# Networking

## IP layout
| Segment | Range | Purpose |
|---|---|---|
| LAN | 192.168.20.0/24 | All VMs — flat layer 2 |
| MetalLB pool | Reserved /28 within LAN | LoadBalancer services in Kubernetes |
| K8s service CIDR | 10.43.0.0/16 | In-cluster service IPs |
| K8s pod CIDR | 10.42.0.0/16 | Pod networking (Flannel) |
| WireGuard | 10.133.7.0/24 | VPN tunnel: cluster ↔ edge VPS |
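A quick consistency check over the address plan in the table, as an added example (not part of the original page). Overlapping ranges between the LAN, pod, service and VPN networks are a common cause of black-holed or asymmetrically routed traffic, so the script flags any overlap that is not the one intended nesting (the MetalLB pool inside the LAN). The page does not state which /28 is reserved for MetalLB; `192.168.20.240/28` is an assumed placeholder.

```python
import ipaddress

# Address plan copied from the IP layout table. The page only says the MetalLB
# pool is "a reserved /28 within the LAN"; 192.168.20.240/28 is an assumed
# placeholder for that block.
PLAN = {
    "LAN": "192.168.20.0/24",
    "MetalLB pool": "192.168.20.240/28",   # assumed placeholder
    "K8s service CIDR": "10.43.0.0/16",
    "K8s pod CIDR": "10.42.0.0/16",
    "WireGuard": "10.133.7.0/24",
}

# The only overlap the design intends: the MetalLB pool is carved out of the LAN.
ALLOWED_NESTING = {("MetalLB pool", "LAN")}


def check_plan(plan, allowed_nesting=ALLOWED_NESTING):
    """Return a list of problems found in an address plan.

    Two kinds of problem are reported: ranges that overlap without being an
    intended inner/outer pair (a classic source of asymmetric routing and
    black-holed traffic), and an intended inner range that is not actually
    contained in its outer range.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in plan.items()}
    problems = []
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if (a, b) in allowed_nesting or (b, a) in allowed_nesting:
                continue
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    for inner, outer in allowed_nesting:
        if not nets[inner].subnet_of(nets[outer]):
            problems.append(
                f"{inner} ({nets[inner]}) is not inside {outer} ({nets[outer]})")
    return problems


def host_in(plan, name, addr):
    """True if `addr` belongs to the named range of the plan."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(plan[name])


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["address plan is consistent"]:
        print(line)
```

Run it whenever a range changes (a new VLAN, a different Flannel pod CIDR); `strict=True` additionally rejects ranges whose host bits are set, which usually means a typo in the mask.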
## Traffic flows

### Public services (Cloudflare tunnel)

```text
User → Cloudflare (CDN + DDoS) → Cloudflared pod (×2, in-cluster) → Traefik → Service
```
Cloudflare handles CDN and TLS termination. No ports are forwarded on the home router.
### VPS-proxied services (Pangolin tunnel)

```text
User → Edge VPS → Traefik (VPS) → Pangolin server → Newt client (in-cluster) → Traefik → Service
```
Used for services that need HTTP(S) proxying without Cloudflare in front.
### Remote admin (WireGuard VPN)

```text
Admin → WireGuard client → Edge VPS (WireGuard server)
      → wg-gateway pod (10.133.7.4)
      → K8s service CIDR (10.43.0.0/16)
```
The mii-wireguard pod is the WireGuard client inside the cluster. It masquerades the K8s service CIDR so all cluster services are reachable over the VPN without split-DNS.
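How the admin path above actually scopes what is reachable, as an added example (not code from the page). WireGuard's `AllowedIPs` is both the routing table and the access list for a peer: a destination only enters the tunnel if an entry covers it, so an admin config that lists just the VPN range and the service CIDR cannot reach the LAN through the VPS even if routing on the VPS would allow it. The script parses a constructed admin client config, answers "does this destination go through the tunnel", audits the config against that intended reach, and models the gateway pod's masquerade. The keys, endpoint, admin address `10.133.7.10` and gateway pod address `10.42.1.23` are placeholders, not values from the page.

```python
import ipaddress

# Constructed admin-side client config in the shape the page describes: the
# tunnel carries the WireGuard range and the K8s service CIDR, nothing else.
# Keys, endpoint and the admin address are placeholders, not page values.
ADMIN_CONF = """\
[Interface]
PrivateKey = <admin-private-key-placeholder>
Address = 10.133.7.10/32

[Peer]
PublicKey = <edge-vps-public-key-placeholder>
Endpoint = vps.example.invalid:51820
AllowedIPs = 10.133.7.0/24, 10.43.0.0/16
PersistentKeepalive = 25
"""

# Reach the design intends for an admin: the VPN range and in-cluster service IPs.
INTENDED_REACH = [ipaddress.ip_network("10.133.7.0/24"),
                  ipaddress.ip_network("10.43.0.0/16")]

SERVICE_CIDR = ipaddress.ip_network("10.43.0.0/16")
# The gateway's pod address is not given on the page; assumed placeholder.
GATEWAY_POD_IP = ipaddress.ip_address("10.42.1.23")


def parse_allowed_ips(conf):
    """Collect every AllowedIPs entry from a WireGuard config."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowedIPs" and value.strip():
            nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(","))
    return nets


def tunnel_carries(allowed, dst):
    """Cryptokey routing: a destination enters the tunnel only if some
    AllowedIPs entry covers it; everything else uses the normal routing table."""
    dst = ipaddress.ip_address(dst)
    return any(dst.version == net.version and dst in net for net in allowed)


def audit_reach(allowed, intended=INTENDED_REACH):
    """Return AllowedIPs entries wider than the intended reach, e.g. 0.0.0.0/0
    (full tunnel) or the home LAN, which this design does not route."""
    return [net for net in allowed
            if not any(net.version == i.version and net.subnet_of(i)
                       for i in intended)]


def gateway_forward(src, dst, pod_ip=GATEWAY_POD_IP, service_cidr=SERVICE_CIDR):
    """Model the gateway pod's masquerade: a packet from the tunnel to the
    service CIDR leaves with the pod's own address as source, so the reply
    returns to the pod even though nothing in the cluster has a route back to
    10.133.7.0/24. Other destinations are not forwarded by this model (None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in service_cidr:
        return (pod_ip, dst)
    return None
```

`audit_reach` is the check worth keeping in a pre-commit hook for the admin configs: a stray `0.0.0.0/0` turns a cluster-only tunnel into a full tunnel through the VPS.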
### Gitea → ArgoCD webhook

```text
Gitea (docker-host11) → push webhook → ArgoCD (in-cluster) → reconcile manifests
```
ArgoCD polls on a schedule and also receives webhooks on git push.
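The webhook hop is the one place in this flow where an unauthenticated request can trigger work in the cluster, so the shared secret between Gitea and ArgoCD matters. The following is an added example (not ArgoCD's or Gitea's code) of what the receiving side must do with it: Gitea signs the raw request body with HMAC-SHA256 using the webhook secret and sends the hex digest in the `X-Gitea-Signature` header; the receiver recomputes it, compares in constant time, and only then parses the body. The secret, the payload and the header dictionary are constructed for the example.

```python
import hashlib
import hmac
import json

# Shared secret configured on both sides (the Gitea webhook secret and the
# matching secret on the ArgoCD side). Constructed value for this example.
WEBHOOK_SECRET = b"constructed-example-secret"

# Constructed push payload carrying the two fields a receiver cares about.
SAMPLE_BODY = json.dumps({
    "ref": "refs/heads/main",
    "repository": {"full_name": "homelab/manifests"},
}).encode()


def gitea_signature(body, secret=WEBHOOK_SECRET):
    """Gitea signs the raw request body with HMAC-SHA256 and sends the hex
    digest in the X-Gitea-Signature header; this recomputes that digest."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_push(headers, body, secret=WEBHOOK_SECRET):
    """Return the parsed payload if the signature is valid, else None.

    The comparison is constant-time so response timing leaks nothing about
    the expected digest, and the body is parsed only after the signature
    has checked out. Header names are looked up exactly as given here;
    a real HTTP handler should normalise header case first.
    """
    presented = headers.get("X-Gitea-Signature", "")
    expected = gitea_signature(body, secret)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return None
    return json.loads(body)


def sync_target(payload):
    """Which repository and branch the receiver should reconcile for this push."""
    return payload["repository"]["full_name"], payload["ref"]
```

Because the signature covers the exact bytes received, the body must be verified before any decoding or re-serialisation; a tampered `ref`, a missing header, or a digest made with the wrong secret all fail the same way.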
### ArgoCD Image Updater → Gitea

```text
Image Updater detects new tag in registry
      → commits updated annotation to Gitea repo
      → ArgoCD detects commit → re-syncs Deployment
```
Keeps image versions in Git without a human in the loop.
### Media stack

```text
Prowlarr (indexer aggregator)
      → Sonarr / Radarr (request management)
      → download client + Gluetun sidecar (VPN-isolated)
      → Unpackarr (extract archives)
      → NFS share on aya01
      → Jellyfin (on docker-host11, hardware transcoding via Intel QuickSync)
```
## Certificate management
Cert-Manager handles all TLS automatically via Let's Encrypt DNS-01 using the Cloudflare API. DNS-01 works for internal-only domains and wildcard certs without exposing any HTTP endpoint.
The edge VPS uses the Netcup DNS API for its own certs.
## Service mesh
Istio runs in Ambient mode — no sidecars. The ztunnel DaemonSet runs on every node and handles transparent L4 proxying for all pods in the mesh. Waypoint proxies (L7) are not yet deployed.