viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

consolidate MetalLB IPs: 5 → 1 (10.0.20.200)

Browse source 
Migrate all 11 LoadBalancer services to share 10.0.20.200:
- Update annotations: metallb.universe.tf → metallb.io
- Pin all services to 10.0.20.200 with allow-shared-ip: shared
- Standardize externalTrafficPolicy to Cluster (required for IP sharing)
- Remove redundant port 80 (roundcube) from mailserver LB
- Update CoreDNS forward: 10.0.20.204 → 10.0.20.200
- Update cloudflared tunnel target: 10.0.20.202 → 10.0.20.200

Services consolidated: coturn, headscale, kms, qbittorrent, shadowsocks,
torrserver, wireguard, mailserver, traefik, xray, technitium
This commit is contained in:
Viktor Barzin 2026-03-24 18:35:43 +02:00
parent fc432197aa
commit c49e4561a3
18 changed files with 49 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

2
stacks/cloudflared/modules/cloudflared/cloudflare.tf
View file

@ -63,7 +63,7 @@ resource "cloudflare_zero_trust_tunnel_cloudflared_config" "sof" {
content { content {
hostname = ingress_rule.value == "viktorbarzin.me" ? ingress_rule.value : "${ingress_rule.value}.viktorbarzin.me" hostname = ingress_rule.value == "viktorbarzin.me" ? ingress_rule.value : "${ingress_rule.value}.viktorbarzin.me"
path = "/" path = "/"
service = "https://10.0.20.202:443" service = "https://10.0.20.200:443"
origin_request { origin_request {
no_tls_verify = true no_tls_verify = true
} }

4
stacks/coturn/main.tf
View file

@ -193,8 +193,8 @@ resource "kubernetes_service" "coturn" {
name = "coturn" name = "coturn"
namespace = kubernetes_namespace.coturn.metadata[0].name namespace = kubernetes_namespace.coturn.metadata[0].name
annotations = { annotations = {
"metallb.universe.tf/loadBalancerIPs" = "10.0.20.200" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.universe.tf/allow-shared-ip" = "shared" "metallb.io/allow-shared-ip" = "shared"
} }
} }

3
stacks/headscale/modules/headscale/main.tf
View file

@ -287,7 +287,8 @@ resource "kubernetes_service" "headscale-server" {
"app" = "headscale" "app" = "headscale"
} }
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" : "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
} }

3
stacks/kms/main.tf
View file

@ -181,7 +181,8 @@ resource "kubernetes_service" "windows_kms" {
app = "kms-service" app = "kms-service"
} }
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" = "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
} }

15
stacks/mailserver/modules/mailserver/main.tf
View file

@ -460,15 +460,14 @@ resource "kubernetes_service" "mailserver" {
} }
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" = "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
} }
spec { spec {
type = "LoadBalancer" type = "LoadBalancer"
load_balancer_ip = "10.0.20.201" external_traffic_policy = "Cluster"
# external_traffic_policy = "Cluster"
external_traffic_policy = "Local"
selector = { selector = {
app = "mailserver" app = "mailserver"
} }
@ -500,12 +499,6 @@ resource "kubernetes_service" "mailserver" {
port = 993 port = 993
target_port = "imap-secure" target_port = "imap-secure"
} }
port {
name = "roundcube"
protocol = "TCP"
port = 80
}
} }
} }

2
stacks/platform/modules/cloudflared/cloudflare.tf
View file

@ -63,7 +63,7 @@ resource "cloudflare_zero_trust_tunnel_cloudflared_config" "sof" {
content { content {
hostname = ingress_rule.value == "viktorbarzin.me" ? ingress_rule.value : "${ingress_rule.value}.viktorbarzin.me" hostname = ingress_rule.value == "viktorbarzin.me" ? ingress_rule.value : "${ingress_rule.value}.viktorbarzin.me"
path = "/" path = "/"
service = "https://10.0.20.202:443" service = "https://10.0.20.200:443"
origin_request { origin_request {
no_tls_verify = true no_tls_verify = true
} }

3
stacks/platform/modules/headscale/main.tf
View file

@ -283,7 +283,8 @@ resource "kubernetes_service" "headscale-server" {
"app" = "headscale" "app" = "headscale"
} }
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" : "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
} }

12
stacks/platform/modules/mailserver/main.tf
View file

@ -460,14 +460,14 @@ resource "kubernetes_service" "mailserver" {
} }
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" = "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
} }
spec { spec {
type = "LoadBalancer" type = "LoadBalancer"
# external_traffic_policy = "Cluster" external_traffic_policy = "Cluster"
external_traffic_policy = "Local"
selector = { selector = {
app = "mailserver" app = "mailserver"
} }
@ -499,12 +499,6 @@ resource "kubernetes_service" "mailserver" {
port = 993 port = 993
target_port = "imap-secure" target_port = "imap-secure"
} }
port {
name = "roundcube"
protocol = "TCP"
port = 80
}
} }
} }

