From 848288af7a18b3390379d666275e2581af46493c Mon Sep 17 00:00:00 2001
From: Claude Code <noreply@anthropic.com>
Date: Sun, 22 Mar 2026 01:28:57 -0500
Subject: [PATCH] =?UTF-8?q?Fix=20Traefik=20dashboard=20link=20=E2=80=94=20?=
 =?UTF-8?q?point=20to=20:8080/dashboard/=20not=20catchall=20404?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/intranet/intranet.yaml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/apps/intranet/intranet.yaml b/apps/intranet/intranet.yaml
index ce89da1..ecf9367 100644
--- a/apps/intranet/intranet.yaml
+++ b/apps/intranet/intranet.yaml
@@ -21,18 +21,18 @@ data:
     >copy</button> (double NAT intentional)</td></tr>\n<tr><td>Public /28 Block</td><td><span class=\"ip\">74.40.140.16/28</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.16/28')\">copy</button></td></tr>\n<tr><td>Gateway</td><td><span class=\"ip\">74.40.140.30</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.30')\">copy</button></td></tr>\n<tr><td>Usable Range</td><td><span class=\"ip\">74.40.140.17 &ndash; 74.40.140.29</span> (13 IPs)</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>ISP /28 Routing: FULLY OPERATIONAL.</strong> Public subnet (74.40.140.16/28) is live. 13 VIPs on WAN (ix3), 12 hybrid outbound NAT rules, 28 port forwards. Cloudflare DNS with 28+ A records pointing to /28 IPs. DDNS: gateway.iamwork.in updates pfSense WAN DHCP IP via Cloudflare API.</div>\n<h3>Modem Static Routes</h3>\n<table>\n<thead><tr><th>Name</th><th>Destination</th><th>Gateway</th><th>Interface</th></tr></thead>\n<tbody>\n<tr><td>pfSense-Public-28</td><td><span class=\"ip\">74.40.140.16/28</span></td><td><span class=\"ip\">192.168.254.122</span></td><td>LAN</td></tr>\n<tr><td>pfSense-Private-Subnets</td><td><span class=\"ip\">10.0.0.0/8</span></td><td><span class=\"ip\">192.168.254.122</span></td><td>LAN</td></tr>\n</tbody>\n</table>\n<h3>Public IP Allocation (13 usable)</h3>\n<table>\n<thead><tr><th>IP</th><th>Full Address</th><th>Assignment</th><th>VLAN(s)</th><th>Services</th></tr></thead>\n<tbody>\n<tr><td>.16</td><td><span class=\"ip\">74.40.140.16</span></td><td><em>Network address</em></td><td>&mdash;</td><td>Unusable</td></tr>\n<tr><td>.17</td><td><span class=\"ip\">74.40.140.17</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.17')\">copy</button></td><td>ANDREW + VPN</td><td>60</td><td>Andrew tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.18</td><td><span class=\"ip\">74.40.140.18</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.18')\">copy</button></td><td>ANDREW #2</td><td>60</td><td>Andrew secondary</td></tr>\n<tr><td>.19</td><td><span class=\"ip\">74.40.140.19</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.19')\">copy</button></td><td>MATT + VPN</td><td>61</td><td>Matt tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.20</td><td><span class=\"ip\">74.40.140.20</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.20')\">copy</button></td><td>MATT #2</td><td>61</td><td>Matt secondary</td></tr>\n<tr><td>.21</td><td><span class=\"ip\">74.40.140.21</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.21')\">copy</button></td><td>DUSTIN + VPN</td><td>62</td><td>Dustin tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.22</td><td><span class=\"ip\">74.40.140.22</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.22')\">copy</button></td><td>SIERRA (Dustin #2)</td><td>62</td><td>Dustin secondary</td></tr>\n<tr><td>.23</td><td><span class=\"ip\">74.40.140.23</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.23')\">copy</button></td><td>ERIK + VPN</td><td>63</td><td>Erik tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.24</td><td><span class=\"ip\">74.40.140.24</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.24')\">copy</button></td><td>PROD</td><td>57</td><td>K8s web + mail (flowercore.io, SMTP)</td></tr>\n<tr><td>.25</td><td><span class=\"ip\">74.40.140.25</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.25')\">copy</button></td><td>FIT + VPN</td><td>69</td><td>FIT tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.26</td><td><span class=\"ip\">74.40.140.26</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.26')\">copy</button></td><td>FIT #2</td><td>69</td><td>FIT secondary</td></tr>\n<tr><td>.27</td><td><span class=\"ip\">74.40.140.27</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.27')\">copy</button></td><td>COMMS</td><td>57</td><td>TeamSpeak, IRC, Matrix</td></tr>\n<tr><td>.28</td><td><span class=\"ip\">74.40.140.28</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.28')\">copy</button></td><td>SHARED</td><td>59,64,65,66,67</td><td>WORK+SCHOOL+GUEST+VOIP+EMPLOYEE outbound</td></tr>\n<tr><td>.29</td><td><span class=\"ip\">74.40.140.29</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.29')\">copy</button></td><td>HOME</td><td>58</td><td>Home traffic + Nintendo Switch static port NAT</td></tr>\n<tr><td>.30</td><td><span class=\"ip\">74.40.140.30</span></td><td><em>Gateway (Frontier)</em></td><td>&mdash;</td><td>ISP router</td></tr>\n<tr><td>.31</td><td><span class=\"ip\">74.40.140.31</span></td><td><em>Broadcast</em></td><td>&mdash;</td><td>Unusable</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: PFSENSE ===== -->\n<div id=\"tab-pfsense\" class=\"tab-content\">\n<h2>pfSense Firewall</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Netgate 4100</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"https://pfsense.iamworkin.lan\" target=\"_blank\">https://pfsense.iamworkin.lan</a> <button class=\"copy-btn\" onclick=\"copyText('pfsense.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <code>admin</code> / <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=kmmt7bckcm6hpvy5ajxgpodv5q\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 pfSense Firewall</span></a></li>\n      <li><strong>SSH:</strong> <code>admin@pfsense.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh admin@pfsense.iamworkin.lan')\">copy</button></li>\n      <li><strong>Hardware:</strong> 2x SFP+, 4x 2.5GbE (igc0-3)</li>\n      <li><strong>WAN:</strong> ix3 &mdash; LAN: igc0 (802.1Q trunk)</li>\n      <li><strong>Domain:</strong> iamworkin.lan</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Firewall Stats</div>\n    <ul>\n      <li><strong>Aliases:</strong> 36 (16 port, 5 host, 15 network)</li>\n      <li><strong>Rules:</strong> 90 active</li>\n      <li><strong>Policy:</strong> Air-gapped default &mdash; deny all, explicit allow</li>\n      <li><strong>SNMP:</strong> community <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=7qias4wucncvleievorxda5pym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 SNMP Community</span></a></li>\n      <li><strong>SNMP Modules:</strong> mibII, netgraph, pf, hostres, bridge</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Services</div>\n    <ul>\n      <li><strong>DNS:</strong> Unbound (DNSSEC, WAN-only outgoing, prefetch)</li>\n      <li><strong>DHCP:</strong> dhcpd on all 12 VLAN interfaces (.100-.199)</li>\n      <li><strong>NTP:</strong> ntpd on all VLAN interfaces, DHCP option 42</li>\n      <li><strong>Traffic Shaper:</strong> 24 dummynet pipes, fq_codel</li>\n    </ul>\n  </div>\n</div>\n<h3>VLAN Configuration (13 VLANs)</h3>\n<table>\n<thead><tr><th>VLAN</th><th>Name</th><th>Subnet</th><th>DHCP Range</th><th>Down/Up (Mbps)</th><th>Priority</th><th>Public IP</th></tr></thead>\n<tbody>\n<tr><td>56</td><td><span class=\"b b-mgmt\">MGMT</span></td><td><span class=\"ip\">10.0.56.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>5</td><td>WAN DHCP</td></tr>\n<tr><td>57</td><td><span class=\"b b-prod\">PROD</span></td><td><span class=\"ip\">10.0.57.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>5</td><td>.24</td></tr>\n<tr><td>58</td><td><span class=\"b b-home\">HOME</span></td><td><span class=\"ip\">10.0.58.0/24</span></td><td>.100-.199</td><td>800 / 800</td><td>3</td><td>.29</td></tr>\n<tr><td>59</td><td><span class=\"b b-wifi\">EMPLOYEE</span></td><td><span class=\"ip\">10.0.59.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>3</td><td>.28 (shared)</td></tr>\n<tr><td>60</td><td><span class=\"b b-tenant\">ANDREW</span></td><td><span class=\"ip\">10.0.60.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.17</td></tr>\n<tr><td>61</td><td><span class=\"b b-tenant\">MATT</span></td><td><span class=\"ip\">10.0.61.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.19</td></tr>\n<tr><td>62</td><td><span class=\"b b-tenant\">DUSTIN</span></td><td><span class=\"ip\">10.0.62.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.21</td></tr>\n<tr><td>63</td><td><span class=\"b b-tenant\">ERIK</span></td><td><span class=\"ip\">10.0.63.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.23</td></tr>\n<tr><td>64</td><td><span class=\"b b-wifi\">WORK</span></td><td><span class=\"ip\">10.0.64.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>3</td><td>.28 (shared)</td></tr>\n<tr><td>65</td><td><span class=\"b b-wifi\">SCHOOL</span></td><td><span class=\"ip\">10.0.65.0/24</span></td><td>.100-.199</td><td>200 / 200</td><td>1</td><td>.28 (shared)</td></tr>\n<tr><td>66</td><td><span class=\"b b-spare\">GUEST</span></td><td><span class=\"ip\">10.0.66.0/24</span></td><td>.100-.199</td><td>100 / 50</td><td>1</td><td>.28 (shared)</td></tr>\n<tr><td>67</td><td><span class=\"b b-voip\">VOIP</span></td><td><span class=\"ip\">10.0.67.0/24</span></td><td>.100-.199</td><td>100 / 100</td><td>7</td><td>.28 (shared)</td></tr>\n<tr><td>69</td><td><span class=\"b b-tenant\">FIT</span></td><td><span class=\"ip\">10.0.69.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.25</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>Firewall Policy:</strong> MGMT has full access. HOME/WORK/SCHOOL get general internet. GUEST isolated except PROD web. Tenants fully isolated from each other &mdash; only PROD, DNS, NAS, and internet. VOIP is SIP-only outbound.</div>\n</div>\n\n<!-- ===== TAB: SWITCHING & WIFI ===== -->\n<div id=\"tab-switching\" class=\"tab-content\">\n<h2>Switching &amp; WiFi</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"\
     card-title\"><span class=\"dot dot-green\"></span>UniFi Switch USW-Lite-16-PoE</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">switch.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('switch.iamworkin.lan')\">copy</button></li>\n      <li><strong>MAC:</strong> 74:ac:b9:e3:93:ba</li>\n      <li><strong>SSH:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=sqozg7dicrzxzyj2p47hnxn7di\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 UniFi Switch</span></a></li>\n      <li><strong>SSH Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=sqozg7dicrzxzyj2p47hnxn7di\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 UniFi Switch</span></a></li>\n      <li><strong>Firmware:</strong> 7.2.123.16565</li>\n      <li><strong>CLI:</strong> Type <code>cli</code> for Realtek switch CLI</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>UniFi Cloud Key G2</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"https://unifi.iamworkin.lan\" target=\"_blank\">https://unifi.iamworkin.lan</a> <button class=\"copy-btn\" onclick=\"copyText('unifi.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=sqozg7dicrzxzyj2p47hnxn7di\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 UniFi Cloud Key</span></a></li>\n      <li><strong>SSH:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=sqozg7dicrzxzyj2p47hnxn7di\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 UniFi Cloud Key</span></a></li>\n      <li><strong>Network Version:</strong> 7.1.61</li>\n      <li><strong>MongoDB:</strong> port 27117 (database <code>ace</code>)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Synology RT6600AX (AP Mode)</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"http://wifi.iamworkin.lan:8000\" target=\"_blank\">http://wifi.iamworkin.lan:8000</a> <button class=\"copy-btn\" onclick=\"copyText('wifi.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=hlys5gwgnfa2a2nclrr52dr6gu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Synology WiFi Router</span></a></li>\n      <li><strong>SSH:</strong> <code>bluejay@wifi.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh bluejay@wifi.iamworkin.lan')\">copy</button></li>\n      <li><strong>MAC:</strong> 90:09:d0:3d:64:ae</li>\n      <li><strong>Mode:</strong> AP (bridge), all trunk ports enabled</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>BlueJayNAS (Synology DS1621+)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">nas.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('nas.iamworkin.lan')\">copy</button> (HOME VLAN 58)</li>\n      <li><strong>DSM:</strong> <a href=\"https://nas.iamworkin.lan:5001\" target=\"_blank\">https://nas.iamworkin.lan:5001</a></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cbxfibct4j6jfm6ccsogpayjuy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJayNAS</span></a></li>\n      <li><strong>Storage:</strong> 9.1 TB Btrfs (RAID)</li>\n      <li><strong>NFS Exports:</strong> Longhorn backup, shared media, ISO library</li>\n      <li><strong>SNMP:</strong> Enabled (Zabbix monitored)</li>\n      <li><strong>Zabbix:</strong> Host monitored via SNMP v2c</li>\n      <li><strong>Switch Port:</strong> 14 (Access, VLAN 58)</li>\n    </ul>\n  </div>\n</div>\n<h3>Switch Port Assignments</h3>\n<table>\n<thead><tr><th>Port</th><th>Device</th><th>Mode</th><th>VLAN</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>1</td><td>pfSense Uplink</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>2</td><td>rke2-agent2</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>3</td><td>WiFi Uplink (Synology)</td><td>Trunk, native 58</td><td>57-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>4</td><td>rke2-agent1</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>5</td><td>Cloud Key G2</td><td>Access</td><td>56 (MGMT)</td><td><span class=\"dot dot-green\"></span>UP (PoE)</td></tr>\n<tr><td>6</td><td>rke2-server</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>7</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>8</td><td>noc1</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>9</td><td>Workstation</td><td>Access</td><td>56 (MGMT)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>10</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>11</td><td>edge2 (Pi 4)</td><td>Access</td><td>57 (PROD)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>12</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>13</td><td>edge1 (Pi 5)</td><td>Access</td><td>57 (PROD)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>14</td><td>Synology NAS</td><td>Access</td><td>58 (HOME)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>15</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>16</td><td>Synology 2</td><td>Access</td><td>58 (HOME)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n</tbody>\n</table>\n<h3>WiFi SSIDs</h3>\n<table>\n<thead><tr><th>SSID</th><th>Bridge</th><th>VLAN</th><th>Type</th><th>Password</th></tr></thead>\n<tbody>\n<tr><td><strong>BlueJay-Home</strong></td><td>br0</td><td>untagged (58)</td><td>Primary</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=vetpnvuxyfdcvkjr2cqhuaqekq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-Home WiFi</span></a></td></tr>\n<tr><td><strong>BlueJay-Employee</strong></td><td>br2</td><td>59</td><td>Custom</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=g36whfbi5zwcvsr6itowe67jjm\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-Employee WiFi</span></a></td></tr>\n<tr><td><strong>BlueJay-Work</strong></td><td>br3</td><td>64</td><td>Custom</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=4omsv5ybqoyk4tvqrqww7kv3yu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-Work WiFi</span></a></td></tr>\n<tr><td><strong>BlueJay-School</strong></td><td>br4</td><td>65</td><td>Custom</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=jnl2dodsrbli2y5rhwirvcywzy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-School WiFi</span></a></td></tr>\n<tr><td><strong>BlueJay-Guest</strong></td><td>gbr0</td><td>66</td><td>Guest (isolation+NAT)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=2nepku5kumcguwciiyhiiaifne\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-Guest WiFi</span></a></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: DNS ===== -->\n<div id=\"tab-dns\" class=\"tab-content\">\n<h2>DNS Directory</h2>\n<div class=\"note\">All entries are pfSense Unbound host overrides under <code>iamworkin.lan</code>. 52+ host overrides configured, plus 4 tenant wildcard redirect zones (*.bluejay.lan, *.timefortaco.lan, *.erik.lan, *.flowerinsider.lan &rarr; 10.0.56.200 Traefik).</div>\n<h3>Management Devices</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>pfsense.iamworkin.lan</td><td><span class=\"ip\">pfsense.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('pfsense.iamworkin.lan')\">copy</button></td><td>pfSense firewall</td></tr>\n<tr><td>switch.iamworkin.lan</td><td><span class=\"ip\">switch.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('switch.iamworkin.lan')\">copy</button></td><td>UniFi PoE Switch</td></tr>\n<tr><td>unifi.iamworkin.lan</td><td><span class=\"ip\">unifi.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('unifi.iamworkin.lan')\">copy</button></td><td>UniFi Cloud Key G2</td></tr>\n<tr><td>wifi.iamworkin.lan</td><td><span class=\"ip\">wifi.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('wifi.iamworkin.lan')\">copy</button></td><td>Synology WiFi Router (AP)</td></tr>\n<tr><td>nas.iamworkin.lan</td><td><span class=\"ip\">nas.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('nas.iamworkin.lan')\">copy</button></td><td>Synology NAS</td></tr>\n</tbody>\n</table>\n<h3>RKE2 Bare-Metal Cluster</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>rke2-server.iamworkin.lan</td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('rke2-server.iamworkin.lan')\"\
     >copy</button></td><td>RKE2 control plane (bare-metal, openSUSE Leap 16)</td></tr>\n<tr><td>rke2-agent1.iamworkin.lan</td><td><span class=\"ip\">rke2-agent1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('rke2-agent1.iamworkin.lan')\">copy</button></td><td>RKE2 worker node 1 (bare-metal, openSUSE Leap 16)</td></tr>\n<tr><td>rke2-agent2.iamworkin.lan</td><td><span class=\"ip\">rke2-agent2.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('rke2-agent2.iamworkin.lan')\">copy</button></td><td>RKE2 worker node 2 (bare-metal, openSUSE Leap 16)</td></tr>\n</tbody>\n</table>\n<h3>NOC Services (noc1)</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>noc1.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('noc1.iamworkin.lan')\">copy</button></td><td>NOC management node (K3s)</td></tr>\n<tr><td>acme.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>step-ca ACME CA</td></tr>\n<tr><td>pki.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>PKI cert/CRL distribution</td></tr>\n<tr><td>guac.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>Apache Guacamole</td></tr>\n<tr><td>grafana.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Grafana monitoring (monitoring ns, noc1 Podman stopped 2026-03-18, K8s only)</td></tr>\n<tr><td>prometheus.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Prometheus metrics (monitoring ns, noc1 Podman stopped 2026-03-18, K8s only)</td></tr>\n<tr><td>cockpit.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Cockpit web console (noc-proxy ns &rarr; noc1:9090)</td></tr>\n<tr><td>traefik.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>Traefik dashboard (K3s, legacy)</td></tr>\n<tr><td>op-connect.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>1Password Connect API (:8180)</td></tr>\n</tbody>\n</table>\n<h3>RKE2 Services (via Traefik at traefik.iamworkin.lan)</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>rke2.iamworkin.lan</td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('rke2-server.iamworkin.lan')\">copy</button></td><td>RKE2 API server (bare-metal control plane)</td></tr>\n<tr><td>rke2-traefik.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('traefik.iamworkin.lan')\">copy</button></td><td>Traefik LoadBalancer (MetalLB)</td></tr>\n<tr><td>argocd.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>ArgoCD GitOps (22 apps, all Healthy)</td></tr>\n<tr><td>gitea.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Gitea Git hosting (SSH at MetalLB .201)</td></tr>\n<tr><td>zabbix.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Zabbix monitoring (10 hosts, trapper at .203)</td></tr>\n<tr><td>guac.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Apache Guacamole (17 connections)</td></tr>\n<tr><td>irc.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>UnrealIRCd + Anope (ports 6667/6697/8067)</td></tr>\n<tr><td>matrix.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Matrix Synapse homeserver</td></tr>\n<tr><td>element.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Element Web (Matrix client)</td></tr>\n<tr><td>intranet.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Lab intranet dashboard</td></tr>\n<tr><td>pki.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>PKI cert/CRL distribution</td></tr>\n<tr><td>mail.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>docker-mailserver (SMTP at MetalLB .202)</td></tr>\n<tr><td>telephony.iamwork.in</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>FlowerCore.Telephony (:5100, Cloudflare origin cert)</td></tr>\n<tr><td>telephony.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>FlowerCore.Telephony (internal, step-ca cert)</td></tr>\n<tr><td>grafana.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Grafana (monitoring ns, noc1 Podman stopped 2026-03-18, K8s only)</td></tr>\n<tr><td>prometheus.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Prometheus (monitoring ns, noc1 Podman stopped 2026-03-18, K8s only)</td></tr>\n<tr><td>cockpit.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Cockpit (noc-proxy ns &rarr; noc1:9090)</td></tr>\n</tbody>\n</table>\n<h3>RKE2 MetalLB Service IPs</h3>\n<table>\n<thead><tr><th>IP</th><th>Service</th><th>Ports</th></tr></thead>\n<tbody>\n<tr><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Traefik Ingress</td><td>80, 443, 8080, 6667, 6697</td></tr>\n<tr><td><span class=\"ip\">gitea-ssh.iamworkin.lan</span></td><td>Gitea SSH</td><td>22</td></tr>\n<tr><td><span class=\"ip\">mail.iamworkin.lan</span></td><td>Mail SMTP</td><td>25, 465, 587</td></tr>\n<tr><td><span class=\"ip\">zabbix-trapper.iamworkin.lan</span></td><td>Zabbix Trapper</td><td>10051</td></tr>\n<tr><td><span class=\"ip\">ts.iamworkin.lan</span></td><td>TeamSpeak</td><td>9987/UDP, 30033, 10011</td></tr>\n</tbody>\n</table>\n<h3>Production / Edge Nodes</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>macmini.iamworkin.lan</td><td><span class=\"ip\">macmini.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('macmini.iamworkin.lan')\">copy</button></td><td>Mac Mini build node (Xcode)</td></tr>\n<tr><td>edge1.iamworkin.lan</td><td><span class=\"ip\">edge1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge1.iamworkin.lan')\">copy</button></td><td>Pi 5 + Hailo AI HAT+ 2</td></tr>\n<tr><td>edge2.iamworkin.lan</td><td><span class=\"ip\">edge2.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge2.iamworkin.lan')\">copy</button></td><td>Pi 4 (Argon ONE, CI runner)</td></tr>\n<tr><td>piez.iamworkin.lan</td><td><span class=\"ip\">piez.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('piez.iamworkin.lan')\">copy</button></td><td>Pi 4 + EZ Connect (PiManager :5000, GPIO/I2C/SPI)</td></tr>\n<tr><td>pirelay.iamworkin.lan</td><td><span class=\"ip\">pirelay.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('pirelay.iamworkin.lan')\">copy</button></td><td>Pi 3 + 4-ch Relay (PiManager :5100, KS0212)</td></tr>\n</tbody>\n</table>\n<h3>Planned / Windows (pre-registered)</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>dc1.iamworkin.lan</td><td><span class=\"ip\">10.0.56.20</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.20')\">copy</button></td><td>AD Domain Controller (planned)</td></tr>\n<tr><td>wac1.iamworkin.lan</td><td><span class=\"ip\">10.0.56.21</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.21')\">copy</button></td><td>Windows Admin Center (planned)</td></tr>\n<tr><td>rds1.iamworkin.lan</td><td><span class=\"ip\">10.0.57.20</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.20')\">copy</button></td><td>Remote Desktop Services (planned)</td></tr>\n<tr><td>iis1.iamworkin.lan</td><td><span class=\"ip\">10.0.57.21</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.21')\">copy</button></td><td>IIS Web Server (planned)</td></tr>\n<tr><td>proxy.iamworkin.lan</td><td><span class=\"ip\">10.0.56.22</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.22')\">copy</button></td><td>Squid Authenticated Proxy (planned)</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: KUBERNETES ===== -->\n<div id=\"tab-k8s\" class=\"tab-content\">\n<h2>Kubernetes Clusters</h2>\n<h3>K3s (noc1 &mdash; Emergency Fallback, Scaled to 0)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"opacity:0.6;\">\n    <div class=\"card-title\"><span class=\"dot dot-yellow\"></span>K3s on noc1 (Standby)</div>\n    <ul>\n      <li><strong>Node:</strong> <span class=\"ip\">noc1.iamworkin.lan</span> (single-node)</li>\n      <li><strong>Version:</strong> K3s v1.34.5</li>\n      <li><strong>Status:</strong> Scaled to 0 &mdash; emergency fallback only</li>\n      <li><strong>Migration:</strong> All workloads moved to RKE2 (2026-03-09)</li>\n      <li><strong>Tools:</strong> kubectl v1.35.2, helm v3.20.0</li>\n    </ul>\n  </div>\n</div>\n<h3>Harvester HCI (DECOMMISSIONED 2026-03-09)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"opacity:0.5;border-color:var(--red-border);\">\n    <div class=\"card-title\"><span class=\"dot dot-red\"></span>Harvester Cluster &mdash; Decommissioned</div>\n    <ul>\n      <li><strong>Status:</strong> <span class=\"b b-offline\">Decommissioned</span> &mdash; replaced by bare-metal RKE2</li>\n      <li><strong>Reason:</strong> 6 K8s control planes caused 100&deg;C thermal throttling</li>\n      <li><strong>Migration:</strong> All 3 NUCs reformatted to openSUSE Leap 16, bare-metal RKE2</li>\n      <li><strong>Result:</strong> Temps 44-71&deg;C, 1 control plane instead of 6</li>\n    </ul>\n  </div>\n</div>\n<h3>RKE2 (Bare-Metal Cluster)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>RKE2 Cluster</div>\n    <ul>\n      <li><strong>Version:</strong> RKE2 v1.34.5+rke2r1</li>\n      <li><strong>OS:</strong> openSUSE Leap 16.0 (bare-metal)</li>\n      <li><strong>CNI:</strong> Calico (VXLAN mode)</li>\n      <li><strong>Pod CIDR:</strong> <span class=\"ip\">10.42.0.0/16</span></li>\n      <li><strong>Service CIDR:</strong>\
