# Hardware & Network Topology

## Physical Layout
```mermaid
graph TB
    subgraph WAN["WAN / Internet"]
        ext["External Clients"]
        onu["FTTH ONU\n192.168.11.1"]
    end
    subgraph edge["Edge"]
        bpir4["BPI-R4 Router\nOpenWrt 25.12-tillo\nWAN: 31.3.128.50/58"]
    end
    subgraph lan["LAN — 192.168.1.0/24"]
        subgraph jump["Jump Host"]
            mbt["mbptillo\n192.168.1.246\nsslh :4443\nmosh-server :443\nOpenVPN tun10"]
        end
        subgraph k8s["mdapi-prod — Harvester HCI / RKE2"]
            qui["qui — bare metal\niLO 192.168.1.170"]
            quo["quo — bare metal\niLO 192.168.1.181"]
            qua["qua — bare metal\niLO 192.168.1.182"]
            ingress["ingress-nginx\nPureLB 192.168.1.191"]
            gitlab_ing["GitLab nginx\nPureLB 192.168.1.197"]
        end
        subgraph nas["NAS / Object Storage"]
            salt["salt — TrueNAS CORE\nNFS + iSCSI\n(democratic-csi backend)"]
            pepper["pepper — TrueNAS"]
            santillo["santillo — Synology"]
            nastillo["nastillo — Synology"]
            minio["MinIO :30000\nS3-compatible"]
        end
        subgraph mgmt["Management Plane"]
            rancher["Rancher\nrancher.home.tillo.ch"]
            cm["CipherTrust Manager\ncm.home.tillo.ch\n+ Akeyless Gateway"]
        end
    end
    ext --> onu --> bpir4
    bpir4 -->|"DNAT → :4443"| mbt
    mbt -->|"TLS/SSH/VPN demux"| k8s
    k8s --> salt & minio
    rancher -->|"Fleet GitOps"| k8s
    cm -->|"ExternalSecrets"| k8s
```
## IP Address Map

| Device | IP / Host | Role |
|---|---|---|
| FTTH ONU | 192.168.11.1 | Fiber modem |
| BPI-R4 LAN | 192.168.1.1 | Router / firewall |
| BPI-R4 WAN | 31.3.128.50 / 31.3.128.58 | External IPs (web services / VPN) |
| mbptillo | 192.168.1.246 | Jump host / mosh / OpenVPN |
| qui iLO | 192.168.1.170 | BMC — node 1 |
| quo iLO | 192.168.1.181 | BMC — node 2 |
| qua iLO | 192.168.1.182 | BMC — node 3 |
| ingress-nginx (PureLB) | 192.168.1.191 | HTTPS for all *.mdapi.ch |
| GitLab nginx (PureLB) | 192.168.1.197 | GitLab-dedicated ingress |
| salt (TrueNAS) | salt | NFS + iSCSI backend |
| MinIO | minio.home.tillo.ch:30000 | S3 object store |
## PureLB LoadBalancer VIP Pool (192.168.1.40–99)

PureLB provides bare-metal `LoadBalancer` services by advertising each service's VIP on the LAN via ARP (IPv4) or NDP (IPv6), so the VIP is reachable from any host in 192.168.1.0/24 without a routing change. Each service gets a stable VIP from the pool.
| VIP | Namespace | Service |
|---|---|---|
| 192.168.1.40 | mqtt | Eclipse Mosquitto (MQTT broker) |
| 192.168.1.41 | tv | Plex Media Server |
| 192.168.1.42 | tv | Rsync |
| 192.168.1.43 | honeypot | Trapeye (honeypot) |
| 192.168.1.44 | envuassu | Nextcloud AIO Apache |
| 192.168.1.45 | envuassu | Nextcloud AIO Talk |
| 192.168.1.46 | mirror | Package mirror |
| 192.168.1.47 | mail | docker-mailserver |
| 192.168.1.48 | ntppool | Chrony NTP (GPS stratum-1) |
| 192.168.1.49 | opennic | OpenNIC tier-2 resolver |
| 192.168.1.50 | squid | HTTP/S proxy |
| 192.168.1.51 | znc | ZNC IRC bouncer |
| 192.168.1.52 | openldap | OpenLDAP |
| 192.168.1.53 | nameserver | BIND9 authoritative DNS |
| 192.168.1.191 | kube-system | ingress-nginx (all *.mdapi.ch) |
| 192.168.1.197 | bootstrap | GitLab nginx ingress |
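Because PureLB answers ARP for every VIP it owns, a VIP that overlaps a statically assigned host (an iLO, the router, the jump host) produces an ARP conflict on the LAN, and a static host placed inside the pool can be silently hijacked the next time PureLB allocates that address. The following audit, added here as an example and not part of the page's documentation or of PureLB, reads the two tables above as Python data and reports out-of-pool VIPs, duplicate VIPs, VIP/static collisions, and static hosts sitting inside the pool. The pool bounds, VIPs and static addresses are copied from the page; the function names `in_pool` and `audit_vips` and the constructed table literals are this example's own. Run against the page's data it flags 192.168.1.191 and 192.168.1.197, which the table lists but which lie outside the documented 40–99 range, and nothing else.

```python
"""Audit PureLB VIP assignments against the static IP map (added example)."""
import ipaddress
from collections import Counter

# Documented pool bounds (inclusive), taken from the section heading.
POOL_START = ipaddress.ip_address("192.168.1.40")
POOL_END = ipaddress.ip_address("192.168.1.99")

# Static LAN hosts, constructed from the IP Address Map table above.
STATIC_HOSTS = {
    "192.168.1.1": "BPI-R4 LAN",
    "192.168.1.246": "mbptillo",
    "192.168.1.170": "qui iLO",
    "192.168.1.181": "quo iLO",
    "192.168.1.182": "qua iLO",
}

# VIP assignments, constructed from the PureLB table above: (vip, namespace, service).
VIP_TABLE = [
    ("192.168.1.40", "mqtt", "Eclipse Mosquitto"),
    ("192.168.1.41", "tv", "Plex Media Server"),
    ("192.168.1.42", "tv", "Rsync"),
    ("192.168.1.43", "honeypot", "Trapeye"),
    ("192.168.1.44", "envuassu", "Nextcloud AIO Apache"),
    ("192.168.1.45", "envuassu", "Nextcloud AIO Talk"),
    ("192.168.1.46", "mirror", "Package mirror"),
    ("192.168.1.47", "mail", "docker-mailserver"),
    ("192.168.1.48", "ntppool", "Chrony NTP"),
    ("192.168.1.49", "opennic", "OpenNIC tier-2 resolver"),
    ("192.168.1.50", "squid", "HTTP/S proxy"),
    ("192.168.1.51", "znc", "ZNC IRC bouncer"),
    ("192.168.1.52", "openldap", "OpenLDAP"),
    ("192.168.1.53", "nameserver", "BIND9 authoritative DNS"),
    ("192.168.1.191", "kube-system", "ingress-nginx"),
    ("192.168.1.197", "bootstrap", "GitLab nginx ingress"),
]


def in_pool(vip: str, start=POOL_START, end=POOL_END) -> bool:
    """True if the address lies inside the documented PureLB pool (inclusive)."""
    addr = ipaddress.ip_address(vip)
    return start <= addr <= end


def audit_vips(vip_table, static_hosts, start=POOL_START, end=POOL_END) -> dict:
    """Return the findings a reviewer of the VIP table cares about.

    out_of_pool:    VIPs listed but not inside [start, end]
    duplicates:     VIPs assigned to more than one service (ARP conflict inside the cluster)
    collisions:     VIPs that equal a static host address (ARP conflict with that host)
    static_in_pool: static hosts inside the pool that PureLB could hand out later
    """
    vips = [row[0] for row in vip_table]
    out_of_pool = [v for v in vips if not in_pool(v, start, end)]
    duplicates = sorted(v for v, n in Counter(vips).items() if n > 1)
    collisions = [(v, static_hosts[v]) for v in vips if v in static_hosts]
    static_in_pool = sorted(h for h in static_hosts if in_pool(h, start, end))
    return {
        "out_of_pool": out_of_pool,
        "duplicates": duplicates,
        "collisions": collisions,
        "static_in_pool": static_in_pool,
    }


if __name__ == "__main__":
    for finding, items in audit_vips(VIP_TABLE, STATIC_HOSTS).items():
        print(f"{finding}: {items or 'none'}")
```

The two out-of-pool VIPs are not necessarily an error; they are simply not covered by the 40–99 range this section documents, so whichever pool or service group actually hands them out should be recorded next to them. Re-run the audit whenever a row is added to either table.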
## Why Bare Metal + Harvester?
Harvester HCI runs RKE2 with KubeVirt integrated, providing both container workloads and VM-based workloads (like the CipherTrust Manager appliance) on the same cluster. iLO access on each node enables remote power management and out-of-band console access — useful when a bad kernel patch or misconfigured network makes SSH inaccessible.
The three-node setup (qui, quo, qua) provides a quorum for the RKE2 control plane (etcd): a three-member etcd keeps serving with one member down, so Longhorn can replicate volumes across two nodes while the third is taken offline for maintenance.