Fabric

The fabric is the connective tissue of the homelab — the network layer between physical hardware and the Kubernetes platform. Three sites stitched together by a NetBird mesh, with VLAN segmentation inside the on-prem site and the home network.

This page is the high-level map. Drill-down pages cover individual layers:

  • NetBird — the mesh overlay (peers, ACLs, DNS)
  • UniFi — home LAN gear, VLANs, firewall

The source of truth for everything below is tofu/environment/{edge,production,home,netbird}; this page is a derived snapshot.

Three sites, one mesh

Three environments — edge (Hetzner Cloud), production (on-prem Proxmox cluster), and home (UniFi LAN) — stitched together by a NetBird overlay.

Topology Overview

           ┌──────────────────────────────────────┐
           │           NetBird Overlay            │
           │    api.netbird.io · sys.kueber.eu    │
           └───┬─────────────────┬─────────────┬──┘
               │                 │             │
       ┌───────┘                 │             └──────────┐
       │                         │                         │
┌──────▼──────┐          ┌───────▼────────┐       ┌───────▼──────┐
│    EDGE     │          │   PRODUCTION   │       │     HOME     │
│   Hetzner   │          │    Proxmox     │       │    UniFi     │
│    nbg1     │          │ 3-node cluster │       │              │
└─────────────┘          └────────────────┘       └──────────────┘
  edge_peers              production_peers          home_peers
  (routing                (3× LXC NetBird          (routing peer
  peer on cp-1)             connectors)             on local box)

Each environment has its own NetBird network with one or more resources (subnets) and a routing peer group. Admin access to all three is granted by an Admin <env> Policy bound to the administrators group.


Edge — Hetzner Cloud

Single-node Talos cluster in nbg1, fronted by a Hetzner-managed VPC.

Subnets

| Subnet | CIDR | Notes |
|---|---|---|
| edge | 172.30.0.0/16 | Hetzner Cloud network, delete-protected |
| k8s | 172.30.0.0/24 | Cloud subnet in eu-central, source of all intra-cluster firewall rules |

Hosts

| Host | Private IP | Public | Role |
|---|---|---|---|
| control-plane-1 | 172.30.0.11 | Primary edge-1 + floating IP | Talos control-plane (cx33) |

Firewall (Hetzner, label-selected)

| Firewall | Targets (label) | Ingress | Sources |
|---|---|---|---|
| talos-control | talos_control=true | 50000/tcp (apid), 6443/tcp (kube-api), 2379-2380/tcp (etcd) | 172.30.0.0/24 |
| talos-internal | talos=true | 50001 (trustd), 51871/udp (Cilium WG), 4240/4244/4245/4250 (Cilium/Hubble), 9962-9964 (metrics), 10250 (kubelet) | 172.30.0.0/24 |
| allow-http | http=true | 80, 443 | 0.0.0.0/0 |
| allow-ssh | ssh=true | 22 | 0.0.0.0/0 |

NetBird

  • Network: edge → resource edge Management Subnet = 172.30.0.0/24
  • Groups: edge, edge_peers (routers), edge_sidecar_envoy
  • Routing peer: any peer in edge_peers (e.g. control-plane-1 running NetBird), metric=9999, masquerade
  • Cross-network policy: edge_sidecar_envoy → production public subnet (192.168.105.0/24)

Production — Proxmox Cluster

Three Proxmox nodes (proxmox1/2/3) trunked through UniFi. VLANs are tagged by UniFi, except VLAN 100, which is the native/untagged management VLAN: VMs on it set no vlan_id.

A FritzBox sits upstream of the UniFi router as the WAN gateway. It also hosts its own LAN (192.168.178.0/24, the energy network) for utility / smart-meter devices that need to talk directly to the ISP-managed router. The UniFi router double-NATs out through it.

Router / gateway layout

                     Internet
                         │
                   ┌─────▼──────┐
                   │  FritzBox  │ 192.168.178.1
                   │  (WAN GW)  │
                   └─┬────────┬─┘
                     │        │
  energy LAN         │        │ uplink
  192.168.178.0/24 ──┘        └──┐
  (smart meter,                  │
   energy devices,               ▼
   routed via               ┌──────────┐
   NetBird only)            │  UniFi   │ 192.168.1.1 / .100.1 / …
                            │  router  │
                            └────┬─────┘
                                 │ trunk
                         ┌───────┴────────┐
                        vmbr0 on proxmox1/2/3
                         ├─ VLAN 1   default
                         ├─ VLAN 100 management (untagged)
                         ├─ VLAN 104 storage
                         └─ VLAN 105 public

Reachability between the UniFi side and the energy LAN is asymmetric: hosts behind UniFi can reach 192.168.178.0/24 through the FritzBox uplink, but smart-meter devices on the FritzBox LAN cannot route back into the UniFi VLANs. NetBird is the only path that exposes 192.168.178.0/24 to the rest of the overlay.

VLANs / Subnets

| VLAN | Name | CIDR | Gateway | Upstream | Purpose |
|---|---|---|---|---|---|
| 1 | default | 192.168.1.0/24 | 192.168.1.1 | UniFi | UniFi default LAN |
| 100 | management | 192.168.100.0/24 | 192.168.100.1 | UniFi | Proxmox hosts, Talos VMs, NetBird LXCs (untagged on vmbr0) |
| 104 | storage | 192.168.104.0/24 | 192.168.104.1 | UniFi | TrueNAS / iSCSI / NFS data path |
| 105 | public | 192.168.105.0/24 | 192.168.105.1 | UniFi | Workload-facing / public-routed services |
| n/a | energy | 192.168.178.0/24 | 192.168.178.1 | FritzBox | Energy / smart-meter devices on the FritzBox LAN; reachable from the cluster only via NetBird |

Hosts (management VLAN, 192.168.100.0/24)

| Host | IP | Notes |
|---|---|---|
| proxmox1 | .51 | Hypervisor |
| proxmox2 | .52 | Hypervisor |
| proxmox3 | .53 | Hypervisor |
| lxc-proxmox1-netbird | .71 / .104.71 / .105.71 | NetBird connector LXC (mgmt + storage + public) |
| lxc-proxmox2-netbird | .72 / .104.72 / .105.72 | NetBird connector LXC |
| lxc-proxmox3-netbird | .73 / .104.73 / .105.73 | NetBird connector LXC |
| talos-cp-01 | .101 | Talos control-plane VM (proxmox1) |
| talos-cp-02 | .102 | Talos control-plane VM (proxmox2) |
| talos-cp-03 | .103 | Talos control-plane VM (proxmox3) |
| talos-worker-01 | .111 (+ VLAN 104, 105) | Talos worker VM (proxmox1, GPU passthrough) |
| talos-worker-02 | .112 (+ VLAN 104, 105) | Talos worker VM (proxmox2, GPU passthrough) |
| talos-worker-03 | .113 (+ VLAN 104, 105) | Talos worker VM (proxmox3, GPU passthrough) |
| truenas | .200 | NAS / Longhorn backups / media |

Gateway for VLAN 100: 192.168.100.1.

Bridge layout per Proxmox node

          ┌───────── vmbr0 (trunk) ──────────┐
          │                                  │
   ┌──────┴──────┐                   ┌───────┴───────┐
   │  untagged   │                   │  tagged 104   │
   │  VLAN 100   │                   │   VLAN 105    │
   │   (mgmt)    │                   │ (storage/pub) │
   └─────────────┘                   └───────────────┘
          │                                  │
   pve host + cp-VMs +               worker VMs (extra
   netbird LXC eth0 +                NICs) + netbird
   worker VM eth0                    LXC eth1 / eth2

NetBird

  • Network: production with five resources: default, management, storage, public, energy
  • Groups: production, production_peers (routers), sidecars, workload-talos-homepage, workload-talos-gatus
  • Routing peers: the three lxc-proxmox*-netbird LXCs auto-join production + production_peers via per-LXC one-off setup keys. They egress to the energy subnet through their default route (UniFi → FritzBox), so no extra NIC is needed for 192.168.178.0/24.
  • DNS (zone sys.kueber.eu): proxmox{1,2,3}.production.sys.kueber.eu, truenas.production.sys.kueber.eu

Home — UniFi LAN

The local site, also exposed into NetBird via a routing peer.

Subnets

| Network | CIDR | Purpose |
|---|---|---|
| management | 192.168.0.0/24 | UniFi gateway, Synology NAS, infra |
| iot | 192.168.2.0/24 | IoT / Home Assistant devices |
| private | 192.168.3.0/24 | Trusted clients |
| guest | 192.168.4.0/24 | Guest network |

Known hosts

| Host | IP | DNS (*.home.sys.kueber.eu) |
|---|---|---|
| unifi-home | 192.168.0.1 | unifi-home.home.sys.kueber.eu |
| synology | 192.168.0.5 | synology.home.sys.kueber.eu |
| home-assistant | 192.168.2.20 | home-assistant.home.sys.kueber.eu |

NetBird

  • Network: home with resources for all four subnets (management, iot, private, guest)
  • Routing peer: a single reusable setup key (routing-peers-home) joins home + home_peers

NetBird Overlay

Hosted at api.netbird.io. State for groups, users, tokens, and the shared DNS zone is in the dedicated netbird Tofu environment; each environment then consumes those via data lookups.

Cross-cutting groups

| Group | Owner env | Purpose |
|---|---|---|
| administrators | netbird | Full bidirectional access to every environment |
| sidecars | netbird | Workload sidecars that need overlay membership |

Per-environment networks

| Env | Network | Resources (subnets) | Router peer group |
|---|---|---|---|
| edge | edge | 172.30.0.0/24 | edge_peers |
| production | production | 192.168.1.0/24, 192.168.100.0/24, 192.168.104.0/24, 192.168.105.0/24, 192.168.178.0/24 | production_peers |
| home | home | 192.168.0.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 | home_peers |

Policies

| Policy | Source | Destination | Notes |
|---|---|---|---|
| Admin Edge Policy | administrators | edge | tcp, bidirectional |
| Admin Production Policy | administrators | production | all, bidirectional |
| Admin Home Policy | administrators | home | all, bidirectional |
| Sidecar Envoy Access Prod Public | edge_sidecar_envoy | production resource public | tcp, bidirectional |
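Because every subnet above is advertised into one overlay by a routing peer, two resources with overlapping prefixes would give the mesh ambiguous routes, and a policy naming a group that no environment defines silently grants nothing. The following added check (not part of the Tofu environments) transcribes the per-environment networks and the policies from the two tables above and asserts both invariants; the group set is taken from the NetBird bullet lists on this page.

```python
import ipaddress
from itertools import combinations

# NetBird resources per environment, transcribed from the per-environment networks table.
NETWORKS = {
    "edge": ["172.30.0.0/24"],
    "production": ["192.168.1.0/24", "192.168.100.0/24", "192.168.104.0/24",
                   "192.168.105.0/24", "192.168.178.0/24"],
    "home": ["192.168.0.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"],
}

# Groups named on this page (cross-cutting ones plus the per-environment ones).
GROUPS = {"administrators", "sidecars", "edge", "edge_peers", "edge_sidecar_envoy",
          "production", "production_peers", "home", "home_peers"}

# Policies as (name, source group, destination network), from the policies table.
POLICIES = [
    ("Admin Edge Policy", "administrators", "edge"),
    ("Admin Production Policy", "administrators", "production"),
    ("Admin Home Policy", "administrators", "home"),
    ("Sidecar Envoy Access Prod Public", "edge_sidecar_envoy", "production"),
]


def overlapping_resources(networks):
    """Return pairs 'env/cidr' whose prefixes overlap across the whole overlay.

    A healthy mesh returns an empty list: no two routing peer groups should
    advertise the same address space.
    """
    flat = [(env, ipaddress.ip_network(cidr))
            for env, cidrs in networks.items() for cidr in cidrs]
    return [(f"{e1}/{n1}", f"{e2}/{n2}")
            for (e1, n1), (e2, n2) in combinations(flat, 2) if n1.overlaps(n2)]


def dangling_policies(policies, groups, networks):
    """Return names of policies whose source group or destination network is undefined."""
    return [name for name, src, dst in policies
            if src not in groups or dst not in networks]


if __name__ == "__main__":
    print("overlaps:", overlapping_resources(NETWORKS))
    print("dangling:", dangling_policies(POLICIES, GROUPS, NETWORKS))
```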

DNS — sys.kueber.eu

The zone is owned by the netbird environment; entries are added per-env via the modules/netbird/dns_record module.

| Subdomain | Source env |
|---|---|
| *.production.sys.kueber.eu (proxmox1/2/3, truenas) | production |
| *.home.sys.kueber.eu (unifi-home, synology, home-assistant) | home |

Tofu service users

Each environment authenticates to NetBird as its own service user (tofu_env_{netbird,production,home,edge}), provisioned in the netbird environment with one-year tokens.