From f3fde1500242436f5c46f428b09c48a8de17f9b6 Mon Sep 17 00:00:00 2001
From: "Andrew M. Stoltz" <1578013+astoltz@users.noreply.github.com>
Date: Tue, 24 Mar 2026 15:55:52 -0500
Subject: [PATCH] Update telephony-web image to v20260324d, resolve merge
 conflicts

---
 README.md                           |    4 +-
 apps/asterisk/deployment.yaml       |  300 +++---
 apps/asterisk/service.yaml          |   80 +-
 apps/fc-landing/fc-landing.yaml     |  640 ++++++-------
 apps/gitea-public/gitea-public.yaml |   40 +-
 apps/guacamole/guacamole.yaml       |  770 +++++++--------
 apps/intranet/intranet.yaml         |  271 +++---
 apps/irc/irc.yaml                   | 1362 +++++++++++++--------------
 apps/mail/mail.yaml                 |  518 +++++-----
 apps/matrix/matrix.yaml             |  990 +++++++++----------
 apps/noc-services/noc-services.yaml |  514 +++++-----
 apps/teamspeak/teamspeak.yaml       |  290 +++---
 apps/voice/voice.yaml               |  254 ++---
 apps/zabbix/zabbix.yaml             |  720 +++++++-------
 14 files changed, 3333 insertions(+), 3420 deletions(-)

diff --git a/README.md b/README.md
index 3239be3..4d74f5c 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
-# bluejay-infra
-
+# bluejay-infra
+
 Infrastructure manifests for ArgoCD
\ No newline at end of file
diff --git a/apps/asterisk/deployment.yaml b/apps/asterisk/deployment.yaml
index 3667c2a..c8b9846 100644
--- a/apps/asterisk/deployment.yaml
+++ b/apps/asterisk/deployment.yaml
@@ -1,150 +1,150 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: asterisk
-  namespace: telephony
-  labels:
-    app: asterisk
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: asterisk
-  template:
-    metadata:
-      labels:
-        app: asterisk
-    spec:
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-      securityContext:
-        fsGroup: 0
-      initContainers:
-        - name: install-sounds
-          image: busybox:latest
-          command:
-            - sh
-            - -c
-            - |
-              mkdir -p /sounds/en &&
-              wget -qO- http://downloads.asterisk.org/pub/telephony/sounds/asterisk-core-sounds-en-ulaw-current.tar.gz | tar xz -C /sounds/en/ &&
-              wget -qO- http://downloads.asterisk.org/pub/telephony/sounds/asterisk-extra-sounds-en-ulaw-current.tar.gz | tar xz -C /sounds/en/ &&
-              echo "Sound files installed: $(find /sounds/en -type f | wc -l) files"
-          volumeMounts:
-            - name: sounds
-              mountPath: /sounds/en
-      containers:
-        - name: asterisk
-          image: localhost/andrius/asterisk:latest
-          imagePullPolicy: Never
-          ports:
-            - name: sip-udp
-              containerPort: 5060
-              protocol: UDP
-            - name: sip-tcp
-              containerPort: 5060
-              protocol: TCP
-            - name: ari
-              containerPort: 8088
-              protocol: TCP
-          volumeMounts:
-            - name: config-modules
-              mountPath: /etc/asterisk/modules.conf
-              subPath: modules.conf
-            - name: config-http
-              mountPath: /etc/asterisk/http.conf
-              subPath: http.conf
-            - name: config-ari
-              mountPath: /etc/asterisk/ari.conf
-              subPath: ari.conf
-            - name: config-manager
-              mountPath: /etc/asterisk/manager.conf
-              subPath: manager.conf
-            - name: config-pjsip
-              mountPath: /etc/asterisk/pjsip.conf
-              subPath: pjsip.conf
-            - name: config-extensions
-              mountPath: /etc/asterisk/extensions.conf
-              subPath: extensions.conf
-            - name: config-rtp
-              mountPath: /etc/asterisk/rtp.conf
-              subPath: rtp.conf
-            - name: asterisk-data
-              mountPath: /var/spool/asterisk
-            - name: asterisk-logs
-              mountPath: /var/log/asterisk
-            - name: sounds
-              mountPath: /var/lib/asterisk/sounds/en
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-            limits:
-              cpu: "1"
-              memory: 512Mi
-          livenessProbe:
-            tcpSocket:
-              port: 8088
-            initialDelaySeconds: 15
-            periodSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /ari/asterisk/info
-              port: 8088
-              httpHeaders:
-                - name: Authorization
-                  value: "Basic Zmxvd2VyY29yZTpibHVlamF5LWFzdGVyaXNrLWFyaQ=="
-            initialDelaySeconds: 10
-            periodSeconds: 5
-      volumes:
-        - name: config-modules
-          configMap:
-            name: asterisk-config
-            items:
-              - key: modules.conf
-                path: modules.conf
-        - name: config-http
-          configMap:
-            name: asterisk-config
-            items:
-              - key: http.conf
-                path: http.conf
-        - name: config-ari
-          configMap:
-            name: asterisk-config
-            items:
-              - key: ari.conf
-                path: ari.conf
-        - name: config-manager
-          configMap:
-            name: asterisk-config
-            items:
-              - key: manager.conf
-                path: manager.conf
-        - name: config-pjsip
-          configMap:
-            name: asterisk-config
-            items:
-              - key: pjsip.conf
-                path: pjsip.conf
-        - name: config-extensions
-          configMap:
-            name: asterisk-config
-            items:
-              - key: extensions.conf
-                path: extensions.conf
-        - name: config-rtp
-          configMap:
-            name: asterisk-config
-            items:
-              - key: rtp.conf
-                path: rtp.conf
-        - name: asterisk-data
-          persistentVolumeClaim:
-            claimName: asterisk-data
-        - name: asterisk-logs
-          emptyDir: {}
-        - name: sounds
-          emptyDir: {}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: asterisk
+  namespace: telephony
+  labels:
+    app: asterisk
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: asterisk
+  template:
+    metadata:
+      labels:
+        app: asterisk
+    spec:
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      securityContext:
+        fsGroup: 0
+      initContainers:
+        - name: install-sounds
+          image: busybox:latest
+          command:
+            - sh
+            - -c
+            - |
+              mkdir -p /sounds/en &&
+              wget -qO- http://downloads.asterisk.org/pub/telephony/sounds/asterisk-core-sounds-en-ulaw-current.tar.gz | tar xz -C /sounds/en/ &&
+              wget -qO- http://downloads.asterisk.org/pub/telephony/sounds/asterisk-extra-sounds-en-ulaw-current.tar.gz | tar xz -C /sounds/en/ &&
+              echo "Sound files installed: $(find /sounds/en -type f | wc -l) files"
+          volumeMounts:
+            - name: sounds
+              mountPath: /sounds/en
+      containers:
+        - name: asterisk
+          image: localhost/andrius/asterisk:latest
+          imagePullPolicy: Never
+          ports:
+            - name: sip-udp
+              containerPort: 5060
+              protocol: UDP
+            - name: sip-tcp
+              containerPort: 5060
+              protocol: TCP
+            - name: ari
+              containerPort: 8088
+              protocol: TCP
+          volumeMounts:
+            - name: config-modules
+              mountPath: /etc/asterisk/modules.conf
+              subPath: modules.conf
+            - name: config-http
+              mountPath: /etc/asterisk/http.conf
+              subPath: http.conf
+            - name: config-ari
+              mountPath: /etc/asterisk/ari.conf
+              subPath: ari.conf
+            - name: config-manager
+              mountPath: /etc/asterisk/manager.conf
+              subPath: manager.conf
+            - name: config-pjsip
+              mountPath: /etc/asterisk/pjsip.conf
+              subPath: pjsip.conf
+            - name: config-extensions
+              mountPath: /etc/asterisk/extensions.conf
+              subPath: extensions.conf
+            - name: config-rtp
+              mountPath: /etc/asterisk/rtp.conf
+              subPath: rtp.conf
+            - name: asterisk-data
+              mountPath: /var/spool/asterisk
+            - name: asterisk-logs
+              mountPath: /var/log/asterisk
+            - name: sounds
+              mountPath: /var/lib/asterisk/sounds/en
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: "1"
+              memory: 512Mi
+          livenessProbe:
+            tcpSocket:
+              port: 8088
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /ari/asterisk/info
+              port: 8088
+              httpHeaders:
+                - name: Authorization
+                  value: "Basic Zmxvd2VyY29yZTpibHVlamF5LWFzdGVyaXNrLWFyaQ=="
+            initialDelaySeconds: 10
+            periodSeconds: 5
+      volumes:
+        - name: config-modules
+          configMap:
+            name: asterisk-config
+            items:
+              - key: modules.conf
+                path: modules.conf
+        - name: config-http
+          configMap:
+            name: asterisk-config
+            items:
+              - key: http.conf
+                path: http.conf
+        - name: config-ari
+          configMap:
+            name: asterisk-config
+            items:
+              - key: ari.conf
+                path: ari.conf
+        - name: config-manager
+          configMap:
+            name: asterisk-config
+            items:
+              - key: manager.conf
+                path: manager.conf
+        - name: config-pjsip
+          configMap:
+            name: asterisk-config
+            items:
+              - key: pjsip.conf
+                path: pjsip.conf
+        - name: config-extensions
+          configMap:
+            name: asterisk-config
+            items:
+              - key: extensions.conf
+                path: extensions.conf
+        - name: config-rtp
+          configMap:
+            name: asterisk-config
+            items:
+              - key: rtp.conf
+                path: rtp.conf
+        - name: asterisk-data
+          persistentVolumeClaim:
+            claimName: asterisk-data
+        - name: asterisk-logs
+          emptyDir: {}
+        - name: sounds
+          emptyDir: {}
diff --git a/apps/asterisk/service.yaml b/apps/asterisk/service.yaml
index 45675a1..7de3538 100644
--- a/apps/asterisk/service.yaml
+++ b/apps/asterisk/service.yaml
@@ -1,40 +1,40 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: asterisk-sip
-  namespace: telephony
-  labels:
-    app: asterisk
-  annotations:
-    metallb.universe.tf/loadBalancerIPs: "10.0.56.207"
-spec:
-  type: LoadBalancer
-  externalTrafficPolicy: Local
-  selector:
-    app: asterisk
-  ports:
-    - name: sip-udp
-      port: 5060
-      targetPort: 5060
-      protocol: UDP
-    - name: sip-tcp
-      port: 5060
-      targetPort: 5060
-      protocol: TCP
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: asterisk-ari
-  namespace: telephony
-  labels:
-    app: asterisk
-spec:
-  type: ClusterIP
-  selector:
-    app: asterisk
-  ports:
-    - name: ari
-      port: 8088
-      targetPort: 8088
-      protocol: TCP
+apiVersion: v1
+kind: Service
+metadata:
+  name: asterisk-sip
+  namespace: telephony
+  labels:
+    app: asterisk
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: "10.0.56.207"
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: asterisk
+  ports:
+    - name: sip-udp
+      port: 5060
+      targetPort: 5060
+      protocol: UDP
+    - name: sip-tcp
+      port: 5060
+      targetPort: 5060
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: asterisk-ari
+  namespace: telephony
+  labels:
+    app: asterisk
+spec:
+  type: ClusterIP
+  selector:
+    app: asterisk
+  ports:
+    - name: ari
+      port: 8088
+      targetPort: 8088
+      protocol: TCP
diff --git a/apps/fc-landing/fc-landing.yaml b/apps/fc-landing/fc-landing.yaml
index 2e4786c..ad6b4bc 100644
--- a/apps/fc-landing/fc-landing.yaml
+++ b/apps/fc-landing/fc-landing.yaml
@@ -1,320 +1,320 @@
-# FlowerCore Landing Page
-# Blue Jay Lab branded landing page - PUBLIC facing
-# ArgoCD managed - BlueJay Lab
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: fc-system
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# Landing page HTML (public-safe - no internal LAN references)
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: fc-landing-html
-  namespace: fc-system
-data:
-  index.html: |
-    <!DOCTYPE html>
-    <html lang="en">
-    <head>
-        <meta charset="utf-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <title>FlowerCore</title>
-        <style>
-            * { margin: 0; padding: 0; box-sizing: border-box; }
-            body {
-                font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-                background: linear-gradient(135deg, #0a1628 0%, #1a2744 50%, #0d1f3c 100%);
-                color: #e0e8f0;
-                min-height: 100vh;
-                display: flex;
-                flex-direction: column;
-                align-items: center;
-                justify-content: center;
-            }
-            .hero {
-                text-align: center;
-                padding: 3rem;
-                max-width: 800px;
-            }
-            .logo {
-                font-size: 5rem;
-                margin-bottom: 1.5rem;
-                filter: drop-shadow(0 0 20px rgba(74, 158, 255, 0.3));
-            }
-            h1 {
-                font-size: 3rem;
-                background: linear-gradient(135deg, #4a9eff, #7ab3ff);
-                -webkit-background-clip: text;
-                -webkit-text-fill-color: transparent;
-                background-clip: text;
-                margin-bottom: 0.5rem;
-            }
-            .subtitle {
-                font-size: 1.3rem;
-                color: #7ab3ff;
-                font-weight: 300;
-                margin-bottom: 1rem;
-            }
-            .description {
-                font-size: 1rem;
-                color: #8aa8c4;
-                line-height: 1.6;
-                margin-bottom: 3rem;
-                max-width: 600px;
-            }
-            .services {
-                display: grid;
-                grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
-                gap: 1rem;
-                width: 100%;
-                max-width: 700px;
-                padding: 0 1rem;
-            }
-            .service {
-                background: rgba(74, 158, 255, 0.08);
-                border: 1px solid rgba(74, 158, 255, 0.2);
-                border-radius: 8px;
-                padding: 1.2rem;
-                text-decoration: none;
-                color: inherit;
-                transition: all 0.2s;
-            }
-            .service:hover {
-                background: rgba(74, 158, 255, 0.15);
-                border-color: rgba(74, 158, 255, 0.5);
-                transform: translateY(-2px);
-            }
-            .service h3 { color: #4a9eff; font-size: 0.95rem; margin-bottom: 0.3rem; }
-            .service p { color: #8aa8c4; font-size: 0.8rem; }
-            .status-bar {
-                display: flex;
-                gap: 2rem;
-                margin-top: 2rem;
-                padding: 1rem 2rem;
-                background: rgba(74, 158, 255, 0.05);
-                border-radius: 8px;
-                border: 1px solid rgba(74, 158, 255, 0.1);
-            }
-            .status-item { text-align: center; }
-            .status-item .value { color: #4a9eff; font-size: 1.5rem; font-weight: 700; }
-            .status-item .label { color: #6a8ca4; font-size: 0.7rem; text-transform: uppercase; letter-spacing: 1px; }
-            .footer {
-                margin-top: 3rem;
-                color: #4a6580;
-                font-size: 0.8rem;
-            }
-            .footer a { color: #4a6580; text-decoration: none; }
-            .footer a:hover { color: #7ab3ff; }
-        </style>
-    </head>
-    <body>
-        <div class="hero">
-            <div class="logo">&#x1F33B;</div>
-            <h1>FlowerCore</h1>
-            <p class="subtitle">Blue Jay Lab</p>
-            <p class="description">
-                Multi-tenant service management platform built on .NET 10,
-                Kubernetes, and GitOps. Digital signage, telephony IVR,
-                MySQL/PHP hosting, and infrastructure automation.
-            </p>
-        </div>
-        <div class="services">
-            <a class="service" href="https://gitea.flowercore.io">
-                <h3>Source</h3>
-                <p>Gitea repositories</p>
-            </a>
-            <a class="service" href="https://webmail.flowercore.io">
-                <h3>Mail</h3>
-                <p>Webmail access</p>
-            </a>
-            <a class="service" href="https://element.flowercore.io">
-                <h3>Chat</h3>
-                <p>Matrix messaging</p>
-            </a>
-            <a class="service" href="https://github.com/FlowerCoreIO">
-                <h3>GitHub</h3>
-                <p>Open source</p>
-            </a>
-        </div>
-        <div class="status-bar">
-            <div class="status-item">
-                <div class="value">17</div>
-                <div class="label">Services</div>
-            </div>
-            <div class="status-item">
-                <div class="value">13</div>
-                <div class="label">VLANs</div>
-            </div>
-            <div class="status-item">
-                <div class="value">12k+</div>
-                <div class="label">Tests</div>
-            </div>
-        </div>
-        <p class="footer">
-            FlowerCore &middot; Bare-metal RKE2 &middot; ArgoCD managed
-            &middot; <a href="mailto:admin@flowercore.io">Contact</a>
-        </p>
-    </body>
-    </html>
----
-# nginx configuration
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: fc-landing-nginx-conf
-  namespace: fc-system
-data:
-  default.conf: |
-    server {
-        listen 80;
-        server_name _;
-        root /usr/share/nginx/html;
-        index index.html;
-
-        location / {
-            try_files $uri $uri/ =404;
-        }
-
-        location /healthz {
-            access_log off;
-            return 200 "ok";
-            add_header Content-Type text/plain;
-        }
-    }
----
-# Landing Page Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: fc-landing
-  namespace: fc-system
-  labels:
-    app: fc-landing
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: fc-landing
-  template:
-    metadata:
-      labels:
-        app: fc-landing
-    spec:
-      containers:
-        - name: nginx
-          image: nginx:alpine
-          ports:
-            - containerPort: 80
-              name: http
-          volumeMounts:
-            - name: nginx-conf
-              mountPath: /etc/nginx/conf.d/default.conf
-              subPath: default.conf
-            - name: html
-              mountPath: /usr/share/nginx/html
-          resources:
-            requests:
-              memory: 16Mi
-              cpu: 5m
-            limits:
-              memory: 64Mi
-              cpu: 50m
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 80
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 80
-            initialDelaySeconds: 3
-            periodSeconds: 5
-      volumes:
-        - name: nginx-conf
-          configMap:
-            name: fc-landing-nginx-conf
-        - name: html
-          configMap:
-            name: fc-landing-html
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: fc-landing
-  namespace: fc-system
-spec:
-  selector:
-    app: fc-landing
-  ports:
-    - port: 80
-      targetPort: 80
-      name: http
----
-# Internal IngressRoute (LAN access)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: fc-landing
-  namespace: fc-system
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`flowercore.iamworkin.lan`)
-      kind: Rule
-      services:
-        - name: fc-landing
-          port: 80
-  tls: {}
----
-# Public IngressRoute (flowercore.io with Cloudflare origin cert)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: fc-landing-public
-  namespace: fc-system
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
-      kind: Rule
-      services:
-        - name: fc-landing
-          port: 80
-  tls:
-    secretName: cf-origin-flowercore-io
----
-# HTTP to HTTPS redirect for public domain
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: fc-landing-public-http
-  namespace: fc-system
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
-      kind: Rule
-      services:
-        - name: fc-landing
-          port: 80
-      middlewares:
-        - name: redirect-https
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: redirect-https
-  namespace: fc-system
-spec:
-  redirectScheme:
-    scheme: https
-    permanent: true
+# FlowerCore Landing Page
+# Blue Jay Lab branded landing page - PUBLIC facing
+# ArgoCD managed - BlueJay Lab
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fc-system
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# Landing page HTML (public-safe - no internal LAN references)
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fc-landing-html
+  namespace: fc-system
+data:
+  index.html: |
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>FlowerCore</title>
+        <style>
+            * { margin: 0; padding: 0; box-sizing: border-box; }
+            body {
+                font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+                background: linear-gradient(135deg, #0a1628 0%, #1a2744 50%, #0d1f3c 100%);
+                color: #e0e8f0;
+                min-height: 100vh;
+                display: flex;
+                flex-direction: column;
+                align-items: center;
+                justify-content: center;
+            }
+            .hero {
+                text-align: center;
+                padding: 3rem;
+                max-width: 800px;
+            }
+            .logo {
+                font-size: 5rem;
+                margin-bottom: 1.5rem;
+                filter: drop-shadow(0 0 20px rgba(74, 158, 255, 0.3));
+            }
+            h1 {
+                font-size: 3rem;
+                background: linear-gradient(135deg, #4a9eff, #7ab3ff);
+                -webkit-background-clip: text;
+                -webkit-text-fill-color: transparent;
+                background-clip: text;
+                margin-bottom: 0.5rem;
+            }
+            .subtitle {
+                font-size: 1.3rem;
+                color: #7ab3ff;
+                font-weight: 300;
+                margin-bottom: 1rem;
+            }
+            .description {
+                font-size: 1rem;
+                color: #8aa8c4;
+                line-height: 1.6;
+                margin-bottom: 3rem;
+                max-width: 600px;
+            }
+            .services {
+                display: grid;
+                grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+                gap: 1rem;
+                width: 100%;
+                max-width: 700px;
+                padding: 0 1rem;
+            }
+            .service {
+                background: rgba(74, 158, 255, 0.08);
+                border: 1px solid rgba(74, 158, 255, 0.2);
+                border-radius: 8px;
+                padding: 1.2rem;
+                text-decoration: none;
+                color: inherit;
+                transition: all 0.2s;
+            }
+            .service:hover {
+                background: rgba(74, 158, 255, 0.15);
+                border-color: rgba(74, 158, 255, 0.5);
+                transform: translateY(-2px);
+            }
+            .service h3 { color: #4a9eff; font-size: 0.95rem; margin-bottom: 0.3rem; }
+            .service p { color: #8aa8c4; font-size: 0.8rem; }
+            .status-bar {
+                display: flex;
+                gap: 2rem;
+                margin-top: 2rem;
+                padding: 1rem 2rem;
+                background: rgba(74, 158, 255, 0.05);
+                border-radius: 8px;
+                border: 1px solid rgba(74, 158, 255, 0.1);
+            }
+            .status-item { text-align: center; }
+            .status-item .value { color: #4a9eff; font-size: 1.5rem; font-weight: 700; }
+            .status-item .label { color: #6a8ca4; font-size: 0.7rem; text-transform: uppercase; letter-spacing: 1px; }
+            .footer {
+                margin-top: 3rem;
+                color: #4a6580;
+                font-size: 0.8rem;
+            }
+            .footer a { color: #4a6580; text-decoration: none; }
+            .footer a:hover { color: #7ab3ff; }
+        </style>
+    </head>
+    <body>
+        <div class="hero">
+            <div class="logo">&#x1F33B;</div>
+            <h1>FlowerCore</h1>
+            <p class="subtitle">Blue Jay Lab</p>
+            <p class="description">
+                Multi-tenant service management platform built on .NET 10,
+                Kubernetes, and GitOps. Digital signage, telephony IVR,
+                MySQL/PHP hosting, and infrastructure automation.
+            </p>
+        </div>
+        <div class="services">
+            <a class="service" href="https://gitea.flowercore.io">
+                <h3>Source</h3>
+                <p>Gitea repositories</p>
+            </a>
+            <a class="service" href="https://webmail.flowercore.io">
+                <h3>Mail</h3>
+                <p>Webmail access</p>
+            </a>
+            <a class="service" href="https://element.flowercore.io">
+                <h3>Chat</h3>
+                <p>Matrix messaging</p>
+            </a>
+            <a class="service" href="https://github.com/FlowerCoreIO">
+                <h3>GitHub</h3>
+                <p>Open source</p>
+            </a>
+        </div>
+        <div class="status-bar">
+            <div class="status-item">
+                <div class="value">17</div>
+                <div class="label">Services</div>
+            </div>
+            <div class="status-item">
+                <div class="value">13</div>
+                <div class="label">VLANs</div>
+            </div>
+            <div class="status-item">
+                <div class="value">12k+</div>
+                <div class="label">Tests</div>
+            </div>
+        </div>
+        <p class="footer">
+            FlowerCore &middot; Bare-metal RKE2 &middot; ArgoCD managed
+            &middot; <a href="mailto:admin@flowercore.io">Contact</a>
+        </p>
+    </body>
+    </html>
+---
+# nginx configuration
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fc-landing-nginx-conf
+  namespace: fc-system
+data:
+  default.conf: |
+    server {
+        listen 80;
+        server_name _;
+        root /usr/share/nginx/html;
+        index index.html;
+
+        location / {
+            try_files $uri $uri/ =404;
+        }
+
+        location /healthz {
+            access_log off;
+            return 200 "ok";
+            add_header Content-Type text/plain;
+        }
+    }
+---
+# Landing Page Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fc-landing
+  namespace: fc-system
+  labels:
+    app: fc-landing
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: fc-landing
+  template:
+    metadata:
+      labels:
+        app: fc-landing
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          ports:
+            - containerPort: 80
+              name: http
+          volumeMounts:
+            - name: nginx-conf
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: default.conf
+            - name: html
+              mountPath: /usr/share/nginx/html
+          resources:
+            requests:
+              memory: 16Mi
+              cpu: 5m
+            limits:
+              memory: 64Mi
+              cpu: 50m
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 80
+            initialDelaySeconds: 3
+            periodSeconds: 5
+      volumes:
+        - name: nginx-conf
+          configMap:
+            name: fc-landing-nginx-conf
+        - name: html
+          configMap:
+            name: fc-landing-html
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: fc-landing
+  namespace: fc-system
+spec:
+  selector:
+    app: fc-landing
+  ports:
+    - port: 80
+      targetPort: 80
+      name: http
+---
+# Internal IngressRoute (LAN access)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: fc-landing
+  namespace: fc-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`flowercore.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: fc-landing
+          port: 80
+  tls: {}
+---
+# Public IngressRoute (flowercore.io with Cloudflare origin cert)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: fc-landing-public
+  namespace: fc-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+      kind: Rule
+      services:
+        - name: fc-landing
+          port: 80
+  tls:
+    secretName: cf-origin-flowercore-io
+---
+# HTTP to HTTPS redirect for public domain
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: fc-landing-public-http
+  namespace: fc-system
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+      kind: Rule
+      services:
+        - name: fc-landing
+          port: 80
+      middlewares:
+        - name: redirect-https
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: fc-system
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
diff --git a/apps/gitea-public/gitea-public.yaml b/apps/gitea-public/gitea-public.yaml
index 9d91dfd..2f142fd 100644
--- a/apps/gitea-public/gitea-public.yaml
+++ b/apps/gitea-public/gitea-public.yaml
@@ -1,20 +1,20 @@
-# Gitea Public IngressRoute
-# Routes gitea.flowercore.io to internal Gitea service via Cloudflare origin cert
-# ArgoCD managed - BlueJay Lab
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: gitea-public
-  namespace: gitea
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`gitea.flowercore.io`)
-      kind: Rule
-      services:
-        - name: gitea-http
-          port: 3000
-  tls:
-    secretName: cf-origin-flowercore-io
+# Gitea Public IngressRoute
+# Routes gitea.flowercore.io to internal Gitea service via Cloudflare origin cert
+# ArgoCD managed - BlueJay Lab
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-public
+  namespace: gitea
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitea.flowercore.io`)
+      kind: Rule
+      services:
+        - name: gitea-http
+          port: 3000
+  tls:
+    secretName: cf-origin-flowercore-io
diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index 4c5255d..3963e86 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -1,426 +1,344 @@
-# Apache Guacamole - Blue Jay Remote Access
-# FlowerCore Infrastructure Gateway
-# MySQL 8 + guacd + guacamole web (Blue Jay branded)
-# ArgoCD managed - BlueJay Lab
-# ALL credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
-# Custom image: fc-guacamole:bluejay (Blue Jay branding + 1Password vault extension)
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: guacamole
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# MySQL 8 StatefulSet
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: guac-mysql
-  namespace: guacamole
-  labels:
-    app: guac-mysql
-spec:
-  serviceName: guac-mysql
-  replicas: 1
-  selector:
-    matchLabels:
-      app: guac-mysql
-  template:
-    metadata:
-      labels:
-        app: guac-mysql
-    spec:
-      containers:
-        - name: mysql
-          image: mysql:8.0
-          ports:
-            - containerPort: 3306
-              name: mysql
-          env:
-            - name: MYSQL_ROOT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: guacamole-credentials
-                  key: DB-Root-Password
-            - name: MYSQL_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: guacamole-credentials
-                  key: DB-Name
-            - name: MYSQL_USER
-              valueFrom:
-                secretKeyRef:
-                  name: guacamole-credentials
-                  key: DB-User
-            - name: MYSQL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: guacamole-credentials
-                  key: DB-Password
-          volumeMounts:
-            - name: guac-mysql-data
-              mountPath: /var/lib/mysql
-          resources:
-            requests:
-              memory: 256Mi
-              cpu: 100m
-            limits:
-              memory: 1Gi
-              cpu: 500m
-          livenessProbe:
-            exec:
-              command:
-                - mysqladmin
-                - ping
-                - -h
-                - localhost
-            initialDelaySeconds: 60
-            periodSeconds: 10
-          readinessProbe:
-            exec:
-              command:
-                - mysqladmin
-                - ping
-                - -h
-                - localhost
-            initialDelaySeconds: 30
-            periodSeconds: 5
-  volumeClaimTemplates:
-    - metadata:
-        name: guac-mysql-data
-      spec:
-        accessModes: [ReadWriteOnce]
-        resources:
-          requests:
-            storage: 5Gi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: guac-mysql
-  namespace: guacamole
-spec:
-  selector:
-    app: guac-mysql
-  ports:
-    - port: 3306
-      targetPort: 3306
-      name: mysql
-  clusterIP: None
----
-# DB schema init Job
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: guacamole-initdb
-  namespace: guacamole
-  annotations:
-    argocd.argoproj.io/hook: PostSync
-    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
-spec:
-  ttlSecondsAfterFinished: 300
-  template:
-    spec:
-      restartPolicy: OnFailure
-      initContainers:
-        - name: wait-for-mysql
-          image: mysql:8.0
-          command:
-            - sh
-            - -c
-            - |
-              until mysqladmin ping -h guac-mysql --silent; do
-                echo "Waiting for MySQL..."
-                sleep 5
-              done
-      containers:
-        - name: initdb
-          image: guacamole/guacamole:latest
-          command:
-            - sh
-            - -c
-            - |
-              /opt/guacamole/bin/initdb.sh --mysql > /tmp/initdb.sql
-              mysql -h guac-mysql -u root -p"$MYSQL_ROOT_PASSWORD" "$MYSQL_DATABASE" < /tmp/initdb.sql || true
-          env:
-            - name: MYSQL_ROOT_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: guacamole-credentials
-                  key: DB-Root-Password
-            - name: MYSQL_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: guacamole-credentials
-                  key: DB-Name
----
-# guacd (Guacamole daemon)
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: guacd
-  namespace: guacamole
-  labels:
-    app: guacd
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: guacd
-  template:
-    metadata:
-      labels:
-        app: guacd
-    spec:
-      containers:
-        serviceAccountName: guacd-exec
-        - name: guacd
-          image: guacamole/guacd:latest
-          ports:
-            - containerPort: 4822
-              name: guacd
-          resources:
-            requests:
-              memory: 128Mi
-              cpu: 100m
-            limits:
-              memory: 512Mi
-              cpu: 500m
-          livenessProbe:
-            tcpSocket:
-              port: 4822
-            initialDelaySeconds: 15
-            periodSeconds: 10
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: guacd
-  namespace: guacamole
-spec:
-  selector:
-    app: guacd
-  ports:
-    - port: 4822
-      targetPort: 4822
-      name: guacd
----
-# Guacamole Properties ConfigMap
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: guacamole-properties
-  namespace: guacamole
-  labels:
-    app: guacamole
-data:
-  guacamole.properties: |
-    # Blue Jay Remote Access — Guacamole Configuration
-    # MySQL/guacd settings provided via env vars — do NOT duplicate here
-
-    # 1Password Vault Integration
-    1password-connect-url: http://onepassword-connect.onepassword-system.svc.cluster.local:8080
-    1password-connect-token: placeholder-configure-via-secret
-    1password-vault-id: qaphopopkryhbg353ukzhhuqoq
-
-    # Extension Priority
-    extension-priority: mysql, ban, bluejay, 1password-vault, *
-
-    # Ban (brute force)
-    ban-max-invalid-attempts: 5
-    ban-address-duration: 300000
-    ban-max-addresses: 1000
-
-    # TOTP
-    totp-issuer: Blue Jay Remote Access
-    totp-digits: 6
-    totp-period: 30
-    totp-mode: sha256
-
-    # Session Recording
-    recording-search-path: /var/lib/guacamole/recordings
-
-    # Logging
-    log-level: info
-
-    # API Token Expiry
-    api-session-timeout: 60
----
-# Guacamole Web Application — Blue Jay branded
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: guacamole
-  namespace: guacamole
-  labels:
-    app: guacamole
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: guacamole
-  template:
-    metadata:
-      labels:
-        app: guacamole
-    spec:
-      containers:
-        - name: guacamole
-          image: localhost/fc-guacamole:bluejay
-          imagePullPolicy: Never
-          ports:
-            - containerPort: 8080
-              name: http
-          env:
-            - name: GUACD_HOSTNAME
-              value: guacd
-            - name: GUACD_PORT
-              value: "4822"
-            - name: MYSQL_HOSTNAME
-              value: guac-mysql
-            - name: MYSQL_PORT
-              value: "3306"
-            - name: MYSQL_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: guacamole-credentials
-                  key: DB-Name
-            - name: MYSQL_USER
-              valueFrom:
-                secretKeyRef:
-                  name: guacamole-credentials
-                  key: DB-User
-            - name: MYSQL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: guacamole-credentials
-                  key: DB-Password
-          volumeMounts:
-            - name: guac-properties
-              mountPath: /etc/guacamole/guacamole.properties
-              subPath: guacamole.properties
-          resources:
-            requests:
-              memory: 256Mi
-              cpu: 100m
-            limits:
-              memory: 1Gi
-              cpu: 500m
-          livenessProbe:
-            httpGet:
-              path: /guacamole/
-              port: 8080
-            initialDelaySeconds: 120
-            periodSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /guacamole/
-              port: 8080
-            initialDelaySeconds: 60
-            periodSeconds: 5
-      volumes:
-        - name: guac-properties
-          configMap:
-            name: guacamole-properties
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: guacamole
-  namespace: guacamole
-spec:
-  selector:
-    app: guacamole
-  ports:
-    - port: 8080
-      targetPort: 8080
-      name: http
----
-# Traefik addPrefix middleware
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: guac-add-prefix
-  namespace: guacamole
-spec:
-  addPrefix:
-    prefix: /guacamole
----
-# TLS Certificate via cert-manager
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: guacamole-tls
-  namespace: guacamole
-spec:
-  secretName: guacamole-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - guac.iamworkin.lan
----
-# Traefik IngressRoute
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: guacamole
-  namespace: guacamole
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`guac.iamworkin.lan`)
-      kind: Rule
-      middlewares:
-        - name: guac-add-prefix
-      services:
-        - name: guacamole
-          port: 8080
-  tls:
-    secretName: guacamole-tls
----
-# 1Password secret sync
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: guacamole-credentials
-  namespace: guacamole
-spec:
-  itemPath: vaults/IAmWorkin/items/Guacamole
----
-# RBAC for guacd K8s exec protocol
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: guacd-exec
-  namespace: guacamole
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: guacd-pod-exec
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list"]
-  - apiGroups: [""]
-    resources: ["pods/exec"]
-    verbs: ["create"]
-  - apiGroups: [""]
-    resources: ["namespaces"]
-    verbs: ["list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: guacd-pod-exec
-subjects:
-  - kind: ServiceAccount
-    name: guacd-exec
-    namespace: guacamole
-roleRef:
-  kind: ClusterRole
-  name: guacd-pod-exec
-  apiGroup: rbac.authorization.k8s.io
+# Apache Guacamole - Remote Desktop Gateway
+# MySQL 8 + guacd + guacamole web
+# ArgoCD managed - BlueJay Lab
+# ALL credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
+# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: guacamole
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# MySQL 8 StatefulSet
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: guac-mysql
+  namespace: guacamole
+  labels:
+    app: guac-mysql
+spec:
+  serviceName: guac-mysql
+  replicas: 1
+  selector:
+    matchLabels:
+      app: guac-mysql
+  template:
+    metadata:
+      labels:
+        app: guac-mysql
+    spec:
+      containers:
+        - name: mysql
+          image: mysql:8.0
+          ports:
+            - containerPort: 3306
+              name: mysql
+          env:
+            - name: MYSQL_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Root-Password
+            - name: MYSQL_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Name
+            - name: MYSQL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-User
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Password
+          volumeMounts:
+            - name: guac-mysql-data
+              mountPath: /var/lib/mysql
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 1Gi
+              cpu: 500m
+          livenessProbe:
+            exec:
+              command:
+                - mysqladmin
+                - ping
+                - -h
+                - localhost
+            initialDelaySeconds: 60
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+                - mysqladmin
+                - ping
+                - -h
+                - localhost
+            initialDelaySeconds: 30
+            periodSeconds: 5
+  volumeClaimTemplates:
+    - metadata:
+        name: guac-mysql-data
+      spec:
+        accessModes: [ReadWriteOnce]
+        resources:
+          requests:
+            storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: guac-mysql
+  namespace: guacamole
+spec:
+  selector:
+    app: guac-mysql
+  ports:
+    - port: 3306
+      targetPort: 3306
+      name: mysql
+  clusterIP: None
+---
+# DB schema init Job
+# Generates the MySQL schema and pipes it into the database
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: guacamole-initdb
+  namespace: guacamole
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      restartPolicy: OnFailure
+      initContainers:
+        - name: wait-for-mysql
+          image: mysql:8.0
+          command:
+            - sh
+            - -c
+            - |
+              until mysqladmin ping -h guac-mysql --silent; do
+                echo "Waiting for MySQL..."
+                sleep 5
+              done
+      containers:
+        - name: initdb
+          image: guacamole/guacamole:latest
+          command:
+            - sh
+            - -c
+            - |
+              # Generate schema SQL
+              /opt/guacamole/bin/initdb.sh --mysql > /tmp/initdb.sql
+              # Apply schema (ignore errors if tables already exist)
+              mysql -h guac-mysql -u root -p"$MYSQL_ROOT_PASSWORD" "$MYSQL_DATABASE" < /tmp/initdb.sql || true
+          env:
+            - name: MYSQL_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Root-Password
+            - name: MYSQL_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Name
+---
+# guacd (Guacamole daemon)
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guacd
+  namespace: guacamole
+  labels:
+    app: guacd
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: guacd
+  template:
+    metadata:
+      labels:
+        app: guacd
+    spec:
+      containers:
+        - name: guacd
+          image: guacamole/guacd:latest
+          ports:
+            - containerPort: 4822
+              name: guacd
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 100m
+            limits:
+              memory: 512Mi
+              cpu: 500m
+          livenessProbe:
+            tcpSocket:
+              port: 4822
+            initialDelaySeconds: 15
+            periodSeconds: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: guacd
+  namespace: guacamole
+spec:
+  selector:
+    app: guacd
+  ports:
+    - port: 4822
+      targetPort: 4822
+      name: guacd
+---
+# Guacamole Web Application
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guacamole
+  namespace: guacamole
+  labels:
+    app: guacamole
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: guacamole
+  template:
+    metadata:
+      labels:
+        app: guacamole
+    spec:
+      containers:
+        - name: guacamole
+          image: guacamole/guacamole:latest
+          ports:
+            - containerPort: 8080
+              name: http
+          env:
+            - name: GUACD_HOSTNAME
+              value: guacd
+            - name: GUACD_PORT
+              value: "4822"
+            - name: MYSQL_HOSTNAME
+              value: guac-mysql
+            - name: MYSQL_PORT
+              value: "3306"
+            - name: MYSQL_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Name
+            - name: MYSQL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-User
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Password
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 1Gi
+              cpu: 500m
+          livenessProbe:
+            httpGet:
+              path: /guacamole/
+              port: 8080
+            initialDelaySeconds: 120
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /guacamole/
+              port: 8080
+            initialDelaySeconds: 60
+            periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: guacamole
+  namespace: guacamole
+spec:
+  selector:
+    app: guacamole
+  ports:
+    - port: 8080
+      targetPort: 8080
+      name: http
+---
+# Traefik addPrefix middleware
+# External URL guac.iamworkin.lan/ gets prefix /guacamole added
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: guac-add-prefix
+  namespace: guacamole
+spec:
+  addPrefix:
+    prefix: /guacamole
+---
+# TLS Certificate via cert-manager
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: guacamole-tls
+  namespace: guacamole
+spec:
+  secretName: guacamole-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - guac.iamworkin.lan
+---
+# Traefik IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: guacamole
+  namespace: guacamole
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`guac.iamworkin.lan`)
+      kind: Rule
+      middlewares:
+        - name: guac-add-prefix
+      services:
+        - name: guacamole
+          port: 8080
+  tls:
+    secretName: guacamole-tls
+---
+# 1Password secret sync — creates guacamole-credentials K8s Secret
+# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: guacamole-credentials
+  namespace: guacamole
+spec:
+  itemPath: vaults/IAmWorkin/items/Guacamole
diff --git a/apps/intranet/intranet.yaml b/apps/intranet/intranet.yaml
index ecf9367..9761aef 100644
--- a/apps/intranet/intranet.yaml
+++ b/apps/intranet/intranet.yaml
@@ -1,138 +1,133 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
-  name: intranet
----
-apiVersion: v1
-data:
-  default.conf: "server {\n    listen 80;\n    server_name _;\n    root /usr/share/nginx/html;\n    index index.html;\n\n    location / {\n        try_files $uri $uri/ =404;\n    }\n\n    location /healthz {\n        access_log off;\n        return 200 \"ok\";\n        add_header Content-Type text/plain;\n    }\n}\n"
-kind: ConfigMap
-metadata:
-  name: intranet-nginx-conf
-  namespace: intranet
----
-apiVersion: v1
-data:
-  index.html: "<!DOCTYPE html>\n<html lang=\"en\" data-theme=\"dark\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n<title>Blue Jay Lab Intranet - FlowerCore</title>\n<style>\n:root, [data-theme=\"dark\"] {\n  --bg: #0A1628; --bg-gradient: linear-gradient(180deg, #0A1628 0%, #0E1E36 100%);\n  --surface: #111D33; --surface2: #162844; --surface-hover: #1C3354;\n  --border: #1E3A5F; --border-accent: #2B8AFF;\n  --text: #E8EDF5; --text-heading: #FFFFFF; --text-muted: #8899B3;\n  --accent: #2B8AFF; --accent-light: #5BA3FF; --accent-bright: #82BBFF;\n  --gold: #FFB300; --gold-light: #FFCA40; --gold-dim: #CC8F00;\n  --green: #3DB86A; --green-bg: rgba(61,184,106,0.12); --green-border: rgba(61,184,106,0.25);\n  --yellow: #FFB300; --yellow-bg: rgba(255,179,0,0.12); --yellow-border: rgba(255,179,0,0.25);\n  --red: #E84545; --red-bg: rgba(232,69,69,0.12); --red-border: rgba(232,69,69,0.25);\n  --purple: #9B7ED8; --purple-bg: rgba(155,126,216,0.12); --purple-border: rgba(155,126,216,0.25);\n  --orange: #E8883E; --cyan: #39D2C0; --pink: #F778BA;\n  --navy: #0E1E36; --royal: #1A3A6A;\n  --code-bg: #0C1829; --code-text: #FFB300;\n  --card-shadow: 0 2px 6px rgba(0,0,0,0.35);\n  --header-gradient: linear-gradient(135deg, #0E1E36 0%, #1A3A6A 40%, #2B8AFF 100%);\n  --header-text-shadow: 0 2px 16px rgba(43,138,255,0.35);\n  --summary-border-top: 3px solid var(--gold);\n  --note-bg: rgba(43,138,255,0.08); --note-warn-bg: rgba(255,179,0,0.08);\n  --topo-bg: #0C1829; --topo-border: #1E3A5F; --topo-text: #5BA3FF;\n  --copy-bg: rgba(43,138,255,0.15); --copy-hover: rgba(43,138,255,0.3);\n  --zebra: rgba(255,255,255,0.02);\n}\n[data-theme=\"light\"] {\n  --bg: #F8FAFE; --bg-gradient: linear-gradient(180deg, #F8FAFE 0%, #EBF0F9 100%);\n  --surface: #FFFFFF; --surface2: #EDF2FA; --surface-hover: #DCE5F4;\n  --border: #C0D0E5; --border-accent: #2B7FE0;\n  --text: #1A2744; --text-heading: #0D1B2E; --text-muted: #5A6F8A;\n  --accent: #1565C0; --accent-light: #2B7FE0; --accent-bright: #1565C0;\n  --gold: #E6A100; --gold-light: #FFB300; --gold-dim: #B38000;\n  --green: #2A8A4A; --green-bg: rgba(42,138,74,0.1); --green-border: rgba(42,138,74,0.25);\n  --yellow: #E6A100; --yellow-bg: rgba(230,161,0,0.1); --yellow-border: rgba(230,161,0,0.25);\n  --red: #C03030; --red-bg: rgba(192,48,48,0.08); --red-border: rgba(192,48,48,0.2);\n  --purple: #6B4FA0; --purple-bg: rgba(107,79,160,0.1); --purple-border: rgba(107,79,160,0.2);\n  --orange: #C07020; --cyan: #288A7A; --pink: #C05090;\n  --navy: #1A2744; --royal: #1565C0;\n  --code-bg: #EDF2FA; --code-text: #C07020;\n  --card-shadow: 0 1px 4px rgba(26,39,68,0.1);\n  --header-gradient: linear-gradient(135deg, #0D1B2E 0%, #1565C0 40%, #2B7FE0 100%);\n  --header-text-shadow: 0 1px 8px rgba(0,0,0,0.2);\n  --summary-border-top: 3px solid var(--gold);\n  --note-bg: rgba(21,101,192,0.05); --note-warn-bg: rgba(230,161,0,0.05);\n  --topo-bg: #EDF2FA; --topo-border: #C0D0E5; --topo-text: #1565C0;\n  --copy-bg: rgba(21,101,192,0.08); --copy-hover: rgba(21,101,192,0.15);\n  --zebra: rgba(0,0,0,0.02);\n}\n* { box-sizing: border-box; margin: 0; padding: 0; }\nbody { font-family: 'Segoe UI', -apple-system, BlinkMacSystemFont, Helvetica, Arial, sans-serif; background: var(--bg); color: var(--text); line-height: 1.65; padding: 2rem; max-width: 1500px; margin: 0 auto; transition: background 0.3s, color 0.3s; }\nh1 { font-size: 2.2rem; margin-bottom: 0.25rem; font-weight: 800; color: var(--text-heading); letter-spacing: 0.5px; }\nh2 { font-size: 1.35rem; color: var(--gold); margin: 2.5rem 0 1rem; font-weight: 700; text-transform: uppercase; letter-spacing: 0.5px; border-bottom: 2px solid var(--gold-dim); padding-bottom: 0.5rem; }\nh3 { font-size: 1.05rem; color: var(--purple); margin: 1.5rem 0 0.75rem; font-weight: 700; }\nh4 { font-size: 0.95rem; color: var(--accent-light); margin: 1rem 0 0.5rem; font-weight: 600; }\n.subtitle { color: var(--gold-light); margin-bottom: 0.5rem; font-size: 1.05rem; }\n.last-updated { color: rgba(255,255,255,0.5); font-size: 0.82rem; }\ncode { background: var(--code-bg); padding: 2px 7px; border-radius: 4px; font-size: 0.83rem; color: var(--code-text); border: 1px solid var(--border); font-family: 'Cascadia Code','Fira Code','Consolas',monospace; }\na { color: var(--accent-light); text-decoration: none; }\na:hover { text-decoration: underline; color: var(--accent-bright); }\n.brand-header { background: var(--header-gradient); border: none; border-radius: 10px; padding: 2.5rem 2.5rem 2rem; margin-bottom: 1.5rem; position: relative; overflow: hidden; box-shadow: 0 4px 20px rgba(0,0,0,0.2); }\n.brand-header::before { content: ''; position: absolute; top: -40%; right: -10%; width: 50%; height: 180%; background: radial-gradient(ellipse, rgba(255,255,255,0.04) 0%, transparent 70%); pointer-events: none; }\n.brand-header h1 { color: #fff; text-shadow: var(--header-text-shadow); font-size: 2.4rem; letter-spacing: 1px; text-transform: uppercase; }\n.status-badge { display: inline-block; background: rgba(255,179,0,0.2); border: 1px solid rgba(255,179,0,0.4); color: #FFCA40; padding: 4px 14px; border-radius: 14px; font-size: 0.78rem; font-weight: 700; letter-spacing: 0.5px; text-transform: uppercase; margin-top: 0.5rem; }\n.theme-toggle { position: absolute; top: 1.25rem; right: 1.5rem; background: rgba(255,255,255,0.1); border: 1px solid rgba(255,255,255,0.15); border-radius: 20px; padding: 6px 14px; color: rgba(255,255,255,0.8); cursor: pointer; font-size: 0.78rem; font-weight: 600; letter-spacing: 0.3px; transition: background 0.2s; backdrop-filter: blur(4px); display: flex; align-items: center; gap: 6px; }\n.theme-toggle:hover { background: rgba(255,255,255,0.18); border-color: rgba(255,255,255,0.25); }\n.theme-toggle svg { width: 14px; height: 14px; fill: currentColor; }\nnav { background: var(--surface); border: 1px solid var(--border); border-radius: 8px; padding: 0.75rem 1rem; margin-bottom: 1.5rem; position: sticky; top: 0; z-index: 100; box-shadow: var(--card-shadow); }\nnav ul { list-style: none; display: flex; flex-wrap: wrap; gap: 4px; justify-content: center; }\nnav li { display: inline; }\nnav a { color: var(--accent-light); text-decoration: none; padding: 6px 14px; border-radius: 6px; font-size: 0.8rem; font-weight: 500; transition: all 0.2s; border: 1px solid transparent; cursor: pointer; display: inline-block; }\nnav a:hover { background: var(--surface2); border-color: var(--border); text-decoration: none; color: var(--accent-bright); }\nnav a.active { background: var(--accent); color: #fff; border-color: var(--accent); font-weight: 700; }\n.summary-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(140px, 1fr)); gap: 0.85rem; margin: 1.25rem 0; }\n.summary-card { background: var(--surface); border: 1px solid var(--border); border-top: var(--summary-border-top); border-radius: 8px; padding: 1.25rem; text-align: center; box-shadow: var(--card-shadow); transition: border-color 0.2s, transform 0.15s; }\n.summary-card:hover { border-color: var(--border-accent); transform: translateY(-1px); }\n.summary-number { font-size: 2rem; font-weight: 800; color: var(--accent-light); }\n.summary-label { color: var(--text-muted); font-size: 0.78rem; text-transform: uppercase; letter-spacing: 0.3px; margin-top: 2px; }\n.b { display: inline-block; padding: 2px 10px; border-radius: 10px; font-size: 0.7rem; font-weight: 600; text-transform: uppercase; letter-spacing: 0.4px; }\n.b-online { background: var(--green-bg); color: var(--green); border: 1px solid var(--green-border); }\n.b-planned { background: var(--yellow-bg); color: var(--yellow); border: 1px solid var(--yellow-border); }\n.op-link { text-decoration: none; } .op-link:hover .b-planned { background: var(--yellow-border); color: var(--text-heading); cursor: pointer; }\n.b-offline { background: var(--red-bg); color: var(--red); border: 1px solid var(--red-border); }\n.b-mgmt { background: rgba(43,138,255,0.12); color: var(--accent-light); border: 1px solid rgba(43,138,255,0.25); }\n.b-prod { background: var(--green-bg); color: var(--green); border: 1px solid var(--green-border); }\n.b-home { background: var(--purple-bg); color: var(--purple); border: 1px solid var(--purple-border); }\n.b-tenant { background: rgba(232,136,62,0.12); color: var(--orange); border: 1px solid rgba(232,136,62,0.25); }\n.b-wifi { background: rgba(57,210,192,0.12); color: var(--cyan); border: 1px solid rgba(57,210,192,0.25); }\n.b-voip { background: var(--yellow-bg); color: var(--yellow); border: 1px solid var(--yellow-border); }\n.b-spare { background: var(--surface2); color: var(--text-muted); border: 1px solid var(--border); }\n.dot { display: inline-block; width: 8px; height: 8px; border-radius: 50%; margin-right: 6px; vertical-align: middle; }\n.dot-green { background: var(--green); box-shadow: 0 0 4px var(--green); }\n.dot-yellow { background: var(--yellow); box-shadow: 0 0 4px var(--yellow); }\n.dot-gray { background: var(--text-muted); }\n.dot-red { background: var(--red); box-shadow: 0 0 4px var(--red); }\ntable { width: 100%; border-collapse: collapse; margin: 1rem 0; font-size: 0.87rem; }\nth, td { padding: 0.55rem 0.75rem; border: 1px solid var(--border); text-align: left; }\nth { background: var(--surface2); color: var(--text-muted); font-weight: 600; font-size: 0.78rem; text-transform: uppercase; letter-spacing: 0.3px; }\ntr:nth-child(even) { background: var(--zebra); }\ntr:hover { background: rgba(43,138,255,0.05); }\n.ip { font-family: 'Cascadia Code','Fira Code','Consolas',monospace; color: var(--accent-light); font-weight: 600; font-size: 0.85rem; }\n.pw { font-family: 'Cascadia Code','Fira Code','Consolas',monospace; color: var(--orange); font-size: 0.82rem; }\n.card-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(320px, 1fr)); gap: 12px; margin: 1rem 0; }\n.card { background: var(--surface); border: 1px solid var(--border); border-radius: 8px; padding:\
