blumeops/docs/reference/infrastructure/unifi.md
Erich Blume db0512b5d4 Doc review: 5 stalest cards; scale back ai-docs rule; document heph CLI (#373)
## Doc review (5 stalest, all never-reviewed)

Each card was verified against live state (ArgoCD app list/health, manifests, 1Password item fields, Mealie API probe) and stamped `last-reviewed: 2026-06-09`.

| Card | Findings fixed |
|------|----------------|
| `reference/services/argocd.md` | Added Authentik SSO (public PKCE client, `--sso` login, admins→role:admin RBAC); documented dual-cluster management (minikube + ringtail k3s at `ringtail.tail8d86e.ts.net:6443`); corrected sync policy — the `apps` root is **manual**, not automated |
| `reference/services/authentik.md` | Blueprint list grown from 5 to 10 files; OIDC client table now lists all 8 clients with types; secrets table updated to `postgresql-*` fields and per-client secrets |
| `reference/services/grafana.md` | TeslaMate datasource moved to `pg.ops.eblu.me:5434` (ringtail); dashboard inventory refreshed (20 provisioned ConfigMaps); TeslaMate dashboards documented as init-container fetch from forge mirror at pinned tag; SSO role mapping wording corrected (Admin only for `admins` group) |
| `reference/infrastructure/unifi.md` | UnPoller image is now locally built (`registry.ops.eblu.me/blumeops/unpoller`); verified namespace/port |
| `how-to/mealie/plan-a-meal.md` | Procedure verified; **found the stored API token (`op://blumeops/mealie/credential`) returns 401** — operational fix in progress, doc content unchanged |

## AGENTS.md

- **Scaled back the ai-docs rule** (per discussion): agents now start by finding and reading relevant docs; `mise run ai-docs` (~130K tokens now) and `ai-sources` become opt-in bulk loads. `agent-change-process.md` updated to match. The `ai-docs` mise task itself is kept for now — happy to retire it in a follow-up if desired.
- **Documented the heph CLI** task workflow (list/show/context/log read paths; done/drop/skip/log/edit/task write paths) so future sessions can read and manipulate Blumeops tasks without rediscovery.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #373
2026-06-09 16:05:01 -07:00


| title | modified | last-reviewed | tags |
|-------|----------|---------------|------|
| UniFi | 2026-06-09 | 2026-06-09 | infrastructure, networking |

# UniFi

Home WiFi router and network controller, managed via the UX7 web UI.

## Quick Reference

| Property | Value |
|----------|-------|
| Model | UniFi Express 7 (UX7) |
| LAN IP | 192.168.1.1 |
| Management URL | https://192.168.1.1 |
| Management | Web UI only (no IaC) |
| Power | Battery-backed via UPS (see power) |

## What It Does

The UX7 is the home WiFi access point and network gateway. It provides:

- WiFi (main, guest, IoT networks)
- DHCP for all network subnets
- Built-in UniFi controller for managing adopted devices (switches)
- Zone-based firewall and traffic management

## Networks

| Network | VLAN | Subnet | Purpose |
|---------|------|--------|---------|
| Main | 1 (default) | 192.168.1.0/24 | Trusted devices (indri, sifaka, gilbert, mouse) |
| Guest | 2 | 192.168.2.0/24 | Visitors, internet-only |
| IoT | 3 | 192.168.3.0/24 | Smart devices (Frame TV, appliances) |

Three-network segmentation configured manually via UX7 web UI (Feb 2026).

## Network Topology

```text
ISP Modem
  └── UniFi Express 7 [WAN]
       └── [LAN port] ──→ Switch A (by router/sifaka)
            ├── sifaka (Synology NAS)
            └── ~12ft Cat6 ──→ Switch B (on desk)
                                 ├── indri (Mac Mini, primary server)
                                 └── gilbert (USB-C adapter)
```

All wired devices share the default VLAN (192.168.1.0/24). The two daisy-chained UniFi Switch Flex Minis provide enough ports for all devices while using the UX7's single LAN port.

## Operations

| Task | Method |
|------|--------|
| Manage networks/WiFi/firewall | https://192.168.1.1 web UI |
| Backup configuration | Settings → System → Backup |
| Restore from backup | Settings → System → Backup → Restore |

## Authentication

Local admin account on the UX7. Credentials stored in 1Password (vault blumeops). WiFi passphrase stored in 1Password item "Radio New Vegas" (Wireless Router type) in vault blumeops.

## Why Not IaC?

Attempted Feb 2026 with the ubiquiti-community/unifi Terraform provider via Pulumi. A "no-op" update on the default LAN network (a plan showing no changes) reset properties the declaration did not cover, bricking the network and requiring a factory reset. The provider ecosystem is too immature to trust with single-device infrastructure where one bad apply takes the whole LAN down.
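The failure above is worth seeing concretely. The script below is an added example, not code from the Terraform provider, Pulumi or this repo: it models a provider that builds a full-object update from the declaration plus its own defaults, so every live attribute the declaration never mentioned is overwritten, and it shows the guard a cautious wrapper would run before any apply, refusing an update that touches undeclared attributes. The field names, the provider defaults and the request shape are illustrative assumptions, not the real UniFi controller schema.

```python
from copy import deepcopy

# Constructed sample of the controller's live record for the default LAN.
# Field names are illustrative (assumption), not the real UniFi schema.
LIVE_DEFAULT_LAN = {
    "name": "Default",
    "vlan": 1,
    "ip_subnet": "192.168.1.1/24",
    "dhcpd_enabled": True,
    "dhcpd_start": "192.168.1.100",
    "dhcpd_stop": "192.168.1.254",
    "domain_name": "lan",
}

# The IaC declaration: only the attributes the author wrote down.
DECLARED_DEFAULT_LAN = {"name": "Default", "vlan": 1, "ip_subnet": "192.168.1.1/24"}

# Defaults a provider substitutes for omitted attributes (assumption).
PROVIDER_DEFAULTS = {"dhcpd_enabled": False, "dhcpd_start": None,
                     "dhcpd_stop": None, "domain_name": None}


def naive_body(declared, defaults=PROVIDER_DEFAULTS):
    """Full-object update body as a careless provider builds it: declaration
    plus defaults. Anything that is live but undeclared gets overwritten."""
    body = dict(defaults)
    body.update(declared)
    return body


def merged_body(live, declared):
    """Update body that starts from live state and overlays the declaration,
    so undeclared attributes survive the apply."""
    body = deepcopy(live)
    body.update(declared)
    return body


def changed_fields(live, body):
    """{field: (live_value, proposed_value)} for every live attribute the
    body would alter. A genuine no-op has an empty result."""
    return {k: (v, body.get(k)) for k, v in live.items() if body.get(k) != v}


def guard(live, declared, body):
    """Pre-apply check: allow the update only if every attribute it changes
    is one the declaration actually sets. Returns ("apply", changes) or
    ("refuse", undeclared_changes)."""
    changes = changed_fields(live, body)
    undeclared = {k: v for k, v in changes.items() if k not in declared}
    return ("refuse", undeclared) if undeclared else ("apply", changes)


if __name__ == "__main__":
    for label, body in (("naive", naive_body(DECLARED_DEFAULT_LAN)),
                        ("merged", merged_body(LIVE_DEFAULT_LAN, DECLARED_DEFAULT_LAN))):
        print(label, guard(LIVE_DEFAULT_LAN, DECLARED_DEFAULT_LAN, body))
```

The naive body turns DHCP off and clears the lease range on a plan that looked empty, which is the shape of the outage described above; the merged body passes the guard with no changes. The guard only works if the wrapper can read live state before writing, which is exactly the step a provider skips when it serializes the declaration alone.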

## Monitoring

UniFi metrics are exported to Prometheus via UnPoller, running as a k8s deployment in the `monitoring` namespace on indri's minikube (`argocd/manifests/unpoller/`, locally-built image `registry.ops.eblu.me/blumeops/unpoller`). UnPoller polls the UX7 controller API using an API key and exposes metrics on port 9130.

- Prometheus job: `unpoller`
- Metrics prefix: `unifi_`
- Credentials: 1Password item `unpoller` (vault blumeops, API key)
## Related

- hosts — Device inventory
- power — UPS power chain
- indri — Primary server (wired connection)
- tailscale — Tailnet networking
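Back to the UnPoller scrape described under Monitoring: the script below is an added example of the check to run once the exporter is up, not code from UnPoller, Prometheus or this repo. It parses one scrape in Prometheus text exposition format, confirms that `unifi_`-prefixed series are present and that the exporter's own controller-poll gauge reports success (an expired or wrong API key leaves the exporter up but the `unifi_` series missing or stale), and groups client series by their network label as a quick check that a device landed on the VLAN it was meant for. The sample scrape is constructed; apart from the `unifi_` prefix, every metric and label name in it, including the `unpoller_collector_success` gauge, is an assumption. Against the live deployment the same text is what `curl` returns from port 9130 of the pod.

```python
import re

# Constructed sample scrape in Prometheus text exposition format. Only the
# unifi_ prefix comes from the page; every metric and label name below is
# an illustrative assumption, not UnPoller's real output.
SAMPLE_SCRAPE = """\
# HELP unifi_device_uptime_seconds Device uptime.
# TYPE unifi_device_uptime_seconds gauge
unifi_device_uptime_seconds{name="UX7",site_name="default"} 864213
# HELP unifi_client_uptime_seconds Client uptime.
# TYPE unifi_client_uptime_seconds gauge
unifi_client_uptime_seconds{name="indri",network="Main",vlan="1"} 12000
unifi_client_uptime_seconds{name="frame-tv",network="IoT",vlan="3"} 3300
# HELP unpoller_collector_success 1 if the last controller poll succeeded.
# TYPE unpoller_collector_success gauge
unpoller_collector_success 1
# HELP go_goroutines Number of goroutines that currently exist.
# TYPE go_goroutines gauge
go_goroutines 9
"""

# name, optional {labels}, value, optional integer timestamp
SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+-?\d+)?$')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Return [{"name", "labels", "value"}] for each sample line. HELP/TYPE
    comments and blank lines are skipped; label values are kept as written
    (escape sequences are not decoded)."""
    samples = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sample line: {raw!r}")
        name, labels, value = m.groups()
        samples.append({"name": name,
                        "labels": dict(LABEL_RE.findall(labels or "")),
                        "value": float(value)})
    return samples


def series_by_prefix(samples, prefix="unifi_"):
    """Group the samples whose metric name carries the prefix, by metric name."""
    out = {}
    for s in samples:
        if s["name"].startswith(prefix):
            out.setdefault(s["name"], []).append(s)
    return out


def check_unpoller_scrape(text, prefix="unifi_"):
    """Sanity-check one scrape: are any unifi_ series exposed, and did the
    exporter's own poll of the controller succeed? The success gauge name is
    an assumption; without it the freshness verdict is None (unknown)."""
    samples = parse_exposition(text)
    unifi = series_by_prefix(samples, prefix)
    success = [s["value"] for s in samples if s["name"] == "unpoller_collector_success"]
    poll_ok = None if not success else success[0] == 1.0
    problems = []
    if not unifi:
        problems.append(f"no {prefix}* series: exporter up but nothing polled from the controller?")
    if poll_ok is False:
        problems.append("controller poll failed: unifi_ values are stale (check the API key)")
    if poll_ok is None:
        problems.append("no collector-success gauge found; cannot tell whether data is fresh")
    return {"unifi_metrics": sorted(unifi),
            "unifi_series": sum(len(v) for v in unifi.values()),
            "controller_poll_ok": poll_ok,
            "problems": problems}


def clients_per_network(samples):
    """Map network label -> sorted client names from unifi_client_* series,
    to confirm each device sits on the VLAN it was meant for."""
    out = {}
    for s in samples:
        if s["name"].startswith("unifi_client_") and "network" in s["labels"]:
            out.setdefault(s["labels"]["network"], set()).add(s["labels"]["name"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    print(check_unpoller_scrape(SAMPLE_SCRAPE))
    print(clients_per_network(parse_exposition(SAMPLE_SCRAPE)))
```

The two failure modes worth separating are the exporter being down (Prometheus sees the target as down) and the exporter being up but unable to reach or authenticate to the UX7, in which case the scrape succeeds while the `unifi_` series quietly disappear; the second is the one an alert on the scrape target alone will miss.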