Den Migration

Opplet Development Plan: Den Migration Project

Version 1.0 · ACTIVE PROJECT · Tier 1 · part of Charter Release 2026.2 · effective 2026-06-02

You're reading the public edition of Den Migration. The working source — drafts, change discussion, and member resources — lives in the community library.

Join-Community:/

Project Nature

This document describes a time-bound migration from the current single-Contabo-VPS Den to the target two-VPS Hetzner Cloud Den specified in Hardware Manifest §1 and Software Stack Manifest §1.

Unlike the Constitution and the SOP — which describe ongoing operational reality — this document has a defined end state. When the migration completes, this document will be marked COMPLETE and archived (moved from active BookStack-Alpha shelves to the historical record). At that point the Hardware Manifest and Software Stack Manifest become the sole authoritative description of the Den.

Current State

As of 2026-06-02:

  • Single Contabo VPS running HestiaCP and Nextcloud.
  • Single-server architecture (no Gateway/Engine split).
  • No separate Tailscale mesh.
  • Phone number not yet ported to a SIP trunk.
  • No Authentik-Personal deployed.
  • Personal data (calendar, contacts, files) lives in Nextcloud.

Target State

Per Hardware Manifest §1 and Software Stack Manifest §1:

  • Two Hetzner Cloud VPSs: Gateway (CPX21) and Engine (CPX31).
  • Tailscale private mesh between them.
  • Gateway runs HestiaCP + FreePBX (life-critical traditionally-managed services).
  • Engine runs Docker stack: Authentik-Personal + Homarr + Actual Budget + Vikunja + Baikal + Seafile + Monica + n8n-Den + Vaultwarden.
  • Phone number ported to selected SIP trunk provider.
  • Hetzner Storage Box (1 TB) mounted to Engine for Seafile data.
  • Nextcloud decommissioned.

Migration Phases

Phase 1: Provision Infrastructure

  1. Rent Gateway VPS on Hetzner Cloud (CPX21). Install Ubuntu Server LTS.
  2. Install HestiaCP on Gateway.
  3. Rent Engine VPS on Hetzner Cloud (CPX31). Install Ubuntu Server LTS.
  4. Install Docker and Docker Compose on Engine.
  5. Provision Hetzner Storage Box (1 TB).
  6. Mount Storage Box to Engine via CIFS/SMB or sshfs.
  7. Install Tailscale on both VPSs.
  8. Establish private Tailscale mesh between Gateway and Engine.
  9. Verify Engine has no public-facing ports (firewall closed except Tailscale).

Phase 1 exit criteria: Both VPSs reachable, Tailscale mesh confirmed working, Storage Box mounted and writable from Engine.

Phase 2: Deploy Core Services (Engine)

  1. Deploy Authentik-Personal on Engine. Configure as the Den’s identity root.
  2. Deploy Homarr as the personal dashboard.
  3. Deploy Vaultwarden for credential management.
  4. Deploy n8n-Den for automation glue.
  5. Configure Gateway HestiaCP Nginx reverse proxy templates pointing to Engine via Tailscale IP.

Phase 2 exit criteria: Authentik-Personal SSO functional, all four services reachable via Gateway reverse proxy, no service exposed directly from Engine.

Phase 3: Migrate Data

  1. Deploy Baikal on Engine. Migrate calendar and contacts from Nextcloud CalDAV/CardDAV.
  2. Deploy Seafile on Engine with data directory on the mounted Storage Box. Migrate files from Nextcloud storage.
  3. Deploy Actual Budget on Engine. Begin fresh (no Nextcloud equivalent to migrate).
  4. Deploy Vikunja on Engine. Begin fresh or migrate tasks from Nextcloud Tasks if used.
  5. Validate all migrated data — calendar events present, contacts intact, files accessible.
  6. Decommission Nextcloud on the Contabo VPS (do not delete the Contabo VPS yet — kept as fallback until Phase 5 completes).

Phase 3 exit criteria: All personal data accessible from Engine services; Nextcloud no longer in active use.

