Skip to main content
Status: PlannedCategory: Application Layer

Objective

Migrate all services from v2 docker-host to v3 docker-host. Run v2 and v3 in parallel until v3 is validated, then cut over DNS and decommission v2.

Entry Criteria

Phase 3 complete — docker-prod-01 VM running with NFS mounts verified

Migration Strategy

Parallel Operationv2 services stay untouched while v3 is built. Services run in parallel until v3 is validated. DNS rewrites flip from v2 IPs to v3 IPs per-service. No big-bang cutover.
Migrate in waves. Infra first, then media stack, then books stack. Each wave is validated before the next begins.

Migration Waves

Wave 1 — Infrastructure Stack

1

Deploy Traefik

  • Deploy Traefik with Cloudflare DNS-01 wildcard cert (*.giohosted.com)
  • Verify Traefik is serving HTTPS internally before migrating any other service
2

Deploy Authentik

  • Deploy Authentik on auth-prod-01 VM (restore from backup)
  • Verify OIDC integrations working
3

Deploy Infrastructure Services

  • Deploy cloudflared (CF Tunnel) — keep pointed at v2 until all services migrated
  • Deploy adguardhome-sync
  • Create dns-prod-02 LXC on pve-prod-02 — verify adguardhome-sync propagating correctly
  • Deploy Dockman
  • Deploy Homarr (restore config from backup)
  • Deploy Beszel + agents on all hosts
4

Update DNS Rewrites

Update AdGuard DNS rewrite: *.giohosted.com → Traefik IP (192.168.30.11, not NPM)
5

Validate

Validate: internal HTTPS access to all infra services via Traefik

Cutover

1

Update Cloudflare Tunnel

Update Cloudflare Tunnel to point at v3 services:
  • docker-prod-01 for media stack
  • auth-prod-01 for Authentik
  • immich-prod-01 for Immich
2

Update Plex Port Forward

Update Plex port forward to point at nas-prod-01
3

Verify External Access

Verify all externally exposed services working
4

Monitor

Monitor for 48 hours
5

Decommission v2

Decommission v2 Proxmox host — power down, keep for 2 weeks before wiping

Service Inventory

ServiceStackv3 StatusNotes
TraefikinfraNew (replaces NPM)Reverse proxy + wildcard TLS
AuthentikinfraCarry forwardIdP — OIDC for all SSO apps. Runs on auth-prod-01 VM.
cloudflaredinfraCarry forwardCF Tunnel — ABS, Shelfmark, Seerr, Authentik
AdGuard Home (LXC)lxcCarry forwardPrimary DNS + ad-blocking
adguardhome-syncinfraCarry forwardSyncs dns-prod-01 to dns-prod-02
HomarrinfraCarry forwardOperations dashboard
BeszelmonitoringCarry forwardHost/VM metrics. Agents on all hosts.
Plexunraid-dockerMove to Unraid native DockerQuickSync via i5-13400 iGPU
Sonarr (TV)arrCarry forwardTV show automation
Sonarr (Anime)arrNew instanceAnime automation — separate instance
Radarr (1080p)arrCarry forward1080p WebDL automation
Radarr (4K)arrNew instance4K WebDL automation
ProwlarrarrCarry forwardIndexer management
BazarrarrCarry forwardSubtitle automation
qBittorrenttorrentCarry forwardMust stay containerized with Gluetun killswitch
GluetuntorrentCarry forwardProtonVPN WireGuard killswitch
qBitrrtorrentNew (replaces qbit-automation)Manages all 4 ARR instances. Web UI for management.
ImmichphotosMove to immich-prod-01 VMDedicated VM — isolated for ML worker resource tuning
AudiobookshelfbooksCarry forwardAudiobook server with OIDC
Calibre-Web-AutomatedbooksCarry forwardEbook library manager
ShelfmarkbooksCarry forwardEbook/audiobook request frontend
DockmaninfraCarry forwardDocker compose management

Exit Criteria

  • All Wave 1-5 services deployed and accessible
  • No services remaining on v2 docker-host
  • Audiobookshelf accessible externally
  • Shelfmark accessible externally
  • Seerr accessible externally
  • Authentik accessible externally
  • Immich accessible externally
  • Backup jobs configured for all VMs
  • Test restore successful
  • backup-docker.sh running nightly
  • backup-plex-db.sh running nightly
  • Healthchecks.io showing all heartbeats green

Next Phase

Phase 5 — Operational Hardening

Validate backups, monitoring, and tighten security

Build docs developers (and LLMs) love

Get started for freeTalk to us