-    \ <span class=\"ip\">10.43.0.0/16</span></li>\n      <li><strong>Kubeconfig:</strong> <code>/root/.kube/rke2.yaml</code> on noc1 or WSL</li>\n      <li><strong>SSH:</strong> ed25519 key auth (root)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">RKE2 Nodes (Bare-Metal)</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-server:</strong> <span class=\"ip\">rke2-server.iamworkin.lan</span> (i7-1260P / 64GB, control plane)</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent1:</strong> <span class=\"ip\">rke2-agent1.iamworkin.lan</span> (i7-1260P / 64GB, worker)</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent2:</strong> <span class=\"ip\">rke2-agent2.iamworkin.lan</span> (i5-1340P / 64GB, worker)</li>\n      <li><strong>SSH:</strong> <code>root@10.0.56.{11,12,13}</code> (ed25519 key)</li>\n      <li><strong>Puppet:</strong> profile::kubernetes::rke2 on all nodes</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">RKE2 Infrastructure</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span><strong>MetalLB:</strong> L2 mode, pool <span class=\"ip\">10.0.56.200-220</span></li>\n      <li><span class=\"dot dot-green\"></span><strong>Traefik:</strong> v3.3.4, 2 replicas, LB <span class=\"ip\">traefik.iamworkin.lan</span></li>\n      <li><span class=\"dot dot-green\"></span><strong>Longhorn:</strong> Default StorageClass (iSCSI), NAS backup integration</li>\n      <li><strong>Namespaces (33):</strong> fc-system, fc-tenant-{andrew,matt,dustin,erik,fit}, tenant-{andrew,dustin,erik,fit,flowercore}, traefik-system, metallb-system, argocd, irc, mail, matrix, zabbix, guacamole, gitea, teamspeak, onepassword-system, cert-manager, telephony, monitoring, selenium, agent-zero, intranet, pki, noc-proxy, longhorn-system, kube-system, calico-system, tigera-operator</li>\n      <li><strong>IngressRoutes:</strong> 44 Traefik routes (internal + Cloudflare public)</li>\n      <li><strong>PVCs:</strong> 17 persistent volumes, ~69 Gi total (Longhorn iSCSI, NAS backup)</li>\n      <li><strong>ArgoCD:</strong> 22 apps via bluejay-infra ApplicationSet (all Healthy &mdash; includes agent-zero, asterisk, monitoring, voice, 5 tenant landing pages, guacamole, mail, matrix, IRC, telephony, Gitea, Zabbix, PKI, intranet, noc-services)</li>\n      <li><strong>1Password:</strong> Operator v1.11.0 in onepassword-system, 7 CRDs syncing</li>\n      <li><strong>Cloudflare Origin Certs:</strong> *.flowercore.io + *.iamwork.in (15-year RSA) deployed across 8 namespaces</li>\n    </ul>\n  </div>\n</div>\n<h3>Cluster Resource Usage (2026-03-21)</h3>\n<table>\n<thead><tr><th>Node</th><th>CPU</th><th>Memory</th><th>Pods</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>rke2-server</td><td>866m (5%)</td><td>19,293 Mi (30%)</td><td>~40</td><td>Control plane + worker</td></tr>\n<tr><td>rke2-agent1</td><td>616m (3%)</td><td>20,905 Mi (32%)</td><td>~40</td><td>Worker</td></tr>\n<tr><td>rke2-agent2</td><td>1,430m (8%)</td><td>17,517 Mi (27%)</td><td>~40</td><td>Worker (Selenium + telephony)</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>Capacity:</strong> 192 GB total RAM (64 GB/node), ~30% utilized. Selenium Grid (4 pods) + ArgoCD (7 pods) + Longhorn (29 pods) are the biggest consumers. Prometheus at 10 Gi retention (90 days). All stateful workloads backed up to BlueJayNAS via Longhorn NFS.</div>\n\n<h3>pfSense Static Routes (K8s)</h3>\n<table>\n<thead><tr><th>Destination</th><th>Gateway</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td><span class=\"ip\">10.42.0.0/16</span></td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> (rke2-server)</td><td>Pod CIDR routing</td></tr>\n<tr><td><span class=\"ip\">10.43.0.0/16</span></td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> (rke2-server)</td><td>Service CIDR routing</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: NOC SERVICES ===== -->\n<div id=\"tab-noc\" class=\"tab-content\">\n<h2>NOC Services (noc1)</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>noc1 Host</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">noc1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('noc1.iamworkin.lan')\">copy</button></li>\n      <li><strong>SSH:</strong> <code>root@pfsense.iamworkin.lan0</code> <button class=\"copy-btn\" onclick=\"copyText('ssh root@pfsense.iamworkin.lan0')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=gjb3da3jepm2xzr5mef3afzws4\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 noc1</span></a></li>\n      <li><strong>OS:</strong> openSUSE Leap Micro 6.2 (immutable)</li>\n      <li><strong>CPU:</strong> Intel Celeron N5105 (4C/4T)</li>\n      <li><strong>RAM:</strong> 32 GB</li>\n      <li><strong>Disk:</strong> 1TB NVMe (929GB free)</li>\n      <li><strong>Runtimes:</strong> Podman 5.4.2, K3s v1.34.5</li>\n    </ul>\n  </div>\n</div>\n<h3>Service Directory</h3>\n<table>\n<thead><tr><th>Service</th><th>URL</th><th>Port</th><th>Credentials</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>Cockpit</td><td><a href=\"https://cockpit.iamworkin.lan\" target=\"_blank\">https://cockpit.iamworkin.lan</a></td><td>443 (Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=gjb3da3jepm2xzr5mef3afzws4\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 noc1</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Prometheus</td><td><a href=\"https://prometheus.iamworkin.lan\" target=\"_blank\">https://prometheus.iamworkin.lan</a> <br/><small>Also: <a href=\"https://prometheus.iamworkin.lan\" target=\"_blank\">https://prometheus.iamworkin.lan</a> (noc1 direct)</small></td><td>443 (Traefik)</td><td><em>No auth</em> (90-day retention, 11 targets)</td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Grafana</td><td><a href=\"https://grafana.iamworkin.lan\" target=\"_blank\">https://grafana.iamworkin.lan</a> <br/><small>Also: <a href=\"https://grafana.iamworkin.lan\" target=\"_blank\">https://grafana.iamworkin.lan</a> (noc1 direct)</small></td><td>443 (Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=l2ld4i2m47keuyxrzmj5jm56nu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Grafana</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Node Exporter</td><td>http://noc1.iamworkin.lan:9100</td><td>9100</td><td><em>Metrics only</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>SNMP Exporter</td><td>http://noc1.iamworkin.lan:9116</td><td>9116</td><td><em>pfSense + NAS + Switch + Printer SNMP scraper</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>step-ca ACME</td><td><a href=\"https://acme.iamworkin.lan:9443\" target=\"_blank\">https://acme.iamworkin.lan:9443</a></td><td>9443</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cg6ufz7vditglpqag2dyppi24q\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 step-ca</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>1Password Connect</td><td>http://op-connect.iamworkin.lan:8180</td><td>8180/8181</td><td><em>API token auth</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Puppet Server</td><td>noc1:8140</td><td>8140</td><td><em>OpenVox Server 8.12 (Podman)</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<h3>RKE2 Services (22 ArgoCD Apps &mdash; All Healthy)</h3>\n<table>\n<thead><tr><th>Service</th><th>URL</th><th>MetalLB / Port</th><th>Credentials</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>ArgoCD</td><td><a href=\"https://argocd.iamworkin.lan\" target=\"_blank\">https://argocd.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cmin4ocvddco3vshzozgjbupva\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 ArgoCD</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Traefik</td><td><a href=\"https://rke2-traefik.iamworkin.lan\" target=\"_blank\">https://rke2-traefik.iamworkin.lan</a></td><td>.200 &mdash; 80/443/8080/6667/6697</td><td><em>Dashboard: :8080</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Gitea</td><td><a href=\"https://gitea.iamworkin.lan\" target=\"_blank\">https://gitea.iamworkin.lan</a></td><td>.201 SSH:22 &mdash; HTTPS via Traefik</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=h5q3v77rtaek4jifdqbjc7vqzi\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Gitea</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Guacamole</td><td><a href=\"https://guac.iamworkin.lan\" target=\"_blank\">https://guac.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=j7p2jalf5pcltawrx3c6o54yga\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Apache Guacamole</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>UnrealIRCd + Anope</td><td>irc.iamworkin.lan:6697 (TLS)</td><td>.200 &mdash; 6667/6697/8067</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=3kxdh2gkmczv5thiestcmlkb3m\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 IRC Services</span></a></td><td><span class=\"\
-    b b-online\">Online</span></td></tr>\n<tr><td>Zabbix</td><td><a href=\"https://zabbix.iamworkin.lan\" target=\"_blank\">https://zabbix.iamworkin.lan</a></td><td>.203 trapper &mdash; Web via Traefik</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=mtazpqfrqltylsfzb25ejmmqdy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Zabbix Monitoring</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Mail (docker-mailserver)</td><td>mail.iamworkin.lan</td><td>.202 &mdash; SMTP 25/465/587</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=f6bdif4rxzgh6fi6lfirrtriaq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mail Server</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Matrix Synapse</td><td><a href=\"https://matrix.iamworkin.lan\" target=\"_blank\">https://matrix.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=hd75oppaq6dvf6hnmyntnth2ey\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Matrix Synapse</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Element Web</td><td><a href=\"https://element.iamworkin.lan\" target=\"_blank\">https://element.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Uses Matrix account</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>TeamSpeak</td><td>ts.iamworkin.lan</td><td>.205 &mdash; 9987/UDP, 30033, 10011</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=736u546ufij75d36socv5lhop4\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 TeamSpeak</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>FlowerCore Landing</td><td>flowercore.io</td><td>443 (via Traefik, Cloudflare)</td><td><em>Static page</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PKI Web</td><td><a href=\"https://pki.iamworkin.lan\" target=\"_blank\">https://pki.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Public (CRL/certs)</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Intranet</td><td><a href=\"https://intranet.iamworkin.lan\" target=\"_blank\">https://intranet.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Static page</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Snappymail</td><td><a href=\"https://mail-web.iamworkin.lan\" target=\"_blank\">https://mail-web.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=k5otwlgch366ozyc4yvrwohjya\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Snappymail</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Telephony</td><td><a href=\"https://telephony.iamworkin.lan\" target=\"_blank\">https://telephony.iamworkin.lan</a></td><td>5100 (via Traefik + Cloudflare)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=uo5kuszy6pjijrxrkuugpdnsrq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Telephony</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Asterisk PBX</td><td>asterisk.iamworkin.lan:5060</td><td>.207 &mdash; SIP 5060/UDP, RTP 10000-20000</td><td><em>4 PJSIP ext, Twilio trunk</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Agent Zero</td><td><a href=\"https://agent-zero.iamworkin.lan\" target=\"_blank\">https://agent-zero.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=uo5kuszy6pjijrxrkuugpdnsrq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Agent Zero</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>1Password Operator</td><td><em>In-cluster only</em></td><td>onepassword-system</td><td><em>Connect token</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Selenium Grid</td><td><a href=\"https://selenium.iamworkin.lan\" target=\"_blank\">https://selenium.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Hub + 2 Chrome + 1 Firefox</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>FlowerCore.Print.Web</td><td><a href=\"http://print.iamworkin.lan:5200\" target=\"_blank\">http://print.iamworkin.lan:5200</a></td><td>5200 (edge2 direct)</td><td><em>12 pages, 9 symbologies, 10 MCP</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PiManager (piez)</td><td><a href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\">http://piez.iamworkin.lan:5000</a></td><td>5000 (piez direct)</td><td><em>GPIO, I2C, SPI, 20 MCP</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PiManager (pirelay)</td><td><a href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\">http://pirelay.iamworkin.lan:5100</a></td><td>5100 (pirelay direct)</td><td><em>4-ch relay, scheduling</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Frigate NVR</td><td><a href=\"http://edge1.iamworkin.lan:5000\" target=\"_blank\">http://edge1.iamworkin.lan:5000</a></td><td>5000 (edge1 direct)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Frigate</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<h3>Monitoring</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Prometheus (noc1)</div>\n    <ul>\n      <li><strong>Targets:</strong> 15 scrape jobs (node-exporter: noc1 + 3 RKE2 + 2 edge + piez + pirelay, SNMP: pfSense + Cloud Key + Switch + NAS + Printer, Blackbox: 4 AI stack probes, self)</li>\n      <li><strong>Alert Rules:</strong> 8 (NodeDown, PfSenseDown, HighCPU, HighMemory, DiskSpaceLow, +3)</li>\n      <li><strong>Config:</strong> <code>/opt/monitoring/prometheus/prometheus.yml</code></li>\n      <li><strong>Reload:</strong> <code>podman kill -s SIGHUP prometheus</code></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Grafana (noc1:3000)</div>\n    <ul>\n      <li><strong>Version:</strong> v12.4.0</li>\n      <li><strong>Dashboards:</strong> BlueJay Network Overview, Node Exporter Full (#1860), BlueJay Edge Nodes, BlueJay Operations (Prometheus+Zabbix unified) &mdash; all in BlueJay folder</li>\n      <li><strong>Datasources:</strong> Prometheus (http://localhost:9090), Zabbix (alexanderzobnin-zabbix-datasource v6.2.1)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Zabbix (RKE2) &mdash; 13 Hosts</div>\n    <ul>\n      <li><strong>Agent Hosts (8):</strong> noc1, rke2-server, rke2-agent1, rke2-agent2, edge1, edge2, piez, pirelay</li>\n      <li><strong>SNMP Hosts (3):</strong> pfSense, UniFi Switch, BlueJayNAS (DS1621+)</li>\n      <li><strong>SNMP Host (1):</strong> Epson ET-3750 EcoTank</li>\n      <li><strong>Local (1):</strong> Zabbix server self-check</li>\n      <li><strong>Agent Version:</strong> Zabbix Agent 2 v7.0.22&ndash;7.2.15 on all 8 Linux nodes</li>\n      <li><strong>Passive checks:</strong> Server= includes MetalLB VIP + RKE2 node IPs + pod CIDR</li>\n      <li><strong>Note:</strong> Mac Mini (macOS) pending Zabbix agent setup</li>\n    </ul>\n  </div>\n</div>\n<h3>Pi Fleet Services (FlowerCore.PiManager)</h3>\n<table>\n<thead><tr><th>Device</th><th>URL</th><th>Port</th><th>Capabilities</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>piez (Pi 4)</td><td><a href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\">http://piez.iamworkin.lan:5000</a></td><td>5000</td><td>GPIO, I2C, SPI, Expanders (MCP23017/PCF8574/74HC595) &mdash; 10 pages, 35 API, 20 MCP</td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>pirelay (Pi 3)</td><td><a href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\">http://pirelay.iamworkin.lan:5100</a></td><td>5100</td><td>4-ch relay (KS0212, active-LOW), scheduling, usage tracking &mdash; 8 pages, relay API</td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>PiManager:</strong> Unified .NET 10 service deployed to both Pi nodes with different <code>ASPNETCORE_ENVIRONMENT</code> overlays. Config-driven capabilities &mdash; same binary, different features per device. Supports relay presets: ks0212-4ch, walfront-16ch, sainsmart-8ch. API docs at <code>/scalar/v1</code> on each node.</div>\n\n<h3>Guacamole Connection Groups (14 connections)</h3>\n<table>\n<thead><tr><th>Group</th><th>Connections</th><th>Protocol</th></tr></thead>\n<tbody>\n<tr><td><strong>Kubernetes</strong> (3)</td><td>rke2-server, rke2-agent1, rke2-agent2</td><td>SSH</td></tr>\n<tr><td><strong>Network Devices</strong> (4)</td><td>pfSense, UniFi Cloud Key, Synology WiFi (SRM), BlueJayNAS</td><td>SSH</td></tr>\n<tr><td><strong>Servers</strong> (3)</td><td>noc1, Mac Mini (SSH), Mac Mini (VNC)</td><td>SSH/VNC</td></tr>\n<tr><td><strong>Edge Nodes</strong> (4)</td><td>edge1 (Pi 5 + AI), edge2 (Pi 4), piez (Pi 4 + EZ Connect), pirelay (Pi 3 + Relay)</td><td>SSH</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>Guacamole credentials:</strong> All connection passwords are stored in the Guacamole MySQL database (synced from 1Password). Access at <a href=\"https://guac.iamworkin.lan\" target=\"_blank\">https://guac.iamworkin.lan</a> &mdash; <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=j7p2jalf5pcltawrx3c6o54yga\"\
-    \ target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Apache Guacamole</span></a></div>\n</div>\n\n<!-- ===== TAB: VPN & SECURITY ===== -->\n<div id=\"tab-vpn\" class=\"tab-content\">\n<h2>VPN &amp; Security</h2>\n<div class=\"note\"><strong>OpenVPN Status:</strong> 8 servers configured and operational. Bound to tenant VIPs (.17, .19, .21, .23, .25). Each tenant has TUN (L3 routed) and TAP (L2 bridged) instances on ports 1194/1195 UDP.</div>\n<h3>OpenVPN Configuration</h3>\n<table>\n<thead><tr><th>Tenant</th><th>VIP</th><th>TUN Port</th><th>TAP Port</th><th>Tunnel (TUN)</th><th>Tunnel (TAP)</th><th>VLAN</th></tr></thead>\n<tbody>\n<tr><td><span class=\"b b-tenant\">ANDREW</span></td><td><span class=\"ip\">.17</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.0/27</span></td><td><span class=\"ip\">10.0.68.128/27</span></td><td>60</td></tr>\n<tr><td><span class=\"b b-tenant\">MATT</span></td><td><span class=\"ip\">.19</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.32/27</span></td><td><span class=\"ip\">10.0.68.160/27</span></td><td>61</td></tr>\n<tr><td><span class=\"b b-tenant\">DUSTIN</span></td><td><span class=\"ip\">.21</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.64/27</span></td><td><span class=\"ip\">10.0.68.192/27</span></td><td>62</td></tr>\n<tr><td><span class=\"b b-tenant\">ERIK</span></td><td><span class=\"ip\">.23</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.96/27</span></td><td><span class=\"ip\">10.0.68.224/27</span></td><td>63</td></tr>\n<tr><td><span class=\"b b-tenant\">FIT</span></td><td><span class=\"ip\">.25</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.69.0/27</span></td><td><span class=\"ip\">10.0.69.128/27</span></td><td>69</td></tr>\n</tbody>\n</table>\n<h3>VPN Certificate Infrastructure</h3>\n<table>\n<thead><tr><th>Component</th><th>Details</th></tr></thead>\n<tbody>\n<tr><td>CA</td><td>BlueJay VPN CA (4096-bit RSA, SHA-256, 10-year)</td></tr>\n<tr><td>Server Certs</td><td>8 (one per VPN instance, 2048-bit RSA)</td></tr>\n<tr><td>Client Certs</td><td>4 (one per tenant, 2048-bit RSA)</td></tr>\n<tr><td>TLS Auth</td><td>Shared HMAC key across all servers</td></tr>\n<tr><td>Data Ciphers</td><td>AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305</td></tr>\n</tbody>\n</table>\n<h3>IPsec Site-to-Site (Planned)</h3>\n<table>\n<thead><tr><th>Tunnel</th><th>Local</th><th>Remote</th><th>Phase 1</th><th>Phase 2 SAs</th></tr></thead>\n<tbody>\n<tr><td>Matt</td><td>.29 (pfSense WAN)</td><td>Matt's public IP</td><td>IKEv2, AES-256-GCM, DH 14+</td><td>MATT (10.0.61.0/24) + PROD (10.0.57.0/24)</td></tr>\n<tr><td>Dustin</td><td>.29 (pfSense WAN)</td><td>Dustin's public IP</td><td>IKEv2, AES-256-GCM, DH 14+</td><td>DUSTIN (10.0.62.0/24) + PROD (10.0.57.0/24)</td></tr>\n</tbody>\n</table>\n<h3>Security Policies</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Cloudflare Protection</div>\n    <ul>\n      <li><strong>SSL Mode:</strong> Full (strict) on all 6 zones</li>\n      <li><strong>Origin Certs:</strong> *.flowercore.io + *.iamwork.in (15-year RSA), deployed across 8 K8s namespaces</li>\n      <li><strong>HSTS:</strong> Enabled on all zones</li>\n      <li><strong>Min TLS:</strong> 1.2</li>\n      <li><strong>Anti-spoofing:</strong> null MX, SPF -all, DMARC reject on non-email domains</li>\n      <li><strong>Cloudflare-only inbound:</strong> Port forwards for 80/443 restrict source to Cloudflare IP ranges</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">SSH Key Policy</div>\n    <ul>\n      <li><strong>Key Type:</strong> ed25519 (deployed to all 9 physical nodes)</li>\n      <li><strong>WSL Key:</strong> <code>stoltz@IAMWORKIN-WS</code> &mdash; deployed to noc1, rke2-server, rke2-agent1, rke2-agent2, edge1, edge2, piez, pirelay, Mac Mini</li>\n      <li><strong>noc1 Key:</strong> <code>noc1-root</code> + <code>rke2@bluejay</code> &mdash; management keys for remote nodes</li>\n      <li><strong>Root Login:</strong> Key-only (PermitRootLogin without-password)</li>\n      <li><strong>RKE2 Nodes:</strong> SELinux enforcing, <code>chcon -t ssh_home_t</code> on authorized_keys</li>\n      <li><strong>Last verified:</strong> 2026-03-21 (all 9 nodes confirmed)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Network Security Rules</div>\n    <ul>\n      <li><strong>Forced DNS:</strong> HOME/WORK/SCHOOL/GUEST block port 53 except to gateway</li>\n      <li><strong>Blocked SMTP:</strong> Outbound 25/465/587 on HOME/WORK/SCHOOL/GUEST</li>\n      <li><strong>Firewall Policy:</strong> Deny-all default, explicit allow per VLAN</li>\n      <li><strong>Tenant Isolation:</strong> Tenants fully isolated from each other, only PROD + DNS + NAS + internet</li>\n    </ul>\n  </div>\n</div>\n<h3>PKI Hierarchy</h3>\n<table>\n<thead><tr><th>CA</th><th>Status</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td>Root CA (IAmWorkin ACME CA)</td><td><span class=\"b b-online\">Operational</span></td><td>Trust anchor, ECDSA P-256, expires 2036</td></tr>\n<tr><td>ACME CA (step-ca on noc1)</td><td><span class=\"b b-online\">Operational</span></td><td>Automated cert issuance via ACME protocol</td></tr>\n<tr><td>Network CA</td><td><span class=\"b b-planned\">Planned</span></td><td>Switch, AP, pfSense device certs</td></tr>\n<tr><td>Windows AD CS CA</td><td><span class=\"b b-planned\">Planned</span></td><td>Domain-joined machine/user certs</td></tr>\n<tr><td>Internal Services CA</td><td><span class=\"b b-planned\">Planned</span></td><td>K8s service mesh, inter-service mTLS</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: REMOTE ACCESS ===== -->\n<div id=\"tab-remote\" class=\"tab-content\">\n<h2>Remote Access &mdash; Blue Jay Gateway</h2>\n<div class=\"note\">Apache Guacamole with Blue Jay branding, 1Password vault integration, K8s exec, and embedded panels. All credentials resolved from 1Password at connection time &mdash; no passwords stored in Guacamole.</div>\n\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Guacamole Web UI</div>\n    <ul>\n      <li><strong>URL:</strong> <a href=\"https://guac.iamworkin.lan/\" target=\"_blank\">guac.iamworkin.lan</a> <button class=\"copy-btn\" onclick=\"copyText('https://guac.iamworkin.lan/')\">copy</button></li>\n      <li><strong>Version:</strong> 1.6.0 + Blue Jay branding</li>\n      <li><strong>Admin:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">Guacamole</span></a></li>\n      <li><strong>K8s:</strong> <code>guacamole</code> namespace</li>\n      <li><strong>Ingress:</strong> Traefik &rarr; guacamole:8080 (WebSocket)</li>\n      <li><strong>ArgoCD:</strong> <code>infra-guacamole</code></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Extensions</div>\n    <ul>\n      <li><strong>Blue Jay Branding</strong> &mdash; Full dark theme, custom login, logo</li>\n      <li><strong>1Password Vault</strong> &mdash; <code>${VAULT_PASSWORD}</code> token resolution</li>\n      <li><strong>TOTP MFA</strong> &mdash; Required for all users</li>\n      <li><strong>Auth Ban</strong> &mdash; 5 failures = 5min IP ban</li>\n      <li><strong>JSON Auth</strong> &mdash; Signed tokens for embedded panels</li>\n      <li><strong>Time Restrict</strong> &mdash; Per-connection time windows</li>\n      <li><strong>Recording Storage</strong> &mdash; NFS (Synology) playback</li>\n      <li><strong>Display Statistics</strong> &mdash; Performance metrics</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password Integration</div>\n    <ul>\n      <li><strong>Connect URL:</strong> <code>onepassword-connect:8080</code> (K8s internal)</li>\n      <li><strong>Vault:</strong> IAmWorkin (<code>qaphopopkryhbg353ukzhhuqoq</code>)</li>\n      <li><strong>Token:</strong> Via <code>OnePasswordItem</code> CRD</li>\n      <li><strong>Rotation:</strong> Automatic &mdash; change in 1Password, Guacamole picks up on next connect</li>\n      <li><strong>Cache TTL:</strong> 5 minutes</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Session Recording</div>\n    <ul>\n      <li><strong>Storage:</strong> NFS on Synology (<code>/volume1/guacamole/recordings</code>)</li>\n      <li><strong>PVC:</strong> <code>guacamole-recordings-pvc</code> (50 Gi)</li>\n      <li><strong>Format:</strong> Guacamole native (playable in browser)</li>\n      <li><strong>Retention:</strong> Linked to connection history</li>\n    </ul>\n  </div>\n</div>\n\n<h3 style=\"margin-top:1.5rem;\">Connection Inventory (${VAULT_*} tokens &mdash; no hardcoded passwords)</h3>\n<table>\n<thead><tr><th>Connection</th><th>Protocol</th><th>Host</th><th>VLAN</th><th>1Password Item</th></tr></thead>\n<tbody>\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--gold);\">MGMT (VLAN 56) &mdash; Infrastructure</td></tr>\n<tr><td>pfSense &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">pfsense.iamworkin.lan</span></td><td>56</td><td>pfSense Admin</td></tr>\n<tr><td>Cloud Key &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">unifi.iamworkin.lan</span></td><td>56</td><td>UniFi CloudKey</td></tr>\n<tr><td>UniFi Switch &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">switch.iamworkin.lan</span></td><td>56</td><td>UniFi CloudKey</td></tr>\n<tr><td>noc1 &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\"\
