viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

dns: pfSense forward-zone for viktorbarzin.me, nodes fully stock [ci skip]

Browse source 
Round 3 of the forgejo-pull hairpin fix (per Viktor: no per-node
customization — split-brain lives in the DNS infra):

- pfSense Unbound domain override viktorbarzin.me -> Technitium
  10.0.20.201 (applied via php write_config, backup on-box). Every
  Unbound client on every VLAN now gets the internal split-horizon
  answers (live Traefik IP via apex CNAME) with zero per-host config.
- CoreDNS carve-out (TF, applied): dedicated viktorbarzin.me:53 block —
  forgejo pinned to Traefik ClusterIP via data source (pods cannot reach
  the ETP=Local LB IP pfSense now returns), all other .me names kept on
  public resolvers (pods' pre-existing behavior). Replaces the .:53
  forgejo rewrite.
- Removed the same-day resolved routing-domain drop-ins from all 7 nodes;
  node5/6 link DNS repointed Technitium -> pfSense (netplan + qm 205/206)
  for fleet parity; cloud-init no longer writes any DNS drop-ins.
- Docs: dns.md, pfsense-unbound runbook (override + rollback), registry
  bullet, post-mortem final-architecture addendum.

Verified: nodes resolve forgejo -> .203 via pfSense, crictl pull OK,
pods resolve forgejo -> ClusterIP / others -> public, mail record works,
.lan zone unaffected.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-10 08:32:34 +00:00
parent 1ee1bf0817
commit 2b8c0def30
8 changed files with 182 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

6
modules/create-template-vm/k8s-node-containerd-setup.sh
View file

@ -54,9 +54,9 @@ GHCR
# Host/SNI and 404s the mirror's bare-IP requests, and the registry's
# Bearer auth realm is the absolute https://forgejo.viktorbarzin.me/v2/token
# URL fetched outside the mirror). What actually keeps forgejo pulls
# internal is the systemd-resolved routing domain ~viktorbarzin.me ->
# Technitium (viktorbarzin.conf, written by cloud_init.yaml), which
# resolves forgejo to the live Traefik LB via the split-horizon zone.
# internal is the pfSense Unbound domain override forwarding
# viktorbarzin.me -> Technitium, whose split-horizon zone serves the live
# Traefik LB IP (no node-side DNS config at all).
# Kept for config uniformity; harmless. See
# docs/post-mortems/2026-06-10-tuya-bridge-forgejo-pull-hairpin.md.
mkdir -p /etc/containerd/certs.d/forgejo.viktorbarzin.me