# Atlantis Migration Guide

Moving Atlantis NAS and homelab-vm to a new location while Calypso stays.

## Overview

```
LOCATION A (Calypso stays)          LOCATION B (New location)
┌──────────────────────┐            ┌─────────────────────────────────┐
│  CALYPSO             │            │  ATLANTIS + HOMELAB-VM          │
│  ├── sso.vish.gg     │            │  ├── pw.vish.gg                 │
│  ├── git.vish.gg     │◄──Internet─┤  ├── gf.vish.gg                 │
│  ├── seafile         │            │  ├── meet.thevish.io            │
│  └── paperless       │            │  ├── mastodon.vish.gg           │
└──────────────────────┘            │  └── (all other services)       │
                                    └─────────────────────────────────┘
```

## Pre-Migration Checklist

### 1. Backup Everything
- [ ] Portainer stack configurations exported
- [ ] Docker volumes backed up
- [ ] Synology configuration backed up
- [ ] DNS records documented

### 2. Create Cloudflare Tunnels

#### Atlantis Tunnel
1. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/)
2. Navigate to: Networks → Tunnels → Create tunnel
3. Name: `atlantis-tunnel`
4. Copy the tunnel token
5. Add public hostnames:

| Public Hostname | Type | Service |
|-----------------|------|---------|
| pw.vish.gg | HTTP | localhost:4080 |
| cal.vish.gg | HTTP | localhost:12852 |
| meet.thevish.io | HTTPS | localhost:5443 |
| joplin.thevish.io | HTTP | localhost:22300 |
| mastodon.vish.gg | HTTP | 192.168.0.154:3000 |
| matrix.thevish.io | HTTP | 192.168.0.154:8081 |
| mx.vish.gg | HTTP | 192.168.0.154:8082 |
| mm.crista.love | HTTP | 192.168.0.154:8065 |

#### Homelab-VM Tunnel
1. Create another tunnel named `homelab-vm-tunnel`
2. Add public hostnames:

| Public Hostname | Type | Service |
|-----------------|------|---------|
| gf.vish.gg | HTTP | localhost:3300 |
| ntfy.vish.gg | HTTP | localhost:8081 |
| hoarder.thevish.io | HTTP | localhost:3000 |
| binterest.thevish.io | HTTP | localhost:21544 |

### 3. Deploy Tunnel Containers

Deploy `cloudflare-tunnel.yaml` on both:
- Atlantis: `hosts/synology/atlantis/cloudflare-tunnel.yaml`
- Homelab-VM: `hosts/vms/homelab-vm/cloudflare-tunnel.yaml`

Set the `TUNNEL_TOKEN` environment variable in Portainer.

### 4. Test Before Moving
- [ ] Verify tunnel shows "Healthy" in Cloudflare dashboard
- [ ] Test each service through tunnel (may conflict with current reverse proxy)

## Migration Day

### Step 1: Update Calypso Reverse Proxy
Remove entries that will be handled by tunnels:
- pw.vish.gg
- cal.vish.gg  
- meet.thevish.io
- joplin.thevish.io
- mastodon.vish.gg
- matrix.thevish.io
- mx.vish.gg
- mm.crista.love
- gf.vish.gg
- ntfy.vish.gg
- hoarder.thevish.io
- binterest.thevish.io

Keep only Calypso's local services:
- sso.vish.gg
- git.vish.gg
- sf.vishconcord.synology.me
- paperlessngx.vishconcord.synology.me
- actual.vishconcord.synology.me
- (other localhost services)

### Step 2: Update DDNS Configuration

**Calypso** (`dynamic_dns.yaml`):
Only update domains that Calypso serves directly:
- sso.vish.gg
- git.vish.gg
- (other Calypso services)

**Atlantis**: 
Disable or remove DDNS updater - tunnels don't need public IP.

### Step 3: Physical Move
1. Shut down Atlantis and homelab-vm gracefully
2. Transport equipment
3. Connect to new network
4. Power on and verify tunnel connectivity

### Step 4: Verify Services
- [ ] All tunneled services accessible
- [ ] Calypso services still working
- [ ] No DNS conflicts

## Post-Migration

### DNS Records After Migration

| Domain | Before | After |
|--------|--------|-------|
| pw.vish.gg | A record → home IP | CNAME → tunnel |
| gf.vish.gg | A record → home IP | CNAME → tunnel |
| sso.vish.gg | A record → home IP | A record → Calypso IP (unchanged) |
| git.vish.gg | A record → home IP | A record → Calypso IP (unchanged) |

### Benefits of Cloudflare Tunnel
- No port forwarding needed at new location
- Automatic SSL
- DDoS protection
- Works behind CGNAT
- Access policies via Cloudflare Access (optional)

## Rollback Plan

If issues occur:
1. Connect Atlantis back to original network
2. Re-enable Calypso reverse proxy entries
3. Disable tunnel containers
4. Services resume through Calypso

## Services by Location (Post-Migration)

### Location A - Calypso Only
| Service | Domain | Port |
|---------|--------|------|
| Authentik | sso.vish.gg | 9000 |
| Gitea | git.vish.gg | 3052 |
| Seafile | sf.vishconcord.synology.me | 8611 |
| Paperless | paperlessngx.vishconcord.synology.me | 8777 |
| Actual | actual.vishconcord.synology.me | 8304 |

### Location B - Via Cloudflare Tunnel
| Service | Domain | Host | Port |
|---------|--------|------|------|
| Vaultwarden | pw.vish.gg | Atlantis | 4080 |
| Grafana | gf.vish.gg | homelab-vm | 3300 |
| Jitsi | meet.thevish.io | Atlantis | 5443 |
| Mastodon | mastodon.vish.gg | Atlantis VM | 3000 |
| Ntfy | ntfy.vish.gg | homelab-vm | 8081 |
| Hoarder | hoarder.thevish.io | homelab-vm | 3000 |
| Binterest | binterest.thevish.io | homelab-vm | 21544 |
| Joplin | joplin.thevish.io | Atlantis | 22300 |
| Calendar | cal.vish.gg | Atlantis | 12852 |
| Matrix | matrix.thevish.io | Atlantis VM | 8081 |