- Changed library mount from /mnt/kavnas/Roms/roms to /mnt/kavnas/Roms
to match RomM's expected Structure A (/library/roms/<platform>/)
- Added docker volumes for romm_resources and romm_redis_data
- Documented docker-pm3 gateway (10.4.2.1) in netplan config
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Migrated from old KavNas config:
- ScreenScraper (kavren)
- RetroAchievements (kavren)
- SteamGridDB
- PlayMatch
Also added Emulationdrive exclusion to config.yml
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added ENABLE_SCHEDULED_RESCAN (daily at 3 AM)
- Added ENABLE_RESCAN_ON_FILESYSTEM_CHANGE (5 min delay)
- Updated docker-compose and documentation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Deployed RomM via Docker on VM 109 (docker-pm3)
- URL: http://10.4.2.202:8998
- ROM library mounted from KavNas:/volume1/Media/Roms
- MariaDB backend for metadata
- Added persistent NFS mount on docker-pm3
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixed outdated IP addresses across documentation and scripts.
Sonarr LXC 105 is at 10.4.2.20, not 10.4.2.15.
Jellyseerr LXC 115 is at 10.4.2.25, not 10.4.2.20.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LXC 112 was using DHCP and got IP 10.4.2.177 instead of expected
10.4.2.37, causing Traefik routing to fail.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Installed Sunshine game streaming host for low-latency media streaming.
Configured UFW firewall rules for Trusted and LAN VLANs.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added *.kavcorp.com DNS entries pointing to Traefik (10.4.2.10)
- Internal clients can use https://jellyfin.kavcorp.com with valid certs
- Same URLs work internally and externally, no port numbers needed
- Also added Traefik internal entrypoint on :8080 for .kav HTTP access
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Root cause: OPNsense DHCP and firewall rules referenced 10.4.2.129
for Pi-hole DNS, but that IP doesn't exist. Pi-hole is at 10.4.2.11.
Updated all references in OPNsense config.xml and documentation.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- LXC 129 on pm2 with static IP 10.4.2.36
- Local DNS: rustdesk.kav
- Updated INFRASTRUCTURE.md and CHANGELOG.md
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed from HTTPS to SSH URL (gitea@git.kavcorp.com:kavren/proxmox-infra.git)
to fix authentication issues with auto-push.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added Gitea Integration section with server details
- Documented tea CLI as the tool for interacting with Gitea
- Added issue tracking workflow for enhancement management
- Included common tea commands reference
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete static IP migration for all containers
- Configure Pi-hole local DNS with .kav hostnames
- Add SSH provisioning script for all containers
- Create NETWORK-MAP.md with complete IP allocation
- Create network-map.sh for dynamic map generation
- Update INFRASTRUCTURE.md with new service map
- Add .kav TLD and SSH policy decisions to DECISIONS.md
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Both services use DHCP and IPs changed:
- Frigate: 10.4.2.8 → 10.4.2.176
- Home Assistant: 10.4.2.62 → 10.4.2.175
Traefik configs updated on LXC 104.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Radarr moved from 10.4.2.16 to 10.4.2.24 to resolve UniFi conflict
- UniFi, Immich, Gitea verified working through Traefik
- Updated current IP maps
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created IP-MIGRATION-PLAN.md with new allocation scheme
- Fixed all LXC gateways from 10.4.2.254 (Asus) to 10.4.2.1 (OPNsense)
- Set static IPs: UniFi (.16), Gitea (.17), Immich (.30)
- Migrated critical containers to local-lvm storage
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Root cause was Traefik using Asus (10.4.2.254) as gateway instead of OPNsense (10.4.2.1)
- Enabled NAT reflection in OPNsense for VLAN access via WAN IP
- Fixed NFS mount issues with KavNas
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Pure NAT mode doesn't work when clients/servers are on the same subnet
- Must use enablenatreflectionhelper for proper source NAT
- Added to Common Gotchas in DECISIONS.md
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Migrated all port forwards from Asus router to OPNsense
- Documented port range NAT syntax (local-port must be starting port only)
- Added Common Gotcha #4 for port range rules in DECISIONS.md
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- WireGuard configured on OPNsense (port 51820, 10.10.10.0/24)
- AT&T IP Passthrough enabled for public IP on OPNsense
- qemu-guest-agent and tailscale plugins installed
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document LAN→IoT firewall rule for HA/Frigate access
- Add OPNsense interface naming (opt1, not lan in config.xml)
- Document IPv6 rule fix that was blocking ruleset loading
- Add pfctl troubleshooting commands
- Mark network isolation tests complete
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated INFRASTRUCTURE.md with VLAN traffic path and required configs
- Updated CHANGELOG.md with WAN cutover and VLAN troubleshooting fixes
- Updated TASKS.md to reflect completed network work
- pm4 bridge VLAN config made persistent via post-up commands
- Pi-hole listeningMode changed to ALL for multi-subnet DNS
Key fixes:
- pm4 vmbr0 bridge-vlan-aware with VLANs 10,20,30 on eno1
- Pi-hole veth added to VLANs for routed traffic
- Pi-hole gateway set to OPNsense (10.4.2.1)
- OPNsense default route fixed to use WAN gateway
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated CHANGELOG with implemented VLAN config (VLANs 10, 20, 30)
- Updated DECISIONS with complete VLAN architecture and firewall rules
- Updated INFRASTRUCTURE with VLANs/subnets table and bridge configs
- Updated TASKS to mark VLAN/firewall work complete, add UniFi VLAN tasks
- Updated README last updated date
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document OPNsense WAN configuration (pm4 vmbr1 with USB NIC)
- Add DHCP-based isolation workaround for unmanaged Gigabyte switches
- Plan subnet scheme: LAN (10.4.2.0/24), IoT (10.4.10.0/24), Guest (10.4.20.0/24)
- Document planned OPNsense firewall rules for isolation
- Update tasks with OPNsense migration and isolation steps
- Fix Claude Code hooks settings (remove matcher from Stop hook)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- OPNsense VM 130 on pm4 (KavSense, 10.4.2.1)
- VLAN 10 configured (10.4.10.0/24) for future use
- pm4 vmbr0 now VLAN-aware
- UniFi SSIDs: Trusted, IOT, Guest
- VLAN testing paused until GiGaPlus switches arrive
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- pm1 uses 10G port (auto-negotiates 2.5G, no PoE needed)
- pm2, pm3, pm4, U6 Enterprise use 2.5G PoE ports
- All 6 ports utilized, no injector needed
- GS308EP dedicated to cameras
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- pm1, pm2, pm3 connect via GS308EP (1G managed PoE)
- GS308EP uplinks to GiGaPlus for 10G backhaul access
- pm4 connects directly to GiGaPlus at 2.5G (OPNsense host)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>