Phase 0: read the house before you renovate

The first phase of the rebuild makes zero changes. It only reads: the hypervisor, the network controller, the live Docker host, the IPAM. Then it rewrites the plan to match reality. Because the plan was written by me, hopefully, and reality doesn’t care about my hopes.

The map is not the territory

The draft plan confidently named hosts that already existed, assumed a node name that was wrong, a network bridge that was wrong, and an IP for the new identity box that collided with a host already living there. Several “new” machines in the plan were running services right now. Discovery caught all of it — on paper, before a single apply.

Read-only is a feature, not a limitation

Everything in this phase went through read-only credentials and API GETs, dumped to JSON I could diff. No write token even existed yet. That constraint is the point: you cannot fat-finger a host you have no permission to change. The output is a discovery report and a “plan delta” — every place the live estate disagreed with the document, with a proposed fix.

If your first infrastructure phase can break something, it isn’t discovery — it’s an outage waiting for a trigger.

The reconciliation

Then the unglamorous work: rewrite the plan’s host tables, network ranges, and storage targets to the real values, and gate the corrections behind a human review before anything proceeds. Tedious. Also the reason the later phases didn’t detonate.

Discovery is the phase everyone wants to skip and nobody regrets doing. Next: Phase 1 — a golden VM template, and a fight with firmware I didn’t expect to have.