8
stacks/platform/modules/technitium/main.tf
View file

@ -74,7 +74,7 @@ resource "kubernetes_config_map" "coredns" {
rcode NXDOMAIN rcode NXDOMAIN
fallthrough fallthrough
} }
forward . 10.0.20.204 # Technitium LoadBalancer forward . 10.0.20.200 # Technitium LoadBalancer
cache { cache {
success 10000 300 6 success 10000 300 6
denial 10000 300 60 denial 10000 300 60
@ -265,6 +265,10 @@ resource "kubernetes_service" "technitium-dns" {
labels = { labels = {
"app" = "technitium" "app" = "technitium"
} }
annotations = {
"metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
}
} }
spec { spec {
@ -274,7 +278,7 @@ resource "kubernetes_service" "technitium-dns" {
port = 53 port = 53
protocol = "UDP" protocol = "UDP"
} }
external_traffic_policy = "Local" external_traffic_policy = "Cluster"
selector = { selector = {
"dns-server" = "true" "dns-server" = "true"
} }

5
stacks/platform/modules/traefik/main.tf
View file

@ -144,10 +144,11 @@ resource "helm_release" "traefik" {
service = { service = {
type = "LoadBalancer" type = "LoadBalancer"
annotations = { annotations = {
"metallb.io/loadBalancerIPs" = "10.0.20.202" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
spec = { spec = {
externalTrafficPolicy = "Local" externalTrafficPolicy = "Cluster"
} }
} }

3
stacks/platform/modules/wireguard/main.tf
View file

@ -209,7 +209,8 @@ resource "kubernetes_service" "wireguard" {
name = "wireguard" name = "wireguard"
namespace = kubernetes_namespace.wireguard.metadata[0].name namespace = kubernetes_namespace.wireguard.metadata[0].name
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" = "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
labels = { labels = {
"app" = "wireguard" "app" = "wireguard"

3
stacks/servarr/qbittorrent/main.tf
View file

@ -146,7 +146,8 @@ resource "kubernetes_service" "qbittorrent-torrenting" {
} }
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" = "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
} }

3
stacks/shadowsocks/main.tf
View file

@ -117,7 +117,8 @@ resource "kubernetes_service" "mailserver" { # rename me
app = "shadowsocks" app = "shadowsocks"
} }
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" = "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
} }

9
stacks/technitium/modules/technitium/main.tf
View file

@ -74,7 +74,7 @@ resource "kubernetes_config_map" "coredns" {
rcode NXDOMAIN rcode NXDOMAIN
fallthrough fallthrough
} }
forward . 10.0.20.204 # Technitium LoadBalancer forward . 10.0.20.200 # Technitium LoadBalancer
cache { cache {
success 10000 300 6 success 10000 300 6
denial 10000 300 60 denial 10000 300 60
@ -265,7 +265,10 @@ resource "kubernetes_service" "technitium-dns" {
labels = { labels = {
"app" = "technitium" "app" = "technitium"
} }
annotations = {} annotations = {
"metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
}
} }
spec { spec {
@ -275,7 +278,7 @@ resource "kubernetes_service" "technitium-dns" {
port = 53 port = 53
protocol = "UDP" protocol = "UDP"
} }
external_traffic_policy = "Local" external_traffic_policy = "Cluster"
selector = { selector = {
"dns-server" = "true" "dns-server" = "true"
} }

3
stacks/tor-proxy/main.tf
View file

@ -242,7 +242,8 @@ resource "kubernetes_service" "torrserver-bt" {
app = "torrserver-bt" app = "torrserver-bt"
} }
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" = "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
} }

5
stacks/traefik/modules/traefik/main.tf
View file

@ -144,10 +144,11 @@ resource "helm_release" "traefik" {
service = { service = {
type = "LoadBalancer" type = "LoadBalancer"
annotations = { annotations = {
"metallb.io/loadBalancerIPs" = "10.0.20.202" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
spec = { spec = {
externalTrafficPolicy = "Local" externalTrafficPolicy = "Cluster"
} }
} }

3
stacks/wireguard/modules/wireguard/main.tf
View file

@ -209,7 +209,8 @@ resource "kubernetes_service" "wireguard" {
name = "wireguard" name = "wireguard"
namespace = kubernetes_namespace.wireguard.metadata[0].name namespace = kubernetes_namespace.wireguard.metadata[0].name
annotations = { annotations = {
"metallb.universe.tf/allow-shared-ip" = "shared" "metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
} }
labels = { labels = {
"app" = "wireguard" "app" = "wireguard"

4
stacks/xray/modules/xray/main.tf
View file

@ -189,6 +189,10 @@ resource "kubernetes_service" "xray-reality" {
labels = { labels = {
"app" = "xray" "app" = "xray"
} }
annotations = {
"metallb.io/loadBalancerIPs" = "10.0.20.200"
"metallb.io/allow-shared-ip" = "shared"
}
} }
spec { spec {