-    >SSH</span></td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>56</td><td>noc1 Root SSH</td></tr>\n<tr><td>rke2-server &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">rke2-server.iamworkin.lan</span></td><td>56</td><td>RKE2 Server</td></tr>\n<tr><td>rke2-agent1 &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">rke2-agent1.iamworkin.lan</span></td><td>56</td><td>RKE2 Agent 1</td></tr>\n<tr><td>rke2-agent2 &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">rke2-agent2.iamworkin.lan</span></td><td>56</td><td>RKE2 Agent 2</td></tr>\n\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--accent);\">PROD (VLAN 57) &mdash; Production</td></tr>\n<tr><td>edge1 (Pi 5) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">edge1.iamworkin.lan</span></td><td>57</td><td>Edge1 Pi5 SSH</td></tr>\n<tr><td>edge2 (Pi 4) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">edge2.iamworkin.lan</span></td><td>57</td><td>Edge2 Pi4 SSH</td></tr>\n<tr><td>Mac Mini &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">macmini.iamworkin.lan</span></td><td>57</td><td>Mac Mini</td></tr>\n<tr><td>Mac Mini &mdash; VNC</td><td><span class=\"b b-warn\" style=\"font-size:0.75em;\">VNC</span></td><td><span class=\"ip\">macmini.iamworkin.lan</span></td><td>57</td><td>Mac Mini</td></tr>\n\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--green);\">HOME (VLAN 58) &mdash; Home Network</td></tr>\n<tr><td>Synology NAS &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">nas.iamworkin.lan</span></td><td>58</td><td>Synology NAS</td></tr>\n<tr><td>Synology WiFi &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">wifi.iamworkin.lan</span></td><td>58</td><td>Synology SRM</td></tr>\n<tr><td>piez (Pi 4) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">piez.iamworkin.lan</span></td><td>58</td><td>PiEZ SSH</td></tr>\n<tr><td>pirelay (Pi 3) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">pirelay.iamworkin.lan</span></td><td>58</td><td>PiRelay SSH</td></tr>\n\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--cyan);\">Kubernetes &mdash; Pod Exec (auto-synced every 2min)</td></tr>\n<tr><td>argocd-server</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>gitea-0</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>asterisk</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>zabbix-server</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>synapse</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>unrealircd</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n</tbody>\n</table>\n\n<h3 style=\"margin-top:1.5rem;\">Embedded Panel (Quick SSH)</h3>\n<div class=\"note\">The embedded panel below uses <code>guacamole-common-js</code> to connect directly to Guacamole's tunnel servlet. Requires authentication to <a href=\"https://guac.iamworkin.lan/\" target=\"_blank\">guac.iamworkin.lan</a> first.</div>\n<div class=\"card\" style=\"padding:0;overflow:hidden;\">\n  <div class=\"guac-embed\" id=\"panel-noc1\" data-connection=\"noc1 &mdash; SSH\" data-width=\"100%\" data-height=\"400\" style=\"width:100%;\">\n    <div style=\"display:flex;align-items:center;gap:8px;padding:8px 12px;background:var(--surface2);border-bottom:1px solid var(--border);\">\n      <span style=\"width:8px;height:8px;border-radius:50%;background:var(--text-muted);\" id=\"guac-status-dot\"></span>\n      <span style=\"color:var(--text-heading);font-weight:600;flex:1;\">noc1 &mdash; SSH Terminal</span>\n      <a href=\"https://guac.iamworkin.lan/#/client/bm9jMS1zc2g\" target=\"_blank\" style=\"color:var(--accent);text-decoration:none;font-size:0.85em;\">Open in Guacamole &rarr;</a>\n    </div>\n    <div style=\"height:400px;background:#000;display:flex;align-items:center;justify-content:center;color:var(--text-muted);font-family:var(--font-mono, monospace);\">\n      <p>Connect via <a href=\"https://guac.iamworkin.lan/\" target=\"_blank\" style=\"color:var(--accent);\">Blue Jay Remote Access</a> to use the embedded terminal.<br>\n      <span style=\"font-size:0.85em;opacity:0.7;\">Requires <code>bluejay-guac-embed.js</code> and <code>guacamole-common-js</code></span></p>\n    </div>\n  </div>\n</div>\n\n<h3 style=\"margin-top:1.5rem;\">Deployment Details</h3>\n<table>\n<thead><tr><th>Component</th><th>Image</th><th>Replicas</th><th>Resources</th></tr></thead>\n<tbody>\n<tr><td>guacamole (Tomcat)</td><td><code>fc-guacamole:1.6.0-bluejay</code></td><td>1</td><td>200m-1 CPU, 512Mi-1Gi</td></tr>\n<tr><td>guacd (C proxy)</td><td><code>guacamole/guacd:1.6.0</code></td><td>1</td><td>200m-2 CPU, 256Mi-1Gi</td></tr>\n<tr><td>MySQL 8</td><td><code>mysql:8.0</code></td><td>1 (StatefulSet)</td><td>100m-500m CPU, 256-512Mi</td></tr>\n<tr><td>K8s Sync CronJob</td><td><code>bitnami/kubectl:1.34</code></td><td>every 2min</td><td>minimal</td></tr>\n</tbody>\n</table>\n\n<h3 style=\"margin-top:1.5rem;\">Files Reference</h3>\n<table>\n<thead><tr><th>Artifact</th><th>Path</th></tr></thead>\n<tbody>\n<tr><td>Design plan</td><td><code>docs/infrastructure/guacamole-customization-plan.md</code></td></tr>\n<tr><td>K8s manifests</td><td><code>k8s/guacamole/*.yaml</code></td></tr>\n<tr><td>Branding extension</td><td><code>k8s/guacamole/extensions/bluejay-branding/</code></td></tr>\n<tr><td>1Password vault extension</td><td><code>k8s/guacamole/extensions/1password-vault/</code></td></tr>\n<tr><td>Embed library</td><td><code>k8s/guacamole/scripts/bluejay-guac-embed.js</code></td></tr>\n<tr><td>Dockerfile</td><td><code>k8s/guacamole/Dockerfile</code></td></tr>\n<tr><td>Bootstrap script</td><td><code>k8s/guacamole/scripts/bootstrap-connections.sh</code></td></tr>\n<tr><td>Build/deploy script</td><td><code>k8s/guacamole/scripts/build-image.sh</code></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: EDGE NODES ===== -->\n<div id=\"tab-edge\" class=\"tab-content\">\n<h2>Edge Nodes</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>edge1 &mdash; Raspberry Pi 5 + Hailo AI</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">edge1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge1.iamworkin.lan')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>stoltz@edge1.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@edge1.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge1 Pi5 SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 5 16GB + Hailo-10H 40 TOPS (AI HAT+ 2)</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>PCIe:</strong> Gen 3 x1 (8.0 GT/s)</li>\n      <li><strong>Power:</strong> 27W USB-C</li>\n      <li><strong>.NET SDK:</strong> 10.0.103</li>\n      <li><strong>GitHub Runner:</strong> v2.332.0 (labels: pi5, hailo)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Puppet:</strong> profile::edge_ai</li>\n      <li><strong>Zabbix Agent:</strong> v7.2.15 (passive, port 10050)</li>\n      <li><strong>Switch Port:</strong> 13</li>\n      <li><strong>Disk:</strong> 93% (2.0GB free)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>edge2 &mdash; Raspberry Pi 4 (Argon ONE)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">edge2.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge2.iamworkin.lan')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>stoltz@edge2.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@edge2.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=kyeqfwy76msqb4cfdjueaq5uta\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge2 Pi4 SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 4 Model B 4GB, Argon ONE case</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Fan Control:</strong> argononed.service (55&deg;C=10%, 60&deg;C=55%, 65&deg;C=100%)</li>\n      <li><strong>.NET SDK:</strong> 10.0.103</li>\n      <li><strong>Print Service:</strong> <span class=\"b b-online\">LIVE</span> <a href=\"http://print.iamworkin.lan:5200\" target=\"_blank\">FlowerCore.Print.Web :5200</a> (12 pages, 9 symbologies, AI barcode)</li>\n      <li><strong>GitHub\
-    \ Runners:</strong> v2.332.0 &mdash; MySQL (edge2-mysql), PHP (edge2-php)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Puppet:</strong> profile::edge_runner</li>\n      <li><strong>Zabbix Agent:</strong> v7.2.15 (passive, port 10050)</li>\n      <li><strong>Switch Port:</strong> 11</li>\n      <li><strong>Guacamole:</strong> SSH connection in Edge Nodes group</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>piez &mdash; Raspberry Pi 4 + EZ Connect</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">piez.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('piez.iamworkin.lan')\">copy</button> (HOME VLAN 58, WiFi)</li>\n      <li><strong>SSH:</strong> <code>stoltz@piez.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@piez.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 piez SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 4 Model B 4GB + Pi EZ Connect board</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Role:</strong> GPIO prototyping, breadboard dev, I2C/SPI sensors</li>\n      <li><strong>.NET SDK:</strong> 10.0.201</li>\n      <li><strong>Web:</strong> <span class=\"b b-online\">LIVE</span> <a href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\">FlowerCore.PiManager :5000</a> (10 pages, 35 API endpoints, 20 MCP tools)</li>\n      <li><strong>API Docs:</strong> <a href=\"http://piez.iamworkin.lan:5000/scalar/v1\" target=\"_blank\">Scalar :5000/scalar/v1</a></li>\n      <li><strong>Capabilities:</strong> GPIO, I2C, SPI, Expanders (MCP23017/PCF8574/74HC595)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Zabbix Agent:</strong> v7.0.22 (passive, port 10050)</li>\n      <li><strong>Guacamole:</strong> SSH connection in Edge Nodes group</li>\n      <li><strong>Dashboard:</strong> <a href=\"piez-prototyping.html\">piez-prototyping.html</a></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>pirelay &mdash; Raspberry Pi 3 + 4-Ch Relay</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">pirelay.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('pirelay.iamworkin.lan')\">copy</button> (HOME VLAN 58)</li>\n      <li><strong>SSH:</strong> <code>stoltz@pirelay.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@pirelay.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 pirelay SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 3 Model B v1.2, 906 MB RAM + Keyestudio KS0212 4-channel relay shield</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Role:</strong> Relay controller, home automation prototyping</li>\n      <li><strong>Web:</strong> <span class=\"b b-online\">LIVE</span> <a href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\">FlowerCore.PiManager :5100</a> (relay preset: ks0212-4ch)</li>\n      <li><strong>API Docs:</strong> <a href=\"http://pirelay.iamworkin.lan:5100/scalar/v1\" target=\"_blank\">Scalar :5100/scalar/v1</a></li>\n      <li><strong>GPIO (BCM, active-LOW):</strong> CH1=GPIO4, CH2=GPIO22, CH3=GPIO6, CH4=GPIO26</li>\n      <li><strong>Relay Ratings:</strong> 10A @ 250VAC / 30VDC per channel</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Zabbix Agent:</strong> v7.0.22 (passive, port 10050)</li>\n      <li><strong>Guacamole:</strong> SSH connection in Edge Nodes group</li>\n      <li><strong>Dashboard:</strong> <a href=\"relay-controller.html\">relay-controller.html</a></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Mac Mini (Build/Test Node)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">macmini.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('macmini.iamworkin.lan')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>bluejay@macmini.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh bluejay@macmini.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=npkseg2zvbmxmtg7qrseredvym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mac Mini</span></a></li>\n      <li><strong>VNC:</strong> <code>vnc://macmini.iamworkin.lan:5900</code> &mdash; <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=npkseg2zvbmxmtg7qrseredvym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mac Mini</span></a></li>\n      <li><strong>Hardware:</strong> Apple M1, 16GB RAM, 926GB SSD</li>\n      <li><strong>OS:</strong> macOS 26.3.1 (Darwin 25.3.0)</li>\n      <li><strong>Role:</strong> Xcode builds, Selenium Grid node, automated browser/app testing</li>\n      <li><strong>Guacamole:</strong> SSH + VNC connections in Servers group</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Edge2 &mdash; Print Service</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>FlowerCore.Print.Web</div>\n    <ul>\n      <li><strong>URL:</strong> <a href=\"http://print.iamworkin.lan:5200\" target=\"_blank\">http://print.iamworkin.lan:5200</a></li>\n      <li><strong>Pages:</strong> 12 Blazor pages (barcode gen, batch print, product cache, AI labels)</li>\n      <li><strong>Symbologies:</strong> 9 (Code128, EAN-13, QR, DataMatrix, ITF-14, UPC-A/E, Code39, Codabar)</li>\n      <li><strong>Features:</strong> Product cache DB, AI label generation (Ollama on Pi), batch barcodes, combo labels</li>\n      <li><strong>MCP Tools:</strong> 10 tools for programmatic barcode/label generation</li>\n      <li><strong>Thermal Printer:</strong> Connected Epson ET-3750 (<span class=\"ip\">printer.iamworkin.lan</span>)</li>\n      <li><strong>systemd:</strong> <code>flowercore-print.service</code> (auto-start)</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Edge1 AI &amp; Speech Services</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Ollama (LLM Inference)</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://edge1.iamworkin.lan:11434</span> <button class=\"copy-btn\" onclick=\"copyText('http://edge1.iamworkin.lan:11434')\">copy</button></li>\n      <li><strong>Model:</strong> qwen2.5-coder:7b (4.7GB Q4_K_M)</li>\n      <li><strong>Managed by:</strong> profile::edge::ollama (Puppet)</li>\n      <li><strong>Firewall:</strong> nftables port 11434 from MGMT+PROD</li>\n      <li><strong>Note:</strong> SD card 95% full &mdash; one model max</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Piper TTS (Text-to-Speech)</div>\n    <ul>\n      <li><strong>Version:</strong> piper-tts 1.4.1 in ~/piper-env venv</li>\n      <li><strong>Voices:</strong> en_US-amy-low (16kHz) + en_US-amy-medium (22kHz)</li>\n      <li><strong>Performance:</strong> RTF 0.10 (10x real-time), 222ms latency (short)</li>\n      <li><strong>CPU Usage:</strong> 3/4 cores (271%)</li>\n      <li><strong>Note:</strong> 16kHz matches G.711 natively for telephony</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Hailo Whisper STT (Speech-to-Text)</div>\n    <ul>\n      <li><strong>Model:</strong> Whisper-Base HEF (131MB, v5.1.1)</li>\n      <li><strong>Path:</strong> /opt/hailo-models/Whisper-Base.hef</li>\n      <li><strong>Performance:</strong> RTF 0.05-0.11 (10-18x real-time)</li>\n      <li><strong>Model Load:</strong> 1.2s cold start</li>\n      <li><strong>Multi-process:</strong> VDevice for coexistence with Frigate</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Speech Pipeline Service</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://edge1.iamworkin.lan:8500</span> <button class=\"copy-btn\" onclick=\"copyText('http://edge1.iamworkin.lan:8500')\">copy</button></li>\n      <li><strong>Endpoints:</strong> POST /tts, POST /stt, GET /health</li>\n      <li><strong>User:</strong> <code>speech</code> in <code>hailo</code> group</li>\n      <li><strong>Managed by:</strong> profile::edge::speech_pipeline (Puppet)</li>\n      <li><strong>Firewall:</strong> nftables port 8500 from MGMT+PROD</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-yellow\"></span>Twilio Voice Bridge (PoC)</div>\n    <ul>\n      <li><strong>Location:</strong> /opt/twilio-bridge/ on edge1</li>\n      <li><strong>WebSocket:</strong> :8765 &bull; <strong>TwiML:</strong> :8766</li>\n      <li><strong>Cloudflare Tunnel:</strong> bluejay-voice (3ddfa567-b0a7-40cb-9c57-7f20f3ec3637)</li>\n      <li><strong>URLs:</strong> voice.bluejay.dev (TwiML), voice-ws.bluejay.dev (WS)</li>\n      <li><strong>Services:</strong> cloudflared-tunnel on noc1, twilio-bridge + twilio-twiml on edge1</li>\n      <li><strong>Status:</strong> <span class=\"b b-planned\">PoC</span> &mdash; STT fixed, TTS stream API mismatch</li>\n    </ul>\n  </div>\n</div>\n</div>\n\n<!-- ===== TAB: STORAGE ===== -->\n<div id=\"tab-storage\" class=\"tab-content\"\
-    >\n<h2>Storage</h2>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>BlueJayNAS &mdash; Synology DS1621+</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">nas.iamworkin.lan</span> (HOME VLAN 58, switch port 14)</li>\n      <li><strong>DNS:</strong> <code>nas.iamworkin.lan</code>, <code>synology.iamworkin.lan</code></li>\n      <li><strong>DSM:</strong> <a href=\"https://nas.iamworkin.lan:5001\" target=\"_blank\">https://nas.iamworkin.lan:5001</a> (v7.3.2-86009 Update 1)</li>\n      <li><strong>SSH:</strong> <code>bluejay@nas.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh bluejay@nas.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cbxfibct4j6jfm6ccsogpayjuy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJayNAS</span></a></li>\n      <li><strong>Model:</strong> DS1621+ (6-bay, AMD Ryzen V1500B)</li>\n      <li><strong>Storage:</strong> 9.1 TB Btrfs (RAID), ~7.8 TB free</li>\n      <li><strong>MAC:</strong> 00:11:32:f2:43:6b</li>\n      <li><strong>TLS Cert:</strong> ca.iamworkin.lan (step-ca ACME, expires 2026-06-03)</li>\n      <li><strong>NFS Domain:</strong> private.iamwork.in</li>\n      <li><strong>2FA:</strong> TOTP enabled on DSM</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--green);\">\n    <div class=\"card-title\">NFS Exports &amp; Services</div>\n    <ul>\n      <li><strong>Longhorn Backup:</strong> <code>nfs://nas.iamworkin.lan:/volume1/NetBackup/longhorn-backups</code></li>\n      <li><strong>Kubernetes Shared:</strong> <code>/volume1/kubernetes</code> (NFS mount for PVCs)</li>\n      <li><strong>Selenium Screenshots:</strong> <code>/volume1/selenium/screenshots</code> (AAT visual tests via PVC)</li>\n      <li><strong>Selenium Videos:</strong> <code>/volume1/selenium/videos</code> (test recordings)</li>\n      <li><strong>NFS Permissions:</strong> RKE2 nodes rke2-server/agent1/agent2 (MGMT VLAN cross-VLAN rule)</li>\n      <li><strong>Ports:</strong> NFS (2049), iSCSI (3260, no targets yet), DSM API (5001), SSH (22), SNMP (161)</li>\n      <li><strong>pfSense Rule:</strong> RKE2 &rarr; NAS on 2049/3260/5001</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--gold);\">\n    <div class=\"card-title\">Monitoring &amp; Security</div>\n    <ul>\n      <li><strong>SNMP:</strong> v2c community <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=7qias4wucncvleievorxda5pym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 SNMP</span></a></li>\n      <li><strong>Zabbix Host:</strong> BlueJayNAS (ID 10678) &mdash; Linux by SNMP template</li>\n      <li><strong>Prometheus:</strong> SNMP scrape via snmp-exporter (synology module)</li>\n      <li><strong>Auto Block:</strong> Enabled (brute-force protection)</li>\n      <li><strong>DSM Firewall:</strong> <span class=\"b b-offline\">DO NOT ENABLE</span> &mdash; synofirewall segfaults on 7.3.2, causes lockout</li>\n      <li><strong>admin account:</strong> <span class=\"b b-online\">ENABLED</span> &mdash; never disable (breaks all admin-group privileges)</li>\n      <li><strong>SSH:</strong> Keep <code>PasswordAuthentication yes</code> (disabling breaks sudo/PAM)</li>\n      <li><strong>Guacamole:</strong> SSH connection in Network Devices group</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--red);\">\n    <div class=\"card-title\">Recovery Notes</div>\n    <ul>\n      <li><strong>admin disabled recovery:</strong> Physical RESET button (4s hold, 1 beep) + power cycle</li>\n      <li><strong>Firewall lockout:</strong> Physical RESET (same procedure)</li>\n      <li><strong>Security hardening:</strong> Use pfSense cross-VLAN rules, NOT DSM-level firewall/SSH hardening</li>\n      <li><strong>CLI tools:</strong> <code>/usr/syno/bin/synopkg</code>, <code>/usr/syno/sbin/synouser</code>, <code>/usr/syno/sbin/synogroup</code></li>\n      <li><strong>DSM API:</strong> <code>https://nas.iamworkin.lan:5001/webapi/entry.cgi</code> &mdash; SYNO.API.Auth + otp_code for 2FA</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Longhorn Persistent Volume Claims (17 PVCs, ~69 Gi)</h3>\n<div class=\"note\"><strong>Longhorn &rarr; NAS Backup:</strong> Longhorn is the default StorageClass on the RKE2 cluster (iSCSI). All 17 PVCs backed up to BlueJayNAS via NFS. Daily backups at 02:00 UTC (retain 14 days), hourly snapshots (retain 24).</div>\n<table>\n<thead><tr><th>Namespace</th><th>PVC</th><th>Size</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td>monitoring</td><td>prometheus-data + grafana-data</td><td>12 Gi</td><td>Prometheus TSDB (90-day retention) + Grafana dashboards/DB</td></tr>\n<tr><td>zabbix</td><td>zabbix-postgres-data</td><td>10 Gi</td><td>Zabbix PostgreSQL (13 hosts, history/trends)</td></tr>\n<tr><td>gitea</td><td>gitea-shared-storage</td><td>10 Gi</td><td>Git repositories, LFS objects, attachments</td></tr>\n<tr><td>telephony</td><td>asterisk-data + telephony-data</td><td>10 Gi</td><td>Asterisk PBX config + FlowerCore.Telephony DB</td></tr>\n<tr><td>matrix</td><td>matrix-postgres-data + synapse-data</td><td>7 Gi</td><td>Matrix Synapse PostgreSQL + media store</td></tr>\n<tr><td>mail</td><td>mail-data + mail-state</td><td>6 Gi</td><td>docker-mailserver (Postfix queues, Dovecot mail)</td></tr>\n<tr><td>agent-zero</td><td>agent-zero-data + knowledge</td><td>6 Gi</td><td>Agent Zero persistent data + FAISS knowledge base</td></tr>\n<tr><td>guacamole</td><td>guac-mysql-data</td><td>5 Gi</td><td>Guacamole MySQL (14 connections, session history)</td></tr>\n<tr><td>irc</td><td>anope-data + unrealircd-data</td><td>2 Gi</td><td>IRC services DB (channels, nicks) + UnrealIRCd config</td></tr>\n<tr><td>teamspeak</td><td>teamspeak-data</td><td>1 Gi</td><td>TeamSpeak virtual server config + file transfers</td></tr>\n</tbody>\n</table>\n<table>\n<thead><tr><th>Component</th><th>Detail</th></tr></thead>\n<tbody>\n<tr><td>Storage Backend</td><td>Longhorn (iSCSI, default StorageClass, 3 replicas per volume)</td></tr>\n<tr><td>Backup Target</td><td><code>nfs://nas.iamworkin.lan:/volume1/NetBackup/longhorn-backups</code></td></tr>\n<tr><td>Backup Schedule</td><td>Daily at 02:00 UTC (retain 14 days), hourly snapshots (retain 24)</td></tr>\n<tr><td>RKE2 Requirement</td><td>iscsid enabled on all nodes (<code>systemctl enable --now iscsid</code>)</td></tr>\n<tr><td>Managed by</td><td>Puppet profile::kubernetes::rke2 (prerequisites, kernel modules, sysctl)</td></tr>\n</tbody>\n</table>\n\n<h3>Synology CSI Driver (Pending)</h3>\n<div class=\"note note-warn\"><strong>Status:</strong> Helm repo added, deployment pending. Will enable dynamic PVC provisioning directly from Synology NFS/iSCSI.</div>\n<table>\n<thead><tr><th>Component</th><th>Detail</th></tr></thead>\n<tbody>\n<tr><td>Driver</td><td>SynologyOpenSource/synology-csi v1.2.1</td></tr>\n<tr><td>Helm Chart</td><td>christian-schlichtherle, v0.11.0</td></tr>\n<tr><td>Protocols</td><td>NFS, iSCSI, SMB</td></tr>\n<tr><td>Service Account</td><td><code>k8s-csi</code> (UID 1032) on BlueJayNAS</td></tr>\n<tr><td>1Password</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cbxfibct4j6jfm6ccsogpayjuy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Synology CSI creds</span></a></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: WIFI ===== -->\n<div id=\"tab-wifi\" class=\"tab-content\">\n<h2>WiFi Networks</h2>\n<div class=\"note\"><strong>Credentials:</strong> All WiFi passwords are stored in the <strong>IAmWorkin</strong> vault on 1Password. To connect a device, open the 1Password app, find the WiFi entry, and scan the QR code from there. Passwords are not stored in this page for security.</div>\n<div class=\"note note-warn\"><strong>QR Code Connection:</strong> Open 1Password &rarr; search for the SSID name &rarr; tap &ldquo;Show QR Code&rdquo; &rarr; scan with your device camera. The QR code encodes the full <code>WIFI:T:WPA;S:{SSID};P:{PASSWORD};;;</code> connection string.</div>\n\n<div class=\"wifi-grid\" id=\"wifiGrid\">\n  <!-- BlueJay-Home -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Home\" data-vlan=\"58\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--purple);\">\n      <div class=\"wifi-ssid\">BlueJay-Home</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-home\">HOME (VLAN 58)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Home</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"\
-    wifi-value\">58 (untagged on AP)</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=vetpnvuxyfdcvkjr2cqhuaqekq\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Home network &mdash; personal / family use</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">800 / 800 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.29</span></span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Employee -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Employee\" data-vlan=\"59\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--cyan);\">\n      <div class=\"wifi-ssid\">BlueJay-Employee</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">EMPLOYEE (VLAN 59)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Employee</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">59</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=g36whfbi5zwcvsr6itowe67jjm\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Employee network &mdash; staff device access</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">500 / 500 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Work -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Work\" data-vlan=\"64\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--accent);\">\n      <div class=\"wifi-ssid\">BlueJay-Work</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">WORK (VLAN 64)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Work</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">64</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=4omsv5ybqoyk4tvqrqww7kv3yu\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Work network &mdash; business devices</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">500 / 500 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-School -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-School\" data-vlan=\"65\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--green);\">\n      <div class=\"wifi-ssid\">BlueJay-School</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">SCHOOL (VLAN 65)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-School</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">65</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=jnl2dodsrbli2y5rhwirvcywzy\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">School network &mdash; student devices</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">200 / 200 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Guest -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Guest\" data-vlan=\"66\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--gold);\">\n      <div class=\"wifi-ssid\">BlueJay-Guest</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-spare\">GUEST (VLAN 66)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder wifi-qr-open\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"\