-    \ 16px; box-shadow: var(--card-shadow); transition: border-color 0.2s; }\n.card:hover { border-color: var(--border-accent); }\n.card-title { font-weight: 700; font-size: 1rem; color: var(--text-heading); margin-bottom: 8px; display: flex; align-items: center; gap: 8px; }\n.card p, .card li { color: var(--text-muted); font-size: 0.85rem; margin: 4px 0; }\n.card ul { list-style: none; padding: 0; }\n.card li { padding: 4px 0; border-bottom: 1px solid var(--border); }\n.card li:last-child { border-bottom: none; }\n.topology { background: var(--topo-bg); border: 2px solid var(--topo-border); border-radius: 8px; padding: 2rem; margin: 1rem 0; overflow-x: auto; }\n.topology pre { font-family: 'Cascadia Code','Fira Code','Consolas',monospace; font-size: 0.82rem; color: var(--topo-text); line-height: 1.5; white-space: pre; }\n.copy-btn { background: var(--copy-bg); border: 1px solid var(--border); border-radius: 4px; color: var(--accent-light); cursor: pointer; padding: 2px 8px; font-size: 0.72rem; font-family: inherit; transition: background 0.2s; margin-left: 6px; vertical-align: middle; }\n.copy-btn:hover { background: var(--copy-hover); }\n.copy-btn.copied { color: var(--green); border-color: var(--green-border); }\n.note { background: var(--note-bg); border-left: 3px solid var(--accent); padding: 0.75rem 1rem; margin: 1rem 0; border-radius: 0 6px 6px 0; font-size: 0.87rem; }\n.note-warn { background: var(--note-warn-bg); border-left-color: var(--yellow); }\n.quick-links { display: grid; grid-template-columns: repeat(auto-fill, minmax(220px, 1fr)); gap: 8px; margin: 1rem 0; }\n.quick-link { background: var(--surface); border: 1px solid var(--border); border-radius: 6px; padding: 10px 14px; display: flex; align-items: center; gap: 8px; transition: all 0.2s; text-decoration: none; color: var(--text); }\n.quick-link:hover { border-color: var(--accent); background: var(--surface-hover); text-decoration: none; }\n.quick-link .ql-name { font-weight: 600; font-size: 0.85rem; color: var(--text-heading); }\n.quick-link .ql-url { font-size: 0.72rem; color: var(--text-muted); font-family: 'Cascadia Code',monospace; }\n.tab-content { display: none; }\n.tab-content.active { display: block; }\n.wifi-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(280px, 1fr)); gap: 16px; margin: 1.5rem 0; }\n.wifi-card { background: var(--surface); border: 1px solid var(--border); border-radius: 10px; overflow: hidden; box-shadow: var(--card-shadow); transition: border-color 0.2s, transform 0.15s; }\n.wifi-card:hover { border-color: var(--border-accent); transform: translateY(-2px); }\n.wifi-card-header { padding: 14px 16px 10px; border-bottom: 3px solid var(--border); }\n.wifi-ssid { font-size: 1.15rem; font-weight: 800; color: var(--text-heading); letter-spacing: 0.3px; }\n.wifi-vlan { margin-top: 4px; }\n.wifi-qr { display: flex; justify-content: center; align-items: center; padding: 16px; background: #ffffff; min-height: 180px; }\n.wifi-qr canvas { border-radius: 4px; }\n.wifi-qr-placeholder { background: var(--surface2) !important; border: 2px dashed var(--border); min-height: 180px; }\n.wifi-qr-placeholder .qr-placeholder-box { display: flex; flex-direction: column; align-items: center; gap: 12px; color: var(--text-muted); padding: 16px; text-align: center; }\n.wifi-qr-placeholder .qr-placeholder-box svg { color: var(--accent); opacity: 0.6; }\n.wifi-qr-placeholder .qr-placeholder-text { font-size: 0.82rem; font-weight: 600; letter-spacing: 0.3px; color: var(--accent-light); }\n.wifi-qr-open { border-color: var(--green-border); }\n.wifi-qr-open .qr-placeholder-box svg { color: var(--green); }\n.wifi-qr-open .qr-placeholder-text { color: var(--green); }\n.wifi-details { padding: 12px 16px 16px; }\n.wifi-field { display: flex; justify-content: space-between; align-items: center; padding: 6px 0; border-bottom: 1px solid var(--border); font-size: 0.85rem; }\n.wifi-field:last-child { border-bottom: none; }\n.wifi-label { color: var(--text-muted); font-weight: 600; font-size: 0.78rem; text-transform: uppercase; letter-spacing: 0.3px; min-width: 80px; }\n.wifi-value { color: var(--text); text-align: right; }\n.print-qr-btn { background: var(--accent); color: #fff; border: none; border-radius: 6px; padding: 8px 18px; font-size: 0.85rem; font-weight: 600; cursor: pointer; margin-left: 12px; transition: background 0.2s; }\n.print-qr-btn:hover { background: var(--accent-light); }\n@media print {\n  body { background: #fff !important; color: #000 !important; padding: 0 !important; }\n  nav, .brand-header, .theme-toggle, .copy-btn, .print-qr-btn, .note, .tab-content:not(.print-active) { display: none !important; }\n  .tab-content.print-active { display: block !important; }\n  .wifi-grid { grid-template-columns: repeat(2, 1fr) !important; gap: 20px !important; }\n  .wifi-card { break-inside: avoid; border: 2px solid #333 !important; box-shadow: none !important; page-break-inside: avoid; }\n  .wifi-card-header { border-bottom-color: #333 !important; }\n  .wifi-ssid { color: #000 !important; }\n  .wifi-qr { background: #fff !important; padding: 12px !important; }\n  .wifi-qr-placeholder { background: #f5f5f5 !important; border-color: #999 !important; }\n  .wifi-qr-placeholder .qr-placeholder-box svg { color: #333 !important; }\n  .wifi-qr-placeholder .qr-placeholder-text { color: #333 !important; }\n  .wifi-details { color: #000 !important; }\n  .wifi-field { border-bottom-color: #ccc !important; }\n  .wifi-label { color: #555 !important; }\n  .wifi-value, .wifi-value code { color: #000 !important; background: #eee !important; }\n  .b { border-color: #999 !important; color: #333 !important; background: #eee !important; }\n}\n@media (max-width: 768px) {\n  body { padding: 1rem; }\n  .brand-header { padding: 1.5rem; }\n  .brand-header h1 { font-size: 1.5rem; }\n  .summary-grid { grid-template-columns: repeat(3, 1fr); }\n  .card-grid { grid-template-columns: 1fr; }\n  nav a { font-size: 0.72rem; padding: 4px 8px; }\n  .topology pre { font-size: 0.7rem; }\n  table { font-size: 0.78rem; }\n  th, td { padding: 0.4rem 0.5rem; }\n  .quick-links { grid-template-columns: 1fr 1fr; }\n  .wifi-grid { grid-template-columns: 1fr; }\n  .wifi-qr canvas { width: 140px !important; height: 140px !important; }\n}\n</style>\n</head>\n<body>\n\n<div class=\"brand-header\">\n  <button class=\"theme-toggle\" onclick=\"toggleTheme()\" title=\"Switch theme\">\n    <svg viewBox=\"0 0 24 24\"><path d=\"M12 3a9 9 0 1 0 9 9c0-.46-.04-.92-.1-1.36a5.389 5.389 0 0 1-4.4 2.26 5.403 5.403 0 0 1-3.14-9.8c-.44-.06-.9-.1-1.36-.1z\"/></svg>\n    <span id=\"themeLabel\">Light</span>\n  </button>\n  <h1>Blue Jay Lab Intranet</h1>\n  <p class=\"subtitle\">BlueJay Network Infrastructure &mdash; 13 VLANs | 9 Physical Nodes | RKE2 Bare-Metal Cluster | 5 WiFi SSIDs | 18 Domains | 22 ArgoCD Apps | NAS Storage | 4 Pi Devices</p>\n  <p class=\"last-updated\">Last updated: 2026-03-21 &mdash; PiManager deployed (piez+pirelay), 14 Guacamole connections, 13 Zabbix hosts, SSH keys on all nodes, Prometheus 15 scrape targets, pirelay node-exporter+zabbix-agent2 installed</p>\n  <div class=\"status-badge\">Network Rebuild 100% Complete &mdash; /28 Fully Live &mdash; 22 ArgoCD Apps Healthy &mdash; 4 Pi Fleet Nodes</div>\n</div>\n\n<nav>\n  <ul>\n    <li><a class=\"tab-btn active\" onclick=\"switchTab('overview',this)\">Overview</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('isp',this)\">ISP &amp; WAN</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('pfsense',this)\">pfSense</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('switching',this)\">Switch &amp; WiFi</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('dns',this)\">DNS Directory</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('k8s',this)\">Kubernetes</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('noc',this)\">NOC Services</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('vpn',this)\">VPN &amp; Security</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('remote',this)\">Remote Access</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('edge',this)\">Edge Nodes</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('storage',this)\">Storage</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('wifi',this)\">WiFi</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('planned',this)\">Planned</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('topology',this)\">Topology</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('domains',this)\">Domains</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('credentials',this)\">Credentials</a></li>\n  </ul>\n</nav>\n\n<!-- ===== TAB: OVERVIEW ===== -->\n<div id=\"tab-overview\" class=\"tab-content active\">\n<h2>Overview</h2>\n<div class=\"summary-grid\">\n  <div class=\"summary-card\"><div class=\"summary-number\">13</div><div class=\"summary-label\">VLANs</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">9</div><div class=\"summary-label\">Physical Nodes</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">3</div><div class=\"summary-label\">RKE2 Nodes</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">22</div><div class=\"summary-label\">ArgoCD Apps</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">13</div><div class=\"summary-label\">Zabbix Hosts</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">4</div><div class=\"summary-label\">Pi Devices</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">5</div><div class=\"summary-label\">WiFi SSIDs</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">8</div><div class=\"summary-label\">VPN Tunnels</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">13</div><div class=\"summary-label\">Public IPs</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\"\
-    >18</div><div class=\"summary-label\">Domains</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">14</div><div class=\"summary-label\">Guac Connections</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">9.1 TB</div><div class=\"summary-label\">NAS Storage</div></div>\n</div>\n\n<div class=\"note note-warn\"><strong>Network Status: ALL PHASES COMPLETE + TELEPHONY LIVE + PI FLEET DEPLOYED.</strong> K3s on noc1, bare-metal RKE2 on 3 NUCs. /28 FULLY LIVE: 13 VIPs, 30 port forwards (SIP+RTP added), Cloudflare DNS. ArgoCD: 11 apps all Healthy (via bluejay-infra ApplicationSet, incl infra-asterisk + infra-noc-services). Asterisk PBX: MetalLB .207, 4 PJSIP extensions, Twilio SIP trunk, calls working end-to-end. telephony-web: 32 MCP tools wired+deployed. 1Password: 7 services wired, 45+ vault items. Credential rotation 17/17 complete. BlueJayNAS (DS1621+) online with Longhorn backup. Zabbix: 13 hosts monitored. <strong>Pi Fleet:</strong> 4 devices (edge1 Pi5+Hailo, edge2 Pi4, piez Pi4+EZConnect, pirelay Pi3+Relay). FlowerCore.PiManager deployed to piez (:5000) and pirelay (:5100) &mdash; unified config-driven GPIO/relay/I2C/SPI management. Guacamole: 14 connections in 4 groups (all nodes). SSH ed25519 keys deployed to all 9 physical nodes.</div>\n\n<h3>Quick Links &mdash; Web UIs</h3>\n<div class=\"quick-links\">\n  <a class=\"quick-link\" href=\"https://pfsense.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>pfSense</div><div class=\"ql-url\">https://pfsense.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://unifi.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>UniFi Cloud Key</div><div class=\"ql-url\">https://unifi.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"http://wifi.iamworkin.lan:8000\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Synology WiFi (SRM)</div><div class=\"ql-url\">http://wifi.iamworkin.lan:8000</div></div></a>\n  <a class=\"quick-link\" href=\"https://element.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Element Web (Matrix)</div><div class=\"ql-url\">https://element.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://cockpit.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Cockpit (noc1)</div><div class=\"ql-url\">https://cockpit.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://grafana.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Grafana</div><div class=\"ql-url\">https://grafana.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://prometheus.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Prometheus</div><div class=\"ql-url\">https://prometheus.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://guac.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Guacamole</div><div class=\"ql-url\">https://guac.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://pki.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>PKI Web</div><div class=\"ql-url\">https://pki.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://argocd.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>ArgoCD</div><div class=\"ql-url\">https://argocd.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://zabbix.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Zabbix</div><div class=\"ql-url\">https://zabbix.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://gitea.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Gitea</div><div class=\"ql-url\">https://gitea.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"http://192.168.254.254\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Frontier Modem</div><div class=\"ql-url\">http://192.168.254.254</div></div></a>\n  <a class=\"quick-link\" href=\"https://nas.iamworkin.lan:5001\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>BlueJayNAS (DSM)</div><div class=\"ql-url\">https://nas.iamworkin.lan:5001</div></div></a>\n  <a class=\"quick-link\" href=\"https://matrix.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Matrix Synapse</div><div class=\"ql-url\">https://matrix.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://telephony.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Telephony</div><div class=\"ql-url\">https://telephony.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://intranet.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Intranet</div><div class=\"ql-url\">https://intranet.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>PiManager (piez)</div><div class=\"ql-url\">http://piez.iamworkin.lan:5000</div></div></a>\n  <a class=\"quick-link\" href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>PiManager (pirelay)</div><div class=\"ql-url\">http://pirelay.iamworkin.lan:5100</div></div></a>\n  <a class=\"quick-link\" href=\"http://print.iamworkin.lan:5200\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Print Service</div><div class=\"ql-url\">http://print.iamworkin.lan:5200</div></div></a>\n  <a class=\"quick-link\" href=\"https://selenium.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Selenium Grid</div><div class=\"ql-url\">https://selenium.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"http://edge1.iamworkin.lan:5000\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Frigate NVR</div><div class=\"ql-url\">http://edge1.iamworkin.lan:5000</div></div></a>\n</div>\n\n<h3>Phase Progress</h3>\n<table>\n<thead><tr><th>Phase</th><th>Description</th><th>Status</th><th>Progress</th></tr></thead>\n<tbody>\n<tr><td>1</td><td>Frontier Modem Config</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>2</td><td>pfSense Base (WAN, LAN, VIPs)</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>3</td><td>VLAN Configuration (14 VLANs)</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>4</td><td>Firewall Rules &amp; Aliases</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>5</td><td>Bare-Metal RKE2 (Harvester Decommissioned)</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>6</td><td>OpenVPN (8 servers)</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>7</td><td>NAT Configuration</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>8</td><td>Traffic Shaper</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>9</td><td>DNS + NTP + SNMP</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>10</td><td>Switch + WiFi Config</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>11</td><td>NOC1 + Bare-Metal RKE2</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>12</td><td>GitOps + IaC (ArgoCD/Puppet)</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>13</td><td>Documentation Sync</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: ISP & WAN ===== -->\n<div id=\"tab-isp\" class=\"tab-content\">\n<h2>ISP &amp; WAN</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>ISP: Frontier Communications</div>\n    <ul>\n      <li><strong>Service:</strong> 1000/1000 Mbps fiber</li>\n      <li><strong>Account:</strong> 952-431-5646-020421-7</li>\n      <li><strong>Measured:</strong> 925 down / 677 up (MGMT VLAN)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Modem: NVG468MQ</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"http://192.168.254.254\" target=\"_blank\">http://192.168.254.254 (modem LAN)</a> <button class=\"copy-btn\" onclick=\"copyText('192.168.254.254')\">copy</button></li>\n      <li><strong>Credentials:</strong> <code>admin</code> / <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=nasmtxdpd7moq6mbob2d5duc6a\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Frontier Modem</span></a></li>\n      <li><strong>Serial:</strong> 184795207512112</li>\n      <li><strong>Firmware:</strong> 9.3.0h7d91</li>\n      <li><strong>WAN IP:</strong> <span class=\"ip\">74.32.185.184</span> (DHCP) <button class=\"copy-btn\" onclick=\"copyText('74.32.185.184')\">copy</button></li>\n      <li><strong>Config:</strong> DMZ to pfSense, WiFi OFF, firewall OFF</li>\n    </ul>\n  </div>\n</div>\n<h3>WAN Status</h3>\n<table>\n<thead><tr><th>Property</th><th>Value</th></tr></thead>\n<tbody>\n<tr><td>pfSense WAN Interface</td><td>ix3 (DHCP from modem)</td></tr>\n<tr><td>pfSense WAN IP</td><td><span class=\"ip\">192.168.254.122</span> <button class=\"copy-btn\" onclick=\"copyText('192.168.254.122')\"\
-    >copy</button> (double NAT intentional)</td></tr>\n<tr><td>Public /28 Block</td><td><span class=\"ip\">74.40.140.16/28</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.16/28')\">copy</button></td></tr>\n<tr><td>Gateway</td><td><span class=\"ip\">74.40.140.30</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.30')\">copy</button></td></tr>\n<tr><td>Usable Range</td><td><span class=\"ip\">74.40.140.17 &ndash; 74.40.140.29</span> (13 IPs)</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>ISP /28 Routing: FULLY OPERATIONAL.</strong> Public subnet (74.40.140.16/28) is live. 13 VIPs on WAN (ix3), 12 hybrid outbound NAT rules, 28 port forwards. Cloudflare DNS with 28+ A records pointing to /28 IPs. DDNS: gateway.iamwork.in updates pfSense WAN DHCP IP via Cloudflare API.</div>\n<h3>Modem Static Routes</h3>\n<table>\n<thead><tr><th>Name</th><th>Destination</th><th>Gateway</th><th>Interface</th></tr></thead>\n<tbody>\n<tr><td>pfSense-Public-28</td><td><span class=\"ip\">74.40.140.16/28</span></td><td><span class=\"ip\">192.168.254.122</span></td><td>LAN</td></tr>\n<tr><td>pfSense-Private-Subnets</td><td><span class=\"ip\">10.0.0.0/8</span></td><td><span class=\"ip\">192.168.254.122</span></td><td>LAN</td></tr>\n</tbody>\n</table>\n<h3>Public IP Allocation (13 usable)</h3>\n<table>\n<thead><tr><th>IP</th><th>Full Address</th><th>Assignment</th><th>VLAN(s)</th><th>Services</th></tr></thead>\n<tbody>\n<tr><td>.16</td><td><span class=\"ip\">74.40.140.16</span></td><td><em>Network address</em></td><td>&mdash;</td><td>Unusable</td></tr>\n<tr><td>.17</td><td><span class=\"ip\">74.40.140.17</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.17')\">copy</button></td><td>ANDREW + VPN</td><td>60</td><td>Andrew tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.18</td><td><span class=\"ip\">74.40.140.18</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.18')\">copy</button></td><td>ANDREW #2</td><td>60</td><td>Andrew secondary</td></tr>\n<tr><td>.19</td><td><span class=\"ip\">74.40.140.19</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.19')\">copy</button></td><td>MATT + VPN</td><td>61</td><td>Matt tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.20</td><td><span class=\"ip\">74.40.140.20</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.20')\">copy</button></td><td>MATT #2</td><td>61</td><td>Matt secondary</td></tr>\n<tr><td>.21</td><td><span class=\"ip\">74.40.140.21</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.21')\">copy</button></td><td>DUSTIN + VPN</td><td>62</td><td>Dustin tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.22</td><td><span class=\"ip\">74.40.140.22</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.22')\">copy</button></td><td>SIERRA (Dustin #2)</td><td>62</td><td>Dustin secondary</td></tr>\n<tr><td>.23</td><td><span class=\"ip\">74.40.140.23</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.23')\">copy</button></td><td>ERIK + VPN</td><td>63</td><td>Erik tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.24</td><td><span class=\"ip\">74.40.140.24</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.24')\">copy</button></td><td>PROD</td><td>57</td><td>K8s web + mail (flowercore.io, SMTP)</td></tr>\n<tr><td>.25</td><td><span class=\"ip\">74.40.140.25</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.25')\">copy</button></td><td>FIT + VPN</td><td>69</td><td>FIT tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.26</td><td><span class=\"ip\">74.40.140.26</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.26')\">copy</button></td><td>FIT #2</td><td>69</td><td>FIT secondary</td></tr>\n<tr><td>.27</td><td><span class=\"ip\">74.40.140.27</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.27')\">copy</button></td><td>COMMS</td><td>57</td><td>TeamSpeak, IRC, Matrix</td></tr>\n<tr><td>.28</td><td><span class=\"ip\">74.40.140.28</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.28')\">copy</button></td><td>SHARED</td><td>59,64,65,66,67</td><td>WORK+SCHOOL+GUEST+VOIP+EMPLOYEE outbound</td></tr>\n<tr><td>.29</td><td><span class=\"ip\">74.40.140.29</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.29')\">copy</button></td><td>HOME</td><td>58</td><td>Home traffic + Nintendo Switch static port NAT</td></tr>\n<tr><td>.30</td><td><span class=\"ip\">74.40.140.30</span></td><td><em>Gateway (Frontier)</em></td><td>&mdash;</td><td>ISP router</td></tr>\n<tr><td>.31</td><td><span class=\"ip\">74.40.140.31</span></td><td><em>Broadcast</em></td><td>&mdash;</td><td>Unusable</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: PFSENSE ===== -->\n<div id=\"tab-pfsense\" class=\"tab-content\">\n<h2>pfSense Firewall</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Netgate 4100</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"https://pfsense.iamworkin.lan\" target=\"_blank\">https://pfsense.iamworkin.lan</a> <button class=\"copy-btn\" onclick=\"copyText('pfsense.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <code>admin</code> / <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=kmmt7bckcm6hpvy5ajxgpodv5q\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 pfSense Firewall</span></a></li>\n      <li><strong>SSH:</strong> <code>admin@pfsense.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh admin@pfsense.iamworkin.lan')\">copy</button></li>\n      <li><strong>Hardware:</strong> 2x SFP+, 4x 2.5GbE (igc0-3)</li>\n      <li><strong>WAN:</strong> ix3 &mdash; LAN: igc0 (802.1Q trunk)</li>\n      <li><strong>Domain:</strong> iamworkin.lan</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Firewall Stats</div>\n    <ul>\n      <li><strong>Aliases:</strong> 36 (16 port, 5 host, 15 network)</li>\n      <li><strong>Rules:</strong> 90 active</li>\n      <li><strong>Policy:</strong> Air-gapped default &mdash; deny all, explicit allow</li>\n      <li><strong>SNMP:</strong> community <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=7qias4wucncvleievorxda5pym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 SNMP Community</span></a></li>\n      <li><strong>SNMP Modules:</strong> mibII, netgraph, pf, hostres, bridge</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Services</div>\n    <ul>\n      <li><strong>DNS:</strong> Unbound (DNSSEC, WAN-only outgoing, prefetch)</li>\n      <li><strong>DHCP:</strong> dhcpd on all 12 VLAN interfaces (.100-.199)</li>\n      <li><strong>NTP:</strong> ntpd on all VLAN interfaces, DHCP option 42</li>\n      <li><strong>Traffic Shaper:</strong> 24 dummynet pipes, fq_codel</li>\n    </ul>\n  </div>\n</div>\n<h3>VLAN Configuration (13 VLANs)</h3>\n<table>\n<thead><tr><th>VLAN</th><th>Name</th><th>Subnet</th><th>DHCP Range</th><th>Down/Up (Mbps)</th><th>Priority</th><th>Public IP</th></tr></thead>\n<tbody>\n<tr><td>56</td><td><span class=\"b b-mgmt\">MGMT</span></td><td><span class=\"ip\">10.0.56.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>5</td><td>WAN DHCP</td></tr>\n<tr><td>57</td><td><span class=\"b b-prod\">PROD</span></td><td><span class=\"ip\">10.0.57.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>5</td><td>.24</td></tr>\n<tr><td>58</td><td><span class=\"b b-home\">HOME</span></td><td><span class=\"ip\">10.0.58.0/24</span></td><td>.100-.199</td><td>800 / 800</td><td>3</td><td>.29</td></tr>\n<tr><td>59</td><td><span class=\"b b-wifi\">EMPLOYEE</span></td><td><span class=\"ip\">10.0.59.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>3</td><td>.28 (shared)</td></tr>\n<tr><td>60</td><td><span class=\"b b-tenant\">ANDREW</span></td><td><span class=\"ip\">10.0.60.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.17</td></tr>\n<tr><td>61</td><td><span class=\"b b-tenant\">MATT</span></td><td><span class=\"ip\">10.0.61.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.19</td></tr>\n<tr><td>62</td><td><span class=\"b b-tenant\">DUSTIN</span></td><td><span class=\"ip\">10.0.62.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.21</td></tr>\n<tr><td>63</td><td><span class=\"b b-tenant\">ERIK</span></td><td><span class=\"ip\">10.0.63.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.23</td></tr>\n<tr><td>64</td><td><span class=\"b b-wifi\">WORK</span></td><td><span class=\"ip\">10.0.64.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>3</td><td>.28 (shared)</td></tr>\n<tr><td>65</td><td><span class=\"b b-wifi\">SCHOOL</span></td><td><span class=\"ip\">10.0.65.0/24</span></td><td>.100-.199</td><td>200 / 200</td><td>1</td><td>.28 (shared)</td></tr>\n<tr><td>66</td><td><span class=\"b b-spare\">GUEST</span></td><td><span class=\"ip\">10.0.66.0/24</span></td><td>.100-.199</td><td>100 / 50</td><td>1</td><td>.28 (shared)</td></tr>\n<tr><td>67</td><td><span class=\"b b-voip\">VOIP</span></td><td><span class=\"ip\">10.0.67.0/24</span></td><td>.100-.199</td><td>100 / 100</td><td>7</td><td>.28 (shared)</td></tr>\n<tr><td>69</td><td><span class=\"b b-tenant\">FIT</span></td><td><span class=\"ip\">10.0.69.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.25</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>Firewall Policy:</strong> MGMT has full access. HOME/WORK/SCHOOL get general internet. GUEST isolated except PROD web. Tenants fully isolated from each other &mdash; only PROD, DNS, NAS, and internet. VOIP is SIP-only outbound.</div>\n</div>\n\n<!-- ===== TAB: SWITCHING & WIFI ===== -->\n<div id=\"tab-switching\" class=\"tab-content\">\n<h2>Switching &amp; WiFi</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"\
-    card-title\"><span class=\"dot dot-green\"></span>UniFi Switch USW-Lite-16-PoE</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">switch.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('switch.iamworkin.lan')\">copy</button></li>\n      <li><strong>MAC:</strong> 74:ac:b9:e3:93:ba</li>\n      <li><strong>SSH:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=sqozg7dicrzxzyj2p47hnxn7di\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 UniFi Switch</span></a></li>\n      <li><strong>SSH Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=sqozg7dicrzxzyj2p47hnxn7di\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 UniFi Switch</span></a></li>\n      <li><strong>Firmware:</strong> 7.2.123.16565</li>\n      <li><strong>CLI:</strong> Type <code>cli</code> for Realtek switch CLI</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>UniFi Cloud Key G2</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"https://unifi.iamworkin.lan\" target=\"_blank\">https://unifi.iamworkin.lan</a> <button class=\"copy-btn\" onclick=\"copyText('unifi.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=sqozg7dicrzxzyj2p47hnxn7di\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 UniFi Cloud Key</span></a></li>\n      <li><strong>SSH:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=sqozg7dicrzxzyj2p47hnxn7di\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 UniFi Cloud Key</span></a></li>\n      <li><strong>Network Version:</strong> 7.1.61</li>\n      <li><strong>MongoDB:</strong> port 27117 (database <code>ace</code>)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Synology RT6600AX (AP Mode)</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"http://wifi.iamworkin.lan:8000\" target=\"_blank\">http://wifi.iamworkin.lan:8000</a> <button class=\"copy-btn\" onclick=\"copyText('wifi.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=hlys5gwgnfa2a2nclrr52dr6gu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Synology WiFi Router</span></a></li>\n      <li><strong>SSH:</strong> <code>bluejay@wifi.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh bluejay@wifi.iamworkin.lan')\">copy</button></li>\n      <li><strong>MAC:</strong> 90:09:d0:3d:64:ae</li>\n      <li><strong>Mode:</strong> AP (bridge), all trunk ports enabled</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>BlueJayNAS (Synology DS1621+)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">nas.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('nas.iamworkin.lan')\">copy</button> (HOME VLAN 58)</li>\n      <li><strong>DSM:</strong> <a href=\"https://nas.iamworkin.lan:5001\" target=\"_blank\">https://nas.iamworkin.lan:5001</a></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cbxfibct4j6jfm6ccsogpayjuy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJayNAS</span></a></li>\n      <li><strong>Storage:</strong> 9.1 TB Btrfs (RAID)</li>\n      <li><strong>NFS Exports:</strong> Longhorn backup, shared media, ISO library</li>\n      <li><strong>SNMP:</strong> Enabled (Zabbix monitored)</li>\n      <li><strong>Zabbix:</strong> Host monitored via SNMP v2c</li>\n      <li><strong>Switch Port:</strong> 14 (Access, VLAN 58)</li>\n    </ul>\n  </div>\n</div>\n<h3>Switch Port Assignments</h3>\n<table>\n<thead><tr><th>Port</th><th>Device</th><th>Mode</th><th>VLAN</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>1</td><td>pfSense Uplink</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>2</td><td>rke2-agent2</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>3</td><td>WiFi Uplink (Synology)</td><td>Trunk, native 58</td><td>57-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>4</td><td>rke2-agent1</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>5</td><td>Cloud Key G2</td><td>Access</td><td>56 (MGMT)</td><td><span class=\"dot dot-green\"></span>UP (PoE)</td></tr>\n<tr><td>6</td><td>rke2-server</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>7</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>8</td><td>noc1</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>9</td><td>Workstation</td><td>Access</td><td>56 (MGMT)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>10</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>11</td><td>edge2 (Pi 4)</td><td>Access</td><td>57 (PROD)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>12</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>13</td><td>edge1 (Pi 5)</td><td>Access</td><td>57 (PROD)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>14</td><td>Synology NAS</td><td>Access</td><td>58 (HOME)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>15</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>16</td><td>Synology 2</td><td>Access</td><td>58 (HOME)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n</tbody>\n</table>\n<h3>WiFi SSIDs</h3>\n<table>\n<thead><tr><th>SSID</th><th>Bridge</th><th>VLAN</th><th>Type</th><th>Password</th></tr></thead>\n<tbody>\n<tr><td><strong>BlueJay-Home</strong></td><td>br0</td><td>untagged (58)</td><td>Primary</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=vetpnvuxyfdcvkjr2cqhuaqekq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-Home WiFi</span></a></td></tr>\n<tr><td><strong>BlueJay-Employee</strong></td><td>br2</td><td>59</td><td>Custom</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=g36whfbi5zwcvsr6itowe67jjm\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-Employee WiFi</span></a></td></tr>\n<tr><td><strong>BlueJay-Work</strong></td><td>br3</td><td>64</td><td>Custom</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=4omsv5ybqoyk4tvqrqww7kv3yu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-Work WiFi</span></a></td></tr>\n<tr><td><strong>BlueJay-School</strong></td><td>br4</td><td>65</td><td>Custom</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=jnl2dodsrbli2y5rhwirvcywzy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-School WiFi</span></a></td></tr>\n<tr><td><strong>BlueJay-Guest</strong></td><td>gbr0</td><td>66</td><td>Guest (isolation+NAT)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=2nepku5kumcguwciiyhiiaifne\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJay-Guest WiFi</span></a></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: DNS ===== -->\n<div id=\"tab-dns\" class=\"tab-content\">\n<h2>DNS Directory</h2>\n<div class=\"note\">All entries are pfSense Unbound host overrides under <code>iamworkin.lan</code>. 52+ host overrides configured, plus 4 tenant wildcard redirect zones (*.bluejay.lan, *.timefortaco.lan, *.erik.lan, *.flowerinsider.lan &rarr; 10.0.56.200 Traefik).</div>\n<h3>Management Devices</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>pfsense.iamworkin.lan</td><td><span class=\"ip\">pfsense.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('pfsense.iamworkin.lan')\">copy</button></td><td>pfSense firewall</td></tr>\n<tr><td>switch.iamworkin.lan</td><td><span class=\"ip\">switch.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('switch.iamworkin.lan')\">copy</button></td><td>UniFi PoE Switch</td></tr>\n<tr><td>unifi.iamworkin.lan</td><td><span class=\"ip\">unifi.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('unifi.iamworkin.lan')\">copy</button></td><td>UniFi Cloud Key G2</td></tr>\n<tr><td>wifi.iamworkin.lan</td><td><span class=\"ip\">wifi.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('wifi.iamworkin.lan')\">copy</button></td><td>Synology WiFi Router (AP)</td></tr>\n<tr><td>nas.iamworkin.lan</td><td><span class=\"ip\">nas.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('nas.iamworkin.lan')\">copy</button></td><td>Synology NAS</td></tr>\n</tbody>\n</table>\n<h3>RKE2 Bare-Metal Cluster</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>rke2-server.iamworkin.lan</td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('rke2-server.iamworkin.lan')\"\
-    >copy</button></td><td>RKE2 control plane (bare-metal, openSUSE Leap 16)</td></tr>\n<tr><td>rke2-agent1.iamworkin.lan</td><td><span class=\"ip\">rke2-agent1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('rke2-agent1.iamworkin.lan')\">copy</button></td><td>RKE2 worker node 1 (bare-metal, openSUSE Leap 16)</td></tr>\n<tr><td>rke2-agent2.iamworkin.lan</td><td><span class=\"ip\">rke2-agent2.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('rke2-agent2.iamworkin.lan')\">copy</button></td><td>RKE2 worker node 2 (bare-metal, openSUSE Leap 16)</td></tr>\n</tbody>\n</table>\n<h3>NOC Services (noc1)</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>noc1.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('noc1.iamworkin.lan')\">copy</button></td><td>NOC management node (K3s)</td></tr>\n<tr><td>acme.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>step-ca ACME CA</td></tr>\n<tr><td>pki.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>PKI cert/CRL distribution</td></tr>\n<tr><td>guac.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>Apache Guacamole</td></tr>\n<tr><td>grafana.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Grafana monitoring (monitoring ns, noc1 Podman stopped 2026-03-18, K8s only)</td></tr>\n<tr><td>prometheus.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Prometheus metrics (monitoring ns, noc1 Podman stopped 2026-03-18, K8s only)</td></tr>\n<tr><td>cockpit.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Cockpit web console (noc-proxy ns &rarr; noc1:9090)</td></tr>\n<tr><td>traefik.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>Traefik dashboard (K3s, legacy)</td></tr>\n<tr><td>op-connect.iamworkin.lan</td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>1Password Connect API (:8180)</td></tr>\n</tbody>\n</table>\n<h3>RKE2 Services (via Traefik at traefik.iamworkin.lan)</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>rke2.iamworkin.lan</td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('rke2-server.iamworkin.lan')\">copy</button></td><td>RKE2 API server (bare-metal control plane)</td></tr>\n<tr><td>rke2-traefik.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('traefik.iamworkin.lan')\">copy</button></td><td>Traefik LoadBalancer (MetalLB)</td></tr>\n<tr><td>argocd.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>ArgoCD GitOps (22 apps, all Healthy)</td></tr>\n<tr><td>gitea.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Gitea Git hosting (SSH at MetalLB .201)</td></tr>\n<tr><td>zabbix.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Zabbix monitoring (10 hosts, trapper at .203)</td></tr>\n<tr><td>guac.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Apache Guacamole (17 connections)</td></tr>\n<tr><td>irc.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>UnrealIRCd + Anope (ports 6667/6697/8067)</td></tr>\n<tr><td>matrix.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Matrix Synapse homeserver</td></tr>\n<tr><td>element.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Element Web (Matrix client)</td></tr>\n<tr><td>intranet.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Lab intranet dashboard</td></tr>\n<tr><td>pki.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>PKI cert/CRL distribution</td></tr>\n<tr><td>mail.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>docker-mailserver (SMTP at MetalLB .202)</td></tr>\n<tr><td>telephony.iamwork.in</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>FlowerCore.Telephony (:5100, Cloudflare origin cert)</td></tr>\n<tr><td>telephony.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>FlowerCore.Telephony (internal, step-ca cert)</td></tr>\n<tr><td>grafana.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Grafana (monitoring ns, noc1 Podman stopped 2026-03-18, K8s only)</td></tr>\n<tr><td>prometheus.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Prometheus (monitoring ns, noc1 Podman stopped 2026-03-18, K8s only)</td></tr>\n<tr><td>cockpit.iamworkin.lan</td><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Cockpit (noc-proxy ns &rarr; noc1:9090)</td></tr>\n</tbody>\n</table>\n<h3>RKE2 MetalLB Service IPs</h3>\n<table>\n<thead><tr><th>IP</th><th>Service</th><th>Ports</th></tr></thead>\n<tbody>\n<tr><td><span class=\"ip\">traefik.iamworkin.lan</span></td><td>Traefik Ingress</td><td>80, 443, 8080, 6667, 6697</td></tr>\n<tr><td><span class=\"ip\">gitea-ssh.iamworkin.lan</span></td><td>Gitea SSH</td><td>22</td></tr>\n<tr><td><span class=\"ip\">mail.iamworkin.lan</span></td><td>Mail SMTP</td><td>25, 465, 587</td></tr>\n<tr><td><span class=\"ip\">zabbix-trapper.iamworkin.lan</span></td><td>Zabbix Trapper</td><td>10051</td></tr>\n<tr><td><span class=\"ip\">ts.iamworkin.lan</span></td><td>TeamSpeak</td><td>9987/UDP, 30033, 10011</td></tr>\n</tbody>\n</table>\n<h3>Production / Edge Nodes</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>macmini.iamworkin.lan</td><td><span class=\"ip\">macmini.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('macmini.iamworkin.lan')\">copy</button></td><td>Mac Mini build node (Xcode)</td></tr>\n<tr><td>edge1.iamworkin.lan</td><td><span class=\"ip\">edge1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge1.iamworkin.lan')\">copy</button></td><td>Pi 5 + Hailo AI HAT+ 2</td></tr>\n<tr><td>edge2.iamworkin.lan</td><td><span class=\"ip\">edge2.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge2.iamworkin.lan')\">copy</button></td><td>Pi 4 (Argon ONE, CI runner)</td></tr>\n<tr><td>piez.iamworkin.lan</td><td><span class=\"ip\">piez.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('piez.iamworkin.lan')\">copy</button></td><td>Pi 4 + EZ Connect (PiManager :5000, GPIO/I2C/SPI)</td></tr>\n<tr><td>pirelay.iamworkin.lan</td><td><span class=\"ip\">pirelay.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('pirelay.iamworkin.lan')\">copy</button></td><td>Pi 3 + 4-ch Relay (PiManager :5100, KS0212)</td></tr>\n</tbody>\n</table>\n<h3>Planned / Windows (pre-registered)</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>dc1.iamworkin.lan</td><td><span class=\"ip\">10.0.56.20</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.20')\">copy</button></td><td>AD Domain Controller (planned)</td></tr>\n<tr><td>wac1.iamworkin.lan</td><td><span class=\"ip\">10.0.56.21</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.21')\">copy</button></td><td>Windows Admin Center (planned)</td></tr>\n<tr><td>rds1.iamworkin.lan</td><td><span class=\"ip\">10.0.57.20</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.20')\">copy</button></td><td>Remote Desktop Services (planned)</td></tr>\n<tr><td>iis1.iamworkin.lan</td><td><span class=\"ip\">10.0.57.21</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.21')\">copy</button></td><td>IIS Web Server (planned)</td></tr>\n<tr><td>proxy.iamworkin.lan</td><td><span class=\"ip\">10.0.56.22</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.22')\">copy</button></td><td>Squid Authenticated Proxy (planned)</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: KUBERNETES ===== -->\n<div id=\"tab-k8s\" class=\"tab-content\">\n<h2>Kubernetes Clusters</h2>\n<h3>K3s (noc1 &mdash; Emergency Fallback, Scaled to 0)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"opacity:0.6;\">\n    <div class=\"card-title\"><span class=\"dot dot-yellow\"></span>K3s on noc1 (Standby)</div>\n    <ul>\n      <li><strong>Node:</strong> <span class=\"ip\">noc1.iamworkin.lan</span> (single-node)</li>\n      <li><strong>Version:</strong> K3s v1.34.5</li>\n      <li><strong>Status:</strong> Scaled to 0 &mdash; emergency fallback only</li>\n      <li><strong>Migration:</strong> All workloads moved to RKE2 (2026-03-09)</li>\n      <li><strong>Tools:</strong> kubectl v1.35.2, helm v3.20.0</li>\n    </ul>\n  </div>\n</div>\n<h3>Harvester HCI (DECOMMISSIONED 2026-03-09)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"opacity:0.5;border-color:var(--red-border);\">\n    <div class=\"card-title\"><span class=\"dot dot-red\"></span>Harvester Cluster &mdash; Decommissioned</div>\n    <ul>\n      <li><strong>Status:</strong> <span class=\"b b-offline\">Decommissioned</span> &mdash; replaced by bare-metal RKE2</li>\n      <li><strong>Reason:</strong> 6 K8s control planes caused 100&deg;C thermal throttling</li>\n      <li><strong>Migration:</strong> All 3 NUCs reformatted to openSUSE Leap 16, bare-metal RKE2</li>\n      <li><strong>Result:</strong> Temps 44-71&deg;C, 1 control plane instead of 6</li>\n    </ul>\n  </div>\n</div>\n<h3>RKE2 (Bare-Metal Cluster)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>RKE2 Cluster</div>\n    <ul>\n      <li><strong>Version:</strong> RKE2 v1.34.5+rke2r1</li>\n      <li><strong>OS:</strong> openSUSE Leap 16.0 (bare-metal)</li>\n      <li><strong>CNI:</strong> Calico (VXLAN mode)</li>\n      <li><strong>Pod CIDR:</strong> <span class=\"ip\">10.42.0.0/16</span></li>\n      <li><strong>Service CIDR:</strong>\
-    \ <span class=\"ip\">10.43.0.0/16</span></li>\n      <li><strong>Kubeconfig:</strong> <code>/root/.kube/rke2.yaml</code> on noc1 or WSL</li>\n      <li><strong>SSH:</strong> ed25519 key auth (root)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">RKE2 Nodes (Bare-Metal)</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-server:</strong> <span class=\"ip\">rke2-server.iamworkin.lan</span> (i7-1260P / 64GB, control plane)</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent1:</strong> <span class=\"ip\">rke2-agent1.iamworkin.lan</span> (i7-1260P / 64GB, worker)</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent2:</strong> <span class=\"ip\">rke2-agent2.iamworkin.lan</span> (i5-1340P / 64GB, worker)</li>\n      <li><strong>SSH:</strong> <code>root@10.0.56.{11,12,13}</code> (ed25519 key)</li>\n      <li><strong>Puppet:</strong> profile::kubernetes::rke2 on all nodes</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">RKE2 Infrastructure</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span><strong>MetalLB:</strong> L2 mode, pool <span class=\"ip\">10.0.56.200-220</span></li>\n      <li><span class=\"dot dot-green\"></span><strong>Traefik:</strong> v3.3.4, 2 replicas, LB <span class=\"ip\">traefik.iamworkin.lan</span></li>\n      <li><span class=\"dot dot-green\"></span><strong>Longhorn:</strong> Default StorageClass (iSCSI), NAS backup integration</li>\n      <li><strong>Namespaces (33):</strong> fc-system, fc-tenant-{andrew,matt,dustin,erik,fit}, tenant-{andrew,dustin,erik,fit,flowercore}, traefik-system, metallb-system, argocd, irc, mail, matrix, zabbix, guacamole, gitea, teamspeak, onepassword-system, cert-manager, telephony, monitoring, selenium, agent-zero, intranet, pki, noc-proxy, longhorn-system, kube-system, calico-system, tigera-operator</li>\n      <li><strong>IngressRoutes:</strong> 44 Traefik routes (internal + Cloudflare public)</li>\n      <li><strong>PVCs:</strong> 17 persistent volumes, ~69 Gi total (Longhorn iSCSI, NAS backup)</li>\n      <li><strong>ArgoCD:</strong> 22 apps via bluejay-infra ApplicationSet (all Healthy &mdash; includes agent-zero, asterisk, monitoring, voice, 5 tenant landing pages, guacamole, mail, matrix, IRC, telephony, Gitea, Zabbix, PKI, intranet, noc-services)</li>\n      <li><strong>1Password:</strong> Operator v1.11.0 in onepassword-system, 7 CRDs syncing</li>\n      <li><strong>Cloudflare Origin Certs:</strong> *.flowercore.io + *.iamwork.in (15-year RSA) deployed across 8 namespaces</li>\n    </ul>\n  </div>\n</div>\n<h3>Cluster Resource Usage (2026-03-21)</h3>\n<table>\n<thead><tr><th>Node</th><th>CPU</th><th>Memory</th><th>Pods</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>rke2-server</td><td>866m (5%)</td><td>19,293 Mi (30%)</td><td>~40</td><td>Control plane + worker</td></tr>\n<tr><td>rke2-agent1</td><td>616m (3%)</td><td>20,905 Mi (32%)</td><td>~40</td><td>Worker</td></tr>\n<tr><td>rke2-agent2</td><td>1,430m (8%)</td><td>17,517 Mi (27%)</td><td>~40</td><td>Worker (Selenium + telephony)</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>Capacity:</strong> 192 GB total RAM (64 GB/node), ~30% utilized. Selenium Grid (4 pods) + ArgoCD (7 pods) + Longhorn (29 pods) are the biggest consumers. Prometheus at 10 Gi retention (90 days). All stateful workloads backed up to BlueJayNAS via Longhorn NFS.</div>\n\n<h3>pfSense Static Routes (K8s)</h3>\n<table>\n<thead><tr><th>Destination</th><th>Gateway</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td><span class=\"ip\">10.42.0.0/16</span></td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> (rke2-server)</td><td>Pod CIDR routing</td></tr>\n<tr><td><span class=\"ip\">10.43.0.0/16</span></td><td><span class=\"ip\">rke2-server.iamworkin.lan</span> (rke2-server)</td><td>Service CIDR routing</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: NOC SERVICES ===== -->\n<div id=\"tab-noc\" class=\"tab-content\">\n<h2>NOC Services (noc1)</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>noc1 Host</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">noc1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('noc1.iamworkin.lan')\">copy</button></li>\n      <li><strong>SSH:</strong> <code>root@pfsense.iamworkin.lan0</code> <button class=\"copy-btn\" onclick=\"copyText('ssh root@pfsense.iamworkin.lan0')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=gjb3da3jepm2xzr5mef3afzws4\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 noc1</span></a></li>\n      <li><strong>OS:</strong> openSUSE Leap Micro 6.2 (immutable)</li>\n      <li><strong>CPU:</strong> Intel Celeron N5105 (4C/4T)</li>\n      <li><strong>RAM:</strong> 32 GB</li>\n      <li><strong>Disk:</strong> 1TB NVMe (929GB free)</li>\n      <li><strong>Runtimes:</strong> Podman 5.4.2, K3s v1.34.5</li>\n    </ul>\n  </div>\n</div>\n<h3>Service Directory</h3>\n<table>\n<thead><tr><th>Service</th><th>URL</th><th>Port</th><th>Credentials</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>Cockpit</td><td><a href=\"https://cockpit.iamworkin.lan\" target=\"_blank\">https://cockpit.iamworkin.lan</a></td><td>443 (Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=gjb3da3jepm2xzr5mef3afzws4\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 noc1</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Prometheus</td><td><a href=\"https://prometheus.iamworkin.lan\" target=\"_blank\">https://prometheus.iamworkin.lan</a> <br/><small>Also: <a href=\"https://prometheus.iamworkin.lan\" target=\"_blank\">https://prometheus.iamworkin.lan</a> (noc1 direct)</small></td><td>443 (Traefik)</td><td><em>No auth</em> (90-day retention, 11 targets)</td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Grafana</td><td><a href=\"https://grafana.iamworkin.lan\" target=\"_blank\">https://grafana.iamworkin.lan</a> <br/><small>Also: <a href=\"https://grafana.iamworkin.lan\" target=\"_blank\">https://grafana.iamworkin.lan</a> (noc1 direct)</small></td><td>443 (Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=l2ld4i2m47keuyxrzmj5jm56nu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Grafana</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Node Exporter</td><td>http://noc1.iamworkin.lan:9100</td><td>9100</td><td><em>Metrics only</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>SNMP Exporter</td><td>http://noc1.iamworkin.lan:9116</td><td>9116</td><td><em>pfSense + NAS + Switch + Printer SNMP scraper</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>step-ca ACME</td><td><a href=\"https://acme.iamworkin.lan:9443\" target=\"_blank\">https://acme.iamworkin.lan:9443</a></td><td>9443</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cg6ufz7vditglpqag2dyppi24q\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 step-ca</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>1Password Connect</td><td>http://op-connect.iamworkin.lan:8180</td><td>8180/8181</td><td><em>API token auth</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Puppet Server</td><td>noc1:8140</td><td>8140</td><td><em>OpenVox Server 8.12 (Podman)</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<h3>RKE2 Services (22 ArgoCD Apps &mdash; All Healthy)</h3>\n<table>\n<thead><tr><th>Service</th><th>URL</th><th>MetalLB / Port</th><th>Credentials</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>ArgoCD</td><td><a href=\"https://argocd.iamworkin.lan\" target=\"_blank\">https://argocd.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cmin4ocvddco3vshzozgjbupva\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 ArgoCD</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Traefik</td><td><a href=\"https://traefik.iamworkin.lan:8080/dashboard/\" target=\"_blank\">traefik.iamworkin.lan:8080</a></td><td>MetalLB .200 &mdash; 80/443/8080/6667/6697</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=br3hedkopqujp7nzilxvtdpqnu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Traefik Dashboard</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Gitea</td><td><a href=\"https://gitea.iamworkin.lan\" target=\"_blank\">https://gitea.iamworkin.lan</a></td><td>.201 SSH:22 &mdash; HTTPS via Traefik</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=h5q3v77rtaek4jifdqbjc7vqzi\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Gitea</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Guacamole</td><td><a href=\"https://guac.iamworkin.lan\" target=\"_blank\">https://guac.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=j7p2jalf5pcltawrx3c6o54yga\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Apache Guacamole</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>UnrealIRCd + Anope</td><td>irc.iamworkin.lan:6697 (TLS)</td><td>.200 &mdash; 6667/6697/8067</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=3kxdh2gkmczv5thiestcmlkb3m\"\
