
Roadmap: bring the home UniFi network under declarative management #2

Description

@devantler

🤖 Generated by the Daily AI Assistant

Roadmap: bring the home UniFi network under declarative management

Reconciled 2026-06-22: the two autonomously-shippable hardening children are delivered —
T2 CI guard (#3 → PR #5) and T4 runbook/service-account doc (#4 → PR #6), both merged. The platform
tenant is now live (platform #2042 merged 2026-06-19 — tofu-controller reconciles this repo), so T1's
tenant gate is cleared; the remaining T1 gate is the credential (the UniFi service-account key in the
platform variables-cluster, held by the maintainer). The repo's agent instructions are now consolidated
in AGENTS.md (the separate .github/copilot-instructions.md was retired in PR #7).

Where the product is. devantler-tech/unifi is a well-scaffolded platform tenant — plain
OpenTofu/Terraform with the filipowm/unifi provider (~> 1.0, lockfile committed), reconciled
continuously by tofu-controller on the platform (live since platform #2042, merged 2026-06-19);
CI runs tofu fmt -check/init/validate; the import-first golden rule, no-backend/no-committed-state,
and no-committed-secrets discipline are all documented (README.md/AGENTS.md). But the configuration
ships empty — main.tf is the import-first preamble plus commented examples, so tofu plan
reports "No changes". The real network is not yet under management, which is the whole point of the
repo.

Where it should be. The home network's desired state — L3 networks/VLANs, WLANs, firewall rules,
port-forwards, DNS records — brought under management import-first so it is reproducible,
drift-corrected, and reviewable, with CI that keeps reconciles safe, and a clear path to the
steady-state Crossplane provider.

This epic is the roadmap of record for the repo. It grounds a small set of independently-shippable
children; the network-onboarding themes (T1) are decomposed into concrete import PRs once the tenant is
live and as each resource category is ready.

Themes

T1 — Onboard the live network, import-first (the core mission).
Phase by resource category, each an independent PR that writes the resource, imports it
(import {} block / tofu import), and confirms tofu plan is a no-op before any edit:
core L3 networks/VLANs → WLANs/SSIDs (passphrases via platform variables, never committed) → firewall
rules + port-forwards → DNS records. Gating: the platform tenant is now live (platform #2042 merged
2026-06-19 — tofu-controller reconciles this repo), so the tenant gate is cleared; the remaining gate
is the credential — authoring imports needs live controller API access (the UniFi service-account key
in the platform's variables-cluster, held by the maintainer). These phases therefore stay
credential-gated; decompose them into issues per resource category once the key is wired and access
is confirmed.

T2 — Safe reconcile & CI quality.
The import-first rule was doc-only; the static guard + tflint lint gate that mechanically catch a
resource added without a matching import {} block are now in CI (#3 → PR #5). A controller-backed
tofu plan preview (drift/no-op signal) is the remaining T2 piece, blocked on wired creds. → child below.
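What the T1 import-first rule and the T2 static guard look like in practice, as an added example that is not the repo's own CI script (PR #5) or its main.tf: a small Python guard that scans .tf sources, ignores the scaffold's commented-out examples, and reports any resource block that has no matching import {} block (such a resource would be created by tofu apply instead of adopted from the live controller) as well as any import block whose target resource is not declared. The embedded samples are constructed; the resource types and attributes (unifi_network, unifi_wlan, unifi_firewall_rule) are assumed from the upstream UniFi provider schema and should be checked against the filipowm/unifi docs, and the import ids are placeholders.

```python
"""Import-first guard for a Terraform/OpenTofu repo (added example, not the repo's CI).

Rule: every `resource "<type>" "<name>"` block must have a matching
`import { to = <type>.<name> ... }` block, so `tofu apply` can never create
a network object that already exists on the controller. Import blocks that
point at a resource that is not declared are reported too.
"""
import re
import sys
from pathlib import Path

# HCL comment forms. The scaffold's main.tf carries commented-out example
# resources, which must not count as declarations.
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"^\s*(#|//).*$", re.M)
_RESOURCE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.M)
_IMPORT = re.compile(r"^\s*import\s*\{(.*?)^\s*\}", re.M | re.S)
_TO = re.compile(r"^\s*to\s*=\s*([A-Za-z0-9_]+\.[A-Za-z0-9_-]+)", re.M)


def strip_comments(src: str) -> str:
    return _LINE_COMMENT.sub("", _BLOCK_COMMENT.sub("", src))


def declared_resources(src: str) -> set[str]:
    """Addresses (type.name) of every uncommented resource block."""
    return {f"{t}.{n}" for t, n in _RESOURCE.findall(strip_comments(src))}


def import_targets(src: str) -> set[str]:
    """Addresses named by `to =` inside import blocks; an index such as
    unifi_network.vlans["iot"] collapses to the resource address."""
    targets = set()
    for body in _IMPORT.findall(strip_comments(src)):
        m = _TO.search(body)
        if m:
            targets.add(m.group(1))
    return targets


def check(src: str) -> dict[str, list[str]]:
    declared, imported = declared_resources(src), import_targets(src)
    return {
        "missing_import": sorted(declared - imported),   # would be CREATED by apply
        "dangling_import": sorted(imported - declared),  # import with no resource
    }


# Constructed samples (assumption: resource types/attributes follow the upstream
# UniFi provider schema; the ids are placeholders, not real controller objects).
SAMPLE_OK = '''
resource "unifi_network" "iot" {
  name    = "iot"
  purpose = "corporate"
  vlan_id = 30
  subnet  = "10.0.30.0/24"
}

import {
  to = unifi_network.iot
  id = "example-network-id"
}
'''

SAMPLE_BAD = '''
# Scaffold example left commented out; the guard must ignore it.
# resource "unifi_network" "example" {
#   name = "example"
# }

resource "unifi_wlan" "guest" {
  name       = "guest"
  network_id = unifi_network.iot.id
  passphrase = var.guest_passphrase  # from platform variables, never committed
}

import {
  to = unifi_firewall_rule.block_iot
  id = "example-rule-id"
}
'''


def main(argv: list[str]) -> int:
    """With file args: check those .tf files, exit 1 on any finding.
    Without args: run the guard over the embedded samples."""
    sources = {p: Path(p).read_text() for p in argv} or {
        "SAMPLE_OK": SAMPLE_OK, "SAMPLE_BAD": SAMPLE_BAD}
    failed = False
    for name, src in sources.items():
        for kind, addrs in check(src).items():
            for addr in addrs:
                print(f"{name}: {kind}: {addr}")
                failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it exits 1 and reports SAMPLE_BAD's unimported unifi_wlan.guest and its dangling unifi_firewall_rule.block_iot import; in CI you would pass `*.tf` and let the non-zero exit fail the job. It is a text-level check only: it does not know whether the import id is right, which is why the rule in T1 still ends with confirming that tofu plan is a no-op before any edit.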

T3 — Provider currency & the Crossplane steady-state.
Keep filipowm/unifi current (Dependabot is configured; provider majors can change resource schemas,
so review the changelog and re-import on a major bump). The steady-state goal is a real-CRD Crossplane
provider-upjet-unifi replacing this interim, already tracked at monorepo #1860; this repo's job is to
define the migration criteria (feature parity, import continuity) when that provider exists.

T4 — Documentation & operability.
The "adding a resource" import runbook and the service-account (Limited Admin, Local Access Only)
setup + key-rotation steps are delivered (#4 → PR #6), so onboarding a resource is a checklist, not
tribal knowledge.

Checklist

Problem → direction → rough size per child. Children that move the network's real desired state are
the highest-value work but are credential-gated; the two autonomously-shippable children (CI guard,
docs runbook) are delivered and have hardened the repo for that onboarding.
