Device | Specs | OS | Purpose |
---|---|---|---|
Lenovo ThinkCentre M75q-1 | Ryzen 5 Pro 3400GE + 16GB RAM + 512GB NVMe SSD + 1TB SATA SSD | NixOS | k8s master & worker node |
Lenovo ThinkCentre M75q-2 | Ryzen 5 Pro 5650GE + 16GB RAM + 256GB NVMe SSD | NixOS | k8s worker node |
To access my apps, I expose them directly on the internet with port-forwarding on my router.
- Kubernetes cluster deployed with k0s
- GitOps deployment with ArgoCD and Helm
- Fully automated HTTPS exposure of my apps using cert-manager, external-dns and ingress-nginx
- Authentication of sensitive apps with oauth2-proxy with GitLab as an OAuth2 provider
- Secrets management with external-secrets and GitLab CI/CD variables
- Simple and cheap offsite backup of my important data using OpenEBS, Velero and Backblaze B2
- Observability with Prometheus, Grafana, Loki and Opentelemetry Collector
- Alerting with Alertmanager and a Telegram Bot
- Automated updates with Renovate
- Any app you'd want to host! Currently, Nextcloud, Immich, Paperless-ngx and more (see below)
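As an added example (not a manifest from this repository), the following Ingress shows how the cert-manager, external-dns, ingress-nginx and oauth2-proxy pieces listed above fit together for one sensitive app: cert-manager issues the TLS certificate from the annotated issuer, external-dns publishes the host rule, and ingress-nginx forwards every request to oauth2-proxy for authentication before it reaches the backend. The issuer name `letsencrypt-prod`, the hostnames under `example.com`, the `paperless` namespace and the service port are assumptions, not values taken from this page.

```yaml
# Added example: Ingress for a sensitive app behind oauth2-proxy.
# Assumed names: ClusterIssuer "letsencrypt-prod", oauth2-proxy reachable
# at https://oauth2.example.com, app service "paperless-ngx" on port 8000.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: paperless-ngx
  namespace: paperless
  annotations:
    # cert-manager: request a certificate for the hosts in spec.tls
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # ingress-nginx: sub-request to oauth2-proxy; 401 -> redirect to sign-in
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.example.com/oauth2/start?rd=$scheme://$host$request_uri"
    # forward the authenticated identity to the app (optional)
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email"
spec:
  ingressClassName: nginx
  tls:
    # external-dns derives the DNS record from the host rule below;
    # cert-manager stores the issued certificate in this Secret
    - hosts:
        - paperless.example.com
      secretName: paperless-ngx-tls
  rules:
    - host: paperless.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: paperless-ngx
                port:
                  number: 8000
```

With the router port-forwarding mentioned above, every request to this host reaches ingress-nginx directly from the internet, so the `auth-url` check is the only thing between the public and the app; verify it with an unauthenticated `curl -I https://paperless.example.com/` (assumed hostname), which should answer with a redirect to the oauth2-proxy sign-in page rather than a 200 from the app.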
This is an automatically updated list of the apps I have configured and/or deployed. Click on an app to check my Helm configuration.
App | Description | Is deployed |
---|---|---|
argocd | Declarative, GitOps continuous delivery tool for Kubernetes | ✅ |
authelia | The Single Sign-On Multi-Factor portal for web apps | ❌ |
blackbox-exporter | Allows blackbox probing of endpoints over HTTP, HTTPS, DNS, TCP, ICMP and gRPC | ✅ |
calibre-web | Web app for browsing, reading and downloading eBooks stored in a Calibre database | ✅ |
cert-manager | Automatically provision and manage TLS certificates in Kubernetes | ✅ |
cilium | eBPF-based Networking, Security, and Observability | ❌ |
cloudnative-pg | CloudNativePG is a comprehensive platform designed to seamlessly manage PostgreSQL databases within Kubernetes environments, covering the entire operational lifecycle from initial deployment to ongoing maintenance | ✅ |
convertx | Self-hosted online file converter | ✅ |
crossplane | The Cloud Native Control Plane | ❌ |
crowdsec | Open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI | ✅ |
dead-drop | My recreation of a dead drop application to securely share information | ❌ |
external-dns | Configure external DNS servers (AWS Route53, Google CloudDNS and others) for Kubernetes Ingresses and Services | ✅ |
external-secrets | External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets | ✅ |
ghost | Independent platform for publishing online by web and email newsletter | ❌ |
gitlab-runner | Run your CI/CD jobs and send the results back to GitLab | ❌ |
go-healthcheck | Simple HTTP healthchecks | ✅ |
gotify | A simple server for sending and receiving messages in real-time per WebSocket | ❌ |
headscale | An open source, self-hosted implementation of the Tailscale control server | ❌ |
home-assistant | Open source home automation that puts local control and privacy first | ✅ |
homepage | A highly customizable homepage (or startpage / application dashboard) with Docker and service API integrations | ✅ |
homer | A very simple static homepage for your server | ❌ |
httpbin | Echoes request data as JSON | ✅ |
immich | High performance self-hosted photo and video management solution | ✅ |
ingress-nginx | Ingress-NGINX Controller for Kubernetes | ✅ |
it-tools | Collection of handy online tools for developers | ✅ |
komoplane | Crossplane Troubleshooting Tool by Komodor | ❌ |
kube-prometheus-stack | kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator | ✅ |
kubecraft | Manage your pods in Minecraft | ❌ |
kyverno | Kubernetes native policy management | ❌ |
loki | Like Prometheus, but for logs | ✅ |
longhorn | Cloud-Native distributed storage built on and for Kubernetes | ✅ |
metallb | A network load-balancer implementation for Kubernetes using standard routing protocols | ✅ |
metrics-server | Scalable and efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines | ❌ |
minio-operator | MinIO Operator for Kubernetes | ❌ |
mosquitto | Open source MQTT broker | ✅ |
nextcloud | A safe home for all your data | ✅ |
nfs-server | Lightweight, robust, flexible, and containerized NFS server | ❌ |
ntfy | Send push notifications to your phone or desktop using PUT/POST | ❌ |
oauth2-proxy | A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers | ✅ |
openebs | Open Source Container Native Storage platform for Stateful Persistent Applications on Kubernetes | ❌ |
opentelemetry-collector | Vendor-agnostic implementation on how to receive, process and export telemetry data | ✅ |
opentelemetry-operator | Kubernetes Operator for OpenTelemetry Collector | ✅ |
paperless-ngx | Scan, index and archive all your physical documents | ✅ |
pihole | Network-wide Ad Blocking | ❌ |
qbittorrent | qBittorrent BitTorrent client | ❌ |
reloader | A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig | ✅ |
satisfactory-server | Satisfactory server | ✅ |
silverbullet | Note-taking application optimized for people with a hacker mindset | ❌ |
tailout | Spawn an exit node for your tailnet anywhere | ❌ |
tailscale-operator | A Kubernetes Operator for Tailscale | ✅ |
thanos | Highly available Prometheus setup with long term storage capabilities | ❌ |
vaultwarden | Unofficial Bitwarden compatible server written in Rust | ✅ |
velero | Backup and migrate Kubernetes applications and their persistent volumes | ✅ |
velero-ui | A UI for Velero | ❌ |
zigbee2mqtt | Zigbee to MQTT bridge | ✅ |
zitadel | Identity infrastructure, simplified for you | ❌ |
The install assumes that all external secrets are already created in a GitLab project as CI/CD variables.
Start the k0s cluster:

```bash
cd ~/homelab-gitops
sudo k0s install controller --enable-worker -c ./k0s.yaml
sudo k0s start
sleep 5
sudo k0s status
sudo k0s kubeconfig admin > ~/.kube/config
kubectl taint nodes --all node-role.kubernetes.io/master-
```
Create the GitLab token secret used by external-secrets:

```bash
kubectl create ns external-secrets
kubectl apply -f -
```

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-secret
  namespace: external-secrets
type: Opaque
stringData:
  token: xxx
```

Change the token value and type `<Ctrl+D>` `<Enter>` to create the secret.
Deploy external-secrets and ArgoCD apps:

```bash
cd ../../k8s-apps/external-secrets && helm dependency update && helm template external-secrets -n external-secrets . | kubectl apply -n external-secrets -f -
kubectl create ns argocd
cd ../../k8s-apps/argocd && helm dependency update && helm template argocd . -n argocd | kubectl apply -n argocd -f -
kubectl apply -f ../../argocd-apps/app-of-apps.yaml -n argocd
```

Cluster should be ready!
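The install above assumes the app secrets already live in GitLab as CI/CD variables and creates only the `gitlab-secret` token that external-secrets uses to read them. As an added example (not a manifest from this repository), here is how that token is consumed: a ClusterSecretStore points the External Secrets Operator GitLab provider at the token, and an ExternalSecret in an app namespace pulls one CI/CD variable into a regular Kubernetes Secret. The GitLab project ID, the variable name `NEXTCLOUD_ADMIN_PASSWORD`, the `nextcloud` namespace and the store name are placeholders I chose for the example.

```yaml
# Added example: consuming GitLab CI/CD variables through external-secrets.
# Assumed placeholders: projectID "12345678", variable NEXTCLOUD_ADMIN_PASSWORD,
# namespace "nextcloud". The referenced token Secret is the one created during install.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: gitlab-cicd-variables
spec:
  provider:
    gitlab:
      url: https://gitlab.com
      projectID: "12345678"
      # an empty environment matches variables scoped to "All (default)"
      environment: ""
      auth:
        SecretRef:
          accessToken:
            name: gitlab-secret
            namespace: external-secrets
            key: token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: nextcloud-admin
  namespace: nextcloud
spec:
  # re-read the variable periodically so a rotation in GitLab propagates
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: gitlab-cicd-variables
  target:
    name: nextcloud-admin
    creationPolicy: Owner
  data:
    - secretKey: admin-password
      remoteRef:
        key: NEXTCLOUD_ADMIN_PASSWORD
```

Two checks are worth doing once this is applied: `kubectl get clustersecretstore gitlab-cicd-variables` should report `Ready`, and `kubectl -n nextcloud get externalsecret nextcloud-admin` should show `SecretSynced`. Because the GitLab token is the root of trust for every app secret in the cluster, give it only the read scope the provider needs and keep the backed-up `gitlab-secret.yaml` (see below) out of the Git repository.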
Save the GitLab token secret:

```bash
kubectl get secret -n external-secrets gitlab-secret -o yaml > gitlab-secret.yaml
```

Teardown the cluster:

```bash
sudo k0s stop
sudo k0s reset -v -d
```