-    \ target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 IRC Services</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Zabbix</td><td><a href=\"https://zabbix.iamworkin.lan\" target=\"_blank\">https://zabbix.iamworkin.lan</a></td><td>.203 trapper &mdash; Web via Traefik</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=mtazpqfrqltylsfzb25ejmmqdy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Zabbix Monitoring</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Mail (docker-mailserver)</td><td>mail.iamworkin.lan</td><td>.202 &mdash; SMTP 25/465/587</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=f6bdif4rxzgh6fi6lfirrtriaq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mail Server</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Matrix Synapse</td><td><a href=\"https://matrix.iamworkin.lan\" target=\"_blank\">https://matrix.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=hd75oppaq6dvf6hnmyntnth2ey\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Matrix Synapse</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Element Web</td><td><a href=\"https://element.iamworkin.lan\" target=\"_blank\">https://element.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Uses Matrix account</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>TeamSpeak</td><td>ts.iamworkin.lan</td><td>.205 &mdash; 9987/UDP, 30033, 10011</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=736u546ufij75d36socv5lhop4\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 TeamSpeak</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>FlowerCore Landing</td><td>flowercore.io</td><td>443 (via Traefik, Cloudflare)</td><td><em>Static page</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PKI Web</td><td><a href=\"https://pki.iamworkin.lan\" target=\"_blank\">https://pki.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Public (CRL/certs)</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Intranet</td><td><a href=\"https://intranet.iamworkin.lan\" target=\"_blank\">https://intranet.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Static page</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Snappymail</td><td><a href=\"https://mail-web.iamworkin.lan\" target=\"_blank\">https://mail-web.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=k5otwlgch366ozyc4yvrwohjya\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Snappymail</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Telephony</td><td><a href=\"https://telephony.iamworkin.lan\" target=\"_blank\">https://telephony.iamworkin.lan</a></td><td>5100 (via Traefik + Cloudflare)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=uo5kuszy6pjijrxrkuugpdnsrq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Telephony</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Asterisk PBX</td><td>asterisk.iamworkin.lan:5060</td><td>.207 &mdash; SIP 5060/UDP, RTP 10000-20000</td><td><em>4 PJSIP ext, Twilio trunk</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Agent Zero</td><td><a href=\"https://agent-zero.iamworkin.lan\" target=\"_blank\">https://agent-zero.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=uo5kuszy6pjijrxrkuugpdnsrq\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Agent Zero</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>1Password Operator</td><td><em>In-cluster only</em></td><td>onepassword-system</td><td><em>Connect token</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Selenium Grid</td><td><a href=\"https://selenium.iamworkin.lan\" target=\"_blank\">https://selenium.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><em>Hub + 2 Chrome + 1 Firefox</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>FlowerCore.Print.Web</td><td><a href=\"http://print.iamworkin.lan:5200\" target=\"_blank\">http://print.iamworkin.lan:5200</a></td><td>5200 (edge2 direct)</td><td><em>12 pages, 9 symbologies, 10 MCP</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PiManager (piez)</td><td><a href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\">http://piez.iamworkin.lan:5000</a></td><td>5000 (piez direct)</td><td><em>GPIO, I2C, SPI, 20 MCP</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PiManager (pirelay)</td><td><a href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\">http://pirelay.iamworkin.lan:5100</a></td><td>5100 (pirelay direct)</td><td><em>4-ch relay, scheduling</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Frigate NVR</td><td><a href=\"http://edge1.iamworkin.lan:5000\" target=\"_blank\">http://edge1.iamworkin.lan:5000</a></td><td>5000 (edge1 direct)</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Frigate</span></a></td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<h3>Monitoring</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Prometheus (noc1)</div>\n    <ul>\n      <li><strong>Targets:</strong> 15 scrape jobs (node-exporter: noc1 + 3 RKE2 + 2 edge + piez + pirelay, SNMP: pfSense + Cloud Key + Switch + NAS + Printer, Blackbox: 4 AI stack probes, self)</li>\n      <li><strong>Alert Rules:</strong> 8 (NodeDown, PfSenseDown, HighCPU, HighMemory, DiskSpaceLow, +3)</li>\n      <li><strong>Config:</strong> <code>/opt/monitoring/prometheus/prometheus.yml</code></li>\n      <li><strong>Reload:</strong> <code>podman kill -s SIGHUP prometheus</code></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Grafana (noc1:3000)</div>\n    <ul>\n      <li><strong>Version:</strong> v12.4.0</li>\n      <li><strong>Dashboards:</strong> BlueJay Network Overview, Node Exporter Full (#1860), BlueJay Edge Nodes, BlueJay Operations (Prometheus+Zabbix unified) &mdash; all in BlueJay folder</li>\n      <li><strong>Datasources:</strong> Prometheus (http://localhost:9090), Zabbix (alexanderzobnin-zabbix-datasource v6.2.1)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Zabbix (RKE2) &mdash; 13 Hosts</div>\n    <ul>\n      <li><strong>Agent Hosts (8):</strong> noc1, rke2-server, rke2-agent1, rke2-agent2, edge1, edge2, piez, pirelay</li>\n      <li><strong>SNMP Hosts (3):</strong> pfSense, UniFi Switch, BlueJayNAS (DS1621+)</li>\n      <li><strong>SNMP Host (1):</strong> Epson ET-3750 EcoTank</li>\n      <li><strong>Local (1):</strong> Zabbix server self-check</li>\n      <li><strong>Agent Version:</strong> Zabbix Agent 2 v7.0.22&ndash;7.2.15 on all 8 Linux nodes</li>\n      <li><strong>Passive checks:</strong> Server= includes MetalLB VIP + RKE2 node IPs + pod CIDR</li>\n      <li><strong>Note:</strong> Mac Mini (macOS) pending Zabbix agent setup</li>\n    </ul>\n  </div>\n</div>\n<h3>Pi Fleet Services (FlowerCore.PiManager)</h3>\n<table>\n<thead><tr><th>Device</th><th>URL</th><th>Port</th><th>Capabilities</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>piez (Pi 4)</td><td><a href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\">http://piez.iamworkin.lan:5000</a></td><td>5000</td><td>GPIO, I2C, SPI, Expanders (MCP23017/PCF8574/74HC595) &mdash; 10 pages, 35 API, 20 MCP</td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>pirelay (Pi 3)</td><td><a href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\">http://pirelay.iamworkin.lan:5100</a></td><td>5100</td><td>4-ch relay (KS0212, active-LOW), scheduling, usage tracking &mdash; 8 pages, relay API</td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>PiManager:</strong> Unified .NET 10 service deployed to both Pi nodes with different <code>ASPNETCORE_ENVIRONMENT</code> overlays. Config-driven capabilities &mdash; same binary, different features per device. Supports relay presets: ks0212-4ch, walfront-16ch, sainsmart-8ch. API docs at <code>/scalar/v1</code> on each node.</div>\n\n<h3>Guacamole Connection Groups (14 connections)</h3>\n<table>\n<thead><tr><th>Group</th><th>Connections</th><th>Protocol</th></tr></thead>\n<tbody>\n<tr><td><strong>Kubernetes</strong> (3)</td><td>rke2-server, rke2-agent1, rke2-agent2</td><td>SSH</td></tr>\n<tr><td><strong>Network Devices</strong> (4)</td><td>pfSense, UniFi Cloud Key, Synology WiFi (SRM), BlueJayNAS</td><td>SSH</td></tr>\n<tr><td><strong>Servers</strong> (3)</td><td>noc1, Mac Mini (SSH), Mac Mini (VNC)</td><td>SSH/VNC</td></tr>\n<tr><td><strong>Edge Nodes</strong> (4)</td><td>edge1 (Pi 5 + AI), edge2 (Pi 4), piez (Pi 4 + EZ Connect), pirelay (Pi 3 + Relay)</td><td>SSH</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>Guacamole credentials:</strong> All connection passwords are stored in the Guacamole MySQL database (synced from 1Password). Access at <a href=\"https://guac.iamworkin.lan\" target=\"\
-    _blank\">https://guac.iamworkin.lan</a> &mdash; <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=j7p2jalf5pcltawrx3c6o54yga\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Apache Guacamole</span></a></div>\n</div>\n\n<!-- ===== TAB: VPN & SECURITY ===== -->\n<div id=\"tab-vpn\" class=\"tab-content\">\n<h2>VPN &amp; Security</h2>\n<div class=\"note\"><strong>OpenVPN Status:</strong> 8 servers configured and operational. Bound to tenant VIPs (.17, .19, .21, .23, .25). Each tenant has TUN (L3 routed) and TAP (L2 bridged) instances on ports 1194/1195 UDP.</div>\n<h3>OpenVPN Configuration</h3>\n<table>\n<thead><tr><th>Tenant</th><th>VIP</th><th>TUN Port</th><th>TAP Port</th><th>Tunnel (TUN)</th><th>Tunnel (TAP)</th><th>VLAN</th></tr></thead>\n<tbody>\n<tr><td><span class=\"b b-tenant\">ANDREW</span></td><td><span class=\"ip\">.17</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.0/27</span></td><td><span class=\"ip\">10.0.68.128/27</span></td><td>60</td></tr>\n<tr><td><span class=\"b b-tenant\">MATT</span></td><td><span class=\"ip\">.19</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.32/27</span></td><td><span class=\"ip\">10.0.68.160/27</span></td><td>61</td></tr>\n<tr><td><span class=\"b b-tenant\">DUSTIN</span></td><td><span class=\"ip\">.21</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.64/27</span></td><td><span class=\"ip\">10.0.68.192/27</span></td><td>62</td></tr>\n<tr><td><span class=\"b b-tenant\">ERIK</span></td><td><span class=\"ip\">.23</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.96/27</span></td><td><span class=\"ip\">10.0.68.224/27</span></td><td>63</td></tr>\n<tr><td><span class=\"b b-tenant\">FIT</span></td><td><span class=\"ip\">.25</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.69.0/27</span></td><td><span class=\"ip\">10.0.69.128/27</span></td><td>69</td></tr>\n</tbody>\n</table>\n<h3>VPN Certificate Infrastructure</h3>\n<table>\n<thead><tr><th>Component</th><th>Details</th></tr></thead>\n<tbody>\n<tr><td>CA</td><td>BlueJay VPN CA (4096-bit RSA, SHA-256, 10-year)</td></tr>\n<tr><td>Server Certs</td><td>8 (one per VPN instance, 2048-bit RSA)</td></tr>\n<tr><td>Client Certs</td><td>4 (one per tenant, 2048-bit RSA)</td></tr>\n<tr><td>TLS Auth</td><td>Shared HMAC key across all servers</td></tr>\n<tr><td>Data Ciphers</td><td>AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305</td></tr>\n</tbody>\n</table>\n<h3>IPsec Site-to-Site (Planned)</h3>\n<table>\n<thead><tr><th>Tunnel</th><th>Local</th><th>Remote</th><th>Phase 1</th><th>Phase 2 SAs</th></tr></thead>\n<tbody>\n<tr><td>Matt</td><td>.29 (pfSense WAN)</td><td>Matt's public IP</td><td>IKEv2, AES-256-GCM, DH 14+</td><td>MATT (10.0.61.0/24) + PROD (10.0.57.0/24)</td></tr>\n<tr><td>Dustin</td><td>.29 (pfSense WAN)</td><td>Dustin's public IP</td><td>IKEv2, AES-256-GCM, DH 14+</td><td>DUSTIN (10.0.62.0/24) + PROD (10.0.57.0/24)</td></tr>\n</tbody>\n</table>\n<h3>Security Policies</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Cloudflare Protection</div>\n    <ul>\n      <li><strong>SSL Mode:</strong> Full (strict) on all 6 zones</li>\n      <li><strong>Origin Certs:</strong> *.flowercore.io + *.iamwork.in (15-year RSA), deployed across 8 K8s namespaces</li>\n      <li><strong>HSTS:</strong> Enabled on all zones</li>\n      <li><strong>Min TLS:</strong> 1.2</li>\n      <li><strong>Anti-spoofing:</strong> null MX, SPF -all, DMARC reject on non-email domains</li>\n      <li><strong>Cloudflare-only inbound:</strong> Port forwards for 80/443 restrict source to Cloudflare IP ranges</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">SSH Key Policy</div>\n    <ul>\n      <li><strong>Key Type:</strong> ed25519 (deployed to all 9 physical nodes)</li>\n      <li><strong>WSL Key:</strong> <code>stoltz@IAMWORKIN-WS</code> &mdash; deployed to noc1, rke2-server, rke2-agent1, rke2-agent2, edge1, edge2, piez, pirelay, Mac Mini</li>\n      <li><strong>noc1 Key:</strong> <code>noc1-root</code> + <code>rke2@bluejay</code> &mdash; management keys for remote nodes</li>\n      <li><strong>Root Login:</strong> Key-only (PermitRootLogin without-password)</li>\n      <li><strong>RKE2 Nodes:</strong> SELinux enforcing, <code>chcon -t ssh_home_t</code> on authorized_keys</li>\n      <li><strong>Last verified:</strong> 2026-03-21 (all 9 nodes confirmed)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Network Security Rules</div>\n    <ul>\n      <li><strong>Forced DNS:</strong> HOME/WORK/SCHOOL/GUEST block port 53 except to gateway</li>\n      <li><strong>Blocked SMTP:</strong> Outbound 25/465/587 on HOME/WORK/SCHOOL/GUEST</li>\n      <li><strong>Firewall Policy:</strong> Deny-all default, explicit allow per VLAN</li>\n      <li><strong>Tenant Isolation:</strong> Tenants fully isolated from each other, only PROD + DNS + NAS + internet</li>\n    </ul>\n  </div>\n</div>\n<h3>PKI Hierarchy</h3>\n<table>\n<thead><tr><th>CA</th><th>Status</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td>Root CA (IAmWorkin ACME CA)</td><td><span class=\"b b-online\">Operational</span></td><td>Trust anchor, ECDSA P-256, expires 2036</td></tr>\n<tr><td>ACME CA (step-ca on noc1)</td><td><span class=\"b b-online\">Operational</span></td><td>Automated cert issuance via ACME protocol</td></tr>\n<tr><td>Network CA</td><td><span class=\"b b-planned\">Planned</span></td><td>Switch, AP, pfSense device certs</td></tr>\n<tr><td>Windows AD CS CA</td><td><span class=\"b b-planned\">Planned</span></td><td>Domain-joined machine/user certs</td></tr>\n<tr><td>Internal Services CA</td><td><span class=\"b b-planned\">Planned</span></td><td>K8s service mesh, inter-service mTLS</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: REMOTE ACCESS ===== -->\n<div id=\"tab-remote\" class=\"tab-content\">\n<h2>Remote Access &mdash; Blue Jay Gateway</h2>\n<div class=\"note\">Apache Guacamole with Blue Jay branding, 1Password vault integration, K8s exec, and embedded panels. All credentials resolved from 1Password at connection time &mdash; no passwords stored in Guacamole.</div>\n\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Guacamole Web UI</div>\n    <ul>\n      <li><strong>URL:</strong> <a href=\"https://guac.iamworkin.lan/\" target=\"_blank\">guac.iamworkin.lan</a> <button class=\"copy-btn\" onclick=\"copyText('https://guac.iamworkin.lan/')\">copy</button></li>\n      <li><strong>Version:</strong> 1.6.0 + Blue Jay branding</li>\n      <li><strong>Admin:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">Guacamole</span></a></li>\n      <li><strong>K8s:</strong> <code>guacamole</code> namespace</li>\n      <li><strong>Ingress:</strong> Traefik &rarr; guacamole:8080 (WebSocket)</li>\n      <li><strong>ArgoCD:</strong> <code>infra-guacamole</code></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Extensions</div>\n    <ul>\n      <li><strong>Blue Jay Branding</strong> &mdash; Full dark theme, custom login, logo</li>\n      <li><strong>1Password Vault</strong> &mdash; <code>${VAULT_PASSWORD}</code> token resolution</li>\n      <li><strong>TOTP MFA</strong> &mdash; Required for all users</li>\n      <li><strong>Auth Ban</strong> &mdash; 5 failures = 5min IP ban</li>\n      <li><strong>JSON Auth</strong> &mdash; Signed tokens for embedded panels</li>\n      <li><strong>Time Restrict</strong> &mdash; Per-connection time windows</li>\n      <li><strong>Recording Storage</strong> &mdash; NFS (Synology) playback</li>\n      <li><strong>Display Statistics</strong> &mdash; Performance metrics</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password Integration</div>\n    <ul>\n      <li><strong>Connect URL:</strong> <code>onepassword-connect:8080</code> (K8s internal)</li>\n      <li><strong>Vault:</strong> IAmWorkin (<code>qaphopopkryhbg353ukzhhuqoq</code>)</li>\n      <li><strong>Token:</strong> Via <code>OnePasswordItem</code> CRD</li>\n      <li><strong>Rotation:</strong> Automatic &mdash; change in 1Password, Guacamole picks up on next connect</li>\n      <li><strong>Cache TTL:</strong> 5 minutes</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Session Recording</div>\n    <ul>\n      <li><strong>Storage:</strong> NFS on Synology (<code>/volume1/guacamole/recordings</code>)</li>\n      <li><strong>PVC:</strong> <code>guacamole-recordings-pvc</code> (50 Gi)</li>\n      <li><strong>Format:</strong> Guacamole native (playable in browser)</li>\n      <li><strong>Retention:</strong> Linked to connection history</li>\n    </ul>\n  </div>\n</div>\n\n<h3 style=\"margin-top:1.5rem;\">Connection Inventory (${VAULT_*} tokens &mdash; no hardcoded passwords)</h3>\n<table>\n<thead><tr><th>Connection</th><th>Protocol</th><th>Host</th><th>VLAN</th><th>1Password Item</th></tr></thead>\n<tbody>\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--gold);\">MGMT (VLAN 56) &mdash; Infrastructure</td></tr>\n<tr><td>pfSense &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">pfsense.iamworkin.lan</span></td><td>56</td><td>pfSense Admin</td></tr>\n<tr><td>Cloud Key &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">unifi.iamworkin.lan</span></td><td>56</td><td>UniFi CloudKey</td></tr>\n<tr><td>UniFi Switch &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"\
-    ip\">switch.iamworkin.lan</span></td><td>56</td><td>UniFi CloudKey</td></tr>\n<tr><td>noc1 &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">noc1.iamworkin.lan</span></td><td>56</td><td>noc1 Root SSH</td></tr>\n<tr><td>rke2-server &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">rke2-server.iamworkin.lan</span></td><td>56</td><td>RKE2 Server</td></tr>\n<tr><td>rke2-agent1 &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">rke2-agent1.iamworkin.lan</span></td><td>56</td><td>RKE2 Agent 1</td></tr>\n<tr><td>rke2-agent2 &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">rke2-agent2.iamworkin.lan</span></td><td>56</td><td>RKE2 Agent 2</td></tr>\n\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--accent);\">PROD (VLAN 57) &mdash; Production</td></tr>\n<tr><td>edge1 (Pi 5) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">edge1.iamworkin.lan</span></td><td>57</td><td>Edge1 Pi5 SSH</td></tr>\n<tr><td>edge2 (Pi 4) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">edge2.iamworkin.lan</span></td><td>57</td><td>Edge2 Pi4 SSH</td></tr>\n<tr><td>Mac Mini &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">macmini.iamworkin.lan</span></td><td>57</td><td>Mac Mini</td></tr>\n<tr><td>Mac Mini &mdash; VNC</td><td><span class=\"b b-warn\" style=\"font-size:0.75em;\">VNC</span></td><td><span class=\"ip\">macmini.iamworkin.lan</span></td><td>57</td><td>Mac Mini</td></tr>\n\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--green);\">HOME (VLAN 58) &mdash; Home Network</td></tr>\n<tr><td>Synology NAS &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">nas.iamworkin.lan</span></td><td>58</td><td>Synology NAS</td></tr>\n<tr><td>Synology WiFi &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">wifi.iamworkin.lan</span></td><td>58</td><td>Synology SRM</td></tr>\n<tr><td>piez (Pi 4) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">piez.iamworkin.lan</span></td><td>58</td><td>PiEZ SSH</td></tr>\n<tr><td>pirelay (Pi 3) &mdash; SSH</td><td><span class=\"b b-ok\" style=\"font-size:0.75em;\">SSH</span></td><td><span class=\"ip\">pirelay.iamworkin.lan</span></td><td>58</td><td>PiRelay SSH</td></tr>\n\n<tr style=\"background:var(--surface2);\"><td colspan=\"5\" style=\"font-weight:600;color:var(--cyan);\">Kubernetes &mdash; Pod Exec (auto-synced every 2min)</td></tr>\n<tr><td>argocd-server</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>gitea-0</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>asterisk</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>zabbix-server</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>synapse</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n<tr><td>unrealircd</td><td><span class=\"b b-planned\" style=\"font-size:0.75em;\">K8S</span></td><td>kubernetes.default.svc</td><td>&mdash;</td><td>(ServiceAccount)</td></tr>\n</tbody>\n</table>\n\n<h3 style=\"margin-top:1.5rem;\">Embedded Panel (Quick SSH)</h3>\n<div class=\"note\">The embedded panel below uses <code>guacamole-common-js</code> to connect directly to Guacamole's tunnel servlet. Requires authentication to <a href=\"https://guac.iamworkin.lan/\" target=\"_blank\">guac.iamworkin.lan</a> first.</div>\n<div class=\"card\" style=\"padding:0;overflow:hidden;\">\n  <div class=\"guac-embed\" id=\"panel-noc1\" data-connection=\"noc1 &mdash; SSH\" data-width=\"100%\" data-height=\"400\" style=\"width:100%;\">\n    <div style=\"display:flex;align-items:center;gap:8px;padding:8px 12px;background:var(--surface2);border-bottom:1px solid var(--border);\">\n      <span style=\"width:8px;height:8px;border-radius:50%;background:var(--text-muted);\" id=\"guac-status-dot\"></span>\n      <span style=\"color:var(--text-heading);font-weight:600;flex:1;\">noc1 &mdash; SSH Terminal</span>\n      <a href=\"https://guac.iamworkin.lan/#/client/bm9jMS1zc2g\" target=\"_blank\" style=\"color:var(--accent);text-decoration:none;font-size:0.85em;\">Open in Guacamole &rarr;</a>\n    </div>\n    <div style=\"height:400px;background:#000;display:flex;align-items:center;justify-content:center;color:var(--text-muted);font-family:var(--font-mono, monospace);\">\n      <p>Connect via <a href=\"https://guac.iamworkin.lan/\" target=\"_blank\" style=\"color:var(--accent);\">Blue Jay Remote Access</a> to use the embedded terminal.<br>\n      <span style=\"font-size:0.85em;opacity:0.7;\">Requires <code>bluejay-guac-embed.js</code> and <code>guacamole-common-js</code></span></p>\n    </div>\n  </div>\n</div>\n\n<h3 style=\"margin-top:1.5rem;\">Deployment Details</h3>\n<table>\n<thead><tr><th>Component</th><th>Image</th><th>Replicas</th><th>Resources</th></tr></thead>\n<tbody>\n<tr><td>guacamole (Tomcat)</td><td><code>fc-guacamole:1.6.0-bluejay</code></td><td>1</td><td>200m-1 CPU, 512Mi-1Gi</td></tr>\n<tr><td>guacd (C proxy)</td><td><code>guacamole/guacd:1.6.0</code></td><td>1</td><td>200m-2 CPU, 256Mi-1Gi</td></tr>\n<tr><td>MySQL 8</td><td><code>mysql:8.0</code></td><td>1 (StatefulSet)</td><td>100m-500m CPU, 256-512Mi</td></tr>\n<tr><td>K8s Sync CronJob</td><td><code>bitnami/kubectl:1.34</code></td><td>every 2min</td><td>minimal</td></tr>\n</tbody>\n</table>\n\n<h3 style=\"margin-top:1.5rem;\">Files Reference</h3>\n<table>\n<thead><tr><th>Artifact</th><th>Path</th></tr></thead>\n<tbody>\n<tr><td>Design plan</td><td><code>docs/infrastructure/guacamole-customization-plan.md</code></td></tr>\n<tr><td>K8s manifests</td><td><code>k8s/guacamole/*.yaml</code></td></tr>\n<tr><td>Branding extension</td><td><code>k8s/guacamole/extensions/bluejay-branding/</code></td></tr>\n<tr><td>1Password vault extension</td><td><code>k8s/guacamole/extensions/1password-vault/</code></td></tr>\n<tr><td>Embed library</td><td><code>k8s/guacamole/scripts/bluejay-guac-embed.js</code></td></tr>\n<tr><td>Dockerfile</td><td><code>k8s/guacamole/Dockerfile</code></td></tr>\n<tr><td>Bootstrap script</td><td><code>k8s/guacamole/scripts/bootstrap-connections.sh</code></td></tr>\n<tr><td>Build/deploy script</td><td><code>k8s/guacamole/scripts/build-image.sh</code></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: EDGE NODES ===== -->\n<div id=\"tab-edge\" class=\"tab-content\">\n<h2>Edge Nodes</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>edge1 &mdash; Raspberry Pi 5 + Hailo AI</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">edge1.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge1.iamworkin.lan')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>stoltz@edge1.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@edge1.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge1 Pi5 SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 5 16GB + Hailo-10H 40 TOPS (AI HAT+ 2)</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>PCIe:</strong> Gen 3 x1 (8.0 GT/s)</li>\n      <li><strong>Power:</strong> 27W USB-C</li>\n      <li><strong>.NET SDK:</strong> 10.0.103</li>\n      <li><strong>GitHub Runner:</strong> v2.332.0 (labels: pi5, hailo)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Puppet:</strong> profile::edge_ai</li>\n      <li><strong>Zabbix Agent:</strong> v7.2.15 (passive, port 10050)</li>\n      <li><strong>Switch Port:</strong> 13</li>\n      <li><strong>Disk:</strong> 93% (2.0GB free)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>edge2 &mdash; Raspberry Pi 4 (Argon ONE)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">edge2.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('edge2.iamworkin.lan')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>stoltz@edge2.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@edge2.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=kyeqfwy76msqb4cfdjueaq5uta\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge2 Pi4 SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 4 Model B 4GB, Argon ONE case</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Fan Control:</strong> argononed.service (55&deg;C=10%, 60&deg;C=55%, 65&deg;C=100%)</li>\n      <li><strong>.NET SDK:</strong> 10.0.103</li>\n      <li><strong>Print Service:</strong> <span class=\"b b-online\"\
-    >LIVE</span> <a href=\"http://print.iamworkin.lan:5200\" target=\"_blank\">FlowerCore.Print.Web :5200</a> (12 pages, 9 symbologies, AI barcode)</li>\n      <li><strong>GitHub Runners:</strong> v2.332.0 &mdash; MySQL (edge2-mysql), PHP (edge2-php)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Puppet:</strong> profile::edge_runner</li>\n      <li><strong>Zabbix Agent:</strong> v7.2.15 (passive, port 10050)</li>\n      <li><strong>Switch Port:</strong> 11</li>\n      <li><strong>Guacamole:</strong> SSH connection in Edge Nodes group</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>piez &mdash; Raspberry Pi 4 + EZ Connect</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">piez.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('piez.iamworkin.lan')\">copy</button> (HOME VLAN 58, WiFi)</li>\n      <li><strong>SSH:</strong> <code>stoltz@piez.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@piez.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 piez SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 4 Model B 4GB + Pi EZ Connect board</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Role:</strong> GPIO prototyping, breadboard dev, I2C/SPI sensors</li>\n      <li><strong>.NET SDK:</strong> 10.0.201</li>\n      <li><strong>Web:</strong> <span class=\"b b-online\">LIVE</span> <a href=\"http://piez.iamworkin.lan:5000\" target=\"_blank\">FlowerCore.PiManager :5000</a> (10 pages, 35 API endpoints, 20 MCP tools)</li>\n      <li><strong>API Docs:</strong> <a href=\"http://piez.iamworkin.lan:5000/scalar/v1\" target=\"_blank\">Scalar :5000/scalar/v1</a></li>\n      <li><strong>Capabilities:</strong> GPIO, I2C, SPI, Expanders (MCP23017/PCF8574/74HC595)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Zabbix Agent:</strong> v7.0.22 (passive, port 10050)</li>\n      <li><strong>Guacamole:</strong> SSH connection in Edge Nodes group</li>\n      <li><strong>Dashboard:</strong> <a href=\"piez-prototyping.html\">piez-prototyping.html</a></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>pirelay &mdash; Raspberry Pi 3 + 4-Ch Relay</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">pirelay.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('pirelay.iamworkin.lan')\">copy</button> (HOME VLAN 58)</li>\n      <li><strong>SSH:</strong> <code>stoltz@pirelay.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@pirelay.iamworkin.lan')\">copy</button></li>\n      <li><strong>Password:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 pirelay SSH</span></a></li>\n      <li><strong>Hardware:</strong> Pi 3 Model B v1.2, 906 MB RAM + Keyestudio KS0212 4-channel relay shield</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Role:</strong> Relay controller, home automation prototyping</li>\n      <li><strong>Web:</strong> <span class=\"b b-online\">LIVE</span> <a href=\"http://pirelay.iamworkin.lan:5100\" target=\"_blank\">FlowerCore.PiManager :5100</a> (relay preset: ks0212-4ch)</li>\n      <li><strong>API Docs:</strong> <a href=\"http://pirelay.iamworkin.lan:5100/scalar/v1\" target=\"_blank\">Scalar :5100/scalar/v1</a></li>\n      <li><strong>GPIO (BCM, active-LOW):</strong> CH1=GPIO4, CH2=GPIO22, CH3=GPIO6, CH4=GPIO26</li>\n      <li><strong>Relay Ratings:</strong> 10A @ 250VAC / 30VDC per channel</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Zabbix Agent:</strong> v7.0.22 (passive, port 10050)</li>\n      <li><strong>Guacamole:</strong> SSH connection in Edge Nodes group</li>\n      <li><strong>Dashboard:</strong> <a href=\"relay-controller.html\">relay-controller.html</a></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Mac Mini (Build/Test Node)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">macmini.iamworkin.lan</span> <button class=\"copy-btn\" onclick=\"copyText('macmini.iamworkin.lan')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>bluejay@macmini.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh bluejay@macmini.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=npkseg2zvbmxmtg7qrseredvym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mac Mini</span></a></li>\n      <li><strong>VNC:</strong> <code>vnc://macmini.iamworkin.lan:5900</code> &mdash; <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=npkseg2zvbmxmtg7qrseredvym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mac Mini</span></a></li>\n      <li><strong>Hardware:</strong> Apple M1, 16GB RAM, 926GB SSD</li>\n      <li><strong>OS:</strong> macOS 26.3.1 (Darwin 25.3.0)</li>\n      <li><strong>Role:</strong> Xcode builds, Selenium Grid node, automated browser/app testing</li>\n      <li><strong>Guacamole:</strong> SSH + VNC connections in Servers group</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Edge2 &mdash; Print Service</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>FlowerCore.Print.Web</div>\n    <ul>\n      <li><strong>URL:</strong> <a href=\"http://print.iamworkin.lan:5200\" target=\"_blank\">http://print.iamworkin.lan:5200</a></li>\n      <li><strong>Pages:</strong> 12 Blazor pages (barcode gen, batch print, product cache, AI labels)</li>\n      <li><strong>Symbologies:</strong> 9 (Code128, EAN-13, QR, DataMatrix, ITF-14, UPC-A/E, Code39, Codabar)</li>\n      <li><strong>Features:</strong> Product cache DB, AI label generation (Ollama on Pi), batch barcodes, combo labels</li>\n      <li><strong>MCP Tools:</strong> 10 tools for programmatic barcode/label generation</li>\n      <li><strong>Thermal Printer:</strong> Connected Epson ET-3750 (<span class=\"ip\">printer.iamworkin.lan</span>)</li>\n      <li><strong>systemd:</strong> <code>flowercore-print.service</code> (auto-start)</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Edge1 AI &amp; Speech Services</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Ollama (LLM Inference)</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://edge1.iamworkin.lan:11434</span> <button class=\"copy-btn\" onclick=\"copyText('http://edge1.iamworkin.lan:11434')\">copy</button></li>\n      <li><strong>Model:</strong> qwen2.5-coder:7b (4.7GB Q4_K_M)</li>\n      <li><strong>Managed by:</strong> profile::edge::ollama (Puppet)</li>\n      <li><strong>Firewall:</strong> nftables port 11434 from MGMT+PROD</li>\n      <li><strong>Note:</strong> SD card 95% full &mdash; one model max</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Piper TTS (Text-to-Speech)</div>\n    <ul>\n      <li><strong>Version:</strong> piper-tts 1.4.1 in ~/piper-env venv</li>\n      <li><strong>Voices:</strong> en_US-amy-low (16kHz) + en_US-amy-medium (22kHz)</li>\n      <li><strong>Performance:</strong> RTF 0.10 (10x real-time), 222ms latency (short)</li>\n      <li><strong>CPU Usage:</strong> 3/4 cores (271%)</li>\n      <li><strong>Note:</strong> 16kHz matches G.711 natively for telephony</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Hailo Whisper STT (Speech-to-Text)</div>\n    <ul>\n      <li><strong>Model:</strong> Whisper-Base HEF (131MB, v5.1.1)</li>\n      <li><strong>Path:</strong> /opt/hailo-models/Whisper-Base.hef</li>\n      <li><strong>Performance:</strong> RTF 0.05-0.11 (10-18x real-time)</li>\n      <li><strong>Model Load:</strong> 1.2s cold start</li>\n      <li><strong>Multi-process:</strong> VDevice for coexistence with Frigate</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Speech Pipeline Service</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://edge1.iamworkin.lan:8500</span> <button class=\"copy-btn\" onclick=\"copyText('http://edge1.iamworkin.lan:8500')\">copy</button></li>\n      <li><strong>Endpoints:</strong> POST /tts, POST /stt, GET /health</li>\n      <li><strong>User:</strong> <code>speech</code> in <code>hailo</code> group</li>\n      <li><strong>Managed by:</strong> profile::edge::speech_pipeline (Puppet)</li>\n      <li><strong>Firewall:</strong> nftables port 8500 from MGMT+PROD</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-yellow\"></span>Twilio Voice Bridge (PoC)</div>\n    <ul>\n      <li><strong>Location:</strong> /opt/twilio-bridge/ on edge1</li>\n      <li><strong>WebSocket:</strong> :8765 &bull; <strong>TwiML:</strong> :8766</li>\n      <li><strong>Cloudflare Tunnel:</strong> bluejay-voice (3ddfa567-b0a7-40cb-9c57-7f20f3ec3637)</li>\n      <li><strong>URLs:</strong> voice.bluejay.dev (TwiML), voice-ws.bluejay.dev (WS)</li>\n      <li><strong>Services:</strong> cloudflared-tunnel on noc1, twilio-bridge + twilio-twiml on edge1</li>\n      <li><strong>Status:</strong> <span class=\"b b-planned\">PoC</span>\
-    \ &mdash; STT fixed, TTS stream API mismatch</li>\n    </ul>\n  </div>\n</div>\n</div>\n\n<!-- ===== TAB: STORAGE ===== -->\n<div id=\"tab-storage\" class=\"tab-content\">\n<h2>Storage</h2>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>BlueJayNAS &mdash; Synology DS1621+</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">nas.iamworkin.lan</span> (HOME VLAN 58, switch port 14)</li>\n      <li><strong>DNS:</strong> <code>nas.iamworkin.lan</code>, <code>synology.iamworkin.lan</code></li>\n      <li><strong>DSM:</strong> <a href=\"https://nas.iamworkin.lan:5001\" target=\"_blank\">https://nas.iamworkin.lan:5001</a> (v7.3.2-86009 Update 1)</li>\n      <li><strong>SSH:</strong> <code>bluejay@nas.iamworkin.lan</code> <button class=\"copy-btn\" onclick=\"copyText('ssh bluejay@nas.iamworkin.lan')\">copy</button></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cbxfibct4j6jfm6ccsogpayjuy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 BlueJayNAS</span></a></li>\n      <li><strong>Model:</strong> DS1621+ (6-bay, AMD Ryzen V1500B)</li>\n      <li><strong>Storage:</strong> 9.1 TB Btrfs (RAID), ~7.8 TB free</li>\n      <li><strong>MAC:</strong> 00:11:32:f2:43:6b</li>\n      <li><strong>TLS Cert:</strong> ca.iamworkin.lan (step-ca ACME, expires 2026-06-03)</li>\n      <li><strong>NFS Domain:</strong> private.iamwork.in</li>\n      <li><strong>2FA:</strong> TOTP enabled on DSM</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--green);\">\n    <div class=\"card-title\">NFS Exports &amp; Services</div>\n    <ul>\n      <li><strong>Longhorn Backup:</strong> <code>nfs://nas.iamworkin.lan:/volume1/NetBackup/longhorn-backups</code></li>\n      <li><strong>Kubernetes Shared:</strong> <code>/volume1/kubernetes</code> (NFS mount for PVCs)</li>\n      <li><strong>Selenium Screenshots:</strong> <code>/volume1/selenium/screenshots</code> (AAT visual tests via PVC)</li>\n      <li><strong>Selenium Videos:</strong> <code>/volume1/selenium/videos</code> (test recordings)</li>\n      <li><strong>NFS Permissions:</strong> RKE2 nodes rke2-server/agent1/agent2 (MGMT VLAN cross-VLAN rule)</li>\n      <li><strong>Ports:</strong> NFS (2049), iSCSI (3260, no targets yet), DSM API (5001), SSH (22), SNMP (161)</li>\n      <li><strong>pfSense Rule:</strong> RKE2 &rarr; NAS on 2049/3260/5001</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--gold);\">\n    <div class=\"card-title\">Monitoring &amp; Security</div>\n    <ul>\n      <li><strong>SNMP:</strong> v2c community <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=7qias4wucncvleievorxda5pym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 SNMP</span></a></li>\n      <li><strong>Zabbix Host:</strong> BlueJayNAS (ID 10678) &mdash; Linux by SNMP template</li>\n      <li><strong>Prometheus:</strong> SNMP scrape via snmp-exporter (synology module)</li>\n      <li><strong>Auto Block:</strong> Enabled (brute-force protection)</li>\n      <li><strong>DSM Firewall:</strong> <span class=\"b b-offline\">DO NOT ENABLE</span> &mdash; synofirewall segfaults on 7.3.2, causes lockout</li>\n      <li><strong>admin account:</strong> <span class=\"b b-online\">ENABLED</span> &mdash; never disable (breaks all admin-group privileges)</li>\n      <li><strong>SSH:</strong> Keep <code>PasswordAuthentication yes</code> (disabling breaks sudo/PAM)</li>\n      <li><strong>Guacamole:</strong> SSH connection in Network Devices group</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--red);\">\n    <div class=\"card-title\">Recovery Notes</div>\n    <ul>\n      <li><strong>admin disabled recovery:</strong> Physical RESET button (4s hold, 1 beep) + power cycle</li>\n      <li><strong>Firewall lockout:</strong> Physical RESET (same procedure)</li>\n      <li><strong>Security hardening:</strong> Use pfSense cross-VLAN rules, NOT DSM-level firewall/SSH hardening</li>\n      <li><strong>CLI tools:</strong> <code>/usr/syno/bin/synopkg</code>, <code>/usr/syno/sbin/synouser</code>, <code>/usr/syno/sbin/synogroup</code></li>\n      <li><strong>DSM API:</strong> <code>https://nas.iamworkin.lan:5001/webapi/entry.cgi</code> &mdash; SYNO.API.Auth + otp_code for 2FA</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Longhorn Persistent Volume Claims (17 PVCs, ~69 Gi)</h3>\n<div class=\"note\"><strong>Longhorn &rarr; NAS Backup:</strong> Longhorn is the default StorageClass on the RKE2 cluster (iSCSI). All 17 PVCs backed up to BlueJayNAS via NFS. Daily backups at 02:00 UTC (retain 14 days), hourly snapshots (retain 24).</div>\n<table>\n<thead><tr><th>Namespace</th><th>PVC</th><th>Size</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td>monitoring</td><td>prometheus-data + grafana-data</td><td>12 Gi</td><td>Prometheus TSDB (90-day retention) + Grafana dashboards/DB</td></tr>\n<tr><td>zabbix</td><td>zabbix-postgres-data</td><td>10 Gi</td><td>Zabbix PostgreSQL (13 hosts, history/trends)</td></tr>\n<tr><td>gitea</td><td>gitea-shared-storage</td><td>10 Gi</td><td>Git repositories, LFS objects, attachments</td></tr>\n<tr><td>telephony</td><td>asterisk-data + telephony-data</td><td>10 Gi</td><td>Asterisk PBX config + FlowerCore.Telephony DB</td></tr>\n<tr><td>matrix</td><td>matrix-postgres-data + synapse-data</td><td>7 Gi</td><td>Matrix Synapse PostgreSQL + media store</td></tr>\n<tr><td>mail</td><td>mail-data + mail-state</td><td>6 Gi</td><td>docker-mailserver (Postfix queues, Dovecot mail)</td></tr>\n<tr><td>agent-zero</td><td>agent-zero-data + knowledge</td><td>6 Gi</td><td>Agent Zero persistent data + FAISS knowledge base</td></tr>\n<tr><td>guacamole</td><td>guac-mysql-data</td><td>5 Gi</td><td>Guacamole MySQL (14 connections, session history)</td></tr>\n<tr><td>irc</td><td>anope-data + unrealircd-data</td><td>2 Gi</td><td>IRC services DB (channels, nicks) + UnrealIRCd config</td></tr>\n<tr><td>teamspeak</td><td>teamspeak-data</td><td>1 Gi</td><td>TeamSpeak virtual server config + file transfers</td></tr>\n</tbody>\n</table>\n<table>\n<thead><tr><th>Component</th><th>Detail</th></tr></thead>\n<tbody>\n<tr><td>Storage Backend</td><td>Longhorn (iSCSI, default StorageClass, 3 replicas per volume)</td></tr>\n<tr><td>Backup Target</td><td><code>nfs://nas.iamworkin.lan:/volume1/NetBackup/longhorn-backups</code></td></tr>\n<tr><td>Backup Schedule</td><td>Daily at 02:00 UTC (retain 14 days), hourly snapshots (retain 24)</td></tr>\n<tr><td>RKE2 Requirement</td><td>iscsid enabled on all nodes (<code>systemctl enable --now iscsid</code>)</td></tr>\n<tr><td>Managed by</td><td>Puppet profile::kubernetes::rke2 (prerequisites, kernel modules, sysctl)</td></tr>\n</tbody>\n</table>\n\n<h3>Synology CSI Driver (Pending)</h3>\n<div class=\"note note-warn\"><strong>Status:</strong> Helm repo added, deployment pending. Will enable dynamic PVC provisioning directly from Synology NFS/iSCSI.</div>\n<table>\n<thead><tr><th>Component</th><th>Detail</th></tr></thead>\n<tbody>\n<tr><td>Driver</td><td>SynologyOpenSource/synology-csi v1.2.1</td></tr>\n<tr><td>Helm Chart</td><td>christian-schlichtherle, v0.11.0</td></tr>\n<tr><td>Protocols</td><td>NFS, iSCSI, SMB</td></tr>\n<tr><td>Service Account</td><td><code>k8s-csi</code> (UID 1032) on BlueJayNAS</td></tr>\n<tr><td>1Password</td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=cbxfibct4j6jfm6ccsogpayjuy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Synology CSI creds</span></a></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: WIFI ===== -->\n<div id=\"tab-wifi\" class=\"tab-content\">\n<h2>WiFi Networks</h2>\n<div class=\"note\"><strong>Credentials:</strong> All WiFi passwords are stored in the <strong>IAmWorkin</strong> vault on 1Password. To connect a device, open the 1Password app, find the WiFi entry, and scan the QR code from there. Passwords are not stored in this page for security.</div>\n<div class=\"note note-warn\"><strong>QR Code Connection:</strong> Open 1Password &rarr; search for the SSID name &rarr; tap &ldquo;Show QR Code&rdquo; &rarr; scan with your device camera. The QR code encodes the full <code>WIFI:T:WPA;S:{SSID};P:{PASSWORD};;;</code> connection string.</div>\n\n<div class=\"wifi-grid\" id=\"wifiGrid\">\n  <!-- BlueJay-Home -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Home\" data-vlan=\"58\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--purple);\">\n      <div class=\"wifi-ssid\">BlueJay-Home</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-home\">HOME (VLAN 58)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"\
-    wifi-value\"><code>BlueJay-Home</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">58 (untagged on AP)</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=vetpnvuxyfdcvkjr2cqhuaqekq\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Home network &mdash; personal / family use</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">800 / 800 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.29</span></span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Employee -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Employee\" data-vlan=\"59\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--cyan);\">\n      <div class=\"wifi-ssid\">BlueJay-Employee</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">EMPLOYEE (VLAN 59)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Employee</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">59</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=g36whfbi5zwcvsr6itowe67jjm\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Employee network &mdash; staff device access</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">500 / 500 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Work -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Work\" data-vlan=\"64\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--accent);\">\n      <div class=\"wifi-ssid\">BlueJay-Work</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">WORK (VLAN 64)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Work</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">64</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=4omsv5ybqoyk4tvqrqww7kv3yu\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Work network &mdash; business devices</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">500 / 500 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-School -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-School\" data-vlan=\"65\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--green);\">\n      <div class=\"wifi-ssid\">BlueJay-School</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">SCHOOL (VLAN 65)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-School</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">65</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=jnl2dodsrbli2y5rhwirvcywzy\" target=\"_blank\" class=\"op-link\"><span class=\"b b-planned\">\U0001F510 Open in 1Password</span></a></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">School network &mdash; student devices</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">200 / 200 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Guest -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Guest\" data-vlan=\"66\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--gold);\">\n      <div class=\"wifi-ssid\">BlueJay-Guest</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-spare\">GUEST (VLAN 66)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder wifi-qr-open\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"\
