homelab-docs/docs/networking.md
2026-04-28 18:56:33 +02:00
# Networking
## IP layout
| Segment | Range | Purpose |
|---------|-------|---------|
| LAN | `192.168.20.0/24` | All VMs — flat layer 2 |
| MetalLB pool | Reserved /28 within LAN | LoadBalancer services in Kubernetes |
| K8s service CIDR | `10.43.0.0/16` | In-cluster service IPs |
| K8s pod CIDR | `10.42.0.0/16` | Pod networking (Flannel) |
| WireGuard | `10.133.7.0/24` | VPN tunnel: cluster ↔ edge VPS |
---
## Traffic flows
### Public services (Cloudflare tunnel)
```
User → Cloudflare (CDN + DDoS) → Cloudflared pod (×2, in-cluster) → Traefik → Service
```
Cloudflare serves the CDN and terminates TLS at its edge, so it sees the plaintext of these requests. The `cloudflared` pods open an outbound connection to Cloudflare from inside the cluster, so no inbound port is forwarded on the home router; the hop from `cloudflared` to Traefik stays inside the cluster.
### VPS-proxied services (Pangolin tunnel)
```
User → Edge VPS → Traefik (VPS) → Pangolin server → Newt client (in-cluster) → Traefik → Service
```
Used for services that need HTTP(S) proxying without Cloudflare in front. Newt, like `cloudflared`, connects outbound from the cluster to the Pangolin server, so this path also needs no inbound port at home; TLS terminates at the Traefik on the VPS.
### Remote admin (WireGuard VPN)
```
Admin → WireGuard client → Edge VPS (WireGuard server)
→ wg-gateway pod (10.133.7.4)
→ K8s service CIDR (10.43.0.0/16)
```
The `mii-wireguard` pod (`wg-gateway` in the diagram above) is the WireGuard client inside the cluster. Its peer entry on the VPS lists the service CIDR in `AllowedIPs`, so the admin's client can route `10.43.0.0/16` into the tunnel, and the pod masquerades (SNATs) that traffic behind its own pod IP so replies from services come back to the pod rather than to a tunnel address the cluster cannot route. ClusterIP services are therefore reachable by address over the VPN without split DNS. What the VPN exposes is bounded only by that `AllowedIPs` entry; keep it to the service CIDR rather than the pod or LAN ranges.
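The following is an added example, not part of these docs or of any WireGuard tooling: a small model of WireGuard cryptokey routing for the remote-admin path, used to show why the service CIDR has to appear in `AllowedIPs` on the VPS and why the gateway pod masquerades. The tunnel, service, pod and LAN ranges and the gateway address `10.133.7.4` are the documented ones; the admin and VPS tunnel addresses and the gateway's pod IP are assumptions made for the example.

```python
"""Model of WireGuard cryptokey routing for the admin -> VPS -> wg-gateway path.

AllowedIPs does two jobs: on egress it is a routing table (longest prefix match
picks the peer), on ingress it is an ACL (a decrypted packet whose source is
not inside the sending peer's AllowedIPs is dropped)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TUNNEL = ip_network("10.133.7.0/24")
SERVICE_CIDR = ip_network("10.43.0.0/16")
POD_CIDR = ip_network("10.42.0.0/16")
LAN = ip_network("192.168.20.0/24")

GATEWAY_ADDR = "10.133.7.4"    # documented tunnel address of the gateway pod
ADMIN_ADDR = "10.133.7.2"      # assumption: the admin client's tunnel address
VPS_ADDR = "10.133.7.1"        # assumption: the VPS tunnel address
GATEWAY_POD_IP = "10.42.3.17"  # assumption: the gateway pod's in-cluster IP

@dataclass
class Peer:
    name: str
    allowed_ips: list

@dataclass
class WgInterface:
    name: str
    address: str
    peers: list

    def peer(self, name: str) -> Peer:
        return next(p for p in self.peers if p.name == name)

    def egress_peer(self, dst: str):
        """Longest-prefix match over every peer's AllowedIPs; None means no route."""
        best, best_len = None, -1
        for p in self.peers:
            for net in p.allowed_ips:
                if ip_address(dst) in net and net.prefixlen > best_len:
                    best, best_len = p, net.prefixlen
        return best

    def accept_ingress(self, peer: Peer, src: str) -> bool:
        """Source check applied after decryption: AllowedIPs acting as an ACL."""
        return any(ip_address(src) in net for net in peer.allowed_ips)

admin = WgInterface("admin", ADMIN_ADDR, [Peer("vps", [TUNNEL, SERVICE_CIDR])])
vps = WgInterface("vps", VPS_ADDR, [
    Peer("admin", [ip_network(ADMIN_ADDR + "/32")]),
    # The service CIDR here is what makes 10.43.0.0/16 reachable over the VPN
    Peer("wg-gateway", [ip_network(GATEWAY_ADDR + "/32"), SERVICE_CIDR]),
])
gateway = WgInterface("wg-gateway", GATEWAY_ADDR, [Peer("vps", [TUNNEL])])

def cluster_can_route(dst: str) -> bool:
    """Inside the cluster only the pod, service and LAN ranges have routes."""
    return any(ip_address(dst) in n for n in (POD_CIDR, SERVICE_CIDR, LAN))

def trace(dst: str, masquerade: bool = True):
    """Walk admin -> dst and the reply back; returns (hops, reply_reaches_admin)."""
    hops = []
    p = admin.egress_peer(dst)
    if p is None:
        return hops, False          # not in AllowedIPs: never enters the tunnel
    hops.append(f"admin -> {p.name}")
    if not vps.accept_ingress(vps.peer("admin"), ADMIN_ADDR):
        return hops, False
    p = vps.egress_peer(dst)        # the VPS forwards by its own cryptokey table
    if p is None:
        return hops, False
    hops.append(f"vps -> {p.name}")
    if not gateway.accept_ingress(gateway.peer("vps"), ADMIN_ADDR):
        return hops, False
    # The documented masquerade: the gateway pod SNATs tunnel traffic behind its pod IP
    src_seen = GATEWAY_POD_IP if masquerade else ADMIN_ADDR
    hops.append(f"wg-gateway -> {dst} (src {src_seen})")
    if not cluster_can_route(src_seen):   # reply would leave via the node's default route
        hops.append("reply: cluster has no route to the tunnel address, dropped")
        return hops, False
    hops.append("reply -> wg-gateway (un-NAT)")
    if gateway.egress_peer(ADMIN_ADDR) is None:
        return hops, False
    # VPS ingress ACL on the reply: its source is the service IP, so the service
    # CIDR has to be in the wg-gateway peer's AllowedIPs on the VPS
    if not vps.accept_ingress(vps.peer("wg-gateway"), dst):
        return hops, False
    p = vps.egress_peer(ADMIN_ADDR)
    if p is None or not admin.accept_ingress(admin.peer("vps"), dst):
        return hops, False
    hops.append(f"vps -> {p.name}")
    return hops, True

if __name__ == "__main__":
    for d, m in (("10.43.0.10", True), ("10.43.0.10", False), ("192.168.20.5", True)):
        hops, ok = trace(d, m)
        print(d, "masquerade" if m else "no masquerade", ok, hops)
```

The no-masquerade run shows why the SNAT exists: the backend's reply is addressed to a `10.133.7.x` source that nothing in the cluster routes. The LAN run shows that the VPN's reach is exactly the service CIDR; widening it means widening `AllowedIPs` on both the VPS and the admin client, which is the place to look when auditing what the VPN exposes.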
### Gitea → ArgoCD webhook
```
Gitea (docker-host11) → push webhook → ArgoCD (in-cluster) → reconcile manifests
```
ArgoCD also polls Gitea on its refresh interval (three minutes by default), so a lost webhook only delays a sync rather than preventing one. Configure the webhook with a shared secret so ArgoCD can verify that a push notification really came from Gitea before acting on it.
### ArgoCD Image Updater → Gitea
```
Image Updater detects new tag in registry
→ commits updated annotation to Gitea repo
→ ArgoCD detects commit → re-syncs Deployment
```
Keeps image versions in Git without a human in the loop. The write-back needs a Gitea credential with push access to this repo, so scope that credential to the repo alone, and the tag filter or update strategy set on the application's annotations is the only thing deciding which new tags get promoted.
### Media stack
```
Prowlarr (indexer aggregator)
→ Sonarr / Radarr (request management)
→ download client + Gluetun sidecar (VPN-isolated)
→ Unpackarr (extract archives)
→ NFS share on aya01
→ Jellyfin (on docker-host11, hardware transcoding via Intel QuickSync)
```
---
## Certificate management
cert-manager obtains every TLS certificate from Let's Encrypt with the ACME DNS-01 challenge: it publishes a `_acme-challenge` TXT record through the Cloudflare API, Let's Encrypt looks the record up, and cert-manager removes it after issuance. Because the proof lives in DNS rather than behind an HTTP endpoint, this works for hostnames that only resolve internally and is the only challenge type that can issue wildcard certificates. The Cloudflare API token is kept in a Secret referenced by the issuer's `apiTokenSecretRef`; scope it to DNS edit on this zone only, since whoever holds it can publish records for the zone.
The edge VPS uses the Netcup DNS API for its own certificates.
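The following is an added example, not cert-manager's or Let's Encrypt's code: what a DNS-01 challenge actually puts into DNS, following RFC 8555 section 8.4 and the JWK thumbprint of RFC 7638. cert-manager performs this computation and then creates the TXT record through the Cloudflare API; the CA's only check is a DNS lookup, which is why no HTTP endpoint is needed and why a wildcard name can be validated at its base name. The account key, challenge token and zone contents below are constructed placeholders, not real ACME material.

```python
"""DNS-01 record name and value, as the ACME client computes them and the CA checks them."""
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonical_jwk(jwk: dict) -> str:
    """RFC 7638: keep only the required members, sort them, emit no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url-encoded."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """SHA-256 of the key authorization "<token>.<thumbprint>", base64url-encoded."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def dns01_record_name(identifier: str) -> str:
    """A wildcard identifier is validated at its base name (RFC 8555 7.1.3)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"

def publish(zone: dict, identifier: str, token: str, jwk: dict) -> dict:
    """What cert-manager does through the DNS provider API: add the TXT record."""
    name = dns01_record_name(identifier)
    zone.setdefault(name, []).append(dns01_txt_value(token, jwk))
    return zone

def ca_validates(zone: dict, identifier: str, token: str, jwk: dict) -> bool:
    """What the CA does: resolve the TXT records and look for the expected value."""
    name = dns01_record_name(identifier)
    return dns01_txt_value(token, jwk) in zone.get(name, ())

# Constructed ACME account key in EC P-256 shape; the coordinates are placeholders
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256", "alg": "ES256",
    "x": "placeholder-x-coordinate-not-a-real-point",
    "y": "placeholder-y-coordinate-not-a-real-point",
}
TOKEN = "placeholder-challenge-token-0001"   # constructed, issued by the CA in practice

if __name__ == "__main__":
    zone = publish({}, "*.lab.example.com", TOKEN, ACCOUNT_JWK)   # zone is a stand-in for DNS
    print(zone)
    print(ca_validates(zone, "*.lab.example.com", TOKEN, ACCOUNT_JWK))
```

Note that `canonical_jwk` drops `alg` and any other optional member before hashing; a thumbprint computed over the full JWK would not match the one the CA derives from the account key it has on file, and the challenge would fail.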
---
## Service mesh
Istio runs in Ambient mode, so there are no sidecars. The `ztunnel` DaemonSet on every node transparently proxies L4 traffic for pods in the mesh (namespaces labelled `istio.io/dataplane-mode=ambient`), giving them mutual TLS between nodes and identity-based L4 authorization policy. Waypoint proxies (L7) are not yet deployed, so policies that match on HTTP method, path or headers cannot be enforced yet; only L4 rules on workload identity, port and address apply.