-    14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Open network &mdash; no password required</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Guest</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">66</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">Open / Captive Portal</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><span class=\"b b-online\">None (open)</span></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Guest WiFi &mdash; fully isolated, NAT only</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">100 / 50 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n</div>\n\n<h3>WiFi Access Point</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Synology RT6600AX (AP Mode)</div>\n    <ul>\n      <li><strong>Management:</strong> <a href=\"http://wifi.iamworkin.lan:8000\" target=\"_blank\">http://wifi.iamworkin.lan:8000</a></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=hlys5gwgnfa2a2nclrr52dr6gu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Synology WiFi Router</span></a></li>\n      <li><strong>Mode:</strong> Access Point (bridge mode), all trunk ports enabled</li>\n      <li><strong>Bands:</strong> Wi-Fi 6E (2.4 GHz + 5 GHz + 6 GHz)</li>\n      <li><strong>Switch Port:</strong> 3 (trunk, native VLAN 58)</li>\n    </ul>\n  </div>\n</div>\n\n<div class=\"note\"><strong>Network Isolation:</strong> Each SSID maps to a separate VLAN with independent firewall rules and bandwidth limits. GUEST is fully isolated with NAT &mdash; no access to internal resources. EMPLOYEE, WORK, and SCHOOL share public IP .28 with traffic shaping.</div>\n</div>\n\n<!-- ===== TAB: CREDENTIALS ===== -->\n<div id=\"tab-credentials\" class=\"tab-content\">\n<h2>Credentials &amp; 1Password</h2>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password Connect Server</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://op-connect.iamworkin.lan:8180</span> <button class=\"copy-btn\" onclick=\"copyText('http://op-connect.iamworkin.lan:8180')\">copy</button></li>\n      <li><strong>Sync:</strong> <span class=\"ip\">http://op-connect.iamworkin.lan:8181</span></li>\n      <li><strong>Host:</strong> noc1 (Podman containers)</li>\n      <li><strong>Status:</strong> <span class=\"b b-online\">Online</span></li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password K8s Operator</div>\n    <ul>\n      <li><strong>Namespace:</strong> <code>onepassword-system</code></li>\n      <li><strong>Chart:</strong> 1password/connect v2.3.0</li>\n      <li><strong>Operator:</strong> v1.11.0</li>\n      <li><strong>Poll Interval:</strong> 600s</li>\n      <li><strong>Status:</strong> <span class=\"b b-online\">Online</span></li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--gold);\">\n    <div class=\"card-title\">IAmWorkin Vault</div>\n    <ul>\n      <li><strong>Vault Name:</strong> IAmWorkin</li>\n      <li><strong>Items:</strong> 45+ items (infra credentials + WiFi QR codes + Pi device passwords)</li>\n      <li><strong>Rotation:</strong> Quarterly (Jan/Apr/Jul/Oct)</li>\n      <li><strong>Script:</strong> <code>/opt/scripts/rotate-credentials.sh</code></li>\n      <li><strong>Timer:</strong> <code>credential-rotation.timer</code></li>\n    </ul>\n  </div>\n</div>\n\n<div class=\"note\"><strong>All infrastructure credentials are managed in 1Password.</strong> The IAmWorkin vault contains credentials for every service listed on this intranet. K8s workloads (Zabbix, Matrix, Guacamole, Mail, IRC, Gitea, ArgoCD) sync secrets automatically via OnePasswordItem CRDs. Credential rotation runs quarterly via systemd timer.</div>\n\n<h3>K8s Secret Sync (OnePasswordItem CRDs)</h3>\n<table>\n<thead><tr><th>Namespace</th><th>Secret Name</th><th>Source (1Password Item)</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>zabbix</td><td>zabbix-credentials</td><td>Zabbix Monitoring</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>matrix</td><td>matrix-credentials</td><td>Matrix Synapse</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>guacamole</td><td>guacamole-credentials</td><td>Apache Guacamole</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>mail</td><td>mail-credentials</td><td>Mail Server</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>irc</td><td>irc-credentials</td><td>IRC Services</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>gitea</td><td>gitea-credentials</td><td>Gitea</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>argocd</td><td>argocd-credentials</td><td>ArgoCD</td><td><span class=\"b b-online\">Synced</span></td></tr>\n</tbody>\n</table>\n\n<h3>Pi Fleet &amp; Edge Node Credentials</h3>\n<table>\n<thead><tr><th>Device</th><th>IP</th><th>User</th><th>1Password Item</th><th>Services</th></tr></thead>\n<tbody>\n<tr><td>edge1 (Pi 5)</td><td><span class=\"ip\">edge1.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge1 Pi5 SSH</span></a></td><td>Ollama, Piper TTS, Hailo STT, Frigate</td></tr>\n<tr><td>edge2 (Pi 4)</td><td><span class=\"ip\">edge2.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=kyeqfwy76msqb4cfdjueaq5uta\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge2 Pi4 SSH</span></a></td><td>GitHub Actions runners</td></tr>\n<tr><td>piez (Pi 4)</td><td><span class=\"ip\">piez.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 piez</span></a></td><td>PiManager :5000 (GPIO, I2C, SPI)</td></tr>\n<tr><td>pirelay (Pi 3)</td><td><span class=\"ip\">pirelay.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 pirelay</span></a></td><td>PiManager :5100 (4-ch relay)</td></tr>\n<tr><td>Mac Mini</td><td><span class=\"ip\">macmini.iamworkin.lan</span></td><td><code>bluejay</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=npkseg2zvbmxmtg7qrseredvym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mac Mini</span></a></td><td>SSH + VNC :5900, Xcode builds</td></tr>\n</tbody>\n</table>\n\n<h3>Credential Rotation</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Rotation Script</div>\n    <ul>\n      <li><strong>Path:</strong> <code>/opt/scripts/rotate-credentials.sh</code></li>\n      <li><strong>Usage:</strong> <code>rotate-credentials.sh {service|all} [--dry-run]</code></li>\n      <li><strong>Services:</strong> grafana, guacamole, zabbix, argocd, gitea, snappymail, traefik, matrix, harvester (17/17 complete, all XKCD-style)</li>\n      <li><strong>Schedule:</strong> Quarterly (1st of Jan/Apr/Jul/Oct at 03:00 UTC)</li>\n      <li><strong>Log:</strong> <code>/var/log/credential-rotation.log</code></li>\n    </ul>\n  </div>\n</div>\n</div>\n\n<!-- ===== TAB: PLANNED ===== -->\n<div id=\"tab-planned\" class=\"tab-content\">\n<h2>Planned Services</h2>\n<div class=\"note\">All previously planned services (Gitea, IRC, Zabbix, ArgoCD, 1Password, Mail, Matrix, TeamSpeak, Guacamole) are now <strong>live on RKE2</strong>. Remaining planned items are Windows Server VMs and authenticated proxy.</div>\n<table>\n<thead><tr><th>Service</th><th>IP</th><th>Host</th><th>Role</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>Windows DC1</td><td><span class=\"ip\">10.0.56.20</span></td><td>VM (hypervisor TBD)</td><td>AD Domain Controller (iamworkin.lan)</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows WAC1</td><td><span class=\"ip\">10.0.56.21</span></td><td>VM (hypervisor TBD)</td><td>Windows Admin Center</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows RDS1</td><td><span class=\"ip\">10.0.57.20</span></td><td>VM (hypervisor TBD)</td><td>Remote\
-    \ Desktop Services</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows IIS1</td><td><span class=\"ip\">10.0.57.21</span></td><td>VM (hypervisor TBD)</td><td>IIS Web Server</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Squid Proxy</td><td><span class=\"ip\">10.0.56.22</span></td><td>VM (hypervisor TBD)</td><td>Authenticated web proxy (Kerberos/LDAP)</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: TOPOLOGY ===== -->\n<div id=\"tab-topology\" class=\"tab-content\">\n<h2>Network Topology</h2>\n<div style=\"display:flex;flex-direction:column;align-items:center;gap:8px;padding:1.5rem;\">\n\n<div class=\"card\" style=\"text-align:center;max-width:280px;border-color:var(--text-muted);\"><div class=\"card-title\" style=\"justify-content:center;\">Internet</div></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:320px;\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>Frontier ONT + NVG468MQ Modem</div><p><span class=\"ip\">WAN: 74.32.185.184</span> &bull; <span class=\"ip\">/28: .17-.29</span></p><p style=\"font-size:0.78rem;\">192.168.254.254 &bull; DMZ to pfSense</p></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:360px;border-color:var(--accent);\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>pfSense Netgate 4100</div><p><span class=\"ip\">WAN: ix3 (.122)</span> &bull; <span class=\"ip\">LAN: igc0</span> (802.1Q trunk)</p><p style=\"font-size:0.78rem;\">13 VLANs &bull; 13 VIPs &bull; 28 port forwards &bull; DNS/DHCP/NTP/SNMP</p></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:340px;\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>UniFi USW-Lite-16-PoE Switch</div><p><span class=\"ip\">switch.iamworkin.lan</span> &bull; 16 ports &bull; VLANs 56-67</p></div>\n<div style=\"width:2px;height:8px;background:var(--border-accent);\"></div>\n\n<div style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(200px,1fr));gap:10px;width:100%;max-width:1200px;\">\n  <div class=\"card\" style=\"border-left:3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>noc1</div>\n    <p><span class=\"ip\">noc1.iamworkin.lan</span> <span class=\"b b-mgmt\">MGMT</span></p>\n    <p style=\"font-size:0.78rem;\">Celeron N5105 &bull; 32GB &bull; K3s + Podman</p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Grafana :3000</li><li>Prometheus :9091</li>\n      <li>step-ca :9443</li><li>Cockpit :9090</li>\n      <li>Puppet :8140</li><li>1Password Connect :8180</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--green);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>RKE2 Bare-Metal Cluster</div>\n    <p><span class=\"ip\">Traefik: traefik.iamworkin.lan</span> <span class=\"b b-mgmt\">MGMT</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>rke2-server: <span class=\"ip\">.11</span> (i7-1260P/64GB, control plane)</li>\n      <li>rke2-agent1: <span class=\"ip\">.12</span> (i7-1260P/64GB, worker)</li>\n      <li>rke2-agent2: <span class=\"ip\">.13</span> (i5-1340P/64GB, worker)</li>\n    </ul>\n    <p style=\"font-size:0.78rem;\">RKE2 v1.34.5 &bull; Calico &bull; MetalLB &bull; Longhorn &bull; Traefik v3.3.4 &bull; ArgoCD &bull; 11 apps &bull; Asterisk PBX</p>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--cyan);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>WiFi (Synology RT6600AX)</div>\n    <p><span class=\"ip\">wifi.iamworkin.lan</span> <span class=\"b b-home\">HOME</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>BlueJay-Home (untagged)</li><li>BlueJay-Employee (VLAN 59)</li>\n      <li>BlueJay-Work (VLAN 64)</li><li>BlueJay-School (VLAN 65)</li>\n      <li>BlueJay-Guest (VLAN 66)</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--orange);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>PROD Nodes</div>\n    <p><span class=\"b b-prod\">PROD VLAN 57</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Mac Mini: <span class=\"ip\">macmini.iamworkin.lan</span> (Xcode)</li>\n      <li>edge1 Pi5: <span class=\"ip\">edge1.iamworkin.lan</span> (Hailo AI)</li>\n      <li>edge2 Pi4: <span class=\"ip\">edge2.iamworkin.lan</span> (CI runner)</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--purple);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>HOME Pi Fleet</div>\n    <p><span class=\"b b-home\">HOME VLAN 58</span> &bull; FlowerCore.PiManager</p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>piez Pi4: <span class=\"ip\">piez.iamworkin.lan</span> (EZ Connect, GPIO/I2C/SPI) — <a href=\"http://piez.iamworkin.lan:5000\">:5000</a></li>\n      <li>pirelay Pi3: <span class=\"ip\">pirelay.iamworkin.lan</span> (KS0212 4-ch relay) — <a href=\"http://pirelay.iamworkin.lan:5100\">:5100</a></li>\n      <li style=\"font-size:0.72rem;color:var(--text-muted);\">Unified PiManager binary &bull; config-driven &bull; node-exporter &bull; Zabbix</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--gold);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Network Devices &amp; Storage</div>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Cloud Key: <span class=\"ip\">unifi.iamworkin.lan</span></li>\n      <li>BlueJayNAS (DS1621+): <span class=\"ip\">nas.iamworkin.lan</span></li>\n      <li style=\"font-size:0.72rem;color:var(--text-muted);\">9.1TB Btrfs &bull; NFS &bull; Longhorn backup &bull; SNMP</li>\n      <li>Modem: <span class=\"ip\">192.168.254.254</span></li>\n    </ul>\n  </div>\n</div>\n</div>\n</div>\n\n<!-- ===== TAB: DOMAINS ===== -->\n<div id=\"tab-domains\" class=\"tab-content\">\n<h2>Domains</h2>\n<div class=\"summary-grid\">\n  <div class=\"summary-card\"><div class=\"summary-number\">17</div><div class=\"summary-label\">Registered Domains</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">1</div><div class=\"summary-label\">Internal Domain</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">1</div><div class=\"summary-label\">Blog Hosting (DreamHost)</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">18</div><div class=\"summary-label\">Total Domains</div></div>\n</div>\n\n<h3>FlowerCore Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>flowercore.io</strong></td><td><span class=\"b b-prod\">FlowerCore</span></td><td>Andrew</td><td>Production API</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.xyz</strong></td><td><span class=\"b b-prod\">FlowerCore</span></td><td>Andrew</td><td>Dev/staging</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.com</strong></td><td><span class=\"b b-prod\">FlowerCore Co</span></td><td>Andrew</td><td>Company site</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.nl</strong></td><td><span class=\"b b-prod\">FlowerCore Co</span></td><td>Andrew</td><td>Dutch site</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Work Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>iamwork.in</strong></td><td><span class=\"b b-wifi\">Work</span></td><td>Andrew</td><td>Employee portal, IVR, Telephony</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>iamworkin.com</strong></td><td><span class=\"b b-wifi\">Work</span></td><td>Andrew</td><td>Redirect</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Personal &amp; Tenant Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>ackeroni.com</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Personal</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>erckak.com</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Personal</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>erckak.dev</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Developer portfolio</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>digirido.com</strong></td><td><span class=\"b b-spare\">Random</span></td><td>Andrew</td><td>DigiKey testing</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>timeforta.co</strong></td><td><span class=\"b b-tenant\">Dustin</span></td><td>Dustin</td><td>Personal</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>shenanjia.com</strong></td><td><span class=\"b b-home\">Wife</span></td><td>Wife</td><td>Personal site</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>bluejay.api</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>API experiments</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>bluejay.dev</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>Dev projects, voice bridge</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>jayblue.dev</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>Dev projects</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>z.orb</strong></td><td><span\
-    \ class=\"b b-spare\">Random</span></td><td>Andrew</td><td>Short URL</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Blog &amp; Content Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>pebbleandpeanut.com</strong></td><td><span class=\"b b-home\">Blog</span></td><td>Andrew</td><td>Personal blog</td><td>DreamHost</td><td>Namecheap</td></tr>\n<tr><td><strong>pebblesandpeanuts.com</strong></td><td><span class=\"b b-home\">Blog</span></td><td>Andrew</td><td>Alt redirect</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Internal Domain</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Notes</th></tr></thead>\n<tbody>\n<tr><td><strong>iamworkin.lan</strong></td><td><span class=\"b b-mgmt\">Internal</span></td><td>Andrew</td><td>Internal infrastructure, future AD DS</td><td>pfSense Unbound</td><td>52+ host overrides + 4 wildcard redirect zones, not publicly registered</td></tr>\n</tbody>\n</table>\n\n<h3>Cloudflare (6 Zones)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Cloudflare Account</div>\n    <ul>\n      <li><strong>Account:</strong> Astoltz@iamwork.in</li>\n      <li><strong>Plan:</strong> Pro (planned)</li>\n      <li><strong>NS:</strong> dan.ns.cloudflare.com, frida.ns.cloudflare.com</li>\n      <li><strong>All Zones:</strong> SSL Full(strict), HSTS, min TLS 1.2</li>\n      <li><strong>API Tokens:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=mp5u2gxtq4xaz2wfsggxzm2a3e\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Cloudflare API Tokens</span></a></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Active Zones</div>\n    <ul>\n      <li><strong>flowercore.io</strong> &mdash; Production API, landing page</li>\n      <li><strong>iamwork.in</strong> &mdash; Employee portal, telephony, DDNS</li>\n      <li><strong>bluejay.dev</strong> &mdash; Dev projects, voice bridge</li>\n      <li><strong>erckak.dev</strong> &mdash; Erik developer portfolio</li>\n      <li><strong>timeforta.co</strong> &mdash; Dustin personal</li>\n      <li><strong>flowerinsider.xyz</strong> &mdash; Dev/staging</li>\n    </ul>\n  </div>\n</div>\n<h3>Namecheap API</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">API Configuration</div>\n    <ul>\n      <li><strong>Base URL:</strong> <code>https://api.namecheap.com/xml.response</code> <button class=\"copy-btn\" onclick=\"copyText('https://api.namecheap.com/xml.response')\">copy</button></li>\n      <li><strong>API User:</strong> <code>astoltz</code> <button class=\"copy-btn\" onclick=\"copyText('astoltz')\">copy</button></li>\n      <li><strong>API Key:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=wghrgst2tjer36istiwej43fcy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Namecheap API</span></a></li>\n      <li><strong>Sandbox URL:</strong> <code>https://api.sandbox.namecheap.com/xml.response</code> <button class=\"copy-btn\" onclick=\"copyText('https://api.sandbox.namecheap.com/xml.response')\">copy</button></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Dynamic DNS</div>\n    <ul>\n      <li><strong>Hostname:</strong> <code>gateway.iamwork.in</code> <button class=\"copy-btn\" onclick=\"copyText('gateway.iamwork.in')\">copy</button></li>\n      <li><strong>Points to:</strong> pfSense WAN IP (auto-updated)</li>\n      <li><strong>DDNS:</strong> gateway.iamwork.in &rarr; pfSense WAN DHCP IP (via Cloudflare API)</li>\n      <li><strong>Update Method:</strong> pfSense Dynamic DNS client (Cloudflare API token)</li>\n      <li><strong>Token:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=mp5u2gxtq4xaz2wfsggxzm2a3e\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Cloudflare pfSense Token</span></a></li>\n    </ul>\n  </div>\n</div>\n\n<h3>Internal DNS Architecture</h3>\n<div class=\"note\"><strong>Split-Horizon DNS (LIVE):</strong> External requests to flowercore.io resolve via Cloudflare to public IP .24 (PROD). Internal requests resolve via pfSense Unbound to K8s MetalLB VIP (10.0.56.200), avoiding NAT hairpin. All internal infrastructure uses iamworkin.lan zone. 4 tenant .lan wildcard redirect zones configured in Unbound (base64-encoded custom_options).</div>\n\n<h3>Planned IPv6 (ULA)</h3>\n<table>\n<thead><tr><th>Prefix</th><th>Scheme</th><th>Method</th></tr></thead>\n<tbody>\n<tr><td><code>fdbc:56:XX::/64</code></td><td>XX = VLAN ID (e.g., fdbc:56:56::/64 for MGMT)</td><td>SLAAC + DHCPv6 (servers), SLAAC-only (clients)</td></tr>\n</tbody>\n</table>\n</div>\n\n<script>\n/* ===== QR Code Generator (inline, air-gap safe) ===== */\n/* Minimal QR code encoder — generates canvas-based QR codes. Based on public domain QR algorithms. */\nvar QRCode=(function(){\nvar PAD0=0xEC,PAD1=0x11;\nfunction QRCode(typeNumber,errorCorrectionLevel){this.typeNumber=typeNumber;this.errorCorrectionLevel=errorCorrectionLevel;this.modules=null;this.moduleCount=0;this.dataCache=null;this.dataList=[];}\nQRCode.prototype={addData:function(data){this.dataList.push(new QR8bitByte(data));this.dataCache=null;},make:function(){if(this.typeNumber<1){var tn=1;for(tn=1;tn<40;tn++){var rs=QRRSBlock.getRSBlocks(tn,this.errorCorrectionLevel);var buf=new QRBitBuffer();for(var i=0;i<this.dataList.length;i++){var d=this.dataList[i];buf.put(d.mode,4);buf.put(d.getLength(),QRUtil.getLengthInBits(d.mode,tn));d.write(buf);}var totalDataCount=0;for(i=0;i<rs.length;i++){totalDataCount+=rs[i].dataCount;}if(buf.getLengthInBits()<=totalDataCount*8)break;}this.typeNumber=tn;}this.makeImpl(false,this.getBestMaskPattern());},makeImpl:function(test,maskPattern){this.moduleCount=this.typeNumber*4+17;this.modules=new Array(this.moduleCount);for(var row=0;row<this.moduleCount;row++){this.modules[row]=new Array(this.moduleCount);for(var col=0;col<this.moduleCount;col++){this.modules[row][col]=null;}}this.setupPositionProbePattern(0,0);this.setupPositionProbePattern(this.moduleCount-7,0);this.setupPositionProbePattern(0,this.moduleCount-7);this.setupPositionAdjustPattern();this.setupTimingPattern();this.setupTypeInfo(test,maskPattern);if(this.typeNumber>=7){this.setupTypeNumber(test);}if(this.dataCache==null){this.dataCache=QRCode.createData(this.typeNumber,this.errorCorrectionLevel,this.dataList);}this.mapData(this.dataCache,maskPattern);},setupPositionProbePattern:function(row,col){for(var r=-1;r<=7;r++){if(row+r<=-1||this.moduleCount<=row+r)continue;for(var c=-1;c<=7;c++){if(col+c<=-1||this.moduleCount<=col+c)continue;if((0<=r&&r<=6&&(c==0||c==6))||(0<=c&&c<=6&&(r==0||r==6))||(2<=r&&r<=4&&2<=c&&c<=4)){this.modules[row+r][col+c]=true;}else{this.modules[row+r][col+c]=false;}}}},getBestMaskPattern:function(){var minLostPoint=0;var pattern=0;for(var i=0;i<8;i++){this.makeImpl(true,i);var lostPoint=QRUtil.getLostPoint(this);if(i==0||minLostPoint>lostPoint){minLostPoint=lostPoint;pattern=i;}}return pattern;},setupTimingPattern:function(){for(var r=8;r<this.moduleCount-8;r++){if(this.modules[r][6]!=null)continue;this.modules[r][6]=(r%2==0);}for(var c=8;c<this.moduleCount-8;c++){if(this.modules[6][c]!=null)continue;this.modules[6][c]=(c%2==0);}},setupPositionAdjustPattern:function(){var pos=QRUtil.getPatternPosition(this.typeNumber);for(var i=0;i<pos.length;i++){for(var j=0;j<pos.length;j++){var row=pos[i];var col=pos[j];if(this.modules[row][col]!=null)continue;for(var r=-2;r<=2;r++){for(var c=-2;c<=2;c++){if(r==-2||r==2||c==-2||c==2||(r==0&&c==0)){this.modules[row+r][col+c]=true;}else{this.modules[row+r][col+c]=false;}}}}}},setupTypeNumber:function(test){var bits=QRUtil.getBCHTypeNumber(this.typeNumber);for(var i=0;i<18;i++){var mod=(!test&&((bits>>i)&1)==1);this.modules[Math.floor(i/3)][i%3+this.moduleCount-8-3]=mod;}for(i=0;i<18;i++){mod=(!test&&((bits>>i)&1)==1);this.modules[i%3+this.moduleCount-8-3][Math.floor(i/3)]=mod;}},setupTypeInfo:function(test,maskPattern){var data=(this.errorCorrectionLevel<<3)|maskPattern;var bits=QRUtil.getBCHTypeInfo(data);for(var i=0;i<15;i++){var mod=(!test&&((bits>>i)&1)==1);if(i<6){this.modules[i][8]=mod;}else if(i<8){this.modules[i+1][8]=mod;}else{this.modules[this.moduleCount-15+i][8]=mod;}}for(i=0;i<15;i++){mod=(!test&&((bits>>i)&1)==1);if(i<8){this.modules[8][this.moduleCount-i-1]=mod;}else if(i<9){this.modules[8][15-i-1+1]=mod;}else{this.modules[8][15-i-1]=mod;}}this.modules[this.moduleCount-8][8]=(!test);},mapData:function(data,maskPattern){var inc=-1;var row=this.moduleCount-1;var bitIndex=7;var byteIndex=0;for(var col=this.moduleCount-1;col>0;col-=2){if(col==6)col--;while(true){for(var c=0;c<2;c++){if(this.modules[row][col-c]==null){var dark=false;if(byteIndex<data.length){dark=(((data[byteIndex]>>>bitIndex)&1)==1);}var mask=QRUtil.getMask(maskPattern,row,col-c);if(mask){dark=!dark;}this.modules[row][col-c]=dark;bitIndex--;if(bitIndex==-1){byteIndex++;bitIndex=7;}}}row+=inc;if(row<0||this.moduleCount<=row){row-=inc;inc=-inc;break;}}}}};\nQRCode.createData=function(typeNumber,errorCorrectionLevel,dataList){var rsBlocks=QRRSBlock.getRSBlocks(typeNumber,errorCorrectionLevel);var buffer=new QRBitBuffer();for(var i=0;i<dataList.length;i++){var data=dataList[i];buffer.put(data.mode,4);buffer.put(data.getLength(),QRUtil.getLengthInBits(data.mode,typeNumber));data.write(buffer);}var totalDataCount=0;for(i=0;i<rsBlocks.length;i++){totalDataCount+=rsBlocks[i].dataCount;}if(buffer.getLengthInBits()>totalDataCount*8){throw new Error('code length overflow. ('+buffer.getLengthInBits()+'>'+totalDataCount*8+')');}if(buffer.getLengthInBits()+4<=totalDataCount*8){buffer.put(0,4);}while(buffer.getLengthInBits()%8!=0){buffer.putBit(false);}while(true){if(buffer.getLengthInBits()>=totalDataCount*8)break;buffer.put(PAD0,8);if(buffer.getLengthInBits()>=totalDataCount*8)break;buffer.put(PAD1,8);}return\