-    7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Open network &mdash; no password required</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Guest</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">66</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">Open / Captive Portal</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><span class=\"b b-online\">None (open)</span></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Guest WiFi &mdash; fully isolated, NAT only</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">100 / 50 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n</div>\n\n<h3>WiFi Access Point</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Synology RT6600AX (AP Mode)</div>\n    <ul>\n      <li><strong>Management:</strong> <a href=\"http://wifi.iamworkin.lan:8000\" target=\"_blank\">http://wifi.iamworkin.lan:8000</a></li>\n      <li><strong>Credentials:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=hlys5gwgnfa2a2nclrr52dr6gu\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Synology WiFi Router</span></a></li>\n      <li><strong>Mode:</strong> Access Point (bridge mode), all trunk ports enabled</li>\n      <li><strong>Bands:</strong> Wi-Fi 6E (2.4 GHz + 5 GHz + 6 GHz)</li>\n      <li><strong>Switch Port:</strong> 3 (trunk, native VLAN 58)</li>\n    </ul>\n  </div>\n</div>\n\n<div class=\"note\"><strong>Network Isolation:</strong> Each SSID maps to a separate VLAN with independent firewall rules and bandwidth limits. GUEST is fully isolated with NAT &mdash; no access to internal resources. EMPLOYEE, WORK, and SCHOOL share public IP .28 with traffic shaping.</div>\n</div>\n\n<!-- ===== TAB: CREDENTIALS ===== -->\n<div id=\"tab-credentials\" class=\"tab-content\">\n<h2>Credentials &amp; 1Password</h2>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password Connect Server</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://op-connect.iamworkin.lan:8180</span> <button class=\"copy-btn\" onclick=\"copyText('http://op-connect.iamworkin.lan:8180')\">copy</button></li>\n      <li><strong>Sync:</strong> <span class=\"ip\">http://op-connect.iamworkin.lan:8181</span></li>\n      <li><strong>Host:</strong> noc1 (Podman containers)</li>\n      <li><strong>Status:</strong> <span class=\"b b-online\">Online</span></li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password K8s Operator</div>\n    <ul>\n      <li><strong>Namespace:</strong> <code>onepassword-system</code></li>\n      <li><strong>Chart:</strong> 1password/connect v2.3.0</li>\n      <li><strong>Operator:</strong> v1.11.0</li>\n      <li><strong>Poll Interval:</strong> 600s</li>\n      <li><strong>Status:</strong> <span class=\"b b-online\">Online</span></li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--gold);\">\n    <div class=\"card-title\">IAmWorkin Vault</div>\n    <ul>\n      <li><strong>Vault Name:</strong> IAmWorkin</li>\n      <li><strong>Items:</strong> 45+ items (infra credentials + WiFi QR codes + Pi device passwords)</li>\n      <li><strong>Rotation:</strong> Quarterly (Jan/Apr/Jul/Oct)</li>\n      <li><strong>Script:</strong> <code>/opt/scripts/rotate-credentials.sh</code></li>\n      <li><strong>Timer:</strong> <code>credential-rotation.timer</code></li>\n    </ul>\n  </div>\n</div>\n\n<div class=\"note\"><strong>All infrastructure credentials are managed in 1Password.</strong> The IAmWorkin vault contains credentials for every service listed on this intranet. K8s workloads (Zabbix, Matrix, Guacamole, Mail, IRC, Gitea, ArgoCD) sync secrets automatically via OnePasswordItem CRDs. Credential rotation runs quarterly via systemd timer.</div>\n\n<h3>K8s Secret Sync (OnePasswordItem CRDs)</h3>\n<table>\n<thead><tr><th>Namespace</th><th>Secret Name</th><th>Source (1Password Item)</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>zabbix</td><td>zabbix-credentials</td><td>Zabbix Monitoring</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>matrix</td><td>matrix-credentials</td><td>Matrix Synapse</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>guacamole</td><td>guacamole-credentials</td><td>Apache Guacamole</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>mail</td><td>mail-credentials</td><td>Mail Server</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>irc</td><td>irc-credentials</td><td>IRC Services</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>gitea</td><td>gitea-credentials</td><td>Gitea</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>argocd</td><td>argocd-credentials</td><td>ArgoCD</td><td><span class=\"b b-online\">Synced</span></td></tr>\n</tbody>\n</table>\n\n<h3>Pi Fleet &amp; Edge Node Credentials</h3>\n<table>\n<thead><tr><th>Device</th><th>IP</th><th>User</th><th>1Password Item</th><th>Services</th></tr></thead>\n<tbody>\n<tr><td>edge1 (Pi 5)</td><td><span class=\"ip\">edge1.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge1 Pi5 SSH</span></a></td><td>Ollama, Piper TTS, Hailo STT, Frigate</td></tr>\n<tr><td>edge2 (Pi 4)</td><td><span class=\"ip\">edge2.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=kyeqfwy76msqb4cfdjueaq5uta\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Edge2 Pi4 SSH</span></a></td><td>GitHub Actions runners</td></tr>\n<tr><td>piez (Pi 4)</td><td><span class=\"ip\">piez.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 piez</span></a></td><td>PiManager :5000 (GPIO, I2C, SPI)</td></tr>\n<tr><td>pirelay (Pi 3)</td><td><span class=\"ip\">pirelay.iamworkin.lan</span></td><td><code>stoltz</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=62jgyxh6emltmharocvzxq2oue\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 pirelay</span></a></td><td>PiManager :5100 (4-ch relay)</td></tr>\n<tr><td>Mac Mini</td><td><span class=\"ip\">macmini.iamworkin.lan</span></td><td><code>bluejay</code></td><td><a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=npkseg2zvbmxmtg7qrseredvym\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Mac Mini</span></a></td><td>SSH + VNC :5900, Xcode builds</td></tr>\n</tbody>\n</table>\n\n<h3>Credential Rotation</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Rotation Script</div>\n    <ul>\n      <li><strong>Path:</strong> <code>/opt/scripts/rotate-credentials.sh</code></li>\n      <li><strong>Usage:</strong> <code>rotate-credentials.sh {service|all} [--dry-run]</code></li>\n      <li><strong>Services:</strong> grafana, guacamole, zabbix, argocd, gitea, snappymail, traefik, matrix, harvester (17/17 complete, all XKCD-style)</li>\n      <li><strong>Schedule:</strong> Quarterly (1st of Jan/Apr/Jul/Oct at 03:00 UTC)</li>\n      <li><strong>Log:</strong> <code>/var/log/credential-rotation.log</code></li>\n    </ul>\n  </div>\n</div>\n</div>\n\n<!-- ===== TAB: PLANNED ===== -->\n<div id=\"tab-planned\" class=\"tab-content\">\n<h2>Planned Services</h2>\n<div class=\"note\">All previously planned services (Gitea, IRC, Zabbix, ArgoCD, 1Password, Mail, Matrix, TeamSpeak, Guacamole) are now <strong>live on RKE2</strong>. Remaining planned items are Windows Server VMs and authenticated proxy.</div>\n<table>\n<thead><tr><th>Service</th><th>IP</th><th>Host</th><th>Role</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>Windows DC1</td><td><span class=\"ip\">10.0.56.20</span></td><td>VM (hypervisor TBD)</td><td>AD Domain Controller (iamworkin.lan)</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows WAC1</td><td><span class=\"ip\">10.0.56.21</span></td><td>VM (hypervisor TBD)</td><td>Windows Admin Center</td><td><span\
-    \ class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows RDS1</td><td><span class=\"ip\">10.0.57.20</span></td><td>VM (hypervisor TBD)</td><td>Remote Desktop Services</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows IIS1</td><td><span class=\"ip\">10.0.57.21</span></td><td>VM (hypervisor TBD)</td><td>IIS Web Server</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Squid Proxy</td><td><span class=\"ip\">10.0.56.22</span></td><td>VM (hypervisor TBD)</td><td>Authenticated web proxy (Kerberos/LDAP)</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: TOPOLOGY ===== -->\n<div id=\"tab-topology\" class=\"tab-content\">\n<h2>Network Topology</h2>\n<div style=\"display:flex;flex-direction:column;align-items:center;gap:8px;padding:1.5rem;\">\n\n<div class=\"card\" style=\"text-align:center;max-width:280px;border-color:var(--text-muted);\"><div class=\"card-title\" style=\"justify-content:center;\">Internet</div></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:320px;\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>Frontier ONT + NVG468MQ Modem</div><p><span class=\"ip\">WAN: 74.32.185.184</span> &bull; <span class=\"ip\">/28: .17-.29</span></p><p style=\"font-size:0.78rem;\">192.168.254.254 &bull; DMZ to pfSense</p></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:360px;border-color:var(--accent);\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>pfSense Netgate 4100</div><p><span class=\"ip\">WAN: ix3 (.122)</span> &bull; <span class=\"ip\">LAN: igc0</span> (802.1Q trunk)</p><p style=\"font-size:0.78rem;\">13 VLANs &bull; 13 VIPs &bull; 28 port forwards &bull; DNS/DHCP/NTP/SNMP</p></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:340px;\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>UniFi USW-Lite-16-PoE Switch</div><p><span class=\"ip\">switch.iamworkin.lan</span> &bull; 16 ports &bull; VLANs 56-67</p></div>\n<div style=\"width:2px;height:8px;background:var(--border-accent);\"></div>\n\n<div style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(200px,1fr));gap:10px;width:100%;max-width:1200px;\">\n  <div class=\"card\" style=\"border-left:3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>noc1</div>\n    <p><span class=\"ip\">noc1.iamworkin.lan</span> <span class=\"b b-mgmt\">MGMT</span></p>\n    <p style=\"font-size:0.78rem;\">Celeron N5105 &bull; 32GB &bull; K3s + Podman</p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Grafana :3000</li><li>Prometheus :9091</li>\n      <li>step-ca :9443</li><li>Cockpit :9090</li>\n      <li>Puppet :8140</li><li>1Password Connect :8180</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--green);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>RKE2 Bare-Metal Cluster</div>\n    <p><span class=\"ip\">Traefik: traefik.iamworkin.lan</span> <span class=\"b b-mgmt\">MGMT</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>rke2-server: <span class=\"ip\">.11</span> (i7-1260P/64GB, control plane)</li>\n      <li>rke2-agent1: <span class=\"ip\">.12</span> (i7-1260P/64GB, worker)</li>\n      <li>rke2-agent2: <span class=\"ip\">.13</span> (i5-1340P/64GB, worker)</li>\n    </ul>\n    <p style=\"font-size:0.78rem;\">RKE2 v1.34.5 &bull; Calico &bull; MetalLB &bull; Longhorn &bull; Traefik v3.3.4 &bull; ArgoCD &bull; 11 apps &bull; Asterisk PBX</p>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--cyan);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>WiFi (Synology RT6600AX)</div>\n    <p><span class=\"ip\">wifi.iamworkin.lan</span> <span class=\"b b-home\">HOME</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>BlueJay-Home (untagged)</li><li>BlueJay-Employee (VLAN 59)</li>\n      <li>BlueJay-Work (VLAN 64)</li><li>BlueJay-School (VLAN 65)</li>\n      <li>BlueJay-Guest (VLAN 66)</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--orange);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>PROD Nodes</div>\n    <p><span class=\"b b-prod\">PROD VLAN 57</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Mac Mini: <span class=\"ip\">macmini.iamworkin.lan</span> (Xcode)</li>\n      <li>edge1 Pi5: <span class=\"ip\">edge1.iamworkin.lan</span> (Hailo AI)</li>\n      <li>edge2 Pi4: <span class=\"ip\">edge2.iamworkin.lan</span> (CI runner)</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--purple);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>HOME Pi Fleet</div>\n    <p><span class=\"b b-home\">HOME VLAN 58</span> &bull; FlowerCore.PiManager</p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>piez Pi4: <span class=\"ip\">piez.iamworkin.lan</span> (EZ Connect, GPIO/I2C/SPI) — <a href=\"http://piez.iamworkin.lan:5000\">:5000</a></li>\n      <li>pirelay Pi3: <span class=\"ip\">pirelay.iamworkin.lan</span> (KS0212 4-ch relay) — <a href=\"http://pirelay.iamworkin.lan:5100\">:5100</a></li>\n      <li style=\"font-size:0.72rem;color:var(--text-muted);\">Unified PiManager binary &bull; config-driven &bull; node-exporter &bull; Zabbix</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--gold);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Network Devices &amp; Storage</div>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Cloud Key: <span class=\"ip\">unifi.iamworkin.lan</span></li>\n      <li>BlueJayNAS (DS1621+): <span class=\"ip\">nas.iamworkin.lan</span></li>\n      <li style=\"font-size:0.72rem;color:var(--text-muted);\">9.1TB Btrfs &bull; NFS &bull; Longhorn backup &bull; SNMP</li>\n      <li>Modem: <span class=\"ip\">192.168.254.254</span></li>\n    </ul>\n  </div>\n</div>\n</div>\n</div>\n\n<!-- ===== TAB: DOMAINS ===== -->\n<div id=\"tab-domains\" class=\"tab-content\">\n<h2>Domains</h2>\n<div class=\"summary-grid\">\n  <div class=\"summary-card\"><div class=\"summary-number\">17</div><div class=\"summary-label\">Registered Domains</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">1</div><div class=\"summary-label\">Internal Domain</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">1</div><div class=\"summary-label\">Blog Hosting (DreamHost)</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">18</div><div class=\"summary-label\">Total Domains</div></div>\n</div>\n\n<h3>FlowerCore Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>flowercore.io</strong></td><td><span class=\"b b-prod\">FlowerCore</span></td><td>Andrew</td><td>Production API</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.xyz</strong></td><td><span class=\"b b-prod\">FlowerCore</span></td><td>Andrew</td><td>Dev/staging</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.com</strong></td><td><span class=\"b b-prod\">FlowerCore Co</span></td><td>Andrew</td><td>Company site</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.nl</strong></td><td><span class=\"b b-prod\">FlowerCore Co</span></td><td>Andrew</td><td>Dutch site</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Work Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>iamwork.in</strong></td><td><span class=\"b b-wifi\">Work</span></td><td>Andrew</td><td>Employee portal, IVR, Telephony</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>iamworkin.com</strong></td><td><span class=\"b b-wifi\">Work</span></td><td>Andrew</td><td>Redirect</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Personal &amp; Tenant Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>ackeroni.com</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Personal</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>erckak.com</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Personal</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>erckak.dev</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Developer portfolio</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>digirido.com</strong></td><td><span class=\"b b-spare\">Random</span></td><td>Andrew</td><td>DigiKey testing</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>timeforta.co</strong></td><td><span class=\"b b-tenant\">Dustin</span></td><td>Dustin</td><td>Personal</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>shenanjia.com</strong></td><td><span class=\"b b-home\">Wife</span></td><td>Wife</td><td>Personal site</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>bluejay.api</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>API experiments</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>bluejay.dev</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>Dev projects, voice bridge</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>jayblue.dev</strong></td><td><span class=\"\
-    b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>Dev projects</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>z.orb</strong></td><td><span class=\"b b-spare\">Random</span></td><td>Andrew</td><td>Short URL</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Blog &amp; Content Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>pebbleandpeanut.com</strong></td><td><span class=\"b b-home\">Blog</span></td><td>Andrew</td><td>Personal blog</td><td>DreamHost</td><td>Namecheap</td></tr>\n<tr><td><strong>pebblesandpeanuts.com</strong></td><td><span class=\"b b-home\">Blog</span></td><td>Andrew</td><td>Alt redirect</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Internal Domain</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Notes</th></tr></thead>\n<tbody>\n<tr><td><strong>iamworkin.lan</strong></td><td><span class=\"b b-mgmt\">Internal</span></td><td>Andrew</td><td>Internal infrastructure, future AD DS</td><td>pfSense Unbound</td><td>52+ host overrides + 4 wildcard redirect zones, not publicly registered</td></tr>\n</tbody>\n</table>\n\n<h3>Cloudflare (6 Zones)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Cloudflare Account</div>\n    <ul>\n      <li><strong>Account:</strong> Astoltz@iamwork.in</li>\n      <li><strong>Plan:</strong> Pro (planned)</li>\n      <li><strong>NS:</strong> dan.ns.cloudflare.com, frida.ns.cloudflare.com</li>\n      <li><strong>All Zones:</strong> SSL Full(strict), HSTS, min TLS 1.2</li>\n      <li><strong>API Tokens:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=mp5u2gxtq4xaz2wfsggxzm2a3e\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Cloudflare API Tokens</span></a></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Active Zones</div>\n    <ul>\n      <li><strong>flowercore.io</strong> &mdash; Production API, landing page</li>\n      <li><strong>iamwork.in</strong> &mdash; Employee portal, telephony, DDNS</li>\n      <li><strong>bluejay.dev</strong> &mdash; Dev projects, voice bridge</li>\n      <li><strong>erckak.dev</strong> &mdash; Erik developer portfolio</li>\n      <li><strong>timeforta.co</strong> &mdash; Dustin personal</li>\n      <li><strong>flowerinsider.xyz</strong> &mdash; Dev/staging</li>\n    </ul>\n  </div>\n</div>\n<h3>Namecheap API</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">API Configuration</div>\n    <ul>\n      <li><strong>Base URL:</strong> <code>https://api.namecheap.com/xml.response</code> <button class=\"copy-btn\" onclick=\"copyText('https://api.namecheap.com/xml.response')\">copy</button></li>\n      <li><strong>API User:</strong> <code>astoltz</code> <button class=\"copy-btn\" onclick=\"copyText('astoltz')\">copy</button></li>\n      <li><strong>API Key:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=wghrgst2tjer36istiwej43fcy\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Namecheap API</span></a></li>\n      <li><strong>Sandbox URL:</strong> <code>https://api.sandbox.namecheap.com/xml.response</code> <button class=\"copy-btn\" onclick=\"copyText('https://api.sandbox.namecheap.com/xml.response')\">copy</button></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Dynamic DNS</div>\n    <ul>\n      <li><strong>Hostname:</strong> <code>gateway.iamwork.in</code> <button class=\"copy-btn\" onclick=\"copyText('gateway.iamwork.in')\">copy</button></li>\n      <li><strong>Points to:</strong> pfSense WAN IP (auto-updated)</li>\n      <li><strong>DDNS:</strong> gateway.iamwork.in &rarr; pfSense WAN DHCP IP (via Cloudflare API)</li>\n      <li><strong>Update Method:</strong> pfSense Dynamic DNS client (Cloudflare API token)</li>\n      <li><strong>Token:</strong> <a href=\"https://start.1password.com/open/i?v=qaphopopkryhbg353ukzhhuqoq&i=mp5u2gxtq4xaz2wfsggxzm2a3e\" target=\"_blank\" class=\"op-link\" title=\"Open in 1Password\"><span class=\"b b-planned\">\U0001F510 Cloudflare pfSense Token</span></a></li>\n    </ul>\n  </div>\n</div>\n\n<h3>Internal DNS Architecture</h3>\n<div class=\"note\"><strong>Split-Horizon DNS (LIVE):</strong> External requests to flowercore.io resolve via Cloudflare to public IP .24 (PROD). Internal requests resolve via pfSense Unbound to K8s MetalLB VIP (10.0.56.200), avoiding NAT hairpin. All internal infrastructure uses iamworkin.lan zone. 4 tenant .lan wildcard redirect zones configured in Unbound (base64-encoded custom_options).</div>\n\n<h3>Planned IPv6 (ULA)</h3>\n<table>\n<thead><tr><th>Prefix</th><th>Scheme</th><th>Method</th></tr></thead>\n<tbody>\n<tr><td><code>fdbc:56:XX::/64</code></td><td>XX = VLAN ID (e.g., fdbc:56:56::/64 for MGMT)</td><td>SLAAC + DHCPv6 (servers), SLAAC-only (clients)</td></tr>\n</tbody>\n</table>\n</div>\n\n<script>\n/* ===== QR Code Generator (inline, air-gap safe) ===== */\n/* Minimal QR code encoder — generates canvas-based QR codes. Based on public domain QR algorithms. */\nvar QRCode=(function(){\nvar PAD0=0xEC,PAD1=0x11;\nfunction QRCode(typeNumber,errorCorrectionLevel){this.typeNumber=typeNumber;this.errorCorrectionLevel=errorCorrectionLevel;this.modules=null;this.moduleCount=0;this.dataCache=null;this.dataList=[];}\nQRCode.prototype={addData:function(data){this.dataList.push(new QR8bitByte(data));this.dataCache=null;},make:function(){if(this.typeNumber<1){var tn=1;for(tn=1;tn<40;tn++){var rs=QRRSBlock.getRSBlocks(tn,this.errorCorrectionLevel);var buf=new QRBitBuffer();for(var i=0;i<this.dataList.length;i++){var d=this.dataList[i];buf.put(d.mode,4);buf.put(d.getLength(),QRUtil.getLengthInBits(d.mode,tn));d.write(buf);}var totalDataCount=0;for(i=0;i<rs.length;i++){totalDataCount+=rs[i].dataCount;}if(buf.getLengthInBits()<=totalDataCount*8)break;}this.typeNumber=tn;}this.makeImpl(false,this.getBestMaskPattern());},makeImpl:function(test,maskPattern){this.moduleCount=this.typeNumber*4+17;this.modules=new Array(this.moduleCount);for(var row=0;row<this.moduleCount;row++){this.modules[row]=new Array(this.moduleCount);for(var col=0;col<this.moduleCount;col++){this.modules[row][col]=null;}}this.setupPositionProbePattern(0,0);this.setupPositionProbePattern(this.moduleCount-7,0);this.setupPositionProbePattern(0,this.moduleCount-7);this.setupPositionAdjustPattern();this.setupTimingPattern();this.setupTypeInfo(test,maskPattern);if(this.typeNumber>=7){this.setupTypeNumber(test);}if(this.dataCache==null){this.dataCache=QRCode.createData(this.typeNumber,this.errorCorrectionLevel,this.dataList);}this.mapData(this.dataCache,maskPattern);},setupPositionProbePattern:function(row,col){for(var r=-1;r<=7;r++){if(row+r<=-1||this.moduleCount<=row+r)continue;for(var c=-1;c<=7;c++){if(col+c<=-1||this.moduleCount<=col+c)continue;if((0<=r&&r<=6&&(c==0||c==6))||(0<=c&&c<=6&&(r==0||r==6))||(2<=r&&r<=4&&2<=c&&c<=4)){this.modules[row+r][col+c]=true;}else{this.modules[row+r][col+c]=false;}}}},getBestMaskPattern:function(){var minLostPoint=0;var pattern=0;for(var i=0;i<8;i++){this.makeImpl(true,i);var lostPoint=QRUtil.getLostPoint(this);if(i==0||minLostPoint>lostPoint){minLostPoint=lostPoint;pattern=i;}}return pattern;},setupTimingPattern:function(){for(var r=8;r<this.moduleCount-8;r++){if(this.modules[r][6]!=null)continue;this.modules[r][6]=(r%2==0);}for(var c=8;c<this.moduleCount-8;c++){if(this.modules[6][c]!=null)continue;this.modules[6][c]=(c%2==0);}},setupPositionAdjustPattern:function(){var pos=QRUtil.getPatternPosition(this.typeNumber);for(var i=0;i<pos.length;i++){for(var j=0;j<pos.length;j++){var row=pos[i];var col=pos[j];if(this.modules[row][col]!=null)continue;for(var r=-2;r<=2;r++){for(var c=-2;c<=2;c++){if(r==-2||r==2||c==-2||c==2||(r==0&&c==0)){this.modules[row+r][col+c]=true;}else{this.modules[row+r][col+c]=false;}}}}}},setupTypeNumber:function(test){var bits=QRUtil.getBCHTypeNumber(this.typeNumber);for(var i=0;i<18;i++){var mod=(!test&&((bits>>i)&1)==1);this.modules[Math.floor(i/3)][i%3+this.moduleCount-8-3]=mod;}for(i=0;i<18;i++){mod=(!test&&((bits>>i)&1)==1);this.modules[i%3+this.moduleCount-8-3][Math.floor(i/3)]=mod;}},setupTypeInfo:function(test,maskPattern){var data=(this.errorCorrectionLevel<<3)|maskPattern;var bits=QRUtil.getBCHTypeInfo(data);for(var i=0;i<15;i++){var mod=(!test&&((bits>>i)&1)==1);if(i<6){this.modules[i][8]=mod;}else if(i<8){this.modules[i+1][8]=mod;}else{this.modules[this.moduleCount-15+i][8]=mod;}}for(i=0;i<15;i++){mod=(!test&&((bits>>i)&1)==1);if(i<8){this.modules[8][this.moduleCount-i-1]=mod;}else if(i<9){this.modules[8][15-i-1+1]=mod;}else{this.modules[8][15-i-1]=mod;}}this.modules[this.moduleCount-8][8]=(!test);},mapData:function(data,maskPattern){var inc=-1;var row=this.moduleCount-1;var bitIndex=7;var byteIndex=0;for(var col=this.moduleCount-1;col>0;col-=2){if(col==6)col--;while(true){for(var c=0;c<2;c++){if(this.modules[row][col-c]==null){var dark=false;if(byteIndex<data.length){dark=(((data[byteIndex]>>>bitIndex)&1)==1);}var mask=QRUtil.getMask(maskPattern,row,col-c);if(mask){dark=!dark;}this.modules[row][col-c]=dark;bitIndex--;if(bitIndex==-1){byteIndex++;bitIndex=7;}}}row+=inc;if(row<0||this.moduleCount<=row){row-=inc;inc=-inc;break;}}}}};\nQRCode.createData=function(typeNumber,errorCorrectionLevel,dataList){var rsBlocks=QRRSBlock.getRSBlocks(typeNumber,errorCorrectionLevel);var buffer=new QRBitBuffer();for(var i=0;i<dataList.length;i++){var data=dataList[i];buffer.put(data.mode,4);buffer.put(data.getLength(),QRUtil.getLengthInBits(data.mode,typeNumber));data.write(buffer);}var totalDataCount=0;for(i=0;i<rsBlocks.length;i++){totalDataCount+=rsBlocks[i].dataCount;}if(buffer.getLengthInBits()>totalDataCount*8){throw\
-    \ new Error('code length overflow. ('+buffer.getLengthInBits()+'>'+totalDataCount*8+')');}if(buffer.getLengthInBits()+4<=totalDataCount*8){buffer.put(0,4);}while(buffer.getLengthInBits()%8!=0){buffer.putBit(false);}while(true){if(buffer.getLengthInBits()>=totalDataCount*8)break;buffer.put(PAD0,8);if(buffer.getLengthInBits()>=totalDataCount*8)break;buffer.put(PAD1,8);}return QRCode.createBytes(buffer,rsBlocks);};\nQRCode.createBytes=function(buffer,rsBlocks){var offset=0;var maxDcCount=0;var maxEcCount=0;var dcdata=new Array(rsBlocks.length);var ecdata=new Array(rsBlocks.length);for(var r=0;r<rsBlocks.length;r++){var dcCount=rsBlocks[r].dataCount;var ecCount=rsBlocks[r].totalCount-dcCount;maxDcCount=Math.max(maxDcCount,dcCount);maxEcCount=Math.max(maxEcCount,ecCount);dcdata[r]=new Array(dcCount);for(var i=0;i<dcdata[r].length;i++){dcdata[r][i]=0xff&buffer.buffer[i+offset];}offset+=dcCount;var rsPoly=QRUtil.getErrorCorrectPolynomial(ecCount);var rawPoly=new QRPolynomial(dcdata[r],rsPoly.getLength()-1);var modPoly=rawPoly.mod(rsPoly);ecdata[r]=new Array(rsPoly.getLength()-1);for(i=0;i<ecdata[r].length;i++){var modIndex=i+modPoly.getLength()-ecdata[r].length;ecdata[r][i]=(modIndex>=0)?modPoly.get(modIndex):0;}}var totalCodeCount=0;for(i=0;i<rsBlocks.length;i++){totalCodeCount+=rsBlocks[i].totalCount;}var data=new Array(totalCodeCount);var index=0;for(i=0;i<maxDcCount;i++){for(r=0;r<rsBlocks.length;r++){if(i<dcdata[r].length){data[index++]=dcdata[r][i];}}}for(i=0;i<maxEcCount;i++){for(r=0;r<rsBlocks.length;r++){if(i<ecdata[r].length){data[index++]=ecdata[r][i];}}}return data;};\nfunction QR8bitByte(data){this.mode=4;this.data=data;}QR8bitByte.prototype={getLength:function(){return this.data.length;},write:function(buffer){for(var i=0;i<this.data.length;i++){buffer.put(this.data.charCodeAt(i),8);}}};\nvar QRUtil={PATTERN_POSITION_TABLE:[[],[6,18],[6,22],[6,26],[6,30],[6,34],[6,22,38],[6,24,42],[6,26,46],[6,28,50],[6,30,54],[6,32,58],[6,34,62],[6,26,46,66],[6,26,48,70],[6,26,50,74],[6,30,54,78],[6,30,56,82],[6,30,58,86],[6,34,62,90],[6,28,50,72,94],[6,26,50,74,98],[6,30,54,78,102],[6,28,54,80,106],[6,32,58,84,110],[6,30,58,86,114],[6,34,62,90,118],[6,26,50,74,98,122],[6,30,54,78,102,126],[6,26,52,78,104,130],[6,30,56,82,108,134],[6,34,60,86,112,138],[6,30,58,86,114,142],[6,34,62,90,118,146],[6,30,54,78,102,126,150],[6,24,50,76,102,128,154],[6,28,54,80,106,132,158],[6,32,58,84,110,136,162],[6,26,54,82,110,138,166],[6,30,58,86,114,142,170]],G15:(1<<10)|(1<<8)|(1<<5)|(1<<4)|(1<<2)|(1<<1)|(1<<0),G18:(1<<12)|(1<<11)|(1<<10)|(1<<9)|(1<<8)|(1<<5)|(1<<2)|(1<<0),G15_MASK:(1<<14)|(1<<12)|(1<<10)|(1<<4)|(1<<1),getBCHTypeInfo:function(data){var d=data<<10;while(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G15)>=0){d^=(QRUtil.G15<<(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G15)));}return((data<<10)|d)^QRUtil.G15_MASK;},getBCHTypeNumber:function(data){var d=data<<12;while(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G18)>=0){d^=(QRUtil.G18<<(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G18)));}return(data<<12)|d;},getBCHDigit:function(data){var digit=0;while(data!=0){digit++;data>>>=1;}return digit;},getPatternPosition:function(typeNumber){return QRUtil.PATTERN_POSITION_TABLE[typeNumber-1];},getMask:function(maskPattern,i,j){switch(maskPattern){case 0:return(i+j)%2==0;case 1:return i%2==0;case 2:return j%3==0;case 3:return(i+j)%3==0;case 4:return(Math.floor(i/2)+Math.floor(j/3))%2==0;case 5:return(i*j)%2+(i*j)%3==0;case 6:return((i*j)%2+(i*j)%3)%2==0;case 7:return((i*j)%3+(i+j)%2)%2==0;default:throw new Error('bad maskPattern:'+maskPattern);}},getErrorCorrectPolynomial:function(errorCorrectLength){var a=new QRPolynomial([1],0);for(var i=0;i<errorCorrectLength;i++){a=a.multiply(new QRPolynomial([1,QRMath.gexp(i)],0));}return a;},getLengthInBits:function(mode,type){if(1<=type&&type<10){return 8;}else if(type<27){return 16;}else if(type<41){return 16;}throw new Error('type:'+type);},getLostPoint:function(qrCode){var moduleCount=qrCode.moduleCount;var lostPoint=0;for(var row=0;row<moduleCount;row++){for(var col=0;col<moduleCount;col++){var sameCount=0;var dark=qrCode.modules[row][col];for(var r=-1;r<=1;r++){if(row+r<0||moduleCount<=row+r)continue;for(var c=-1;c<=1;c++){if(col+c<0||moduleCount<=col+c)continue;if(r==0&&c==0)continue;if(dark==qrCode.modules[row+r][col+c]){sameCount++;}}}if(sameCount>5){lostPoint+=(3+sameCount-5);}}}for(row=0;row<moduleCount-1;row++){for(col=0;col<moduleCount-1;col++){var count=0;if(qrCode.modules[row][col])count++;if(qrCode.modules[row+1][col])count++;if(qrCode.modules[row][col+1])count++;if(qrCode.modules[row+1][col+1])count++;if(count==0||count==4){lostPoint+=3;}}}for(row=0;row<moduleCount;row++){for(col=0;col<moduleCount-6;col++){if(qrCode.modules[row][col]&&!qrCode.modules[row][col+1]&&qrCode.modules[row][col+2]&&qrCode.modules[row][col+3]&&qrCode.modules[row][col+4]&&!qrCode.modules[row][col+5]&&qrCode.modules[row][col+6]){lostPoint+=40;}}}for(col=0;col<moduleCount;col++){for(row=0;row<moduleCount-6;row++){if(qrCode.modules[row][col]&&!qrCode.modules[row+1][col]&&qrCode.modules[row+2][col]&&qrCode.modules[row+3][col]&&qrCode.modules[row+4][col]&&!qrCode.modules[row+5][col]&&qrCode.modules[row+6][col]){lostPoint+=40;}}}var darkCount=0;for(col=0;col<moduleCount;col++){for(row=0;row<moduleCount;row++){if(qrCode.modules[row][col]){darkCount++;}}}var ratio=Math.abs(100*darkCount/moduleCount/moduleCount-50)/5;lostPoint+=ratio*10;return lostPoint;}};\nvar QRMath={glog:function(n){if(n<1)throw new Error('glog('+n+')');return QRMath.LOG_TABLE[n];},gexp:function(n){while(n<0){n+=255;}while(n>=256){n-=255;}return QRMath.EXP_TABLE[n];},EXP_TABLE:new Array(256),LOG_TABLE:new Array(256)};for(var i=0;i<8;i++){QRMath.EXP_TABLE[i]=1<<i;}for(i=8;i<256;i++){QRMath.EXP_TABLE[i]=QRMath.EXP_TABLE[i-4]^QRMath.EXP_TABLE[i-5]^QRMath.EXP_TABLE[i-6]^QRMath.EXP_TABLE[i-8];}for(i=0;i<255;i++){QRMath.LOG_TABLE[QRMath.EXP_TABLE[i]]=i;}\nfunction QRPolynomial(num,shift){if(num.length==undefined)throw new Error(num.length+'/'+shift);var offset=0;while(offset<num.length&&num[offset]==0){offset++;}this.num=new Array(num.length-offset+shift);for(var i=0;i<num.length-offset;i++){this.num[i]=num[i+offset];}}QRPolynomial.prototype={get:function(index){return this.num[index];},getLength:function(){return this.num.length;},multiply:function(e){var num=new Array(this.getLength()+e.getLength()-1);for(var i=0;i<this.getLength();i++){for(var j=0;j<e.getLength();j++){num[i+j]^=QRMath.gexp(QRMath.glog(this.get(i))+QRMath.glog(e.get(j)));}}return new QRPolynomial(num,0);},mod:function(e){if(this.getLength()-e.getLength()<0)return this;var ratio=QRMath.glog(this.get(0))-QRMath.glog(e.get(0));var num=new Array(this.getLength());for(var i=0;i<this.getLength();i++){num[i]=this.get(i);}for(i=0;i<e.getLength();i++){num[i]^=QRMath.gexp(QRMath.glog(e.get(i))+ratio);}return new QRPolynomial(num,0).mod(e);}};\nfunction QRRSBlock(totalCount,dataCount){this.totalCount=totalCount;this.dataCount=dataCount;}\nQRRSBlock.RS_BLOCK_TABLE=[[1,26,19],[1,26,16],[1,26,13],[1,26,9],[1,44,34],[1,44,28],[1,44,22],[1,44,16],[1,70,55],[1,70,44],[2,35,17],[2,35,13],[1,100,80],[2,50,32],[2,50,24],[4,25,9],[1,134,108],[2,67,43],[2,33,15,2,34,16],[2,33,11,2,34,12],[2,86,68],[4,43,27],[4,43,19],[4,43,15],[2,98,78],[4,49,31],[2,32,14,4,33,15],[4,39,13,1,40,14],[2,121,97],[2,60,38,2,61,39],[4,40,18,2,41,19],[4,40,14,2,41,15],[2,146,116],[3,58,36,2,59,37],[4,36,16,4,37,17],[4,36,12,4,37,13],[2,86,68,2,87,69],[4,69,43,1,70,44],[6,43,19,2,44,20],[6,43,15,2,44,16],[4,101,81],[1,80,50,4,81,51],[4,50,22,4,51,23],[3,36,12,8,37,13],[2,116,92,2,117,93],[6,58,36,2,59,37],[4,46,20,6,47,21],[7,42,14,4,43,15],[4,133,107],[8,59,37,1,60,38],[8,44,20,4,45,21],[12,33,11,4,34,12],[3,145,115,1,146,116],[4,64,40,5,65,41],[11,36,16,5,37,17],[11,36,12,5,37,13],[5,109,87,1,110,88],[5,65,41,5,66,42],[5,54,24,7,55,25],[11,36,12,7,37,13],[5,122,98,1,123,99],[7,73,45,3,74,46],[15,43,19,2,44,20],[3,45,15,13,46,16],[1,135,107,5,136,108],[10,74,46,1,75,47],[1,50,22,15,51,23],[2,42,14,17,43,15],[5,150,120,1,151,121],[9,69,43,4,70,44],[17,50,22,1,51,23],[2,42,14,19,43,15],[3,141,113,4,142,114],[3,70,44,11,71,45],[17,47,21,4,48,22],[9,39,13,16,40,14],[3,135,107,5,136,108],[3,67,41,13,68,42],[15,54,24,5,55,25],[15,43,15,10,44,16],[4,144,116,4,145,117],[17,68,42],[17,50,22,6,51,23],[19,46,16,6,47,17],[2,139,111,7,140,112],[17,74,46],[7,54,24,16,55,25],[34,37,13],[4,151,121,5,152,122],[4,75,47,14,76,48],[11,54,24,14,55,25],[16,45,15,14,46,16],[6,147,117,4,148,118],[6,73,45,14,74,46],[11,54,24,16,55,25],[30,46,16,2,47,17],[8,132,106,4,133,107],[8,75,47,13,76,48],[7,54,24,22,55,25],[22,45,15,13,46,16],[10,142,114,2,143,115],[19,74,46,4,75,47],[28,50,22,6,51,23],[33,46,16,4,47,17],[8,152,122,4,153,123],[22,73,45,3,74,46],[8,53,23,26,54,24],[12,45,15,28,46,16],[3,147,117,10,148,118],[3,73,45,23,74,46],[4,54,24,31,55,25],[11,45,15,31,46,16],[7,146,116,7,147,117],[21,73,45,7,74,46],[1,53,23,37,54,24],[19,45,15,26,46,16],[5,145,115,10,146,116],[19,75,47,10,76,48],[15,54,24,25,55,25],[23,45,15,25,46,16],[13,145,115,3,146,116],[2,74,46,29,75,47],[42,54,24,1,55,25],[23,45,15,28,46,16],[17,145,115],[10,74,46,23,75,47],[10,54,24,35,55,25],[19,45,15,35,46,16],[17,145,115,1,146,116],[14,74,46,21,75,47],[29,54,24,19,55,25],[11,45,15,46,46,16],[13,145,115,6,146,116],[14,74,46,23,75,47],[44,54,24,7,55,25],[59,46,16,1,47,17],[12,151,121,7,152,122],[12,75,47,26,76,48],[39,54,24,14,55,25],[22,45,15,41,46,16],[6,151,121,14,152,122],[6,75,47,34,76,48],[46,54,24,10,55,25],[2,45,15,64,46,16],[17,152,122,4,153,123],[29,74,46,14,75,47],[49,54,24,10,55,25],[24,45,15,46,46,16],[4,152,122,18,153,123],[13,74,46,32,75,47],[48,54,24,14,55,25],[42,45,15,32,46,16],[20,147,117,4,148,118],[40,75,47,7,76,48],[43,54,24,22,55,25],[10,45,15,67,46,16],[19,148,118,6,149,119],[18,75,47,31,76,48],[34,54,24,34,55,25],[20,45,15,61,46,16]];\nQRRSBlock.getRSBlocks=function(typeNumber,errorCorrectionLevel){var rsBlock=QRRSBlock.getRsBlockTable(typeNumber,errorCorrectionLevel);if(rsBlock==undefined){throw\
-    \ new Error('bad rs block @ typeNumber:'+typeNumber+'/errorCorrectionLevel:'+errorCorrectionLevel);}var length=rsBlock.length/3;var list=[];for(var i=0;i<length;i++){var count=rsBlock[i*3+0];var totalCount=rsBlock[i*3+1];var dataCount=rsBlock[i*3+2];for(var j=0;j<count;j++){list.push(new QRRSBlock(totalCount,dataCount));}}return list;};\nQRRSBlock.getRsBlockTable=function(typeNumber,errorCorrectionLevel){switch(errorCorrectionLevel){case 1:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+0];case 0:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+1];case 3:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+2];case 2:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+3];default:return undefined;}};\nfunction QRBitBuffer(){this.buffer=[];this.length=0;}QRBitBuffer.prototype={get:function(index){var bufIndex=Math.floor(index/8);return((this.buffer[bufIndex]>>>(7-index%8))&1)==1;},put:function(num,length){for(var i=0;i<length;i++){this.putBit(((num>>>(length-i-1))&1)==1);}},getLengthInBits:function(){return this.length;},putBit:function(bit){var bufIndex=Math.floor(this.length/8);if(this.buffer.length<=bufIndex){this.buffer.push(0);}if(bit){this.buffer[bufIndex]|=(0x80>>>(this.length%8));}this.length++;}};\nreturn QRCode;})();\n\n/* ===== WiFi QR Code Rendering ===== */\n/* QR codes with passwords are generated via 1Password app, not stored in this page.\n   The inline QR library above is retained for potential future use (e.g., guest open network QR). */\nfunction initWifiQRCodes() {\n  /* Placeholder — QR codes are now served from 1Password app */\n}\n\nfunction printQRCodes() {\n  /* Switch to WiFi tab, mark it for print, print, then restore */\n  var allTabs = document.querySelectorAll('.tab-content');\n  var wifiTab = document.getElementById('tab-wifi');\n  allTabs.forEach(function(t) { t.classList.remove('print-active'); });\n  if (wifiTab) { wifiTab.classList.add('print-active'); }\n  window.print();\n  if (wifiTab) { wifiTab.classList.remove('print-active'); }\n}\n\n/* ===== Existing Functions ===== */\nfunction toggleTheme(){var h=document.documentElement,c=h.getAttribute('data-theme'),n=c==='dark'?'light':'dark';h.setAttribute('data-theme',n);document.getElementById('themeLabel').textContent=n==='dark'?'Light':'Dark';try{localStorage.setItem('bjTheme',n)}catch(e){}}\n(function(){try{var s=localStorage.getItem('bjTheme');if(s){document.documentElement.setAttribute('data-theme',s);var l=document.getElementById('themeLabel');if(l)l.textContent=s==='dark'?'Light':'Dark'}}catch(e){}})();\nvar ALL_TABS=['overview','isp','pfsense','switching','dns','k8s','noc','vpn','edge','storage','wifi','planned','topology','domains','credentials'];\nfunction switchTab(id,el){document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});document.querySelectorAll('.tab-btn').forEach(function(b){b.classList.remove('active')});var tgt=document.getElementById('tab-'+id);if(tgt)tgt.classList.add('active');if(el)el.classList.add('active');history.replaceState(null,null,'#'+id);window.scrollTo({top:0,behavior:'smooth'});if(id==='wifi'){setTimeout(initWifiQRCodes,50);}}\n(function(){var h=location.hash.replace('#','');if(h){var tgt=document.getElementById('tab-'+h);if(tgt){document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});document.querySelectorAll('.tab-btn').forEach(function(b){b.classList.remove('active')});tgt.classList.add('active');var idx=ALL_TABS.indexOf(h);var btns=document.querySelectorAll('.tab-btn');if(idx>=0&&btns[idx])btns[idx].classList.add('active');if(h==='wifi'){setTimeout(initWifiQRCodes,100);}}}})();\nfunction copyText(t){var btn=event.target;if(navigator.clipboard){navigator.clipboard.writeText(t).then(function(){btn.textContent='copied!';btn.classList.add('copied');setTimeout(function(){btn.textContent='copy';btn.classList.remove('copied')},1500)})}else{var ta=document.createElement('textarea');ta.value=t;ta.style.position='fixed';ta.style.opacity='0';document.body.appendChild(ta);ta.select();try{document.execCommand('copy')}catch(e){}document.body.removeChild(ta);btn.textContent='copied!';btn.classList.add('copied');setTimeout(function(){btn.textContent='copy';btn.classList.remove('copied')},1500)}}\ndocument.addEventListener('keydown',function(e){if(e.altKey){var k=parseInt(e.key);if(k>=1&&k<=9){e.preventDefault();var idx=k-1;if(idx<ALL_TABS.length){var btns=document.querySelectorAll('.tab-btn');btns.forEach(function(b){b.classList.remove('active')});if(btns[idx])btns[idx].classList.add('active');document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});var tgt=document.getElementById('tab-'+ALL_TABS[idx]);if(tgt)tgt.classList.add('active');if(ALL_TABS[idx]==='wifi'){setTimeout(initWifiQRCodes,50);}}}if(e.key==='0'){e.preventDefault();var btns=document.querySelectorAll('.tab-btn');btns.forEach(function(b){b.classList.remove('active')});if(btns[9])btns[9].classList.add('active');document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});var tgt=document.getElementById('tab-'+ALL_TABS[9]);if(tgt)tgt.classList.add('active');if(ALL_TABS[9]==='wifi'){setTimeout(initWifiQRCodes,50);}}}});\n</script>\n</body>\n</html>\n"
-kind: ConfigMap
-metadata:
-  name: intranet-html
-  namespace: intranet
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: intranet
-  name: intranet
-  namespace: intranet
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: intranet
-  template:
-    metadata:
-      labels:
-        app: intranet
-    spec:
-      containers:
-      - image: nginx:alpine
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 80
-          initialDelaySeconds: 5
-          periodSeconds: 10
-        name: nginx
-        ports:
-        - containerPort: 80
-          name: http
-        readinessProbe:
-          httpGet:
-            path: /healthz
-            port: 80
-          initialDelaySeconds: 3
-          periodSeconds: 5
-        resources:
-          limits:
-            cpu: 50m
-            memory: 64Mi
-          requests:
-            cpu: 5m
-            memory: 16Mi
-        volumeMounts:
-        - mountPath: /etc/nginx/conf.d/default.conf
-          name: nginx-conf
-          subPath: default.conf
-        - mountPath: /usr/share/nginx/html
-          name: html
-      volumes:
-      - configMap:
-          name: intranet-nginx-conf
-        name: nginx-conf
-      - configMap:
-          name: intranet-html
-        name: html
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: intranet
-  namespace: intranet
-spec:
-  ports:
-  - name: http
-    port: 80
-    targetPort: 80
-  selector:
-    app: intranet
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: intranet-tls
-  namespace: intranet
-spec:
-  dnsNames:
-  - intranet.iamworkin.lan
-  issuerRef:
-    kind: ClusterIssuer
-    name: step-ca-acme
-  secretName: intranet-tls
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: intranet
-  namespace: intranet
-spec:
-  entryPoints:
-  - websecure
-  routes:
-  - kind: Rule
-    match: Host(`intranet.iamworkin.lan`)
-    services:
-    - name: intranet
-      port: 80
-  tls:
-    secretName: intranet-tls
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+  name: intranet
+---
+apiVersion: v1
+data:
+  default.conf: "server {\n    listen 80;\n    server_name _;\n    root /usr/share/nginx/html;\n    index index.html;\n\n    location / {\n        try_files $uri $uri/ =404;\n    }\n\n    location /healthz {\n        access_log off;\n        return 200 \"ok\";\n        add_header Content-Type text/plain;\n    }\n}\n"
+kind: ConfigMap
+metadata:
+  name: intranet-nginx-conf
+  namespace: intranet
+---
+apiVersion: v1
+data:
+  index.html: "<!DOCTYPE html>\n<html lang=\"en\" data-theme=\"dark\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n<title>Blue Jay Lab Intranet - FlowerCore</title>\n<style>\n:root, [data-theme=\"dark\"] {\n  --bg: #0A1628; --bg-gradient: linear-gradient(180deg, #0A1628 0%, #0E1E36 100%);\n  --surface: #111D33; --surface2: #162844; --surface-hover: #1C3354;\n  --border: #1E3A5F; --border-accent: #2B8AFF;\n  --text: #E8EDF5; --text-heading: #FFFFFF; --text-muted: #8899B3;\n  --accent: #2B8AFF; --accent-light: #5BA3FF; --accent-bright: #82BBFF;\n  --gold: #FFB300; --gold-light: #FFCA40; --gold-dim: #CC8F00;\n  --green: #3DB86A; --green-bg: rgba(61,184,106,0.12); --green-border: rgba(61,184,106,0.25);\n  --yellow: #FFB300; --yellow-bg: rgba(255,179,0,0.12); --yellow-border: rgba(255,179,0,0.25);\n  --red: #E84545; --red-bg: rgba(232,69,69,0.12); --red-border: rgba(232,69,69,0.25);\n  --purple: #9B7ED8; --purple-bg: rgba(155,126,216,0.12); --purple-border: rgba(155,126,216,0.25);\n  --orange: #E8883E; --cyan: #39D2C0; --pink: #F778BA;\n  --navy: #0E1E36; --royal: #1A3A6A;\n  --code-bg: #0C1829; --code-text: #FFB300;\n  --card-shadow: 0 2px 6px rgba(0,0,0,0.35);\n  --header-gradient: linear-gradient(135deg, #0E1E36 0%, #1A3A6A 40%, #2B8AFF 100%);\n  --header-text-shadow: 0 2px 16px rgba(43,138,255,0.35);\n  --summary-border-top: 3px solid var(--gold);\n  --note-bg: rgba(43,138,255,0.08); --note-warn-bg: rgba(255,179,0,0.08);\n  --topo-bg: #0C1829; --topo-border: #1E3A5F; --topo-text: #5BA3FF;\n  --copy-bg: rgba(43,138,255,0.15); --copy-hover: rgba(43,138,255,0.3);\n  --zebra: rgba(255,255,255,0.02);\n}\n[data-theme=\"light\"] {\n  --bg: #F8FAFE; --bg-gradient: linear-gradient(180deg, #F8FAFE 0%, #EBF0F9 100%);\n  --surface: #FFFFFF; --surface2: #EDF2FA; --surface-hover: #DCE5F4;\n  --border: #C0D0E5; --border-accent: #2B7FE0;\n  --text: #1A2744; --text-heading: #0D1B2E; --text-muted: #5A6F8A;\n  --accent: #1565C0; --accent-light: #2B7FE0; --accent-bright: #1565C0;\n  --gold: #E6A100; --gold-light: #FFB300; --gold-dim: #B38000;\n  --green: #2A8A4A; --green-bg: rgba(42,138,74,0.1); --green-border: rgba(42,138,74,0.25);\n  --yellow: #E6A100; --yellow-bg: rgba(230,161,0,0.1); --yellow-border: rgba(230,161,0,0.25);\n  --red: #C03030; --red-bg: rgba(192,48,48,0.08); --red-border: rgba(192,48,48,0.2);\n  --purple: #6B4FA0; --purple-bg: rgba(107,79,160,0.1); --purple-border: rgba(107,79,160,0.2);\n  --orange: #C07020; --cyan: #288A7A; --pink: #C05090;\n  --navy: #1A2744; --royal: #1565C0;\n  --code-bg: #EDF2FA; --code-text: #C07020;\n  --card-shadow: 0 1px 4px rgba(26,39,68,0.1);\n  --header-gradient: linear-gradient(135deg, #0D1B2E 0%, #1565C0 40%, #2B7FE0 100%);\n  --header-text-shadow: 0 1px 8px rgba(0,0,0,0.2);\n  --summary-border-top: 3px solid var(--gold);\n  --note-bg: rgba(21,101,192,0.05); --note-warn-bg: rgba(230,161,0,0.05);\n  --topo-bg: #EDF2FA; --topo-border: #C0D0E5; --topo-text: #1565C0;\n  --copy-bg: rgba(21,101,192,0.08); --copy-hover: rgba(21,101,192,0.15);\n  --zebra: rgba(0,0,0,0.02);\n}\n* { box-sizing: border-box; margin: 0; padding: 0; }\nbody { font-family: 'Segoe UI', -apple-system, BlinkMacSystemFont, Helvetica, Arial, sans-serif; background: var(--bg); color: var(--text); line-height: 1.65; padding: 2rem; max-width: 1500px; margin: 0 auto; transition: background 0.3s, color 0.3s; }\nh1 { font-size: 2.2rem; margin-bottom: 0.25rem; font-weight: 800; color: var(--text-heading); letter-spacing: 0.5px; }\nh2 { font-size: 1.35rem; color: var(--gold); margin: 2.5rem 0 1rem; font-weight: 700; text-transform: uppercase; letter-spacing: 0.5px; border-bottom: 2px solid var(--gold-dim); padding-bottom: 0.5rem; }\nh3 { font-size: 1.05rem; color: var(--purple); margin: 1.5rem 0 0.75rem; font-weight: 700; }\nh4 { font-size: 0.95rem; color: var(--accent-light); margin: 1rem 0 0.5rem; font-weight: 600; }\n.subtitle { color: var(--gold-light); margin-bottom: 0.5rem; font-size: 1.05rem; }\n.last-updated { color: rgba(255,255,255,0.5); font-size: 0.82rem; }\ncode { background: var(--code-bg); padding: 2px 7px; border-radius: 4px; font-size: 0.83rem; color: var(--code-text); border: 1px solid var(--border); font-family: 'Cascadia Code','Fira Code','Consolas',monospace; }\na { color: var(--accent-light); text-decoration: none; }\na:hover { text-decoration: underline; color: var(--accent-bright); }\n.brand-header { background: var(--header-gradient); border: none; border-radius: 10px; padding: 2.5rem 2.5rem 2rem; margin-bottom: 1.5rem; position: relative; overflow: hidden; box-shadow: 0 4px 20px rgba(0,0,0,0.2); }\n.brand-header::before { content: ''; position: absolute; top: -40%; right: -10%; width: 50%; height: 180%; background: radial-gradient(ellipse, rgba(255,255,255,0.04) 0%, transparent 70%); pointer-events: none; }\n.brand-header h1 { color: #fff; text-shadow: var(--header-text-shadow); font-size: 2.4rem; letter-spacing: 1px; text-transform: uppercase; }\n.status-badge { display: inline-block; background: rgba(255,179,0,0.2); border: 1px solid rgba(255,179,0,0.4); color: #FFCA40; padding: 4px 14px; border-radius: 14px; font-size: 0.78rem; font-weight: 700; letter-spacing: 0.5px; text-transform: uppercase; margin-top: 0.5rem; }\n.theme-toggle { position: absolute; top: 1.25rem; right: 1.5rem; background: rgba(255,255,255,0.1); border: 1px solid rgba(255,255,255,0.15); border-radius: 20px; padding: 6px 14px; color: rgba(255,255,255,0.8); cursor: pointer; font-size: 0.78rem; font-weight: 600; letter-spacing: 0.3px; transition: background 0.2s; backdrop-filter: blur(4px); display: flex; align-items: center; gap: 6px; }\n.theme-toggle:hover { background: rgba(255,255,255,0.18); border-color: rgba(255,255,255,0.25); }\n.theme-toggle svg { width: 14px; height: 14px; fill: currentColor; }\nnav { background: var(--surface); border: 1px solid var(--border); border-radius: 8px; padding: 0.75rem 1rem; margin-bottom: 1.5rem; position: sticky; top: 0; z-index: 100; box-shadow: var(--card-shadow); }\nnav ul { list-style: none; display: flex; flex-wrap: wrap; gap: 4px; justify-content: center; }\nnav li { display: inline; }\nnav a { color: var(--accent-light); text-decoration: none; padding: 6px 14px; border-radius: 6px; font-size: 0.8rem; font-weight: 500; transition: all 0.2s; border: 1px solid transparent; cursor: pointer; display: inline-block; }\nnav a:hover { background: var(--surface2); border-color: var(--border); text-decoration: none; color: var(--accent-bright); }\nnav a.active { background: var(--accent); color: #fff; border-color: var(--accent); font-weight: 700; }\n.summary-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(140px, 1fr)); gap: 0.85rem; margin: 1.25rem 0; }\n.summary-card { background: var(--surface); border: 1px solid var(--border); border-top: var(--summary-border-top); border-radius: 8px; padding: 1.25rem; text-align: center; box-shadow: var(--card-shadow); transition: border-color 0.2s, transform 0.15s; }\n.summary-card:hover { border-color: var(--border-accent); transform: translateY(-1px); }\n.summary-number { font-size: 2rem; font-weight: 800; color: var(--accent-light); }\n.summary-label { color: var(--text-muted); font-size: 0.78rem; text-transform: uppercase; letter-spacing: 0.3px; margin-top: 2px; }\n.b { display: inline-block; padding: 2px 10px; border-radius: 10px; font-size: 0.7rem; font-weight: 600; text-transform: uppercase; letter-spacing: 0.4px; }\n.b-online { background: var(--green-bg); color: var(--green); border: 1px solid var(--green-border); }\n.b-planned { background: var(--yellow-bg); color: var(--yellow); border: 1px solid var(--yellow-border); }\n.b-offline { background: var(--red-bg); color: var(--red); border: 1px solid var(--red-border); }\n.b-mgmt { background: rgba(43,138,255,0.12); color: var(--accent-light); border: 1px solid rgba(43,138,255,0.25); }\n.b-prod { background: var(--green-bg); color: var(--green); border: 1px solid var(--green-border); }\n.b-home { background: var(--purple-bg); color: var(--purple); border: 1px solid var(--purple-border); }\n.b-tenant { background: rgba(232,136,62,0.12); color: var(--orange); border: 1px solid rgba(232,136,62,0.25); }\n.b-wifi { background: rgba(57,210,192,0.12); color: var(--cyan); border: 1px solid rgba(57,210,192,0.25); }\n.b-voip { background: var(--yellow-bg); color: var(--yellow); border: 1px solid var(--yellow-border); }\n.b-spare { background: var(--surface2); color: var(--text-muted); border: 1px solid var(--border); }\n.dot { display: inline-block; width: 8px; height: 8px; border-radius: 50%; margin-right: 6px; vertical-align: middle; }\n.dot-green { background: var(--green); box-shadow: 0 0 4px var(--green); }\n.dot-yellow { background: var(--yellow); box-shadow: 0 0 4px var(--yellow); }\n.dot-gray { background: var(--text-muted); }\n.dot-red { background: var(--red); box-shadow: 0 0 4px var(--red); }\ntable { width: 100%; border-collapse: collapse; margin: 1rem 0; font-size: 0.87rem; }\nth, td { padding: 0.55rem 0.75rem; border: 1px solid var(--border); text-align: left; }\nth { background: var(--surface2); color: var(--text-muted); font-weight: 600; font-size: 0.78rem; text-transform: uppercase; letter-spacing: 0.3px; }\ntr:nth-child(even) { background: var(--zebra); }\ntr:hover { background: rgba(43,138,255,0.05); }\n.ip { font-family: 'Cascadia Code','Fira Code','Consolas',monospace; color: var(--accent-light); font-weight: 600; font-size: 0.85rem; }\n.pw { font-family: 'Cascadia Code','Fira Code','Consolas',monospace; color: var(--orange); font-size: 0.82rem; }\n.card-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(320px, 1fr)); gap: 12px; margin: 1rem 0; }\n.card { background: var(--surface); border: 1px solid var(--border); border-radius: 8px; padding: 16px; box-shadow: var(--card-shadow); transition: border-color 0.2s; }\n.card:hover { border-color: var(--border-accent); }\n.card-title { font-weight:\
