virtual sizes exceed pool/free-space thresholds. Current small services deployed successfully, but storage policy/backups need attention.
- CT IPs are currently DHCP-observed, not confirmed reserved/static:
  - reverse proxy `192.168.0.137`
  - Unbound `192.168.0.124`
  - Homepage `192.168.0.241`
- Router/DHCP clients are not yet using Unbound.
- Tailscale DNS integration is not done.
- TLS is temporary self-signed for the MVP. An internal CA vs Let's Encrypt DNS-01 decision is needed before the URLs can be treated as polished/trusted.
- The broad-scope Proxmox bootstrap token still needs its privileges reduced and the token rotated as part of the secrets/access-management work.
- The Vaultwarden assistant access model still needs to be implemented before service secrets can be stored/retrieved autonomously.
- `tmux` failed in this environment with `open terminal failed: not a terminal`, most likely because the current harness session is non-interactive with no TTY. Use Pi/TUI session features or allocate a real SSH terminal if tmux is needed.

## Recommended next actions

1. Commit this handover file if not already committed.
2. Fresh context should start by reading:
   - `AGENTS.md`
   - this file
   - `docs/homelab-required-services.md`
   - active ticket for the chosen next task
3. Next work likely needs user input/credentials or router-level changes:
   - OPNsense inventory/access and config backup path
   - DHCP/router change to advertise Unbound/Pi-hole
   - PIA credentials via Vaultwarden for Gluetun
   - access details for the other two Proxmox servers
   - TLS strategy: internal CA vs Let's Encrypt DNS-01
4. For service creation, the user clarified that new services do not require per-service approval, but Nimrod must first verify Proxmox resources and must still ask before destructive, public-facing, or credential-sensitive changes.
