Compare commits


No commits in common. "e90ad7b4df7770e4b6cbe1f60902ef1f7eebed89" and "6b3a5cd7c15d401e6ff60aa5e6c5a2883a4702f5" have entirely different histories.

9 changed files with 1 additions and 167 deletions

.gitattributes vendored
View File

@ -1,5 +1,4 @@
*.secret filter=git-crypt diff=git-crypt *.secret filter=git-crypt diff=git-crypt
*.secret.yaml filter=git-crypt diff=git-crypt *.secret.yaml filter=git-crypt diff=git-crypt
*.secret.values filter=git-crypt diff=git-crypt *.secret.values filter=git-crypt diff=git-crypt
*.secret.sh filter=git-crypt diff=git-crypt *.secret.sh filter=git-crypt diff=git-crypt
*.secret.conf filter=git-crypt diff=git-crypt
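Review bot: dropping the `*.secret.conf` line is risky even though the only file with that extension (`fritzbox-wireguard.secret.conf`, named in the FritzBox README removed further down in this comparison) goes away in the same change: git-crypt encrypts only paths matched by a filter attribute, so any file re-added later with that extension would be committed in plaintext with no warning. Keep the pattern, or replace the whole block with a catch-all such as `*.secret.* filter=git-crypt diff=git-crypt` so new `.secret.<ext>` variants are covered without editing this file each time.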

View File

@ -1,51 +0,0 @@
# FritzBox Wireguard Setup
This folder contains configuration and documentation for connecting your FritzBox router (home network) to the Kubernetes cluster via a Wireguard Site-to-Site VPN.
## 1. Prerequisites
- Your FritzBox must be running FRITZ!OS 7.50+ (Tested with 8.25).
- The Kubernetes Wireguard endpoint (`k8s/wireguard`) must be deployed and running on `vpn.haumdaucher.de`.
## 2. Connecting the FritzBox
The FritzBox will be configured to connect to the cluster via a "LAN-to-LAN" coupling. Since we prefer "infrastructure as code", we have pre-generated the exact configuration file. For FritzBox specifically, this requires a manual import step.
1. Locate the file `fritzbox-wireguard.secret.conf` in this directory.
2. Ensure you have unlocked `git-crypt` so you can read its decrypted contents.
3. Open your FritzBox Web Interface (usually `http://fritz.box`).
4. Navigate to **Internet > Permit Access > VPN (WireGuard)**.
5. Click on **Add Connection** (or "Verbindung hinzufügen").
6. Select **Connect networks or establish special connections** (Netzwerke koppeln oder spezielle Verbindungen herstellen).
7. Ask if it has been set up on the other side -> choose **Yes** (or choose to upload a config file directly).
8. Choose **Upload a configuration file** and select the decrypted `fritzbox-wireguard.secret.conf` file.
9. Finish the setup.
The FritzBox will immediately try to connect to `vpn.haumdaucher.de:51820`.
## 3. Verifying the Connection
### From the Kubernetes Side
Connect to your cluster and check the Wireguard pod logs:
```bash
# Get the pod name
kubectl get pods -n wireguard
# Execute into the pod to check connection status
kubectl exec -it <pod-name> -n wireguard -- wg show
```
You should see a peer connected and the `latest handshake` timestamp indicating a successful connection.
### Bidirectional Ping Test
1. **Cluster -> Home Network:**
Exec into any pod in your cluster (e.g., a toolbox or home-assistant pod) and ping a device on your local network:
```bash
ping 192.168.10.1 # Ping your FritzBox local IP
```
2. **Home Network -> Cluster:**
From your laptop at home, try to ping a known K8s Service IP (e.g., `10.233.0.1` for kubernetes default service, or a specific pod IP):
```bash
ping 10.233.0.1
```
## Backups
Any future manual configurations, firmware backups, or notes related to the FritzBox should be stored within this `fritzbox/` folder. Use `.secret` extensions for any files containing sensitive tokens or passwords.
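Review bot: nothing in this comparison records why the FritzBox coupling is being dropped or where its documentation moved, and this README was the only place describing the import procedure and the verification steps (`wg show` in the pod, bidirectional ping). If the setup is being decommissioned, the commit should state that the LAN-to-LAN connection was also deleted on the FritzBox side, otherwise the router keeps a configured peer pointed at `vpn.haumdaucher.de:51820` that no longer has a counterpart; if the setup merely moved, add a pointer to the new location.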

Binary file not shown.

View File

@ -1,48 +0,0 @@
# FritzBox OVH DynDNS (DynHost) Setup
This document describes how to configure your FritzBox to automatically update an OVH DynHost record.
Since you have already set up `dyndns.moritzgraf.de` as a DynHost in your OVH control panel, the remaining step is to configure the FritzBox to push IP updates to OVH.
## OVH DynHost Settings (Reference)
The credentials for the DynHost are securely stored in the encrypted `dyndns_ovh.secret.yaml` file located in this directory.
Ensure you have unlocked `git-crypt` to view the `username` and `password`.
*(Note: These are not your main OVH account credentials, but the specific credentials generated for the DynHost record!)*
## FritzBox Configuration Steps
1. Log into your FritzBox Web Interface (usually `http://fritz.box`).
2. Navigate to **Internet > Permit Access > DynDNS**.
3. Check the box **Use DynDNS** (DynDNS benutzen).
4. From the **Dynamic DNS provider** dropdown, select **User-defined** (Benutzerdefiniert).
5. Fill out the fields exactly as follows:
- **Update URL**:
```text
https://www.ovh.com/nic/update?system=dyndns&hostname=<domain>&myip=<ipaddr>
```
*(Make sure to copy exactly as written. The FritzBox will automatically replace `<domain>` and `<ipaddr>` with the actual values.)*
- **Domain name**:
```text
dyndns.moritzgraf.de
```
- **Username**:
*(Get the `username` value from `dyndns_ovh.secret.yaml`)*
- **Password**:
*(Get the `password` value from `dyndns_ovh.secret.yaml`)*
6. Click **Apply** (Übernehmen) to save the settings.
## Verifying the Update
After saving, the FritzBox should attempt an immediate update.
1. In the FritzBox interface, go to **Overview** (Übersicht).
2. Look under the **Connections** (Verbindungen) section. It should say:
`Dynamic DNS: enabled, <domain>, Status: successfully registered.`
3. You can also manually ping `dyndns.moritzgraf.de` from an external network to verify it points to your router's current public IP.
## Important Note on CGNAT and IPv6
Since your ISP uses Carrier Grade NAT (CGNAT) for IPv4, your public IPv4 address might not be directly reachable from the outside.
OVH's legacy DynHost system primarily updates A (IPv4) records. If you specifically need external access to your home network via this dyndns domain, the incoming connection might fail on IPv4 due to CGNAT. (This is why we set up the Wireguard Site-to-Site VPN to the K8s cluster!)
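Review bot: the CGNAT section of this removed document is the only place in the repository that records why the WireGuard site-to-site VPN exists, and both are removed in the same comparison with no replacement note; a sentence in the commit explaining the reason (or where the new home-network documentation lives) would avoid someone re-deriving it later. Separately, if `dyndns.moritzgraf.de` is no longer maintained, the **Use DynDNS** entry on the FritzBox should be disabled as well, since the router keeps pushing the DynHost `username`/`password` from `dyndns_ovh.secret.yaml` to OVH on every IP change regardless of what this repository contains.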

View File

@ -1,53 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: wireguard
namespace: wireguard
labels:
app: wireguard
spec:
replicas: 1
selector:
matchLabels:
app: wireguard
template:
metadata:
labels:
app: wireguard
spec:
hostNetwork: true
containers:
- name: wireguard
image: alpine:latest
command: ["/bin/sh", "-c"]
args:
- |
apk add --no-cache wireguard-tools iptables
cp /config/wg0.conf /etc/wireguard/wg0.conf
chmod 600 /etc/wireguard/wg0.conf
wg-quick up wg0
echo "Wireguard is up"
trap "wg-quick down wg0" SIGINT SIGTERM
sleep infinity &
wait
securityContext:
privileged: true
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
volumeMounts:
- name: wg-config
mountPath: /config/wg0.conf
subPath: wg0.conf
readOnly: true
- name: lib-modules
mountPath: /lib/modules
readOnly: true
volumes:
- name: wg-config
secret:
secretName: wireguard-config
- name: lib-modules
hostPath:
path: /lib/modules
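Review bot: if this manifest is revived elsewhere rather than dropped for good, three points in the removed container spec should not come back as-is. `privileged: true` already grants every capability, so the `capabilities.add` list of `NET_ADMIN` and `SYS_MODULE` is dead configuration; the pod should run unprivileged with exactly those two capabilities instead. `image: alpine:latest` together with `apk add --no-cache wireguard-tools iptables` at start-up pins nothing and makes every restart depend on the package mirror, so a digest-pinned image with `wireguard-tools` already installed is preferable. And with `hostNetwork: true` and the `sleep infinity & wait` loop, Kubernetes never learns whether `wg-quick up wg0` actually succeeded; a readiness or liveness probe that runs `wg show wg0` would surface a tunnel that failed to come up.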

View File

@ -1,9 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: wireguard
resources:
- namespace.yaml
- secret.secret.yaml
- deployment.yaml
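Review bot: confirm nothing else still references this kustomization after the removal, for example a parent kustomization that lists `k8s/wireguard` (the path the FritzBox README above called the cluster-side endpoint); a stale entry there would break `kustomize build` for the whole tree. The `secret.secret.yaml` resource is the git-crypt-encrypted Secret shown below as "Binary file not shown", so its deletion cannot be reviewed here; the commit should say whether the WireGuard key pair it held is being retired along with the deployment.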

View File

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: wireguard
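Review bot: deleting `namespace.yaml` from git does not delete the namespace from the cluster unless a GitOps controller with pruning is applying this tree; with plain `kubectl apply -k` the `wireguard` namespace, its Secret and the privileged `hostNetwork` pod listening on port 51820 keep running until someone runs `kubectl delete ns wireguard`. The commit (or a follow-up task) should state how the live objects are being removed so the tunnel endpoint does not outlive its configuration.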

Binary file not shown.