+    \ 700; font-size: 1rem; color: var(--text-heading); margin-bottom: 8px; display: flex; align-items: center; gap: 8px; }\n.card p, .card li { color: var(--text-muted); font-size: 0.85rem; margin: 4px 0; }\n.card ul { list-style: none; padding: 0; }\n.card li { padding: 4px 0; border-bottom: 1px solid var(--border); }\n.card li:last-child { border-bottom: none; }\n.topology { background: var(--topo-bg); border: 2px solid var(--topo-border); border-radius: 8px; padding: 2rem; margin: 1rem 0; overflow-x: auto; }\n.topology pre { font-family: 'Cascadia Code','Fira Code','Consolas',monospace; font-size: 0.82rem; color: var(--topo-text); line-height: 1.5; white-space: pre; }\n.copy-btn { background: var(--copy-bg); border: 1px solid var(--border); border-radius: 4px; color: var(--accent-light); cursor: pointer; padding: 2px 8px; font-size: 0.72rem; font-family: inherit; transition: background 0.2s; margin-left: 6px; vertical-align: middle; }\n.copy-btn:hover { background: var(--copy-hover); }\n.copy-btn.copied { color: var(--green); border-color: var(--green-border); }\n.note { background: var(--note-bg); border-left: 3px solid var(--accent); padding: 0.75rem 1rem; margin: 1rem 0; border-radius: 0 6px 6px 0; font-size: 0.87rem; }\n.note-warn { background: var(--note-warn-bg); border-left-color: var(--yellow); }\n.quick-links { display: grid; grid-template-columns: repeat(auto-fill, minmax(220px, 1fr)); gap: 8px; margin: 1rem 0; }\n.quick-link { background: var(--surface); border: 1px solid var(--border); border-radius: 6px; padding: 10px 14px; display: flex; align-items: center; gap: 8px; transition: all 0.2s; text-decoration: none; color: var(--text); }\n.quick-link:hover { border-color: var(--accent); background: var(--surface-hover); text-decoration: none; }\n.quick-link .ql-name { font-weight: 600; font-size: 0.85rem; color: var(--text-heading); }\n.quick-link .ql-url { font-size: 0.72rem; color: var(--text-muted); font-family: 'Cascadia Code',monospace; }\n.tab-content { display: none; }\n.tab-content.active { display: block; }\n.wifi-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(280px, 1fr)); gap: 16px; margin: 1.5rem 0; }\n.wifi-card { background: var(--surface); border: 1px solid var(--border); border-radius: 10px; overflow: hidden; box-shadow: var(--card-shadow); transition: border-color 0.2s, transform 0.15s; }\n.wifi-card:hover { border-color: var(--border-accent); transform: translateY(-2px); }\n.wifi-card-header { padding: 14px 16px 10px; border-bottom: 3px solid var(--border); }\n.wifi-ssid { font-size: 1.15rem; font-weight: 800; color: var(--text-heading); letter-spacing: 0.3px; }\n.wifi-vlan { margin-top: 4px; }\n.wifi-qr { display: flex; justify-content: center; align-items: center; padding: 16px; background: #ffffff; min-height: 180px; }\n.wifi-qr canvas { border-radius: 4px; }\n.wifi-qr-placeholder { background: var(--surface2) !important; border: 2px dashed var(--border); min-height: 180px; }\n.wifi-qr-placeholder .qr-placeholder-box { display: flex; flex-direction: column; align-items: center; gap: 12px; color: var(--text-muted); padding: 16px; text-align: center; }\n.wifi-qr-placeholder .qr-placeholder-box svg { color: var(--accent); opacity: 0.6; }\n.wifi-qr-placeholder .qr-placeholder-text { font-size: 0.82rem; font-weight: 600; letter-spacing: 0.3px; color: var(--accent-light); }\n.wifi-qr-open { border-color: var(--green-border); }\n.wifi-qr-open .qr-placeholder-box svg { color: var(--green); }\n.wifi-qr-open .qr-placeholder-text { color: var(--green); }\n.wifi-details { padding: 12px 16px 16px; }\n.wifi-field { display: flex; justify-content: space-between; align-items: center; padding: 6px 0; border-bottom: 1px solid var(--border); font-size: 0.85rem; }\n.wifi-field:last-child { border-bottom: none; }\n.wifi-label { color: var(--text-muted); font-weight: 600; font-size: 0.78rem; text-transform: uppercase; letter-spacing: 0.3px; min-width: 80px; }\n.wifi-value { color: var(--text); text-align: right; }\n.print-qr-btn { background: var(--accent); color: #fff; border: none; border-radius: 6px; padding: 8px 18px; font-size: 0.85rem; font-weight: 600; cursor: pointer; margin-left: 12px; transition: background 0.2s; }\n.print-qr-btn:hover { background: var(--accent-light); }\n@media print {\n  body { background: #fff !important; color: #000 !important; padding: 0 !important; }\n  nav, .brand-header, .theme-toggle, .copy-btn, .print-qr-btn, .note, .tab-content:not(.print-active) { display: none !important; }\n  .tab-content.print-active { display: block !important; }\n  .wifi-grid { grid-template-columns: repeat(2, 1fr) !important; gap: 20px !important; }\n  .wifi-card { break-inside: avoid; border: 2px solid #333 !important; box-shadow: none !important; page-break-inside: avoid; }\n  .wifi-card-header { border-bottom-color: #333 !important; }\n  .wifi-ssid { color: #000 !important; }\n  .wifi-qr { background: #fff !important; padding: 12px !important; }\n  .wifi-qr-placeholder { background: #f5f5f5 !important; border-color: #999 !important; }\n  .wifi-qr-placeholder .qr-placeholder-box svg { color: #333 !important; }\n  .wifi-qr-placeholder .qr-placeholder-text { color: #333 !important; }\n  .wifi-details { color: #000 !important; }\n  .wifi-field { border-bottom-color: #ccc !important; }\n  .wifi-label { color: #555 !important; }\n  .wifi-value, .wifi-value code { color: #000 !important; background: #eee !important; }\n  .b { border-color: #999 !important; color: #333 !important; background: #eee !important; }\n}\n@media (max-width: 768px) {\n  body { padding: 1rem; }\n  .brand-header { padding: 1.5rem; }\n  .brand-header h1 { font-size: 1.5rem; }\n  .summary-grid { grid-template-columns: repeat(3, 1fr); }\n  .card-grid { grid-template-columns: 1fr; }\n  nav a { font-size: 0.72rem; padding: 4px 8px; }\n  .topology pre { font-size: 0.7rem; }\n  table { font-size: 0.78rem; }\n  th, td { padding: 0.4rem 0.5rem; }\n  .quick-links { grid-template-columns: 1fr 1fr; }\n  .wifi-grid { grid-template-columns: 1fr; }\n  .wifi-qr canvas { width: 140px !important; height: 140px !important; }\n}\n</style>\n</head>\n<body>\n\n<div class=\"brand-header\">\n  <button class=\"theme-toggle\" onclick=\"toggleTheme()\" title=\"Switch theme\">\n    <svg viewBox=\"0 0 24 24\"><path d=\"M12 3a9 9 0 1 0 9 9c0-.46-.04-.92-.1-1.36a5.389 5.389 0 0 1-4.4 2.26 5.403 5.403 0 0 1-3.14-9.8c-.44-.06-.9-.1-1.36-.1z\"/></svg>\n    <span id=\"themeLabel\">Light</span>\n  </button>\n  <h1>Blue Jay Lab Intranet</h1>\n  <p class=\"subtitle\">BlueJay Network Infrastructure &mdash; 13 VLANs | 6 Nodes | Bare-Metal RKE2 | 5 WiFi SSIDs | 18 Domains | All Services Live</p>\n  <p class=\"last-updated\">Last updated: 2026-03-10</p>\n  <div class=\"status-badge\">REBUILD COMPLETE &mdash; All Services Live on Bare-Metal RKE2</div>\n</div>\n\n<nav>\n  <ul>\n    <li><a class=\"tab-btn active\" onclick=\"switchTab('overview',this)\">Overview</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('isp',this)\">ISP &amp; WAN</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('pfsense',this)\">pfSense</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('switching',this)\">Switch &amp; WiFi</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('dns',this)\">DNS Directory</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('k8s',this)\">Kubernetes</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('noc',this)\">NOC Services</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('vpn',this)\">VPN &amp; Security</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('edge',this)\">Edge Nodes</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('wifi',this)\">WiFi</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('planned',this)\">Planned</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('topology',this)\">Topology</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('domains',this)\">Domains</a></li>\n    <li><a class=\"tab-btn\" onclick=\"switchTab('credentials',this)\">Credentials</a></li>\n  </ul>\n</nav>\n\n<!-- ===== TAB: OVERVIEW ===== -->\n<div id=\"tab-overview\" class=\"tab-content active\">\n<h2>Overview</h2>\n<div class=\"summary-grid\">\n  <div class=\"summary-card\"><div class=\"summary-number\">12</div><div class=\"summary-label\">VLANs</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">6</div><div class=\"summary-label\">Physical Nodes</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">10</div><div class=\"summary-label\">ArgoCD Apps</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">43+</div><div class=\"summary-label\">DNS Entries</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">17</div><div class=\"summary-label\">Guacamole Conns</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">5</div><div class=\"summary-label\">WiFi SSIDs</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">8</div><div class=\"summary-label\">VPN Tunnels</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">13</div><div class=\"summary-label\">Public IPs</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">18</div><div class=\"summary-label\">Domains</div></div>\n</div>\n\n<div class=\"note note\"><strong>Network Status: REBUILD COMPLETE.</strong> All 13 phases complete. Bare-metal RKE2 3-node cluster, 10 ArgoCD apps healthy, Cloudflare DNS on /28, 1Password Connect wired. All services live.</div>\n\n<h3>Quick Links &mdash; Web UIs</h3>\n<div class=\"quick-links\">\n  <a class=\"quick-link\" href=\"https://10.0.56.1\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>pfSense</div><div class=\"ql-url\">https://10.0.56.1</div></div></a>\n  <a class=\"quick-link\" href=\"https://10.0.56.3\" target=\"_blank\"\
+    ><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>UniFi Cloud Key</div><div class=\"ql-url\">https://10.0.56.3</div></div></a>\n  <a class=\"quick-link\" href=\"http://10.0.58.2:8000\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Synology WiFi (SRM)</div><div class=\"ql-url\">http://10.0.58.2:8000</div></div></a>\n  <a class=\"quick-link\" href=\"https://traefik.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Traefik Dashboard</div><div class=\"ql-url\">https://traefik.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://10.0.56.10:9090\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Cockpit (noc1)</div><div class=\"ql-url\">https://10.0.56.10:9090</div></div></a>\n  <a class=\"quick-link\" href=\"http://10.0.56.10:3000\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Grafana</div><div class=\"ql-url\">http://10.0.56.10:3000</div></div></a>\n  <a class=\"quick-link\" href=\"http://10.0.56.10:9091\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Prometheus</div><div class=\"ql-url\">http://10.0.56.10:9091</div></div></a>\n  <a class=\"quick-link\" href=\"http://10.0.56.10:30080/guacamole/\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Guacamole</div><div class=\"ql-url\">http://10.0.56.10:30080/guacamole/</div></div></a>\n  <a class=\"quick-link\" href=\"http://pki.iamworkin.lan:30081\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>PKI Web</div><div class=\"ql-url\">http://pki.iamworkin.lan:30081</div></div></a>\n  <a class=\"quick-link\" href=\"https://argocd.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>ArgoCD</div><div class=\"ql-url\">https://argocd.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://zabbix.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Zabbix</div><div class=\"ql-url\">https://zabbix.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"https://gitea.iamworkin.lan\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Gitea</div><div class=\"ql-url\">https://gitea.iamworkin.lan</div></div></a>\n  <a class=\"quick-link\" href=\"http://192.168.254.254\" target=\"_blank\"><div><div class=\"ql-name\"><span class=\"dot dot-green\"></span>Frontier Modem</div><div class=\"ql-url\">http://192.168.254.254</div></div></a>\n</div>\n\n<h3>Phase Progress</h3>\n<table>\n<thead><tr><th>Phase</th><th>Description</th><th>Status</th><th>Progress</th></tr></thead>\n<tbody>\n<tr><td>1</td><td>Frontier Modem Config</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>2</td><td>pfSense Base (WAN, LAN, VIPs)</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>3</td><td>VLAN Configuration (12 VLANs)</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>4</td><td>Firewall Rules &amp; Aliases</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>5</td><td>Bare-Metal RKE2 Cluster</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>6</td><td>OpenVPN (8 servers)</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>7</td><td>NAT Configuration</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>8</td><td>Traffic Shaper</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>9</td><td>DNS + NTP + SNMP</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>10</td><td>Switch + WiFi Config</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>11</td><td>NOC1 + Bare-Metal RKE2</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>12</td><td>GitOps + ArgoCD</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n<tr><td>13</td><td>Documentation Sync</td><td><span class=\"b b-online\">Done</span></td><td>100%</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: ISP & WAN ===== -->\n<div id=\"tab-isp\" class=\"tab-content\">\n<h2>ISP &amp; WAN</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>ISP: Frontier Communications</div>\n    <ul>\n      <li><strong>Service:</strong> 1000/1000 Mbps fiber</li>\n      <li><strong>Account:</strong> 952-431-5646-020421-7</li>\n      <li><strong>Measured:</strong> 925 down / 677 up (MGMT VLAN)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Modem: NVG468MQ</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"http://192.168.254.254\" target=\"_blank\">http://192.168.254.254</a> <button class=\"copy-btn\" onclick=\"copyText('192.168.254.254')\">copy</button></li>\n      <li><strong>Credentials:</strong> <code>admin</code> / <code class=\"pw\">5108967609</code> <button class=\"copy-btn\" onclick=\"copyText('5108967609')\">copy</button></li>\n      <li><strong>Serial:</strong> 184795207512112</li>\n      <li><strong>Firmware:</strong> 9.3.0h7d91</li>\n      <li><strong>WAN IP:</strong> <span class=\"ip\">74.32.187.152/22</span> <button class=\"copy-btn\" onclick=\"copyText('74.32.187.152')\">copy</button></li>\n      <li><strong>Config:</strong> DMZ to pfSense, WiFi OFF, firewall OFF</li>\n    </ul>\n  </div>\n</div>\n<h3>WAN Status</h3>\n<table>\n<thead><tr><th>Property</th><th>Value</th></tr></thead>\n<tbody>\n<tr><td>pfSense WAN Interface</td><td>ix3 (DHCP from modem)</td></tr>\n<tr><td>pfSense WAN IP</td><td><span class=\"ip\">192.168.254.122</span> <button class=\"copy-btn\" onclick=\"copyText('192.168.254.122')\">copy</button> (double NAT intentional)</td></tr>\n<tr><td>Public /28 Block</td><td><span class=\"ip\">74.40.140.16/28</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.16/28')\">copy</button></td></tr>\n<tr><td>Gateway</td><td><span class=\"ip\">74.40.140.30</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.30')\">copy</button></td></tr>\n<tr><td>Usable Range</td><td><span class=\"ip\">74.40.140.17 &ndash; 74.40.140.29</span> (13 IPs)</td></tr>\n</tbody>\n</table>\n<div class=\"note note-warn\"><strong>ISP /28 Routing: LIVE.</strong> Public /28 (74.40.140.16/28) fully operational. 13 VIPs, 12 outbound NAT rules, 18 port forwards. Cloudflare DNS on /28 IPs.</div>\n<h3>Modem Static Routes</h3>\n<table>\n<thead><tr><th>Name</th><th>Destination</th><th>Gateway</th><th>Interface</th></tr></thead>\n<tbody>\n<tr><td>pfSense-Public-28</td><td><span class=\"ip\">74.40.140.16/28</span></td><td><span class=\"ip\">192.168.254.122</span></td><td>LAN</td></tr>\n<tr><td>pfSense-Private-Subnets</td><td><span class=\"ip\">10.0.0.0/8</span></td><td><span class=\"ip\">192.168.254.122</span></td><td>LAN</td></tr>\n</tbody>\n</table>\n<h3>Public IP Allocation (13 usable)</h3>\n<table>\n<thead><tr><th>IP</th><th>Full Address</th><th>Assignment</th><th>VLAN(s)</th><th>Services</th></tr></thead>\n<tbody>\n<tr><td>.16</td><td><span class=\"ip\">74.40.140.16</span></td><td><em>Network address</em></td><td>&mdash;</td><td>Unusable</td></tr>\n<tr><td>.17</td><td><span class=\"ip\">74.40.140.17</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.17')\">copy</button></td><td>ANDREW + VPN</td><td>60</td><td>Andrew tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.18</td><td><span class=\"ip\">74.40.140.18</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.18')\">copy</button></td><td>MATT + VPN</td><td>61</td><td>Matt tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.19</td><td><span class=\"ip\">74.40.140.19</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.19')\">copy</button></td><td>DUSTIN + VPN</td><td>62</td><td>Dustin tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.20</td><td><span class=\"ip\">74.40.140.20</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.20')\">copy</button></td><td>ERIK + VPN</td><td>63</td><td>Erik tenant primary + VPN :1194/:1195</td></tr>\n<tr><td>.21</td><td><span class=\"ip\">74.40.140.21</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.21')\">copy</button></td><td>PROD</td><td>57</td><td>K8s Traefik shared ingress (flowercore.io)</td></tr>\n<tr><td>.22</td><td><span class=\"ip\">74.40.140.22</span></td><td><em>Reserved</em></td><td>&mdash;</td><td>&mdash;</td></tr>\n<tr><td>.23</td><td><span class=\"ip\">74.40.140.23</span></td><td><em>Reserved</em></td><td>&mdash;</td><td>&mdash;</td></tr>\n<tr><td>.24</td><td><span class=\"ip\">74.40.140.24</span></td><td><em>Reserved</em></td><td>&mdash;</td><td>&mdash;</td></tr>\n<tr><td>.25</td><td><span class=\"ip\">74.40.140.25</span></td><td><em>Reserved</em></td><td>&mdash;</td><td>&mdash;</td></tr>\n<tr><td>.26</td><td><span class=\"ip\">74.40.140.26</span></td><td><em>Reserved</em></td><td>&mdash;</td><td>&mdash;</td></tr>\n<tr><td>.27</td><td><span class=\"ip\">74.40.140.27</span></td><td><em>Reserved</em></td><td>&mdash;</td><td>&mdash;</td></tr>\n<tr><td>.28</td><td><span class=\"ip\">74.40.140.28</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.28')\">copy</button></td><td>SHARED</td><td>59,64,65,66,67</td><td>WORK+SCHOOL+GUEST+VOIP+EMPLOYEE outbound</td></tr>\n<tr><td>.29</td><td><span class=\"ip\">74.40.140.29</span> <button class=\"copy-btn\" onclick=\"copyText('74.40.140.29')\">copy</button></td><td>HOME</td><td>58</td><td>Home traffic + Nintendo Switch static port NAT</td></tr>\n<tr><td>.30</td><td><span class=\"ip\">74.40.140.30</span></td><td><em>Gateway (Frontier)</em></td><td>&mdash;</td><td>ISP\
+    \ router</td></tr>\n<tr><td>.31</td><td><span class=\"ip\">74.40.140.31</span></td><td><em>Broadcast</em></td><td>&mdash;</td><td>Unusable</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: PFSENSE ===== -->\n<div id=\"tab-pfsense\" class=\"tab-content\">\n<h2>pfSense Firewall</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Netgate 4100</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"https://10.0.56.1\" target=\"_blank\">https://10.0.56.1</a> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.1')\">copy</button></li>\n      <li><strong>Credentials:</strong> <code>admin</code> / <code class=\"pw\">SCOOBY_entry1latimer</code> <button class=\"copy-btn\" onclick=\"copyText('SCOOBY_entry1latimer')\">copy</button></li>\n      <li><strong>SSH:</strong> <code>admin@10.0.56.1</code> <button class=\"copy-btn\" onclick=\"copyText('ssh admin@10.0.56.1')\">copy</button></li>\n      <li><strong>Hardware:</strong> 2x SFP+, 4x 2.5GbE (igc0-3)</li>\n      <li><strong>WAN:</strong> ix3 &mdash; LAN: igc0 (802.1Q trunk)</li>\n      <li><strong>Domain:</strong> iamworkin.lan</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Firewall Stats</div>\n    <ul>\n      <li><strong>Aliases:</strong> 36 (16 port, 5 host, 15 network)</li>\n      <li><strong>Rules:</strong> 90 active</li>\n      <li><strong>Policy:</strong> Air-gapped default &mdash; deny all, explicit allow</li>\n      <li><strong>SNMP:</strong> community <code class=\"pw\">bluejay_monitor</code> <button class=\"copy-btn\" onclick=\"copyText('bluejay_monitor')\">copy</button></li>\n      <li><strong>SNMP Modules:</strong> mibII, netgraph, pf, hostres, bridge</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Services</div>\n    <ul>\n      <li><strong>DNS:</strong> Unbound (DNSSEC, WAN-only outgoing, prefetch)</li>\n      <li><strong>DHCP:</strong> dhcpd on all 12 VLAN interfaces (.100-.199)</li>\n      <li><strong>NTP:</strong> ntpd on all VLAN interfaces, DHCP option 42</li>\n      <li><strong>Traffic Shaper:</strong> 24 dummynet pipes, fq_codel</li>\n    </ul>\n  </div>\n</div>\n<h3>VLAN Configuration (12 VLANs)</h3>\n<table>\n<thead><tr><th>VLAN</th><th>Name</th><th>Subnet</th><th>DHCP Range</th><th>Down/Up (Mbps)</th><th>Priority</th><th>Public IP</th></tr></thead>\n<tbody>\n<tr><td>56</td><td><span class=\"b b-mgmt\">MGMT</span></td><td><span class=\"ip\">10.0.56.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>5</td><td>WAN DHCP</td></tr>\n<tr><td>57</td><td><span class=\"b b-prod\">PROD</span></td><td><span class=\"ip\">10.0.57.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>5</td><td>.21</td></tr>\n<tr><td>58</td><td><span class=\"b b-home\">HOME</span></td><td><span class=\"ip\">10.0.58.0/24</span></td><td>.100-.199</td><td>800 / 800</td><td>3</td><td>.29</td></tr>\n<tr><td>59</td><td><span class=\"b b-wifi\">EMPLOYEE</span></td><td><span class=\"ip\">10.0.59.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>3</td><td>.28 (shared)</td></tr>\n<tr><td>60</td><td><span class=\"b b-tenant\">ANDREW</span></td><td><span class=\"ip\">10.0.60.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.17</td></tr>\n<tr><td>61</td><td><span class=\"b b-tenant\">MATT</span></td><td><span class=\"ip\">10.0.61.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.18</td></tr>\n<tr><td>62</td><td><span class=\"b b-tenant\">DUSTIN</span></td><td><span class=\"ip\">10.0.62.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.19</td></tr>\n<tr><td>63</td><td><span class=\"b b-tenant\">ERIK</span></td><td><span class=\"ip\">10.0.63.0/24</span></td><td>.100-.199</td><td>300 / 300</td><td>3</td><td>.20</td></tr>\n<tr><td>64</td><td><span class=\"b b-wifi\">WORK</span></td><td><span class=\"ip\">10.0.64.0/24</span></td><td>.100-.199</td><td>500 / 500</td><td>3</td><td>.28 (shared)</td></tr>\n<tr><td>65</td><td><span class=\"b b-wifi\">SCHOOL</span></td><td><span class=\"ip\">10.0.65.0/24</span></td><td>.100-.199</td><td>200 / 200</td><td>1</td><td>.28 (shared)</td></tr>\n<tr><td>66</td><td><span class=\"b b-spare\">GUEST</span></td><td><span class=\"ip\">10.0.66.0/24</span></td><td>.100-.199</td><td>100 / 50</td><td>1</td><td>.28 (shared)</td></tr>\n<tr><td>67</td><td><span class=\"b b-voip\">VOIP</span></td><td><span class=\"ip\">10.0.67.0/24</span></td><td>.100-.199</td><td>100 / 100</td><td>7</td><td>.28 (shared)</td></tr>\n</tbody>\n</table>\n<div class=\"note\"><strong>Firewall Policy:</strong> MGMT has full access. HOME/WORK/SCHOOL get general internet. GUEST isolated except PROD web. Tenants fully isolated from each other &mdash; only PROD, DNS, NAS, and internet. VOIP is SIP-only outbound.</div>\n</div>\n\n<!-- ===== TAB: SWITCHING & WIFI ===== -->\n<div id=\"tab-switching\" class=\"tab-content\">\n<h2>Switching &amp; WiFi</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>UniFi Switch USW-Lite-16-PoE</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">10.0.56.2</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.2')\">copy</button></li>\n      <li><strong>MAC:</strong> 74:ac:b9:e3:93:ba</li>\n      <li><strong>SSH:</strong> <code>GOShDkH@10.0.56.2</code> <button class=\"copy-btn\" onclick=\"copyText('ssh GOShDkH@10.0.56.2')\">copy</button></li>\n      <li><strong>SSH Password:</strong> <code class=\"pw\">6IDvT8vmQH6QqsP</code> <button class=\"copy-btn\" onclick=\"copyText('6IDvT8vmQH6QqsP')\">copy</button></li>\n      <li><strong>Firmware:</strong> 7.2.123.16565</li>\n      <li><strong>CLI:</strong> Type <code>cli</code> for Realtek switch CLI</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>UniFi Cloud Key G2</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"https://10.0.56.3\" target=\"_blank\">https://10.0.56.3</a> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.3')\">copy</button></li>\n      <li><strong>Credentials:</strong> <code>admin</code> / <code class=\"pw\">nest7BEGGAR*revoked</code> <button class=\"copy-btn\" onclick=\"copyText('nest7BEGGAR*revoked')\">copy</button></li>\n      <li><strong>SSH:</strong> <code>root@10.0.56.3</code> / <code class=\"pw\">6IDvT8vmQH6QqsP</code></li>\n      <li><strong>Network Version:</strong> 7.1.61</li>\n      <li><strong>MongoDB:</strong> port 27117 (database <code>ace</code>)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Synology RT6600AX (AP Mode)</div>\n    <ul>\n      <li><strong>Web:</strong> <a href=\"http://10.0.58.2:8000\" target=\"_blank\">http://10.0.58.2:8000</a> <button class=\"copy-btn\" onclick=\"copyText('10.0.58.2')\">copy</button></li>\n      <li><strong>Credentials:</strong> <code>bluejay</code> / <code class=\"pw\">galileo_parisian8ADMIRE</code> <button class=\"copy-btn\" onclick=\"copyText('galileo_parisian8ADMIRE')\">copy</button></li>\n      <li><strong>SSH:</strong> <code>bluejay@10.0.58.2</code> port 22</li>\n      <li><strong>MAC:</strong> 90:09:d0:3d:64:ae</li>\n      <li><strong>Mode:</strong> AP (bridge), all trunk ports enabled</li>\n    </ul>\n  </div>\n</div>\n<h3>Switch Port Assignments</h3>\n<table>\n<thead><tr><th>Port</th><th>Device</th><th>Mode</th><th>VLAN</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>1</td><td>pfSense Uplink</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>2</td><td>harvester3</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>3</td><td>WiFi Uplink (Synology)</td><td>Trunk, native 58</td><td>57-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>4</td><td>harvester2</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>5</td><td>Cloud Key G2</td><td>Access</td><td>56 (MGMT)</td><td><span class=\"dot dot-green\"></span>UP (PoE)</td></tr>\n<tr><td>6</td><td>harvester1</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>7</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>8</td><td>noc1</td><td>Trunk (All)</td><td>56-67</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>9</td><td>Workstation</td><td>Access</td><td>56 (MGMT)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>10</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>11</td><td>edge2 (Pi 4)</td><td>Access</td><td>57 (PROD)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>12</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>13</td><td>edge1 (Pi 5)</td><td>Access</td><td>57 (PROD)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>14</td><td>Synology NAS</td><td>Access</td><td>58 (HOME)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n<tr><td>15</td><td><em>Available</em></td><td>&mdash;</td><td>&mdash;</td><td><span class=\"dot dot-gray\"></span>Down</td></tr>\n<tr><td>16</td><td>Synology 2</td><td>Access</td><td>58 (HOME)</td><td><span class=\"dot dot-green\"></span>UP</td></tr>\n</tbody>\n</table>\n<h3>WiFi SSIDs</h3>\n<table>\n<thead><tr><th>SSID</th><th>Bridge</th><th>VLAN</th><th>Type</th><th>Password</th></tr></thead>\n<tbody>\n<tr><td><strong>BlueJay-Home</strong></td><td>br0</td><td>untagged (58)</td><td>Primary</td><td><code class=\"pw\">Starling-Tundra-Condor-Coral</code> <button class=\"copy-btn\" onclick=\"copyText('Starling-Tundra-Condor-Coral')\">copy</button></td></tr>\n<tr><td><strong>BlueJay-Employee</strong></td><td>br2</td><td>59</td><td>Custom</td><td><code\
+    \ class=\"pw\">Merlin~Ivory~Oakleaf~Bramble</code> <button class=\"copy-btn\" onclick=\"copyText('Merlin~Ivory~Oakleaf~Bramble')\">copy</button></td></tr>\n<tr><td><strong>BlueJay-Work</strong></td><td>br3</td><td>64</td><td>Custom</td><td><code class=\"pw\">Forge.Hawk.Oakleaf.Topaz</code> <button class=\"copy-btn\" onclick=\"copyText('Forge.Hawk.Oakleaf.Topaz')\">copy</button></td></tr>\n<tr><td><strong>BlueJay-School</strong></td><td>br4</td><td>65</td><td>Custom</td><td><code class=\"pw\">Harbor-Eagle-Condor-Topaz</code> <button class=\"copy-btn\" onclick=\"copyText('Harbor-Eagle-Condor-Topaz')\">copy</button></td></tr>\n<tr><td><strong>BlueJay-Guest</strong></td><td>gbr0</td><td>66</td><td>Guest (isolation+NAT)</td><td><code class=\"pw\">Eagle.Oriole.Osprey.Silver</code> <button class=\"copy-btn\" onclick=\"copyText('Eagle.Oriole.Osprey.Silver')\">copy</button></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: DNS ===== -->\n<div id=\"tab-dns\" class=\"tab-content\">\n<h2>DNS Directory</h2>\n<div class=\"note\">All entries are pfSense Unbound host overrides under <code>iamworkin.lan</code>. 42+ total entries configured.</div>\n<h3>Management Devices</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>pfsense.iamworkin.lan</td><td><span class=\"ip\">10.0.56.1</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.1')\">copy</button></td><td>pfSense firewall</td></tr>\n<tr><td>switch.iamworkin.lan</td><td><span class=\"ip\">10.0.56.2</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.2')\">copy</button></td><td>UniFi PoE Switch</td></tr>\n<tr><td>unifi.iamworkin.lan</td><td><span class=\"ip\">10.0.56.3</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.3')\">copy</button></td><td>UniFi Cloud Key G2</td></tr>\n<tr><td>wifi.iamworkin.lan</td><td><span class=\"ip\">10.0.58.2</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.58.2')\">copy</button></td><td>Synology WiFi Router (AP)</td></tr>\n<tr><td>nas.iamworkin.lan</td><td><span class=\"ip\">10.0.58.3</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.58.3')\">copy</button></td><td>Synology NAS</td></tr>\n</tbody>\n</table>\n<h3>Harvester Cluster</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>harvester.iamworkin.lan</td><td><span class=\"ip\">10.0.56.14</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.14')\">copy</button></td><td>Harvester VIP (cluster dashboard)</td></tr>\n<tr><td>harvester1.iamworkin.lan</td><td><span class=\"ip\">10.0.56.11</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.11')\">copy</button></td><td>Harvester node 1</td></tr>\n<tr><td>harvester2.iamworkin.lan</td><td><span class=\"ip\">10.0.56.12</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.12')\">copy</button></td><td>Harvester node 2</td></tr>\n<tr><td>harvester3.iamworkin.lan</td><td><span class=\"ip\">10.0.56.13</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.13')\">copy</button></td><td>Harvester node 3</td></tr>\n</tbody>\n</table>\n<h3>NOC Services (noc1)</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>noc1.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.10')\">copy</button></td><td>NOC management node (K3s)</td></tr>\n<tr><td>acme.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>step-ca ACME CA</td></tr>\n<tr><td>pki.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>PKI cert/CRL distribution</td></tr>\n<tr><td>guac.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>Apache Guacamole</td></tr>\n<tr><td>grafana.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>Grafana monitoring</td></tr>\n<tr><td>prometheus.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>Prometheus metrics</td></tr>\n<tr><td>cockpit.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>Cockpit web console</td></tr>\n<tr><td>traefik.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>Traefik dashboard (K3s)</td></tr>\n<tr><td>gitea.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>Gitea Git hosting (K3s, :3000/SSH :30022)</td></tr>\n<tr><td>irc.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>UnrealIRCd IRC server (K3s, TLS 6697)</td></tr>\n<tr><td>intranet.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>Lab intranet dashboard (K3s + Traefik TLS)</td></tr>\n<tr><td>zabbix.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>Zabbix monitoring (K3s, :30083, 10 hosts)</td></tr>\n<tr><td>op-connect.iamworkin.lan</td><td><span class=\"ip\">10.0.56.10</span></td><td>1Password Connect (planned)</td></tr>\n</tbody>\n</table>\n<h3>RKE2 Workload Cluster</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>rke2.iamworkin.lan</td><td><span class=\"ip\">10.0.56.118</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.118')\">copy</button></td><td>RKE2 API server</td></tr>\n<tr><td>rke2-node1.iamworkin.lan</td><td><span class=\"ip\">10.0.56.118</span></td><td>RKE2 node 1 (on harvester2)</td></tr>\n<tr><td>rke2-node2.iamworkin.lan</td><td><span class=\"ip\">10.0.56.119</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.119')\">copy</button></td><td>RKE2 node 2 (on harvester1)</td></tr>\n<tr><td>rke2-node3.iamworkin.lan</td><td><span class=\"ip\">10.0.56.120</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.120')\">copy</button></td><td>RKE2 node 3 (on harvester3)</td></tr>\n<tr><td>traefik.iamworkin.lan</td><td><span class=\"ip\">10.0.56.200</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.200')\">copy</button></td><td>Traefik LoadBalancer (MetalLB)</td></tr>\n<tr><td>rke2-ingress.iamworkin.lan</td><td><span class=\"ip\">10.0.56.200</span></td><td>RKE2 ingress (MetalLB)</td></tr>\n<tr><td>argocd.iamworkin.lan</td><td><span class=\"ip\">10.0.56.200</span></td><td>ArgoCD GitOps (RKE2 via Traefik)</td></tr>\n<tr><td>test.iamworkin.lan</td><td><span class=\"ip\">10.0.56.200</span></td><td>RKE2 test workload</td></tr>\n</tbody>\n</table>\n<h3>Production / Edge Nodes</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>macmini.iamworkin.lan</td><td><span class=\"ip\">10.0.57.50</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.50')\">copy</button></td><td>Mac Mini build node (Xcode)</td></tr>\n<tr><td>edge1.iamworkin.lan</td><td><span class=\"ip\">10.0.57.15</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.15')\">copy</button></td><td>Pi 5 + Hailo AI HAT+ 2</td></tr>\n<tr><td>edge2.iamworkin.lan</td><td><span class=\"ip\">10.0.57.16</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.16')\">copy</button></td><td>Pi 4 (Argon ONE, CI runner)</td></tr>\n</tbody>\n</table>\n<h3>Planned / Windows (pre-registered)</h3>\n<table>\n<thead><tr><th>Hostname</th><th>IP</th><th>Role</th></tr></thead>\n<tbody>\n<tr><td>dc1.iamworkin.lan</td><td><span class=\"ip\">10.0.56.20</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.20')\">copy</button></td><td>AD Domain Controller (planned)</td></tr>\n<tr><td>wac1.iamworkin.lan</td><td><span class=\"ip\">10.0.56.21</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.21')\">copy</button></td><td>Windows Admin Center (planned)</td></tr>\n<tr><td>rds1.iamworkin.lan</td><td><span class=\"ip\">10.0.57.20</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.20')\">copy</button></td><td>Remote Desktop Services (planned)</td></tr>\n<tr><td>iis1.iamworkin.lan</td><td><span class=\"ip\">10.0.57.21</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.21')\">copy</button></td><td>IIS Web Server (planned)</td></tr>\n<tr><td>proxy.iamworkin.lan</td><td><span class=\"ip\">10.0.56.22</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.22')\">copy</button></td><td>Squid Authenticated Proxy (planned)</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: KUBERNETES ===== -->\n<div id=\"tab-k8s\" class=\"tab-content\">\n<h2>Kubernetes Clusters</h2>\n<h3>K3s (noc1 &mdash; Management Services)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>K3s on noc1</div>\n    <ul>\n      <li><strong>Node:</strong> <span class=\"ip\">10.0.56.10</span> (single-node)</li>\n      <li><strong>Version:</strong> K3s v1.34.5</li>\n      <li><strong>Traefik:</strong> Disabled (using NodePort)</li>\n      <li><strong>ServiceLB:</strong> Disabled</li>\n      <li><strong>Tools:</strong> kubectl v1.35.2, virtctl v1.7.0, helm v3.20.0</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">K3s Services</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span>Guacamole &mdash; :30080</li>\n      <li><span class=\"dot dot-green\"></span>PKI Web &mdash; :30081</li>\n      <li><span class=\"dot dot-green\"></span>Gitea &mdash; :3000 (SSH :30022)</li>\n      <li><span class=\"dot dot-green\"></span>UnrealIRCd + Anope &mdash; :6667/:6697</li>\n      <li><span class=\"dot dot-green\"></span>Zabbix &mdash; :30083</li>\n    </ul>\n  </div>\n</div>\n<h3>Harvester HCI (VM Platform)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Harvester Cluster</div>\n    <ul>\n      <li><strong>Dashboard:</strong> <a href=\"https://10.0.56.14\" target=\"_blank\">https://10.0.56.14</a> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.14')\">copy</button></li>\n      <li><strong>Credentials:</strong> <code>admin</code> / <code class=\"pw\">getup-billion4AGAINST</code> <button class=\"copy-btn\" onclick=\"copyText('getup-billion4AGAINST')\">copy</button></li>\n      <li><strong>Version:</strong>\
+    \ DECOMMISSIONED &mdash; Replaced by Bare-Metal RKE2</li>\n      <li><strong>Kubeconfig:</strong> <code>/home/stoltz/.kube/rke2.yaml (WSL)</code> on noc1</li>\n      <li><strong>Cluster Token:</strong> <code class=\"pw\">See 1Password</code></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Harvester Nodes</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-server:</strong> <span class=\"ip\">10.0.56.11</span> &mdash; i7-1260P / 64GB</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent1:</strong> <span class=\"ip\">10.0.56.12</span> &mdash; i7-1260P / 64GB</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent2:</strong> <span class=\"ip\">10.0.56.13</span> &mdash; i5-1340P / 64GB (bare-metal openSUSE Leap 16)</li>\n      <li><strong>SSH:</strong> <code>root@10.0.56.{11,12,13}</code> (ed25519 key auth)</li>\n      <li><strong>Password:</strong> <span class=\"b b-offline\">SSH Key Only</span> &mdash; See 1Password</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Harvester Resources</div>\n    <ul>\n      <li><strong>VM Images:</strong> 11 (Ubuntu, openSUSE, Windows, SQL Server)</li>\n      <li><strong>VM Networks:</strong> 13 (12 VLAN bridges + mgmt-untagged)</li>\n      <li><strong>Storage:</strong> Longhorn (replica count 2)</li>\n      <li><strong>Active VMs:</strong> rke2-node1, rke2-node2, rke2-node3</li>\n    </ul>\n  </div>\n</div>\n<h3>RKE2 (Workload Cluster)</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>RKE2 Cluster</div>\n    <ul>\n      <li><strong>Version:</strong> RKE2 v1.34.5+rke2r1</li>\n      <li><strong>OS:</strong> openSUSE Leap 16.0 (bare-metal)</li>\n      <li><strong>CNI:</strong> Calico (VXLAN mode)</li>\n      <li><strong>Pod CIDR:</strong> <span class=\"ip\">10.42.0.0/16</span></li>\n      <li><strong>Service CIDR:</strong> <span class=\"ip\">10.43.0.0/16</span></li>\n      <li><strong>Kubeconfig:</strong> <code>/root/.kube/rke2.yaml</code> on noc1</li>\n      <li><strong>Token:</strong> <code class=\"pw\">bluejay-rke2-2026</code></li>\n      <li><strong>Root Password:</strong> <code class=\"pw\">BlueJay-RKE2-2026</code> <button class=\"copy-btn\" onclick=\"copyText('BlueJay-RKE2-2026')\">copy</button></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">RKE2 Nodes</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-server:</strong> <span class=\"ip\">10.0.56.11</span> (bare-metal)</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent1:</strong> <span class=\"ip\">10.0.56.12</span> (bare-metal)</li>\n      <li><span class=\"dot dot-green\"></span><strong>rke2-agent2:</strong> <span class=\"ip\">10.0.56.13</span> (bare-metal)</li>\n      <li><strong>Specs:</strong> Full NUC hardware (bare-metal)</li>\n      <li><strong>SSH Key:</strong> <code>ed25519 key (stoltz@IAMWORKIN-WS)</code> (ed25519)</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">RKE2 Infrastructure</div>\n    <ul>\n      <li><span class=\"dot dot-green\"></span><strong>MetalLB:</strong> v0.14.9, L2 mode, pool <span class=\"ip\">10.0.56.200-220</span></li>\n      <li><span class=\"dot dot-green\"></span><strong>Traefik:</strong> v3.6.9, 2 replicas, LB <span class=\"ip\">10.0.56.200</span></li>\n      <li><strong>Namespaces:</strong> fc-system, fc-tenant-andrew, fc-tenant-matt, fc-tenant-dustin, fc-tenant-erik, test, traefik-system, metallb-system</li>\n      <li><strong>NetworkPolicies:</strong> Applied to all 5 tenant namespaces</li>\n      <li><strong>Test:</strong> nginx + IngressRoute on test.iamworkin.lan verified</li>\n    </ul>\n  </div>\n</div>\n<h3>pfSense Static Routes (K8s)</h3>\n<table>\n<thead><tr><th>Destination</th><th>Gateway</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td><span class=\"ip\">10.42.0.0/16</span></td><td><span class=\"ip\">10.0.56.11</span> (rke2-server)</td><td>Pod CIDR routing</td></tr>\n<tr><td><span class=\"ip\">10.43.0.0/16</span></td><td><span class=\"ip\">10.0.56.11</span> (rke2-server)</td><td>Service CIDR routing</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: NOC SERVICES ===== -->\n<div id=\"tab-noc\" class=\"tab-content\">\n<h2>NOC Services (noc1)</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>noc1 Host</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">10.0.56.10</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.56.10')\">copy</button></li>\n      <li><strong>SSH:</strong> <code>root@10.0.56.10</code> <button class=\"copy-btn\" onclick=\"copyText('ssh root@10.0.56.10')\">copy</button></li>\n      <li><strong>Password:</strong> <code class=\"pw\">harbor-badge-kitten-valley-falcon</code> <button class=\"copy-btn\" onclick=\"copyText('harbor-badge-kitten-valley-falcon')\">copy</button></li>\n      <li><strong>OS:</strong> openSUSE Leap Micro 6.2 (immutable)</li>\n      <li><strong>CPU:</strong> Intel Celeron N5105 (4C/4T)</li>\n      <li><strong>RAM:</strong> 32 GB</li>\n      <li><strong>Disk:</strong> 1TB NVMe (929GB free)</li>\n      <li><strong>Runtimes:</strong> Podman 5.4.2, K3s v1.34.5</li>\n    </ul>\n  </div>\n</div>\n<h3>Service Directory</h3>\n<table>\n<thead><tr><th>Service</th><th>URL</th><th>Port</th><th>Credentials</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>Cockpit</td><td><a href=\"https://10.0.56.10:9090\" target=\"_blank\">https://10.0.56.10:9090</a></td><td>9090</td><td><code>root</code> / <code class=\"pw\">harbor-badge-kitten-valley-falcon</code></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Prometheus</td><td><a href=\"http://10.0.56.10:9091\" target=\"_blank\">http://10.0.56.10:9091</a></td><td>9091</td><td><em>No auth</em> (90-day retention)</td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Grafana</td><td><a href=\"http://10.0.56.10:3000\" target=\"_blank\">http://10.0.56.10:3000</a></td><td>3000</td><td><code>admin</code> / <code class=\"pw\">holly-pine-atlas-crane</code> <button class=\"copy-btn\" onclick=\"copyText('holly-pine-atlas-crane')\">copy</button></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Node Exporter</td><td>http://10.0.56.10:9100</td><td>9100</td><td><em>Metrics only</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>SNMP Exporter</td><td>http://10.0.56.10:9116</td><td>9116</td><td><em>pfSense SNMP scraper</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Guacamole</td><td><a href=\"http://10.0.56.10:30080/guacamole/\" target=\"_blank\">http://10.0.56.10:30080/guacamole/</a></td><td>30080</td><td><code>guacadmin</code> / <code class=\"pw\">fern-anchor-amber-viper</code> <button class=\"copy-btn\" onclick=\"copyText('fern-anchor-amber-viper')\">copy</button></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>step-ca ACME</td><td><a href=\"https://acme.iamworkin.lan:9443\" target=\"_blank\">https://acme.iamworkin.lan:9443</a></td><td>9443</td><td>Password: <code class=\"pw\">BlueJay-StepCA-2026</code> <button class=\"copy-btn\" onclick=\"copyText('BlueJay-StepCA-2026')\">copy</button></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>PKI Web</td><td><a href=\"http://pki.iamworkin.lan:30081\" target=\"_blank\">http://pki.iamworkin.lan:30081</a></td><td>30081</td><td><em>Public (CRL/certs)</em></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Gitea</td><td><a href=\"https://gitea.iamworkin.lan\" target=\"_blank\">https://gitea.iamworkin.lan</a></td><td>3000</td><td><code>bluejay</code> / <code class=\"pw\">maple-wren-slate-anvil</code> <button class=\"copy-btn\" onclick=\"copyText('maple-wren-slate-anvil')\">copy</button></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>UnrealIRCd</td><td>irc.iamworkin.lan:6697 (TLS)</td><td>6697</td><td>OPER: <code>bluejay</code> / NickServ: <code class=\"pw\">willow-heron-hawk-haven</code> <button class=\"copy-btn\" onclick=\"copyText('willow-heron-hawk-haven')\">copy</button></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Zabbix</td><td><a href=\"https://zabbix.iamworkin.lan\" target=\"_blank\">https://zabbix.iamworkin.lan</a></td><td>30083</td><td><code>Admin</code> / <code class=\"pw\">fossil-ruby-kestrel-canyon</code> <button class=\"copy-btn\" onclick=\"copyText('fossil-ruby-kestrel-canyon')\">copy</button></td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n</table>\n<h3>RKE2 Services</h3>\n<table>\n<thead><tr><th>Service</th><th>URL</th><th>Port</th><th>Credentials</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>ArgoCD</td><td><a href=\"https://argocd.iamworkin.lan\" target=\"_blank\">https://argocd.iamworkin.lan</a></td><td>443 (via Traefik)</td><td><code>admin</code> / <code class=\"pw\">6KJcJtH3SCAPrWVQ</code> <button class=\"copy-btn\" onclick=\"copyText('6KJcJtH3SCAPrWVQ')\">copy</button> &mdash; <code>bluejay</code> / <code class=\"pw\">6KJcJtH3SCAPrWVQ</code> <button class=\"copy-btn\" onclick=\"copyText('6KJcJtH3SCAPrWVQ')\">copy</button></td><td><span class=\"b b-online\">Online</span></td></tr>\n<tr><td>Traefik</td><td><a href=\"https://traefik.iamworkin.lan\" target=\"_blank\">https://traefik.iamworkin.lan</a></td><td>80/443 (MetalLB 10.0.56.200)</td><td><code>admin</code> / <code class=\"pw\">zenith-turret-falcon-umber</code> (BasicAuth)</td><td><span class=\"b b-online\">Online</span></td></tr>\n</tbody>\n<h3>Prometheus Alerting (8 rules)</h3>\n<p style=\"color:var(--text-muted);font-size:0.87rem;\">NodeDown, PfSenseDown, HighCPU, HighMemory, DiskSpaceLow, and 3 additional rules. 2 Grafana dashboards: Node Exporter Full + BlueJay Network Overview.</p>\n<h3>Guacamole Connection Groups (16 connections)</h3>\n<table>\n<thead><tr><th>Group</th><th>Connections</th><th>Protocol</th></tr></thead>\n<tbody>\n<tr><td><strong>Kubernetes</strong> (6)</td><td>rke2-server, rke2-agent1, rke2-agent2,\
+    \ noc1</td><td>SSH</td></tr>\n<tr><td><strong>Network Devices</strong> (4)</td><td>pfSense, UniFi Cloud Key, UniFi Switch, Synology WiFi</td><td>SSH</td></tr>\n<tr><td><strong>Servers</strong> (5)</td><td>noc1, Mac Mini (SSH+VNC), Edge1 Pi5, Synology NAS, Edge2 Pi4</td><td>SSH/VNC</td></tr>\n<tr><td><strong>Web Consoles</strong> (1)</td><td>Traefik Dashboard</td><td>HTTPS</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: VPN & SECURITY ===== -->\n<div id=\"tab-vpn\" class=\"tab-content\">\n<h2>VPN &amp; Security</h2>\n<div class=\"note note-warn\"><strong>OpenVPN Status:</strong> 8 servers were configured and verified but have been <strong>cleaned out</strong> pending ISP /28 fix. CA and certificates remain in pfSense config. Will re-create bound to new tenant VIPs (.17-.20) after Frontier restores /28 routing.</div>\n<h3>OpenVPN Configuration</h3>\n<table>\n<thead><tr><th>Tenant</th><th>VIP</th><th>TUN Port</th><th>TAP Port</th><th>Tunnel (TUN)</th><th>Tunnel (TAP)</th><th>VLAN</th></tr></thead>\n<tbody>\n<tr><td><span class=\"b b-tenant\">ANDREW</span></td><td><span class=\"ip\">.17</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.0/27</span></td><td><span class=\"ip\">10.0.68.128/27</span></td><td>60</td></tr>\n<tr><td><span class=\"b b-tenant\">MATT</span></td><td><span class=\"ip\">.18</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.32/27</span></td><td><span class=\"ip\">10.0.68.160/27</span></td><td>61</td></tr>\n<tr><td><span class=\"b b-tenant\">DUSTIN</span></td><td><span class=\"ip\">.19</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.64/27</span></td><td><span class=\"ip\">10.0.68.192/27</span></td><td>62</td></tr>\n<tr><td><span class=\"b b-tenant\">ERIK</span></td><td><span class=\"ip\">.20</span></td><td>1194/UDP</td><td>1195/UDP</td><td><span class=\"ip\">10.0.68.96/27</span></td><td><span class=\"ip\">10.0.68.224/27</span></td><td>63</td></tr>\n</tbody>\n</table>\n<h3>VPN Certificate Infrastructure</h3>\n<table>\n<thead><tr><th>Component</th><th>Details</th></tr></thead>\n<tbody>\n<tr><td>CA</td><td>BlueJay VPN CA (4096-bit RSA, SHA-256, 10-year)</td></tr>\n<tr><td>Server Certs</td><td>8 (one per VPN instance, 2048-bit RSA)</td></tr>\n<tr><td>Client Certs</td><td>4 (one per tenant, 2048-bit RSA)</td></tr>\n<tr><td>TLS Auth</td><td>Shared HMAC key across all servers</td></tr>\n<tr><td>Data Ciphers</td><td>AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305</td></tr>\n</tbody>\n</table>\n<h3>IPsec Site-to-Site (Planned)</h3>\n<table>\n<thead><tr><th>Tunnel</th><th>Local</th><th>Remote</th><th>Phase 1</th><th>Phase 2 SAs</th></tr></thead>\n<tbody>\n<tr><td>Matt</td><td>.29 (pfSense WAN)</td><td>Matt's public IP</td><td>IKEv2, AES-256-GCM, DH 14+</td><td>MATT (10.0.61.0/24) + PROD (10.0.57.0/24)</td></tr>\n<tr><td>Dustin</td><td>.29 (pfSense WAN)</td><td>Dustin's public IP</td><td>IKEv2, AES-256-GCM, DH 14+</td><td>DUSTIN (10.0.62.0/24) + PROD (10.0.57.0/24)</td></tr>\n</tbody>\n</table>\n<h3>PKI Hierarchy</h3>\n<table>\n<thead><tr><th>CA</th><th>Status</th><th>Purpose</th></tr></thead>\n<tbody>\n<tr><td>Root CA (IAmWorkin ACME CA)</td><td><span class=\"b b-online\">Operational</span></td><td>Trust anchor, ECDSA P-256, expires 2036</td></tr>\n<tr><td>ACME CA (step-ca on noc1)</td><td><span class=\"b b-online\">Operational</span></td><td>Automated cert issuance via ACME protocol</td></tr>\n<tr><td>Network CA</td><td><span class=\"b b-planned\">Planned</span></td><td>Switch, AP, pfSense device certs</td></tr>\n<tr><td>Windows AD CS CA</td><td><span class=\"b b-planned\">Planned</span></td><td>Domain-joined machine/user certs</td></tr>\n<tr><td>Internal Services CA</td><td><span class=\"b b-planned\">Planned</span></td><td>K8s service mesh, inter-service mTLS</td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: EDGE NODES ===== -->\n<div id=\"tab-edge\" class=\"tab-content\">\n<h2>Edge Nodes</h2>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>edge1 &mdash; Raspberry Pi 5 + Hailo AI</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">10.0.57.15</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.15')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>stoltz@10.0.57.15</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@10.0.57.15')\">copy</button></li>\n      <li><strong>Password:</strong> <code class=\"pw\">lemon-torch-ruby-raven</code> <button class=\"copy-btn\" onclick=\"copyText('lemon-torch-ruby-raven')\">copy</button></li>\n      <li><strong>Hardware:</strong> Pi 5 16GB + Hailo-10H 40 TOPS</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>PCIe:</strong> Gen 3 x1 (8.0 GT/s)</li>\n      <li><strong>Power:</strong> 27W USB-C</li>\n      <li><strong>.NET SDK:</strong> 10.0.103</li>\n      <li><strong>GitHub Runner:</strong> v2.332.0 (labels: pi5, hailo)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Switch Port:</strong> 13</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>edge2 &mdash; Raspberry Pi 4 (Argon ONE)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">10.0.57.16</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.16')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>stoltz@10.0.57.16</code> <button class=\"copy-btn\" onclick=\"copyText('ssh stoltz@10.0.57.16')\">copy</button></li>\n      <li><strong>Password:</strong> <code class=\"pw\">nebula-cipher-indigo-tango</code></li>\n      <li><strong>Hardware:</strong> Pi 4 Model B 4GB, Argon ONE case</li>\n      <li><strong>OS:</strong> Debian 13 (trixie) aarch64</li>\n      <li><strong>Fan Control:</strong> argononed.service</li>\n      <li><strong>.NET SDK:</strong> 10.0.103</li>\n      <li><strong>GitHub Runner:</strong> v2.332.0 (labels: pi4, ci-runner)</li>\n      <li><strong>Node Exporter:</strong> :9100</li>\n      <li><strong>Switch Port:</strong> 11</li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Mac Mini (Build/Test Node)</div>\n    <ul>\n      <li><strong>IP:</strong> <span class=\"ip\">10.0.57.50</span> <button class=\"copy-btn\" onclick=\"copyText('10.0.57.50')\">copy</button> (PROD VLAN 57)</li>\n      <li><strong>SSH:</strong> <code>bluejay@10.0.57.50</code> <button class=\"copy-btn\" onclick=\"copyText('ssh bluejay@10.0.57.50')\">copy</button></li>\n      <li><strong>Password:</strong> <code class=\"pw\">indigene-new-neptune-nuthatch</code> <button class=\"copy-btn\" onclick=\"copyText('indigene-new-neptune-nuthatch')\">copy</button></li>\n      <li><strong>VNC Password:</strong> <code class=\"pw\">tacokisses</code> <button class=\"copy-btn\" onclick=\"copyText('tacokisses')\">copy</button></li>\n      <li><strong>Role:</strong> Xcode builds, automated browser/app testing</li>\n    </ul>\n  </div>\n</div>\n</div>\n\n<!-- ===== TAB: WIFI ===== -->\n<div id=\"tab-wifi\" class=\"tab-content\">\n<h2>WiFi Networks</h2>\n<div class=\"note\"><strong>Credentials:</strong> All WiFi passwords are stored in the <strong>IAmWorkin</strong> vault on 1Password. To connect a device, open the 1Password app, find the WiFi entry, and scan the QR code from there. Passwords are not stored in this page for security.</div>\n<div class=\"note note-warn\"><strong>QR Code Connection:</strong> Open 1Password &rarr; search for the SSID name &rarr; tap &ldquo;Show QR Code&rdquo; &rarr; scan with your device camera. The QR code encodes the full <code>WIFI:T:WPA;S:{SSID};P:{PASSWORD};;;</code> connection string.</div>\n\n<div class=\"wifi-grid\" id=\"wifiGrid\">\n  <!-- BlueJay-Home -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Home\" data-vlan=\"58\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--purple);\">\n      <div class=\"wifi-ssid\">BlueJay-Home</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-home\">HOME (VLAN 58)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Home</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">58 (untagged on AP)</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><span class=\"b b-planned\">See 1Password</span></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Home network &mdash; personal / family use</span>\n      </div>\n      <div class=\"\
+    wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">800 / 800 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.29</span></span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Employee -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Employee\" data-vlan=\"59\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--cyan);\">\n      <div class=\"wifi-ssid\">BlueJay-Employee</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">EMPLOYEE (VLAN 59)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Employee</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">59</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><span class=\"b b-planned\">See 1Password</span></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Employee network &mdash; staff device access</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">500 / 500 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Work -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Work\" data-vlan=\"64\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--accent);\">\n      <div class=\"wifi-ssid\">BlueJay-Work</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">WORK (VLAN 64)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Work</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">64</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><span class=\"b b-planned\">See 1Password</span></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">Work network &mdash; business devices</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">500 / 500 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-School -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-School\" data-vlan=\"65\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--green);\">\n      <div class=\"wifi-ssid\">BlueJay-School</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-wifi\">SCHOOL (VLAN 65)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Scan from 1Password app</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-School</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">65</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">WPA2/WPA3</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><span class=\"b b-planned\">See 1Password</span></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\">School network &mdash; student devices</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">200 / 200 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n\n  <!-- BlueJay-Guest -->\n  <div class=\"wifi-card\" data-ssid=\"BlueJay-Guest\" data-vlan=\"66\">\n    <div class=\"wifi-card-header\" style=\"border-color: var(--gold);\">\n      <div class=\"wifi-ssid\">BlueJay-Guest</div>\n      <div class=\"wifi-vlan\"><span class=\"b b-spare\">GUEST (VLAN 66)</span></div>\n    </div>\n    <div class=\"wifi-qr wifi-qr-placeholder wifi-qr-open\">\n      <div class=\"qr-placeholder-box\">\n        <svg viewBox=\"0 0 24 24\" width=\"36\" height=\"36\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\">\n          <rect x=\"3\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"14\" y=\"3\" width=\"7\" height=\"7\" rx=\"1\"/><rect x=\"3\" y=\"14\" width=\"7\" height=\"7\" rx=\"1\"/>\n          <rect x=\"14\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"14\" width=\"3\" height=\"3\"/><rect x=\"14\" y=\"18\" width=\"3\" height=\"3\"/><rect x=\"18\" y=\"18\" width=\"3\" height=\"3\"/>\n          <rect x=\"5\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"16\" y=\"5\" width=\"3\" height=\"3\"/><rect x=\"5\" y=\"16\" width=\"3\" height=\"3\"/>\n        </svg>\n        <span class=\"qr-placeholder-text\">Open network &mdash; no password required</span>\n      </div>\n    </div>\n    <div class=\"wifi-details\">\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">SSID</span>\n        <span class=\"wifi-value\"><code>BlueJay-Guest</code></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">VLAN</span>\n        <span class=\"wifi-value\">66</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Security</span>\n        <span class=\"wifi-value\">Open / Captive Portal</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Password</span>\n        <span class=\"wifi-value\"><span class=\"b b-online\">None (open)</span></span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Purpose</span>\n        <span class=\"wifi-value\"\
