# Access Workflows

## Access Matrix
| Access Method | Source | Target | Authentication | Use Case |
|---|---|---|---|---|
| WireGuard + SSH | Home PC | Hub (all services) | Key + WireGuard key | Full management access |
| WireGuard + kubectl | Home PC | K3s API | Kubeconfig + WireGuard | Cluster operations |
| WireGuard + Browser | Home PC | Rancher/Grafana | WireGuard + Authelia TOTP | Dashboard access (home) |
| HTTPS + ttyd | Defence workstation | DMZ -> Hub | Authelia TOTP | Terminal access (Defence) |
| HTTPS + Browser | Defence workstation | Rancher/Grafana | Authelia TOTP | Dashboard access (Defence) |
| SSH (ProxyJump) | Home PC | Beast | Key + WireGuard + jump | Dev node access |
## Claude Code Remote (Home)
The primary development workflow uses Claude Code on the home workstation, connected to the cluster via WireGuard.
```mermaid
sequenceDiagram
    participant CC as Claude Code
    participant Local as Local Terminal
    participant WG as WireGuard Tunnel
    participant Hub as Hub (10.0.2.1)
    participant K3s as K3s API (6443)
    CC->>Local: Execute command
    Local->>WG: Route via tunnel
    WG->>Hub: SSH / kubectl / helm
    Hub->>K3s: Cluster operations
    K3s-->>Hub: Response
    Hub-->>WG: Return
    WG-->>Local: Result
    Local-->>CC: Output
```
### Setup

- WireGuard active on home PC (`wg-quick up lron`)
- SSH config in `~/.ssh/config` with Hub, DMZ, Beast entries
- Kubeconfig at `~/.kube/lron.yaml` pointing to `10.0.2.1:6443`
- `KUBECONFIG` env var set or `--kubeconfig` flag used
### Available Operations

| Operation | Command | Via |
|---|---|---|
| SSH to Hub | `ssh hub-wg` | WireGuard + SSH |
| SSH to DMZ | `ssh dmz` | Direct (public IP) or WireGuard |
| SSH to Beast | `ssh beast` | WireGuard + ProxyJump via Hub |
| kubectl | `kubectl --kubeconfig=~/.kube/lron.yaml get pods` | WireGuard + K3s API |
| Helm | `helm --kubeconfig=~/.kube/lron.yaml list -A` | WireGuard + K3s API |
| Rancher UI | Browser: https://rancher.vdhome.be | WireGuard or HTTPS |
| Grafana | Browser: https://grafana.vdhome.be | WireGuard or HTTPS |
| OpenTofu | `cd tofu/ && tofu plan` | Hetzner API (direct) |
| Ansible | `cd ansible/ && ansible-playbook site.yml` | WireGuard + SSH |
## Defence Workstation via ttyd
Defence workstations are locked down -- no VPN client, no SSH client, only a web browser. Access is provided via ttyd (web terminal) behind Authelia authentication.
```mermaid
sequenceDiagram
    participant DW as Defence Workstation
    participant Browser as Browser
    participant Caddy as Caddy (DMZ)
    participant Auth as Authelia
    participant Ttyd as ttyd (DMZ)
    participant Tmux as tmux session
    DW->>Browser: Navigate to ttyd.vdhome.be
    Browser->>Caddy: HTTPS request
    Caddy->>Auth: forward_auth check
    Auth-->>Browser: Redirect to auth.vdhome.be
    Browser->>Auth: Enter TOTP code
    Auth-->>Caddy: Auth OK (set cookie)
    Caddy->>Ttyd: Proxy WebSocket
    Ttyd->>Tmux: Attach/create session
    Tmux-->>Browser: Terminal in browser
```
### Capabilities from Defence Workstation
| Capability | Available | How |
|---|---|---|
| Terminal access | Yes | ttyd -> tmux |
| kubectl | Yes | Via tmux session on DMZ, kubeconfig available |
| File editing | Yes | vim/nano in tmux |
| Git operations | Yes | git CLI in tmux |
| Grafana dashboards | Yes | Browser: grafana.vdhome.be |
| Rancher UI | Yes | Browser: rancher.vdhome.be |
| Helm operations | Yes | Via tmux |
| SSH to Hub | Yes | From tmux: ssh hub (private network) |
| SSH to Beast | Yes | From tmux: ssh beast (via Hub jump) |
### Limitations
| Limitation | Reason | Workaround |
|---|---|---|
| No clipboard paste | ttyd security default | Type manually or use tmux buffer |
| No file upload | No SCP/SFTP from browser | git push/pull for file transfer |
| Session timeout | Authelia 1h inactivity | Re-authenticate with TOTP |
| Single session | tmux shared session | Intentional -- screen sharing |
## SSH Configuration

```sshconfig
# ~/.ssh/config (home workstation)

# Direct access via public IP
Host hub
    HostName <hub-public-ip>
    Port 2222
    User deploy
    IdentityFile ~/.ssh/lron_ed25519

# Access via WireGuard tunnel (preferred)
Host hub-wg
    HostName 10.0.2.1
    Port 2222
    User deploy
    IdentityFile ~/.ssh/lron_ed25519

Host dmz
    HostName <dmz-public-ip>
    Port 2222
    User deploy
    IdentityFile ~/.ssh/lron_ed25519

# Beast requires jump through Hub (no public IP)
Host beast
    HostName 10.0.1.3
    Port 2222
    User deploy
    IdentityFile ~/.ssh/lron_ed25519
    ProxyJump hub-wg
```
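As an added check (example code, not part of the project), the following Python lints an ssh_config against the access model above: port 2222 and the single ed25519 key on every host, a ProxyJump that points at a defined alias, and any host on the private network reachable only through `ProxyJump hub-wg`. The sample config is a constructed excerpt of the block above; treating `10.0.1.0/24` as the private network is an assumption inferred from Beast's address.

```python
# Added example (not project code): lint an ssh_config against the documented access model.
import ipaddress

# Constructed excerpt of the page's ~/.ssh/config: the WireGuard path to Hub and the jump to Beast.
SAMPLE_SSH_CONFIG = """
Host hub-wg
  HostName 10.0.2.1
  Port 2222
  IdentityFile ~/.ssh/lron_ed25519
Host beast
  HostName 10.0.1.3
  Port 2222
  IdentityFile ~/.ssh/lron_ed25519
  ProxyJump hub-wg
"""
PRIVATE_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed: private network, hosts have no public IP
EXPECTED = {"port": "2222", "identityfile": "~/.ssh/lron_ed25519"}  # non-default port, single key

def parse_ssh_config(text):
    """Minimal ssh_config parser: 'Host <alias>' opens a block, keyword/value lines fill it."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            current = value.strip()
            hosts[current] = {}
        elif current is not None:
            hosts[current][key.lower()] = value.strip()
    return hosts

def check_access_policy(hosts):
    """Return violations of the documented model; an empty list means the config conforms."""
    findings = []
    for alias, opts in hosts.items():
        for key, want in EXPECTED.items():
            if opts.get(key) != want:
                findings.append(f"{alias}: {key} must be {want}")
        jump = opts.get("proxyjump")
        if jump and jump not in hosts:
            findings.append(f"{alias}: ProxyJump target '{jump}' is not defined")
        try:
            private = ipaddress.ip_address(opts.get("hostname", "")) in PRIVATE_NET
        except ValueError:
            continue  # DNS name or <placeholder>: no address-based rule applies
        if private and jump != "hub-wg":
            findings.append(f"{alias}: private-network host must use 'ProxyJump hub-wg'")
    return findings
```

Running `check_access_policy(parse_ssh_config(SAMPLE_SSH_CONFIG))` on the excerpt returns no findings; a Beast entry that drops the jump or reverts to port 22 is reported.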
### Key management

A single ed25519 key pair is used for all VMs. The key is generated locally and its public half is distributed via Ansible. The private key stays on the home workstation; the only other copy is a backup in Bitwarden.