... managed with Flux, Renovate and GitHub Actions 🤖
This repo is the sources of truth for a semi-hyperconverged k3s cluster that I maintain at home. To best of my ability, I've tried to document the cluster's configuration and the tools I use to manage it. I hope that it can serve as a reference for others who are interested in building their own cluster.
- Authentication
- authelia provides single-sign-on and multifactor authentication
- cert-manager requests and manages SSL certificates, both self-signed and from let's encrypt
- external-secrets provides secret management using:
- azure workload identity delegates token issuance to this cluster
- azure keyvault is the storage backend for secrets
- azure workload identity delegates token issuance to this cluster
- authelia provides single-sign-on and multifactor authentication
- Networking
- cilium CNI providing networking between pods, services and provides L2 loadbalancing
- ingress-nginx for reverse proxy ingress and loadbalancing
- multus enables pods to access seperate VLANs & physical networks using:
- sr-iov plugin attach pods to sr-iov capable interfaces & applicable VFs
- whereabouts to ensure consistent IP addressing across physical nodes
- sr-iov plugin attach pods to sr-iov capable interfaces & applicable VFs
- cilium CNI providing networking between pods, services and provides L2 loadbalancing
- Storage
- openebs provides ephemeral storage for pods
- rook-ceph manages a ceph cluster that provides replicated persistent storage
- azure blob storage cold storage for backups and volume snapshots
- Cluster Management
- actions-runner-controller runs GitHub Actions as self-hosted runners on this cluster
- flux GitOps operator that keeps this cluster in sync with this repository
- actions-runner-controller runs GitHub Actions as self-hosted runners on this cluster
- DNS Management
- external-dns publishes DNS records and automates split-horizon DNS between: - cloudflare for explicitly annotated ingress objects - pi-hole for all servies and ingress objects
- Backup
- volsync and snapscheduler enable restic backup and recovery of persistent volume claims to
| Name | Subnet | DHCP range | ARP reserved |
|---|---|---|---|
| LAN | 192.168.1.0/24 | 150-254 | 120-149 |
| TRUSTED | 192.168.10.0/24 | 150-254 | - |
| SERVERS | 192.168.42.0/24 | 150-254 | 120-149 |
| GUESTS | 192.168.50.0/24 | 150-254 | - |
| IOT | 192.168.70.0/24 | 150-254 | - |
| WIREGUARD | 192.168.80.0/28 | - | - |
A lot of inspiration for my cluster came from the members of the Home Operations Discord community. They are responsible for these great resources:
- Flux Cluster Template is a community driven template that provides a great starting point for anyone who has limited knowledge of Kubernetes and GitOps
- Kubsearch.dev is a search engine for apps deployed across the community's clusters. It's a great way to find inspiration or solve challenges for your own cluster
Specifc thanks to the following members for their contributions and where I drew inspiration from: