# Networking

## IP Layout

| Segment | Range | Purpose |
|---------|-------|---------|
| LAN | `192.168.20.0/24` | All VMs — flat layer 2 |
| MetalLB pool | Reserved /28 within LAN | LoadBalancer services in Kubernetes |
| K8s service CIDR | `10.43.0.0/16` | In-cluster service IPs |
| K8s pod CIDR | `10.42.0.0/16` | Pod networking (Flannel) |
| WireGuard | `10.133.7.0/24` | VPN tunnel: cluster ↔ edge VPS |

---

## Traffic Flows

### Public services (Cloudflare tunnel)

```
User → Cloudflare (CDN + DDoS) → Cloudflared pod (×2, in-cluster) → Traefik → Service
```

Cloudflare acts as both the CDN and the TLS termination point for public services. No ports are forwarded on the home router.

### VPS-proxied services (Pangolin tunnel)

```
User → Edge VPS → Traefik (VPS) → Pangolin server → Newt client (in-cluster) → Traefik → Service
```

Used for services that need HTTP(S) proxying without Cloudflare in front.

### Remote admin (WireGuard VPN)

```
Admin → WireGuard client → Edge VPS (WireGuard server) → wg-gateway pod (10.133.7.4) → K8s service CIDR (10.43.0.0/16)
```

The `mii-wireguard` pod acts as the WireGuard client inside the cluster. It masquerades traffic destined for the K8s service CIDR, so all cluster services are reachable over the VPN — no split-DNS required.

### Gitea → ArgoCD webhook

```
Gitea (docker-host11) → push webhook → ArgoCD (in-cluster) → reconcile manifests
```

ArgoCD polls on a schedule and also receives webhooks from the self-hosted Gitea instance on git push.

### ArgoCD Image Updater → Gitea

```
Image Updater detects new tag in registry → commits updated annotation to Gitea repo → ArgoCD detects commit → re-syncs Deployment
```

Keeps image versions in Git without a human in the loop.
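The remote-admin path above (Edge VPS → wg-gateway pod → service CIDR), shown as an added example of how the in-cluster WireGuard client can be deployed. This is not the repository's own manifest. The tunnel address `10.133.7.4`, the tunnel range `10.133.7.0/24` and the service CIDR `10.43.0.0/16` are taken from this page; the namespace, the container image, the VPS endpoint, the Secret name and the key placeholders are assumptions.

```yaml
# Added example, not the repository's manifest. Values from this page: tunnel address
# 10.133.7.4, tunnel range 10.133.7.0/24, service CIDR 10.43.0.0/16. Everything else
# (namespace, image, endpoint, key placeholders) is an assumption.
apiVersion: v1
kind: Secret                  # the config holds a private key, so it is a Secret, not a ConfigMap
metadata:
  name: mii-wireguard-config
  namespace: wireguard        # assumed namespace
type: Opaque
stringData:
  wg0.conf: |
    [Interface]
    Address = 10.133.7.4/24
    PrivateKey = REPLACE_WITH_CLUSTER_PEER_PRIVATE_KEY      # placeholder
    # Forward only tunnel traffic bound for the service CIDR; drop attempts to reach the
    # LAN (192.168.20.0/24) or the pod CIDR (10.42.0.0/16) through this pod.
    PostUp = iptables -A FORWARD -i wg0 ! -d 10.43.0.0/16 -j DROP
    PostUp = iptables -t nat -A POSTROUTING -s 10.133.7.0/24 -d 10.43.0.0/16 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 ! -d 10.43.0.0/16 -j DROP
    PostDown = iptables -t nat -D POSTROUTING -s 10.133.7.0/24 -d 10.43.0.0/16 -j MASQUERADE

    [Peer]
    # Edge VPS (WireGuard server). Admin clients peer with the VPS, not with this pod.
    PublicKey = REPLACE_WITH_VPS_PUBLIC_KEY                   # placeholder
    Endpoint = vps.example.net:51820                          # assumed endpoint
    AllowedIPs = 10.133.7.0/24
    PersistentKeepalive = 25
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mii-wireguard
  namespace: wireguard        # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mii-wireguard
  template:
    metadata:
      labels:
        app: mii-wireguard
    spec:
      # ip_forward is namespaced but classed "unsafe": the kubelet must allow it
      # (allowed-unsafe-sysctls=net.ipv4.ip_forward) or the pod will not be scheduled.
      securityContext:
        sysctls:
          - name: net.ipv4.ip_forward
            value: "1"
      containers:
        - name: wireguard
          image: registry.example/wireguard:latest   # assumed image providing wg-quick and iptables
          command: ["sh", "-c", "wg-quick up wg0 && exec sleep infinity"]
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]    # enough for wg + iptables; no privileged: true
          volumeMounts:
            - name: config
              mountPath: /etc/wireguard
              readOnly: true
      volumes:
        - name: config
          secret:
            secretName: mii-wireguard-config
            defaultMode: 0600       # keep the private key unreadable to other users in the container
```

The two `iptables` rules scope the gateway by source (the tunnel range) and destination (the service CIDR) and drop everything else arriving on `wg0`, so an admin device that is compromised cannot use the pod as a hop onto the LAN or the pod CIDR. For the path to work end to end, the VPS side must list this pod as a peer with `AllowedIPs = 10.133.7.4/32, 10.43.0.0/16` and have forwarding enabled, and each admin client must include `10.43.0.0/16` in its own `AllowedIPs`; WireGuard's cryptokey routing silently drops packets that do not match.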
### Media stack

```
Prowlarr (indexer aggregator) → Sonarr / Radarr (request management) → qBittorrent + Gluetun sidecar (download over ProtonVPN) → Unpackarr (extract archives) → NFS share on aya01 → Jellyfin (on docker-host11, hardware transcoding via Intel QuickSync)
```

---

## Certificate Management

Cert-Manager handles all TLS automatically via **Let's Encrypt DNS-01** using the Cloudflare API. No HTTP-01 challenges — DNS-01 works for internal-only domains and wildcard certs. The edge VPS (Traefik) uses the Netcup DNS API for its own certs.

---

## Service Mesh

Istio runs in **Ambient mode** (no sidecars). The `ztunnel` DaemonSet runs on every node and handles transparent L4 proxying for all pods in the mesh. Waypoint proxies (L7) are not yet deployed.
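The DNS-01 issuance described under Certificate Management, as an added example (not the repository's own manifests): a narrowly scoped Cloudflare API token, a ClusterIssuer that solves challenges through it, and a wildcard Certificate. The only facts used from this page are that cert-manager issues via Let's Encrypt DNS-01 using the Cloudflare API; the zone `example.com`, the contact e-mail, the namespaces and all object names are assumptions. The VPS's Netcup-based certs are handled by Traefik itself and are not covered here.

```yaml
# Added example, not the repository's manifests. Zone, e-mail, namespaces and names are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  # Placeholder. Use an API token limited to "Zone - DNS - Edit" and "Zone - Zone - Read"
  # on this one zone, never the account-wide Global API Key.
  api-token: REPLACE_WITH_SCOPED_CLOUDFLARE_TOKEN
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com              # assumed
    privateKeySecretRef:
      name: letsencrypt-dns01-account     # ACME account key; cert-manager creates it
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        # Pin this solver to the zone the token may edit, so a Certificate for any other
        # domain fails fast instead of being attempted with the wrong credentials.
        selector:
          dnsZones:
            - example.com
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: traefik                      # assumed: the namespace whose ingress reads the TLS secret
spec:
  secretName: wildcard-example-com-tls
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:
    - "example.com"
    - "*.example.com"                     # wildcards are only issuable via DNS-01
```

Because the challenge is answered by a `_acme-challenge` TXT record in public DNS rather than by an HTTP request to the host, the names covered by the certificate never have to resolve to a reachable address, which is what makes it work for internal-only hostnames behind the tunnels above.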
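Enrolling a namespace in the ambient mesh and enforcing an identity-based L4 policy, as an added example (not the repository's own manifests). Nothing on this page names the namespaces, workloads or service accounts involved, so `media`, `app: example-app`, the port and the Traefik service account are assumptions; the page fact used is that ztunnel provides L4 proxying without sidecars and that no waypoints are deployed yet.

```yaml
# Added example, not the repository's manifests. Namespace, labels, port and service
# account are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: media                             # assumed namespace
  labels:
    # Every pod in this namespace is captured by the node's ztunnel and talks mTLS
    # to other mesh workloads; no sidecar injection and no pod restart needed.
    istio.io/dataplane-mode: ambient
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: example-app-l4-allow
  namespace: media
spec:
  selector:
    matchLabels:
      app: example-app                    # assumed workload label
  action: ALLOW
  rules:
    - from:
        - source:
            # SPIFFE identity of the ingress; the caller must itself be in the mesh
            # (its namespace enrolled) for ztunnel to see this identity.
            principals:
              - cluster.local/ns/traefik/sa/traefik   # assumed service account
      to:
        - operation:
            ports: ["8080"]               # assumed port
```

An ALLOW policy with a selector denies every other source to that workload, so add it after confirming which identities legitimately call the service. Keep the rules to L4 fields (principals, namespaces, IP blocks, ports): path- or method-based rules need a waypoint proxy, which this cluster does not run yet.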