# Ticket: OPNsense management access

## Metadata
- Type: Ticket
- Status: Inbox
- Project: Homelab Operations / Network
- Created: 2026-06-07
- Updated: 2026-06-07
- Priority: High

## Goal

Enable Nimrod to safely manage the existing OPNsense instance for DNS, DHCP, firewall, and network-service integration tasks.

## Why

DNS, transparent Pi-hole, Tailscale routing, VLANs, and firewall policies may require OPNsense changes. Nimrod needs controlled, auditable access rather than ad hoc credential handling.

## Scope

Included:
- Inventory OPNsense host/VM placement, IP, version, access paths, and backup/export procedure.
- Define least-privilege management approach where practical.
- Store credentials/API keys in Vaultwarden with approved assistant access model.
- Document backup-before-change and rollback procedures.
- Add SSH/API aliases if approved.

Not included:
- Destructive firewall/DHCP/DNS changes without explicit confirmation.
- Public exposure of management UI.

## Acceptance Criteria

This ticket is done when:
- [x] OPNsense inventory is documented — host `opn.dropcutstud.io` at `192.168.0.1`, OPNsense 25.7.11_9, interfaces `vtnet0` (LAN) and `vtnet1` (WAN), Dnsmasq for DHCP/DNS.
- [x] Safe management access method is selected — API key with limited privileges; some endpoints accessible.
- [ ] Configuration backup/export procedure is documented and tested.
- [x] Nimrod can perform read-only/status checks — diagnostics, interfaces, routes, firmware info accessible via API.
- [ ] Change/rollback process is documented.

## Progress

2026-06-07:
- OPNsense IP and hostname documented: `opn.dropcutstud.io` → `192.168.0.1`.
- API key created; diagnostics and Unbound API accessible.
- DNS server handed out via DHCP successfully switched to Unbound at `192.168.0.124`.
- Remaining: backup/export procedure, full API privilege expansion, change/rollback process.
