Architecture Overview

Purpose

LRON is a personal R&D cloud environment that applies HDCP (Defence Hybrid Datacenter Cloud Partnership) principles at hobby-lab scale. It provides:

  • A Rancher-managed K3s cluster for container workloads
  • A DMZ tier with authenticated web access to development tools
  • An ephemeral ARM dev node (Beast) for burst compute
  • Full-stack observability with metrics, logs, and alerting
  • WAN emulation capabilities for testing degraded network conditions

3-VM Topology

flowchart LR
    subgraph Management["Management Plane"]
        Hub["CX32 Hub<br/>K3s Server + Rancher<br/>Observability Stack"]
    end

    subgraph Public["Public-Facing Tier"]
        DMZ["CX22 DMZ<br/>K3s Agent<br/>Caddy + Authelia"]
    end

    subgraph Compute["Ephemeral Compute"]
        Beast["CAX31 Beast<br/>K3s Agent (ARM)<br/>Dev Workloads"]
    end

    Hub --- DMZ
    Hub --- Beast

    style Hub fill:#1a5276,stroke:#2980b9,color:#fff
    style DMZ fill:#7b241c,stroke:#c0392b,color:#fff
    style Beast fill:#1e8449,stroke:#27ae60,color:#fff

| VM | Role | Always On | K3s Role |
|---|---|---|---|
| CX32 Hub | Cluster control plane, Rancher, observability | Yes | Server |
| CX22 DMZ | Ingress, reverse proxy, authentication | Yes | Agent |
| CAX31 Beast | ARM dev workloads, builds, experiments | No (hourly) | Agent |

Rancher Cluster Layout

Rancher CE runs on the Hub node and manages the single K3s cluster (lron-local). Fleet provides GitOps-based deployment from the fleet/ directory in the repository.

flowchart TB
    Rancher["Rancher CE<br/>(Hub)"]
    Fleet["Fleet Controller"]
    GitLab["GitLab Repo<br/>fleet/ directory"]

    Rancher --> Fleet
    Fleet -->|"watches"| GitLab
    Fleet -->|"deploys to"| Cluster

    subgraph Cluster["lron-local K3s Cluster"]
        NS1["cattle-system"]
        NS2["ingress"]
        NS3["monitoring"]
        NS4["dev"]
    end

    style Rancher fill:#1a5276,stroke:#2980b9,color:#fff

Access Flows

From Home Workstation

sequenceDiagram
    participant Home as Home PC
    participant WG as WireGuard (Hub:51820)
    participant Hub as CX32 Hub
    participant K8s as K3s API

    Home->>WG: WireGuard tunnel connect
    WG->>Hub: Authenticated tunnel established
    Home->>Hub: SSH (port 2222, key-only)
    Home->>K8s: kubectl via kubeconfig (tunnel)
    Home->>Hub: Rancher UI (https, via tunnel)

From Defence Workstation

sequenceDiagram
    participant Def as Defence Workstation
    participant Caddy as Caddy (DMZ:443)
    participant Auth as Authelia
    participant Ttyd as ttyd

    Def->>Caddy: HTTPS to ttyd.vdhome.be
    Caddy->>Auth: Authentication check
    Auth->>Def: TOTP challenge
    Def->>Auth: TOTP response
    Auth->>Caddy: Authenticated
    Caddy->>Ttyd: Proxy to ttyd (forced command)
    Ttyd->>Def: Terminal session in browser

Why two access paths?

The home workstation has full tunnel access via WireGuard. The Defence workstation is restricted to a locked-down browser environment, so access is provided via ttyd (web terminal) behind Authelia TOTP, and no VPN client is needed.
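As an added example (not LRON's own configuration), a Caddyfile fragment for the DMZ node that realises the Caddy → Authelia → ttyd check in the sequence above. The upstream names authelia:9091 and ttyd:7681 and the portal hostname auth.vdhome.be are assumptions; ttyd.vdhome.be is taken from the page.

```caddyfile
# Added example, not the project's Caddyfile. Upstream names (authelia:9091,
# ttyd:7681) and the portal host auth.vdhome.be are assumed.

# Weak: ttyd proxied directly. Anyone who reaches DMZ:443 gets the terminal,
# and the Authelia step in the access flow never happens.
# ttyd.vdhome.be {
#     reverse_proxy ttyd:7681
# }

# Hardened: Caddy asks Authelia to verify every request before proxying.
# Authelia answers 200 for an authenticated session; otherwise Caddy returns
# Authelia's redirect to the portal, where the TOTP challenge is completed.
ttyd.vdhome.be {
    forward_auth authelia:9091 {
        # Forward-auth endpoint (Authelia 4.38+); older releases use
        # /api/verify?rd=https://auth.vdhome.be/ instead.
        uri /api/authz/forward-auth
        # Pass the verified identity to ttyd for logging; ttyd itself never
        # sees a request that Authelia has not accepted.
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy ttyd:7681
}

# The portal must be reachable on the same public listener so the
# redirect above has somewhere to land.
auth.vdhome.be {
    reverse_proxy authelia:9091
}
```

The TOTP requirement itself is not set here but in Authelia's access_control rule for the ttyd domain (policy two_factor); with a default_policy of deny, a host missing from those rules is refused rather than silently allowed.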