+    >Guest WiFi &mdash; fully isolated, NAT only</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Bandwidth</span>\n        <span class=\"wifi-value\">100 / 50 Mbps</span>\n      </div>\n      <div class=\"wifi-field\">\n        <span class=\"wifi-label\">Public IP</span>\n        <span class=\"wifi-value\"><span class=\"ip\">74.40.140.28</span> (shared)</span>\n      </div>\n    </div>\n  </div>\n</div>\n\n<h3>WiFi Access Point</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Synology RT6600AX (AP Mode)</div>\n    <ul>\n      <li><strong>Management:</strong> <a href=\"http://10.0.58.2:8000\" target=\"_blank\">http://10.0.58.2:8000</a></li>\n      <li><strong>Credentials:</strong> <code>bluejay</code> / <code class=\"pw\">galileo_parisian8ADMIRE</code> <button class=\"copy-btn\" onclick=\"copyText('galileo_parisian8ADMIRE')\">copy</button></li>\n      <li><strong>Mode:</strong> Access Point (bridge mode), all trunk ports enabled</li>\n      <li><strong>Bands:</strong> Wi-Fi 6E (2.4 GHz + 5 GHz + 6 GHz)</li>\n      <li><strong>Switch Port:</strong> 3 (trunk, native VLAN 58)</li>\n    </ul>\n  </div>\n</div>\n\n<div class=\"note\"><strong>Network Isolation:</strong> Each SSID maps to a separate VLAN with independent firewall rules and bandwidth limits. GUEST is fully isolated with NAT &mdash; no access to internal resources. EMPLOYEE, WORK, and SCHOOL share public IP .28 with traffic shaping.</div>\n</div>\n\n<!-- ===== TAB: CREDENTIALS ===== -->\n<div id=\"tab-credentials\" class=\"tab-content\">\n<h2>Credentials &amp; 1Password</h2>\n<div class=\"card-grid\">\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password Connect Server</div>\n    <ul>\n      <li><strong>API:</strong> <span class=\"ip\">http://10.0.56.10:8180</span> <button class=\"copy-btn\" onclick=\"copyText('http://10.0.56.10:8180')\">copy</button></li>\n      <li><strong>Sync:</strong> <span class=\"ip\">http://10.0.56.10:8181</span></li>\n      <li><strong>Host:</strong> noc1 (Podman containers)</li>\n      <li><strong>Status:</strong> <span class=\"b b-online\">Online</span></li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>1Password K8s Operator</div>\n    <ul>\n      <li><strong>Namespace:</strong> <code>onepassword-system</code></li>\n      <li><strong>Chart:</strong> 1password/connect v2.3.0</li>\n      <li><strong>Operator:</strong> v1.11.0</li>\n      <li><strong>Poll Interval:</strong> 600s</li>\n      <li><strong>Status:</strong> <span class=\"b b-online\">Online</span></li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-top: 3px solid var(--gold);\">\n    <div class=\"card-title\">IAmWorkin Vault</div>\n    <ul>\n      <li><strong>Vault Name:</strong> IAmWorkin</li>\n      <li><strong>Items:</strong> 26+ credentials</li>\n      <li><strong>Rotation:</strong> Quarterly (Jan/Apr/Jul/Oct)</li>\n      <li><strong>Script:</strong> <code>/opt/scripts/rotate-credentials.sh</code></li>\n      <li><strong>Timer:</strong> <code>credential-rotation.timer</code></li>\n    </ul>\n  </div>\n</div>\n\n<div class=\"note\"><strong>All infrastructure credentials are managed in 1Password.</strong> The IAmWorkin vault contains credentials for every service listed on this intranet. K8s workloads (Zabbix, Matrix, Guacamole, Mail, IRC, Gitea, ArgoCD) sync secrets automatically via OnePasswordItem CRDs. Credential rotation runs quarterly via systemd timer.</div>\n\n<h3>K8s Secret Sync (OnePasswordItem CRDs)</h3>\n<table>\n<thead><tr><th>Namespace</th><th>Secret Name</th><th>Source (1Password Item)</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>zabbix</td><td>zabbix-credentials</td><td>Zabbix Monitoring</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>matrix</td><td>matrix-credentials</td><td>Matrix Synapse</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>guacamole</td><td>guacamole-credentials</td><td>Apache Guacamole</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>mail</td><td>mail-credentials</td><td>Mail Server</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>irc</td><td>irc-credentials</td><td>IRC Services</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>gitea</td><td>gitea-credentials</td><td>Gitea</td><td><span class=\"b b-online\">Synced</span></td></tr>\n<tr><td>argocd</td><td>argocd-credentials</td><td>ArgoCD</td><td><span class=\"b b-online\">Synced</span></td></tr>\n</tbody>\n</table>\n\n<h3>Credential Rotation</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">Rotation Script</div>\n    <ul>\n      <li><strong>Path:</strong> <code>/opt/scripts/rotate-credentials.sh</code></li>\n      <li><strong>Usage:</strong> <code>rotate-credentials.sh {service|all} [--dry-run]</code></li>\n      <li><strong>Services:</strong> grafana, guacamole, zabbix, argocd, gitea, snappymail, traefik, matrix, harvester</li>\n      <li><strong>Schedule:</strong> Quarterly (1st of Jan/Apr/Jul/Oct at 03:00 UTC)</li>\n      <li><strong>Log:</strong> <code>/var/log/credential-rotation.log</code></li>\n    </ul>\n  </div>\n</div>\n</div>\n\n<!-- ===== TAB: PLANNED ===== -->\n<div id=\"tab-planned\" class=\"tab-content\">\n<h2>Planned Services</h2>\n<table>\n<thead><tr><th>Service</th><th>IP</th><th>Host</th><th>Role</th><th>Status</th></tr></thead>\n<tbody>\n<tr><td>Windows DC1</td><td><span class=\"ip\">10.0.56.20</span></td><td>Harvester VM</td><td>AD Domain Controller (iamworkin.lan)</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows WAC1</td><td><span class=\"ip\">10.0.56.21</span></td><td>Harvester VM</td><td>Windows Admin Center</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows RDS1</td><td><span class=\"ip\">10.0.57.20</span></td><td>Harvester VM</td><td>Remote Desktop Services</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Windows IIS1</td><td><span class=\"ip\">10.0.57.21</span></td><td>Harvester VM</td><td>IIS Web Server</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Gitea</td><td><span class=\"ip\">10.0.56.10</span></td><td>K3s (noc1)</td><td>Git hosting (gitea.iamworkin.lan)</td><td><span class=\"b b-live\">Live</span></td></tr>\n<tr><td>UnrealIRCd</td><td><span class=\"ip\">10.0.56.10</span></td><td>K3s (noc1)</td><td>IRC server (irc.iamworkin.lan:6697)</td><td><span class=\"b b-live\">Live</span></td></tr>\n<tr><td>Zabbix</td><td><span class=\"ip\">10.0.56.10</span></td><td>K3s (noc1)</td><td>Network monitoring (zabbix.iamworkin.lan, 10 hosts)</td><td><span class=\"b b-live\">Live</span></td></tr>\n<tr><td>1Password Connect</td><td><span class=\"ip\">10.0.56.10</span></td><td>noc1</td><td>Secrets management API</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>Squid Proxy</td><td><span class=\"ip\">10.0.56.22</span></td><td>Harvester VM</td><td>Authenticated web proxy (Kerberos/LDAP)</td><td><span class=\"b b-planned\">Planned</span></td></tr>\n<tr><td>ArgoCD</td><td><span class=\"ip\">10.0.56.200</span></td><td>RKE2 (via Traefik)</td><td>GitOps for K8s workloads (argocd.iamworkin.lan)</td><td><span class=\"b b-live\">Live</span></td></tr>\n</tbody>\n</table>\n</div>\n\n<!-- ===== TAB: TOPOLOGY ===== -->\n<div id=\"tab-topology\" class=\"tab-content\">\n<h2>Network Topology</h2>\n<div style=\"display:flex;flex-direction:column;align-items:center;gap:8px;padding:1.5rem;\">\n\n<div class=\"card\" style=\"text-align:center;max-width:280px;border-color:var(--text-muted);\"><div class=\"card-title\" style=\"justify-content:center;\">Internet</div></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:320px;\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>Frontier ONT + NVG468MQ Modem</div><p><span class=\"ip\">WAN: 74.32.187.152</span> &bull; <span class=\"ip\">/28: .17-.29</span></p><p style=\"font-size:0.78rem;\">192.168.254.254 &bull; DMZ to pfSense</p></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:360px;border-color:var(--accent);\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>pfSense Netgate 4100</div><p><span class=\"ip\">WAN: ix3 (.122)</span> &bull; <span class=\"ip\">LAN: igc0</span> (802.1Q trunk)</p><p style=\"font-size:0.78rem;\">12 VLANs &bull; 36 aliases &bull; 90 rules &bull; DNS/DHCP/NTP/SNMP</p></div>\n<div style=\"width:2px;height:16px;background:var(--border-accent);\"></div>\n<div class=\"card\" style=\"text-align:center;max-width:340px;\"><div class=\"card-title\" style=\"justify-content:center;\"><span class=\"dot dot-green\"></span>UniFi USW-Lite-16-PoE Switch</div><p><span class=\"ip\">10.0.56.2</span> &bull; 16 ports &bull; VLANs 56-67</p></div>\n<div style=\"width:2px;height:8px;background:var(--border-accent);\"></div>\n\n<div style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(200px,1fr));gap:10px;width:100%;max-width:1200px;\">\n  <div class=\"card\" style=\"border-left:3px solid var(--accent);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>noc1</div>\n    <p><span class=\"ip\">10.0.56.10</span> <span class=\"b b-mgmt\">MGMT</span></p>\n    <p style=\"font-size:0.78rem;\">Celeron N5105 &bull; 32GB &bull; K3s + Podman</p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Guacamole :30080</li><li>Grafana :3000</li><li>Prometheus :9091</li>\n      <li>step-ca :9443</li><li>Gitea :3000</li><li>IRC :6697</li>\n      <li>Zabbix :30083</li><li>Cockpit\
+    \ :9090</li><li>Puppet :8140</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--green);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Harvester Cluster</div>\n    <p><span class=\"ip\">VIP: 10.0.56.14</span> <span class=\"b b-mgmt\">MGMT</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>harvester1: <span class=\"ip\">.11</span> (i7-1260P/64GB)</li>\n      <li>harvester2: <span class=\"ip\">.12</span> (i7-1260P/64GB)</li>\n      <li>harvester3: <span class=\"ip\">.13</span> (i5-1340P/64GB)</li>\n    </ul>\n    <p style=\"font-size:0.78rem;\">Harvester v1.7.1 &bull; Longhorn &bull; Rancher embedded</p>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--purple);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>RKE2 Workload Cluster</div>\n    <p><span class=\"ip\">Traefik: 10.0.56.200</span> <span class=\"b b-mgmt\">MGMT</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>rke2-node1: <span class=\"ip\">.118</span> (on harvester2)</li>\n      <li>rke2-node2: <span class=\"ip\">.119</span> (on harvester1)</li>\n      <li>rke2-node3: <span class=\"ip\">.120</span> (on harvester3)</li>\n    </ul>\n    <p style=\"font-size:0.78rem;\">Calico &bull; MetalLB &bull; Traefik v3.6.10 &bull; ArgoCD</p>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--cyan);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>WiFi (Synology RT6600AX)</div>\n    <p><span class=\"ip\">10.0.58.2</span> <span class=\"b b-home\">HOME</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>BlueJay-Home (untagged)</li><li>BlueJay-Employee (VLAN 59)</li>\n      <li>BlueJay-Work (VLAN 64)</li><li>BlueJay-School (VLAN 65)</li>\n      <li>BlueJay-Guest (VLAN 66)</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--orange);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>PROD Nodes</div>\n    <p><span class=\"b b-prod\">PROD VLAN 57</span></p>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Mac Mini: <span class=\"ip\">10.0.57.50</span> (Xcode)</li>\n      <li>edge1 Pi5: <span class=\"ip\">10.0.57.15</span> (Hailo AI)</li>\n      <li>edge2 Pi4: <span class=\"ip\">10.0.57.16</span> (CI runner)</li>\n    </ul>\n  </div>\n  <div class=\"card\" style=\"border-left:3px solid var(--gold);\">\n    <div class=\"card-title\"><span class=\"dot dot-green\"></span>Network Devices</div>\n    <ul style=\"font-size:0.78rem;\">\n      <li>Cloud Key: <span class=\"ip\">10.0.56.3</span></li>\n      <li>NAS: <span class=\"ip\">10.0.58.3</span></li>\n      <li>Modem: <span class=\"ip\">192.168.254.254</span></li>\n    </ul>\n  </div>\n</div>\n</div>\n</div>\n\n<!-- ===== TAB: DOMAINS ===== -->\n<div id=\"tab-domains\" class=\"tab-content\">\n<h2>Domains</h2>\n<div class=\"summary-grid\">\n  <div class=\"summary-card\"><div class=\"summary-number\">17</div><div class=\"summary-label\">Registered Domains</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">1</div><div class=\"summary-label\">Internal Domain</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">1</div><div class=\"summary-label\">Blog Hosting (DreamHost)</div></div>\n  <div class=\"summary-card\"><div class=\"summary-number\">18</div><div class=\"summary-label\">Total Domains</div></div>\n</div>\n\n<h3>FlowerCore Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>flowercore.io</strong></td><td><span class=\"b b-prod\">FlowerCore</span></td><td>Andrew</td><td>Production API</td><td>Cloudflare</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.xyz</strong></td><td><span class=\"b b-prod\">FlowerCore</span></td><td>Andrew</td><td>Dev/staging</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.com</strong></td><td><span class=\"b b-prod\">FlowerCore Co</span></td><td>Andrew</td><td>Company site</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>flowerinsider.nl</strong></td><td><span class=\"b b-prod\">FlowerCore Co</span></td><td>Andrew</td><td>Dutch site</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Work Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>iamwork.in</strong></td><td><span class=\"b b-wifi\">Work</span></td><td>Andrew</td><td>Employee portal, IVR</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>iamworkin.com</strong></td><td><span class=\"b b-wifi\">Work</span></td><td>Andrew</td><td>Redirect</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Personal &amp; Tenant Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>ackeroni.com</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Personal</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>erckak.com</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Personal</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>erckak.dev</strong></td><td><span class=\"b b-tenant\">Erik</span></td><td>Erik</td><td>Developer portfolio</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>digirido.com</strong></td><td><span class=\"b b-spare\">Random</span></td><td>Andrew</td><td>DigiKey testing</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>timeforta.co</strong></td><td><span class=\"b b-tenant\">Dustin</span></td><td>Dustin</td><td>Personal</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>shenanjia.com</strong></td><td><span class=\"b b-home\">Wife</span></td><td>Wife</td><td>Personal site</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>bluejay.api</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>API experiments</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>bluejay.dev</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>Dev projects</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>jayblue.dev</strong></td><td><span class=\"b b-mgmt\">Personal Fun</span></td><td>Andrew</td><td>Dev projects</td><td>Namecheap</td><td>Namecheap</td></tr>\n<tr><td><strong>z.orb</strong></td><td><span class=\"b b-spare\">Random</span></td><td>Andrew</td><td>Short URL</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Blog &amp; Content Domains</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Registrar</th></tr></thead>\n<tbody>\n<tr><td><strong>pebbleandpeanut.com</strong></td><td><span class=\"b b-home\">Blog</span></td><td>Andrew</td><td>Personal blog</td><td>DreamHost</td><td>Namecheap</td></tr>\n<tr><td><strong>pebblesandpeanuts.com</strong></td><td><span class=\"b b-home\">Blog</span></td><td>Andrew</td><td>Alt redirect</td><td>Namecheap</td><td>Namecheap</td></tr>\n</tbody>\n</table>\n\n<h3>Internal Domain</h3>\n<table>\n<thead><tr><th>Domain</th><th>Category</th><th>Owner</th><th>Purpose</th><th>DNS Provider</th><th>Notes</th></tr></thead>\n<tbody>\n<tr><td><strong>iamworkin.lan</strong></td><td><span class=\"b b-mgmt\">Internal</span></td><td>Andrew</td><td>Internal infrastructure, future AD DS</td><td>pfSense Unbound</td><td>43+ host overrides, not publicly registered</td></tr>\n</tbody>\n</table>\n\n<h3>Namecheap API</h3>\n<div class=\"card-grid\">\n  <div class=\"card\">\n    <div class=\"card-title\">API Configuration</div>\n    <ul>\n      <li><strong>Base URL:</strong> <code>https://api.namecheap.com/xml.response</code> <button class=\"copy-btn\" onclick=\"copyText('https://api.namecheap.com/xml.response')\">copy</button></li>\n      <li><strong>API User:</strong> <code>astoltz</code> <button class=\"copy-btn\" onclick=\"copyText('astoltz')\">copy</button></li>\n      <li><strong>API Key:</strong> <code class=\"pw\">e36f347844fb4cc3a82d4e0f4e4af82e</code> <button class=\"copy-btn\" onclick=\"copyText('e36f347844fb4cc3a82d4e0f4e4af82e')\">copy</button></li>\n      <li><strong>Sandbox URL:</strong> <code>https://api.sandbox.namecheap.com/xml.response</code> <button class=\"copy-btn\" onclick=\"copyText('https://api.sandbox.namecheap.com/xml.response')\">copy</button></li>\n    </ul>\n  </div>\n  <div class=\"card\">\n    <div class=\"card-title\">Dynamic DNS</div>\n    <ul>\n      <li><strong>Hostname:</strong> <code>gateway.iamwork.in</code> <button class=\"copy-btn\" onclick=\"copyText('gateway.iamwork.in')\">copy</button></li>\n      <li><strong>Points to:</strong> pfSense WAN IP (auto-updated)</li>\n      <li><strong>DDNS Endpoint:</strong> <code>https://dynamicdns.park-your-domain.com/update?host=gateway&domain=iamwork.in&password=d8ad7194c9224c26bc50cfa5feb8764e</code> <button class=\"copy-btn\" onclick=\"copyText('https://dynamicdns.park-your-domain.com/update?host=gateway&domain=iamwork.in&password=d8ad7194c9224c26bc50cfa5feb8764e')\">copy</button></li>\n      <li><strong>Update Method:</strong> pfSense Dynamic DNS client or cron</li>\n    </ul>\n  </div>\n</div>\n\n<h3>Internal DNS Architecture</h3>\n<div class=\"note\"><strong>Split-Horizon DNS (planned):</strong> External requests to flowercore.io resolve via Cloudflare to public IP .21. Internal requests resolve via pfSense Unbound to K8s MetalLB VIP (10.0.56.200), avoiding NAT hairpin. All internal infrastructure uses iamworkin.lan zone.</div>\n\n<h3>Planned IPv6 (ULA)</h3>\n<table>\n<thead><tr><th>Prefix</th><th>Scheme</th><th>Method</th></tr></thead>\n<tbody>\n<tr><td><code>fdbc:56:XX::/64</code></td><td>XX = VLAN ID (e.g., fdbc:56:56::/64 for MGMT)</td><td>SLAAC + DHCPv6 (servers),\
+    \ SLAAC-only (clients)</td></tr>\n</tbody>\n</table>\n</div>\n\n<script>\n/* ===== QR Code Generator (inline, air-gap safe) ===== */\n/* Minimal QR code encoder — generates canvas-based QR codes. Based on public domain QR algorithms. */\nvar QRCode=(function(){\nvar PAD0=0xEC,PAD1=0x11;\nfunction QRCode(typeNumber,errorCorrectionLevel){this.typeNumber=typeNumber;this.errorCorrectionLevel=errorCorrectionLevel;this.modules=null;this.moduleCount=0;this.dataCache=null;this.dataList=[];}\nQRCode.prototype={addData:function(data){this.dataList.push(new QR8bitByte(data));this.dataCache=null;},make:function(){if(this.typeNumber<1){var tn=1;for(tn=1;tn<40;tn++){var rs=QRRSBlock.getRSBlocks(tn,this.errorCorrectionLevel);var buf=new QRBitBuffer();for(var i=0;i<this.dataList.length;i++){var d=this.dataList[i];buf.put(d.mode,4);buf.put(d.getLength(),QRUtil.getLengthInBits(d.mode,tn));d.write(buf);}var totalDataCount=0;for(i=0;i<rs.length;i++){totalDataCount+=rs[i].dataCount;}if(buf.getLengthInBits()<=totalDataCount*8)break;}this.typeNumber=tn;}this.makeImpl(false,this.getBestMaskPattern());},makeImpl:function(test,maskPattern){this.moduleCount=this.typeNumber*4+17;this.modules=new Array(this.moduleCount);for(var row=0;row<this.moduleCount;row++){this.modules[row]=new Array(this.moduleCount);for(var col=0;col<this.moduleCount;col++){this.modules[row][col]=null;}}this.setupPositionProbePattern(0,0);this.setupPositionProbePattern(this.moduleCount-7,0);this.setupPositionProbePattern(0,this.moduleCount-7);this.setupPositionAdjustPattern();this.setupTimingPattern();this.setupTypeInfo(test,maskPattern);if(this.typeNumber>=7){this.setupTypeNumber(test);}if(this.dataCache==null){this.dataCache=QRCode.createData(this.typeNumber,this.errorCorrectionLevel,this.dataList);}this.mapData(this.dataCache,maskPattern);},setupPositionProbePattern:function(row,col){for(var r=-1;r<=7;r++){if(row+r<=-1||this.moduleCount<=row+r)continue;for(var c=-1;c<=7;c++){if(col+c<=-1||this.moduleCount<=col+c)continue;if((0<=r&&r<=6&&(c==0||c==6))||(0<=c&&c<=6&&(r==0||r==6))||(2<=r&&r<=4&&2<=c&&c<=4)){this.modules[row+r][col+c]=true;}else{this.modules[row+r][col+c]=false;}}}},getBestMaskPattern:function(){var minLostPoint=0;var pattern=0;for(var i=0;i<8;i++){this.makeImpl(true,i);var lostPoint=QRUtil.getLostPoint(this);if(i==0||minLostPoint>lostPoint){minLostPoint=lostPoint;pattern=i;}}return pattern;},setupTimingPattern:function(){for(var r=8;r<this.moduleCount-8;r++){if(this.modules[r][6]!=null)continue;this.modules[r][6]=(r%2==0);}for(var c=8;c<this.moduleCount-8;c++){if(this.modules[6][c]!=null)continue;this.modules[6][c]=(c%2==0);}},setupPositionAdjustPattern:function(){var pos=QRUtil.getPatternPosition(this.typeNumber);for(var i=0;i<pos.length;i++){for(var j=0;j<pos.length;j++){var row=pos[i];var col=pos[j];if(this.modules[row][col]!=null)continue;for(var r=-2;r<=2;r++){for(var c=-2;c<=2;c++){if(r==-2||r==2||c==-2||c==2||(r==0&&c==0)){this.modules[row+r][col+c]=true;}else{this.modules[row+r][col+c]=false;}}}}}},setupTypeNumber:function(test){var bits=QRUtil.getBCHTypeNumber(this.typeNumber);for(var i=0;i<18;i++){var mod=(!test&&((bits>>i)&1)==1);this.modules[Math.floor(i/3)][i%3+this.moduleCount-8-3]=mod;}for(i=0;i<18;i++){mod=(!test&&((bits>>i)&1)==1);this.modules[i%3+this.moduleCount-8-3][Math.floor(i/3)]=mod;}},setupTypeInfo:function(test,maskPattern){var data=(this.errorCorrectionLevel<<3)|maskPattern;var bits=QRUtil.getBCHTypeInfo(data);for(var i=0;i<15;i++){var mod=(!test&&((bits>>i)&1)==1);if(i<6){this.modules[i][8]=mod;}else if(i<8){this.modules[i+1][8]=mod;}else{this.modules[this.moduleCount-15+i][8]=mod;}}for(i=0;i<15;i++){mod=(!test&&((bits>>i)&1)==1);if(i<8){this.modules[8][this.moduleCount-i-1]=mod;}else if(i<9){this.modules[8][15-i-1+1]=mod;}else{this.modules[8][15-i-1]=mod;}}this.modules[this.moduleCount-8][8]=(!test);},mapData:function(data,maskPattern){var inc=-1;var row=this.moduleCount-1;var bitIndex=7;var byteIndex=0;for(var col=this.moduleCount-1;col>0;col-=2){if(col==6)col--;while(true){for(var c=0;c<2;c++){if(this.modules[row][col-c]==null){var dark=false;if(byteIndex<data.length){dark=(((data[byteIndex]>>>bitIndex)&1)==1);}var mask=QRUtil.getMask(maskPattern,row,col-c);if(mask){dark=!dark;}this.modules[row][col-c]=dark;bitIndex--;if(bitIndex==-1){byteIndex++;bitIndex=7;}}}row+=inc;if(row<0||this.moduleCount<=row){row-=inc;inc=-inc;break;}}}}};\nQRCode.createData=function(typeNumber,errorCorrectionLevel,dataList){var rsBlocks=QRRSBlock.getRSBlocks(typeNumber,errorCorrectionLevel);var buffer=new QRBitBuffer();for(var i=0;i<dataList.length;i++){var data=dataList[i];buffer.put(data.mode,4);buffer.put(data.getLength(),QRUtil.getLengthInBits(data.mode,typeNumber));data.write(buffer);}var totalDataCount=0;for(i=0;i<rsBlocks.length;i++){totalDataCount+=rsBlocks[i].dataCount;}if(buffer.getLengthInBits()>totalDataCount*8){throw new Error('code length overflow. ('+buffer.getLengthInBits()+'>'+totalDataCount*8+')');}if(buffer.getLengthInBits()+4<=totalDataCount*8){buffer.put(0,4);}while(buffer.getLengthInBits()%8!=0){buffer.putBit(false);}while(true){if(buffer.getLengthInBits()>=totalDataCount*8)break;buffer.put(PAD0,8);if(buffer.getLengthInBits()>=totalDataCount*8)break;buffer.put(PAD1,8);}return QRCode.createBytes(buffer,rsBlocks);};\nQRCode.createBytes=function(buffer,rsBlocks){var offset=0;var maxDcCount=0;var maxEcCount=0;var dcdata=new Array(rsBlocks.length);var ecdata=new Array(rsBlocks.length);for(var r=0;r<rsBlocks.length;r++){var dcCount=rsBlocks[r].dataCount;var ecCount=rsBlocks[r].totalCount-dcCount;maxDcCount=Math.max(maxDcCount,dcCount);maxEcCount=Math.max(maxEcCount,ecCount);dcdata[r]=new Array(dcCount);for(var i=0;i<dcdata[r].length;i++){dcdata[r][i]=0xff&buffer.buffer[i+offset];}offset+=dcCount;var rsPoly=QRUtil.getErrorCorrectPolynomial(ecCount);var rawPoly=new QRPolynomial(dcdata[r],rsPoly.getLength()-1);var modPoly=rawPoly.mod(rsPoly);ecdata[r]=new Array(rsPoly.getLength()-1);for(i=0;i<ecdata[r].length;i++){var modIndex=i+modPoly.getLength()-ecdata[r].length;ecdata[r][i]=(modIndex>=0)?modPoly.get(modIndex):0;}}var totalCodeCount=0;for(i=0;i<rsBlocks.length;i++){totalCodeCount+=rsBlocks[i].totalCount;}var data=new Array(totalCodeCount);var index=0;for(i=0;i<maxDcCount;i++){for(r=0;r<rsBlocks.length;r++){if(i<dcdata[r].length){data[index++]=dcdata[r][i];}}}for(i=0;i<maxEcCount;i++){for(r=0;r<rsBlocks.length;r++){if(i<ecdata[r].length){data[index++]=ecdata[r][i];}}}return data;};\nfunction QR8bitByte(data){this.mode=4;this.data=data;}QR8bitByte.prototype={getLength:function(){return this.data.length;},write:function(buffer){for(var i=0;i<this.data.length;i++){buffer.put(this.data.charCodeAt(i),8);}}};\nvar QRUtil={PATTERN_POSITION_TABLE:[[],[6,18],[6,22],[6,26],[6,30],[6,34],[6,22,38],[6,24,42],[6,26,46],[6,28,50],[6,30,54],[6,32,58],[6,34,62],[6,26,46,66],[6,26,48,70],[6,26,50,74],[6,30,54,78],[6,30,56,82],[6,30,58,86],[6,34,62,90],[6,28,50,72,94],[6,26,50,74,98],[6,30,54,78,102],[6,28,54,80,106],[6,32,58,84,110],[6,30,58,86,114],[6,34,62,90,118],[6,26,50,74,98,122],[6,30,54,78,102,126],[6,26,52,78,104,130],[6,30,56,82,108,134],[6,34,60,86,112,138],[6,30,58,86,114,142],[6,34,62,90,118,146],[6,30,54,78,102,126,150],[6,24,50,76,102,128,154],[6,28,54,80,106,132,158],[6,32,58,84,110,136,162],[6,26,54,82,110,138,166],[6,30,58,86,114,142,170]],G15:(1<<10)|(1<<8)|(1<<5)|(1<<4)|(1<<2)|(1<<1)|(1<<0),G18:(1<<12)|(1<<11)|(1<<10)|(1<<9)|(1<<8)|(1<<5)|(1<<2)|(1<<0),G15_MASK:(1<<14)|(1<<12)|(1<<10)|(1<<4)|(1<<1),getBCHTypeInfo:function(data){var d=data<<10;while(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G15)>=0){d^=(QRUtil.G15<<(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G15)));}return((data<<10)|d)^QRUtil.G15_MASK;},getBCHTypeNumber:function(data){var d=data<<12;while(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G18)>=0){d^=(QRUtil.G18<<(QRUtil.getBCHDigit(d)-QRUtil.getBCHDigit(QRUtil.G18)));}return(data<<12)|d;},getBCHDigit:function(data){var digit=0;while(data!=0){digit++;data>>>=1;}return digit;},getPatternPosition:function(typeNumber){return QRUtil.PATTERN_POSITION_TABLE[typeNumber-1];},getMask:function(maskPattern,i,j){switch(maskPattern){case 0:return(i+j)%2==0;case 1:return i%2==0;case 2:return j%3==0;case 3:return(i+j)%3==0;case 4:return(Math.floor(i/2)+Math.floor(j/3))%2==0;case 5:return(i*j)%2+(i*j)%3==0;case 6:return((i*j)%2+(i*j)%3)%2==0;case 7:return((i*j)%3+(i+j)%2)%2==0;default:throw new Error('bad maskPattern:'+maskPattern);}},getErrorCorrectPolynomial:function(errorCorrectLength){var a=new QRPolynomial([1],0);for(var i=0;i<errorCorrectLength;i++){a=a.multiply(new QRPolynomial([1,QRMath.gexp(i)],0));}return a;},getLengthInBits:function(mode,type){if(1<=type&&type<10){return 8;}else if(type<27){return 16;}else if(type<41){return 16;}throw new Error('type:'+type);},getLostPoint:function(qrCode){var moduleCount=qrCode.moduleCount;var lostPoint=0;for(var row=0;row<moduleCount;row++){for(var col=0;col<moduleCount;col++){var sameCount=0;var dark=qrCode.modules[row][col];for(var r=-1;r<=1;r++){if(row+r<0||moduleCount<=row+r)continue;for(var c=-1;c<=1;c++){if(col+c<0||moduleCount<=col+c)continue;if(r==0&&c==0)continue;if(dark==qrCode.modules[row+r][col+c]){sameCount++;}}}if(sameCount>5){lostPoint+=(3+sameCount-5);}}}for(row=0;row<moduleCount-1;row++){for(col=0;col<moduleCount-1;col++){var count=0;if(qrCode.modules[row][col])count++;if(qrCode.modules[row+1][col])count++;if(qrCode.modules[row][col+1])count++;if(qrCode.modules[row+1][col+1])count++;if(count==0||count==4){lostPoint+=3;}}}for(row=0;row<moduleCount;row++){for(col=0;col<moduleCount-6;col++){if(qrCode.modules[row][col]&&!qrCode.modules[row][col+1]&&qrCode.modules[row][col+2]&&qrCode.modules[row][col+3]&&qrCode.modules[row][col+4]&&!qrCode.modules[row][col+5]&&qrCode.modules[row][col+6]){lostPoint+=40;}}}for(col=0;col<moduleCount;col++){for(row=0;row<moduleCount-6;row++){if(qrCode.modules[row][col]&&!qrCode.modules[row+1][col]&&qrCode.modules[row+2][col]&&qrCode.modules[row+3][col]&&qrCode.modules[row+4][col]&&!qrCode.modules[row+5][col]&&qrCode.modules[row+6][col]){lostPoint+=40;}}}var\
+    \ darkCount=0;for(col=0;col<moduleCount;col++){for(row=0;row<moduleCount;row++){if(qrCode.modules[row][col]){darkCount++;}}}var ratio=Math.abs(100*darkCount/moduleCount/moduleCount-50)/5;lostPoint+=ratio*10;return lostPoint;}};\nvar QRMath={glog:function(n){if(n<1)throw new Error('glog('+n+')');return QRMath.LOG_TABLE[n];},gexp:function(n){while(n<0){n+=255;}while(n>=256){n-=255;}return QRMath.EXP_TABLE[n];},EXP_TABLE:new Array(256),LOG_TABLE:new Array(256)};for(var i=0;i<8;i++){QRMath.EXP_TABLE[i]=1<<i;}for(i=8;i<256;i++){QRMath.EXP_TABLE[i]=QRMath.EXP_TABLE[i-4]^QRMath.EXP_TABLE[i-5]^QRMath.EXP_TABLE[i-6]^QRMath.EXP_TABLE[i-8];}for(i=0;i<255;i++){QRMath.LOG_TABLE[QRMath.EXP_TABLE[i]]=i;}\nfunction QRPolynomial(num,shift){if(num.length==undefined)throw new Error(num.length+'/'+shift);var offset=0;while(offset<num.length&&num[offset]==0){offset++;}this.num=new Array(num.length-offset+shift);for(var i=0;i<num.length-offset;i++){this.num[i]=num[i+offset];}}QRPolynomial.prototype={get:function(index){return this.num[index];},getLength:function(){return this.num.length;},multiply:function(e){var num=new Array(this.getLength()+e.getLength()-1);for(var i=0;i<this.getLength();i++){for(var j=0;j<e.getLength();j++){num[i+j]^=QRMath.gexp(QRMath.glog(this.get(i))+QRMath.glog(e.get(j)));}}return new QRPolynomial(num,0);},mod:function(e){if(this.getLength()-e.getLength()<0)return this;var ratio=QRMath.glog(this.get(0))-QRMath.glog(e.get(0));var num=new Array(this.getLength());for(var i=0;i<this.getLength();i++){num[i]=this.get(i);}for(i=0;i<e.getLength();i++){num[i]^=QRMath.gexp(QRMath.glog(e.get(i))+ratio);}return new QRPolynomial(num,0).mod(e);}};\nfunction QRRSBlock(totalCount,dataCount){this.totalCount=totalCount;this.dataCount=dataCount;}\nQRRSBlock.RS_BLOCK_TABLE=[[1,26,19],[1,26,16],[1,26,13],[1,26,9],[1,44,34],[1,44,28],[1,44,22],[1,44,16],[1,70,55],[1,70,44],[2,35,17],[2,35,13],[1,100,80],[2,50,32],[2,50,24],[4,25,9],[1,134,108],[2,67,43],[2,33,15,2,34,16],[2,33,11,2,34,12],[2,86,68],[4,43,27],[4,43,19],[4,43,15],[2,98,78],[4,49,31],[2,32,14,4,33,15],[4,39,13,1,40,14],[2,121,97],[2,60,38,2,61,39],[4,40,18,2,41,19],[4,40,14,2,41,15],[2,146,116],[3,58,36,2,59,37],[4,36,16,4,37,17],[4,36,12,4,37,13],[2,86,68,2,87,69],[4,69,43,1,70,44],[6,43,19,2,44,20],[6,43,15,2,44,16],[4,101,81],[1,80,50,4,81,51],[4,50,22,4,51,23],[3,36,12,8,37,13],[2,116,92,2,117,93],[6,58,36,2,59,37],[4,46,20,6,47,21],[7,42,14,4,43,15],[4,133,107],[8,59,37,1,60,38],[8,44,20,4,45,21],[12,33,11,4,34,12],[3,145,115,1,146,116],[4,64,40,5,65,41],[11,36,16,5,37,17],[11,36,12,5,37,13],[5,109,87,1,110,88],[5,65,41,5,66,42],[5,54,24,7,55,25],[11,36,12,7,37,13],[5,122,98,1,123,99],[7,73,45,3,74,46],[15,43,19,2,44,20],[3,45,15,13,46,16],[1,135,107,5,136,108],[10,74,46,1,75,47],[1,50,22,15,51,23],[2,42,14,17,43,15],[5,150,120,1,151,121],[9,69,43,4,70,44],[17,50,22,1,51,23],[2,42,14,19,43,15],[3,141,113,4,142,114],[3,70,44,11,71,45],[17,47,21,4,48,22],[9,39,13,16,40,14],[3,135,107,5,136,108],[3,67,41,13,68,42],[15,54,24,5,55,25],[15,43,15,10,44,16],[4,144,116,4,145,117],[17,68,42],[17,50,22,6,51,23],[19,46,16,6,47,17],[2,139,111,7,140,112],[17,74,46],[7,54,24,16,55,25],[34,37,13],[4,151,121,5,152,122],[4,75,47,14,76,48],[11,54,24,14,55,25],[16,45,15,14,46,16],[6,147,117,4,148,118],[6,73,45,14,74,46],[11,54,24,16,55,25],[30,46,16,2,47,17],[8,132,106,4,133,107],[8,75,47,13,76,48],[7,54,24,22,55,25],[22,45,15,13,46,16],[10,142,114,2,143,115],[19,74,46,4,75,47],[28,50,22,6,51,23],[33,46,16,4,47,17],[8,152,122,4,153,123],[22,73,45,3,74,46],[8,53,23,26,54,24],[12,45,15,28,46,16],[3,147,117,10,148,118],[3,73,45,23,74,46],[4,54,24,31,55,25],[11,45,15,31,46,16],[7,146,116,7,147,117],[21,73,45,7,74,46],[1,53,23,37,54,24],[19,45,15,26,46,16],[5,145,115,10,146,116],[19,75,47,10,76,48],[15,54,24,25,55,25],[23,45,15,25,46,16],[13,145,115,3,146,116],[2,74,46,29,75,47],[42,54,24,1,55,25],[23,45,15,28,46,16],[17,145,115],[10,74,46,23,75,47],[10,54,24,35,55,25],[19,45,15,35,46,16],[17,145,115,1,146,116],[14,74,46,21,75,47],[29,54,24,19,55,25],[11,45,15,46,46,16],[13,145,115,6,146,116],[14,74,46,23,75,47],[44,54,24,7,55,25],[59,46,16,1,47,17],[12,151,121,7,152,122],[12,75,47,26,76,48],[39,54,24,14,55,25],[22,45,15,41,46,16],[6,151,121,14,152,122],[6,75,47,34,76,48],[46,54,24,10,55,25],[2,45,15,64,46,16],[17,152,122,4,153,123],[29,74,46,14,75,47],[49,54,24,10,55,25],[24,45,15,46,46,16],[4,152,122,18,153,123],[13,74,46,32,75,47],[48,54,24,14,55,25],[42,45,15,32,46,16],[20,147,117,4,148,118],[40,75,47,7,76,48],[43,54,24,22,55,25],[10,45,15,67,46,16],[19,148,118,6,149,119],[18,75,47,31,76,48],[34,54,24,34,55,25],[20,45,15,61,46,16]];\nQRRSBlock.getRSBlocks=function(typeNumber,errorCorrectionLevel){var rsBlock=QRRSBlock.getRsBlockTable(typeNumber,errorCorrectionLevel);if(rsBlock==undefined){throw new Error('bad rs block @ typeNumber:'+typeNumber+'/errorCorrectionLevel:'+errorCorrectionLevel);}var length=rsBlock.length/3;var list=[];for(var i=0;i<length;i++){var count=rsBlock[i*3+0];var totalCount=rsBlock[i*3+1];var dataCount=rsBlock[i*3+2];for(var j=0;j<count;j++){list.push(new QRRSBlock(totalCount,dataCount));}}return list;};\nQRRSBlock.getRsBlockTable=function(typeNumber,errorCorrectionLevel){switch(errorCorrectionLevel){case 1:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+0];case 0:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+1];case 3:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+2];case 2:return QRRSBlock.RS_BLOCK_TABLE[(typeNumber-1)*4+3];default:return undefined;}};\nfunction QRBitBuffer(){this.buffer=[];this.length=0;}QRBitBuffer.prototype={get:function(index){var bufIndex=Math.floor(index/8);return((this.buffer[bufIndex]>>>(7-index%8))&1)==1;},put:function(num,length){for(var i=0;i<length;i++){this.putBit(((num>>>(length-i-1))&1)==1);}},getLengthInBits:function(){return this.length;},putBit:function(bit){var bufIndex=Math.floor(this.length/8);if(this.buffer.length<=bufIndex){this.buffer.push(0);}if(bit){this.buffer[bufIndex]|=(0x80>>>(this.length%8));}this.length++;}};\nreturn QRCode;})();\n\n/* ===== WiFi QR Code Rendering ===== */\n/* QR codes with passwords are generated via 1Password app, not stored in this page.\n   The inline QR library above is retained for potential future use (e.g., guest open network QR). */\nfunction initWifiQRCodes() {\n  /* Placeholder — QR codes are now served from 1Password app */\n}\n\nfunction printQRCodes() {\n  /* Switch to WiFi tab, mark it for print, print, then restore */\n  var allTabs = document.querySelectorAll('.tab-content');\n  var wifiTab = document.getElementById('tab-wifi');\n  allTabs.forEach(function(t) { t.classList.remove('print-active'); });\n  if (wifiTab) { wifiTab.classList.add('print-active'); }\n  window.print();\n  if (wifiTab) { wifiTab.classList.remove('print-active'); }\n}\n\n/* ===== Existing Functions ===== */\nfunction toggleTheme(){var h=document.documentElement,c=h.getAttribute('data-theme'),n=c==='dark'?'light':'dark';h.setAttribute('data-theme',n);document.getElementById('themeLabel').textContent=n==='dark'?'Light':'Dark';try{localStorage.setItem('bjTheme',n)}catch(e){}}\n(function(){try{var s=localStorage.getItem('bjTheme');if(s){document.documentElement.setAttribute('data-theme',s);var l=document.getElementById('themeLabel');if(l)l.textContent=s==='dark'?'Light':'Dark'}}catch(e){}})();\nvar ALL_TABS=['overview','isp','pfsense','switching','dns','k8s','noc','vpn','edge','wifi','planned','topology','domains','credentials'];\nfunction switchTab(id,el){document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});document.querySelectorAll('.tab-btn').forEach(function(b){b.classList.remove('active')});var tgt=document.getElementById('tab-'+id);if(tgt)tgt.classList.add('active');if(el)el.classList.add('active');history.replaceState(null,null,'#'+id);window.scrollTo({top:0,behavior:'smooth'});if(id==='wifi'){setTimeout(initWifiQRCodes,50);}}\n(function(){var h=location.hash.replace('#','');if(h){var tgt=document.getElementById('tab-'+h);if(tgt){document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});document.querySelectorAll('.tab-btn').forEach(function(b){b.classList.remove('active')});tgt.classList.add('active');var idx=ALL_TABS.indexOf(h);var btns=document.querySelectorAll('.tab-btn');if(idx>=0&&btns[idx])btns[idx].classList.add('active');if(h==='wifi'){setTimeout(initWifiQRCodes,100);}}}})();\nfunction copyText(t){var btn=event.target;if(navigator.clipboard){navigator.clipboard.writeText(t).then(function(){btn.textContent='copied!';btn.classList.add('copied');setTimeout(function(){btn.textContent='copy';btn.classList.remove('copied')},1500)})}else{var ta=document.createElement('textarea');ta.value=t;ta.style.position='fixed';ta.style.opacity='0';document.body.appendChild(ta);ta.select();try{document.execCommand('copy')}catch(e){}document.body.removeChild(ta);btn.textContent='copied!';btn.classList.add('copied');setTimeout(function(){btn.textContent='copy';btn.classList.remove('copied')},1500)}}\ndocument.addEventListener('keydown',function(e){if(e.altKey){var k=parseInt(e.key);if(k>=1&&k<=9){e.preventDefault();var idx=k-1;if(idx<ALL_TABS.length){var btns=document.querySelectorAll('.tab-btn');btns.forEach(function(b){b.classList.remove('active')});if(btns[idx])btns[idx].classList.add('active');document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});var tgt=document.getElementById('tab-'+ALL_TABS[idx]);if(tgt)tgt.classList.add('active');if(ALL_TABS[idx]==='wifi'){setTimeout(initWifiQRCodes,50);}}}if(e.key==='0'){e.preventDefault();var btns=document.querySelectorAll('.tab-btn');btns.forEach(function(b){b.classList.remove('active')});if(btns[9])btns[9].classList.add('active');document.querySelectorAll('.tab-content').forEach(function(t){t.classList.remove('active')});var tgt=document.getElementById('tab-'+ALL_TABS[9]);if(tgt)tgt.classList.add('active');if(ALL_TABS[9]==='wifi'){setTimeout(initWifiQRCodes,50);}}}});\n\
+    </script>\n</body>\n</html>\n"
+kind: ConfigMap
+metadata:
+  name: intranet-html
+  namespace: intranet
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: intranet
+  name: intranet
+  namespace: intranet
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: intranet
+  template:
+    metadata:
+      labels:
+        app: intranet
+    spec:
+      containers:
+      - image: nginx:alpine
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 80
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        name: nginx
+        ports:
+        - containerPort: 80
+          name: http
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 80
+          initialDelaySeconds: 3
+          periodSeconds: 5
+        resources:
+          limits:
+            cpu: 50m
+            memory: 64Mi
+          requests:
+            cpu: 5m
+            memory: 16Mi
+        volumeMounts:
+        - mountPath: /etc/nginx/conf.d/default.conf
+          name: nginx-conf
+          subPath: default.conf
+        - mountPath: /usr/share/nginx/html
+          name: html
+      volumes:
+      - configMap:
+          name: intranet-nginx-conf
+        name: nginx-conf
+      - configMap:
+          name: intranet-html
+        name: html
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: intranet
+  namespace: intranet
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+  selector:
+    app: intranet
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: intranet-tls
+  namespace: intranet
+spec:
+  dnsNames:
+  - intranet.iamworkin.lan
+  issuerRef:
+    kind: ClusterIssuer
+    name: step-ca-acme
+  secretName: intranet-tls
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: intranet
+  namespace: intranet
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - kind: Rule
+    match: Host(`intranet.iamworkin.lan`)
+    services:
+    - name: intranet
+      port: 80
+  tls:
+    secretName: intranet-tls
diff --git a/apps/irc/irc.yaml b/apps/irc/irc.yaml
index d85873e..9d8fb69 100644
--- a/apps/irc/irc.yaml
+++ b/apps/irc/irc.yaml
@@ -1,681 +1,681 @@
-# UnrealIRCd + Anope IRC Services
-# ArgoCD managed - BlueJay Lab
-# Credentials: 1Password → OnePasswordItem → K8s Secret → initContainer sed injection
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: irc
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# 1Password → K8s Secret sync
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: irc-credentials
-  namespace: irc
-spec:
-  itemPath: "vaults/IAmWorkin/items/IRC UnrealIRCd"
----
-# TLS Certificate for IRC
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: irc-tls
-  namespace: irc
-spec:
-  secretName: irc-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - irc.iamworkin.lan
----
-# UnrealIRCd configuration template (passwords replaced by placeholders)
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: unrealircd-config-template
-  namespace: irc
-data:
-  unrealircd.conf: |
-    /* BlueJay Lab IRC - UnrealIRCd 6.x config */
-    /* Managed by ArgoCD */
-    /* Credentials injected from 1Password at pod startup */
-
-    include "modules.default.conf";
-    include "help/help.conf";
-    include "operclass.default.conf";
-    include "snomasks.default.conf";
-
-    loadmodule "cloak_sha256";
-
-    me {
-      name "irc.iamworkin.lan";
-      info "BlueJay Lab IRC Server";
-      sid 001;
-    }
-
-    admin {
-      "BlueJay Lab IRC";
-      "admin@iamwork.in";
-    }
-
-    class clients {
-      pingfreq 90;
-      maxclients 500;
-      sendq 200k;
-      recvq 8000;
-    }
-
-    class opers {
-      pingfreq 90;
-      maxclients 50;
-      sendq 1M;
-      recvq 8000;
-    }
-
-    class servers {
-      pingfreq 60;
-      connfreq 15;
-      maxclients 10;
-      sendq 20M;
-    }
-
-    allow {
-      mask *;
-      class clients;
-      maxperip 5;
-    }
-
-    listen {
-      ip *;
-      port 6667;
-    }
-
-    listen {
-      ip *;
-      port 6697;
-      options { tls; }
-      tls-options {
-        certificate "/app/conf/tls/server.cert.pem";
-        key "/app/conf/tls/server.key.pem";
-      }
-    }
-
-    listen {
-      ip *;
-      port 8067;
-    }
-
-    oper bluejay {
-      mask *;
-      password "__OPER_PASSWORD__";
-      operclass netadmin-with-override;
-      class opers;
-    }
-
-    drpass {
-      restart "__OPER_PASSWORD__";
-      die "__OPER_PASSWORD__";
-    }
-
-    link services.iamworkin.lan {
-      incoming {
-        mask *;
-      }
-      password "__LINK_PASSWORD__";
-      class servers;
-    }
-
-    ulines {
-      services.iamworkin.lan;
-    }
-
-    log {
-      source {
-        all;
-        \\!debug;
-      }
-      destination {
-        channel "#ops";
-      }
-    }
-
-    set {
-      network-name "BlueJayIRC";
-      default-server "irc.iamworkin.lan";
-      services-server "services.iamworkin.lan";
-      stats-server "stats.iamworkin.lan";
-      help-channel "#general";
-      cloak-keys {
-        "ZWKeb8YevNiL45Xdh2p5u4tv2xksWgb8YPQSvmerBmNObyGbTDGnU4PNomZaLbZ1D9M2Cy6njM1XLJUkJhAx1oY3coBdZoPykEo7";
-        "KqRaLeA6ijOnWDdCqYtJ6rb1VgR8lYnU9Sey7cbRhi3PsGzD5gZONJXyUdbJ7bD26QKCuiDydBsccUVKC3lYN0HJ9sGTlOYR3c2m";
-        "2I4oopLDY79Fr4Mucy63EVOfkelVV23nESPWoqMnP1pUc8Yg0D4RK1mVtxyEhdTPpLFyKgG4fRlb6R33eHoQe7yi7moOu4W1Waw6";
-      }
-      kline-address "admin@iamwork.in";
-      maxchannelsperuser 25;
-      anti-flood {
-        everyone {
-          connect-flood 3:60;
-        }
-      }
-      options {
-        hide-ulines;
-        show-connect-info;
-      }
-
-      /* TLS config */
-      tls {
-        certificate "/app/conf/tls/server.cert.pem";
-        key "/app/conf/tls/server.key.pem";
-        trusted-ca-file "/etc/ssl/certs/ca-certificates.crt";
-      }
-
-      /* Allow plaintext for server-to-server links (Anope is internal) */
-      plaintext-policy {
-        server allow;
-      }
-    }
----
-# Anope configuration template (passwords replaced by placeholders)
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: anope-config-template
-  namespace: irc
-data:
-  services.conf: |
-    define
-    {
-    	name = "services.host"
-    	value = "services.iamworkin.lan"
-    }
-
-    uplink
-    {
-    	host = "unrealircd.irc.svc.cluster.local"
-    	port = 8067
-    	password = "__LINK_PASSWORD__"
-    }
-
-    serverinfo
-    {
-    	name = "services.iamworkin.lan"
-    	description = "BlueJay IRC Services"
-    	pid = "/anope/data/services.pid"
-    	motd = "/anope/data/services.motd"
-    }
-
-    module { name = "unreal4" }
-
-    networkinfo
-    {
-    	networkname = "BlueJayIRC"
-    	nicklen = 31
-    	userlen = 10
-    	hostlen = 64
-    	chanlen = 32
-    }
-
-    options
-    {
-    	casemap = "ascii"
-    	strictpasswords = yes
-    	readtimeout = 5s
-    	warningtimeout = 4h
-    }
-
-    module { name = "enc_sha256" }
-
-    /* Service pseudo-client definitions */
-    service
-    {
-    	nick = "NickServ"
-    	user = "services"
-    	host = "services.host"
-    	gecos = "Nickname Registration Service"
-    }
-
-    service
-    {
-    	nick = "ChanServ"
-    	user = "services"
-    	host = "services.host"
-    	gecos = "Channel Registration Service"
-    }
-
-    service
-    {
-    	nick = "OperServ"
-    	user = "services"
-    	host = "services.host"
-    	gecos = "Operator Service"
-    }
-
-    service
-    {
-    	nick = "BotServ"
-    	user = "services"
-    	host = "services.host"
-    	gecos = "Bot Service"
-    }
-
-    service
-    {
-    	nick = "HostServ"
-    	user = "services"
-    	host = "services.host"
-    	gecos = "vHost Service"
-    }
-
-    service
-    {
-    	nick = "MemoServ"
-    	user = "services"
-    	host = "services.host"
-    	gecos = "Memo Service"
-    }
-
-    service
-    {
-    	nick = "Global"
-    	user = "services"
-    	host = "services.host"
-    	gecos = "Global Noticer"
-    }
-
-    /* Module configurations */
-    module
-    {
-    	name = "nickserv"
-    	client = "NickServ"
-    	defaults = "kill_quick ns_secure ns_private hide_email"
-    	registration = "none"
-    	expire = 90d
-    }
-
-    module { name = "ns_identify" }
-    module { name = "ns_register" }
-    module { name = "ns_set" }
-    module { name = "ns_drop" }
-    module { name = "ns_recover" }
-    module { name = "ns_info" }
-    module { name = "ns_list" }
-    module { name = "ns_access" }
-    module { name = "ns_group" }
-
-    module
-    {
-    	name = "chanserv"
-    	client = "ChanServ"
-    	defaults = "keeptopic peace cs_secure"
-    	expire = 14d
-    }
-
-    module { name = "cs_register" }
-    module { name = "cs_set" }
-    module { name = "cs_access" }
-    module { name = "cs_ban" }
-    module { name = "cs_kick" }
-    module { name = "cs_mode" }
-    module { name = "cs_topic" }
-    module { name = "cs_info" }
-    module { name = "cs_list" }
-    module { name = "cs_drop" }
-
-    module
-    {
-    	name = "operserv"
-    	client = "OperServ"
-    }
-
-    module { name = "os_akill" }
-    module { name = "os_mode" }
-    module { name = "os_kick" }
-    module { name = "os_kill" }
-    module { name = "os_list" }
-    module { name = "os_stats" }
-    module { name = "os_reload" }
-    module { name = "os_shutdown" }
-
-    module
-    {
-    	name = "botserv"
-    	client = "BotServ"
-    	defaults = "dontkickops fantasy greet"
-    }
-
-    module { name = "bs_bot" }
-    module { name = "bs_assign" }
-
-    module
-    {
-    	name = "hostserv"
-    	client = "HostServ"
-    }
-
-    module { name = "hs_set" }
-    module { name = "hs_request" }
-
-    module
-    {
-    	name = "memoserv"
-    	client = "MemoServ"
-    	maxmemos = 20
-    }
-
-    module { name = "ms_send" }
-    module { name = "ms_read" }
-    module { name = "ms_del" }
-    module { name = "ms_list" }
-
-    module
-    {
-    	name = "global"
-    	client = "Global"
-    }
-
-    module { name = "gl_global" }
-
-    opertype
-    {
-    	name = "Services Root"
-    	commands = "*"
-    	privs = "*"
-    }
-
-    oper
-    {
-    	name = "bluejay"
-    	type = "Services Root"
-    }
-
-    module
-    {
-    	name = "db_flatfile"
-    	database = "anope.db"
-    	fork = no
-    }
-
-    log
-    {
-    	target = "services.log"
-    	admin = "*"
-    	override = "chanserv/* nickserv/* operserv/*"
-    	commands = "chanserv/* nickserv/* operserv/*"
-    	servers = "*"
-    	channels = "*"
-    	users = "connect disconnect"
-    }
----
-# UnrealIRCd PVC
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: unrealircd-data
-  namespace: irc
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: 1Gi
----
-# Anope PVC
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: anope-data
-  namespace: irc
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: 1Gi
----
-# UnrealIRCd Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: unrealircd
-  namespace: irc
-  labels:
-    app: unrealircd
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: unrealircd
-  template:
-    metadata:
-      labels:
-        app: unrealircd
-    spec:
-      initContainers:
-        - name: inject-credentials
-          image: busybox:1.36
-          command: ["sh", "-c"]
-          args:
-            - |
-              OPER_PW=$(cat /secrets/password)
-              LINK_PW=$(cat /secrets/Link-Password)
-              sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \
-                  -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
-                  /config-template/unrealircd.conf > /injected-config/unrealircd.conf
-              echo "Credentials injected into unrealircd.conf"
-          volumeMounts:
-            - name: irc-credentials
-              mountPath: /secrets
-              readOnly: true
-            - name: unrealircd-config-template
-              mountPath: /config-template
-              readOnly: true
-            - name: injected-config
-              mountPath: /injected-config
-        - name: copy-tls
-          image: busybox:1.36
-          command: ["sh", "-c"]
-          args:
-            - |
-              cp /tls-secret/tls.crt /tls/server.cert.pem
-              cp /tls-secret/tls.key /tls/server.key.pem
-              chmod 644 /tls/server.cert.pem
-              chmod 644 /tls/server.key.pem
-              chown 1000:1000 /tls/server.cert.pem /tls/server.key.pem 2>/dev/null || true
-              chmod 777 /data
-          volumeMounts:
-            - name: irc-tls-secret
-              mountPath: /tls-secret
-              readOnly: true
-            - name: irc-tls
-              mountPath: /tls
-            - name: unrealircd-data
-              mountPath: /data
-      containers:
-        - name: unrealircd
-          image: djlegolas/unrealircd:6.1.9.1
-          ports:
-            - containerPort: 6667
-              name: irc-plain
-            - containerPort: 6697
-              name: irc-tls
-            - containerPort: 8067
-              name: services-link
-          volumeMounts:
-            - name: injected-config
-              mountPath: /app/conf/unrealircd.conf
-              subPath: unrealircd.conf
-            - name: unrealircd-data
-              mountPath: /app/data
-            - name: irc-tls
-              mountPath: /app/conf/tls
-          resources:
-            requests:
-              memory: 64Mi
-              cpu: 50m
-            limits:
-              memory: 256Mi
-              cpu: 250m
-      volumes:
-        - name: irc-credentials
-          secret:
-            secretName: irc-credentials
-        - name: unrealircd-config-template
-          configMap:
