humanize docs: fix bold abuse, title case, single-item lists, ProtonVPN ref

This commit is contained in:
Tuan-Dat Tran
2026-04-28 18:54:23 +02:00
parent 3ac7d91101
commit c48ced6207
3 changed files with 35 additions and 51 deletions


@@ -1,6 +1,6 @@
# Networking
## IP Layout
## IP layout
| Segment | Range | Purpose |
|---------|-------|---------|
@@ -12,7 +12,7 @@
---
## Traffic Flows
## Traffic flows
### Public services (Cloudflare tunnel)
@@ -20,7 +20,7 @@
User → Cloudflare (CDN + DDoS) → Cloudflared pod (×2, in-cluster) → Traefik → Service
```
Cloudflare acts as both CDN and the TLS termination point for public services. No ports are forwarded on the home router.
Cloudflare handles CDN and TLS termination. No ports are forwarded on the home router.
### VPS-proxied services (Pangolin tunnel)
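Review bot: the shortened sentence loses the scope qualifier "for public services", which is the security-relevant part of the original: Cloudflare terminates TLS only for the tunnel-exposed services, while the certificate section below says internal-only domains get their certs from Cert-Manager. Suggest "Cloudflare handles CDN and TLS termination for public services. No ports are forwarded on the home router." so a reader does not conclude that all TLS in the cluster ends at Cloudflare.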
@@ -38,7 +38,7 @@ Admin → WireGuard client → Edge VPS (WireGuard server)
→ K8s service CIDR (10.43.0.0/16)
```
The `mii-wireguard` pod acts as the WireGuard client inside the cluster. It masquerades the K8s service CIDR so all cluster services are reachable over the VPN — no split-DNS required.
The `mii-wireguard` pod is the WireGuard client inside the cluster. It masquerades the K8s service CIDR so all cluster services are reachable over the VPN without split-DNS.
### Gitea → ArgoCD webhook
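Review bot: style point on the rewritten sentence: "split-DNS" is normally written unhyphenated as a noun phrase ("without split DNS"), and since this commit is a wording pass it is worth fixing here. The sentence also states that masquerading the service CIDR makes all cluster services reachable over the VPN; consider adding the one fact that bounds that reach (which WireGuard peers are configured on the edge VPS), since the document otherwise leaves the access scope implicit.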
@@ -46,7 +46,7 @@ The `mii-wireguard` pod acts as the WireGuard client inside the cluster. It masq
Gitea (docker-host11) → push webhook → ArgoCD (in-cluster) → reconcile manifests
```
ArgoCD polls on a schedule and also receives webhooks from the self-hosted Gitea instance on git push.
ArgoCD polls on a schedule and also receives webhooks on git push.
### ArgoCD Image Updater → Gitea
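Review bot: dropping "from the self-hosted Gitea instance" is fine because the diagram line directly above already names Gitea (docker-host11) as the webhook source, so there is no information loss. While touching this sentence, the docs still do not say how ArgoCD validates the incoming webhook (shared webhook secret or not); a short clause here would make the trust relationship explicit for a reader auditing the push path.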
@@ -63,7 +63,7 @@ Keeps image versions in Git without a human in the loop.
```
Prowlarr (indexer aggregator)
→ Sonarr / Radarr (request management)
→ qBittorrent + Gluetun sidecar (download over ProtonVPN)
→ qBittorrent + Gluetun sidecar (VPN-isolated download)
→ Unpackarr (extract archives)
→ NFS share on aya01
→ Jellyfin (on docker-host11, hardware transcoding via Intel QuickSync)
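Review bot: replacing the provider name with "VPN-isolated download" is a better description of the property than "download over ProtonVPN", but "isolated" carries weight: it should mean qBittorrent's egress goes only through the Gluetun tunnel and nowhere else. Suggest making that explicit, e.g. "qBittorrent + Gluetun sidecar (egress only via the VPN tunnel)", so the diagram states the guarantee rather than just the mechanism.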
@@ -71,14 +71,14 @@ Prowlarr (indexer aggregator)
---
## Certificate Management
## Certificate management
Cert-Manager handles all TLS automatically via **Let's Encrypt DNS-01** using the Cloudflare API. No HTTP-01 challenges — DNS-01 works for internal-only domains and wildcard certs.
Cert-Manager handles all TLS automatically via Let's Encrypt DNS-01 using the Cloudflare API. DNS-01 works for internal-only domains and wildcard certs without exposing any HTTP endpoint.
The edge VPS (Traefik) uses Netcup DNS API for its own certs.
The edge VPS uses the Netcup DNS API for its own certs.
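Review bot: the new sentence reads well and "without exposing any HTTP endpoint" conveys the point of the removed "No HTTP-01 challenges" clause. One naming point, in the spirit of this commit's title-case cleanup: the project styles itself "cert-manager" (lowercase, hyphenated), so "Cert-Manager handles all TLS ..." should become "cert-manager handles all TLS ..." in both the old and new lines of this section.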
---
## Service Mesh
## Service mesh
Istio runs in **Ambient mode** (no sidecars). The `ztunnel` DaemonSet runs on every node and handles transparent L4 proxying for all pods in the mesh. Waypoint proxies (L7) are not yet deployed.
Istio runs in Ambient modeno sidecars. The `ztunnel` DaemonSet runs on every node and handles transparent L4 proxying for all pods in the mesh. Waypoint proxies (L7) are not yet deployed.
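Review bot: the added line reads "Istio runs in Ambient modeno sidecars." The separator between "mode" and "no sidecars" is missing, so the sentence is garbled; restore it as "Istio runs in ambient mode (no sidecars)." or "Istio runs in ambient mode, with no sidecars." Note also that Istio documents this as "ambient mode" in lowercase, which matches the title-case cleanup this commit is doing elsewhere.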