Role: Connectivity & Naming

Responsibility

This role ensures that users and services can find each other. It handles DNS resolution and internal routing, maintaining a consistent namespace across local and remote connections.

Key Guarantees

Unified Namespace: Use of *.risu.tech globally.
Split-Horizon DNS: Internal names resolve to internal IPs; external names point to the Edge.
Service Discovery: Automatic detection and registration of “floating” workloads.
L4 Load Balancing (VIP): Providing stable virtual IPs for cluster-wide services (like Ingress) to ensure they are reachable even if nodes fail.

Current Stack Choice

OpenWRT as the bootstrap resolver, Technitium DNS as the internal authority, and ExternalDNS for Kubernetes-driven automation. Details and runbooks live in Connectivity & Naming Stack.

Implementation Options

Option	Best Fit	Good At	Costs / Risks	Integration Notes
CoreDNS + ExternalDNS	K8s, K3s, Talos	K8s-native, clean in-cluster discovery.	Split-horizon needs careful design.	Decide “source of truth” (Git/IaC) and VPN DNS view.
Pi-hole / AdGuard Home	Any (External)	Easy local DNS + blocking; great for split-horizon.	Another stateful service; HA takes effort.	Ensure VPN hands out this DNS; avoid public leaks.
WireGuard / Tailscale	Any	Stable remote access.	Tailscale is managed-ish; WireGuard is DIY.	DNS distribution over VPN is the key integration point.
MetalLB / Kube-vip	K8s, K3s, Talos	Provides L4 LoadBalancer IPs on bare-metal.	Requires network support (ARP/BGP); configuration overhead.	Essential for giving the Ingress Controller a stable IP in a cluster.
Consul	Nomad	First-class in Nomad ecosystems.	Adds a control plane component.	Decide how Consul names map to your DNS naming scheme.

Typical Stack Pairings

K8s: MetalLB/Kube-vip + CoreDNS + ExternalDNS + WireGuard/Tailscale
Nomad: Consul (+ DNS integration) + Traefik/Fabio + WireGuard/Tailscale
Hybrid: Pi-hole/AdGuard as “front” DNS for LAN/VPN regardless of orchestrator