homelab-docs/docs/networking.md
2026-04-28 08:29:48 +02:00


Networking

IP Layout

| Segment | Range | Purpose |
|---|---|---|
| LAN | 192.168.20.0/24 | All VMs — flat layer 2 |
| MetalLB pool | Reserved /28 within LAN | LoadBalancer services in Kubernetes |
| K8s service CIDR | 10.43.0.0/16 | In-cluster service IPs |
| K8s pod CIDR | 10.42.0.0/16 | Pod networking (Flannel) |
| WireGuard | 10.133.7.0/24 | VPN tunnel: cluster ↔ edge VPS |

Traffic Flows

Public services (Cloudflare tunnel)

User → Cloudflare (CDN + DDoS) → Cloudflared pod (×2, in-cluster) → Traefik → Service

Cloudflare acts as both CDN and the TLS termination point for public services. No ports are forwarded on the home router.

VPS-proxied services (Pangolin tunnel)

User → Edge VPS → Traefik (VPS) → Pangolin server → Newt client (in-cluster) → Traefik → Service

Used for services that need HTTP(S) proxying without Cloudflare in front.

Remote admin (WireGuard VPN)

Admin → WireGuard client → Edge VPS (WireGuard server)
      → wg-gateway pod (10.133.7.4)
      → K8s service CIDR (10.43.0.0/16)

The mii-wireguard pod acts as the WireGuard client inside the cluster. It masquerades the K8s service CIDR so all cluster services are reachable over the VPN — no split-DNS required.
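The cryptokey routing that makes this work, written out as an added example (not the repo's own config). Only the gateway pod IP 10.133.7.4, the tunnel range 10.133.7.0/24 and the service CIDR 10.43.0.0/16 come from this page; the VPS tunnel IP 10.133.7.1, the admin IP 10.133.7.2, port 51820, the pod interface eth0 and the endpoint hostname are assumptions, and the keys are placeholders.

```ini
# --- In-cluster wg-gateway pod: /etc/wireguard/wg0.conf (WireGuard client) ---
# Assumed: pod egress interface is eth0 and the pod has NET_ADMIN for iptables.
[Interface]
Address    = 10.133.7.4/32
PrivateKey = <GATEWAY_PRIVATE_KEY_PLACEHOLDER>
# Forward tunnel traffic into the cluster network.
PostUp     = sysctl -w net.ipv4.ip_forward=1
# Masquerade admin traffic bound for the service CIDR as the pod's own IP, so
# kube-proxy/ClusterIP replies return to this pod and back down the tunnel.
# Scoped to 10.43.0.0/16 only: the tunnel is not a route to the rest of the LAN.
PostUp     = iptables -t nat -A POSTROUTING -s 10.133.7.0/24 -d 10.43.0.0/16 -o eth0 -j MASQUERADE
PostDown   = iptables -t nat -D POSTROUTING -s 10.133.7.0/24 -d 10.43.0.0/16 -o eth0 -j MASQUERADE

[Peer]
# Edge VPS. Only tunnel-range traffic is routed via the VPS, nothing else.
PublicKey           = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint            = vps.example.invalid:51820
AllowedIPs          = 10.133.7.0/24
# The pod sits behind the home NAT with no forwarded ports, so it must
# initiate and keep the mapping alive.
PersistentKeepalive = 25

# --- Edge VPS: /etc/wireguard/wg0.conf (WireGuard server) ---
[Interface]
Address    = 10.133.7.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>
PostUp     = sysctl -w net.ipv4.ip_forward=1

[Peer]
# wg-gateway pod: the only peer allowed to source the K8s service CIDR,
# so packets for 10.43.0.0/16 are sent to (and accepted from) it alone.
PublicKey  = <GATEWAY_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.133.7.4/32, 10.43.0.0/16

[Peer]
# Admin client: a single tunnel IP; it may not impersonate the gateway or a service.
PublicKey  = <ADMIN_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.133.7.2/32

# --- Admin client: the matching route set ---
# [Peer] for the VPS with AllowedIPs = 10.133.7.0/24, 10.43.0.0/16 sends
# service traffic into the tunnel; no split DNS is needed because ClusterIPs
# are reached directly.
```

The AllowedIPs lines are the access control: a peer can only source and receive the ranges listed on the other side, so the gateway's masquerade never widens what the admin can reach beyond 10.43.0.0/16.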

Gitea → ArgoCD webhook

Gitea (docker-host11) → push webhook → ArgoCD (in-cluster) → reconcile manifests

ArgoCD polls on a schedule and also receives webhooks from the self-hosted Gitea instance on git push.

ArgoCD Image Updater → Gitea

Image Updater detects new tag in registry
  → commits updated annotation to Gitea repo
  → ArgoCD detects commit → re-syncs Deployment

Keeps image versions in Git without a human in the loop.

Media stack

Prowlarr (indexer aggregator)
  → Sonarr / Radarr (request management)
  → qBittorrent + Gluetun sidecar (download over ProtonVPN)
  → Unpackarr (extract archives)
  → NFS share on aya01
  → Jellyfin (on docker-host11, hardware transcoding via Intel QuickSync)

Certificate Management

Cert-Manager handles all TLS automatically via Let's Encrypt DNS-01 using the Cloudflare API. No HTTP-01 challenges — DNS-01 works for internal-only domains and wildcard certs.

The edge VPS (Traefik) uses Netcup DNS API for its own certs.
Service Mesh

Istio runs in Ambient mode (no sidecars). The ztunnel DaemonSet runs on every node and handles transparent L4 proxying for all pods in the mesh. Waypoint proxies (L7) are not yet deployed.