Phase 4: Telephony

  1. Select SIP trunk provider — Telnyx or JMP.chat. Document selection in Software Stack Manifest §9.
  2. Initiate phone number port from current carrier to selected SIP provider.
  3. Install FreePBX on Gateway VPS.
  4. Configure SIP trunk in FreePBX.
  5. Configure inbound routes (route to extensions, voicemail).
  6. Configure outbound routes (route through SIP trunk).
  7. Configure call recording.
  8. Deploy Monica on Engine VPS.
  9. Configure n8n-Den workflow: FreePBX call event → log to Monica.
  10. End-to-end test: inbound call → FreePBX → recording → Monica log entry visible.
  11. End-to-end test: outbound call from softphone via Gateway SIP.

Phase 4 exit criteria: Phone number ported, inbound and outbound calls working, call logging to Monica confirmed.

Phase 5: Cutover

  1. Update DNS for personal domain — migrate authoritative records from Contabo to Hetzner DNS (or registrar default).
  2. Update MX records to point to Gateway.
  3. Migrate any remaining email domains from Contabo HestiaCP to Hetzner Gateway HestiaCP.
  4. Verify all reverse proxy templates on Gateway correctly route to Engine Tailscale IPs.
  5. Validate all services via Uptime Kuma external monitoring (per SOP §2).
  6. Run 7-day soak period: monitor for issues, ensure no fallback to Contabo required.
  7. Decommission Contabo VPS after soak period concludes successfully.

Phase 5 exit criteria: Contabo VPS terminated, all Den services running exclusively on Hetzner, Uptime Kuma reporting healthy for 7 consecutive days.

Migration Risks and Mitigations

RiskLikelihoodMitigation
Phone number port delayMediumMaintain prepaid SIM fallback (per Hardware Manifest §1D) for emergency calls during port window
Email DNS propagation issuesLowLower TTLs 48h before cutover; maintain Contabo HestiaCP receivable until propagation confirmed
Calendar/contacts migration data lossLowExport full CalDAV/CardDAV dumps from Nextcloud before migration; retain dumps for 90 days post-migration
Tailscale mesh failureLowDocument fallback to direct SSH key-based access between VPSs in DR runbook
Storage Box performance issues for SeafileMediumBenchmark Storage Box throughput before committing Seafile to it; if insufficient, fall back to Engine local SSD (sacrifices capacity for speed)
Authentik-Personal misconfiguration locking out the SovereignMediumMaintain a Local Admin emergency-access account on Engine independent of Authentik-Personal until Phase 5 completes

Project Completion Procedure

When all five phases reach their exit criteria:

  1. Update this document’s status from ACTIVE PROJECT to COMPLETE.
  2. Update the Compatibility Block in the four primary documents (Constitution, SOP, Hardware Manifest, Software Stack Manifest) to reflect this document’s archived status.
  3. Move this document from active BookStack-Alpha shelves to the “Completed Projects” archive shelf.
  4. Bump Hardware Manifest version (no content change — just acknowledging that the Den described there is now reality, not aspiration).
  5. Note the migration completion in the SOP changelog as a historical milestone.

After completion, the Hardware Manifest §1 and Software Stack Manifest §1 are the authoritative description of the Den. This document is preserved only as historical record.

Changelog

v1.0 (2026-06-02)

  • Initial document, extracted from Constitution v9.3 §13 during the Charter Split refactor.
  • Procedural steps preserved verbatim from the Constitution.
  • Risks and Mitigations section (§“Migration Risks”) added as new content — previously implicit, now explicit.
  • Project Completion Procedure added — defines how this document is retired when migration finishes.

END OF DOCUMENT

All charter documents

Has anything clicked?

If reading this made you want to argue with it, extend it, or notice what's missing, that's the signal to show up.

You're invited to:

commit register to step into opplet partner advance or support the development sync chat or stay without committing deploy clone or fork opplet as your enclave
:/back-to-top