-    \ QRCode.createBytes(buffer,rsBlocks);};\nQRCode.createBytes=function(buffer,rsBlocks){var offset=0;var maxDcCount=0;var maxEcCount=0;var dcdata=new Array(rsBlocks.length);var ecdata=new Array(rsBlocks.length);for(var r=0;r<rsBlocks.length;r++){var dcCount=rsBlocks[r].dataCount;var ecCount=rsBlocks[r].totalCount-dcCount;maxDcCount=Math.max(maxDcCount,dcCount);maxEcCount=Math.max(maxEcCount,ecCount);dcdata[r]=new Array(dcCount);for(var i=0;i<dcdata[r].length;i++){dcdata[r][i]=0xff&buffer.buffer[i+offset];}offset+=dcCount;var rsPoly=QRUtil.getErrorCorrectPolynomial(ecCount);var rawPoly=new QRPolynomial(dcdata[r],rsPoly.getLength()-1);var modPoly=rawPoly.mod(rsPoly);ecdata[r]=new Array(rsPoly.getLength()-1);for(i=0;i<ecdata[r].length;i++){var modIndex=i+modPoly.getLength()-ecdata[r].length;ecdata[r][i]=(modIndex>=0)?modPoly.get(modIndex):0;}}var totalCodeCount=0;for(i=0;i<rsBlocks.length;i++){totalCodeCount+=rsBlocks[i].totalCount;}var data=new Array(totalCodeCount);var index=0;for(i=0;i<maxDcCount;i++){for(r=0;r<rsBlocks.length;r++){if(i<dcdata[r].length){data[index++]=dcdata[r][i];}}}for(i=0;i<maxEcCount;i++){for(r=0;r<rsBlocks.length;r++){if(i<ecdata[r].length){data[index++]=ecdata[r][i];}}}return data;};\nfunction QR8bitByte(data){this.mode=4;this.data=data;}QR8bitByte.prototype={getLength:function(){return this.data.length;},write:function(buffer){for(var i=0;i<this.data.length;i++){buffer.put(this.data.charCodeAt(i),8);}}};\nvar QRUtil={PATTERN_POSITION_TABLE:[[],[6,18],[6,22],[6,26],[6,30],[6,34],[6,22,38],[6,24,42],[6,26,46],[6,28,50],[6,30,54],[6,32,58],[6,34,62],[6,26,46,66],[6,26,48,70],[6,26,50,74],[6,30,54,78],[6,30,56,82],[6,30,58,86],[6,34,62,90],[6,28,50,72,94],[6,26,50,74,98],[6,30,54,78,102],[6,28,54,80,106],[6,32,58,84,110],[6,30,58,86,114],[6,34,62,90,118],[6,26,50,74,98,122],[6,30,54,78,102,126],[6,26,52,78,104,130],[6,30,56,82,108,134],[6,34,60,86,112,138],[6,30,58,86,114,142],[6,34,62,90,118,146],[6,30,54,78,102,126,150],[6,24,50,76,102,128,154],[6,28,54,80,106,132,158],[6,32,58,84,110,136,162],[6,26,54,82,110,138,166],[6,30,58,86,114,142,170]],G15:(1<<10)|(1<<8)|(1<<5)|(1<<4)|(1<<2)|(1<<1)|(1<<0),G18:(1<<12)|(1<<11)|(1<<10)|(1<<9)|(1<<8)|(1<<5)|(1<<2)|(1<<0),G15_MASK:(1<<14)|(1<<12)|(1<<10)|(1<<4)|(1<<1),getBCHTypeInfo:function(data){var d=data<<10;while(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G15)>=0){d^=(QRUtil.G15<<(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G15)));}return((data<<10)|d)^QRUtil.G15_MASK;},getBCHTypeNumber:function(data){var d=data<<12;while(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G18)>=0){d^=(QRUtil.G18<<(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G18)));}return(data<<12)|d;},getBCHDigit:function(data){var digit=0;while(data!=0){digit++;data>>>=1;}return digit;},getPatternPosition:function(typeNumber){return QRUtil.PATTERN_POSITION_TABLE[typeNumber-1];},getMask:function(maskPattern,i,j){switch(maskPattern){case 0:return(i+j)%2==0;case 1:return i%2==0;case 2:return j%3==0;case 3:return(i+j)%3==0;case 4:return(Math.floor(i/2)+Math.floor(j/3))%2==0;case 5:return(i*j)%2+(i*j)%3==0;case 6:return((i*j)%2+(i*j)%3)%2==0;case 7:return((i*j)%3+(i+j)%2)%2==0;default:throw new Error('bad maskPattern:'+maskPattern);}},getErrorCorrectPolynomial:function(errorCorrectLength){var a=new QRPolynomial([1],0);for(var i=0;i<errorCorrectLength;i++){a=a.multiply(new QRPolynomial([1,QRMath.gexp(i)],0));}return a;},getLengthInBits:function(mode,type){if(1<=type&&type<10){return 8;}else if(type<27){return 16;}else if(type<41){return 16;}throw new Error('type:'+type);},getLostPoint:function(qrCode){var moduleCount=qrCode.moduleCount;var lostPoint=0;for(var row=0;row<moduleCount;row++){for(var col=0;col<moduleCount;col++){var sameCount=0;var dark=qrCode.modules[row][col];for(var r=-1;r<=1;r++){if(row+r<0||moduleCount<=row+r)continue;for(var c=-1;c<=1;c++){if(col+c<0||moduleCount<=col+c)continue;if(r==0&&c==0)continue;if(dark==qrCode.modules[row+r][col+c]){sameCount++;}}}if(sameCount>5){lostPoint+=(3+sameCount-5);}}}for(row=0;row<moduleCount-1;row++){for(col=0;col<moduleCount-1;col++){var count=0;if(qrCode.modules[row][col])count++;if(qrCode.modules[row+1][col])count++;if(qrCode.modules[row][col+1])count++;if(qrCode.modules[row+1][col+1])count++;if(count==0||count==4){lostPoint+=3;}}}for(row=0;row<moduleCount;row++){for(col=0;col<moduleCount-6;col++){if(qrCode.modules[row][col]&&!qrCode.modules[row][col+1]&&qrCode.modules[row][col+2]&&qrCode.modules[row][col+3]&&qrCode.modules[row][col+4]&&!qrCode.modules[row][col+5]&&qrCode.modules[row][col+6]){lostPoint+=40;}}}for(col=0;col<moduleCount;col++){for(row=0;row<moduleCount-6;row++){if(qrCode.modules[row][col]&&!qrCode.modules[row+1][col]&&qrCode.modules[row+2][col]&&qrCode.modules[row+3][col]&&qrCode.modules[row+4][col]&&!qrCode.modules[row+5][col]&&qrCode.modules[row+6][col]){lostPoint+=40;}}}var darkCount=0;for(col=0;col<moduleCount;col++){for(row=0;row<moduleCount;row++){if(qrCode.modules[row][col]){darkCount++;}}}var ratio=Math.abs(100*darkCount/moduleCount/moduleCount-50)/5;lostPoint+=ratio*10;return lostPoint;}};\nvar QRMath={glog:function(n){if(n<1)throw new Error('glog('+n+')');return QRMath.LOG_TABLE[n];},gexp:function(n){while(n<0){n+=255;}while(n>=256){n-=255;}return QRMath.EXP_TABLE[n];},EXP_TABLE:new Array(256),LOG_TABLE:new Array(256)};for(var i=0;i<8;i++){QRMath.EXP_TABLE[i]=1<<i;}for(i=8;i<256;i++){QRMath.EXP_TABLE[i]=QRMath.EXP_TABLE[i-4]^QRMath.EXP_TABLE[i-5]^QRMath.EXP_TABLE[i-6]^QRMath.EXP_TABLE[i-8];}for(i=0;i<255;i++){QRMath.LOG_TABLE[QRMath.EXP_TABLE[i]]=i;}\nfunction QRPolynomial(num,shift){if(num.length==undefined)throw new Error(num.length+'/'+shift);var offset=0;while(offset<num.length&&num[offset]==0){offset++;}this.num=new Array(num.length-offset+shift);for(var i=0;i<num.length-offset;i++){this.num[i]=num[i+offset];}}QRPolynomial.prototype={get:function(index){return this.num[index];},getLength:function(){return this.num.length;},multiply:function(e){var num=new Array(this.getLength()+e.getLength()-1);for(var i=0;i<this.getLength();i++){for(var j=0;j<e.getLength();j++){num[i+j]^=QRMath.gexp(QRMath.glog(this.get(i))+QRMath.glog(e.get(j)));}}return new QRPolynomial(num,0);},mod:function(e){if(this.getLength()-e.getLength()<0)return this;var ratio=QRMath.glog(this.get(0))-QRMath.glog(e.get(0));var num=new Array(this.getLength());for(var i=0;i<this.getLength();i++){num[i]=this.get(i);}for(i=0;i<e.getLength();i++){num[i]^=QRMath.gexp(QRMath.glog(e.get(i))+ratio);}return new QRPolynomial(num,0).mod(e);}};\nfunction QRRSBlock(totalCount,dataCount){this.totalCount=totalCount;this.dataCount=dataCount;}\nQRRSBlock.RS_BLOCK_TABLE=[[1,26,19],[1,26,16],[1,26,13],[1,26,9],[1,44,34],[1,44,28],[1,44,22],[1,44,16],[1,70,55],[1,70,44],[2,35,17],[2,35,13],[1,100,80],[2,50,32],[2,50,24],[4,25,9],[1,134,108],[2,67,43],[2,33,15,2,34,16],[2,33,11,2,34,12],[2,86,68],[4,43,27],[4,43,19],[4,43,15],[2,98,78],[4,49,31],[2,32,14,4,33,15],[4,39,13,1,40,14],[2,121,97],[2,60,38,2,61,39],[4,40,18,2,41,19],[4,40,14,2,41,15],[2,146,116],[3,58,36,2,59,37],[4,36,16,4,37,17],[4,36,12,4,37,13],[2,86,68,2,87,69],[4,69,43,1,70,44],[6,43,19,2,44,20],[6,43,15,2,44,16],[4,101,81],[1,80,50,4,81,51],[4,50,22,4,51,23],[3,36,12,8,37,13],[2,116,92,2,117,93],[6,58,36,2,59,37],[4,46,20,6,47,21],[7,42,14,4,43,15],[4,133,107],[8,59,37,1,60,38],[8,44,20,4,45,21],[12,33,11,4,34,12],[3,145,115,1,146,116],[4,64,40,5,65,41],[11,36,16,5,37,17],[11,36,12,5,37,13],[5,109,87,1,110,88],[5,65,41,5,66,42],[5,54,24,7,55,25],[11,36,12,7,37,13],[5,122,98,1,123,99],[7,73,45,3,74,46],[15,43,19,2,44,20],[3,45,15,13,46,16],[1,135,107,5,136,108],[10,74,46,1,75,47],[1,50,22,15,51,23],[2,42,14,17,43,15],[5,150,120,1,151,121],[9,69,43,4,70,44],[17,50,22,1,51,23],[2,42,14,19,43,15],[3,141,113,4,142,114],[3,70,44,11,71,45],[17,47,21,4,48,22],[9,39,13,16,40,14],[3,135,107,5,136,108],[3,67,41,13,68,42],[15,54,24,5,55,25],[15,43,15,10,44,16],[4,144,116,4,145,117],[17,68,42],[17,50,22,6,51,23],[19,46,16,6,47,17],[2,139,111,7,140,112],[17,74,46],[7,54,24,16,55,25],[34,37,13],[4,151,121,5,152,122],[4,75,47,14,76,48],[11,54,24,14,55,25],[16,45,15,14,46,16],[6,147,117,4,148,118],[6,73,45,14,74,46],[11,54,24,16,55,25],[30,46,16,2,47,17],[8,132,106,4,133,107],[8,75,47,13,76,48],[7,54,24,22,55,25],[22,45,15,13,46,16],[10,142,114,2,143,115],[19,74,46,4,75,47],[28,50,22,6,51,23],[33,46,16,4,47,17],[8,152,122,4,153,123],[22,73,45,3,74,46],[8,53,23,26,54,24],[12,45,15,28,46,16],[3,147,117,10,148,118],[3,73,45,23,74,46],[4,54,24,31,55,25],[11,45,15,31,46,16],[7,146,116,7,147,117],[21,73,45,7,74,46],[1,53,23,37,54,24],[19,45,15,26,46,16],[5,145,115,10,146,116],[19,75,47,10,76,48],[15,54,24,25,55,25],[23,45,15,25,46,16],[13,145,115,3,146,116],[2,74,46,29,75,47],[42,54,24,1,55,25],[23,45,15,28,46,16],[17,145,115],[10,74,46,23,75,47],[10,54,24,35,55,25],[19,45,15,35,46,16],[17,145,115,1,146,116],[14,74,46,21,75,47],[29,54,24,19,55,25],[11,45,15,46,46,16],[13,145,115,6,146,116],[14,74,46,23,75,47],[44,54,24,7,55,25],[59,46,16,1,47,17],[12,151,121,7,152,122],[12,75,47,26,76,48],[39,54,24,14,55,25],[22,45,15,41,46,16],[6,151,121,14,152,122],[6,75,47,34,76,48],[46,54,24,10,55,25],[2,45,15,64,46,16],[17,152,122,4,153,123],[29,74,46,14,75,47],[49,54,24,10,55,25],[24,45,15,46,46,16],[4,152,122,18,153,123],[13,74,46,32,75,47],[48,54,24,14,55,25],[42,45,15,32,46,16],[20,147,117,4,148,118],[40,75,47,7,76,48],[43,54,24,22,55,25],[10,45,15,67,46,16],[19,148,118,6,149,119],[18,75,47,31,76,48],[34,54,24,34,55,25],[20,45,15,61,46,16]];\nQRRSBlock.getRSBlocks=function(typeNumber,errorCorrectionLevel){var rsBlock=QRRSBlock.getRsBlockTable(typeNumber,errorCorrectionLevel);if(rsBlock==undefined){throw new Error('bad rs block @ typeNumber:'+typeNumber+'/errorCorrectionLevel:'+errorCorrectionLevel);}var length=rsBlock.length/3;var list=[];for(var i=0;i<length;i++){var count=rsBlock[i*3+0];var totalCount=rsBlock[i*3+1];var dataCount=rsBlock[i*3+2];for(var j=0;j<count;j++){list.push(new QRRSBlock(totalCount,dataCount));}}return\
-    \ list;};\nQRRSBlock.getRsBlockTable=function(typeNumber,errorCorrectionLevel){switch(errorCorrectionLevel){case 1:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+0];case 0:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+1];case 3:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+2];case 2:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+3];default:return undefined;}};\nfunction QRBitBuffer(){this.buffer=[];this.length=0;}QRBitBuffer.prototype={get:function(index){var bufIndex=Math.floor(index/8);return((this.buffer[bufIndex]>>>(7-index%8))&1)==1;},put:function(num,length){for(var i=0;i<length;i++){this.putBit(((num>>>(length-i-1))&1)==1);}},getLengthInBits:function(){return this.length;},putBit:function(bit){var bufIndex=Math.floor(this.length/8);if(this.buffer.length<=bufIndex){this.buffer.push(0);}if(bit){this.buffer[bufIndex]|=(0x80>>>(this.length%8));}this.length++;}};\nreturn QRCode;})();\n\n/* ===== WiFi QR Code Rendering ===== */\n/* QR codes with passwords are generated via 1Password app, not stored in this page.\n   The inline QR library above is retained for potential future use (e.g., guest open network QR). */\nfunction initWifiQRCodes() {\n  /* Placeholder — QR codes are now served from 1Password app */\n}\n\nfunction printQRCodes() {\n  /* Switch to WiFi tab, mark it for print, print, then restore */\n  var allTabs = document.querySelectorAll('.tab-content');\n  var wifiTab = document.getElementById('tab-wifi');\n  allTabs.forEach(function(t) { t.classList.remove('print-active'); });\n  if (wifiTab) { wifiTab.classList.add('print-active'); }\n  window.print();\n  if (wifiTab) { wifiTab.classList.remove('print-active'); }\n}\n\n/* ===== Existing Functions ===== */\nfunction toggleTheme(){var h=document.documentElement,c=h.getAttribute('data-theme'),n=c==='dark'?'light':'dark';h.setAttribute('data-theme',n);document.getElementById('themeLabel').textContent=n==='dark'?'Light':'Dark';try{localStorage.setItem('bjTheme',n)}catch(e){}}\n(function(){try{var s=localStorage.getItem('bjTheme');if(s){document.documentElement.setAttribute('data-theme',s);var l=document.getElementById('themeLabel');if(l)l.textContent=s==='dark'?'Light':'Dark'}}catch(e){}})();\nvar ALL_TABS=['overview','isp','pfsense','switching','dns','k8s','noc','vpn','edge','storage','wifi','planned','topology','domains','credentials'];\nfunction switchTab(id,el){document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});document.querySelectorAll('.tab-btn').forEach(function(b){b.classList.remove('active')});var tgt=document.getElementById('tab-'+id);if(tgt)tgt.classList.add('active');if(el)el.classList.add('active');history.replaceState(null,null,'#'+id);window.scrollTo({top:0,behavior:'smooth'});if(id==='wifi'){setTimeout(initWifiQRCodes,50);}}\n(function(){var h=location.hash.replace('#','');if(h){var tgt=document.getElementById('tab-'+h);if(tgt){document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});document.querySelectorAll('.tab-btn').forEach(function(b){b.classList.remove('active')});tgt.classList.add('active');var idx=ALL_TABS.indexOf(h);var btns=document.querySelectorAll('.tab-btn');if(idx>=0&&btns[idx])btns[idx].classList.add('active');if(h==='wifi'){setTimeout(initWifiQRCodes,100);}}}})();\nfunction copyText(t){var btn=event.target;if(navigator.clipboard){navigator.clipboard.writeText(t).then(function(){btn.textContent='copied!';btn.classList.add('copied');setTimeout(function(){btn.textContent='copy';btn.classList.remove('copied')},1500)})}else{var ta=document.createElement('textarea');ta.value=t;ta.style.position='fixed';ta.style.opacity='0';document.body.appendChild(ta);ta.select();try{document.execCommand('copy')}catch(e){}document.body.removeChild(ta);btn.textContent='copied!';btn.classList.add('copied');setTimeout(function(){btn.textContent='copy';btn.classList.remove('copied')},1500)}}\ndocument.addEventListener('keydown',function(e){if(e.altKey){var k=parseInt(e.key);if(k>=1&&k<=9){e.preventDefault();var idx=k-1;if(idx<ALL_TABS.length){var btns=document.querySelectorAll('.tab-btn');btns.forEach(function(b){b.classList.remove('active')});if(btns[idx])btns[idx].classList.add('active');document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});var tgt=document.getElementById('tab-'+ALL_TABS[idx]);if(tgt)tgt.classList.add('active');if(ALL_TABS[idx]==='wifi'){setTimeout(initWifiQRCodes,50);}}}if(e.key==='0'){e.preventDefault();var btns=document.querySelectorAll('.tab-btn');btns.forEach(function(b){b.classList.remove('active')});if(btns[9])btns[9].classList.add('active');document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});var tgt=document.getElementById('tab-'+ALL_TABS[9]);if(tgt)tgt.classList.add('active');if(ALL_TABS[9]==='wifi'){setTimeout(initWifiQRCodes,50);}}}});\n</script>\n</body>\n</html>\n"
+    \ <span class=\"ip\">10.43.0.0/16</span></li>\n      <li><strong>Kubeconfig:</strong> <code>/root/.kube/rke2.yaml</code> on noc1 or WSL</li>\n      <li><strong>SSH:</strong> ed25519 key auth (root)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">RKE2 Nodes (Bare-Metal)</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-server:</strong> <span class=\"ip\">rke2-server.iamworkin.lan</span> (i7-1260P / 64GB, control plane)</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent1:</strong> <span class=\"ip\">rke2-agent1.iamworkin.lan</span> (i7-1260P / 64GB, worker)</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent2:</strong> <span class=\"ip\">rke2-agent2.iamworkin.lan</span> (i5-1340P / 64GB, worker)</li>\n      <li><strong>SSH:</strong> <code>root@10.0.56.{11,12,13}</code> (ed25519 key)</li>\n      <li><strong>Puppet:</strong> profile::kubernetes::rke2 on all nodes</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">RKE2 Infrastructure</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span><strong>MetalLB:</strong> L2 mode, pool <span class=\"ip\">10.0.56.200-220</span></li>\n      <li><span class=\"dot dot-green\"></span><strong>Traefik:</strong> v3.3.4, 2 replicas, LB <span class=\"ip\">traefik.iamworkin.lan</span></li>\n      <li><span class=\"dot dot-green\"></span><strong>Longhorn:</strong> Default StorageClass (iSCSI), NAS backup integration</li>\n      <li><strong>Namespaces (33):</strong> fc-system, fc-tenant-{andrew,matt,dustin,erik,fit}, tenant-{andrew,dustin,erik,fit,flowercore}, traefik-system, metallb-system, argocd, irc, mail, matrix, zabbix, guacamole, gitea, teamspeak, onepassword-system, cert-manager, telephony, monitoring, selenium, agent-zero, intranet, pki, noc-proxy, longhorn-system, kube-system, calico-system, tigera-operator</li>\n      <li><strong>IngressRoutes:</strong> 44 Traefik routes (internal + Cloudflare public)</li>\n      <li><strong>PVCs:</strong> 17 persistent volumes, ~69 Gi total (Longhorn iSCSI, NAS backup)</li>\n      <li><strong>ArgoCD:</strong> 22 apps via bluejay-infra ApplicationSet (all Healthy &mdash; includes agent-zero, asterisk, monitoring, voice, 5 tenant landing pages, guacamole, mail, matrix, IRC, telephony, Gitea, Zabbix, PKI, intranet, noc-services)</li>\n      <li><strong>1Password:</strong> Operator v1.11.0 in onepassword-system, 7 CRDs syncing</li>\n      <li><strong>Cloudflare Origin Certs:</strong> *.flowercore.io + *.iamwork.in (15-year RSA) deployed across 8 namespaces</li>\n    </ul>\n  </div>\n</div>\n<h3>Cluster Resource Usage (2026-03-21)</h3>\n<table>\n<thead><tr><th>Node</th><th>CPU</th><th>Memory</th><th>Pods</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>rke2-server</td><td>866m (5%)</td><td>19,293 Mi (30%)</td><td>~40</td><td>Control plane + worker</td></tr>\n<tr><td>rke2-agent1</td><td>616m (3%)</td><td>20,905 Mi (32%)</td><td>~40</td><td>Worker</td></tr>\n<tr><td>rke2-agent2</td><td>1,430m (8%)</td><td>17,517 Mi (27%)</td><td>~40</td><td>Worker (Selenium + telephony)</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>Capacity:</strong> 192 GB total RAM (64 GB/node), ~30% utilized. Selenium Grid (4 pods) + ArgoCD (7 pods) + Longhorn (29 pods) are the biggest consumers. Prometheus at 10 Gi retention (90 days). All stateful workloads backed up to BlueJayNAS via Longhorn NFS.</div>\n\n<h3>pfSense Static Routes (K8s)</h3>\n<table>\n<thead><tr><th>Destination</th><th>Gateway</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td><span class=\"ip\">10.42.0.0/16</span></td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> (rke2-server)</td><td>Pod CIDR routing</td></tr>\n<tr><td><span class=\"ip\">10.43.0.0/16</span></td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> (rke2-server)</td><td>Service CIDR routing</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: NOC SERVICES ===== -->\n<div id=\"tab-noc\" class=\"tab-content\">\n<h2>NOC Services (noc1)</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>noc1 Host</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">noc1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('noc1.iamworkin.lan')\">copy</button></li>\n      <li><strong>SSH:</strong> <code>root@pfsense.iamworkin.lan0</code> <button class=\"copy-btn\" onclick=\"copyText('ssh root@pfsense.iamworkin.lan0')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=gjb3da3jepm2xzr5mef3afzws4\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 noc1</span></a></li>\n      <li><strong>OS:</strong> openSUSE Leap Micro 6.2 (immutable)</li>\n      <li><strong>CPU:</strong> Intel Celeron N5105 (4C/4T)</li>\n      <li><strong>RAM:</strong> 32 GB</li>\n      <li><strong>Disk:</strong> 1TB NVMe (929GB free)</li>\n      <li><strong>Runtimes:</strong> Podman 5.4.2, K3s v1.34.5</li>\n    </ul>\n  </div>\n</div>\n<h3>Service Directory</h3>\n<table>\n<thead><tr><th>Service</th><th>URL</th><th>Port</th><th>Credentials</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>Cockpit</td><td><a href=\"https://cockpit.iamworkin.lan\" target=\"_blank\">https://cockpit.iamworkin.lan</a></td><td>443 (Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=gjb3da3jepm2xzr5mef3afzws4\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 noc1</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Prometheus</td><td><a href=\"https://prometheus.iamworkin.lan\" target=\"_blank\">https://prometheus.iamworkin.lan</a> <br/><small>Also: <a href=\"https://prometheus.iamworkin.lan\" target=\"_blank\">https://prometheus.iamworkin.lan</a> (noc1 direct)</small></td><td>443 (Traefik)</td><td><em>No auth</em> (90-day retention, 11 targets)</td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Grafana</td><td><a href=\"https://grafana.iamworkin.lan\" target=\"_blank\">https://grafana.iamworkin.lan</a> <br/><small>Also: <a href=\"https://grafana.iamworkin.lan\" target=\"_blank\">https://grafana.iamworkin.lan</a> (noc1 direct)</small></td><td>443 (Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=l2ld4i2m47keuyxrzmj5jm56nu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Grafana</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Node Exporter</td><td>http://noc1.iamworkin.lan:9100</td><td>9100</td><td><em>Metrics only</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>SNMP Exporter</td><td>http://noc1.iamworkin.lan:9116</td><td>9116</td><td><em>pfSense + NAS + Switch + Printer SNMP scraper</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>step-ca ACME</td><td><a href=\"https://acme.iamworkin.lan:9443\" target=\"_blank\">https://acme.iamworkin.lan:9443</a></td><td>9443</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cg6ufz7vditglpqag2dyppi24q\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 step-ca</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>1Password Connect</td><td>http://op-connect.iamworkin.lan:8180</td><td>8180/8181</td><td><em>API token auth</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Puppet Server</td><td>noc1:8140</td><td>8140</td><td><em>OpenVox Server 8.12 (Podman)</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<h3>RKE2 Services (22 ArgoCD Apps &mdash; All Healthy)</h3>\n<table>\n<thead><tr><th>Service</th><th>URL</th><th>MetalLB / Port</th><th>Credentials</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>ArgoCD</td><td><a href=\"https://argocd.iamworkin.lan\" target=\"_blank\">https://argocd.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cmin4ocvddco3vshzozgjbupva\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 ArgoCD</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Traefik</td><td><a href=\"https://traefik.iamworkin.lan:8080/dashboard/\" target=\"_blank\">traefik.iamworkin.lan:8080</a></td><td>MetalLB .200 &mdash; 80/443/8080/6667/6697</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=br3hedkopqujp7nzilxvtdpqnu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Traefik Dashboard</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Gitea</td><td><a href=\"https://gitea.iamworkin.lan\" target=\"_blank\">https://gitea.iamworkin.lan</a></td><td>.201 SSH:22 &mdash; HTTPS via Traefik</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=h5q3v77rtaek4jifdqbjc7vqzi\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Gitea</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Guacamole</td><td><a href=\"https://guac.iamworkin.lan\" target=\"_blank\">https://guac.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=j7p2jalf5pcltawrx3c6o54yga\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Apache Guacamole</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>UnrealIRCd + Anope</td><td>irc.iamworkin.lan:6697 (TLS)</td><td>.200 &mdash; 6667/6697/8067</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=3kxdh2gkmczv5thiestcmlkb3m\"\
+    \ target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 IRC Services</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Zabbix</td><td><a href=\"https://zabbix.iamworkin.lan\" target=\"_blank\">https://zabbix.iamworkin.lan</a></td><td>.203 trapper &mdash; Web via Traefik</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=mtazpqfrqltylsfzb25ejmmqdy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Zabbix Monitoring</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Mail (docker-mailserver)</td><td>mail.iamworkin.lan</td><td>.202 &mdash; SMTP 25/465/587</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=f6bdif4rxzgh6fi6lfirrtriaq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mail Server</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Matrix Synapse</td><td><a href=\"https://matrix.iamworkin.lan\" target=\"_blank\">https://matrix.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=hd75oppaq6dvf6hnmyntnth2ey\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Matrix Synapse</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Element Web</td><td><a href=\"https://element.iamworkin.lan\" target=\"_blank\">https://element.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Uses Matrix account</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>TeamSpeak</td><td>ts.iamworkin.lan</td><td>.205 &mdash; 9987/UDP, 30033, 10011</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=736u546ufij75d36socv5lhop4\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 TeamSpeak</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>FlowerCore Landing</td><td>flowercore.io</td><td>443 (via Traefik, Cloudflare)</td><td><em>Static page</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PKI Web</td><td><a href=\"https://pki.iamworkin.lan\" target=\"_blank\">https://pki.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Public (CRL/certs)</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Intranet</td><td><a href=\"https://intranet.iamworkin.lan\" target=\"_blank\">https://intranet.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Static page</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Snappymail</td><td><a href=\"https://mail-web.iamworkin.lan\" target=\"_blank\">https://mail-web.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=k5otwlgch366ozyc4yvrwohjya\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Snappymail</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Telephony</td><td><a href=\"https://telephony.iamworkin.lan\" target=\"_blank\">https://telephony.iamworkin.lan</a></td><td>5100 (via Traefik + Cloudflare)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=uo5kuszy6pjijrxrkuugpdnsrq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Telephony</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Asterisk PBX</td><td>asterisk.iamworkin.lan:5060</td><td>.207 &mdash; SIP 5060/UDP, RTP 10000-20000</td><td><em>4 PJSIP ext, Twilio trunk</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Agent Zero</td><td><a href=\"https://agent-zero.iamworkin.lan\" target=\"_blank\">https://agent-zero.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=uo5kuszy6pjijrxrkuugpdnsrq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Agent Zero</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>1Password Operator</td><td><em>In-cluster only</em></td><td>onepassword-system</td><td><em>Connect token</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Selenium Grid</td><td><a href=\"https://selenium.iamworkin.lan\" target=\"_blank\">https://selenium.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Hub + 2 Chrome + 1 Firefox</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>FlowerCore.Print.Web</td><td><a href=\"http://print.iamworkin.lan:5200\" target=\"_blank\">http://print.iamworkin.lan:5200</a></td><td>5200 (edge2 direct)</td><td><em>12 pages, 9 symbologies, 10 MCP</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PiManager (piez)</td><td><a href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\">http://piez.iamworkin.lan:5000</a></td><td>5000 (piez direct)</td><td><em>GPIO, I2C, SPI, 20 MCP</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PiManager (pirelay)</td><td><a href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\">http://pirelay.iamworkin.lan:5100</a></td><td>5100 (pirelay direct)</td><td><em>4-ch relay, scheduling</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Frigate NVR</td><td><a href=\"http://edge1.iamworkin.lan:5000\" target=\"_blank\">http://edge1.iamworkin.lan:5000</a></td><td>5000 (edge1 direct)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Frigate</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<h3>Monitoring</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Prometheus (noc1)</div>\n    <ul>\n      <li><strong>Targets:</strong> 15 scrape jobs (node-exporter: noc1 + 3 RKE2 + 2 edge + piez + pirelay, SNMP: pfSense + Cloud Key + Switch + NAS + Printer, Blackbox: 4 AI stack probes, self)</li>\n      <li><strong>Alert Rules:</strong> 8 (NodeDown, PfSenseDown, HighCPU, HighMemory, DiskSpaceLow, +3)</li>\n      <li><strong>Config:</strong> <code>/opt/monitoring/prometheus/prometheus.yml</code></li>\n      <li><strong>Reload:</strong> <code>podman kill -s SIGHUP prometheus</code></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Grafana (noc1:3000)</div>\n    <ul>\n      <li><strong>Version:</strong> v12.4.0</li>\n      <li><strong>Dashboards:</strong> BlueJay Network Overview, Node Exporter Full (#1860), BlueJay Edge Nodes, BlueJay Operations (Prometheus+Zabbix unified) &mdash; all in BlueJay folder</li>\n      <li><strong>Datasources:</strong> Prometheus (http://localhost:9090), Zabbix (alexanderzobnin-zabbix-datasource v6.2.1)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Zabbix (RKE2) &mdash; 13 Hosts</div>\n    <ul>\n      <li><strong>Agent Hosts (8):</strong> noc1, rke2-server, rke2-agent1, rke2-agent2, edge1, edge2, piez, pirelay</li>\n      <li><strong>SNMP Hosts (3):</strong> pfSense, UniFi Switch, BlueJayNAS (DS1621+)</li>\n      <li><strong>SNMP Host (1):</strong> Epson ET-3750 EcoTank</li>\n      <li><strong>Local (1):</strong> Zabbix server self-check</li>\n      <li><strong>Agent Version:</strong> Zabbix Agent 2 v7.0.22&ndash;7.2.15 on all 8 Linux nodes</li>\n      <li><strong>Passive checks:</strong> Server= includes MetalLB VIP + RKE2 node IPs + pod CIDR</li>\n      <li><strong>Note:</strong> Mac Mini (macOS) pending Zabbix agent setup</li>\n    </ul>\n  </div>\n</div>\n<h3>Pi Fleet Services (FlowerCore.PiManager)</h3>\n<table>\n<thead><tr><th>Device</th><th>URL</th><th>Port</th><th>Capabilities</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>piez (Pi 4)</td><td><a href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\">http://piez.iamworkin.lan:5000</a></td><td>5000</td><td>GPIO, I2C, SPI, Expanders (MCP23017/PCF8574/74HC595) &mdash; 10 pages, 35 API, 20 MCP</td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>pirelay (Pi 3)</td><td><a href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\">http://pirelay.iamworkin.lan:5100</a></td><td>5100</td><td>4-ch relay (KS0212, active-LOW), scheduling, usage tracking &mdash; 8 pages, relay API</td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>PiManager:</strong> Unified .NET 10 service deployed to both Pi nodes with different <code>ASPNETCORE_ENVIRONMENT</code> overlays. Config-driven capabilities &mdash; same binary, different features per device. Supports relay presets: ks0212-4ch, walfront-16ch, sainsmart-8ch. API docs at <code>/scalar/v1</code> on each node.</div>\n\n<h3>Guacamole Connection Groups (14 connections)</h3>\n<table>\n<thead><tr><th>Group</th><th>Connections</th><th>Protocol</th></tr></thead>\n<tbody>\n<tr><td><strong>Kubernetes</strong> (3)</td><td>rke2-server, rke2-agent1, rke2-agent2</td><td>SSH</td></tr>\n<tr><td><strong>Network Devices</strong> (4)</td><td>pfSense, UniFi Cloud Key, Synology WiFi (SRM), BlueJayNAS</td><td>SSH</td></tr>\n<tr><td><strong>Servers</strong> (3)</td><td>noc1, Mac Mini (SSH), Mac Mini (VNC)</td><td>SSH/VNC</td></tr>\n<tr><td><strong>Edge Nodes</strong> (4)</td><td>edge1 (Pi 5 + AI), edge2 (Pi 4), piez (Pi 4 + EZ Connect), pirelay (Pi 3 + Relay)</td><td>SSH</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>Guacamole credentials:</strong> All connection passwords are stored in the Guacamole MySQL database (synced from 1Password). Access at <a href=\"https://guac.iamworkin.lan\" target=\"\
