Role: Edge & Boundary
Responsibility
The Edge & Boundary role is the first line of defense. It is responsible for terminating public traffic and enforcing the transition from untrusted networks (Internet) to trusted networks (Home Network/VPN).
Key Guarantees
- Traffic Termination: All public HTTPS traffic must terminate at the Edge.
- L7 Load Balancing: Spreading requests across multiple “floating” service instances regardless of their physical node location.
- Protocol Enforcement: Only authorized protocols (HTTPS, WireGuard) are permitted to cross the boundary.
- Isolation: Publicly reachable services must be logically isolated from the internal-only platform.
Related Models & Policies
- Trust Boundaries & Access Model
- Exposure Policy
- Network Model v1 (Power-Constrained Phase)
- Network Evolution Plan (VLANs and Ingress Separation)
Implementation Options
| Option | Best Fit | Good At | Costs / Risks | Integration Notes |
|---|---|---|---|---|
| Traefik | K3s, K8s, Nomad | Simple config, Let’s Encrypt, dynamic discovery, forward-auth. | Some features are Traefik-native; middleware sprawl. | Works with OIDC via forward-auth; requires standard headers. |
| NGINX Ingress | K8s, Talos | Very common, strong annotation ecosystem. | Auth relies on external proxies (oauth2-proxy); annotation-heavy. | Pairs well with oauth2-proxy; explicit ingress classes needed. |
| Caddy | Nomad, Small K8s | TLS automation; simple reverse proxy story. | Less “platformy” out of the box; varies by env. | Decide if identity is enforced here or at auth gateway. |
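A constructed Traefik configuration, added here as an illustration (not taken from the page or the Traefik project), showing how the Key Guarantees above map onto the Traefik row: HTTP is redirected so all public traffic terminates on the TLS entrypoint, a forward-auth middleware hands identity checks to an OIDC auth gateway, and one service fans out across two "floating" instances. Hostnames, the auth-gateway address, backend IPs and file paths are placeholders chosen for the example.

```yaml
# --- traefik.yml (static configuration) ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:            # guarantee: nothing is served in the clear
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
certificatesResolvers:
  letsencrypt:
    acme:
      email: "admin@example.invalid"   # placeholder
      storage: "/data/acme.json"       # placeholder path; keep it on persistent storage
      httpChallenge:
        entryPoint: web
providers:
  file:
    filename: "/etc/traefik/dynamic.yml"   # placeholder path
---
# --- dynamic.yml (routers, middlewares, services) ---
http:
  routers:
    app:
      rule: "Host(`app.example.invalid`)"   # placeholder public hostname
      entryPoints: ["websecure"]            # only the TLS entrypoint is attached
      middlewares: ["oidc-forward-auth", "hsts"]
      service: app
  middlewares:
    oidc-forward-auth:
      forwardAuth:                          # identity enforced at the Edge via the auth gateway
        address: "http://auth-gateway.internal:4181/verify"   # placeholder
        trustForwardHeader: true
        authResponseHeaders: ["X-Forwarded-User"]
    hsts:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
  services:
    app:
      loadBalancer:                         # L7 spread across floating instances on any node
        servers:
          - url: "http://10.0.1.10:8080"   # placeholder instance
          - url: "http://10.0.1.11:8080"   # placeholder instance
        healthCheck:
          path: "/healthz"
          interval: "10s"
```

Because the router is bound only to `websecure` and HTTP is redirected at the entrypoint, there is no path for the backend to be reached over plaintext through the Edge; the forward-auth middleware has to return 2xx before any request reaches the service.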
Typical Stack Pairings
- K3s: Traefik (native feel)
- Talos/K8s: NGINX Ingress (most common)
- Nomad: Traefik or Caddy