-            name: unrealircd-config-template
-        - name: injected-config
-          emptyDir: {}
-        - name: unrealircd-data
-          persistentVolumeClaim:
-            claimName: unrealircd-data
-        - name: irc-tls-secret
-          secret:
-            secretName: irc-tls
-        - name: irc-tls
-          emptyDir: {}
----
-# Anope IRC Services Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: anope
-  namespace: irc
-  labels:
-    app: anope
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: anope
-  template:
-    metadata:
-      labels:
-        app: anope
-    spec:
-      initContainers:
-        - name: inject-credentials
-          image: busybox:1.36
-          command: ["sh", "-c"]
-          args:
-            - |
-              LINK_PW=$(cat /secrets/Link-Password)
-              sed -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
-                  /config-template/services.conf > /injected-config/services.conf
-              echo "Credentials injected into services.conf"
-          volumeMounts:
-            - name: irc-credentials
-              mountPath: /secrets
-              readOnly: true
-            - name: anope-config-template
-              mountPath: /config-template
-              readOnly: true
-            - name: injected-config
-              mountPath: /injected-config
-        - name: fix-perms
-          image: busybox:1.36
-          command: ["sh", "-c"]
-          args:
-            - |
-              mkdir -p /data/db /data/logs /data/runtime
-              touch /data/anope.db /data/services.motd
-              chmod 666 /data/anope.db
-              chown -R 10000:10000 /data 2>/dev/null || chmod -R 777 /data
-              echo "Anope data dir prepared: $(ls -la /data/anope.db)"
-          volumeMounts:
-            - name: anope-data
-              mountPath: /data
-      containers:
-        - name: anope
-          image: anope/anope:latest
-          volumeMounts:
-            - name: injected-config
-              mountPath: /anope/conf/services.conf
-              subPath: services.conf
-            - name: anope-data
-              mountPath: /anope/data
-          resources:
-            requests:
-              memory: 64Mi
-              cpu: 25m
-            limits:
-              memory: 128Mi
-              cpu: 100m
-      volumes:
-        - name: irc-credentials
-          secret:
-            secretName: irc-credentials
-        - name: anope-config-template
-          configMap:
-            name: anope-config-template
-        - name: injected-config
-          emptyDir: {}
-        - name: anope-data
-          persistentVolumeClaim:
-            claimName: anope-data
----
-# UnrealIRCd Service
-apiVersion: v1
-kind: Service
-metadata:
-  name: unrealircd
-  namespace: irc
-spec:
-  selector:
-    app: unrealircd
-  ports:
-    - port: 6667
-      targetPort: 6667
-      name: irc-plain
-    - port: 6697
-      targetPort: 6697
-      name: irc-tls
-    - port: 8067
-      targetPort: 8067
-      name: services-link
----
-# Anope Service
-apiVersion: v1
-kind: Service
-metadata:
-  name: anope
-  namespace: irc
-spec:
-  selector:
-    app: anope
-  ports:
-    - port: 8067
-      targetPort: 8067
-      name: services-link
----
-# Traefik IngressRouteTCP - IRC plain (6667)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRouteTCP
-metadata:
-  name: irc-plain
-  namespace: irc
-spec:
-  entryPoints:
-    - irc
-  routes:
-    - match: HostSNI(`*`)
-      services:
-        - name: unrealircd
-          port: 6667
----
-# Traefik IngressRouteTCP - IRC TLS passthrough (6697)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRouteTCP
-metadata:
-  name: irc-tls
-  namespace: irc
-spec:
-  entryPoints:
-    - irctls
-  routes:
-    - match: HostSNI(`*`)
-      services:
-        - name: unrealircd
-          port: 6697
-  tls:
-    passthrough: true
+# UnrealIRCd + Anope IRC Services
+# ArgoCD managed - BlueJay Lab
+# Credentials: 1Password → OnePasswordItem → K8s Secret → initContainer sed injection
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: irc
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# 1Password → K8s Secret sync
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: irc-credentials
+  namespace: irc
+spec:
+  itemPath: "vaults/IAmWorkin/items/IRC UnrealIRCd"
+---
+# TLS Certificate for IRC
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: irc-tls
+  namespace: irc
+spec:
+  secretName: irc-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - irc.iamworkin.lan
+---
+# UnrealIRCd configuration template (passwords replaced by placeholders)
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: unrealircd-config-template
+  namespace: irc
+data:
+  unrealircd.conf: |
+    /* BlueJay Lab IRC - UnrealIRCd 6.x config */
+    /* Managed by ArgoCD */
+    /* Credentials injected from 1Password at pod startup */
+
+    include "modules.default.conf";
+    include "help/help.conf";
+    include "operclass.default.conf";
+    include "snomasks.default.conf";
+
+    loadmodule "cloak_sha256";
+
+    me {
+      name "irc.iamworkin.lan";
+      info "BlueJay Lab IRC Server";
+      sid 001;
+    }
+
+    admin {
+      "BlueJay Lab IRC";
+      "admin@iamwork.in";
+    }
+
+    class clients {
+      pingfreq 90;
+      maxclients 500;
+      sendq 200k;
+      recvq 8000;
+    }
+
+    class opers {
+      pingfreq 90;
+      maxclients 50;
+      sendq 1M;
+      recvq 8000;
+    }
+
+    class servers {
+      pingfreq 60;
+      connfreq 15;
+      maxclients 10;
+      sendq 20M;
+    }
+
+    allow {
+      mask *;
+      class clients;
+      maxperip 5;
+    }
+
+    listen {
+      ip *;
+      port 6667;
+    }
+
+    listen {
+      ip *;
+      port 6697;
+      options { tls; }
+      tls-options {
+        certificate "/app/conf/tls/server.cert.pem";
+        key "/app/conf/tls/server.key.pem";
+      }
+    }
+
+    listen {
+      ip *;
+      port 8067;
+    }
+
+    oper bluejay {
+      mask *;
+      password "__OPER_PASSWORD__";
+      operclass netadmin-with-override;
+      class opers;
+    }
+
+    drpass {
+      restart "__OPER_PASSWORD__";
+      die "__OPER_PASSWORD__";
+    }
+
+    link services.iamworkin.lan {
+      incoming {
+        mask *;
+      }
+      password "__LINK_PASSWORD__";
+      class servers;
+    }
+
+    ulines {
+      services.iamworkin.lan;
+    }
+
+    log {
+      source {
+        all;
+        \\!debug;
+      }
+      destination {
+        channel "#ops";
+      }
+    }
+
+    set {
+      network-name "BlueJayIRC";
+      default-server "irc.iamworkin.lan";
+      services-server "services.iamworkin.lan";
+      stats-server "stats.iamworkin.lan";
+      help-channel "#general";
+      cloak-keys {
+        "ZWKeb8YevNiL45Xdh2p5u4tv2xksWgb8YPQSvmerBmNObyGbTDGnU4PNomZaLbZ1D9M2Cy6njM1XLJUkJhAx1oY3coBdZoPykEo7";
+        "KqRaLeA6ijOnWDdCqYtJ6rb1VgR8lYnU9Sey7cbRhi3PsGzD5gZONJXyUdbJ7bD26QKCuiDydBsccUVKC3lYN0HJ9sGTlOYR3c2m";
+        "2I4oopLDY79Fr4Mucy63EVOfkelVV23nESPWoqMnP1pUc8Yg0D4RK1mVtxyEhdTPpLFyKgG4fRlb6R33eHoQe7yi7moOu4W1Waw6";
+      }
+      kline-address "admin@iamwork.in";
+      maxchannelsperuser 25;
+      anti-flood {
+        everyone {
+          connect-flood 3:60;
+        }
+      }
+      options {
+        hide-ulines;
+        show-connect-info;
+      }
+
+      /* TLS config */
+      tls {
+        certificate "/app/conf/tls/server.cert.pem";
+        key "/app/conf/tls/server.key.pem";
+        trusted-ca-file "/etc/ssl/certs/ca-certificates.crt";
+      }
+
+      /* Allow plaintext for server-to-server links (Anope is internal) */
+      plaintext-policy {
+        server allow;
+      }
+    }
+---
+# Anope configuration template (passwords replaced by placeholders)
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: anope-config-template
+  namespace: irc
+data:
+  services.conf: |
+    define
+    {
+    	name = "services.host"
+    	value = "services.iamworkin.lan"
+    }
+
+    uplink
+    {
+    	host = "unrealircd.irc.svc.cluster.local"
+    	port = 8067
+    	password = "__LINK_PASSWORD__"
+    }
+
+    serverinfo
+    {
+    	name = "services.iamworkin.lan"
+    	description = "BlueJay IRC Services"
+    	pid = "/anope/data/services.pid"
+    	motd = "/anope/data/services.motd"
+    }
+
+    module { name = "unreal4" }
+
+    networkinfo
+    {
+    	networkname = "BlueJayIRC"
+    	nicklen = 31
+    	userlen = 10
+    	hostlen = 64
+    	chanlen = 32
+    }
+
+    options
+    {
+    	casemap = "ascii"
+    	strictpasswords = yes
+    	readtimeout = 5s
+    	warningtimeout = 4h
+    }
+
+    module { name = "enc_sha256" }
+
+    /* Service pseudo-client definitions */
+    service
+    {
+    	nick = "NickServ"
+    	user = "services"
+    	host = "services.host"
+    	gecos = "Nickname Registration Service"
+    }
+
+    service
+    {
+    	nick = "ChanServ"
+    	user = "services"
+    	host = "services.host"
+    	gecos = "Channel Registration Service"
+    }
+
+    service
+    {
+    	nick = "OperServ"
+    	user = "services"
+    	host = "services.host"
+    	gecos = "Operator Service"
+    }
+
+    service
+    {
+    	nick = "BotServ"
+    	user = "services"
+    	host = "services.host"
+    	gecos = "Bot Service"
+    }
+
+    service
+    {
+    	nick = "HostServ"
+    	user = "services"
+    	host = "services.host"
+    	gecos = "vHost Service"
+    }
+
+    service
+    {
+    	nick = "MemoServ"
+    	user = "services"
+    	host = "services.host"
+    	gecos = "Memo Service"
+    }
+
+    service
+    {
+    	nick = "Global"
+    	user = "services"
+    	host = "services.host"
+    	gecos = "Global Noticer"
+    }
+
+    /* Module configurations */
+    module
+    {
+    	name = "nickserv"
+    	client = "NickServ"
+    	defaults = "kill_quick ns_secure ns_private hide_email"
+    	registration = "none"
+    	expire = 90d
+    }
+
+    module { name = "ns_identify" }
+    module { name = "ns_register" }
+    module { name = "ns_set" }
+    module { name = "ns_drop" }
+    module { name = "ns_recover" }
+    module { name = "ns_info" }
+    module { name = "ns_list" }
+    module { name = "ns_access" }
+    module { name = "ns_group" }
+
+    module
+    {
+    	name = "chanserv"
+    	client = "ChanServ"
+    	defaults = "keeptopic peace cs_secure"
+    	expire = 14d
+    }
+
+    module { name = "cs_register" }
+    module { name = "cs_set" }
+    module { name = "cs_access" }
+    module { name = "cs_ban" }
+    module { name = "cs_kick" }
+    module { name = "cs_mode" }
+    module { name = "cs_topic" }
+    module { name = "cs_info" }
+    module { name = "cs_list" }
+    module { name = "cs_drop" }
+
+    module
+    {
+    	name = "operserv"
+    	client = "OperServ"
+    }
+
+    module { name = "os_akill" }
+    module { name = "os_mode" }
+    module { name = "os_kick" }
+    module { name = "os_kill" }
+    module { name = "os_list" }
+    module { name = "os_stats" }
+    module { name = "os_reload" }
+    module { name = "os_shutdown" }
+
+    module
+    {
+    	name = "botserv"
+    	client = "BotServ"
+    	defaults = "dontkickops fantasy greet"
+    }
+
+    module { name = "bs_bot" }
+    module { name = "bs_assign" }
+
+    module
+    {
+    	name = "hostserv"
+    	client = "HostServ"
+    }
+
+    module { name = "hs_set" }
+    module { name = "hs_request" }
+
+    module
+    {
+    	name = "memoserv"
+    	client = "MemoServ"
+    	maxmemos = 20
+    }
+
+    module { name = "ms_send" }
+    module { name = "ms_read" }
+    module { name = "ms_del" }
+    module { name = "ms_list" }
+
+    module
+    {
+    	name = "global"
+    	client = "Global"
+    }
+
+    module { name = "gl_global" }
+
+    opertype
+    {
+    	name = "Services Root"
+    	commands = "*"
+    	privs = "*"
+    }
+
+    oper
+    {
+    	name = "bluejay"
+    	type = "Services Root"
+    }
+
+    module
+    {
+    	name = "db_flatfile"
+    	database = "anope.db"
+    	fork = no
+    }
+
+    log
+    {
+    	target = "services.log"
+    	admin = "*"
+    	override = "chanserv/* nickserv/* operserv/*"
+    	commands = "chanserv/* nickserv/* operserv/*"
+    	servers = "*"
+    	channels = "*"
+    	users = "connect disconnect"
+    }
+---
+# UnrealIRCd PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: unrealircd-data
+  namespace: irc
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 1Gi
+---
+# Anope PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: anope-data
+  namespace: irc
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 1Gi
+---
+# UnrealIRCd Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: unrealircd
+  namespace: irc
+  labels:
+    app: unrealircd
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: unrealircd
+  template:
+    metadata:
+      labels:
+        app: unrealircd
+    spec:
+      initContainers:
+        - name: inject-credentials
+          image: busybox:1.36
+          command: ["sh", "-c"]
+          args:
+            - |
+              OPER_PW=$(cat /secrets/password)
+              LINK_PW=$(cat /secrets/Link-Password)
+              sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \
+                  -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
+                  /config-template/unrealircd.conf > /injected-config/unrealircd.conf
+              echo "Credentials injected into unrealircd.conf"
+          volumeMounts:
+            - name: irc-credentials
+              mountPath: /secrets
+              readOnly: true
+            - name: unrealircd-config-template
+              mountPath: /config-template
+              readOnly: true
+            - name: injected-config
+              mountPath: /injected-config
+        - name: copy-tls
+          image: busybox:1.36
+          command: ["sh", "-c"]
+          args:
+            - |
+              cp /tls-secret/tls.crt /tls/server.cert.pem
+              cp /tls-secret/tls.key /tls/server.key.pem
+              chmod 644 /tls/server.cert.pem
+              chmod 644 /tls/server.key.pem
+              chown 1000:1000 /tls/server.cert.pem /tls/server.key.pem 2>/dev/null || true
+              chmod 777 /data
+          volumeMounts:
+            - name: irc-tls-secret
+              mountPath: /tls-secret
+              readOnly: true
+            - name: irc-tls
+              mountPath: /tls
+            - name: unrealircd-data
+              mountPath: /data
+      containers:
+        - name: unrealircd
+          image: djlegolas/unrealircd:6.1.9.1
+          ports:
+            - containerPort: 6667
+              name: irc-plain
+            - containerPort: 6697
+              name: irc-tls
+            - containerPort: 8067
+              name: services-link
+          volumeMounts:
+            - name: injected-config
+              mountPath: /app/conf/unrealircd.conf
+              subPath: unrealircd.conf
+            - name: unrealircd-data
+              mountPath: /app/data
+            - name: irc-tls
+              mountPath: /app/conf/tls
+          resources:
+            requests:
+              memory: 64Mi
+              cpu: 50m
+            limits:
+              memory: 256Mi
+              cpu: 250m
+      volumes:
+        - name: irc-credentials
+          secret:
+            secretName: irc-credentials
+        - name: unrealircd-config-template
+          configMap:
+            name: unrealircd-config-template
+        - name: injected-config
+          emptyDir: {}
+        - name: unrealircd-data
+          persistentVolumeClaim:
+            claimName: unrealircd-data
+        - name: irc-tls-secret
+          secret:
+            secretName: irc-tls
+        - name: irc-tls
+          emptyDir: {}
+---
+# Anope IRC Services Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: anope
+  namespace: irc
+  labels:
+    app: anope
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: anope
+  template:
+    metadata:
+      labels:
+        app: anope
+    spec:
+      initContainers:
+        - name: inject-credentials
+          image: busybox:1.36
+          command: ["sh", "-c"]
+          args:
+            - |
+              LINK_PW=$(cat /secrets/Link-Password)
+              sed -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
+                  /config-template/services.conf > /injected-config/services.conf
+              echo "Credentials injected into services.conf"
+          volumeMounts:
+            - name: irc-credentials
+              mountPath: /secrets
+              readOnly: true
+            - name: anope-config-template
+              mountPath: /config-template
+              readOnly: true
+            - name: injected-config
+              mountPath: /injected-config
+        - name: fix-perms
+          image: busybox:1.36
+          command: ["sh", "-c"]
+          args:
+            - |
+              mkdir -p /data/db /data/logs /data/runtime
+              touch /data/anope.db /data/services.motd
+              chmod 666 /data/anope.db
+              chown -R 10000:10000 /data 2>/dev/null || chmod -R 777 /data
+              echo "Anope data dir prepared: $(ls -la /data/anope.db)"
+          volumeMounts:
+            - name: anope-data
+              mountPath: /data
+      containers:
+        - name: anope
+          image: anope/anope:latest
+          volumeMounts:
+            - name: injected-config
+              mountPath: /anope/conf/services.conf
+              subPath: services.conf
+            - name: anope-data
+              mountPath: /anope/data
+          resources:
+            requests:
+              memory: 64Mi
+              cpu: 25m
+            limits:
+              memory: 128Mi
+              cpu: 100m
+      volumes:
+        - name: irc-credentials
+          secret:
+            secretName: irc-credentials
+        - name: anope-config-template
+          configMap:
+            name: anope-config-template
+        - name: injected-config
+          emptyDir: {}
+        - name: anope-data
+          persistentVolumeClaim:
+            claimName: anope-data
+---
+# UnrealIRCd Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: unrealircd
+  namespace: irc
+spec:
+  selector:
+    app: unrealircd
+  ports:
+    - port: 6667
+      targetPort: 6667
+      name: irc-plain
+    - port: 6697
+      targetPort: 6697
+      name: irc-tls
+    - port: 8067
+      targetPort: 8067
+      name: services-link
+---
+# Anope Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: anope
+  namespace: irc
+spec:
+  selector:
+    app: anope
+  ports:
+    - port: 8067
+      targetPort: 8067
+      name: services-link
+---
+# Traefik IngressRouteTCP - IRC plain (6667)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: irc-plain
+  namespace: irc
+spec:
+  entryPoints:
+    - irc
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: unrealircd
+          port: 6667
+---
+# Traefik IngressRouteTCP - IRC TLS passthrough (6697)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: irc-tls
+  namespace: irc
+spec:
+  entryPoints:
+    - irctls
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: unrealircd
+          port: 6697
+  tls:
+    passthrough: true
diff --git a/apps/mail/mail.yaml b/apps/mail/mail.yaml
index 789ed87..150f625 100644
--- a/apps/mail/mail.yaml
+++ b/apps/mail/mail.yaml
@@ -1,259 +1,259 @@
-# docker-mailserver - Postfix + Dovecot + rspamd
-# ArgoCD managed - BlueJay Lab
-# Credentials: 1Password → OnePasswordItem CRD → K8s Secret
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: mail
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# 1Password → K8s Secret sync for mail credentials
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: mail-credentials
-  namespace: mail
-spec:
-  itemPath: "vaults/IAmWorkin/items/Mail Postmaster"
----
-# Mail data PVC
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: mail-data
-  namespace: mail
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: 5Gi
----
-# Mail state PVC
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: mail-state
-  namespace: mail
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: 1Gi
----
-# docker-mailserver Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: mailserver
-  namespace: mail
-  labels:
-    app: mailserver
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: mailserver
-  template:
-    metadata:
-      labels:
-        app: mailserver
-    spec:
-      hostname: mail
-      initContainers:
-        - name: inject-accounts
-          image: busybox:1.36
-          command:
-            - sh
-            - -c
-            - |
-              ADMIN_EMAIL=$(cat /credentials/Admin-Email)
-              ADMIN_HASH=$(cat /credentials/Admin-Hash)
-              NOREPLY_EMAIL=$(cat /credentials/Noreply-Email)
-              NOREPLY_HASH=$(cat /credentials/Noreply-Hash)
-              echo "${ADMIN_EMAIL}|${ADMIN_HASH}" > /accounts/postfix-accounts.cf
-              echo "${NOREPLY_EMAIL}|${NOREPLY_HASH}" >> /accounts/postfix-accounts.cf
-          volumeMounts:
-            - name: mail-credentials
-              mountPath: /credentials
-              readOnly: true
-            - name: mail-accounts-generated
-              mountPath: /accounts
-      containers:
-        - name: mailserver
-          image: docker.io/mailserver/docker-mailserver:latest
-          ports:
-            - containerPort: 25
-              name: smtp
-            - containerPort: 465
-              name: smtps
-            - containerPort: 587
-              name: submission
-            - containerPort: 143
-              name: imap
-            - containerPort: 993
-              name: imaps
-          env:
-            - name: ENABLE_SPAMASSASSIN
-              value: "1"
-            - name: ENABLE_CLAMAV
-              value: "0"
-            - name: ENABLE_RSPAMD
-              value: "1"
-            - name: TZ
-              value: America/Chicago
-            - name: POSTMASTER_ADDRESS
-              value: postmaster@iamwork.in
-            - name: OVERRIDE_HOSTNAME
-              value: mail.iamwork.in
-            - name: ENABLE_FAIL2BAN
-              value: "0"
-            - name: ENABLE_POSTGREY
-              value: "0"
-            - name: ONE_DIR
-              value: "1"
-            - name: PERMIT_DOCKER
-              value: network
-            - name: SSL_TYPE
-              value: manual
-            - name: SSL_CERT_PATH
-              value: /etc/ssl/mail/tls.crt
-            - name: SSL_KEY_PATH
-              value: /etc/ssl/mail/tls.key
-            - name: ACCOUNT_PROVISIONER
-              value: FILE
-          volumeMounts:
-            - name: mail-data
-              mountPath: /var/mail
-            - name: mail-state
-              mountPath: /var/mail-state
-            - name: mail-tls
-              mountPath: /etc/ssl/mail
-              readOnly: true
-            - name: mail-accounts-generated
-              mountPath: /tmp/docker-mailserver/postfix-accounts.cf
-              subPath: postfix-accounts.cf
-              readOnly: true
-          resources:
-            requests:
-              memory: 512Mi
-              cpu: 200m
-            limits:
-              memory: 2Gi
-              cpu: "1"
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-                - SYS_PTRACE
-      volumes:
-        - name: mail-data
-          persistentVolumeClaim:
-            claimName: mail-data
-        - name: mail-state
-          persistentVolumeClaim:
-            claimName: mail-state
-        - name: mail-tls
-          secret:
-            secretName: mail-tls
-        - name: mail-credentials
-          secret:
-            secretName: mail-credentials
-        - name: mail-accounts-generated
-          emptyDir: {}
----
-# SMTP LoadBalancer Service (external)
-apiVersion: v1
-kind: Service
-metadata:
-  name: mail-smtp
-  namespace: mail
-  annotations:
-    metallb.universe.tf/loadBalancerIPs: 10.0.56.202
-spec:
-  type: LoadBalancer
-  selector:
-    app: mailserver
-  ports:
-    - port: 25
-      targetPort: 25
-      name: smtp
-      protocol: TCP
-    - port: 465
-      targetPort: 465
-      name: smtps
-      protocol: TCP
-    - port: 587
-      targetPort: 587
-      name: submission
-      protocol: TCP
----
-# IMAP ClusterIP Service (internal)
-apiVersion: v1
-kind: Service
-metadata:
-  name: mail-imap
-  namespace: mail
-spec:
-  selector:
-    app: mailserver
-  ports:
-    - port: 143
-      targetPort: 143
-      name: imap
-    - port: 993
-      targetPort: 993
-      name: imaps
----
-# TLS Certificate via cert-manager
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: mail-tls
-  namespace: mail
-spec:
-  secretName: mail-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - mail.iamworkin.lan
----
-# Traefik IngressRoute - Webmail placeholder
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: mail-webmail
-  namespace: mail
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`mail.iamworkin.lan`)
-      kind: Rule
-      services:
-        - name: mail-imap
-          port: 993
-  tls:
-    secretName: mail-tls
----
-# Public IngressRoute - Webmail (flowercore.io with Cloudflare origin cert)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: mail-webmail-public
-  namespace: mail
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`webmail.flowercore.io`)
-      kind: Rule
-      services:
-        - name: mail-webmail
-          port: 8080
-  tls:
-    secretName: cf-origin-flowercore-io
+# docker-mailserver - Postfix + Dovecot + rspamd
+# ArgoCD managed - BlueJay Lab
+# Credentials: 1Password → OnePasswordItem CRD → K8s Secret
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mail
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# 1Password → K8s Secret sync for mail credentials
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: mail-credentials
+  namespace: mail
+spec:
+  itemPath: "vaults/IAmWorkin/items/Mail Postmaster"
+---
+# Mail data PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mail-data
+  namespace: mail
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 5Gi
+---
+# Mail state PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mail-state
+  namespace: mail
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 1Gi
+---
+# docker-mailserver Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mailserver
+  namespace: mail
+  labels:
+    app: mailserver
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: mailserver
+  template:
+    metadata:
+      labels:
+        app: mailserver
+    spec:
+      hostname: mail
+      initContainers:
+        - name: inject-accounts
+          image: busybox:1.36
+          command:
+            - sh
+            - -c
+            - |
+              ADMIN_EMAIL=$(cat /credentials/Admin-Email)
+              ADMIN_HASH=$(cat /credentials/Admin-Hash)
+              NOREPLY_EMAIL=$(cat /credentials/Noreply-Email)
+              NOREPLY_HASH=$(cat /credentials/Noreply-Hash)
+              echo "${ADMIN_EMAIL}|${ADMIN_HASH}" > /accounts/postfix-accounts.cf
+              echo "${NOREPLY_EMAIL}|${NOREPLY_HASH}" >> /accounts/postfix-accounts.cf
+          volumeMounts:
+            - name: mail-credentials
+              mountPath: /credentials
+              readOnly: true
+            - name: mail-accounts-generated
+              mountPath: /accounts
+      containers:
+        - name: mailserver
+          image: docker.io/mailserver/docker-mailserver:latest
+          ports:
+            - containerPort: 25
+              name: smtp
+            - containerPort: 465
+              name: smtps
+            - containerPort: 587
+              name: submission
+            - containerPort: 143
+              name: imap
+            - containerPort: 993
+              name: imaps
+          env:
+            - name: ENABLE_SPAMASSASSIN
+              value: "1"
+            - name: ENABLE_CLAMAV
+              value: "0"
+            - name: ENABLE_RSPAMD
+              value: "1"
+            - name: TZ
+              value: America/Chicago
+            - name: POSTMASTER_ADDRESS
+              value: postmaster@iamwork.in
+            - name: OVERRIDE_HOSTNAME
+              value: mail.iamwork.in
+            - name: ENABLE_FAIL2BAN
+              value: "0"
+            - name: ENABLE_POSTGREY
+              value: "0"
+            - name: ONE_DIR
+              value: "1"
+            - name: PERMIT_DOCKER
+              value: network
+            - name: SSL_TYPE
+              value: manual
+            - name: SSL_CERT_PATH
+              value: /etc/ssl/mail/tls.crt
+            - name: SSL_KEY_PATH
+              value: /etc/ssl/mail/tls.key
+            - name: ACCOUNT_PROVISIONER
+              value: FILE
+          volumeMounts:
+            - name: mail-data
+              mountPath: /var/mail
+            - name: mail-state
+              mountPath: /var/mail-state
+            - name: mail-tls
+              mountPath: /etc/ssl/mail
+              readOnly: true
+            - name: mail-accounts-generated
+              mountPath: /tmp/docker-mailserver/postfix-accounts.cf
+              subPath: postfix-accounts.cf
+              readOnly: true
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 200m
+            limits:
+              memory: 2Gi
+              cpu: "1"
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - SYS_PTRACE
+      volumes:
+        - name: mail-data
+          persistentVolumeClaim:
+            claimName: mail-data
+        - name: mail-state
+          persistentVolumeClaim:
+            claimName: mail-state
+        - name: mail-tls
+          secret:
+            secretName: mail-tls
+        - name: mail-credentials
+          secret:
+            secretName: mail-credentials
+        - name: mail-accounts-generated
+          emptyDir: {}
+---
+# SMTP LoadBalancer Service (external)
+apiVersion: v1
+kind: Service
+metadata:
+  name: mail-smtp
+  namespace: mail
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: 10.0.56.202
+spec:
+  type: LoadBalancer
+  selector:
+    app: mailserver
+  ports:
+    - port: 25
+      targetPort: 25
+      name: smtp
+      protocol: TCP
+    - port: 465
+      targetPort: 465
+      name: smtps
+      protocol: TCP
+    - port: 587
+      targetPort: 587
+      name: submission
+      protocol: TCP
+---
+# IMAP ClusterIP Service (internal)
+apiVersion: v1
+kind: Service
+metadata:
+  name: mail-imap
+  namespace: mail
+spec:
+  selector:
+    app: mailserver
+  ports:
+    - port: 143
+      targetPort: 143
+      name: imap
+    - port: 993
+      targetPort: 993
+      name: imaps
+---
+# TLS Certificate via cert-manager
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mail-tls
+  namespace: mail
+spec:
+  secretName: mail-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - mail.iamworkin.lan
+---
+# Traefik IngressRoute - Webmail placeholder
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mail-webmail
+  namespace: mail
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`mail.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: mail-imap
+          port: 993
+  tls:
+    secretName: mail-tls
+---
+# Public IngressRoute - Webmail (flowercore.io with Cloudflare origin cert)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mail-webmail-public
+  namespace: mail
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`webmail.flowercore.io`)
+      kind: Rule
+      services:
+        - name: mail-webmail
+          port: 8080
+  tls:
+    secretName: cf-origin-flowercore-io
diff --git a/apps/matrix/matrix.yaml b/apps/matrix/matrix.yaml
index e1db09a..8adba06 100644
--- a/apps/matrix/matrix.yaml
+++ b/apps/matrix/matrix.yaml
@@ -1,495 +1,495 @@
-# Matrix Synapse + Element Web
-# PostgreSQL 16 + Synapse homeserver + Element Web client
-# ArgoCD managed - BlueJay Lab
-# DB credentials sourced from 1Password via OnePasswordItem CRD (matrix-credentials)
-# Synapse homeserver.yaml DB password injected at runtime via init container
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: matrix
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# Synapse homeserver.yaml template ConfigMap
-# DB password placeholder __DB_PASSWORD__ is replaced at pod startup by init container
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: synapse-config
-  namespace: matrix
-data:
-  homeserver.yaml.template: |
-    server_name: "iamworkin.lan"
-    pid_file: /data/homeserver.pid
-    public_baseurl: "https://matrix.iamworkin.lan/"
-    listeners:
-      - port: 8008
-        tls: false
-        type: http
-        x_forwarded: true
-        bind_addresses: ["0.0.0.0"]
-        resources:
-          - names: [client, federation]
-            compress: false
-    database:
-      name: psycopg2
-      args:
-        user: __DB_USER__
-        password: __DB_PASSWORD__
-        database: synapse
-        host: matrix-postgres
-        port: 5432
-        cp_min: 5
-        cp_max: 10
-    log_config: "/config/log.config"
-    media_store_path: /data/media_store
-    registration_shared_secret: "a208f2e4b260f6b7d6ff4566df49c56c8b73fa20b911ce4e617b791ee7868adc"
-    report_stats: false
-    macaroon_secret_key: "9964f398e8b48a91469ad419d293c06db4562f49df8cc6e129fb3a801fd9052d"
-    form_secret: "7b0a9dbaf9ee94450e0b3271c408dfc4d313a55843ce4eec2ac1bb0315ffeb76"
-    signing_key_path: "/data/signing.key"
-    trusted_key_servers:
-      - server_name: "matrix.org"
-    enable_registration: false
-    suppress_key_server_warning: true
-  log.config: |
-    version: 1
-    formatters:
-      precise:
-        format: "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s"
-    handlers:
-      console:
-        class: logging.StreamHandler
-        formatter: precise
-    loggers:
-      synapse.storage.SQL:
-        level: WARNING
-    root:
-      level: WARNING
-      handlers: [console]
-    disable_existing_loggers: false
----
-# PostgreSQL 16 StatefulSet
-# Credentials from 1Password-synced matrix-credentials secret
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: matrix-postgres
-  namespace: matrix
-  labels:
-    app: matrix-postgres
-spec:
-  serviceName: matrix-postgres
-  replicas: 1
-  selector:
-    matchLabels:
-      app: matrix-postgres
-  template:
-    metadata:
-      labels:
-        app: matrix-postgres
-    spec:
-      containers:
-        - name: postgres
-          image: postgres:16-alpine
-          ports:
-            - containerPort: 5432
-              name: postgres
-          env:
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  name: matrix-credentials
-                  key: DB-User
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: matrix-credentials
-                  key: DB-Password
-            - name: POSTGRES_DB
-              value: synapse
-            - name: POSTGRES_INITDB_ARGS
-              value: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
-          volumeMounts:
-            - name: matrix-postgres-data
-              mountPath: /var/lib/postgresql/data
-              subPath: pgdata
-          resources:
-            requests:
-              memory: 256Mi
-              cpu: 100m
-            limits:
-              memory: 1Gi
-              cpu: 500m
-          livenessProbe:
-            exec:
-              command: ["pg_isready", "-U", "synapse"]
-            initialDelaySeconds: 30
-            periodSeconds: 10
-          readinessProbe:
-            exec:
-              command: ["pg_isready", "-U", "synapse"]
-            initialDelaySeconds: 5
-            periodSeconds: 5
-  volumeClaimTemplates:
-    - metadata:
-        name: matrix-postgres-data
-      spec:
-        accessModes: [ReadWriteOnce]
-        resources:
-          requests:
-            storage: 5Gi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: matrix-postgres
-  namespace: matrix
-spec:
-  selector:
-    app: matrix-postgres
-  ports:
-    - port: 5432
-      targetPort: 5432
-      name: postgres
-  clusterIP: None
----
-# Synapse Data PVC
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: synapse-data
-  namespace: matrix
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: 2Gi
----
-# Synapse Deployment
-# Init container injects DB credentials from 1Password secret into homeserver.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: synapse
-  namespace: matrix
-  labels:
-    app: synapse
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: synapse
-  template:
-    metadata:
-      labels:
-        app: synapse
-    spec:
-      initContainers:
-        - name: generate-signing-key
-          image: matrixdotorg/synapse:latest
-          securityContext:
-            runAsUser: 0
-          command: ["sh", "-c"]
-          args:
-            - |
-              if [ \! -f /data/signing.key ]; then
-                python -m synapse.app.homeserver --generate-keys --config-path /config-template/homeserver.yaml.template 2>/dev/null || true
-                # If key generation fails with template, create a minimal config for key gen
-                if [ \! -f /data/signing.key ]; then
-                  echo server_name: iamworkin.lan > /tmp/minimal.yaml
-                  echo signing_key_path: /data/signing.key >> /tmp/minimal.yaml
-                  python -c "from signedjson.key import generate_signing_key, write_signing_keys; import sys; key = generate_signing_key(a_auto); write_signing_keys(open(/data/signing.key,w), [key])" 2>/dev/null || true
-                fi
-              fi
-              chown 991:991 /data/signing.key 2>/dev/null || true
-              chmod 644 /data/signing.key 2>/dev/null || true
-              mkdir -p /data/media_store
-              chown -R 991:991 /data 2>/dev/null || true
-          volumeMounts:
-            - name: synapse-data
-              mountPath: /data
-            - name: synapse-config-template
-              mountPath: /config-template
-        - name: inject-credentials
-          image: busybox:latest
-          command: ["sh", "-c"]
-          args:
-            - |
-              # Copy template and substitute DB credentials from 1Password secret
-              cp /config-template/log.config /config/log.config
-              sed -e "s/__DB_PASSWORD__/${DB_PASSWORD}/g" \
-                  -e "s/__DB_USER__/${DB_USER}/g" \
-                  /config-template/homeserver.yaml.template > /config/homeserver.yaml
-              echo "Credentials injected into homeserver.yaml"
-          env:
-            - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: matrix-credentials
-                  key: DB-Password
-            - name: DB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: matrix-credentials
-                  key: DB-User
-          volumeMounts:
-            - name: synapse-config-template
-              mountPath: /config-template
-            - name: synapse-config-rendered
-              mountPath: /config
-      containers:
-        - name: synapse
-          image: matrixdotorg/synapse:latest
-          ports:
-            - containerPort: 8008
-              name: http
-          env:
-            - name: SYNAPSE_CONFIG_DIR
-              value: /config
-            - name: SYNAPSE_CONFIG_PATH
-              value: /config/homeserver.yaml
-          volumeMounts:
-            - name: synapse-data
-              mountPath: /data
-            - name: synapse-config-rendered
-              mountPath: /config
-          resources:
-            requests:
-              memory: 512Mi
-              cpu: 200m
-            limits:
-              memory: 2Gi
-              cpu: "1"
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: 8008
-            initialDelaySeconds: 60
-            periodSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /health
-              port: 8008
-            initialDelaySeconds: 30
-            periodSeconds: 5
-      volumes:
-        - name: synapse-data
-          persistentVolumeClaim:
-            claimName: synapse-data
-        - name: synapse-config-template
-          configMap:
-            name: synapse-config
-        - name: synapse-config-rendered
-          emptyDir: {}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: synapse
-  namespace: matrix
-spec:
-  selector:
-    app: synapse
-  ports:
-    - port: 8008
-      targetPort: 8008
-      name: http
----
-# Element Web ConfigMap
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: element-web-config
-  namespace: matrix
-data:
-  config.json: |
-    {
-      "default_server_config": {
-        "m.homeserver": {
-          "base_url": "https://matrix.iamworkin.lan",
-          "server_name": "iamworkin.lan"
-        }
-      },
-      "brand": "BlueJay Chat",
-      "disable_guests": true,
-      "disable_3pid_login": true
-    }
----
-# Element Web Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: element-web
-  namespace: matrix
-  labels:
-    app: element-web
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: element-web
-  template:
-    metadata:
-      labels:
-        app: element-web
-    spec:
-      enableServiceLinks: false
-      containers:
-        - name: element-web
-          image: vectorim/element-web:latest
-          ports:
-            - containerPort: 80
-              name: http
-          volumeMounts:
-            - name: element-config
-              mountPath: /app/config.json
-              subPath: config.json
-          resources:
-            requests:
-              memory: 32Mi
-              cpu: 10m
-            limits:
-              memory: 128Mi
-              cpu: 100m
-          livenessProbe:
-            httpGet:
-              path: /
-              port: 80
-            initialDelaySeconds: 10
-            periodSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 80
-            initialDelaySeconds: 5
-            periodSeconds: 5
-      volumes:
-        - name: element-config
-          configMap:
-            name: element-web-config
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: element-web
-  namespace: matrix
-spec:
-  selector:
-    app: element-web
-  ports:
-    - port: 80
-      targetPort: 80
-      name: http
----
-# TLS Certificates via cert-manager
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: matrix-tls
-  namespace: matrix
-spec:
-  secretName: matrix-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - matrix.iamworkin.lan
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: element-tls
-  namespace: matrix
-spec:
-  secretName: element-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - element.iamworkin.lan
----
-# Traefik IngressRoute - Synapse
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: synapse
-  namespace: matrix
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`matrix.iamworkin.lan`)
-      kind: Rule
-      services:
-        - name: synapse
-          port: 8008
-  tls:
-    secretName: matrix-tls
----
-# Traefik IngressRoute - Element Web
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: element-web
-  namespace: matrix
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`element.iamworkin.lan`)
-      kind: Rule
-      services:
-        - name: element-web
-          port: 80
-  tls:
-    secretName: element-tls
----
-# 1Password secret sync — creates matrix-credentials K8s Secret
-# Fields: DB-User, DB-Password, Registration-Secret, username, password, URL
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: matrix-credentials
-  namespace: matrix
-spec:
-  itemPath: vaults/IAmWorkin/items/Matrix Synapse
----
-# Public IngressRoute - Element Web (flowercore.io with Cloudflare origin cert)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: element-public
-  namespace: matrix
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`element.flowercore.io`)
-      kind: Rule
-      services:
-        - name: element-web
-          port: 80
-  tls:
-    secretName: cf-origin-flowercore-io
----
-# Public IngressRoute - Synapse (flowercore.io with Cloudflare origin cert)
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: synapse-public
-  namespace: matrix
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`matrix.flowercore.io`)
-      kind: Rule
-      services:
-        - name: synapse
-          port: 8008
-  tls:
-    secretName: cf-origin-flowercore-io
+# Matrix Synapse + Element Web
+# PostgreSQL 16 + Synapse homeserver + Element Web client
+# ArgoCD managed - BlueJay Lab
+# DB credentials sourced from 1Password via OnePasswordItem CRD (matrix-credentials)
+# Synapse homeserver.yaml DB password injected at runtime via init container
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: matrix
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# Synapse homeserver.yaml template ConfigMap
+# DB password placeholder __DB_PASSWORD__ is replaced at pod startup by init container
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: synapse-config
+  namespace: matrix
+data:
+  homeserver.yaml.template: |
+    server_name: "iamworkin.lan"
+    pid_file: /data/homeserver.pid
+    public_baseurl: "https://matrix.iamworkin.lan/"
+    listeners:
+      - port: 8008
+        tls: false
+        type: http
+        x_forwarded: true
+        bind_addresses: ["0.0.0.0"]
+        resources:
+          - names: [client, federation]
+            compress: false
+    database:
+      name: psycopg2
+      args:
+        user: __DB_USER__
+        password: __DB_PASSWORD__
+        database: synapse
+        host: matrix-postgres
+        port: 5432
+        cp_min: 5
+        cp_max: 10
+    log_config: "/config/log.config"
+    media_store_path: /data/media_store
+    registration_shared_secret: "a208f2e4b260f6b7d6ff4566df49c56c8b73fa20b911ce4e617b791ee7868adc"
+    report_stats: false
+    macaroon_secret_key: "9964f398e8b48a91469ad419d293c06db4562f49df8cc6e129fb3a801fd9052d"
+    form_secret: "7b0a9dbaf9ee94450e0b3271c408dfc4d313a55843ce4eec2ac1bb0315ffeb76"
+    signing_key_path: "/data/signing.key"
+    trusted_key_servers:
+      - server_name: "matrix.org"
+    enable_registration: false
+    suppress_key_server_warning: true
+  log.config: |
+    version: 1
+    formatters:
+      precise:
+        format: "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s"
+    handlers:
+      console:
+        class: logging.StreamHandler
+        formatter: precise
+    loggers:
+      synapse.storage.SQL:
+        level: WARNING
+    root:
+      level: WARNING
+      handlers: [console]
+    disable_existing_loggers: false
+---
+# PostgreSQL 16 StatefulSet
+# Credentials from 1Password-synced matrix-credentials secret
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: matrix-postgres
+  namespace: matrix
+  labels:
+    app: matrix-postgres
+spec:
+  serviceName: matrix-postgres
+  replicas: 1
+  selector:
+    matchLabels:
+      app: matrix-postgres
+  template:
+    metadata:
+      labels:
+        app: matrix-postgres
+    spec:
+      containers:
+        - name: postgres
+          image: postgres:16-alpine
+          ports:
+            - containerPort: 5432
+              name: postgres
+          env:
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-User
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-Password
+            - name: POSTGRES_DB
+              value: synapse
+            - name: POSTGRES_INITDB_ARGS
+              value: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
+          volumeMounts:
+            - name: matrix-postgres-data
+              mountPath: /var/lib/postgresql/data
+              subPath: pgdata
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 1Gi
+              cpu: 500m
+          livenessProbe:
+            exec:
+              command: ["pg_isready", "-U", "synapse"]
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command: ["pg_isready", "-U", "synapse"]
+            initialDelaySeconds: 5
+            periodSeconds: 5
+  volumeClaimTemplates:
+    - metadata:
+        name: matrix-postgres-data
+      spec:
+        accessModes: [ReadWriteOnce]
+        resources:
+          requests:
+            storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-postgres
+  namespace: matrix
+spec:
+  selector:
+    app: matrix-postgres
+  ports:
+    - port: 5432
+      targetPort: 5432
+      name: postgres
+  clusterIP: None
+---
+# Synapse Data PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: synapse-data
+  namespace: matrix
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 2Gi
+---
+# Synapse Deployment
+# Init container injects DB credentials from 1Password secret into homeserver.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: synapse
+  namespace: matrix
+  labels:
+    app: synapse
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: synapse
+  template:
+    metadata:
+      labels:
+        app: synapse
+    spec:
+      initContainers:
+        - name: generate-signing-key
+          image: matrixdotorg/synapse:latest
+          securityContext:
+            runAsUser: 0
+          command: ["sh", "-c"]
+          args:
+            - |
+              if [ \! -f /data/signing.key ]; then
+                python -m synapse.app.homeserver --generate-keys --config-path /config-template/homeserver.yaml.template 2>/dev/null || true
+                # If key generation fails with template, create a minimal config for key gen
+                if [ \! -f /data/signing.key ]; then
+                  echo server_name: iamworkin.lan > /tmp/minimal.yaml
+                  echo signing_key_path: /data/signing.key >> /tmp/minimal.yaml
+                  python -c "from signedjson.key import generate_signing_key, write_signing_keys; import sys; key = generate_signing_key(a_auto); write_signing_keys(open(/data/signing.key,w), [key])" 2>/dev/null || true
+                fi
+              fi
+              chown 991:991 /data/signing.key 2>/dev/null || true
+              chmod 644 /data/signing.key 2>/dev/null || true
+              mkdir -p /data/media_store
+              chown -R 991:991 /data 2>/dev/null || true
+          volumeMounts:
+            - name: synapse-data
+              mountPath: /data
+            - name: synapse-config-template
+              mountPath: /config-template
+        - name: inject-credentials
+          image: busybox:latest
+          command: ["sh", "-c"]
+          args:
+            - |
+              # Copy template and substitute DB credentials from 1Password secret
+              cp /config-template/log.config /config/log.config
+              sed -e "s/__DB_PASSWORD__/${DB_PASSWORD}/g" \
+                  -e "s/__DB_USER__/${DB_USER}/g" \
+                  /config-template/homeserver.yaml.template > /config/homeserver.yaml
+              echo "Credentials injected into homeserver.yaml"
+          env:
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-Password
+            - name: DB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-User
+          volumeMounts:
+            - name: synapse-config-template
+              mountPath: /config-template
+            - name: synapse-config-rendered
+              mountPath: /config
+      containers:
+        - name: synapse
+          image: matrixdotorg/synapse:latest
+          ports:
+            - containerPort: 8008
+              name: http
+          env:
+            - name: SYNAPSE_CONFIG_DIR
+              value: /config
+            - name: SYNAPSE_CONFIG_PATH
+              value: /config/homeserver.yaml
+          volumeMounts:
+            - name: synapse-data
+              mountPath: /data
+            - name: synapse-config-rendered
+              mountPath: /config
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 200m
+            limits:
+              memory: 2Gi
+              cpu: "1"
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8008
+            initialDelaySeconds: 60
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8008
+            initialDelaySeconds: 30
+            periodSeconds: 5
+      volumes:
+        - name: synapse-data
+          persistentVolumeClaim:
+            claimName: synapse-data
+        - name: synapse-config-template
+          configMap:
+            name: synapse-config
+        - name: synapse-config-rendered
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: synapse
+  namespace: matrix
+spec:
+  selector:
+    app: synapse
+  ports:
+    - port: 8008
+      targetPort: 8008
+      name: http
+---
+# Element Web ConfigMap
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: element-web-config
+  namespace: matrix
+data:
+  config.json: |
+    {
+      "default_server_config": {
+        "m.homeserver": {
+          "base_url": "https://matrix.iamworkin.lan",
+          "server_name": "iamworkin.lan"
+        }
+      },
+      "brand": "BlueJay Chat",
+      "disable_guests": true,
+      "disable_3pid_login": true
+    }
+---
+# Element Web Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: element-web
+  namespace: matrix
+  labels:
+    app: element-web
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: element-web
+  template:
+    metadata:
+      labels:
+        app: element-web
+    spec:
+      enableServiceLinks: false
+      containers:
+        - name: element-web
+          image: vectorim/element-web:latest
+          ports:
+            - containerPort: 80
+              name: http
+          volumeMounts:
+            - name: element-config
+              mountPath: /app/config.json