+    _blank\">https://guac.iamworkin.lan</a> &mdash; <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=j7p2jalf5pcltawrx3c6o54yga\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Apache Guacamole</span></a></div>\n</div>\n\n<!-- ===== TAB: VPN & SECURITY ===== -->\n<div id=\"tab-vpn\" class=\"tab-content\">\n<h2>VPN &amp; Security</h2>\n<div class=\"note\"><strong>OpenVPN Status:</strong> 8 servers configured and operational. Bound to tenant VIPs (.17, .19, .21, .23, .25). Each tenant has TUN (L3 routed) and TAP (L2 bridged) instances on ports 1194/1195 UDP.</div>\n<h3>OpenVPN Configuration</h3>\n<table>\n<thead><tr><th>Tenant</th><th>VIP</th><th>TUN Port</th><th>TAP Port</th><th>Tunnel (TUN)</th><th>Tunnel (TAP)</th><th>VLAN</th></tr></thead>\n<tbody>\n<tr><td><span class=\"b b-tenant\">ANDREW</span></td><td><span class=\"ip\">.17</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.0/27</span></td><td><span class=\"ip\">10.0.68.128/27</span></td><td>60</td></tr>\n<tr><td><span class=\"b b-tenant\">MATT</span></td><td><span class=\"ip\">.19</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.32/27</span></td><td><span class=\"ip\">10.0.68.160/27</span></td><td>61</td></tr>\n<tr><td><span class=\"b b-tenant\">DUSTIN</span></td><td><span class=\"ip\">.21</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.64/27</span></td><td><span class=\"ip\">10.0.68.192/27</span></td><td>62</td></tr>\n<tr><td><span class=\"b b-tenant\">ERIK</span></td><td><span class=\"ip\">.23</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.96/27</span></td><td><span class=\"ip\">10.0.68.224/27</span></td><td>63</td></tr>\n<tr><td><span class=\"b b-tenant\">FIT</span></td><td><span class=\"ip\">.25</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.69.0/27</span></td><td><span class=\"ip\">10.0.69.128/27</span></td><td>69</td></tr>\n</tbody>\n</table>\n<h3>VPN Certificate Infrastructure</h3>\n<table>\n<thead><tr><th>Component</th><th>Details</th></tr></thead>\n<tbody>\n<tr><td>CA</td><td>BlueJay VPN CA (4096-bit RSA, SHA-256, 10-year)</td></tr>\n<tr><td>Server Certs</td><td>8 (one per VPN instance, 2048-bit RSA)</td></tr>\n<tr><td>Client Certs</td><td>4 (one per tenant, 2048-bit RSA)</td></tr>\n<tr><td>TLS Auth</td><td>Shared HMAC key across all servers</td></tr>\n<tr><td>Data Ciphers</td><td>AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305</td></tr>\n</tbody>\n</table>\n<h3>IPsec Site-to-Site (Planned)</h3>\n<table>\n<thead><tr><th>Tunnel</th><th>Local</th><th>Remote</th><th>Phase 1</th><th>Phase 2 SAs</th></tr></thead>\n<tbody>\n<tr><td>Matt</td><td>.29 (pfSense WAN)</td><td>Matt's public IP</td><td>IKEv2, AES-256-GCM, DH 14+</td><td>MATT (10.0.61.0/24) + PROD (10.0.57.0/24)</td></tr>\n<tr><td>Dustin</td><td>.29 (pfSense WAN)</td><td>Dustin's public IP</td><td>IKEv2, AES-256-GCM, DH 14+</td><td>DUSTIN (10.0.62.0/24) + PROD (10.0.57.0/24)</td></tr>\n</tbody>\n</table>\n<h3>Security Policies</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Cloudflare Protection</div>\n    <ul>\n      <li><strong>SSL Mode:</strong> Full (strict) on all 6 zones</li>\n      <li><strong>Origin Certs:</strong> *.flowercore.io + *.iamwork.in (15-year RSA), deployed across 8 K8s namespaces</li>\n      <li><strong>HSTS:</strong> Enabled on all zones</li>\n      <li><strong>Min TLS:</strong> 1.2</li>\n      <li><strong>Anti-spoofing:</strong> null MX, SPF -all, DMARC reject on non-email domains</li>\n      <li><strong>Cloudflare-only inbound:</strong> Port forwards for 80/443 restrict source to Cloudflare IP ranges</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">SSH Key Policy</div>\n    <ul>\n      <li><strong>Key Type:</strong> ed25519 (deployed to all 9 physical nodes)</li>\n      <li><strong>WSL Key:</strong> <code>stoltz@IAMWORKIN-WS</code> &mdash; deployed to noc1, rke2-server, rke2-agent1, rke2-agent2, edge1, edge2, piez, pirelay, Mac Mini</li>\n      <li><strong>noc1 Key:</strong> <code>noc1-root</code> + <code>rke2@bluejay</code> &mdash; management keys for remote nodes</li>\n      <li><strong>Root Login:</strong> Key-only (PermitRootLogin without-password)</li>\n      <li><strong>RKE2 Nodes:</strong> SELinux enforcing, <code>chcon -t ssh_home_t</code> on authorized_keys</li>\n      <li><strong>Last verified:</strong> 2026-03-21 (all 9 nodes confirmed)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Network Security Rules</div>\n    <ul>\n      <li><strong>Forced DNS:</strong> HOME/WORK/SCHOOL/GUEST block port 53 except to gateway</li>\n      <li><strong>Blocked SMTP:</strong> Outbound 25/465/587 on HOME/WORK/SCHOOL/GUEST</li>\n      <li><strong>Firewall Policy:</strong> Deny-all default, explicit allow per VLAN</li>\n      <li><strong>Tenant Isolation:</strong> Tenants fully isolated from each other, only PROD + DNS + NAS + internet</li>\n    </ul>\n  </div>\n</div>\n<h3>PKI Hierarchy</h3>\n<table>\n<thead><tr><th>CA</th><th>Status</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td>Root CA (IAmWorkin ACME CA)</td><td><span class=\"b b-online\">Operational</span></td><td>Trust anchor, ECDSA P-256, expires 2036</td></tr>\n<tr><td>ACME CA (step-ca on noc1)</td><td><span class=\"b b-online\">Operational</span></td><td>Automated cert issuance via ACME protocol</td></tr>\n<tr><td>Network CA</td><td><span class=\"b b-planned\">Planned</span></td><td>Switch, AP, pfSense device certs</td></tr>\n<tr><td>Windows AD CS CA</td><td><span class=\"b b-planned\">Planned</span></td><td>Domain-joined machine/user certs</td></tr>\n<tr><td>Internal Services CA</td><td><span class=\"b b-planned\">Planned</span></td><td>K8s service mesh, inter-service mTLS</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: REMOTE ACCESS ===== -->\n<div id=\"tab-remote\" class=\"tab-content\">\n<h2>Remote Access &mdash; Blue Jay Gateway</h2>\n<div class=\"note\">Apache Guacamole with Blue Jay branding, 1Password vault integration, K8s exec, and embedded panels. All credentials resolved from 1Password at connection time &mdash; no passwords stored in Guacamole.</div>\n\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Guacamole Web UI</div>\n    <ul>\n      <li><strong>URL:</strong> <a href=\"https://guac.iamworkin.lan/\" target=\"_blank\">guac.iamworkin.lan</a> <button class=\"copy-btn\" onclick=\"copyText('https://guac.iamworkin.lan/')\">copy</button></li>\n      <li><strong>Version:</strong> 1.6.0 + Blue Jay branding</li>\n      <li><strong>Admin:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">Guacamole</span></a></li>\n      <li><strong>K8s:</strong> <code>guacamole</code> namespace</li>\n      <li><strong>Ingress:</strong> Traefik &rarr; guacamole:8080 (WebSocket)</li>\n      <li><strong>ArgoCD:</strong> <code>infra-guacamole</code></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Extensions</div>\n    <ul>\n      <li><strong>Blue Jay Branding</strong> &mdash; Full dark theme, custom login, logo</li>\n      <li><strong>1Password Vault</strong> &mdash; <code>${VAULT_PASSWORD}</code> token resolution</li>\n      <li><strong>TOTP MFA</strong> &mdash; Required for all users</li>\n      <li><strong>Auth Ban</strong> &mdash; 5 failures = 5min IP ban</li>\n      <li><strong>JSON Auth</strong> &mdash; Signed tokens for embedded panels</li>\n      <li><strong>Time Restrict</strong> &mdash; Per-connection time windows</li>\n      <li><strong>Recording Storage</strong> &mdash; NFS (Synology) playback</li>\n      <li><strong>Display Statistics</strong> &mdash; Performance metrics</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password Integration</div>\n    <ul>\n      <li><strong>Connect URL:</strong> <code>onepassword-connect:8080</code> (K8s internal)</li>\n      <li><strong>Vault:</strong> IAmWorkin (<code>qaphopopkryhbg353ukzhhuqoq</code>)</li>\n      <li><strong>Token:</strong> Via <code>OnePasswordItem</code> CRD</li>\n      <li><strong>Rotation:</strong> Automatic &mdash; change in 1Password, Guacamole picks up on next connect</li>\n      <li><strong>Cache TTL:</strong> 5 minutes</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Session Recording</div>\n    <ul>\n      <li><strong>Storage:</strong> NFS on Synology (<code>/volume1/guacamole/recordings</code>)</li>\n      <li><strong>PVC:</strong> <code>guacamole-recordings-pvc</code> (50 Gi)</li>\n      <li><strong>Format:</strong> Guacamole native (playable in browser)</li>\n      <li><strong>Retention:</strong> Linked to connection history</li>\n    </ul>\n  </div>\n</div>\n\n<h3 style=\"margin-top:1.5rem;\">Connection Inventory (${VAULT_*} tokens &mdash; no hardcoded passwords)</h3>\n<table>\n<thead><tr><th>Connection</th><th>Protocol</th><th>Host</th><th>VLAN</th><th>1Password Item</th></tr></thead>\n<tbody>\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--gold);\">MGMT (VLAN 56) &mdash; Infrastructure</td></tr>\n<tr><td>pfSense &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">pfsense.iamworkin.lan</span></td><td>56</td><td>pfSense Admin</td></tr>\n<tr><td>Cloud Key &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">unifi.iamworkin.lan</span></td><td>56</td><td>UniFi CloudKey</td></tr>\n<tr><td>UniFi Switch &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"\
+    ip\">switch.iamworkin.lan</span></td><td>56</td><td>UniFi CloudKey</td></tr>\n<tr><td>noc1 &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>56</td><td>noc1 Root SSH</td></tr>\n<tr><td>rke2-server &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">rke2-server.iamworkin.lan</span></td><td>56</td><td>RKE2 Server</td></tr>\n<tr><td>rke2-agent1 &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">rke2-agent1.iamworkin.lan</span></td><td>56</td><td>RKE2 Agent 1</td></tr>\n<tr><td>rke2-agent2 &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">rke2-agent2.iamworkin.lan</span></td><td>56</td><td>RKE2 Agent 2</td></tr>\n\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--accent);\">PROD (VLAN 57) &mdash; Production</td></tr>\n<tr><td>edge1 (Pi 5) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">edge1.iamworkin.lan</span></td><td>57</td><td>Edge1 Pi5 SSH</td></tr>\n<tr><td>edge2 (Pi 4) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">edge2.iamworkin.lan</span></td><td>57</td><td>Edge2 Pi4 SSH</td></tr>\n<tr><td>Mac Mini &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">macmini.iamworkin.lan</span></td><td>57</td><td>Mac Mini</td></tr>\n<tr><td>Mac Mini &mdash; VNC</td><td><span class=\"b b-warn\" style=\"font-size:0.75em;\">VNC</span></td><td><span class=\"ip\">macmini.iamworkin.lan</span></td><td>57</td><td>Mac Mini</td></tr>\n\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--green);\">HOME (VLAN 58) &mdash; Home Network</td></tr>\n<tr><td>Synology NAS &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">nas.iamworkin.lan</span></td><td>58</td><td>Synology NAS</td></tr>\n<tr><td>Synology WiFi &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">wifi.iamworkin.lan</span></td><td>58</td><td>Synology SRM</td></tr>\n<tr><td>piez (Pi 4) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">piez.iamworkin.lan</span></td><td>58</td><td>PiEZ SSH</td></tr>\n<tr><td>pirelay (Pi 3) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">pirelay.iamworkin.lan</span></td><td>58</td><td>PiRelay SSH</td></tr>\n\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--cyan);\">Kubernetes &mdash; Pod Exec (auto-synced every 2min)</td></tr>\n<tr><td>argocd-server</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>gitea-0</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>asterisk</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>zabbix-server</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>synapse</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>unrealircd</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n</tbody>\n</table>\n\n<h3 style=\"margin-top:1.5rem;\">Embedded Panel (Quick SSH)</h3>\n<div class=\"note\">The embedded panel below uses <code>guacamole-common-js</code> to connect directly to Guacamole's tunnel servlet. Requires authentication to <a href=\"https://guac.iamworkin.lan/\" target=\"_blank\">guac.iamworkin.lan</a> first.</div>\n<div class=\"card\" style=\"padding:0;overflow:hidden;\">\n  <div class=\"guac-embed\" id=\"panel-noc1\" data-connection=\"noc1 &mdash; SSH\" data-width=\"100%\" data-height=\"400\" style=\"width:100%;\">\n    <div style=\"display:flex;align-items:center;gap:8px;padding:8px 12px;background:var(--surface2);border-bottom:1px solid var(--border);\">\n      <span style=\"width:8px;height:8px;border-radius:50%;background:var(--text-muted);\" id=\"guac-status-dot\"></span>\n      <span style=\"color:var(--text-heading);font-weight:600;flex:1;\">noc1 &mdash; SSH Terminal</span>\n      <a href=\"https://guac.iamworkin.lan/#/client/bm9jMS1zc2g\" target=\"_blank\" style=\"color:var(--accent);text-decoration:none;font-size:0.85em;\">Open in Guacamole &rarr;</a>\n    </div>\n    <div style=\"height:400px;background:#000;display:flex;align-items:center;justify-content:center;color:var(--text-muted);font-family:var(--font-mono, monospace);\">\n      <p>Connect via <a href=\"https://guac.iamworkin.lan/\" target=\"_blank\" style=\"color:var(--accent);\">Blue Jay Remote Access</a> to use the embedded terminal.<br>\n      <span style=\"font-size:0.85em;opacity:0.7;\">Requires <code>bluejay-guac-embed.js</code> and <code>guacamole-common-js</code></span></p>\n    </div>\n  </div>\n</div>\n\n<h3 style=\"margin-top:1.5rem;\">Deployment Details</h3>\n<table>\n<thead><tr><th>Component</th><th>Image</th><th>Replicas</th><th>Resources</th></tr></thead>\n<tbody>\n<tr><td>guacamole (Tomcat)</td><td><code>fc-guacamole:1.6.0-bluejay</code></td><td>1</td><td>200m-1 CPU, 512Mi-1Gi</td></tr>\n<tr><td>guacd (C proxy)</td><td><code>guacamole/guacd:1.6.0</code></td><td>1</td><td>200m-2 CPU, 256Mi-1Gi</td></tr>\n<tr><td>MySQL 8</td><td><code>mysql:8.0</code></td><td>1 (StatefulSet)</td><td>100m-500m CPU, 256-512Mi</td></tr>\n<tr><td>K8s Sync CronJob</td><td><code>bitnami/kubectl:1.34</code></td><td>every 2min</td><td>minimal</td></tr>\n</tbody>\n</table>\n\n<h3 style=\"margin-top:1.5rem;\">Files Reference</h3>\n<table>\n<thead><tr><th>Artifact</th><th>Path</th></tr></thead>\n<tbody>\n<tr><td>Design plan</td><td><code>docs/infrastructure/guacamole-customization-plan.md</code></td></tr>\n<tr><td>K8s manifests</td><td><code>k8s/guacamole/*.yaml</code></td></tr>\n<tr><td>Branding extension</td><td><code>k8s/guacamole/extensions/bluejay-branding/</code></td></tr>\n<tr><td>1Password vault extension</td><td><code>k8s/guacamole/extensions/1password-vault/</code></td></tr>\n<tr><td>Embed library</td><td><code>k8s/guacamole/scripts/bluejay-guac-embed.js</code></td></tr>\n<tr><td>Dockerfile</td><td><code>k8s/guacamole/Dockerfile</code></td></tr>\n<tr><td>Bootstrap script</td><td><code>k8s/guacamole/scripts/bootstrap-connections.sh</code></td></tr>\n<tr><td>Build/deploy script</td><td><code>k8s/guacamole/scripts/build-image.sh</code></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: EDGE NODES ===== -->\n<div id=\"tab-edge\" class=\"tab-content\">\n<h2>Edge Nodes</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>edge1 &mdash; Raspberry Pi 5 + Hailo AI</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">edge1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge1.iamworkin.lan')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>stoltz@edge1.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@edge1.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge1 Pi5 SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 5 16GB + Hailo-10H 40 TOPS (AI HAT+ 2)</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>PCIe:</strong> Gen 3 x1 (8.0 GT/s)</li>\n      <li><strong>Power:</strong> 27W USB-C</li>\n      <li><strong>.NET SDK:</strong> 10.0.103</li>\n      <li><strong>GitHub Runner:</strong> v2.332.0 (labels: pi5, hailo)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Puppet:</strong> profile::edge_ai</li>\n      <li><strong>Zabbix Agent:</strong> v7.2.15 (passive, port 10050)</li>\n      <li><strong>Switch Port:</strong> 13</li>\n      <li><strong>Disk:</strong> 93% (2.0GB free)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>edge2 &mdash; Raspberry Pi 4 (Argon ONE)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">edge2.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge2.iamworkin.lan')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>stoltz@edge2.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@edge2.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=kyeqfwy76msqb4cfdjueaq5uta\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge2 Pi4 SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 4 Model B 4GB, Argon ONE case</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Fan Control:</strong> argononed.service (55&deg;C=10%, 60&deg;C=55%, 65&deg;C=100%)</li>\n      <li><strong>.NET SDK:</strong> 10.0.103</li>\n      <li><strong>Print Service:</strong> <span class=\"b b-online\"\
+    >LIVE</span> <a href=\"http://print.iamworkin.lan:5200\" target=\"_blank\">FlowerCore.Print.Web :5200</a> (12 pages, 9 symbologies, AI barcode)</li>\n      <li><strong>GitHub Runners:</strong> v2.332.0 &mdash; MySQL (edge2-mysql), PHP (edge2-php)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Puppet:</strong> profile::edge_runner</li>\n      <li><strong>Zabbix Agent:</strong> v7.2.15 (passive, port 10050)</li>\n      <li><strong>Switch Port:</strong> 11</li>\n      <li><strong>Guacamole:</strong> SSH connection in Edge Nodes group</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>piez &mdash; Raspberry Pi 4 + EZ Connect</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">piez.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('piez.iamworkin.lan')\">copy</button> (HOME VLAN 58, WiFi)</li>\n      <li><strong>SSH:</strong> <code>stoltz@piez.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@piez.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 piez SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 4 Model B 4GB + Pi EZ Connect board</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Role:</strong> GPIO prototyping, breadboard dev, I2C/SPI sensors</li>\n      <li><strong>.NET SDK:</strong> 10.0.201</li>\n      <li><strong>Web:</strong> <span class=\"b b-online\">LIVE</span> <a href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\">FlowerCore.PiManager :5000</a> (10 pages, 35 API endpoints, 20 MCP tools)</li>\n      <li><strong>API Docs:</strong> <a href=\"http://piez.iamworkin.lan:5000/scalar/v1\" target=\"_blank\">Scalar :5000/scalar/v1</a></li>\n      <li><strong>Capabilities:</strong> GPIO, I2C, SPI, Expanders (MCP23017/PCF8574/74HC595)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Zabbix Agent:</strong> v7.0.22 (passive, port 10050)</li>\n      <li><strong>Guacamole:</strong> SSH connection in Edge Nodes group</li>\n      <li><strong>Dashboard:</strong> <a href=\"piez-prototyping.html\">piez-prototyping.html</a></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>pirelay &mdash; Raspberry Pi 3 + 4-Ch Relay</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">pirelay.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('pirelay.iamworkin.lan')\">copy</button> (HOME VLAN 58)</li>\n      <li><strong>SSH:</strong> <code>stoltz@pirelay.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@pirelay.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 pirelay SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 3 Model B v1.2, 906 MB RAM + Keyestudio KS0212 4-channel relay shield</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Role:</strong> Relay controller, home automation prototyping</li>\n      <li><strong>Web:</strong> <span class=\"b b-online\">LIVE</span> <a href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\">FlowerCore.PiManager :5100</a> (relay preset: ks0212-4ch)</li>\n      <li><strong>API Docs:</strong> <a href=\"http://pirelay.iamworkin.lan:5100/scalar/v1\" target=\"_blank\">Scalar :5100/scalar/v1</a></li>\n      <li><strong>GPIO (BCM, active-LOW):</strong> CH1=GPIO4, CH2=GPIO22, CH3=GPIO6, CH4=GPIO26</li>\n      <li><strong>Relay Ratings:</strong> 10A @ 250VAC / 30VDC per channel</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Zabbix Agent:</strong> v7.0.22 (passive, port 10050)</li>\n      <li><strong>Guacamole:</strong> SSH connection in Edge Nodes group</li>\n      <li><strong>Dashboard:</strong> <a href=\"relay-controller.html\">relay-controller.html</a></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Mac Mini (Build/Test Node)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">macmini.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('macmini.iamworkin.lan')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>bluejay@macmini.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh bluejay@macmini.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=npkseg2zvbmxmtg7qrseredvym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mac Mini</span></a></li>\n      <li><strong>VNC:</strong> <code>vnc://macmini.iamworkin.lan:5900</code> &mdash; <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=npkseg2zvbmxmtg7qrseredvym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mac Mini</span></a></li>\n      <li><strong>Hardware:</strong> Apple M1, 16GB RAM, 926GB SSD</li>\n      <li><strong>OS:</strong> macOS 26.3.1 (Darwin 25.3.0)</li>\n      <li><strong>Role:</strong> Xcode builds, Selenium Grid node, automated browser/app testing</li>\n      <li><strong>Guacamole:</strong> SSH + VNC connections in Servers group</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Edge2 &mdash; Print Service</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>FlowerCore.Print.Web</div>\n    <ul>\n      <li><strong>URL:</strong> <a href=\"http://print.iamworkin.lan:5200\" target=\"_blank\">http://print.iamworkin.lan:5200</a></li>\n      <li><strong>Pages:</strong> 12 Blazor pages (barcode gen, batch print, product cache, AI labels)</li>\n      <li><strong>Symbologies:</strong> 9 (Code128, EAN-13, QR, DataMatrix, ITF-14, UPC-A/E, Code39, Codabar)</li>\n      <li><strong>Features:</strong> Product cache DB, AI label generation (Ollama on Pi), batch barcodes, combo labels</li>\n      <li><strong>MCP Tools:</strong> 10 tools for programmatic barcode/label generation</li>\n      <li><strong>Thermal Printer:</strong> Connected Epson ET-3750 (<span class=\"ip\">printer.iamworkin.lan</span>)</li>\n      <li><strong>systemd:</strong> <code>flowercore-print.service</code> (auto-start)</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Edge1 AI &amp; Speech Services</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Ollama (LLM Inference)</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://edge1.iamworkin.lan:11434</span> <button class=\"copy-btn\" onclick=\"copyText('http://edge1.iamworkin.lan:11434')\">copy</button></li>\n      <li><strong>Model:</strong> qwen2.5-coder:7b (4.7GB Q4_K_M)</li>\n      <li><strong>Managed by:</strong> profile::edge::ollama (Puppet)</li>\n      <li><strong>Firewall:</strong> nftables port 11434 from MGMT+PROD</li>\n      <li><strong>Note:</strong> SD card 95% full &mdash; one model max</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Piper TTS (Text-to-Speech)</div>\n    <ul>\n      <li><strong>Version:</strong> piper-tts 1.4.1 in ~/piper-env venv</li>\n      <li><strong>Voices:</strong> en_US-amy-low (16kHz) + en_US-amy-medium (22kHz)</li>\n      <li><strong>Performance:</strong> RTF 0.10 (10x real-time), 222ms latency (short)</li>\n      <li><strong>CPU Usage:</strong> 3/4 cores (271%)</li>\n      <li><strong>Note:</strong> 16kHz matches G.711 natively for telephony</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Hailo Whisper STT (Speech-to-Text)</div>\n    <ul>\n      <li><strong>Model:</strong> Whisper-Base HEF (131MB, v5.1.1)</li>\n      <li><strong>Path:</strong> /opt/hailo-models/Whisper-Base.hef</li>\n      <li><strong>Performance:</strong> RTF 0.05-0.11 (10-18x real-time)</li>\n      <li><strong>Model Load:</strong> 1.2s cold start</li>\n      <li><strong>Multi-process:</strong> VDevice for coexistence with Frigate</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Speech Pipeline Service</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://edge1.iamworkin.lan:8500</span> <button class=\"copy-btn\" onclick=\"copyText('http://edge1.iamworkin.lan:8500')\">copy</button></li>\n      <li><strong>Endpoints:</strong> POST /tts, POST /stt, GET /health</li>\n      <li><strong>User:</strong> <code>speech</code> in <code>hailo</code> group</li>\n      <li><strong>Managed by:</strong> profile::edge::speech_pipeline (Puppet)</li>\n      <li><strong>Firewall:</strong> nftables port 8500 from MGMT+PROD</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-yellow\"></span>Twilio Voice Bridge (PoC)</div>\n    <ul>\n      <li><strong>Location:</strong> /opt/twilio-bridge/ on edge1</li>\n      <li><strong>WebSocket:</strong> :8765 &bull; <strong>TwiML:</strong> :8766</li>\n      <li><strong>Cloudflare Tunnel:</strong> bluejay-voice (3ddfa567-b0a7-40cb-9c57-7f20f3ec3637)</li>\n      <li><strong>URLs:</strong> voice.bluejay.dev (TwiML), voice-ws.bluejay.dev (WS)</li>\n      <li><strong>Services:</strong> cloudflared-tunnel on noc1, twilio-bridge + twilio-twiml on edge1</li>\n      <li><strong>Status:</strong> <span class=\"b b-planned\">PoC</span>\
