From 5a32dd46d3b77de4cd34a5100be3babf1a645257 Mon Sep 17 00:00:00 2001 From: sjat Date: Fri, 5 Jun 2026 11:47:03 +0200 Subject: [PATCH] ADR-007: retire VLAN-99 WireGuard for the NetBird mesh (ADR-016) --- docs/decisions/007-network.md | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/docs/decisions/007-network.md b/docs/decisions/007-network.md index c798918..dd3b577 100644 --- a/docs/decisions/007-network.md +++ b/docs/decisions/007-network.md @@ -47,7 +47,7 @@ ISP | 30 | `lan` | `10.30.0.0/24` | Trusted home devices. DHCP. Access to selected `srv` services via OPNsense. | | 40 | `iot` | `10.40.0.0/24` | Smart home, cameras, printers. DHCP. Internet egress only + HA exception. | | 50 | `guest` | `10.50.0.0/24` | Guest WiFi. DHCP. Internet only, fully isolated. | -| 99 | `vpn` | `10.99.0.0/24` | WireGuard peers. `askari` (Hetzner) + road-warrior clients. | +| 99 | `vpn` | _(retired)_ | **Replaced by the NetBird mesh (ADR-016).** Remote access for `ubongo`, `askari`, and road-warrior clients rides a self-hosted NetBird overlay, not an OPNsense WireGuard subnet. `10.99.0.0/24` is freed. | --- 
@@ -102,13 +102,14 @@ Assigned infrastructure addresses: | `10.50.0.1` | OPNsense gateway | | `10.50.0.100`–`.249` | DHCP pool | -### VLAN 99 — vpn (10.99.0.0/24) — WireGuard +### VLAN 99 — vpn — retired -| Address | Host | -|---|---| -| `10.99.0.1` | OPNsense (WireGuard endpoint) | -| `10.99.0.2` | `askari` (Hetzner VPS) | -| `10.99.0.10`+ | Road-warrior clients | +The OPNsense WireGuard VPN (`10.99.0.0/24`) is **replaced by the NetBird mesh** +(ADR-016). Remote access for `ubongo`, `askari`, and road-warrior clients rides a +self-hosted NetBird overlay — data plane peer-to-peer WireGuard, control plane +NetBird self-hosted on `askari`. NetBird manages its own overlay addressing +(default `100.64.0.0/10`); no boma VLAN/subnet is allocated for it, and +`10.99.0.0/24` is freed. ### Corosync ring (172.16.0.0/24) — not on managed switch @@ -132,8 +133,8 @@ Assigned infrastructure addresses: | `iot` | internet | allow egress only | | `iot` | `srv` (HA IP only) | allow on integration ports | | `guest` | internet | allow, isolated from all internal | -| `vpn` | `srv` (metrics ports) | allow (monitoring) | -| `vpn` | `mgmt` | allow (administration from askari) | +| mesh peers | `srv` (metrics ports) | allow (monitoring) — enforced by NetBird ACLs, not OPNsense (ADR-016) | +| mesh peers | `mgmt` | allow (administration) — enforced by NetBird ACLs (ADR-016) | **Home Assistant ↔ IoT**: HA VM at `10.20.0.13` can reach IoT VLAN on required ports. OPNsense Avahi (mDNS reflector) bridges `srv` ↔ `iot` for device discovery. 
@@ -176,11 +177,12 @@ All other queries go upstream (e.g., `1.1.1.1`, `9.9.9.9`). ## External monitoring — askari -`askari` (Hetzner VPS) connects via WireGuard to OPNsense (`10.99.0.1`). -Its peer address is `10.99.0.2`. OPNsense routes `10.99.0.0/24` into the VPN -tunnel and allows `askari` narrow access to `srv` metrics endpoints and `mgmt` -for administration. +`askari` (Hetzner VPS) is a peer on the **NetBird mesh** (ADR-016) and also **hosts +the self-hosted NetBird coordinator** (management/signal/relay). It reaches `srv` +metrics endpoints and `mgmt` for administration over the mesh, scoped by NetBird +ACLs — no OPNsense WireGuard tunnel and no `10.99.0.0/24` routing. -`askari` is provisioned and managed independently of the Proxmox cluster — it -must be reachable even when the homelab is down (its entire purpose). +`askari` is provisioned and managed independently of the Proxmox cluster — it must +be reachable even when the homelab is down (its entire purpose), which is also why +the mesh coordinator lives here: an off-site control plane survives a homelab outage. FQDN: `askari.baobab.band`.
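Review bot: in hunk `@@ -47,7 +47,7 @@` the VLAN inventory row for 99 now says the subnet is retired but not what happens to the VLAN tag and the OPNsense/switch interface that carried it; since this table is the VLAN inventory, say whether tag 99 stays reserved or is deleted from the managed switch and OPNsense, otherwise a later reader cannot tell if 99 is free to reuse. The cell is also a full paragraph that repeats the later "VLAN 99 — vpn — retired" section almost word for word; keep the row to one clause such as `_(retired)_ | Replaced by the NetBird mesh (ADR-016); see below.` and let the section carry the detail.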
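Review bot: in hunk `@@ -102,13 +102,14 @@` the replacement prose drops the per-host address table (`10.99.0.1` OPNsense, `10.99.0.2` askari, `10.99.0.10+` clients) and only says NetBird uses the default `100.64.0.0/10`; this file is the "Assigned infrastructure addresses" section, so record the overlay addresses of the fixed peers (`askari`, `ubongo`) or state explicitly that they are dynamic and where to look them up, because the metrics and `mgmt` rules in the same document need stable targets. The heading also still reads "VLAN 99 — vpn — retired" for something that is no longer a VLAN; "Remote access — NetBird mesh (ADR-016)" would match the content.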
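Review bot: in hunk `@@ -132,8 +133,8 @@` the two "mesh peers" rows claim enforcement is by NetBird ACLs and "not OPNsense", which is only true if every `srv` and `mgmt` host runs the NetBird agent itself; if instead one peer advertises the `srv` or `mgmt` subnet as a NetBird network route, mesh traffic leaves that routing peer as ordinary LAN traffic and the OPNsense inter-VLAN rules (and the routing peer's own VLAN placement) decide what it can reach. State which model is in use, and in the routing-peer case keep an OPNsense row with the routing peer as source. The old `vpn` rows are deleted, but nothing records that the OPNsense WireGuard interface, its rules and the `10.99.0.0/24` route are removed; add a line so the rule table stays the ground truth.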
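Review bot: in hunk `@@ -176,11 +177,12 @@` the mesh coordinator (management/signal/relay) now runs on `askari`, an internet-facing Hetzner VPS, so it is the exposed entry point that replaced the OPNsense WireGuard endpoint; the section should say, or point to where ADR-016 says, what is listening publicly, how TLS is terminated and how peer enrolment is authenticated. The added rationale ("an off-site control plane survives a homelab outage") is fair, but the inverse should be stated next to "must be reachable even when the homelab is down": monitoring and the only remote-access path now share one failure domain, and while `askari` is down no new peer can enrol and any peer that depends on the relay loses its path in.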