+              subPath: config.json
+          resources:
+            requests:
+              memory: 32Mi
+              cpu: 10m
+            limits:
+              memory: 128Mi
+              cpu: 100m
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 80
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 5
+      volumes:
+        - name: element-config
+          configMap:
+            name: element-web-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: element-web
+  namespace: matrix
+spec:
+  selector:
+    app: element-web
+  ports:
+    - port: 80
+      targetPort: 80
+      name: http
+---
+# TLS Certificates via cert-manager
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: matrix-tls
+  namespace: matrix
+spec:
+  secretName: matrix-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - matrix.iamworkin.lan
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: element-tls
+  namespace: matrix
+spec:
+  secretName: element-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - element.iamworkin.lan
+---
+# Traefik IngressRoute - Synapse
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: synapse
+  namespace: matrix
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`matrix.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: synapse
+          port: 8008
+  tls:
+    secretName: matrix-tls
+---
+# Traefik IngressRoute - Element Web
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: element-web
+  namespace: matrix
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`element.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: element-web
+          port: 80
+  tls:
+    secretName: element-tls
+---
+# 1Password secret sync — creates matrix-credentials K8s Secret
+# Fields: DB-User, DB-Password, Registration-Secret, username, password, URL
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: matrix-credentials
+  namespace: matrix
+spec:
+  itemPath: vaults/IAmWorkin/items/Matrix Synapse
+---
+# Public IngressRoute - Element Web (flowercore.io with Cloudflare origin cert)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: element-public
+  namespace: matrix
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`element.flowercore.io`)
+      kind: Rule
+      services:
+        - name: element-web
+          port: 80
+  tls:
+    secretName: cf-origin-flowercore-io
+---
+# Public IngressRoute - Synapse (flowercore.io with Cloudflare origin cert)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: synapse-public
+  namespace: matrix
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`matrix.flowercore.io`)
+      kind: Rule
+      services:
+        - name: synapse
+          port: 8008
+  tls:
+    secretName: cf-origin-flowercore-io
diff --git a/apps/noc-services/noc-services.yaml b/apps/noc-services/noc-services.yaml
index 8788880..0743be1 100644
--- a/apps/noc-services/noc-services.yaml
+++ b/apps/noc-services/noc-services.yaml
@@ -1,257 +1,257 @@
-# NOC Services - Traefik IngressRoutes for noc1 services
-# Proxies internal .iamworkin.lan hostnames to noc1 (10.0.56.10) via
-# headless Service + manual Endpoints (standard K8s external proxy pattern)
-# ArgoCD managed - BlueJay Lab
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: noc-proxy
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# ============================================================
-# BasicAuth - shared across all NOC proxy IngressRoutes
-# ============================================================
-apiVersion: v1
-kind: Secret
-metadata:
-  name: noc-proxy-auth
-  namespace: noc-proxy
-type: Opaque
-data:
-  users: YWRtaW46JDJiJDEwJEZjdlVFNWNpNkxvNi5rZ1k5L3hJV2V5M2tvM3VVY1U5YXJaSlQ4N29ZREtCSi5lNkoucXJD
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: noc-proxy-auth
-  namespace: noc-proxy
-spec:
-  basicAuth:
-    secret: noc-proxy-auth
----
-# ============================================================
-# Grafana - noc1:3000
-# ============================================================
-apiVersion: v1
-kind: Service
-metadata:
-  name: grafana-external
-  namespace: noc-proxy
-spec:
-  ports:
-    - port: 3000
-      targetPort: 3000
-      name: http
-  clusterIP: None
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: grafana-external
-  namespace: noc-proxy
-subsets:
-  - addresses:
-      - ip: 10.0.56.10
-    ports:
-      - port: 3000
-        name: http
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: grafana-tls
-  namespace: noc-proxy
-spec:
-  secretName: grafana-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - grafana.iamworkin.lan
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: grafana
-  namespace: noc-proxy
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`grafana.iamworkin.lan`)
-      middlewares:
-        - name: noc-proxy-auth
-      services:
-        - name: grafana-external
-          port: 3000
-  tls:
-    secretName: grafana-tls
----
-# ============================================================
-# Prometheus - noc1:9091
-# ============================================================
-apiVersion: v1
-kind: Service
-metadata:
-  name: prometheus-external
-  namespace: noc-proxy
-spec:
-  ports:
-    - port: 9091
-      targetPort: 9091
-      name: http
-  clusterIP: None
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: prometheus-external
-  namespace: noc-proxy
-subsets:
-  - addresses:
-      - ip: 10.0.56.10
-    ports:
-      - port: 9091
-        name: http
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: prometheus-tls
-  namespace: noc-proxy
-spec:
-  secretName: prometheus-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - prometheus.iamworkin.lan
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: prometheus
-  namespace: noc-proxy
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`prometheus.iamworkin.lan`)
-      middlewares:
-        - name: noc-proxy-auth
-      services:
-        - name: prometheus-external
-          port: 9091
-  tls:
-    secretName: prometheus-tls
----
-# ============================================================
-# Cockpit - noc1:9090
-# ============================================================
-apiVersion: v1
-kind: Service
-metadata:
-  name: cockpit-external
-  namespace: noc-proxy
-spec:
-  ports:
-    - port: 9090
-      targetPort: 9090
-      name: https
-  clusterIP: None
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: cockpit-external
-  namespace: noc-proxy
-subsets:
-  - addresses:
-      - ip: 10.0.56.10
-    ports:
-      - port: 9090
-        name: https
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: cockpit-tls
-  namespace: noc-proxy
-spec:
-  secretName: cockpit-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - cockpit.iamworkin.lan
----
-# Cockpit uses self-signed HTTPS on 9090, so we need a ServersTransport
-# to skip backend TLS verification
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: cockpit-transport
-  namespace: noc-proxy
-spec:
-  insecureSkipVerify: true
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: cockpit
-  namespace: noc-proxy
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`cockpit.iamworkin.lan`)
-      middlewares:
-        - name: noc-proxy-auth
-      services:
-        - name: cockpit-external
-          port: 9090
-          serversTransport: cockpit-transport
-  tls:
-    secretName: cockpit-tls
----
-# NetworkPolicy: allow Traefik ingress, allow egress to noc1
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: noc-proxy-netpol
-  namespace: noc-proxy
-spec:
-  podSelector: {}
-  policyTypes:
-    - Ingress
-    - Egress
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: traefik-system
-  egress:
-    - to:
-        - ipBlock:
-            cidr: 10.0.56.10/32
-      ports:
-        - port: 3000
-          protocol: TCP
-        - port: 9090
-          protocol: TCP
-        - port: 9091
-          protocol: TCP
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
+# NOC Services - Traefik IngressRoutes for noc1 services
+# Proxies internal .iamworkin.lan hostnames to noc1 (10.0.56.10) via
+# headless Service + manual Endpoints (standard K8s external proxy pattern)
+# ArgoCD managed - BlueJay Lab
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: noc-proxy
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# ============================================================
+# BasicAuth - shared across all NOC proxy IngressRoutes
+# ============================================================
+apiVersion: v1
+kind: Secret
+metadata:
+  name: noc-proxy-auth
+  namespace: noc-proxy
+type: Opaque
+data:
+  users: YWRtaW46JDJiJDEwJEZjdlVFNWNpNkxvNi5rZ1k5L3hJV2V5M2tvM3VVY1U5YXJaSlQ4N29ZREtCSi5lNkoucXJD
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: noc-proxy-auth
+  namespace: noc-proxy
+spec:
+  basicAuth:
+    secret: noc-proxy-auth
+---
+# ============================================================
+# Grafana - noc1:3000
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana-external
+  namespace: noc-proxy
+spec:
+  ports:
+    - port: 3000
+      targetPort: 3000
+      name: http
+  clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: grafana-external
+  namespace: noc-proxy
+subsets:
+  - addresses:
+      - ip: 10.0.56.10
+    ports:
+      - port: 3000
+        name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+  namespace: noc-proxy
+spec:
+  secretName: grafana-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - grafana.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana
+  namespace: noc-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`grafana.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
+      services:
+        - name: grafana-external
+          port: 3000
+  tls:
+    secretName: grafana-tls
+---
+# ============================================================
+# Prometheus - noc1:9091
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: prometheus-external
+  namespace: noc-proxy
+spec:
+  ports:
+    - port: 9091
+      targetPort: 9091
+      name: http
+  clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: prometheus-external
+  namespace: noc-proxy
+subsets:
+  - addresses:
+      - ip: 10.0.56.10
+    ports:
+      - port: 9091
+        name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: prometheus-tls
+  namespace: noc-proxy
+spec:
+  secretName: prometheus-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - prometheus.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: prometheus
+  namespace: noc-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`prometheus.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
+      services:
+        - name: prometheus-external
+          port: 9091
+  tls:
+    secretName: prometheus-tls
+---
+# ============================================================
+# Cockpit - noc1:9090
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: cockpit-external
+  namespace: noc-proxy
+spec:
+  ports:
+    - port: 9090
+      targetPort: 9090
+      name: https
+  clusterIP: None
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: cockpit-external
+  namespace: noc-proxy
+subsets:
+  - addresses:
+      - ip: 10.0.56.10
+    ports:
+      - port: 9090
+        name: https
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cockpit-tls
+  namespace: noc-proxy
+spec:
+  secretName: cockpit-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - cockpit.iamworkin.lan
+---
+# Cockpit uses self-signed HTTPS on 9090, so we need a ServersTransport
+# to skip backend TLS verification
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: cockpit-transport
+  namespace: noc-proxy
+spec:
+  insecureSkipVerify: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: cockpit
+  namespace: noc-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`cockpit.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
+      services:
+        - name: cockpit-external
+          port: 9090
+          serversTransport: cockpit-transport
+  tls:
+    secretName: cockpit-tls
+---
+# NetworkPolicy: allow Traefik ingress, allow egress to noc1
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: noc-proxy-netpol
+  namespace: noc-proxy
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 10.0.56.10/32
+      ports:
+        - port: 3000
+          protocol: TCP
+        - port: 9090
+          protocol: TCP
+        - port: 9091
+          protocol: TCP
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
diff --git a/apps/teamspeak/teamspeak.yaml b/apps/teamspeak/teamspeak.yaml
index cfeec85..a773fdc 100644
--- a/apps/teamspeak/teamspeak.yaml
+++ b/apps/teamspeak/teamspeak.yaml
@@ -1,145 +1,145 @@
-# TeamSpeak 3 Server
-# ArgoCD managed - BlueJay Lab
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: teamspeak
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# 1Password secret sync - TeamSpeak credentials
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: teamspeak-credentials
-  namespace: teamspeak
-spec:
-  itemPath: "vaults/IAmWorkin/items/TeamSpeak 3"
----
-# TeamSpeak data PVC
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: teamspeak-data
-  namespace: teamspeak
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: 1Gi
----
-# TeamSpeak license key
-apiVersion: v1
-kind: Secret
-metadata:
-  name: teamspeak-license
-  namespace: teamspeak
-type: Opaque
-data:
-  licensekey.dat: Y29tcGFueSBuYW1lIDogQW5kcmV3IFN0b2x0egphZGRyZXNzICAgICAgOiA2NjI1IDE2Mm5kIHQKemlwY29kZSAgICAgIDogNTUwNjgKY2l0eSAgICAgICAgIDogTGFrZXZpbGxlCmNvdW50cnkgICAgICA6IFVuaXRlZCBTdGF0ZXMgb2YgQW1lcmljYQpwaG9uZSAgICAgICAgOiA5NTI5OTk2NDExCmZheCAgICAgICAgICA6IApzYWxlcyBjb250YWN0OiBBbmRyZXcgU3RvbHR6IChhc3RvbHR6QGlhbXdvcmsuaW4pCnRlY2ggY29udGFjdCA6IEFuZHJldyBTdG9sdHogKGFzdG9sdHpAaWFtd29yay5pbikKCnRzIHZlcnNpb24gICA6IDMKdHlwZSAgICAgICAgIDogQWN0aXZhdGlvbiBMaWNlbnNlCnN0YXJ0IGRhdGUgICA6IFN1biBNYXIgIDggMDA6MDA6MDAgMjAyNgplbmQgZGF0ZSAgICAgOiBNb24gTWFyICA4IDAwOjAwOjAwIDIwMjcKbWF4LiB2aXJ0dWFsIHNlcnZlcnM6IDEKbWF4LiBzbG90cyAgIDogMzIKZGVzY3JpcHRpb24gIDogVGVhbVNwZWFrIDMgQUwKCgo9PWtleTI9PQpDb0VDQ3NnQkFRQ3ZiSEZUUURZL3RlclBlaWxycC9FQ1U5eENINVUzeEM5MmxZVE5hWS8wS1FBSkZ1ZUFhemJzZ0FBQUFDVlVaV0Z0VTNCbFlXc2dVM2x6ZEdWdGN5QkhiV0pJQUFCTnozMW0vRVdKU2w4QjFtcjJ2anZvdjRIL2s2UE9KVGJLb2NzVnoxRTNCUUFZd1c3S1B0R0k4QUFBQUNSVVpXRnRVM0JsWVdzZ2MzbHpkR1Z0Y3lCSGJXSklBQUFXSlVXQkErRjQzTERsMzFxS0NpOWw4WWdpQmhyOXlIWW1rbTFvWVVTMlhnSVl5cFVBR3F2SWdBWUFBQUFBUVc1a2NtVjNJRk4wYjJ4MGVnQVNJTmp2OStDVDQwTTUvQWdlY0lLcW1Gb2hyZnAzd3dSbGVSL25Ia3kvdHRKcEdDQWdBU29PVkdWaGJWTndaV0ZySURNZ1FVd1N0UUVCQUs5c2NWTkFOaisxNnM5NktXdW44UUpUM0VJZmxUZkVMM2FWaE0xcGovUXBBQWtXNTRCck51eUFBQUFBSlZSbFlXMVRjR1ZoYXlCVGVYTjBaVzF6SUVkdFlrZ0FBRTNQZldiOFJZbEtYd0hXYXZhK08raS9nZitUbzg0bE5zcWh5eFhQVVRjRkFCakJic28rMFlqd0FBQUFKRlJsWVcxVGNHVmhheUJ6ZVhOMFpXMXpJRWR0WWtnQUFGTTFQT2YxY0VzclhjckFtMU9wS1RnN2cyaHlVNlROY093TFVJaXJpbnc4QlJqQmJzbyswWWp3R2tBRFpWRFRLVndEQTdqYWVFK0pqRFQ1WUFJc1hScWxpdlpTeTR1aUJSYlB0RUZ3d0VnVXR2RHg4TEJaQ29zOEhPTDI0bllBalZ0UFRCdHJnRWF0NHVBSgo9PWtleTI9PQoKPT1rZXk9PQpWRk16VEdsalpXNXpaV1l3WkFJd1JCL1VCTWQ0MnRnQmg4TkY0dnN4K2lsTmpFZHQzazdxbXZPamRYZUVtUWFjQ0J5S0tnelZ4T2MwMDlYanIrU09BakFjR2oxV1ZwTGpiNGxGYk1DaEpsU1FXZW5zYTJhNmJXK2JoN2lCdzF1Zk5WaXFnTk41YThpN1VFS29sNmhsSmExVFViQkVpTng2T1NjbHBBOENhNDhjVk5zS050N0wvandDaVhuZFBkV3BuUW5CdUlYeXFLUXkxM2ZsNDJWUWo0Rk90V2kzTHRoYkNpODlWWEQwYXRpNTNjQlRTWHN4QXdMUndzZFBqeWFobmFsNStXaiswUFdYOE4ySlEzMFZmalFQVnAyMFk2dmc0K29lcm1vV291QUc5RDFjQzRrQVJoQnlVRmU5VnUvM2VBTVRiNUlHbnllY1k0QUF0RjJmdTR1aG5NYUFYQ3Q3UWNHN1JSVEFLQnNjSVhyVlVLM1NnS3ZLR1p6T2RGeU0=
----
-# TeamSpeak 3 Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: teamspeak
-  namespace: teamspeak
-  labels:
-    app: teamspeak
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: teamspeak
-  template:
-    metadata:
-      labels:
-        app: teamspeak
-    spec:
-      initContainers:
-        - name: copy-license
-          image: busybox:latest
-          command: ['sh', '-c', 'cp /license/licensekey.dat /data/licensekey.dat']
-          volumeMounts:
-            - name: teamspeak-data
-              mountPath: /data
-            - name: license
-              mountPath: /license
-              readOnly: true
-      containers:
-        - name: teamspeak
-          image: teamspeak:latest
-          ports:
-            - containerPort: 9987
-              name: voice
-              protocol: UDP
-            - containerPort: 30033
-              name: filetransfer
-              protocol: TCP
-            - containerPort: 10011
-              name: serverquery
-              protocol: TCP
-          env:
-            - name: TS3SERVER_LICENSE
-              value: accept
-            - name: TS3SERVER_SERVERADMIN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: teamspeak-credentials
-                  key: ServerQuery-Password
-          volumeMounts:
-            - name: teamspeak-data
-              mountPath: /var/ts3server
-          resources:
-            requests:
-              memory: 128Mi
-              cpu: 50m
-            limits:
-              memory: 512Mi
-              cpu: 500m
-          readinessProbe:
-            tcpSocket:
-              port: 10011
-            initialDelaySeconds: 30
-            periodSeconds: 10
-          livenessProbe:
-            tcpSocket:
-              port: 10011
-            initialDelaySeconds: 60
-            periodSeconds: 15
-      volumes:
-        - name: teamspeak-data
-          persistentVolumeClaim:
-            claimName: teamspeak-data
-        - name: license
-          secret:
-            secretName: teamspeak-license
----
-# TeamSpeak LoadBalancer Service
-apiVersion: v1
-kind: Service
-metadata:
-  name: teamspeak
-  namespace: teamspeak
-  annotations:
-    metallb.universe.tf/loadBalancerIPs: 10.0.56.205
-spec:
-  type: LoadBalancer
-  selector:
-    app: teamspeak
-  ports:
-    - port: 9987
-      targetPort: 9987
-      name: voice
-      protocol: UDP
-    - port: 30033
-      targetPort: 30033
-      name: filetransfer
-      protocol: TCP
-    - port: 10011
-      targetPort: 10011
-      name: serverquery
-      protocol: TCP
+# TeamSpeak 3 Server
+# ArgoCD managed - BlueJay Lab
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: teamspeak
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# 1Password secret sync - TeamSpeak credentials
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: teamspeak-credentials
+  namespace: teamspeak
+spec:
+  itemPath: "vaults/IAmWorkin/items/TeamSpeak 3"
+---
+# TeamSpeak data PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: teamspeak-data
+  namespace: teamspeak
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 1Gi
+---
+# TeamSpeak license key
+apiVersion: v1
+kind: Secret
+metadata:
+  name: teamspeak-license
+  namespace: teamspeak
+type: Opaque
+data:
+  licensekey.dat: Y29tcGFueSBuYW1lIDogQW5kcmV3IFN0b2x0egphZGRyZXNzICAgICAgOiA2NjI1IDE2Mm5kIHQKemlwY29kZSAgICAgIDogNTUwNjgKY2l0eSAgICAgICAgIDogTGFrZXZpbGxlCmNvdW50cnkgICAgICA6IFVuaXRlZCBTdGF0ZXMgb2YgQW1lcmljYQpwaG9uZSAgICAgICAgOiA5NTI5OTk2NDExCmZheCAgICAgICAgICA6IApzYWxlcyBjb250YWN0OiBBbmRyZXcgU3RvbHR6IChhc3RvbHR6QGlhbXdvcmsuaW4pCnRlY2ggY29udGFjdCA6IEFuZHJldyBTdG9sdHogKGFzdG9sdHpAaWFtd29yay5pbikKCnRzIHZlcnNpb24gICA6IDMKdHlwZSAgICAgICAgIDogQWN0aXZhdGlvbiBMaWNlbnNlCnN0YXJ0IGRhdGUgICA6IFN1biBNYXIgIDggMDA6MDA6MDAgMjAyNgplbmQgZGF0ZSAgICAgOiBNb24gTWFyICA4IDAwOjAwOjAwIDIwMjcKbWF4LiB2aXJ0dWFsIHNlcnZlcnM6IDEKbWF4LiBzbG90cyAgIDogMzIKZGVzY3JpcHRpb24gIDogVGVhbVNwZWFrIDMgQUwKCgo9PWtleTI9PQpDb0VDQ3NnQkFRQ3ZiSEZUUURZL3RlclBlaWxycC9FQ1U5eENINVUzeEM5MmxZVE5hWS8wS1FBSkZ1ZUFhemJzZ0FBQUFDVlVaV0Z0VTNCbFlXc2dVM2x6ZEdWdGN5QkhiV0pJQUFCTnozMW0vRVdKU2w4QjFtcjJ2anZvdjRIL2s2UE9KVGJLb2NzVnoxRTNCUUFZd1c3S1B0R0k4QUFBQUNSVVpXRnRVM0JsWVdzZ2MzbHpkR1Z0Y3lCSGJXSklBQUFXSlVXQkErRjQzTERsMzFxS0NpOWw4WWdpQmhyOXlIWW1rbTFvWVVTMlhnSVl5cFVBR3F2SWdBWUFBQUFBUVc1a2NtVjNJRk4wYjJ4MGVnQVNJTmp2OStDVDQwTTUvQWdlY0lLcW1Gb2hyZnAzd3dSbGVSL25Ia3kvdHRKcEdDQWdBU29PVkdWaGJWTndaV0ZySURNZ1FVd1N0UUVCQUs5c2NWTkFOaisxNnM5NktXdW44UUpUM0VJZmxUZkVMM2FWaE0xcGovUXBBQWtXNTRCck51eUFBQUFBSlZSbFlXMVRjR1ZoYXlCVGVYTjBaVzF6SUVkdFlrZ0FBRTNQZldiOFJZbEtYd0hXYXZhK08raS9nZitUbzg0bE5zcWh5eFhQVVRjRkFCakJic28rMFlqd0FBQUFKRlJsWVcxVGNHVmhheUJ6ZVhOMFpXMXpJRWR0WWtnQUFGTTFQT2YxY0VzclhjckFtMU9wS1RnN2cyaHlVNlROY093TFVJaXJpbnc4QlJqQmJzbyswWWp3R2tBRFpWRFRLVndEQTdqYWVFK0pqRFQ1WUFJc1hScWxpdlpTeTR1aUJSYlB0RUZ3d0VnVXR2RHg4TEJaQ29zOEhPTDI0bllBalZ0UFRCdHJnRWF0NHVBSgo9PWtleTI9PQoKPT1rZXk9PQpWRk16VEdsalpXNXpaV1l3WkFJd1JCL1VCTWQ0MnRnQmg4TkY0dnN4K2lsTmpFZHQzazdxbXZPamRYZUVtUWFjQ0J5S0tnelZ4T2MwMDlYanIrU09BakFjR2oxV1ZwTGpiNGxGYk1DaEpsU1FXZW5zYTJhNmJXK2JoN2lCdzF1Zk5WaXFnTk41YThpN1VFS29sNmhsSmExVFViQkVpTng2T1NjbHBBOENhNDhjVk5zS050N0wvandDaVhuZFBkV3BuUW5CdUlYeXFLUXkxM2ZsNDJWUWo0Rk90V2kzTHRoYkNpODlWWEQwYXRpNTNjQlRTWHN4QXdMUndzZFBqeWFobmFsNStXaiswUFdYOE4ySlEzMFZmalFQVnAyMFk2dmc0K29lcm1vV291QUc5RDFjQzRrQVJoQnlVRmU5VnUvM2VBTVRiNUlHbnllY1k0QUF0RjJmdTR1aG5NYUFYQ3Q3UWNHN1JSVEFLQnNjSVhyVlVLM1NnS3ZLR1p6T2RGeU0=
+---
+# TeamSpeak 3 Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: teamspeak
+  namespace: teamspeak
+  labels:
+    app: teamspeak
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: teamspeak
+  template:
+    metadata:
+      labels:
+        app: teamspeak
+    spec:
+      initContainers:
+        - name: copy-license
+          image: busybox:latest
+          command: ['sh', '-c', 'cp /license/licensekey.dat /data/licensekey.dat']
+          volumeMounts:
+            - name: teamspeak-data
+              mountPath: /data
+            - name: license
+              mountPath: /license
+              readOnly: true
+      containers:
+        - name: teamspeak
+          image: teamspeak:latest
+          ports:
+            - containerPort: 9987
+              name: voice
+              protocol: UDP
+            - containerPort: 30033
+              name: filetransfer
+              protocol: TCP
+            - containerPort: 10011
+              name: serverquery
+              protocol: TCP
+          env:
+            - name: TS3SERVER_LICENSE
+              value: accept
+            - name: TS3SERVER_SERVERADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: teamspeak-credentials
+                  key: ServerQuery-Password
+          volumeMounts:
+            - name: teamspeak-data
+              mountPath: /var/ts3server
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 50m
+            limits:
+              memory: 512Mi
+              cpu: 500m
+          readinessProbe:
+            tcpSocket:
+              port: 10011
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: 10011
+            initialDelaySeconds: 60
+            periodSeconds: 15
+      volumes:
+        - name: teamspeak-data
+          persistentVolumeClaim:
+            claimName: teamspeak-data
+        - name: license
+          secret:
+            secretName: teamspeak-license
+---
+# TeamSpeak LoadBalancer Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: teamspeak
+  namespace: teamspeak
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: 10.0.56.205
+spec:
+  type: LoadBalancer
+  selector:
+    app: teamspeak
+  ports:
+    - port: 9987
+      targetPort: 9987
+      name: voice
+      protocol: UDP
+    - port: 30033
+      targetPort: 30033
+      name: filetransfer
+      protocol: TCP
+    - port: 10011
+      targetPort: 10011
+      name: serverquery
+      protocol: TCP
diff --git a/apps/voice/voice.yaml b/apps/voice/voice.yaml
index 1041542..5bbf22b 100644
--- a/apps/voice/voice.yaml
+++ b/apps/voice/voice.yaml
@@ -1,127 +1,127 @@
-# Twilio Voice Bridge - Traefik ingress to edge1
-# ArgoCD managed - BlueJay Lab
-# Routes voice.bluejay.dev (TwiML) and voice-ws.bluejay.dev (WebSocket)
-# to edge1 Pi5 at 10.0.57.15 (PROD VLAN)
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: voice
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# Cloudflare origin cert for *.bluejay.dev
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cf-origin-bluejay-dev
-  namespace: voice
-type: kubernetes.io/tls
-data:
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVvakNDQTRxZ0F3SUJBZ0lVTkxnemZ4UVRzMElyWWRaZUZKUGN5TjRyNmFjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZc3hDekFKQmdOVkJBWVRBbFZUTVJrd0Z3WURWUVFLRXhCRGJHOTFaRVpzWVhKbExDQkpibU11TVRRdwpNZ1lEVlFRTEV5dERiRzkxWkVac1lYSmxJRTl5YVdkcGJpQlRVMHdnUTJWeWRHbG1hV05oZEdVZ1FYVjBhRzl5CmFYUjVNUll3RkFZRFZRUUhFdzFUWVc0Z1JuSmhibU5wYzJOdk1STXdFUVlEVlFRSUV3cERZV3hwWm05eWJtbGgKTUI0WERUSTJNRE14TURBMU1USXdNRm9YRFRReE1ETXdOakExTVRJd01Gb3dZakVaTUJjR0ExVUVDaE1RUTJ4dgpkV1JHYkdGeVpTd2dTVzVqTGpFZE1Cc0dBMVVFQ3hNVVEyeHZkV1JHYkdGeVpTQlBjbWxuYVc0Z1EwRXhKakFrCkJnTlZCQU1USFVOc2IzVmtSbXhoY21VZ1QzSnBaMmx1SUVObGNuUnBabWxqWVhSbE1JSUJJakFOQmdrcWhraUcKOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXlPODBJQ3dPV0RWTEpQNm9RenI3aXVENmtWMGNWZ01VbUx5VApKVnVYUlhZSEY3M2ZrM2pPbytCQVE1M2pmbERHUFVYc0UvNlV6VDRoUDVYTlVLaUNXaitvYy84eE1BSWsxcWwrClZnbFI1MDBUQ0FtZDliazNZVkxiZjBSejVMMUQ0WGJmOEVzamhOUVV2Z3Y0dTZoQzdnRmdrVGplc1dIZjg0K04KNERETDdmTjFQZHR4RVBiVWZrbGN1MUZSdXdlMk9QNkFEMlJvdkphNWZwODRHcVY2TDAzdjY2RjFtMnBST1VmRwpFdWpRNG4zSms2cUx5NHZTTENzOGJlOGRBRW5QcDgyZ2NRZk9mUVlIS2JTUWhiQnMwK01vK3lkTHpHSzFRdklRCnVPcDZRT1BtM0lac09Eb0VCdG5kMTh2amx6Y1JSdE94cjNzaFovdmNWY0o0YUJNZDVRSURBUUFCbzRJQkpEQ0MKQVNBd0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjRApBVEFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCVHgyYmFCUGlvWjZUd2U3THhnaTViUS82cUFkakFmCkJnTlZIU01FR0RBV2dCUWs2Rk5YWFh3MFFJZXA2NVRidXVFV2VQd3BwREJBQmdnckJnRUZCUWNCQVFRME1ESXcKTUFZSUt3WUJCUVVITUFHR0pHaDBkSEE2THk5dlkzTndMbU5zYjNWa1pteGhjbVV1WTI5dEwyOXlhV2RwYmw5agpZVEFsQmdOVkhSRUVIakFjZ2cwcUxtSnNkV1ZxWVhrdVpHVjJnZ3RpYkhWbGFtRjVMbVJsZGpBNEJnTlZIUjhFCk1UQXZNQzJnSzZBcGhpZG9kSFJ3T2k4dlkzSnNMbU5zYjNWa1pteGhjbVV1WTI5dEwyOXlhV2RwYmw5allTNWoKY213d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDS0ZVRXhYbFB5KzlPRytJc1VWN1NXS09Udkk0b2JrUkd6bwpOckhudWZ3dGtxa0dzUGErUU5LbUk1UVNaYTVMS1YybWZJdWsrNE12U1FvZklmbUFUb1JEWEdQK041aWxEbWRSCk5rS2ttSUpZL242UzM3MGdZN0JQMjFwNjJKUnZkVUU5ZmV5RU1iMUdNbGNINjN6MUQxMzZZOWlvQ1FnYWNFZVUKOFZSVWFPZkJvby9sVzlYbXA1ZDZzcTBic2tybUhRN1ZSTjUxZCtsL0RvY2lkU2xZcHQxbXljSUN3c1F4U0dpMApYN1pMTXhHdCtDVG9jcFRFbkdrQ2t0NnhrKzVJUElXaHYvVnZuTnlQNUwxM0ZRN1d4QzFsaUIwcVdKMkEwcWpoCkR2cmxPNUpsclNWWEtNc0hwSWRFN3pJZ29JUUc2cnU1N1V4UjJyeko0d0VrSXcrd1ZyMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRREk3elFnTEE1WU5Vc2sKL3FoRE92dUs0UHFSWFJ4V0F4U1l2Sk1sVzVkRmRnY1h2ZCtUZU02ajRFQkRuZU4rVU1ZOVJld1QvcFROUGlFLwpsYzFRcUlKYVA2aHovekV3QWlUV3FYNVdDVkhuVFJNSUNaMzF1VGRoVXR0L1JIUGt2VVBoZHQvd1N5T0UxQlMrCkMvaTdxRUx1QVdDUk9ONnhZZC96ajQzZ01NdnQ4M1U5MjNFUTl0UitTVnk3VVZHN0I3WTQvb0FQWkdpOGxybCsKbnpnYXBYb3ZUZS9yb1hXYmFsRTVSOFlTNk5EaWZjbVRxb3ZMaTlJc0t6eHQ3eDBBU2MrbnphQnhCODU5QmdjcAp0SkNGc0d6VDR5ajdKMHZNWXJWQzhoQzQ2bnBBNCtiY2htdzRPZ1FHMmQzWHkrT1hOeEZHMDdHdmV5Rm4rOXhWCnduaG9FeDNsQWdNQkFBRUNnZ0VBRFpWeU9peVFTYkZNbzdNZGovSDRXR0t1UGM2RUlHSno3WUZ1Rnl2eWRZMHQKbkpMRy94Sy9NWC96Q0Q4dnhuWFNlUWoxbFVKMEw4M2Y5SXI5aHRMbGdSRmxvM1hnanVUT05iN2VuaFZpTnBkVQp6b25MNW5VL2c3SlV5VzFJd25GekdkWnQvREl3TkFZY1l0NnZVWXhsL2U0VTU2eG5EYW5XdUlIL2J1VU5uRWZtCjZNcnlIblhseDA0TzZzOElLSCtXNUxDam1ma1Jac0VveE9Damt6T2hucmdCTk4xSWxWSWhhMDhLOXBxRk5qM0wKaWd4MVNYZDhqaHNZUHJxaDNkak0rVUNKSitKMURuMjhaUmoyZUtqWDMvZmFDbGFpOEFzUVBtQTJScjZYZ3kzeApaR090dzRPL2Nxb1hnOUFDU05NanRNK3VtaXM3QzNncWp6VUZ4MWwvNFFLQmdRRFNvSGVDY1dXSUJQV3grR01hCnBSMENHejQ0eDNPRUhnNWYza2RvK3BDK0I3RnYxREV5bktqUUY4VFBYaWJXVGZVL1pBRG5DVmIvU1Z2L1QyNnkKT2NlaW44UGRqdXkraE05ZUxjWXU4QVZiK0VKOHFMUUsrZE5QZm1nYXZJMWR2V3U2Tm8wSTNSSzZWUkpiQXEyWgpLcjdsVEloMjdZMDRMajlaaUIxU01YZ0J0UUtCZ1FEME9EbEVCNHRHa1l2dTVLMkFoaDBmdnlIaUVoUTd5dWUzCmZXdG1VYnRxV0ZlM1R5UG9JTWJWMTM3MkNIdlh6MFNEMXRwYzJxa3hxN3c4d1BYM3RJZGk5NWxMbVMzZm8zWFoKdTNTYVo4enozTlAwR3JXK1Y0c3hHb1VnbWgwL2lzOXJoaWxXZGF5bU5SWEQ5U0MyUU5IdTU5NDY2UjFkczNnbgpiZlJlUkw4SmNRS0JnREptVjNLTk0rQmlYM0Jnb1VaRThEWUswczYvV3pMb0JrU0dhY3dDK1JPZnY2T2t3TWo5Cmw1K0RzSUoyWXhDd3d0aVNVMnoxWFMzbEhmQnZ6MnN5VEVUcnVmQ1FQTEl5RVhUVnV6Q01HcHd4UWFlV3JzNVoKaldqZU5JY0JTMHA5QXdRaC9ZbDdiUG5OVllFVm1QaW5zOW9tZ0JrRkt0K2dvV1FKSUFzRTcxUnBBb0dCQUxNSgphTW43c2RuNUo1bnA0VnhBZGFkcGFvQ2VlbURmUG9KaEd0UTNCT3RRZW5Xek9nS1p6TXJHSVpoaTNjOTNicVlzClk0Y0E4bHFzcU9IdElDVUpIdHVwNHFMdVdCZ0VjSWcvaVpzTWo4OFRTL3MvZlk5ZUJIZnFGa0N4V3RIVGhINHkKSzZucnVMZGNZV2w0RWhRcWJ2enkxUk5oQkp0Rno4Y3dMNTdRVFRDeEFvR0FjZFFkbzk3bzZmS0dQa3kvREpnNApoTGlLbHVkTjF3bmJaTHFVM0UwNzBwVDhJQkx3TFNpTUNpYXRXWWtScHFpdUQyMSsya1p4SE1NdnNoZWJXQmFmCmVqWU9jcHVvQ3VWdWc1K1dlbmc0cmUxSTl2c2czUE5WYkdrNW1xNmZDbndsbGFnMkEvSVBVRFFOaUpCVGM1WUQKc25udzhVTjNBTFBMSTlPVVd1eXJUckk9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
----
-# Service (no selector) pointing to external edge1
-apiVersion: v1
-kind: Service
-metadata:
-  name: voice-bridge
-  namespace: voice
-spec:
-  ports:
-    - name: twiml
-      port: 8766
-      targetPort: 8766
-      protocol: TCP
-    - name: websocket
-      port: 8765
-      targetPort: 8765
-      protocol: TCP
----
-# Manual Endpoints for edge1 (outside K8s)
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: voice-bridge
-  namespace: voice
-subsets:
-  - addresses:
-      - ip: 10.0.57.15
-    ports:
-      - name: twiml
-        port: 8766
-        protocol: TCP
-      - name: websocket
-        port: 8765
-        protocol: TCP
----
-# TwiML webhook: voice.bluejay.dev -> edge1:8766
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: voice-twiml
-  namespace: voice
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`voice.bluejay.dev`)
-      services:
-        - name: voice-bridge
-          port: 8766
-  tls:
-    secretName: cf-origin-bluejay-dev
----
-# WebSocket media stream: voice-ws.bluejay.dev -> edge1:8765
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: voice-ws
-  namespace: voice
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`voice-ws.bluejay.dev`)
-      services:
-        - name: voice-bridge
-          port: 8765
-  tls:
-    secretName: cf-origin-bluejay-dev
----
-# NetworkPolicy: allow Traefik ingress only
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: voice-netpol
-  namespace: voice
-spec:
-  podSelector: {}
-  policyTypes:
-    - Ingress
-    - Egress
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: traefik-system
-  egress:
-    - to:
-        - ipBlock:
-            cidr: 10.0.57.15/32
-      ports:
-        - port: 8765
-          protocol: TCP
-        - port: 8766
-          protocol: TCP
-    - to:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: kube-system
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
+# Twilio Voice Bridge - Traefik ingress to edge1
+# ArgoCD managed - BlueJay Lab
+# Routes voice.bluejay.dev (TwiML) and voice-ws.bluejay.dev (WebSocket)
+# to edge1 Pi5 at 10.0.57.15 (PROD VLAN)
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: voice
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# Cloudflare origin cert for *.bluejay.dev
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cf-origin-bluejay-dev
+  namespace: voice
+type: kubernetes.io/tls
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVvakNDQTRxZ0F3SUJBZ0lVTkxnemZ4UVRzMElyWWRaZUZKUGN5TjRyNmFjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZc3hDekFKQmdOVkJBWVRBbFZUTVJrd0Z3WURWUVFLRXhCRGJHOTFaRVpzWVhKbExDQkpibU11TVRRdwpNZ1lEVlFRTEV5dERiRzkxWkVac1lYSmxJRTl5YVdkcGJpQlRVMHdnUTJWeWRHbG1hV05oZEdVZ1FYVjBhRzl5CmFYUjVNUll3RkFZRFZRUUhFdzFUWVc0Z1JuSmhibU5wYzJOdk1STXdFUVlEVlFRSUV3cERZV3hwWm05eWJtbGgKTUI0WERUSTJNRE14TURBMU1USXdNRm9YRFRReE1ETXdOakExTVRJd01Gb3dZakVaTUJjR0ExVUVDaE1RUTJ4dgpkV1JHYkdGeVpTd2dTVzVqTGpFZE1Cc0dBMVVFQ3hNVVEyeHZkV1JHYkdGeVpTQlBjbWxuYVc0Z1EwRXhKakFrCkJnTlZCQU1USFVOc2IzVmtSbXhoY21VZ1QzSnBaMmx1SUVObGNuUnBabWxqWVhSbE1JSUJJakFOQmdrcWhraUcKOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXlPODBJQ3dPV0RWTEpQNm9RenI3aXVENmtWMGNWZ01VbUx5VApKVnVYUlhZSEY3M2ZrM2pPbytCQVE1M2pmbERHUFVYc0UvNlV6VDRoUDVYTlVLaUNXaitvYy84eE1BSWsxcWwrClZnbFI1MDBUQ0FtZDliazNZVkxiZjBSejVMMUQ0WGJmOEVzamhOUVV2Z3Y0dTZoQzdnRmdrVGplc1dIZjg0K04KNERETDdmTjFQZHR4RVBiVWZrbGN1MUZSdXdlMk9QNkFEMlJvdkphNWZwODRHcVY2TDAzdjY2RjFtMnBST1VmRwpFdWpRNG4zSms2cUx5NHZTTENzOGJlOGRBRW5QcDgyZ2NRZk9mUVlIS2JTUWhiQnMwK01vK3lkTHpHSzFRdklRCnVPcDZRT1BtM0lac09Eb0VCdG5kMTh2amx6Y1JSdE94cjNzaFovdmNWY0o0YUJNZDVRSURBUUFCbzRJQkpEQ0MKQVNBd0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjRApBVEFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCVHgyYmFCUGlvWjZUd2U3THhnaTViUS82cUFkakFmCkJnTlZIU01FR0RBV2dCUWs2Rk5YWFh3MFFJZXA2NVRidXVFV2VQd3BwREJBQmdnckJnRUZCUWNCQVFRME1ESXcKTUFZSUt3WUJCUVVITUFHR0pHaDBkSEE2THk5dlkzTndMbU5zYjNWa1pteGhjbVV1WTI5dEwyOXlhV2RwYmw5agpZVEFsQmdOVkhSRUVIakFjZ2cwcUxtSnNkV1ZxWVhrdVpHVjJnZ3RpYkhWbGFtRjVMbVJsZGpBNEJnTlZIUjhFCk1UQXZNQzJnSzZBcGhpZG9kSFJ3T2k4dlkzSnNMbU5zYjNWa1pteGhjbVV1WTI5dEwyOXlhV2RwYmw5allTNWoKY213d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDS0ZVRXhYbFB5KzlPRytJc1VWN1NXS09Udkk0b2JrUkd6bwpOckhudWZ3dGtxa0dzUGErUU5LbUk1UVNaYTVMS1YybWZJdWsrNE12U1FvZklmbUFUb1JEWEdQK041aWxEbWRSCk5rS2ttSUpZL242UzM3MGdZN0JQMjFwNjJKUnZkVUU5ZmV5RU1iMUdNbGNINjN6MUQxMzZZOWlvQ1FnYWNFZVUKOFZSVWFPZkJvby9sVzlYbXA1ZDZzcTBic2tybUhRN1ZSTjUxZCtsL0RvY2lkU2xZcHQxbXljSUN3c1F4U0dpMApYN1pMTXhHdCtDVG9jcFRFbkdrQ2t0NnhrKzVJUElXaHYvVnZuTnlQNUwxM0ZRN1d4QzFsaUIwcVdKMkEwcWpoCkR2cmxPNUpsclNWWEtNc0hwSWRFN3pJZ29JUUc2cnU1N1V4UjJyeko0d0VrSXcrd1ZyMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRREk3elFnTEE1WU5Vc2sKL3FoRE92dUs0UHFSWFJ4V0F4U1l2Sk1sVzVkRmRnY1h2ZCtUZU02ajRFQkRuZU4rVU1ZOVJld1QvcFROUGlFLwpsYzFRcUlKYVA2aHovekV3QWlUV3FYNVdDVkhuVFJNSUNaMzF1VGRoVXR0L1JIUGt2VVBoZHQvd1N5T0UxQlMrCkMvaTdxRUx1QVdDUk9ONnhZZC96ajQzZ01NdnQ4M1U5MjNFUTl0UitTVnk3VVZHN0I3WTQvb0FQWkdpOGxybCsKbnpnYXBYb3ZUZS9yb1hXYmFsRTVSOFlTNk5EaWZjbVRxb3ZMaTlJc0t6eHQ3eDBBU2MrbnphQnhCODU5QmdjcAp0SkNGc0d6VDR5ajdKMHZNWXJWQzhoQzQ2bnBBNCtiY2htdzRPZ1FHMmQzWHkrT1hOeEZHMDdHdmV5Rm4rOXhWCnduaG9FeDNsQWdNQkFBRUNnZ0VBRFpWeU9peVFTYkZNbzdNZGovSDRXR0t1UGM2RUlHSno3WUZ1Rnl2eWRZMHQKbkpMRy94Sy9NWC96Q0Q4dnhuWFNlUWoxbFVKMEw4M2Y5SXI5aHRMbGdSRmxvM1hnanVUT05iN2VuaFZpTnBkVQp6b25MNW5VL2c3SlV5VzFJd25GekdkWnQvREl3TkFZY1l0NnZVWXhsL2U0VTU2eG5EYW5XdUlIL2J1VU5uRWZtCjZNcnlIblhseDA0TzZzOElLSCtXNUxDam1ma1Jac0VveE9Damt6T2hucmdCTk4xSWxWSWhhMDhLOXBxRk5qM0wKaWd4MVNYZDhqaHNZUHJxaDNkak0rVUNKSitKMURuMjhaUmoyZUtqWDMvZmFDbGFpOEFzUVBtQTJScjZYZ3kzeApaR090dzRPL2Nxb1hnOUFDU05NanRNK3VtaXM3QzNncWp6VUZ4MWwvNFFLQmdRRFNvSGVDY1dXSUJQV3grR01hCnBSMENHejQ0eDNPRUhnNWYza2RvK3BDK0I3RnYxREV5bktqUUY4VFBYaWJXVGZVL1pBRG5DVmIvU1Z2L1QyNnkKT2NlaW44UGRqdXkraE05ZUxjWXU4QVZiK0VKOHFMUUsrZE5QZm1nYXZJMWR2V3U2Tm8wSTNSSzZWUkpiQXEyWgpLcjdsVEloMjdZMDRMajlaaUIxU01YZ0J0UUtCZ1FEME9EbEVCNHRHa1l2dTVLMkFoaDBmdnlIaUVoUTd5dWUzCmZXdG1VYnRxV0ZlM1R5UG9JTWJWMTM3MkNIdlh6MFNEMXRwYzJxa3hxN3c4d1BYM3RJZGk5NWxMbVMzZm8zWFoKdTNTYVo4enozTlAwR3JXK1Y0c3hHb1VnbWgwL2lzOXJoaWxXZGF5bU5SWEQ5U0MyUU5IdTU5NDY2UjFkczNnbgpiZlJlUkw4SmNRS0JnREptVjNLTk0rQmlYM0Jnb1VaRThEWUswczYvV3pMb0JrU0dhY3dDK1JPZnY2T2t3TWo5Cmw1K0RzSUoyWXhDd3d0aVNVMnoxWFMzbEhmQnZ6MnN5VEVUcnVmQ1FQTEl5RVhUVnV6Q01HcHd4UWFlV3JzNVoKaldqZU5JY0JTMHA5QXdRaC9ZbDdiUG5OVllFVm1QaW5zOW9tZ0JrRkt0K2dvV1FKSUFzRTcxUnBBb0dCQUxNSgphTW43c2RuNUo1bnA0VnhBZGFkcGFvQ2VlbURmUG9KaEd0UTNCT3RRZW5Xek9nS1p6TXJHSVpoaTNjOTNicVlzClk0Y0E4bHFzcU9IdElDVUpIdHVwNHFMdVdCZ0VjSWcvaVpzTWo4OFRTL3MvZlk5ZUJIZnFGa0N4V3RIVGhINHkKSzZucnVMZGNZV2w0RWhRcWJ2enkxUk5oQkp0Rno4Y3dMNTdRVFRDeEFvR0FjZFFkbzk3bzZmS0dQa3kvREpnNApoTGlLbHVkTjF3bmJaTHFVM0UwNzBwVDhJQkx3TFNpTUNpYXRXWWtScHFpdUQyMSsya1p4SE1NdnNoZWJXQmFmCmVqWU9jcHVvQ3VWdWc1K1dlbmc0cmUxSTl2c2czUE5WYkdrNW1xNmZDbndsbGFnMkEvSVBVRFFOaUpCVGM1WUQKc25udzhVTjNBTFBMSTlPVVd1eXJUckk9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+---
+# Service (no selector) pointing to external edge1
+apiVersion: v1
+kind: Service
+metadata:
+  name: voice-bridge
+  namespace: voice
+spec:
+  ports:
+    - name: twiml
+      port: 8766
+      targetPort: 8766
+      protocol: TCP
+    - name: websocket
+      port: 8765
+      targetPort: 8765
+      protocol: TCP
+---
+# Manual Endpoints for edge1 (outside K8s)
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: voice-bridge
+  namespace: voice
+subsets:
+  - addresses:
+      - ip: 10.0.57.15
+    ports:
+      - name: twiml
+        port: 8766
+        protocol: TCP
+      - name: websocket
+        port: 8765
+        protocol: TCP
+---
+# TwiML webhook: voice.bluejay.dev -> edge1:8766
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: voice-twiml
+  namespace: voice
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`voice.bluejay.dev`)
+      services:
+        - name: voice-bridge
+          port: 8766
+  tls:
+    secretName: cf-origin-bluejay-dev
+---
+# WebSocket media stream: voice-ws.bluejay.dev -> edge1:8765
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: voice-ws
+  namespace: voice
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`voice-ws.bluejay.dev`)
+      services:
+        - name: voice-bridge
+          port: 8765
+  tls:
+    secretName: cf-origin-bluejay-dev
+---
+# NetworkPolicy: allow Traefik ingress only
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: voice-netpol
+  namespace: voice
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 10.0.57.15/32
+      ports:
+        - port: 8765
+          protocol: TCP
+        - port: 8766
+          protocol: TCP
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
diff --git a/apps/zabbix/zabbix.yaml b/apps/zabbix/zabbix.yaml
index 4a6053b..2503d7a 100644
--- a/apps/zabbix/zabbix.yaml
+++ b/apps/zabbix/zabbix.yaml
@@ -1,360 +1,360 @@
-# Zabbix 7.2 Monitoring Stack
-# PostgreSQL 16 + Zabbix Server + Zabbix Web (nginx)
-# ArgoCD managed - BlueJay Lab
-# Credentials sourced from 1Password via OnePasswordItem CRD (zabbix-credentials)
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: zabbix
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
----
-# PostgreSQL 16 StatefulSet
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: zabbix-postgres
-  namespace: zabbix
-  labels:
-    app: zabbix-postgres
-spec:
-  serviceName: zabbix-postgres
-  replicas: 1
-  selector:
-    matchLabels:
-      app: zabbix-postgres
-  template:
-    metadata:
-      labels:
-        app: zabbix-postgres
-    spec:
-      containers:
-        - name: postgres
-          image: postgres:16-alpine
-          args:
-            - "-c"
-            - "shared_buffers=256MB"
-            - "-c"
-            - "effective_cache_size=512MB"
-            - "-c"
-            - "work_mem=16MB"
-            - "-c"
-            - "maintenance_work_mem=128MB"
-            - "-c"
-            - "random_page_cost=1.1"
-            - "-c"
-            - "effective_io_concurrency=200"
-            - "-c"
-            - "max_connections=50"
-            - "-c"
-            - "checkpoint_completion_target=0.9"
-            - "-c"
-            - "wal_buffers=8MB"
-          ports:
-            - containerPort: 5432
-              name: postgres
-          env:
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  name: zabbix-credentials
-                  key: DB-User
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: zabbix-credentials
-                  key: DB-Password
-            - name: POSTGRES_DB
-              value: zabbix
-          volumeMounts:
-            - name: zabbix-postgres-data
-              mountPath: /var/lib/postgresql/data
-              subPath: pgdata
-          resources:
-            requests:
-              memory: 512Mi
-              cpu: 200m
-            limits:
-              memory: 1Gi
-              cpu: "1"
-          livenessProbe:
-            exec:
-              command:
-                - pg_isready
-                - -U
-                - zabbix
-            initialDelaySeconds: 30
-            periodSeconds: 10
-          readinessProbe:
-            exec:
-              command:
-                - pg_isready
-                - -U
-                - zabbix
-            initialDelaySeconds: 5
-            periodSeconds: 5
-  volumeClaimTemplates:
-    - metadata:
-        name: zabbix-postgres-data
-      spec:
-        accessModes: [ReadWriteOnce]
-        resources:
-          requests:
-            storage: 10Gi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: zabbix-postgres
-  namespace: zabbix
-spec:
-  selector:
-    app: zabbix-postgres
-  ports:
-    - port: 5432
-      targetPort: 5432
-      name: postgres
-  clusterIP: None
----
-# Zabbix Server
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: zabbix-server
-  namespace: zabbix
-  labels:
-    app: zabbix-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: zabbix-server
-  template:
-    metadata:
-      labels:
-        app: zabbix-server
-    spec:
-      containers:
-        - name: zabbix-server
-          image: zabbix/zabbix-server-pgsql:7.2-alpine-latest
-          ports:
-            - containerPort: 10051
-              name: trapper
-          env:
-            - name: DB_SERVER_HOST
-              value: zabbix-postgres
-            - name: DB_SERVER_PORT
-              value: "5432"
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  name: zabbix-credentials
-                  key: DB-User
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: zabbix-credentials
-                  key: DB-Password
-            - name: POSTGRES_DB
-              value: zabbix
-            - name: ZBX_CACHESIZE
-              value: "64M"
-            - name: ZBX_VALUECACHESIZE
-              value: "64M"
-            - name: ZBX_HISTORYCACHESIZE
-              value: "32M"
-            - name: ZBX_TRENDCACHESIZE
-              value: "8M"
-            - name: ZBX_STARTPOLLERS
-              value: "10"
-            - name: ZBX_STARTPOLLERSUNREACHABLE
-              value: "3"
-          resources:
-            requests:
-              memory: 256Mi
-              cpu: 100m
-            limits:
-              memory: 1Gi
-              cpu: "1"
-          livenessProbe:
-            tcpSocket:
-              port: 10051
-            initialDelaySeconds: 60
-            periodSeconds: 10
-          readinessProbe:
-            tcpSocket:
-              port: 10051
-            initialDelaySeconds: 30
-            periodSeconds: 5
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: zabbix-server
-  namespace: zabbix
-spec:
-  selector:
-    app: zabbix-server
-  ports:
-    - port: 10051
-      targetPort: 10051
-      name: trapper
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: zabbix-trapper
-  namespace: zabbix
-  annotations:
-    metallb.universe.tf/loadBalancerIPs: 10.0.56.203
-spec:
-  type: LoadBalancer
-  selector:
-    app: zabbix-server
-  ports:
-    - port: 10051
-      targetPort: 10051
-      name: trapper
-      protocol: TCP
----
-# Zabbix Web (nginx + PostgreSQL)
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: zabbix-web
-  namespace: zabbix
-  labels:
-    app: zabbix-web
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: zabbix-web
-  template:
-    metadata:
-      labels:
-        app: zabbix-web
-    spec:
-      containers:
-        - name: zabbix-web
-          image: zabbix/zabbix-web-nginx-pgsql:7.2-alpine-latest
-          ports:
-            - containerPort: 8080
-              name: http
-          env:
-            - name: ZBX_SERVER_HOST
-              value: zabbix-server
-            - name: ZBX_SERVER_NAME
-              value: "BlueJay NOC"
-            - name: PHP_TZ
-              value: America/Chicago
-            - name: DB_SERVER_HOST
-              value: zabbix-postgres
-            - name: DB_SERVER_PORT
-              value: "5432"
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  name: zabbix-credentials
-                  key: DB-User
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: zabbix-credentials
-                  key: DB-Password
-            - name: POSTGRES_DB
-              value: zabbix
-            - name: ZBX_ADMIN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: zabbix-credentials
-                  key: password
-            - name: ZBX_MEMORYLIMIT
-              value: "256M"
-            - name: PHP_FPM_PM_MAX_CHILDREN
-              value: "10"
-            - name: PHP_FPM_PM_START_SERVERS
-              value: "3"
-            - name: PHP_FPM_PM_MIN_SPARE_SERVERS
-              value: "2"
-            - name: PHP_FPM_PM_MAX_SPARE_SERVERS
-              value: "5"
-            - name: PHP_FPM_PM_MAX_REQUESTS
-              value: "500"
-          resources:
-            requests:
-              memory: 256Mi
-              cpu: 100m
-            limits:
-              memory: 768Mi
-              cpu: 500m
-          livenessProbe:
-            httpGet:
-              path: /
-              port: 8080
-            initialDelaySeconds: 60
-            timeoutSeconds: 5
-            periodSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 8080
-            initialDelaySeconds: 30
-            periodSeconds: 5
-            timeoutSeconds: 5
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: zabbix-web
-  namespace: zabbix
-spec:
-  selector:
-    app: zabbix-web
-  ports:
-    - port: 8080
-      targetPort: 8080
-      name: http
----
-# TLS Certificate via cert-manager
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: zabbix-tls
-  namespace: zabbix
-spec:
-  secretName: zabbix-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - zabbix.iamworkin.lan
----
-# Traefik IngressRoute
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: zabbix-web
-  namespace: zabbix
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`zabbix.iamworkin.lan`)
-      kind: Rule
-      services:
-        - name: zabbix-web
-          port: 8080
-  tls:
-    secretName: zabbix-tls
----
-# 1Password secret sync — creates zabbix-credentials K8s Secret
-# Fields: DB-User, DB-Password, username, password, URL
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: zabbix-credentials
-  namespace: zabbix
-spec:
-  itemPath: vaults/IAmWorkin/items/Zabbix Admin
+# Zabbix 7.2 Monitoring Stack
+# PostgreSQL 16 + Zabbix Server + Zabbix Web (nginx)
+# ArgoCD managed - BlueJay Lab
+# Credentials sourced from 1Password via OnePasswordItem CRD (zabbix-credentials)
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: zabbix
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# PostgreSQL 16 StatefulSet
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: zabbix-postgres
+  namespace: zabbix
+  labels:
+    app: zabbix-postgres
+spec:
+  serviceName: zabbix-postgres
+  replicas: 1
+  selector:
+    matchLabels:
+      app: zabbix-postgres
+  template:
+    metadata:
+      labels:
+        app: zabbix-postgres
+    spec:
+      containers:
+        - name: postgres
+          image: postgres:16-alpine
+          args:
+            - "-c"
+            - "shared_buffers=256MB"
+            - "-c"
+            - "effective_cache_size=512MB"
+            - "-c"
+            - "work_mem=16MB"
+            - "-c"
+            - "maintenance_work_mem=128MB"
+            - "-c"
+            - "random_page_cost=1.1"
+            - "-c"
+            - "effective_io_concurrency=200"
+            - "-c"
+            - "max_connections=50"
+            - "-c"
+            - "checkpoint_completion_target=0.9"
+            - "-c"
+            - "wal_buffers=8MB"
+          ports:
+            - containerPort: 5432
+              name: postgres
+          env:
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: zabbix-credentials
+                  key: DB-User
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: zabbix-credentials
+                  key: DB-Password
+            - name: POSTGRES_DB
+              value: zabbix
+          volumeMounts:
+            - name: zabbix-postgres-data
+              mountPath: /var/lib/postgresql/data
+              subPath: pgdata
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 200m
+            limits:
+              memory: 1Gi
+              cpu: "1"
+          livenessProbe:
+            exec:
+              command:
+                - pg_isready
+                - -U
+                - zabbix
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+                - pg_isready
+                - -U
+                - zabbix
+            initialDelaySeconds: 5
+            periodSeconds: 5
+  volumeClaimTemplates:
+    - metadata:
+        name: zabbix-postgres-data
+      spec:
+        accessModes: [ReadWriteOnce]
+        resources:
+          requests:
+            storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: zabbix-postgres
+  namespace: zabbix
+spec:
+  selector:
+    app: zabbix-postgres
+  ports:
+    - port: 5432
+      targetPort: 5432
+      name: postgres
+  clusterIP: None
+---
+# Zabbix Server
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: zabbix-server
+  namespace: zabbix
+  labels:
+    app: zabbix-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: zabbix-server
+  template:
+    metadata:
+      labels:
+        app: zabbix-server
+    spec:
+      containers:
+        - name: zabbix-server
+          image: zabbix/zabbix-server-pgsql:7.2-alpine-latest
+          ports:
+            - containerPort: 10051
+              name: trapper
+          env:
+            - name: DB_SERVER_HOST
+              value: zabbix-postgres
+            - name: DB_SERVER_PORT
+              value: "5432"
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: zabbix-credentials
+                  key: DB-User
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: zabbix-credentials
+                  key: DB-Password
+            - name: POSTGRES_DB
+              value: zabbix
+            - name: ZBX_CACHESIZE
+              value: "64M"
+            - name: ZBX_VALUECACHESIZE
+              value: "64M"
+            - name: ZBX_HISTORYCACHESIZE
+              value: "32M"
+            - name: ZBX_TRENDCACHESIZE
+              value: "8M"
+            - name: ZBX_STARTPOLLERS
+              value: "10"
+            - name: ZBX_STARTPOLLERSUNREACHABLE
+              value: "3"
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 1Gi
+              cpu: "1"
+          livenessProbe:
+            tcpSocket:
+              port: 10051
+            initialDelaySeconds: 60
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: 10051
+            initialDelaySeconds: 30
+            periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: zabbix-server
+  namespace: zabbix
+spec:
+  selector:
+    app: zabbix-server
+  ports:
+    - port: 10051
+      targetPort: 10051
+      name: trapper
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: zabbix-trapper
+  namespace: zabbix
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: 10.0.56.203
+spec:
+  type: LoadBalancer
+  selector:
+    app: zabbix-server
+  ports:
+    - port: 10051
+      targetPort: 10051
+      name: trapper
+      protocol: TCP
+---
+# Zabbix Web (nginx + PostgreSQL)
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: zabbix-web
+  namespace: zabbix
+  labels:
+    app: zabbix-web
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: zabbix-web
+  template:
+    metadata:
+      labels:
+        app: zabbix-web
+    spec:
+      containers:
+        - name: zabbix-web
+          image: zabbix/zabbix-web-nginx-pgsql:7.2-alpine-latest
+          ports:
+            - containerPort: 8080
+              name: http
+          env:
+            - name: ZBX_SERVER_HOST
+              value: zabbix-server
+            - name: ZBX_SERVER_NAME
+              value: "BlueJay NOC"
+            - name: PHP_TZ
+              value: America/Chicago
+            - name: DB_SERVER_HOST
+              value: zabbix-postgres
+            - name: DB_SERVER_PORT
+              value: "5432"
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: zabbix-credentials
+                  key: DB-User
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: zabbix-credentials
+                  key: DB-Password
+            - name: POSTGRES_DB
+              value: zabbix
+            - name: ZBX_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: zabbix-credentials
+                  key: password
+            - name: ZBX_MEMORYLIMIT
+              value: "256M"
+            - name: PHP_FPM_PM_MAX_CHILDREN
+              value: "10"
+            - name: PHP_FPM_PM_START_SERVERS
+              value: "3"
+            - name: PHP_FPM_PM_MIN_SPARE_SERVERS
+              value: "2"
+            - name: PHP_FPM_PM_MAX_SPARE_SERVERS
+              value: "5"
+            - name: PHP_FPM_PM_MAX_REQUESTS
+              value: "500"
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 768Mi
+              cpu: 500m
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8080
+            initialDelaySeconds: 60
+            timeoutSeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8080
+            initialDelaySeconds: 30
+            periodSeconds: 5
+            timeoutSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: zabbix-web
+  namespace: zabbix
+spec:
+  selector:
+    app: zabbix-web
+  ports:
+    - port: 8080
+      targetPort: 8080
+      name: http
+---
+# TLS Certificate via cert-manager
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: zabbix-tls
+  namespace: zabbix
+spec:
+  secretName: zabbix-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - zabbix.iamworkin.lan
+---
+# Traefik IngressRoute
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: zabbix-web
+  namespace: zabbix
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`zabbix.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: zabbix-web
+          port: 8080
+  tls:
+    secretName: zabbix-tls
+---
+# 1Password secret sync — creates zabbix-credentials K8s Secret
+# Fields: DB-User, DB-Password, username, password, URL
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: zabbix-credentials
+  namespace: zabbix
+spec:
+  itemPath: vaults/IAmWorkin/items/Zabbix Admin