GL.iNet 4.8.1 기본 설정에서 fw3 tailscale0 zone에 masq 옵션이
누락되어 LAN→tailnet forward 시 SNAT가 안 되는 문제와, dnsmasq
ts.net split-forward 미설정으로 MagicDNS 동작 안 하는 문제를
정리. 영구 UCI 설정과 Mac 측 /etc/resolver/ts.net + search domain
보정까지 포함.
- infra/domain-boundaries.md 신규 — 두 영역 자산/계정/책임 분리 + cyclic 데이터 흐름 + 자산 매핑 + 추적 시 주의사항
- infra/_index.md에 도메인 경계 절 추가
- 기존 정본들(services/netbis, infra/security/crowdsec-safeline, services/bunnycdn-security 등)이 흩어져 갖던 cross-domain 정보의 단일 진입점
핵심 사실:
- netbis CF account != kappa CF account (별개)
- NPM 6대 origin은 netbis 자산, vl/CrowdSec/netbis-cf-firewall은 ironclad 인프라
- zlambda는 양 영역 다리 (Tailscale + Linode public IP 보유)
- netbis-cf-firewall은 ironclad 컨테이너 동거하지만 netbis CF API token으로 push
- profile.yaml is ban-only — captcha/throttle decision은 emit 안 됨
- Hub 분산 DDoS 시나리오 (http-ddos-by-ASN/cn) 도입 시 profile 분기 필수
- cs-cf-worker-bouncer: default_action captcha (Turnstile)
- netbis-cf-firewall: default_action managed_challenge (6 zone)
- 두 bouncer 모두 LAPI decision type 무관하게 캡챠 페이지로 응답
Switched Bunny iron-kr-nowaf origin from :443 (Traefik) to :9443 (APISIX,
no SafeLine plugin) since APISIX plugins are per-route. Used existing
:9443 path (juiceshop already there) instead of opening a new OpenWrt
port. Outline route managed via ApisixTls + ApisixRoute CRDs because
admin-API direct PUTs get swept by apisix-ingress-controller as orphans.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Created new Bunny pull zone iron-kr-nowaf (ID 5720695) without Shield to
host outline.inouter.com exclusively. Uploaded *.inouter.com wildcard cert
from cert-manager since Bunny LE auto-provision kept returning invalid.
Restored 7 CRS rules (942100,932230/235/260/370/380,933160) on iron-kr
Shield so vault/n8n/telegram-webhook/jarvis regain protection.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Ties the existing /etc/rancher/k3s/config.yaml kubelet-arg (system-reserved=8Gi,
eviction-hard<2Gi) to the 2026-04-19 OOM freeze incident so it won't be
flagged as mystery asymmetry in future audits. Closes item 6 of 2026-04-20
K3s improvements.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- crowdsecurity/whitelists 파서 설치 (192.168.9.1 false positive 해결)
- custom/tailscale-whitelist 추가 (100.64.0.0/10)
- custom/apisix-logs 파서 추가 (서울 APISIX 비표준 nginx 포맷)
- crowdsecurity/traefik collection 설치
- 버전 v1.7.7 확인
Verified removed across all 3 sites:
- K3s APISIX: no http-logger plugin in global_rules/routes/services/plugin_configs
- CrowdSec: no apisix-logs HTTP acquisition file, :8085 not listening
- Osaka APISIX: http-logger exists but targets VictoriaLogs (vector.inouter.com), not legacy
Runtime verification via cs_parser_hits metrics: only source is
https://vl.inouter.com/ (victorialogs type).
Split detailed findings to history/2026-04-15-apisix-http-logger-removal.md.
- infra/vault.md MCP 서버 섹션 전체 재작성: K3s Deployment 아니라 Pod 없는 리버스 프록시 파사드, 세 접근 경로 모두 jp1 Incus vault 컨테이너(10.253.101.58)로 수렴
- 과거 오류 정정 callout 추가: vault-active.vault.svc.cluster.local 경로 실존 안 함, hcv/mcp URL은 Vault UI로 307 (올바른 MCP 경로는 vault-mcp.inouter.com/mcp)
- history/2026-04-15-vault-mcp-duplicate-investigation.md 인시던트 기록
근거: Heimdall 조사 (Outline 5b6ddffa) + kappa 로컬 확인 (jp1 systemd active + 활성 트래픽)