+    \ &mdash; STT fixed, TTS stream API mismatch</li>\n    </ul>\n  </div>\n</div>\n</div>\n\n<!-- ===== TAB: STORAGE ===== -->\n<div id=\"tab-storage\" class=\"tab-content\">\n<h2>Storage</h2>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>BlueJayNAS &mdash; Synology DS1621+</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">nas.iamworkin.lan</span> (HOME VLAN 58, switch port 14)</li>\n      <li><strong>DNS:</strong> <code>nas.iamworkin.lan</code>, <code>synology.iamworkin.lan</code></li>\n      <li><strong>DSM:</strong> <a href=\"https://nas.iamworkin.lan:5001\" target=\"_blank\">https://nas.iamworkin.lan:5001</a> (v7.3.2-86009 Update 1)</li>\n      <li><strong>SSH:</strong> <code>bluejay@nas.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh bluejay@nas.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cbxfibct4j6jfm6ccsogpayjuy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJayNAS</span></a></li>\n      <li><strong>Model:</strong> DS1621+ (6-bay, AMD Ryzen V1500B)</li>\n      <li><strong>Storage:</strong> 9.1 TB Btrfs (RAID), ~7.8 TB free</li>\n      <li><strong>MAC:</strong> 00:11:32:f2:43:6b</li>\n      <li><strong>TLS Cert:</strong> ca.iamworkin.lan (step-ca ACME, expires 2026-06-03)</li>\n      <li><strong>NFS Domain:</strong> private.iamwork.in</li>\n      <li><strong>2FA:</strong> TOTP enabled on DSM</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--green);\">\n    <div class=\"card-title\">NFS Exports &amp; Services</div>\n    <ul>\n      <li><strong>Longhorn Backup:</strong> <code>nfs://nas.iamworkin.lan:/volume1/NetBackup/longhorn-backups</code></li>\n      <li><strong>Kubernetes Shared:</strong> <code>/volume1/kubernetes</code> (NFS mount for PVCs)</li>\n      <li><strong>Selenium Screenshots:</strong> <code>/volume1/selenium/screenshots</code> (AAT visual tests via PVC)</li>\n      <li><strong>Selenium Videos:</strong> <code>/volume1/selenium/videos</code> (test recordings)</li>\n      <li><strong>NFS Permissions:</strong> RKE2 nodes rke2-server/agent1/agent2 (MGMT VLAN cross-VLAN rule)</li>\n      <li><strong>Ports:</strong> NFS (2049), iSCSI (3260, no targets yet), DSM API (5001), SSH (22), SNMP (161)</li>\n      <li><strong>pfSense Rule:</strong> RKE2 &rarr; NAS on 2049/3260/5001</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--gold);\">\n    <div class=\"card-title\">Monitoring &amp; Security</div>\n    <ul>\n      <li><strong>SNMP:</strong> v2c community <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=7qias4wucncvleievorxda5pym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 SNMP</span></a></li>\n      <li><strong>Zabbix Host:</strong> BlueJayNAS (ID 10678) &mdash; Linux by SNMP template</li>\n      <li><strong>Prometheus:</strong> SNMP scrape via snmp-exporter (synology module)</li>\n      <li><strong>Auto Block:</strong> Enabled (brute-force protection)</li>\n      <li><strong>DSM Firewall:</strong> <span class=\"b b-offline\">DO NOT ENABLE</span> &mdash; synofirewall segfaults on 7.3.2, causes lockout</li>\n      <li><strong>admin account:</strong> <span class=\"b b-online\">ENABLED</span> &mdash; never disable (breaks all admin-group privileges)</li>\n      <li><strong>SSH:</strong> Keep <code>PasswordAuthentication yes</code> (disabling breaks sudo/PAM)</li>\n      <li><strong>Guacamole:</strong> SSH connection in Network Devices group</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--red);\">\n    <div class=\"card-title\">Recovery Notes</div>\n    <ul>\n      <li><strong>admin disabled recovery:</strong> Physical RESET button (4s hold, 1 beep) + power cycle</li>\n      <li><strong>Firewall lockout:</strong> Physical RESET (same procedure)</li>\n      <li><strong>Security hardening:</strong> Use pfSense cross-VLAN rules, NOT DSM-level firewall/SSH hardening</li>\n      <li><strong>CLI tools:</strong> <code>/usr/syno/bin/synopkg</code>, <code>/usr/syno/sbin/synouser</code>, <code>/usr/syno/sbin/synogroup</code></li>\n      <li><strong>DSM API:</strong> <code>https://nas.iamworkin.lan:5001/webapi/entry.cgi</code> &mdash; SYNO.API.Auth + otp_code for 2FA</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Longhorn Persistent Volume Claims (17 PVCs, ~69 Gi)</h3>\n<div class=\"note\"><strong>Longhorn &rarr; NAS Backup:</strong> Longhorn is the default StorageClass on the RKE2 cluster (iSCSI). All 17 PVCs backed up to BlueJayNAS via NFS. Daily backups at 02:00 UTC (retain 14 days), hourly snapshots (retain 24).</div>\n<table>\n<thead><tr><th>Namespace</th><th>PVC</th><th>Size</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td>monitoring</td><td>prometheus-data + grafana-data</td><td>12 Gi</td><td>Prometheus TSDB (90-day retention) + Grafana dashboards/DB</td></tr>\n<tr><td>zabbix</td><td>zabbix-postgres-data</td><td>10 Gi</td><td>Zabbix PostgreSQL (13 hosts, history/trends)</td></tr>\n<tr><td>gitea</td><td>gitea-shared-storage</td><td>10 Gi</td><td>Git repositories, LFS objects, attachments</td></tr>\n<tr><td>telephony</td><td>asterisk-data + telephony-data</td><td>10 Gi</td><td>Asterisk PBX config + FlowerCore.Telephony DB</td></tr>\n<tr><td>matrix</td><td>matrix-postgres-data + synapse-data</td><td>7 Gi</td><td>Matrix Synapse PostgreSQL + media store</td></tr>\n<tr><td>mail</td><td>mail-data + mail-state</td><td>6 Gi</td><td>docker-mailserver (Postfix queues, Dovecot mail)</td></tr>\n<tr><td>agent-zero</td><td>agent-zero-data + knowledge</td><td>6 Gi</td><td>Agent Zero persistent data + FAISS knowledge base</td></tr>\n<tr><td>guacamole</td><td>guac-mysql-data</td><td>5 Gi</td><td>Guacamole MySQL (14 connections, session history)</td></tr>\n<tr><td>irc</td><td>anope-data + unrealircd-data</td><td>2 Gi</td><td>IRC services DB (channels, nicks) + UnrealIRCd config</td></tr>\n<tr><td>teamspeak</td><td>teamspeak-data</td><td>1 Gi</td><td>TeamSpeak virtual server config + file transfers</td></tr>\n</tbody>\n</table>\n<table>\n<thead><tr><th>Component</th><th>Detail</th></tr></thead>\n<tbody>\n<tr><td>Storage Backend</td><td>Longhorn (iSCSI, default StorageClass, 3 replicas per volume)</td></tr>\n<tr><td>Backup Target</td><td><code>nfs://nas.iamworkin.lan:/volume1/NetBackup/longhorn-backups</code></td></tr>\n<tr><td>Backup Schedule</td><td>Daily at 02:00 UTC (retain 14 days), hourly snapshots (retain 24)</td></tr>\n<tr><td>RKE2 Requirement</td><td>iscsid enabled on all nodes (<code>systemctl enable --now iscsid</code>)</td></tr>\n<tr><td>Managed by</td><td>Puppet profile::kubernetes::rke2 (prerequisites, kernel modules, sysctl)</td></tr>\n</tbody>\n</table>\n\n<h3>Synology CSI Driver (Pending)</h3>\n<div class=\"note note-warn\"><strong>Status:</strong> Helm repo added, deployment pending. Will enable dynamic PVC provisioning directly from Synology NFS/iSCSI.</div>\n<table>\n<thead><tr><th>Component</th><th>Detail</th></tr></thead>\n<tbody>\n<tr><td>Driver</td><td>SynologyOpenSource/synology-csi v1.2.1</td></tr>\n<tr><td>Helm Chart</td><td>christian-schlichtherle, v0.11.0</td></tr>\n<tr><td>Protocols</td><td>NFS, iSCSI, SMB</td></tr>\n<tr><td>Service Account</td><td><code>k8s-csi</code> (UID 1032) on BlueJayNAS</td></tr>\n<tr><td>1Password</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cbxfibct4j6jfm6ccsogpayjuy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Synology CSI creds</span></a></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: WIFI ===== -->\n<div id=\"tab-wifi\" class=\"tab-content\">\n<h2>WiFi Networks</h2>\n<div class=\"note\"><strong>Credentials:</strong> All WiFi passwords are stored in the <strong>IAmWorkin</strong> vault on 1Password. To connect a device, open the 1Password app, find the WiFi entry, and scan the QR code from there. Passwords are not stored in this page for security.</div>\n<div class=\"note note-warn\"><strong>QR Code Connection:</strong> Open 1Password &rarr; search for the SSID name &rarr; tap &ldquo;Show QR Code&rdquo; &rarr; scan with your device camera. The QR code encodes the full <code>WIFI:T:WPA;S:{SSID};P:{PASSWORD};;;</code> connection string.</div>\n\n<div class=\"wifi-grid\" id=\"wifiGrid\">\n  <!-- BlueJay-Home -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Home\" data-vlan=\"58\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--purple);\">\n      <div class=\"wifi-ssid\">BlueJay-Home</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-home\">HOME (VLAN 58)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"\
+    wifi-value\"><code>BlueJay-Home</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">58 (untagged on AP)</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=vetpnvuxyfdcvkjr2cqhuaqekq\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Home network &mdash; personal / family use</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">800 / 800 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.29</span></span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Employee -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Employee\" data-vlan=\"59\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--cyan);\">\n      <div class=\"wifi-ssid\">BlueJay-Employee</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">EMPLOYEE (VLAN 59)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Employee</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">59</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=g36whfbi5zwcvsr6itowe67jjm\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Employee network &mdash; staff device access</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">500 / 500 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Work -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Work\" data-vlan=\"64\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--accent);\">\n      <div class=\"wifi-ssid\">BlueJay-Work</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">WORK (VLAN 64)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Work</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">64</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=4omsv5ybqoyk4tvqrqww7kv3yu\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Work network &mdash; business devices</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">500 / 500 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-School -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-School\" data-vlan=\"65\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--green);\">\n      <div class=\"wifi-ssid\">BlueJay-School</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">SCHOOL (VLAN 65)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-School</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">65</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=jnl2dodsrbli2y5rhwirvcywzy\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">School network &mdash; student devices</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">200 / 200 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Guest -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Guest\" data-vlan=\"66\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--gold);\">\n      <div class=\"wifi-ssid\">BlueJay-Guest</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-spare\">GUEST (VLAN 66)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder wifi-qr-open\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"\
+    7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Open network &mdash; no password required</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Guest</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">66</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">Open / Captive Portal</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><span class=\"b b-online\">None (open)</span></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Guest WiFi &mdash; fully isolated, NAT only</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">100 / 50 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n</div>\n\n<h3>WiFi Access Point</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Synology RT6600AX (AP Mode)</div>\n    <ul>\n      <li><strong>Management:</strong> <a href=\"http://wifi.iamworkin.lan:8000\" target=\"_blank\">http://wifi.iamworkin.lan:8000</a></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=hlys5gwgnfa2a2nclrr52dr6gu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Synology WiFi Router</span></a></li>\n      <li><strong>Mode:</strong> Access Point (bridge mode), all trunk ports enabled</li>\n      <li><strong>Bands:</strong> Wi-Fi 6E (2.4 GHz + 5 GHz + 6 GHz)</li>\n      <li><strong>Switch Port:</strong> 3 (trunk, native VLAN 58)</li>\n    </ul>\n  </div>\n</div>\n\n<div class=\"note\"><strong>Network Isolation:</strong> Each SSID maps to a separate VLAN with independent firewall rules and bandwidth limits. GUEST is fully isolated with NAT &mdash; no access to internal resources. EMPLOYEE, WORK, and SCHOOL share public IP .28 with traffic shaping.</div>\n</div>\n\n<!-- ===== TAB: CREDENTIALS ===== -->\n<div id=\"tab-credentials\" class=\"tab-content\">\n<h2>Credentials &amp; 1Password</h2>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password Connect Server</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://op-connect.iamworkin.lan:8180</span> <button class=\"copy-btn\" onclick=\"copyText('http://op-connect.iamworkin.lan:8180')\">copy</button></li>\n      <li><strong>Sync:</strong> <span class=\"ip\">http://op-connect.iamworkin.lan:8181</span></li>\n      <li><strong>Host:</strong> noc1 (Podman containers)</li>\n      <li><strong>Status:</strong> <span class=\"b b-online\">Online</span></li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password K8s Operator</div>\n    <ul>\n      <li><strong>Namespace:</strong> <code>onepassword-system</code></li>\n      <li><strong>Chart:</strong> 1password/connect v2.3.0</li>\n      <li><strong>Operator:</strong> v1.11.0</li>\n      <li><strong>Poll Interval:</strong> 600s</li>\n      <li><strong>Status:</strong> <span class=\"b b-online\">Online</span></li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--gold);\">\n    <div class=\"card-title\">IAmWorkin Vault</div>\n    <ul>\n      <li><strong>Vault Name:</strong> IAmWorkin</li>\n      <li><strong>Items:</strong> 45+ items (infra credentials + WiFi QR codes + Pi device passwords)</li>\n      <li><strong>Rotation:</strong> Quarterly (Jan/Apr/Jul/Oct)</li>\n      <li><strong>Script:</strong> <code>/opt/scripts/rotate-credentials.sh</code></li>\n      <li><strong>Timer:</strong> <code>credential-rotation.timer</code></li>\n    </ul>\n  </div>\n</div>\n\n<div class=\"note\"><strong>All infrastructure credentials are managed in 1Password.</strong> The IAmWorkin vault contains credentials for every service listed on this intranet. K8s workloads (Zabbix, Matrix, Guacamole, Mail, IRC, Gitea, ArgoCD) sync secrets automatically via OnePasswordItem CRDs. Credential rotation runs quarterly via systemd timer.</div>\n\n<h3>K8s Secret Sync (OnePasswordItem CRDs)</h3>\n<table>\n<thead><tr><th>Namespace</th><th>Secret Name</th><th>Source (1Password Item)</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>zabbix</td><td>zabbix-credentials</td><td>Zabbix Monitoring</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>matrix</td><td>matrix-credentials</td><td>Matrix Synapse</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>guacamole</td><td>guacamole-credentials</td><td>Apache Guacamole</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>mail</td><td>mail-credentials</td><td>Mail Server</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>irc</td><td>irc-credentials</td><td>IRC Services</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>gitea</td><td>gitea-credentials</td><td>Gitea</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>argocd</td><td>argocd-credentials</td><td>ArgoCD</td><td><span class=\"b b-online\">Synced</span></td></tr>\n</tbody>\n</table>\n\n<h3>Pi Fleet &amp; Edge Node Credentials</h3>\n<table>\n<thead><tr><th>Device</th><th>IP</th><th>User</th><th>1Password Item</th><th>Services</th></tr></thead>\n<tbody>\n<tr><td>edge1 (Pi 5)</td><td><span class=\"ip\">edge1.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge1 Pi5 SSH</span></a></td><td>Ollama, Piper TTS, Hailo STT, Frigate</td></tr>\n<tr><td>edge2 (Pi 4)</td><td><span class=\"ip\">edge2.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=kyeqfwy76msqb4cfdjueaq5uta\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge2 Pi4 SSH</span></a></td><td>GitHub Actions runners</td></tr>\n<tr><td>piez (Pi 4)</td><td><span class=\"ip\">piez.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 piez</span></a></td><td>PiManager :5000 (GPIO, I2C, SPI)</td></tr>\n<tr><td>pirelay (Pi 3)</td><td><span class=\"ip\">pirelay.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 pirelay</span></a></td><td>PiManager :5100 (4-ch relay)</td></tr>\n<tr><td>Mac Mini</td><td><span class=\"ip\">macmini.iamworkin.lan</span></td><td><code>bluejay</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=npkseg2zvbmxmtg7qrseredvym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mac Mini</span></a></td><td>SSH + VNC :5900, Xcode builds</td></tr>\n</tbody>\n</table>\n\n<h3>Credential Rotation</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Rotation Script</div>\n    <ul>\n      <li><strong>Path:</strong> <code>/opt/scripts/rotate-credentials.sh</code></li>\n      <li><strong>Usage:</strong> <code>rotate-credentials.sh {service|all} [--dry-run]</code></li>\n      <li><strong>Services:</strong> grafana, guacamole, zabbix, argocd, gitea, snappymail, traefik, matrix, harvester (17/17 complete, all XKCD-style)</li>\n      <li><strong>Schedule:</strong> Quarterly (1st of Jan/Apr/Jul/Oct at 03:00 UTC)</li>\n      <li><strong>Log:</strong> <code>/var/log/credential-rotation.log</code></li>\n    </ul>\n  </div>\n</div>\n</div>\n\n<!-- ===== TAB: PLANNED ===== -->\n<div id=\"tab-planned\" class=\"tab-content\">\n<h2>Planned Services</h2>\n<div class=\"note\">All previously planned services (Gitea, IRC, Zabbix, ArgoCD, 1Password, Mail, Matrix, TeamSpeak, Guacamole) are now <strong>live on RKE2</strong>. Remaining planned items are Windows Server VMs and authenticated proxy.</div>\n<table>\n<thead><tr><th>Service</th><th>IP</th><th>Host</th><th>Role</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>Windows DC1</td><td><span class=\"ip\">10.0.56.20</span></td><td>VM (hypervisor TBD)</td><td>AD Domain Controller (iamworkin.lan)</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows WAC1</td><td><span class=\"ip\">10.0.56.21</span></td><td>VM (hypervisor TBD)</td><td>Windows Admin Center</td><td><span\
+    \ class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows RDS1</td><td><span class=\"ip\">10.0.57.20</span></td><td>VM (hypervisor TBD)</td><td>Remote Desktop Services</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows IIS1</td><td><span class=\"ip\">10.0.57.21</span></td><td>VM (hypervisor TBD)</td><td>IIS Web Server</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Squid Proxy</td><td><span class=\"ip\">10.0.56.22</span></td><td>VM (hypervisor TBD)</td><td>Authenticated web proxy (Kerberos/LDAP)</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: TOPOLOGY ===== -->\n<div id=\"tab-topology\" class=\"tab-content\">\n<h2>Network Topology</h2>\n<div style=\"display:flex;flex-direction:column;align-items:center;gap:8px;padding:1.5rem;\">\n\n<div class=\"card\" style=\"text-align:center;max-width:280px;border-color:var(--text-muted);\"><div class=\"card-title\" style=\"justify-content:center;\">Internet</div></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:320px;\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>Frontier ONT + NVG468MQ Modem</div><p><span class=\"ip\">WAN: 74.32.185.184</span> &bull; <span class=\"ip\">/28: .17-.29</span></p><p style=\"font-size:0.78rem;\">192.168.254.254 &bull; DMZ to pfSense</p></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:360px;border-color:var(--accent);\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>pfSense Netgate 4100</div><p><span class=\"ip\">WAN: ix3 (.122)</span> &bull; <span class=\"ip\">LAN: igc0</span> (802.1Q trunk)</p><p style=\"font-size:0.78rem;\">13 VLANs &bull; 13 VIPs &bull; 28 port forwards &bull; DNS/DHCP/NTP/SNMP</p></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:340px;\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>UniFi USW-Lite-16-PoE Switch</div><p><span class=\"ip\">switch.iamworkin.lan</span> &bull; 16 ports &bull; VLANs 56-67</p></div>\n<div style=\"width:2px;height:8px;background:var(--border-accent);\"></div>\n\n<div style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(200px,1fr));gap:10px;width:100%;max-width:1200px;\">\n  <div class=\"card\" style=\"border-left:3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>noc1</div>\n    <p><span class=\"ip\">noc1.iamworkin.lan</span> <span class=\"b b-mgmt\">MGMT</span></p>\n    <p style=\"font-size:0.78rem;\">Celeron N5105 &bull; 32GB &bull; K3s + Podman</p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Grafana :3000</li><li>Prometheus :9091</li>\n      <li>step-ca :9443</li><li>Cockpit :9090</li>\n      <li>Puppet :8140</li><li>1Password Connect :8180</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--green);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>RKE2 Bare-Metal Cluster</div>\n    <p><span class=\"ip\">Traefik: traefik.iamworkin.lan</span> <span class=\"b b-mgmt\">MGMT</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>rke2-server: <span class=\"ip\">.11</span> (i7-1260P/64GB, control plane)</li>\n      <li>rke2-agent1: <span class=\"ip\">.12</span> (i7-1260P/64GB, worker)</li>\n      <li>rke2-agent2: <span class=\"ip\">.13</span> (i5-1340P/64GB, worker)</li>\n    </ul>\n    <p style=\"font-size:0.78rem;\">RKE2 v1.34.5 &bull; Calico &bull; MetalLB &bull; Longhorn &bull; Traefik v3.3.4 &bull; ArgoCD &bull; 11 apps &bull; Asterisk PBX</p>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--cyan);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>WiFi (Synology RT6600AX)</div>\n    <p><span class=\"ip\">wifi.iamworkin.lan</span> <span class=\"b b-home\">HOME</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>BlueJay-Home (untagged)</li><li>BlueJay-Employee (VLAN 59)</li>\n      <li>BlueJay-Work (VLAN 64)</li><li>BlueJay-School (VLAN 65)</li>\n      <li>BlueJay-Guest (VLAN 66)</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--orange);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>PROD Nodes</div>\n    <p><span class=\"b b-prod\">PROD VLAN 57</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Mac Mini: <span class=\"ip\">macmini.iamworkin.lan</span> (Xcode)</li>\n      <li>edge1 Pi5: <span class=\"ip\">edge1.iamworkin.lan</span> (Hailo AI)</li>\n      <li>edge2 Pi4: <span class=\"ip\">edge2.iamworkin.lan</span> (CI runner)</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--purple);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>HOME Pi Fleet</div>\n    <p><span class=\"b b-home\">HOME VLAN 58</span> &bull; FlowerCore.PiManager</p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>piez Pi4: <span class=\"ip\">piez.iamworkin.lan</span> (EZ Connect, GPIO/I2C/SPI) — <a href=\"http://piez.iamworkin.lan:5000\">:5000</a></li>\n      <li>pirelay Pi3: <span class=\"ip\">pirelay.iamworkin.lan</span> (KS0212 4-ch relay) — <a href=\"http://pirelay.iamworkin.lan:5100\">:5100</a></li>\n      <li style=\"font-size:0.72rem;color:var(--text-muted);\">Unified PiManager binary &bull; config-driven &bull; node-exporter &bull; Zabbix</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--gold);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Network Devices &amp; Storage</div>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Cloud Key: <span class=\"ip\">unifi.iamworkin.lan</span></li>\n      <li>BlueJayNAS (DS1621+): <span class=\"ip\">nas.iamworkin.lan</span></li>\n      <li style=\"font-size:0.72rem;color:var(--text-muted);\">9.1TB Btrfs &bull; NFS &bull; Longhorn backup &bull; SNMP</li>\n      <li>Modem: <span class=\"ip\">192.168.254.254</span></li>\n    </ul>\n  </div>\n</div>\n</div>\n</div>\n\n<!-- ===== TAB: DOMAINS ===== -->\n<div id=\"tab-domains\" class=\"tab-content\">\n<h2>Domains</h2>\n<div class=\"summary-grid\">\n  <div class=\"summary-card\"><div class=\"summary-number\">17</div><div class=\"summary-label\">Registered Domains</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">1</div><div class=\"summary-label\">Internal Domain</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">1</div><div class=\"summary-label\">Blog Hosting (DreamHost)</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">18</div><div class=\"summary-label\">Total Domains</div></div>\n</div>\n\n<h3>FlowerCore Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>flowercore.io</strong></td><td><span class=\"b b-prod\">FlowerCore</span></td><td>Andrew</td><td>Production API</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.xyz</strong></td><td><span class=\"b b-prod\">FlowerCore</span></td><td>Andrew</td><td>Dev/staging</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.com</strong></td><td><span class=\"b b-prod\">FlowerCore Co</span></td><td>Andrew</td><td>Company site</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.nl</strong></td><td><span class=\"b b-prod\">FlowerCore Co</span></td><td>Andrew</td><td>Dutch site</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Work Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>iamwork.in</strong></td><td><span class=\"b b-wifi\">Work</span></td><td>Andrew</td><td>Employee portal, IVR, Telephony</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>iamworkin.com</strong></td><td><span class=\"b b-wifi\">Work</span></td><td>Andrew</td><td>Redirect</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Personal &amp; Tenant Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>ackeroni.com</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Personal</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>erckak.com</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Personal</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>erckak.dev</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Developer portfolio</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>digirido.com</strong></td><td><span class=\"b b-spare\">Random</span></td><td>Andrew</td><td>DigiKey testing</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>timeforta.co</strong></td><td><span class=\"b b-tenant\">Dustin</span></td><td>Dustin</td><td>Personal</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>shenanjia.com</strong></td><td><span class=\"b b-home\">Wife</span></td><td>Wife</td><td>Personal site</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>bluejay.api</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>API experiments</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>bluejay.dev</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>Dev projects, voice bridge</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>jayblue.dev</strong></td><td><span class=\"\
