# Networking

## IP layout

| Segment | Range | Purpose |
|---------|-------|---------|
| LAN | `192.168.20.0/24` | All VMs — flat layer 2 |
| MetalLB pool | Reserved /28 within LAN | LoadBalancer services in Kubernetes |
| K8s service CIDR | `10.43.0.0/16` | In-cluster service IPs |
| K8s pod CIDR | `10.42.0.0/16` | Pod networking (Flannel) |
| WireGuard | `10.133.7.0/24` | VPN tunnel: cluster ↔ edge VPS |

---

## Traffic flows

### Public services (Cloudflare tunnel)

```
User → Cloudflare (CDN + DDoS) → Cloudflared pod (×2, in-cluster) → Traefik → Service
```

Cloudflare handles CDN and TLS termination. No ports are forwarded on the home router.

### VPS-proxied services (Pangolin tunnel)

```
User → Edge VPS → Traefik (VPS) → Pangolin server → Newt client (in-cluster) → Traefik → Service
```

Used for services that need HTTP(S) proxying without Cloudflare in front.

### Remote admin (WireGuard VPN)

```
Admin → WireGuard client → Edge VPS (WireGuard server) → wg-gateway pod (10.133.7.4) → K8s service CIDR (10.43.0.0/16)
```

The `mii-wireguard` pod is the WireGuard client inside the cluster. It masquerades the K8s service CIDR so all cluster services are reachable over the VPN without split-DNS.

### Gitea → ArgoCD webhook

```
Gitea (docker-host11) → push webhook → ArgoCD (in-cluster) → reconcile manifests
```

ArgoCD polls on a schedule and also receives webhooks on git push.

### ArgoCD Image Updater → Gitea

```
Image Updater detects new tag in registry → commits updated annotation to Gitea repo → ArgoCD detects commit → re-syncs Deployment
```

Keeps image versions in Git without a human in the loop.

### Media stack

```
Prowlarr (indexer aggregator) → Sonarr / Radarr (request management) → download client + Gluetun sidecar (VPN-isolated) → Unpackarr (extract archives) → NFS share on aya01 → Jellyfin (on docker-host11, hardware transcoding via Intel QuickSync)
```

---

## Certificate management

Cert-Manager handles all TLS automatically via Let's Encrypt DNS-01 using the Cloudflare API. DNS-01 works for internal-only domains and wildcard certs without exposing any HTTP endpoint.

The edge VPS uses the Netcup DNS API for its own certs.

---

## Service mesh

Istio runs in Ambient mode — no sidecars. The `ztunnel` DaemonSet runs on every node and handles transparent L4 proxying for all pods in the mesh. Waypoint proxies (L7) are not yet deployed.
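The remote-admin flow above depends on the WireGuard gateway pod only NATing VPN traffic bound for the service CIDR, and on the VPS side only routing that CIDR to the pod. The following is an added example (not this repo's actual configuration) that renders both sides of that peering with least-privilege `AllowedIPs` and a scoped masquerade rule, and checks that the CIDRs from the table do not overlap; the key placeholders, endpoint and `eth0` interface name are assumptions.

```python
import ipaddress

# CIDRs copied from the IP layout table; keys, endpoint and interface names are
# placeholders for this example only.
LAN = ipaddress.ip_network("192.168.20.0/24")
SERVICE_CIDR = ipaddress.ip_network("10.43.0.0/16")
POD_CIDR = ipaddress.ip_network("10.42.0.0/16")
WG_SUBNET = ipaddress.ip_network("10.133.7.0/24")
GATEWAY_IP = ipaddress.ip_address("10.133.7.4")  # wg-gateway pod, from the flow diagram


def overlapping_pairs(cidrs):
    """Return (name, name) pairs whose CIDRs overlap. The masquerade plan below only
    works when the tunnel subnet and routed CIDRs are disjoint; overlaps misroute silently."""
    nets = [(name, ipaddress.ip_network(c, strict=True)) for name, c in cidrs.items()]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def masquerade_rule(out_if="eth0"):
    """NAT only VPN-sourced traffic headed for the service CIDR, so the gateway pod
    cannot be used as a general NAT hop into the LAN or the pod network."""
    return (f"iptables -t nat -A POSTROUTING -s {WG_SUBNET} -d {SERVICE_CIDR} "
            f"-o {out_if} -j MASQUERADE")


def gateway_config(server_pubkey, server_endpoint):
    """wg-quick config for the in-cluster gateway pod (the WireGuard client)."""
    return "\n".join([
        "[Interface]",
        f"Address = {GATEWAY_IP}/{WG_SUBNET.prefixlen}",
        "PrivateKey = <GATEWAY_PRIVATE_KEY>",  # placeholder; mount from a Secret
        f"PostUp = {masquerade_rule()}",
        f"PostDown = {masquerade_rule().replace('-A', '-D')}",
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        f"Endpoint = {server_endpoint}",
        f"AllowedIPs = {WG_SUBNET}",  # accept only tunnel peers, never 0.0.0.0/0
        "PersistentKeepalive = 25",  # pod sits behind home NAT; keep the path open
    ])


def vps_peer_entry(gateway_pubkey):
    """[Peer] block on the VPS: route the service CIDR through the gateway pod and
    nothing else (not the LAN, not the pod CIDR)."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {gateway_pubkey}",
        f"AllowedIPs = {GATEWAY_IP}/32, {SERVICE_CIDR}",
    ])
```

Run `overlapping_pairs` against the table's CIDRs before changing any range; an empty list is the expected result for this layout.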