My Kubernetes cluster state managed by ArgoCD.
| Device | Specs | OS | Purpose |
|---|---|---|---|
| Lenovo ThinkCentre M75q-1 | Ryzen 5 Pro 3400GE + 16GB RAM + 512GB NVMe SSD + 1TB SATA SSD | NixOS | k8s master & worker node |
| Lenovo ThinkCentre M75q-2 | Ryzen 5 Pro 5650GE + 16GB RAM + 256GB NVMe SSD | NixOS | k8s worker node |
To access my apps, I expose them directly on the internet with port-forwarding on my router.
- Kubernetes cluster deployed with k0s
- GitOps deployment with ArgoCD and Helm
- Fully automated HTTPS exposition of my apps using cert-manager, external-dns and ingress-nginx
- Authentication of sensitive apps with oauth2-proxy with GitLab as an OAuth2 provider
- Secrets management with external-secrets and GitLab CI/CD variables
- Simple and cheap offsite backup of my important data using OpenEBS, Velero and Backblaze B2
- Observability with Prometheus, Grafana, Loki and Opentelemetry Collector
- Alerting with Alertmanager and a Telegram Bot
- Automated updates with Renovate
- Any app you'd want to host! Currently, Nextcloud, Immich, Paperless-ngx and more (see below)
This is an automatically updated list of the apps I have configured and/or deployed. Click on an app to check my Helm configuration.
| App | Description | Is deployed |
|---|---|---|
| argocd | Declarative, GitOps continuous delivery tool for Kubernetes | ✅ |
| authelia | The Single Sign-On Multi-Factor portal for web apps | ❌ |
| blackbox-exporter | Allows blackbox probing of endpoints over HTTP, HTTPS, DNS, TCP, ICMP and gRPC | ✅ |
| calibre-web | Web app for browsing, reading and downloading eBooks stored in a Calibre database | ✅ |
| cert-manager | Automatically provision and manage TLS certificates in Kubernetes | ✅ |
| cilium | eBPF-based Networking, Security, and Observability | ❌ |
| cloudnative-pg | CloudNativePG is a comprehensive platform designed to seamlessly manage PostgreSQL databases within Kubernetes environments, covering the entire operational lifecycle from initial deployment to ongoing maintenance | ✅ |
| convertx | Self-hosted online file converter | ✅ |
| crossplane | The Cloud Native Control Plane | ❌ |
| crowdsec | Open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI | ✅ |
| dead-drop | My recreation of a dead drop application to securely share information | ✅ |
| external-dns | Configure external DNS servers (AWS Route53, Google CloudDNS and others) for Kubernetes Ingresses and Services | ✅ |
| external-secrets | External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets | ✅ |
| ghost | Independent platform for publishing online by web and email newsletter | ❌ |
| gitlab-runner | Run your CI/CD jobs and send the results back to GitLab | ❌ |
| gotify | A simple server for sending and receiving messages in real-time per WebSocket | ❌ |
| headscale | An open source, self-hosted implementation of the Tailscale control server | ❌ |
| homepage | A highly customizable homepage (or startpage / application dashboard) with Docker and service API integrations | ✅ |
| homer | A very simple static homepage for your server | ❌ |
| httpbin | Echoes request data as JSON | ✅ |
| immich | High performance self-hosted photo and video management solution | ✅ |
| ingress-nginx | Ingress-NGINX Controller for Kubernetes | ✅ |
| it-tools | Collection of handy online tools for developers | ✅ |
| komoplane | Crossplane Troubleshooting Tool by Komodor | ❌ |
| kube-prometheus-stack | kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator | ✅ |
| kubecraft | Manage your pods in Minecraft | ❌ |
| kyverno | Kubernetes native policy management | ❌ |
| loki | Like Prometheus, but for logs | ✅ |
| longhorn | Cloud-Native distributed storage built on and for Kubernetes | ✅ |
| metallb | A network load-balancer implementation for Kubernetes using standard routing protocols | ✅ |
| metrics-server | Scalable and efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines | ❌ |
| minio-operator | MinIO Operator for Kubernetes | ✅ |
| nextcloud | A safe home for all your data | ✅ |
| nfs-server | Lightweight, robust, flexible, and containerized NFS server | ❌ |
| ntfy | Send push notifications to your phone or desktop using PUT/POST | ❌ |
| oauth2-proxy | A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers | ✅ |
| openebs | Open Source Container Native Storage platform for Stateful Persistent Applications on Kubernetes | ✅ |
| opentelemetry-collector | Vendor-agnostic implementation on how to receive, process and export telemetry data | ✅ |
| opentelemetry-operator | Kubernetes Operator for OpenTelemetry Collector | ✅ |
| paperless-ngx | Scan, index and archive all your physical documents | ✅ |
| pihole | Network-wide Ad Blocking | ❌ |
| qbittorrent | qBittorrent BitTorrent client | ❌ |
| reloader | A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig | ✅ |
| silverbullet | Note-taking application optimized for people with a hacker mindset | ✅ |
| tailout | Spawn an exit node for your tailnet anywhere | ✅ |
| tailscale-operator | A Kubernetes Operator for Tailscale | ✅ |
| thanos | Highly available Prometheus setup with long term storage capabilities | ❌ |
| vaultwarden | Unofficial Bitwarden compatible server written in Rust | ✅ |
| velero | Backup and migrate Kubernetes applications and their persistent volumes | ✅ |
| velero-ui | A UI for Velero | ❌ |
| zitadel | Identity infrastructure, simplified for you | ❌ |
The install assumes that all external secrets are already created in a GitLab project as CI/CD variables.
Start the k0s cluster:
cd ~/homelab-gitops
sudo k0s install controller --enable-worker -c ./k0s.yaml
sudo k0s start
sleep 5
sudo k0s status
sudo k0s kubeconfig admin > ~/.kube/config
kubectl taint nodes --all node-role.kubernetes.io/master-Create the GitLab token secret used by external-secrets:
kubectl create ns external-secrets
kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: gitlab-secret
namespace: external-secrets
type: Opaque
stringData:
token: xxxChange the token value and type <Ctrl+D> <Enter> to create the secret.
Deploy external-secrets and ArgoCD apps:
cd ../../k8s-apps/external-secrets && helm dependency update && helm template external-secrets -n external-secrets . | kubectl apply -n external-secrets -f -
kubectl create ns argocd
cd ../../k8s-apps/argocd && helm dependency update && helm template argocd . -n argocd | kubectl apply -n argocd -f -
kubectl apply -f ../../argocd-apps/app-of-apps.yaml -n argocdCluster should be ready!
Save the GitLab token secret
kubectl get secret -n external-secrets gitlab-secret -o yaml > gitlab-secret.yamlTeardown the cluster
sudo k0s stop
sudo k0s reset -v -d