docs(public): populate phase 2 content

Full public/ directory — services, network, decisions, security, inventory, rebuild sequence, and per-LXC setup guides. Sourced from wiki. No secrets or WAN IPs included.
2026-04-17 21:23:59 -04:00
parent b3104df54d
commit cd454b2926
17 changed files with 2053 additions and 20 deletions
@@ -0,0 +1,60 @@
+# Rebuild
+
+Ordered recovery sequence from scratch or after catastrophic failure. **Nothing works until the thing before it works.** For step-by-step setup, see individual service [setup guides](setup/).
+
+## Phase 1 — Network Foundation
+
+1. **pfSense** — restore `config.xml`; verify WAN gets public IP (IP Passthrough active on BGW320); verify all VLAN interfaces up + DHCP serving; verify firewall rules loaded
+2. **Omada Switch** — restore controller backup; verify port VLANs match [Network](docs/NETWORK.md) topology; verify trunk port carrying all VLANs tagged
+3. **Access points** — auto-adopt into Omada Controller; verify SSIDs on correct VLANs
+
+**Gate:** LAN device gets IP and reaches internet.
+
+## Phase 2 — DNS
+
+4. **Pi-hole LXC** — restore from PBS snapshot (or fresh deploy); restore Teleporter backup; verify all local DNS records → 10.2.0.20 (Caddy); verify ad blocking active
+5. **pfSense DNS Resolver** — auto-configured from `config.xml`; verify Pi-hole is upstream for all VLANs
+
+**Gate:** `nslookup outline.lerkolabs.com` returns 10.2.0.20 from LAN.
+
+## Phase 3 — Reverse Proxy + TLS
+
+6. **Infra LXC (Caddy)** — restore from PBS (or fresh deploy); verify Cloudflare API token valid; start Caddy — certs auto-issue (allow 2–3 min); add Pi-hole DNS record: `*.lerkolabs.com → 10.2.0.20`
+
+**Gate:** `curl -I https://pihole.lerkolabs.com` returns HTTP/2 200.
+
+## Phase 4 — Auth
+
+7. **Auth LXC (Authentik)** — restore from PBS; verify admin accessible at `https://auth.lerkolabs.com`; verify OIDC apps configured (Outline, Gitea, Vikunja); verify forward auth flows
+
+## Phase 5 — Secrets
+
+8. **Vault LXC (Vaultwarden)** — restore from PBS; verify accessible at `https://vault.lerkolabs.com`; confirm all credentials accessible before proceeding
+
+## Phase 6 — Core Services
+
+9. **Apps LXC** — restore from PBS (or fresh deploy); start shared Postgres + Redis first; bring up services one by one: Outline → Gitea → Vikunja → Ghostfolio → Hoarder → Grist → Glance → Actual → FreshRSS → Memos → Traggo → Baikal → Filebrowser → Bytestash
+10. **Monitor LXC** — restore from PBS; verify Grafana dashboards loading; verify Beszel agents reporting from all LXCs; verify Victoria Metrics receiving metrics
+
+## Phase 7 — VMs
+
+11. **Servarr VM** — restore from PBS; verify Plex/Jellyfin accessible; verify arr stack healthy; verify Gluetun VPN tunnel active for qBittorrent
+12. **Home Assistant OS VM** — restore from PBS (or HAOS backup); verify integrations reconnect
+
+## Phase 8 — VPN
+
+13. **WireGuard** — restored with `config.xml`; verify peer configs valid; test from cellular; if keys rotated, distribute new configs
+
+## Post-Rebuild Checklist
+
+- [ ] Internet works from LAN devices
+- [ ] DNS resolves internal and external names
+- [ ] All `*.lerkolabs.com` reachable via HTTPS
+- [ ] Authentik SSO working (log into Outline via Authentik)
+- [ ] WireGuard connects from external network
+- [ ] Vaultwarden accessible and credentials intact
+- [ ] All Docker containers healthy in Beszel
+- [ ] PBS scheduled backups running
+- [ ] Pi-hole blocking ads
+- [ ] Home Assistant automations running
+- [ ] Media stack healthy (Plex/Jellyfin playback works)