Switch from homelab.local to coreworlds.io with split-horizon DNS and LAN-only access controls

- Migrate all ingress hostnames from *.homelab.local to *.coreworlds.io
- Remove broken Traefik certresolver config (cert-manager handles TLS)
- Add internal-only IP allowlist middleware for platform services
- Add IngressRoutes for ArgoCD, Grafana, Longhorn (LAN-only via middleware)
- Seal and add Cloudflare API token for cert-manager DNS-01 challenges
- Update cert-manager ClusterIssuers with real email
- Update k3s TLS SAN to k3s.coreworlds.io
- Rewrite Ubiquiti docs for single-node topology and split-horizon DNS
- Fix seal-secret.sh controller name to match Helm release
- Add UCG DNS setup script using API key auth
Julia McGhee
2026-03-20 19:21:46 +00:00
parent 4135d2102e
commit 71442a0405
18 changed files with 292 additions and 92 deletions


@@ -1,37 +1,66 @@
# Network Diagram
```
┌──────────────┐
│ Internet │
└──────┬───────┘
┌──────┴───────┐
│ UCG │
│ 10.0.1.1 │
└──────┬───────┘
┌────────────┼────────────┐
│ │ │
┌──────┴───┐ ┌─────┴────┐ ┌────┴──────┐
│ VLAN 10 │ │ VLAN 20 │ │ VLAN 99 │
│ Servers │ │ IoT │ │ Guest │
└──────┬───┘ └──────────┘ └───────────┘
┌────────────┼────────────┐
│ │ │
┌────┴────┐ ┌────┴────┐ ┌────┴────┐
│ nuc01 │ │ nuc02 │ │ nuc03 │
│ .10.11 │ │ .10.12 │ │ .10.13 │
│ server │ │ agent │ │ agent │
└─────────┘ └─────────┘ └─────────┘
## External Traffic Flow
Services on k3s cluster:
┌─────────────────────────────────────┐
│ Traefik (Ingress) ← :80/:443
│ ArgoCD ← :8080 │
│ Grafana ← :3001
PostgreSQL (CNPG) ← :5432 │
│ Valkey ← :6379
Longhorn UI ← :8000
└─────────────────────────────────────┘
```
──────────────┐
│ Internet
└──────┬───────┘
┌────────┴────────┐
Cloudflare DNS
│ coreworlds.io
│ → public IP │
└────────┬────────┘
┌──────┴───────┐
│ UCG │
│ WAN :443 │
└──────┬───────┘
│ port-forward
┌──────┴───────┐
│ catherby │
│ 192.168.1.50 │
│ Traefik │
└──────┬───────┘
┌─────────────┼─────────────┐
│ │ │
coreworlds.io api.coreworlds.io ...
(web app) (api server)
```
## LAN Traffic Flow (Split-Horizon DNS)
```
┌──────────────┐
│ LAN Client │
└──────┬───────┘
│ DNS query: argocd.coreworlds.io
┌──────┴───────┐
│ UCG DNS │
│ *.coreworlds │
│ → 192.168.1 │
│ .50 │
└──────┬───────┘
│ direct (no hairpin NAT)
┌──────┴───────┐
│ catherby │
│ 192.168.1.50 │
│ Traefik │
└──────────────┘
```
## Service Routing
```
Traefik (192.168.1.50:443)
├── coreworlds.io → web (public)
├── api.coreworlds.io → api (public)
├── preview.coreworlds.io → web (public, preview ns)
├── api-preview.coreworlds.io → api (public, preview ns)
├── argocd.coreworlds.io → argocd (LAN only — internal-only middleware)
├── grafana.coreworlds.io → grafana (LAN only — internal-only middleware)
└── longhorn.coreworlds.io → longhorn (LAN only — internal-only middleware)
```
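Review bot: the new diagram drops the direct service ports the old one listed (ArgoCD :8080, Grafana :3001, Longhorn UI :8000) without stating whether those listeners are gone; if they are still reachable, the "LAN only — internal-only middleware" annotations in the Service Routing tree hold only for traffic that enters through Traefik on 192.168.1.50:443, not for the services themselves. Please add a line to the External Traffic Flow section saying which ports the UCG forwards from WAN (the diagram shows only :443) and that no other service ports are exposed, and add a note under LAN Traffic Flow that the IP allowlist depends on Traefik seeing the real client address: the coreworlds.io records at Cloudflare must stay DNS-only (the diagram shows Cloudflare returning the public IP, which matches), and Traefik must not accept forwarded-for headers from the WAN side, otherwise the allowlist would either block every external client or be fed a spoofable address.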