Network Topology
Traffic Flow
```mermaid
graph LR
    Internet -->|HTTPS| Caddy[Caddy WAF<br>bastion 38.19.202.151]
    Caddy -->|WireGuard| Traefik[Traefik<br>K8s Ingress]
    Traefik --> Pods[Application Pods]
    subgraph WireGuard Mesh
        Caddy <-->|10.10.0.1| K8s[K8s Nodes<br>10.10.1.x]
        Caddy <-->|10.10.0.1| ED[EliteDesk<br>10.10.0.150]
        Caddy <-->|10.10.0.1| TC[ThinkCentre<br>10.10.0.50]
        ED -->|NAT| SigNoz[SigNoz LXC<br>10.0.0.201]
        TC -->|NAT| OneUptime[OneUptime LXC<br>10.0.0.51]
    end
```

OTel Telemetry Flow
```mermaid
graph LR
    OTEL_K8S[K8s OTel DaemonSet<br>3 pods] -->|OTLP| RELAY[Bastion Relay<br>10.10.0.1:4317]
    OTEL_B[Bastion OTel Collector] -->|OTLP| SIGNOZ[SigNoz<br>10.0.0.201:4317]
    RELAY -->|OTLP| SIGNOZ
```

K8s nodes cannot reach 10.0.0.x directly (no route). The bastion acts as an OTel relay: the K8s DaemonSet sends to 10.10.0.1:4317, and the bastion forwards to SigNoz at 10.0.0.201:4317.
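
The relay hop described above, sketched as OpenTelemetry Collector configuration. This is an added example, not the configuration actually deployed on the bastion. It assumes the relay is a Collector pipeline, that OTLP is gRPC without TLS inside the WireGuard mesh, and that all three signal types are forwarded.

```yaml
# Bastion relay (assumed to be an OpenTelemetry Collector pipeline).
receivers:
  otlp:
    protocols:
      grpc:
        # Bind to the WireGuard address only. Binding 0.0.0.0:4317 would
        # also expose the receiver on the bastion's public interface.
        endpoint: 10.10.0.1:4317

processors:
  batch: {}

exporters:
  otlp:
    # SigNoz on the home LAN, reachable from the bastion but not from K8s nodes.
    endpoint: 10.0.0.201:4317
    tls:
      insecure: true   # assumption: plaintext gRPC on this path

service:
  pipelines:
    # Assumption: traces, metrics and logs are all relayed.
    traces:
      receivers: [otlp]
      processors: [batch]
      exporters: [otlp]
    metrics:
      receivers: [otlp]
      processors: [batch]
      exporters: [otlp]
    logs:
      receivers: [otlp]
      processors: [batch]
      exporters: [otlp]
---
# K8s DaemonSet collector, exporter section only: it targets the relay,
# because 10.0.0.201 is not routable from 10.10.1.0/24.
exporters:
  otlp:
    endpoint: 10.10.0.1:4317
    tls:
      insecure: true   # assumption: WireGuard provides transport encryption
```

A firewall rule on the bastion that accepts port 4317 only from 10.10.1.0/24 on the WireGuard interface gives a second layer if the bind address is ever changed.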
WireGuard Subnet Layout
| Subnet | Purpose | Hosts |
|---|---|---|
| 10.10.0.0/24 | Management | bastion (.1), Mac (.10), ER706W (.20), EliteDesk (.150), ThinkCentre (.50) |
| 10.10.1.0/24 | K8s nodes | Control plane (.1), Worker 1 (.2), Worker 2 (.3) |
| 10.0.0.0/24 | Home LAN | SigNoz (.201), OneUptime (.51) |
DNS Records
| Domain | Type | Target |
|---|---|---|
| carzying.es | A | 38.19.202.151 |
| www.carzying.es | A | 38.19.202.151 |
| content.carzying.es | A | 38.19.202.151 |
| argocd.quinza.dev | CNAME | Cloudflare proxied |
| dogs.quinza.dev | CNAME | Cloudflare Tunnel |
| ops.quinza.dev | CNAME | Cloudflare Tunnel |