ADR-007: retire VLAN-99 WireGuard for the NetBird mesh (ADR-016)

sjat 2026-06-05 11:47:03 +02:00
parent ff796c64ca
commit 5a32dd46d3


@ -47,7 +47,7 @@ ISP
| 30 | `lan` | `10.30.0.0/24` | Trusted home devices. DHCP. Access to selected `srv` services via OPNsense. | | 30 | `lan` | `10.30.0.0/24` | Trusted home devices. DHCP. Access to selected `srv` services via OPNsense. |
| 40 | `iot` | `10.40.0.0/24` | Smart home, cameras, printers. DHCP. Internet egress only + HA exception. | | 40 | `iot` | `10.40.0.0/24` | Smart home, cameras, printers. DHCP. Internet egress only + HA exception. |
| 50 | `guest` | `10.50.0.0/24` | Guest WiFi. DHCP. Internet only, fully isolated. | | 50 | `guest` | `10.50.0.0/24` | Guest WiFi. DHCP. Internet only, fully isolated. |
| 99 | `vpn` | `10.99.0.0/24` | WireGuard peers. `askari` (Hetzner) + road-warrior clients. | | 99 | `vpn` | _(retired)_ | **Replaced by the NetBird mesh (ADR-016).** Remote access for `ubongo`, `askari`, and road-warrior clients rides a self-hosted NetBird overlay, not an OPNsense WireGuard subnet. `10.99.0.0/24` is freed. |
--- ---
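Review bot: the rewritten `vpn` row declares `10.99.0.0/24` freed but keeps the VLAN ID 99 entry and says nothing about whether the OPNsense `vpn` interface, its WireGuard endpoint and the firewall rules that referenced `vpn` are being removed. A subnet that is "freed" in the document while the interface and listener stay configured leaves a dangling remote-access path that nobody is tracking; suggest either dropping the row entirely (with the ADR-016 pointer in a changelog line) or adding an explicit decommission statement to the description cell, e.g. "OPNsense WireGuard interface, peers and `vpn` rules removed".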
@ -102,13 +102,14 @@ Assigned infrastructure addresses:
| `10.50.0.1` | OPNsense gateway | | `10.50.0.1` | OPNsense gateway |
| `10.50.0.100``.249` | DHCP pool | | `10.50.0.100``.249` | DHCP pool |
### VLAN 99 — vpn (10.99.0.0/24) — WireGuard ### VLAN 99 — vpn — retired
| Address | Host | The OPNsense WireGuard VPN (`10.99.0.0/24`) is **replaced by the NetBird mesh**
|---|---| (ADR-016). Remote access for `ubongo`, `askari`, and road-warrior clients rides a
| `10.99.0.1` | OPNsense (WireGuard endpoint) | self-hosted NetBird overlay — data plane peer-to-peer WireGuard, control plane
| `10.99.0.2` | `askari` (Hetzner VPS) | NetBird self-hosted on `askari`. NetBird manages its own overlay addressing
| `10.99.0.10`+ | Road-warrior clients | (default `100.64.0.0/10`); no boma VLAN/subnet is allocated for it, and
`10.99.0.0/24` is freed.
### Corosync ring (172.16.0.0/24) — not on managed switch ### Corosync ring (172.16.0.0/24) — not on managed switch
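Review bot: the retired section records the overlay range only as NetBird's default `100.64.0.0/10`, which is the shared address space reserved for carrier-grade NAT (RFC 6598), so the Hetzner VPS or the home WAN side may themselves see addresses in that range; the section should state the overlay prefix actually chosen and that it was checked against WAN-side addressing, rather than leaving it at "default". Secondary point: the heading `### VLAN 99 — vpn — retired` still sits under "Assigned infrastructure addresses" with no address table beneath it; a retirement note reads better in a changelog or beside the ADR-016 reference so that this section lists only live assignments.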
@ -132,8 +133,8 @@ Assigned infrastructure addresses:
| `iot` | internet | allow egress only | | `iot` | internet | allow egress only |
| `iot` | `srv` (HA IP only) | allow on integration ports | | `iot` | `srv` (HA IP only) | allow on integration ports |
| `guest` | internet | allow, isolated from all internal | | `guest` | internet | allow, isolated from all internal |
| `vpn` | `srv` (metrics ports) | allow (monitoring) | | mesh peers | `srv` (metrics ports) | allow (monitoring) — enforced by NetBird ACLs, not OPNsense (ADR-016) |
| `vpn` | `mgmt` | allow (administration from askari) | | mesh peers | `mgmt` | allow (administration) — enforced by NetBird ACLs (ADR-016) |
**Home Assistant ↔ IoT**: HA VM at `10.20.0.13` can reach IoT VLAN on required **Home Assistant ↔ IoT**: HA VM at `10.20.0.13` can reach IoT VLAN on required
ports. OPNsense Avahi (mDNS reflector) bridges `srv``iot` for device discovery. ports. OPNsense Avahi (mDNS reflector) bridges `srv``iot` for device discovery.
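Review bot: the `mgmt` row widens the scope from "administration from askari" to "administration" for all mesh peers, and the VLAN table above lists road-warrior clients as mesh peers too; unless the NetBird ACL separates an admin group from road-warriors, every laptop on the mesh gains a path to the management network. Suggest naming the NetBird group in the source column (e.g. "mesh peers (NetBird admin group)") and keeping `askari` explicit in the description, and, since these two rows are no longer OPNsense rules, either moving them to a separate NetBird ACL table or adding a one-line note that this table now mixes two enforcement points.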
@ -176,11 +177,12 @@ All other queries go upstream (e.g., `1.1.1.1`, `9.9.9.9`).
## External monitoring — askari ## External monitoring — askari
`askari` (Hetzner VPS) connects via WireGuard to OPNsense (`10.99.0.1`). `askari` (Hetzner VPS) is a peer on the **NetBird mesh** (ADR-016) and also **hosts
Its peer address is `10.99.0.2`. OPNsense routes `10.99.0.0/24` into the VPN the self-hosted NetBird coordinator** (management/signal/relay). It reaches `srv`
tunnel and allows `askari` narrow access to `srv` metrics endpoints and `mgmt` metrics endpoints and `mgmt` for administration over the mesh, scoped by NetBird
for administration. ACLs — no OPNsense WireGuard tunnel and no `10.99.0.0/24` routing.
`askari` is provisioned and managed independently of the Proxmox cluster — it `askari` is provisioned and managed independently of the Proxmox cluster — it must
must be reachable even when the homelab is down (its entire purpose). be reachable even when the homelab is down (its entire purpose), which is also why
the mesh coordinator lives here: an off-site control plane survives a homelab outage.
FQDN: `askari.baobab.band`. FQDN: `askari.baobab.band`.
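Review bot: the paragraph justifies hosting the coordinator on `askari` because an off-site control plane survives a homelab outage, but the converse dependency is not stated: with management, signal and relay all on one VPS, an `askari` outage means peers cannot enroll or negotiate new connections, and the `mgmt` administration path described in this section goes down with it, so the external monitor and the mesh control plane now share a single point of failure. Suggest adding one sentence on that failure mode and the fallback for administering OPNsense and Proxmox when `askari` is unreachable (local `mgmt` access or console).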