Diagram
Here’s a text-based network diagram for your Alpine Linux-based k3s cluster with NFS storage, IPv6 disabled, and self-hosted apps:
Network Diagram
```
+---------------------------------------------------------------------------+
|                             Home Lab Network                              |
|                     (IPv4-only, e.g., 192.168.1.0/24)                     |
|                                                                           |
|  +-----------------------------+     +-----------------------------+      |
|  |     Physical Machine 1      |     |     Physical Machine 2      |      |
|  | +-------------------------+ |     | +-------------------------+ |      |
|  | |       NFS Server        | |     | |    VM2 (Worker Node)    | |      |
|  | | - IP: 192.168.1.5       | |     | | - IP: 192.168.1.11      | |      |
|  | | - Exports: /mnt/nfs     | |     | | - k3s Agent             | |      |
|  | |   (NFS v4, RW access)   | |     | | - Apps:                 | |      |
|  | +------------|------------+ |     | |   - Vaultwarden         | |      |
|  |              |              |     | |   - Paperless-ngx       | |      |
|  | +------------|------------+ |     | +------------|------------+ |      |
|  | |   VM1 (Master Node)     | |     +--------------|--------------+      |
|  | | - IP: 192.168.1.10      | |                   |                      |
|  | | - k3s Control Plane     | |                   |                      |
|  | |   - kube-apiserver      | |                   |                      |
|  | |   - etcd (embedded)     | |                   |                      |
|  | |   - MetalLB Controller  | |                   |                      |
|  | |   - Nginx Ingress       | |                   |                      |
|  | +------------|------------+ |                   |                      |
|  +--------------|--------------+                   |                      |
|                |                                   |                      |
|                +-----------------+-----------------+                      |
|                                  |                                        |
|                           Router/Gateway                                  |
|                         (e.g., 192.168.1.1)                               |
+---------------------------------------------------------------------------+
```
Key Components & Connections
- Physical Machines:
  - Machine 1: Hosts the NFS Server (`192.168.1.5`) and VM1 (Master Node, `192.168.1.10`).
  - Machine 2: Hosts VM2 (Worker Node, `192.168.1.11`).
- k3s Cluster:
  - Master Node (VM1):
    - Runs `kube-apiserver`, `etcd`, and `k3s-server`.
    - Hosts MetalLB Controller and Nginx Ingress.
  - Worker Node (VM2):
    - Runs apps (`Nextcloud`, `Vaultwarden`, etc.) as pods.
    - Connects to the NFS server for persistent storage.
- NFS Storage:
  - Shared directory `/mnt/nfs` mounted by pods via `PersistentVolumeClaim`.
  - Accessible to all nodes over port `2049`.
- Networking:
  - Flannel: Pod-to-pod communication over UDP port `8472`.
  - MetalLB: Assigns external IPs (e.g., `192.168.1.200-192.168.1.250`) to `LoadBalancer` services.
  - Nginx Ingress: Routes HTTP/HTTPS traffic to apps (port `80/443`).
- Traffic Flow:
  External User → MetalLB VIP (e.g., 192.168.1.200) → Nginx Ingress → App Pod (Worker Node) → NFS Storage
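The Key Components list names the cluster objects (a MetalLB address pool, `LoadBalancer` services fronted by Nginx Ingress, NFS-backed `PersistentVolumeClaim`s) without showing them. The script below is an added example written for this answer, not part of the original reply: it prints those manifests as YAML so they can be piped to `kubectl apply -f -`. The MetalLB range, the NFS server address and the export path are the values given above; the `apps` namespace, the one-subdirectory-per-app layout under `/mnt/nfs`, the volume sizes, the hostname `vault.home.example` and the TLS secret name are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the Key Components list (not from the original answer).
# Prints Kubernetes manifests to stdout; pipe the output to: kubectl apply -f -
# Page-given: MetalLB range, NFS server 192.168.1.5, export /mnt/nfs, nginx ingress.
# Assumed: namespace "apps", one subdirectory per app, sizes, hostname, TLS secret.

# MetalLB: the pool is the page's range; L2Advertisement makes a speaker node
# answer ARP for whichever address a LoadBalancer Service is assigned.
gen_metallb_pool() {   # $1 = first address, $2 = last address
  cat <<EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: homelab-pool
  namespace: metallb-system
spec:
  addresses:
    - $1-$2
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: homelab-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - homelab-pool
EOF
}

# NFS-backed storage for one app. A dedicated PV per app subdirectory, pinned
# to its claim with volumeName, means a pod only ever mounts its own directory
# rather than the whole /mnt/nfs export (assumed layout).
gen_nfs_volume() {     # $1 = app name
  cat <<EOF
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nfs-$1
spec:
  capacity:
    storage: 20Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-$1
  mountOptions:
    - nfsvers=4
    - hard
  nfs:
    server: 192.168.1.5
    path: /mnt/nfs/$1
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: $1-data
  namespace: apps
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-$1
  volumeName: nfs-$1
  resources:
    requests:
      storage: 20Gi
EOF
}

# Ingress on the nginx class. With a tls section present, ingress-nginx
# terminates TLS here and redirects plain HTTP to HTTPS by default.
gen_ingress() {        # $1 = app/service name, $2 = hostname, $3 = service port
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $1
  namespace: apps
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - $2
      secretName: $1-tls
  rules:
    - host: $2
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: $1
                port:
                  number: $3
EOF
}

# Everything for one app (Vaultwarden), separated into one multi-document stream.
render_all() {
  gen_metallb_pool 192.168.1.200 192.168.1.250
  echo '---'
  gen_nfs_volume vaultwarden
  echo '---'
  gen_ingress vaultwarden vault.home.example 80
}

if [ "${1:-}" = "render" ]; then render_all; fi
```

Run it as `sh manifests.sh render | kubectl apply -f -`. The TLS secret `vaultwarden-tls` has to exist in the `apps` namespace before the Ingress serves HTTPS; how it is provisioned is outside what the answer covers. Because `/mnt/nfs/vaultwarden` is a subdirectory of the export, the NFS server only needs the single `/mnt/nfs` export line from the diagram.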
Critical Ports
| Component | Port | Protocol | Purpose |
|---|---|---|---|
| k3s API Server | 6443 | TCP | Cluster management |
| Flannel | 8472 | UDP | VXLAN overlay networking |
| NFS Server | 2049 | TCP | Shared storage access |
| MetalLB | 7946 | TCP/UDP | Memberlist (L2 mode) |
| Nginx Ingress | 80/443 | TCP | HTTP/HTTPS routing to apps |
App Deployment Flow
```
+----------------+     +----------------+     +----------------+     +----------------+     +----------------+
| External User  | --> |  MetalLB VIP   | --> | Nginx Ingress  | --> |    App Pod     | --> |  NFS Storage   |
+----------------+     +----------------+     +----------------+     +----------------+     +----------------+
```
Security Notes
- IPv6 Disabled: Configured via `sysctl` on all nodes.
- Firewall Rules:
  - Allow traffic on `6443`, `8472`, `2049`, `80/443`.
  - Block all other ports unless explicitly required.
- NFS Security: Restrict exports to the cluster's subnet (e.g., `192.168.1.0/24`).
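The Security Notes describe the host-side hardening (IPv6 off via `sysctl`, a default-deny firewall that opens only the listed ports, NFS exports limited to the cluster subnet) but give no configuration. The script below is an added example written for this answer, not something from the original reply. It prints the `sysctl.d` fragment, the `/etc/exports` line (the weak form next to the hardened one) and an nftables ruleset per node role, using the subnet, export path and ports given above plus the MetalLB memberlist port 7946 from the Critical Ports table. The SSH port, the `sync`/`root_squash` export options, the role split and the nftables file location are assumptions.

```shell
#!/bin/sh
# Added example for the Security Notes (not from the original answer).
# Every function prints configuration to stdout; redirect it into place on
# the node it belongs to. Page-given values: subnet, export path, ports.

CLUSTER_SUBNET="192.168.1.0/24"   # from the page
NFS_EXPORT="/mnt/nfs"             # from the page
ADMIN_SSH_PORT="22"               # assumption: the page does not mention SSH

# /etc/sysctl.d/90-no-ipv6.conf on every node. "default" covers interfaces
# created later (flannel.1, cni0, veths), so nothing picks up a v6 address
# that the IPv4-only firewall rules below would never see.
gen_sysctl_ipv6() {
  cat <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
}

# /etc/exports: the weak line lets any host mount the share and keeps uid 0,
# so a single mis-addressed client on the LAN owns every app's data. The
# hardened line limits clients to the cluster subnet and maps root to nobody;
# pods then write as their own runAsUser/fsGroup (assumed options).
gen_exports_weak() {
  printf '%s *(rw,no_root_squash,insecure)\n' "$NFS_EXPORT"
}
gen_exports() {
  printf '%s %s(rw,sync,root_squash,no_subtree_check,secure)\n' \
    "$NFS_EXPORT" "$CLUSTER_SUBNET"
}

# nftables ruleset for a node; $1 is master, worker or nfs (the NFS host).
# Input policy is drop; only the Critical Ports are opened, and the
# cluster-internal ones are restricted to the cluster subnet. Forwarded
# traffic (pod traffic and VIP traffic after kube-proxy DNAT) is left to
# kube-proxy and Flannel.
gen_nft_ruleset() {
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    tcp dport $ADMIN_SSH_PORT ip saddr $CLUSTER_SUBNET accept
EOF
  case "$1" in
    master)
      echo "    tcp dport 6443 ip saddr $CLUSTER_SUBNET accept  # k3s API server"
      echo "    udp dport 8472 ip saddr $CLUSTER_SUBNET accept  # Flannel VXLAN"
      echo "    tcp dport 7946 ip saddr $CLUSTER_SUBNET accept  # MetalLB memberlist"
      echo "    udp dport 7946 ip saddr $CLUSTER_SUBNET accept"
      echo "    tcp dport { 80, 443 } accept                    # Nginx Ingress"
      ;;
    worker)
      echo "    udp dport 8472 ip saddr $CLUSTER_SUBNET accept  # Flannel VXLAN"
      echo "    tcp dport 7946 ip saddr $CLUSTER_SUBNET accept  # MetalLB speaker"
      echo "    udp dport 7946 ip saddr $CLUSTER_SUBNET accept"
      echo "    tcp dport { 80, 443 } accept                    # Nginx Ingress"
      ;;
    nfs)
      echo "    tcp dport 2049 ip saddr $CLUSTER_SUBNET accept  # NFSv4"
      ;;
    *)
      echo "unknown role: $1 (expected master, worker or nfs)" >&2
      return 1
      ;;
  esac
  cat <<EOF
  }
  chain forward { type filter hook forward priority 0; policy accept; }
  chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}
```

Typical use on a node: `gen_sysctl_ipv6 > /etc/sysctl.d/90-no-ipv6.conf && sysctl --system`, then `gen_nft_ruleset worker > /etc/nftables.nft && nft -f /etc/nftables.nft && rc-update add nftables` (Alpine's OpenRC service reads that file). On the NFS host, `gen_exports > /etc/exports && exportfs -ra`. Two things to check after loading: `nft list ruleset` on a worker should show no 6443 rule, and `kubectl get nodes` from the master should still report the worker Ready. The answer's port list is what the ruleset opens; k3s additionally uses TCP 10250 (kubelet) between nodes for `kubectl logs` and `kubectl exec`, which is not in the list above and so is not opened here.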
Visualization Tools
For an actual diagram, use:
- Draw.io (recommended for clarity)
- Excalidraw (for a hand-drawn style)
- Lucidchart
Let me know if you need help creating a visual version with specific tools!