From a5813d7decab88ca9604f6e45c6e398c7eaeeb8d Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Mon, 2 Feb 2026 14:13:04 +0100
Subject: [PATCH] feat: Add network readme

---
 NETWORK.md | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 NETWORK.md

diff --git a/NETWORK.md b/NETWORK.md
new file mode 100644
index 0000000..c99587c
--- /dev/null
+++ b/NETWORK.md
@@ -0,0 +1,65 @@
+# Infrastructure Overview – Wheatley
+
+This document describes the network and infrastructure architecture of the *Wheatley* environment. Its purpose is to clearly document **connectivity, routing, and responsibilities per site**, enabling predictable operations, troubleshooting, and future expansion.
+
+---
+
+## Overview
+
+The infrastructure consists of three primary sites:
+
+| Site | Role | Subnet |
+|------|------|--------|
+| **Hobbyrack** | Central hub, homelab, workloads | `10.13.37.0/24` |
+| **MAPPS** | Externally managed platform services | `10.7.65.192/26` |
+| **Home** | Client network | `192.168.1.0/24` |
+
+Connectivity between sites is provided via **IPSec** and **WireGuard**, with *Hobbyrack* acting as the central routing and transit hub.
+
+---
+
+## Network Diagram
+
+```mermaid
+flowchart LR
+    %% Hobbyrack
+    subgraph HR["Hobbyrack"]
+        HR_OPN["OPNsense Gateway
+10.13.37.1"]
+        HR_LAN["10.13.37.0/24"]
+        HR_CLUSTER["k8s-wheatley
+(Servarr stack)"]
+        HR_OPN --- HR_LAN
+        HR_LAN --- HR_CLUSTER
+    end
+
+    %% Managed Apps
+    subgraph MA["Forti – Managed"]
+        MA_GW["Gateway
+10.7.65.193"]
+        MA_LAN["10.7.65.192/26"]
+        MA_CLUSTER["MAPPS Cluster
+(Mimir, Loki, Vault)"]
+        MA_CLUSTER2["k8s-peterg
+(ArgoCD)"]
+        MA_GW --- MA_LAN
+        MA_LAN --- MA_CLUSTER
+        MA_LAN --- MA_CLUSTER2
+    end
+
+    %% Home
+    subgraph TH["Home"]
+        TH_GW["UniFi Gateway
+192.168.1.1"]
+        TH_LAN["192.168.1.0/24"]
+        TH_CLIENTS["Clients"]
+        TH_GW --- TH_LAN
+        TH_LAN --- TH_CLIENTS
+    end
+
+    %% Tunnels
+    HR_OPN <==>|"IPSec
+10.13.37.0/24 ↔ 10.7.65.192/26"| MA_GW
+    HR_OPN <==>|"WireGuard Hub
+10.167.84.0/24"| TH_GW
+