Add a "Managing the OPNsense routers" note to generic.md §11 (Network):
opn-cli talks to a site's OPNsense over its API, credentials in a per-site
~/.opn-cli/<site>.yml (api_key/secret + url + internal-CA ca:), --config is
required. The split-horizon .internal records and public-name host-overrides
live in each router's Unbound, so `unbound host list/create/update/delete` is
how you inspect and fix them:
opn-cli --config ~/.opn-cli/hanzalova.yml unbound host list
opn-cli --config ~/.opn-cli/kosherinata.yml unbound host list
Cross-referenced from reverse-proxies.md §2 as the tool to reach for when a
mesh client resolves a name to the wrong host — exactly the rob.fyi case.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016fKZzDpvjiJ9eYbPGgJvUP
Capture the cert + edge-proxy conventions worked through deploying the
helexa-bench UI:
- external-tls.md — publicly-trusted certs via Let's Encrypt (certbot,
Cloudflare DNS-01, ECDSA, /root/.certbot-internal); the external
counterpart to internal-tls.md. Decision rule: public name → LE,
*.internal → internal CA.
- reverse-proxies.md — names the per-site edge proxies (oolon for
kosherinata, hanzalova.internal for the office) and what sits behind
each, the public-vs-mesh access paths + the "public names don't
hairpin from inside the mesh" gotcha, per-vhost cert choice, nginx
conventions, and the bench (bench.helexa.ai + bench.internal) worked
example.
- readme + generic.md §11 cross-reference both.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>