+    b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>Dev projects</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>z.orb</strong></td><td><span class=\"b b-spare\">Random</span></td><td>Andrew</td><td>Short URL</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Blog &amp; Content Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>pebbleandpeanut.com</strong></td><td><span class=\"b b-home\">Blog</span></td><td>Andrew</td><td>Personal blog</td><td>DreamHost</td><td>Namecheap</td></tr>\n<tr><td><strong>pebblesandpeanuts.com</strong></td><td><span class=\"b b-home\">Blog</span></td><td>Andrew</td><td>Alt redirect</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Internal Domain</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Notes</th></tr></thead>\n<tbody>\n<tr><td><strong>iamworkin.lan</strong></td><td><span class=\"b b-mgmt\">Internal</span></td><td>Andrew</td><td>Internal infrastructure, future AD DS</td><td>pfSense Unbound</td><td>52+ host overrides + 4 wildcard redirect zones, not publicly registered</td></tr>\n</tbody>\n</table>\n\n<h3>Cloudflare (6 Zones)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Cloudflare Account</div>\n    <ul>\n      <li><strong>Account:</strong> Astoltz@iamwork.in</li>\n      <li><strong>Plan:</strong> Pro (planned)</li>\n      <li><strong>NS:</strong> dan.ns.cloudflare.com, frida.ns.cloudflare.com</li>\n      <li><strong>All Zones:</strong> SSL Full(strict), HSTS, min TLS 1.2</li>\n      <li><strong>API Tokens:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=mp5u2gxtq4xaz2wfsggxzm2a3e\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Cloudflare API Tokens</span></a></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Active Zones</div>\n    <ul>\n      <li><strong>flowercore.io</strong> &mdash; Production API, landing page</li>\n      <li><strong>iamwork.in</strong> &mdash; Employee portal, telephony, DDNS</li>\n      <li><strong>bluejay.dev</strong> &mdash; Dev projects, voice bridge</li>\n      <li><strong>erckak.dev</strong> &mdash; Erik developer portfolio</li>\n      <li><strong>timeforta.co</strong> &mdash; Dustin personal</li>\n      <li><strong>flowerinsider.xyz</strong> &mdash; Dev/staging</li>\n    </ul>\n  </div>\n</div>\n<h3>Namecheap API</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">API Configuration</div>\n    <ul>\n      <li><strong>Base URL:</strong> <code>https://api.namecheap.com/xml.response</code> <button class=\"copy-btn\" onclick=\"copyText('https://api.namecheap.com/xml.response')\">copy</button></li>\n      <li><strong>API User:</strong> <code>astoltz</code> <button class=\"copy-btn\" onclick=\"copyText('astoltz')\">copy</button></li>\n      <li><strong>API Key:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=wghrgst2tjer36istiwej43fcy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Namecheap API</span></a></li>\n      <li><strong>Sandbox URL:</strong> <code>https://api.sandbox.namecheap.com/xml.response</code> <button class=\"copy-btn\" onclick=\"copyText('https://api.sandbox.namecheap.com/xml.response')\">copy</button></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Dynamic DNS</div>\n    <ul>\n      <li><strong>Hostname:</strong> <code>gateway.iamwork.in</code> <button class=\"copy-btn\" onclick=\"copyText('gateway.iamwork.in')\">copy</button></li>\n      <li><strong>Points to:</strong> pfSense WAN IP (auto-updated)</li>\n      <li><strong>DDNS:</strong> gateway.iamwork.in &rarr; pfSense WAN DHCP IP (via Cloudflare API)</li>\n      <li><strong>Update Method:</strong> pfSense Dynamic DNS client (Cloudflare API token)</li>\n      <li><strong>Token:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=mp5u2gxtq4xaz2wfsggxzm2a3e\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Cloudflare pfSense Token</span></a></li>\n    </ul>\n  </div>\n</div>\n\n<h3>Internal DNS Architecture</h3>\n<div class=\"note\"><strong>Split-Horizon DNS (LIVE):</strong> External requests to flowercore.io resolve via Cloudflare to public IP .24 (PROD). Internal requests resolve via pfSense Unbound to K8s MetalLB VIP (10.0.56.200), avoiding NAT hairpin. All internal infrastructure uses iamworkin.lan zone. 4 tenant .lan wildcard redirect zones configured in Unbound (base64-encoded custom_options).</div>\n\n<h3>Planned IPv6 (ULA)</h3>\n<table>\n<thead><tr><th>Prefix</th><th>Scheme</th><th>Method</th></tr></thead>\n<tbody>\n<tr><td><code>fdbc:56:XX::/64</code></td><td>XX = VLAN ID (e.g., fdbc:56:56::/64 for MGMT)</td><td>SLAAC + DHCPv6 (servers), SLAAC-only (clients)</td></tr>\n</tbody>\n</table>\n</div>\n\n<script>\n/* ===== QR Code Generator (inline, air-gap safe) ===== */\n/* Minimal QR code encoder — generates canvas-based QR codes. Based on public domain QR algorithms. */\nvar QRCode=(function(){\nvar PAD0=0xEC,PAD1=0x11;\nfunction QRCode(typeNumber,errorCorrectionLevel){this.typeNumber=typeNumber;this.errorCorrectionLevel=errorCorrectionLevel;this.modules=null;this.moduleCount=0;this.dataCache=null;this.dataList=[];}\nQRCode.prototype={addData:function(data){this.dataList.push(new QR8bitByte(data));this.dataCache=null;},make:function(){if(this.typeNumber<1){var tn=1;for(tn=1;tn<40;tn++){var rs=QRRSBlock.getRSBlocks(tn,this.errorCorrectionLevel);var buf=new QRBitBuffer();for(var i=0;i<this.dataList.length;i++){var d=this.dataList[i];buf.put(d.mode,4);buf.put(d.getLength(),QRUtil.getLengthInBits(d.mode,tn));d.write(buf);}var totalDataCount=0;for(i=0;i<rs.length;i++){totalDataCount+=rs[i].dataCount;}if(buf.getLengthInBits()<=totalDataCount*8)break;}this.typeNumber=tn;}this.makeImpl(false,this.getBestMaskPattern());},makeImpl:function(test,maskPattern){this.moduleCount=this.typeNumber*4+17;this.modules=new Array(this.moduleCount);for(var row=0;row<this.moduleCount;row++){this.modules[row]=new Array(this.moduleCount);for(var col=0;col<this.moduleCount;col++){this.modules[row][col]=null;}}this.setupPositionProbePattern(0,0);this.setupPositionProbePattern(this.moduleCount-7,0);this.setupPositionProbePattern(0,this.moduleCount-7);this.setupPositionAdjustPattern();this.setupTimingPattern();this.setupTypeInfo(test,maskPattern);if(this.typeNumber>=7){this.setupTypeNumber(test);}if(this.dataCache==null){this.dataCache=QRCode.createData(this.typeNumber,this.errorCorrectionLevel,this.dataList);}this.mapData(this.dataCache,maskPattern);},setupPositionProbePattern:function(row,col){for(var r=-1;r<=7;r++){if(row+r<=-1||this.moduleCount<=row+r)continue;for(var c=-1;c<=7;c++){if(col+c<=-1||this.moduleCount<=col+c)continue;if((0<=r&&r<=6&&(c==0||c==6))||(0<=c&&c<=6&&(r==0||r==6))||(2<=r&&r<=4&&2<=c&&c<=4)){this.modules[row+r][col+c]=true;}else{this.modules[row+r][col+c]=false;}}}},getBestMaskPattern:function(){var minLostPoint=0;var pattern=0;for(var i=0;i<8;i++){this.makeImpl(true,i);var lostPoint=QRUtil.getLostPoint(this);if(i==0||minLostPoint>lostPoint){minLostPoint=lostPoint;pattern=i;}}return pattern;},setupTimingPattern:function(){for(var r=8;r<this.moduleCount-8;r++){if(this.modules[r][6]!=null)continue;this.modules[r][6]=(r%2==0);}for(var c=8;c<this.moduleCount-8;c++){if(this.modules[6][c]!=null)continue;this.modules[6][c]=(c%2==0);}},setupPositionAdjustPattern:function(){var pos=QRUtil.getPatternPosition(this.typeNumber);for(var i=0;i<pos.length;i++){for(var j=0;j<pos.length;j++){var row=pos[i];var col=pos[j];if(this.modules[row][col]!=null)continue;for(var r=-2;r<=2;r++){for(var c=-2;c<=2;c++){if(r==-2||r==2||c==-2||c==2||(r==0&&c==0)){this.modules[row+r][col+c]=true;}else{this.modules[row+r][col+c]=false;}}}}}},setupTypeNumber:function(test){var bits=QRUtil.getBCHTypeNumber(this.typeNumber);for(var i=0;i<18;i++){var mod=(!test&&((bits>>i)&1)==1);this.modules[Math.floor(i/3)][i%3+this.moduleCount-8-3]=mod;}for(i=0;i<18;i++){mod=(!test&&((bits>>i)&1)==1);this.modules[i%3+this.moduleCount-8-3][Math.floor(i/3)]=mod;}},setupTypeInfo:function(test,maskPattern){var data=(this.errorCorrectionLevel<<3)|maskPattern;var bits=QRUtil.getBCHTypeInfo(data);for(var i=0;i<15;i++){var mod=(!test&&((bits>>i)&1)==1);if(i<6){this.modules[i][8]=mod;}else if(i<8){this.modules[i+1][8]=mod;}else{this.modules[this.moduleCount-15+i][8]=mod;}}for(i=0;i<15;i++){mod=(!test&&((bits>>i)&1)==1);if(i<8){this.modules[8][this.moduleCount-i-1]=mod;}else if(i<9){this.modules[8][15-i-1+1]=mod;}else{this.modules[8][15-i-1]=mod;}}this.modules[this.moduleCount-8][8]=(!test);},mapData:function(data,maskPattern){var inc=-1;var row=this.moduleCount-1;var bitIndex=7;var byteIndex=0;for(var col=this.moduleCount-1;col>0;col-=2){if(col==6)col--;while(true){for(var c=0;c<2;c++){if(this.modules[row][col-c]==null){var dark=false;if(byteIndex<data.length){dark=(((data[byteIndex]>>>bitIndex)&1)==1);}var mask=QRUtil.getMask(maskPattern,row,col-c);if(mask){dark=!dark;}this.modules[row][col-c]=dark;bitIndex--;if(bitIndex==-1){byteIndex++;bitIndex=7;}}}row+=inc;if(row<0||this.moduleCount<=row){row-=inc;inc=-inc;break;}}}}};\nQRCode.createData=function(typeNumber,errorCorrectionLevel,dataList){var rsBlocks=QRRSBlock.getRSBlocks(typeNumber,errorCorrectionLevel);var buffer=new QRBitBuffer();for(var i=0;i<dataList.length;i++){var data=dataList[i];buffer.put(data.mode,4);buffer.put(data.getLength(),QRUtil.getLengthInBits(data.mode,typeNumber));data.write(buffer);}var totalDataCount=0;for(i=0;i<rsBlocks.length;i++){totalDataCount+=rsBlocks[i].dataCount;}if(buffer.getLengthInBits()>totalDataCount*8){throw\
+    \ new Error('code length overflow. ('+buffer.getLengthInBits()+'>'+totalDataCount*8+')');}if(buffer.getLengthInBits()+4<=totalDataCount*8){buffer.put(0,4);}while(buffer.getLengthInBits()%8!=0){buffer.putBit(false);}while(true){if(buffer.getLengthInBits()>=totalDataCount*8)break;buffer.put(PAD0,8);if(buffer.getLengthInBits()>=totalDataCount*8)break;buffer.put(PAD1,8);}return QRCode.createBytes(buffer,rsBlocks);};\nQRCode.createBytes=function(buffer,rsBlocks){var offset=0;var maxDcCount=0;var maxEcCount=0;var dcdata=new Array(rsBlocks.length);var ecdata=new Array(rsBlocks.length);for(var r=0;r<rsBlocks.length;r++){var dcCount=rsBlocks[r].dataCount;var ecCount=rsBlocks[r].totalCount-dcCount;maxDcCount=Math.max(maxDcCount,dcCount);maxEcCount=Math.max(maxEcCount,ecCount);dcdata[r]=new Array(dcCount);for(var i=0;i<dcdata[r].length;i++){dcdata[r][i]=0xff&buffer.buffer[i+offset];}offset+=dcCount;var rsPoly=QRUtil.getErrorCorrectPolynomial(ecCount);var rawPoly=new QRPolynomial(dcdata[r],rsPoly.getLength()-1);var modPoly=rawPoly.mod(rsPoly);ecdata[r]=new Array(rsPoly.getLength()-1);for(i=0;i<ecdata[r].length;i++){var modIndex=i+modPoly.getLength()-ecdata[r].length;ecdata[r][i]=(modIndex>=0)?modPoly.get(modIndex):0;}}var totalCodeCount=0;for(i=0;i<rsBlocks.length;i++){totalCodeCount+=rsBlocks[i].totalCount;}var data=new Array(totalCodeCount);var index=0;for(i=0;i<maxDcCount;i++){for(r=0;r<rsBlocks.length;r++){if(i<dcdata[r].length){data[index++]=dcdata[r][i];}}}for(i=0;i<maxEcCount;i++){for(r=0;r<rsBlocks.length;r++){if(i<ecdata[r].length){data[index++]=ecdata[r][i];}}}return data;};\nfunction QR8bitByte(data){this.mode=4;this.data=data;}QR8bitByte.prototype={getLength:function(){return this.data.length;},write:function(buffer){for(var i=0;i<this.data.length;i++){buffer.put(this.data.charCodeAt(i),8);}}};\nvar QRUtil={PATTERN_POSITION_TABLE:[[],[6,18],[6,22],[6,26],[6,30],[6,34],[6,22,38],[6,24,42],[6,26,46],[6,28,50],[6,30,54],[6,32,58],[6,34,62],[6,26,46,66],[6,26,48,70],[6,26,50,74],[6,30,54,78],[6,30,56,82],[6,30,58,86],[6,34,62,90],[6,28,50,72,94],[6,26,50,74,98],[6,30,54,78,102],[6,28,54,80,106],[6,32,58,84,110],[6,30,58,86,114],[6,34,62,90,118],[6,26,50,74,98,122],[6,30,54,78,102,126],[6,26,52,78,104,130],[6,30,56,82,108,134],[6,34,60,86,112,138],[6,30,58,86,114,142],[6,34,62,90,118,146],[6,30,54,78,102,126,150],[6,24,50,76,102,128,154],[6,28,54,80,106,132,158],[6,32,58,84,110,136,162],[6,26,54,82,110,138,166],[6,30,58,86,114,142,170]],G15:(1<<10)|(1<<8)|(1<<5)|(1<<4)|(1<<2)|(1<<1)|(1<<0),G18:(1<<12)|(1<<11)|(1<<10)|(1<<9)|(1<<8)|(1<<5)|(1<<2)|(1<<0),G15_MASK:(1<<14)|(1<<12)|(1<<10)|(1<<4)|(1<<1),getBCHTypeInfo:function(data){var d=data<<10;while(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G15)>=0){d^=(QRUtil.G15<<(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G15)));}return((data<<10)|d)^QRUtil.G15_MASK;},getBCHTypeNumber:function(data){var d=data<<12;while(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G18)>=0){d^=(QRUtil.G18<<(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G18)));}return(data<<12)|d;},getBCHDigit:function(data){var digit=0;while(data!=0){digit++;data>>>=1;}return digit;},getPatternPosition:function(typeNumber){return QRUtil.PATTERN_POSITION_TABLE[typeNumber-1];},getMask:function(maskPattern,i,j){switch(maskPattern){case 0:return(i+j)%2==0;case 1:return i%2==0;case 2:return j%3==0;case 3:return(i+j)%3==0;case 4:return(Math.floor(i/2)+Math.floor(j/3))%2==0;case 5:return(i*j)%2+(i*j)%3==0;case 6:return((i*j)%2+(i*j)%3)%2==0;case 7:return((i*j)%3+(i+j)%2)%2==0;default:throw new Error('bad maskPattern:'+maskPattern);}},getErrorCorrectPolynomial:function(errorCorrectLength){var a=new QRPolynomial([1],0);for(var i=0;i<errorCorrectLength;i++){a=a.multiply(new QRPolynomial([1,QRMath.gexp(i)],0));}return a;},getLengthInBits:function(mode,type){if(1<=type&&type<10){return 8;}else if(type<27){return 16;}else if(type<41){return 16;}throw new Error('type:'+type);},getLostPoint:function(qrCode){var moduleCount=qrCode.moduleCount;var lostPoint=0;for(var row=0;row<moduleCount;row++){for(var col=0;col<moduleCount;col++){var sameCount=0;var dark=qrCode.modules[row][col];for(var r=-1;r<=1;r++){if(row+r<0||moduleCount<=row+r)continue;for(var c=-1;c<=1;c++){if(col+c<0||moduleCount<=col+c)continue;if(r==0&&c==0)continue;if(dark==qrCode.modules[row+r][col+c]){sameCount++;}}}if(sameCount>5){lostPoint+=(3+sameCount-5);}}}for(row=0;row<moduleCount-1;row++){for(col=0;col<moduleCount-1;col++){var count=0;if(qrCode.modules[row][col])count++;if(qrCode.modules[row+1][col])count++;if(qrCode.modules[row][col+1])count++;if(qrCode.modules[row+1][col+1])count++;if(count==0||count==4){lostPoint+=3;}}}for(row=0;row<moduleCount;row++){for(col=0;col<moduleCount-6;col++){if(qrCode.modules[row][col]&&!qrCode.modules[row][col+1]&&qrCode.modules[row][col+2]&&qrCode.modules[row][col+3]&&qrCode.modules[row][col+4]&&!qrCode.modules[row][col+5]&&qrCode.modules[row][col+6]){lostPoint+=40;}}}for(col=0;col<moduleCount;col++){for(row=0;row<moduleCount-6;row++){if(qrCode.modules[row][col]&&!qrCode.modules[row+1][col]&&qrCode.modules[row+2][col]&&qrCode.modules[row+3][col]&&qrCode.modules[row+4][col]&&!qrCode.modules[row+5][col]&&qrCode.modules[row+6][col]){lostPoint+=40;}}}var darkCount=0;for(col=0;col<moduleCount;col++){for(row=0;row<moduleCount;row++){if(qrCode.modules[row][col]){darkCount++;}}}var ratio=Math.abs(100*darkCount/moduleCount/moduleCount-50)/5;lostPoint+=ratio*10;return lostPoint;}};\nvar QRMath={glog:function(n){if(n<1)throw new Error('glog('+n+')');return QRMath.LOG_TABLE[n];},gexp:function(n){while(n<0){n+=255;}while(n>=256){n-=255;}return QRMath.EXP_TABLE[n];},EXP_TABLE:new Array(256),LOG_TABLE:new Array(256)};for(var i=0;i<8;i++){QRMath.EXP_TABLE[i]=1<<i;}for(i=8;i<256;i++){QRMath.EXP_TABLE[i]=QRMath.EXP_TABLE[i-4]^QRMath.EXP_TABLE[i-5]^QRMath.EXP_TABLE[i-6]^QRMath.EXP_TABLE[i-8];}for(i=0;i<255;i++){QRMath.LOG_TABLE[QRMath.EXP_TABLE[i]]=i;}\nfunction QRPolynomial(num,shift){if(num.length==undefined)throw new Error(num.length+'/'+shift);var offset=0;while(offset<num.length&&num[offset]==0){offset++;}this.num=new Array(num.length-offset+shift);for(var i=0;i<num.length-offset;i++){this.num[i]=num[i+offset];}}QRPolynomial.prototype={get:function(index){return this.num[index];},getLength:function(){return this.num.length;},multiply:function(e){var num=new Array(this.getLength()+e.getLength()-1);for(var i=0;i<this.getLength();i++){for(var j=0;j<e.getLength();j++){num[i+j]^=QRMath.gexp(QRMath.glog(this.get(i))+QRMath.glog(e.get(j)));}}return new QRPolynomial(num,0);},mod:function(e){if(this.getLength()-e.getLength()<0)return this;var ratio=QRMath.glog(this.get(0))-QRMath.glog(e.get(0));var num=new Array(this.getLength());for(var i=0;i<this.getLength();i++){num[i]=this.get(i);}for(i=0;i<e.getLength();i++){num[i]^=QRMath.gexp(QRMath.glog(e.get(i))+ratio);}return new QRPolynomial(num,0).mod(e);}};\nfunction QRRSBlock(totalCount,dataCount){this.totalCount=totalCount;this.dataCount=dataCount;}\nQRRSBlock.RS_BLOCK_TABLE=[[1,26,19],[1,26,16],[1,26,13],[1,26,9],[1,44,34],[1,44,28],[1,44,22],[1,44,16],[1,70,55],[1,70,44],[2,35,17],[2,35,13],[1,100,80],[2,50,32],[2,50,24],[4,25,9],[1,134,108],[2,67,43],[2,33,15,2,34,16],[2,33,11,2,34,12],[2,86,68],[4,43,27],[4,43,19],[4,43,15],[2,98,78],[4,49,31],[2,32,14,4,33,15],[4,39,13,1,40,14],[2,121,97],[2,60,38,2,61,39],[4,40,18,2,41,19],[4,40,14,2,41,15],[2,146,116],[3,58,36,2,59,37],[4,36,16,4,37,17],[4,36,12,4,37,13],[2,86,68,2,87,69],[4,69,43,1,70,44],[6,43,19,2,44,20],[6,43,15,2,44,16],[4,101,81],[1,80,50,4,81,51],[4,50,22,4,51,23],[3,36,12,8,37,13],[2,116,92,2,117,93],[6,58,36,2,59,37],[4,46,20,6,47,21],[7,42,14,4,43,15],[4,133,107],[8,59,37,1,60,38],[8,44,20,4,45,21],[12,33,11,4,34,12],[3,145,115,1,146,116],[4,64,40,5,65,41],[11,36,16,5,37,17],[11,36,12,5,37,13],[5,109,87,1,110,88],[5,65,41,5,66,42],[5,54,24,7,55,25],[11,36,12,7,37,13],[5,122,98,1,123,99],[7,73,45,3,74,46],[15,43,19,2,44,20],[3,45,15,13,46,16],[1,135,107,5,136,108],[10,74,46,1,75,47],[1,50,22,15,51,23],[2,42,14,17,43,15],[5,150,120,1,151,121],[9,69,43,4,70,44],[17,50,22,1,51,23],[2,42,14,19,43,15],[3,141,113,4,142,114],[3,70,44,11,71,45],[17,47,21,4,48,22],[9,39,13,16,40,14],[3,135,107,5,136,108],[3,67,41,13,68,42],[15,54,24,5,55,25],[15,43,15,10,44,16],[4,144,116,4,145,117],[17,68,42],[17,50,22,6,51,23],[19,46,16,6,47,17],[2,139,111,7,140,112],[17,74,46],[7,54,24,16,55,25],[34,37,13],[4,151,121,5,152,122],[4,75,47,14,76,48],[11,54,24,14,55,25],[16,45,15,14,46,16],[6,147,117,4,148,118],[6,73,45,14,74,46],[11,54,24,16,55,25],[30,46,16,2,47,17],[8,132,106,4,133,107],[8,75,47,13,76,48],[7,54,24,22,55,25],[22,45,15,13,46,16],[10,142,114,2,143,115],[19,74,46,4,75,47],[28,50,22,6,51,23],[33,46,16,4,47,17],[8,152,122,4,153,123],[22,73,45,3,74,46],[8,53,23,26,54,24],[12,45,15,28,46,16],[3,147,117,10,148,118],[3,73,45,23,74,46],[4,54,24,31,55,25],[11,45,15,31,46,16],[7,146,116,7,147,117],[21,73,45,7,74,46],[1,53,23,37,54,24],[19,45,15,26,46,16],[5,145,115,10,146,116],[19,75,47,10,76,48],[15,54,24,25,55,25],[23,45,15,25,46,16],[13,145,115,3,146,116],[2,74,46,29,75,47],[42,54,24,1,55,25],[23,45,15,28,46,16],[17,145,115],[10,74,46,23,75,47],[10,54,24,35,55,25],[19,45,15,35,46,16],[17,145,115,1,146,116],[14,74,46,21,75,47],[29,54,24,19,55,25],[11,45,15,46,46,16],[13,145,115,6,146,116],[14,74,46,23,75,47],[44,54,24,7,55,25],[59,46,16,1,47,17],[12,151,121,7,152,122],[12,75,47,26,76,48],[39,54,24,14,55,25],[22,45,15,41,46,16],[6,151,121,14,152,122],[6,75,47,34,76,48],[46,54,24,10,55,25],[2,45,15,64,46,16],[17,152,122,4,153,123],[29,74,46,14,75,47],[49,54,24,10,55,25],[24,45,15,46,46,16],[4,152,122,18,153,123],[13,74,46,32,75,47],[48,54,24,14,55,25],[42,45,15,32,46,16],[20,147,117,4,148,118],[40,75,47,7,76,48],[43,54,24,22,55,25],[10,45,15,67,46,16],[19,148,118,6,149,119],[18,75,47,31,76,48],[34,54,24,34,55,25],[20,45,15,61,46,16]];\nQRRSBlock.getRSBlocks=function(typeNumber,errorCorrectionLevel){var rsBlock=QRRSBlock.getRsBlockTable(typeNumber,errorCorrectionLevel);if(rsBlock==undefined){throw\
+    \ new Error('bad rs block @ typeNumber:'+typeNumber+'/errorCorrectionLevel:'+errorCorrectionLevel);}var length=rsBlock.length/3;var list=[];for(var i=0;i<length;i++){var count=rsBlock[i*3+0];var totalCount=rsBlock[i*3+1];var dataCount=rsBlock[i*3+2];for(var j=0;j<count;j++){list.push(new QRRSBlock(totalCount,dataCount));}}return list;};\nQRRSBlock.getRsBlockTable=function(typeNumber,errorCorrectionLevel){switch(errorCorrectionLevel){case 1:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+0];case 0:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+1];case 3:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+2];case 2:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+3];default:return undefined;}};\nfunction QRBitBuffer(){this.buffer=[];this.length=0;}QRBitBuffer.prototype={get:function(index){var bufIndex=Math.floor(index/8);return((this.buffer[bufIndex]>>>(7-index%8))&1)==1;},put:function(num,length){for(var i=0;i<length;i++){this.putBit(((num>>>(length-i-1))&1)==1);}},getLengthInBits:function(){return this.length;},putBit:function(bit){var bufIndex=Math.floor(this.length/8);if(this.buffer.length<=bufIndex){this.buffer.push(0);}if(bit){this.buffer[bufIndex]|=(0x80>>>(this.length%8));}this.length++;}};\nreturn QRCode;})();\n\n/* ===== WiFi QR Code Rendering ===== */\n/* QR codes with passwords are generated via 1Password app, not stored in this page.\n   The inline QR library above is retained for potential future use (e.g., guest open network QR). */\nfunction initWifiQRCodes() {\n  /* Placeholder — QR codes are now served from 1Password app */\n}\n\nfunction printQRCodes() {\n  /* Switch to WiFi tab, mark it for print, print, then restore */\n  var allTabs = document.querySelectorAll('.tab-content');\n  var wifiTab = document.getElementById('tab-wifi');\n  allTabs.forEach(function(t) { t.classList.remove('print-active'); });\n  if (wifiTab) { wifiTab.classList.add('print-active'); }\n  window.print();\n  if (wifiTab) { wifiTab.classList.remove('print-active'); }\n}\n\n/* ===== Existing Functions ===== */\nfunction toggleTheme(){var h=document.documentElement,c=h.getAttribute('data-theme'),n=c==='dark'?'light':'dark';h.setAttribute('data-theme',n);document.getElementById('themeLabel').textContent=n==='dark'?'Light':'Dark';try{localStorage.setItem('bjTheme',n)}catch(e){}}\n(function(){try{var s=localStorage.getItem('bjTheme');if(s){document.documentElement.setAttribute('data-theme',s);var l=document.getElementById('themeLabel');if(l)l.textContent=s==='dark'?'Light':'Dark'}}catch(e){}})();\nvar ALL_TABS=['overview','isp','pfsense','switching','dns','k8s','noc','vpn','edge','storage','wifi','planned','topology','domains','credentials'];\nfunction switchTab(id,el){document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});document.querySelectorAll('.tab-btn').forEach(function(b){b.classList.remove('active')});var tgt=document.getElementById('tab-'+id);if(tgt)tgt.classList.add('active');if(el)el.classList.add('active');history.replaceState(null,null,'#'+id);window.scrollTo({top:0,behavior:'smooth'});if(id==='wifi'){setTimeout(initWifiQRCodes,50);}}\n(function(){var h=location.hash.replace('#','');if(h){var tgt=document.getElementById('tab-'+h);if(tgt){document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});document.querySelectorAll('.tab-btn').forEach(function(b){b.classList.remove('active')});tgt.classList.add('active');var idx=ALL_TABS.indexOf(h);var btns=document.querySelectorAll('.tab-btn');if(idx>=0&&btns[idx])btns[idx].classList.add('active');if(h==='wifi'){setTimeout(initWifiQRCodes,100);}}}})();\nfunction copyText(t){var btn=event.target;if(navigator.clipboard){navigator.clipboard.writeText(t).then(function(){btn.textContent='copied!';btn.classList.add('copied');setTimeout(function(){btn.textContent='copy';btn.classList.remove('copied')},1500)})}else{var ta=document.createElement('textarea');ta.value=t;ta.style.position='fixed';ta.style.opacity='0';document.body.appendChild(ta);ta.select();try{document.execCommand('copy')}catch(e){}document.body.removeChild(ta);btn.textContent='copied!';btn.classList.add('copied');setTimeout(function(){btn.textContent='copy';btn.classList.remove('copied')},1500)}}\ndocument.addEventListener('keydown',function(e){if(e.altKey){var k=parseInt(e.key);if(k>=1&&k<=9){e.preventDefault();var idx=k-1;if(idx<ALL_TABS.length){var btns=document.querySelectorAll('.tab-btn');btns.forEach(function(b){b.classList.remove('active')});if(btns[idx])btns[idx].classList.add('active');document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});var tgt=document.getElementById('tab-'+ALL_TABS[idx]);if(tgt)tgt.classList.add('active');if(ALL_TABS[idx]==='wifi'){setTimeout(initWifiQRCodes,50);}}}if(e.key==='0'){e.preventDefault();var btns=document.querySelectorAll('.tab-btn');btns.forEach(function(b){b.classList.remove('active')});if(btns[9])btns[9].classList.add('active');document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});var tgt=document.getElementById('tab-'+ALL_TABS[9]);if(tgt)tgt.classList.add('active');if(ALL_TABS[9]==='wifi'){setTimeout(initWifiQRCodes,50);}}}});\n</script>\n</body>\n</html>\n"
 kind: ConfigMap
 metadata:
   name: intranet-html