Deepthink R1
Here’s the revised network diagram with your specified IP addresses and gateway:
Network Diagram

```
+--------------------------------------------------------------------------------+
|                                Home Lab Network                                |
|                     (IPv4-only, Subnet: 192.168.123.0/24)                      |
|                                                                                |
|  +-------------------------------+          +-------------------------------+  |
|  | Physical Machine 1            |          | Physical Machine 2            |  |
|  | IP: 192.168.123.100           |          | IP: 192.168.123.230           |  |
|  | +----------------------------+|          | +----------------------------+|  |
|  | | NFS Server                 ||          | | VM2 (Worker Node)          ||  |
|  | | - Exports: /mnt/nfs_share  ||          | | - IP: 192.168.123.222      ||  |
|  | | - NFS Port: 2049/TCP       ||          | | - Apps:                    ||  |
|  | +----------------------------+|          | |   - Vaultwarden            ||  |
|  |                               |          | |   - Paperless-ngx          ||  |
|  | +----------------------------+|          | +----------------------------+|  |
|  | | VM1 (Master Node)          ||          +-------------------------------+  |
|  | | - IP: 192.168.123.221      ||                                             |
|  | | - k3s Control Plane        ||                                             |
|  | |   - kube-apiserver (6443)  ||                                             |
|  | |   - etcd (embedded)        ||                                             |
|  | |   - MetalLB Controller     ||                                             |
|  | |   - Nginx Ingress          ||                                             |
|  | +----------------------------+|                                             |
|  |                               |                                             |
|  | +----------------------------+|                                             |
|  | | VM3 (Worker Node)          ||                                             |
|  | | - IP: 192.168.123.223      ||                                             |
|  | | - Apps:                    ||                                             |
|  | |   - Nextcloud              ||                                             |
|  | |   - Bookstack              ||                                             |
|  | +----------------------------+|                                             |
|  +-------------------------------+                                             |
|                                                                                |
|                  |                                                             |
|                  |                                                             |
|  +--------------------------------------------------------------------------+  |
|  | Default Gateway: 192.168.123.254                                         |  |
|  +--------------------------------------------------------------------------+  |
+--------------------------------------------------------------------------------+
```

Key Components & IP Assignments
| Component | IP Address | Role |
|---|---|---|
| Physical Machine 1 | 192.168.123.100 | Hosts NFS Server, VM1 (Master), VM3 (Worker) |
| Physical Machine 2 | 192.168.123.230 | Hosts VM2 (Worker) |
| VM1 (Master Node) | 192.168.123.221 | k3s Control Plane, MetalLB, Nginx Ingress |
| VM2 (Worker Node) | 192.168.123.222 | Runs Vaultwarden, Paperless-ngx |
| VM3 (Worker Node) | 192.168.123.223 | Runs Nextcloud, Bookstack |
| NFS Server | 192.168.123.100 | Shared storage for all nodes |
| Gateway | 192.168.123.254 | Router for external traffic |
Traffic Flow
- External User Access:
  User → MetalLB VIP (e.g., 192.168.123.200) → Nginx Ingress (VM1) → App Pod (VM2/VM3) → NFS Storage (192.168.123.100)
- Inter-Node Communication:
  - k3s API: Workers (VM2/VM3) connect to Master (VM1) on 6443/TCP.
  - Flannel Networking: Pod-to-pod traffic over 8472/UDP.
  - NFS Access: All nodes mount /mnt/nfs_share from 192.168.123.100:2049.
Critical Ports & Protocols
| Port | Protocol | Purpose | Direction |
|---|---|---|---|
| 6443 | TCP | k3s API Server (Master) | Workers → Master |
| 8472 | UDP | Flannel VXLAN (Pod Networking) | All Nodes ↔ All Nodes |
| 2049 | TCP | NFS Storage Access | All Nodes → NFS Server |
| 80/443 | TCP | Ingress (HTTP/HTTPS Traffic) | External → Nginx Ingress (VM1) |
App Deployment Strategy
- VM2 (192.168.123.222):
  ```yaml
  # vaultwarden.yaml (example)
  # In a Deployment or StatefulSet this nodeSelector sits under spec.template.spec;
  # the label value must match the node name shown by `kubectl get nodes`.
  spec:
    nodeSelector:
      kubernetes.io/hostname: vm2  # Force scheduling on VM2
  ```
- VM3 (192.168.123.223):
  ```yaml
  # nextcloud.yaml (example)
  spec:
    nodeSelector:
      kubernetes.io/hostname: vm3  # Force scheduling on VM3
  ```
Security Configuration
- Disable IPv6 (All Nodes):
  ```sh
  echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf
  sysctl -p
  ```
- Firewall Rules (Alpine Linux):
  ```sh
  # Allow essential traffic
  iptables -A INPUT -p tcp --dport 6443 -j ACCEPT   # k3s API
  iptables -A INPUT -p udp --dport 8472 -j ACCEPT   # Flannel
  iptables -A INPUT -p tcp --dport 2049 -j ACCEPT   # NFS
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT     # HTTP
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT    # HTTPS
  # Alpine's OpenRC iptables service restores /etc/iptables/rules-save at boot
  iptables-save > /etc/iptables/rules-save
  ```
- NFS Security: Restrict exports to the subnet in /etc/exports:
  ```
  /mnt/nfs_share 192.168.123.0/24(rw,sync,no_root_squash)
  ```
Troubleshooting Connectivity
- Verify NFS Access:
  ```sh
  showmount -e 192.168.123.100   # From any node
  ```
- Check Node Communication:
  ```sh
  ping 192.168.123.254           # Test gateway connectivity
  nc -zv 192.168.123.221 6443    # Test k3s API access from worker
  ```
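A defender-side check that follows from the NFS export line in the reply above, added here as an example and not part of the assistant's answer: a small parser for `/etc/exports` syntax that flags options worth a second look (`no_root_squash`, `insecure`, wildcard clients, and `rw` granted to a whole subnet rather than to the three node IPs). The sample exports text is constructed (it copies the page's export line and adds a per-host line for contrast), and `parse_exports` / `lint_exports` are names chosen for this example.

```python
"""Lint /etc/exports entries for options a defender would want to review.

Added example; not part of the assistant's reply. EXPORTS_TEXT is a constructed
sample, and parse_exports / lint_exports are names chosen here.
"""
import re
from dataclasses import dataclass

# Constructed sample input (not a real file from the lab).
EXPORTS_TEXT = """\
# /etc/exports (constructed sample)
/mnt/nfs_share 192.168.123.0/24(rw,sync,no_root_squash)
/mnt/backups   192.168.123.221(ro,sync) 192.168.123.222(ro,sync)
"""

# A client entry is either "client(opt,opt,...)" or a bare "client".
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


@dataclass
class Export:
    path: str
    clients: list  # [(client, [option, ...]), ...]


def parse_exports(text):
    """Parse exports(5)-style lines: '<path> <client>(opts) <client>(opts) ...'.

    Comments and blank lines are skipped; quoted paths containing spaces are
    not handled by this example.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        clients = []
        for m in CLIENT_RE.finditer(rest):
            if m.group(1) is not None:
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                clients.append((m.group(1), opts))
            else:
                # Bare client: the server's default options apply.
                clients.append((m.group(3), []))
        exports.append(Export(path, clients))
    return exports


def lint_exports(exports):
    """Return (path, client, severity, message) tuples for entries worth review."""
    findings = []
    for ex in exports:
        for client, opts in ex.clients:
            opt_set = set(opts)
            if "no_root_squash" in opt_set:
                findings.append((ex.path, client, "HIGH",
                                 "no_root_squash: remote root keeps uid 0 on the export"))
            if "insecure" in opt_set:
                findings.append((ex.path, client, "MEDIUM",
                                 "insecure: mount requests accepted from ports above 1024"))
            if client.startswith("*"):
                findings.append((ex.path, client, "HIGH",
                                 "wildcard client pattern: review which hosts it matches"))
            if "rw" in opt_set and "/" in client:
                findings.append((ex.path, client, "LOW",
                                 "rw to a whole subnet; listing the node IPs is tighter"))
    return findings


if __name__ == "__main__":
    for path, client, sev, msg in lint_exports(parse_exports(EXPORTS_TEXT)):
        print(f"{sev:6} {path} {client}: {msg}")
```

Run it against a copy of the server's real `/etc/exports` by reading the file into `parse_exports`; the page's line produces one HIGH finding for `no_root_squash` and one LOW finding for the subnet-wide `rw`, while the per-host read-only line produces none.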