... managed by Flux, Renovate, and GitHub Actions
This is a mono repository for my home infrastructure and Kubernetes cluster implementing Infrastructure as Code (IaC) and GitOps practices using tools like Kubernetes, Flux, Renovate and GitHub Actions.
This repo generally attempts to follow the structure and practices of the excellent k8s-at-home/template-cluster-k3, check it out if you're uncomfortable starting out with an immutable operating system.
The cluster is running on Talos Linux, an immutable and ephemeral Linux distribution built around Kubernetes, deployed on bare metal. Rook Ceph, running hyper-converged with the workloads, provides persistent block and object storage, while a separate server provides bulk (NFS) file storage.
This Git repository contains the following directories (kustomizations) under cluster. The comments give the order in which Flux reconciles them: each directory is only applied after the ones it depends on.

```
cluster        # k8s cluster defined as code
├─ bootstrap   # contains the initial kustomization used to install flux
├─ flux        # flux, gitops operator, loaded before everything
├─ crds        # custom resources, loaded before core and apps
├─ charts      # helm repos, loaded before core and apps
├─ config      # cluster config, loaded before core and apps
├─ core        # crucial apps, namespaced dir tree, loaded before apps
└─ apps        # regular apps, namespaced dir tree, loaded last
```
Kubernetes external services (Cilium w/ BGP)
Over WAN, I have port forwarded port 443 to the load balancer IP of my ingress controller that's running in my Kubernetes cluster.

Cloudflare works as a proxy to hide my home's WAN IP and also as a firewall. When not on my home network, all the traffic coming into my ingress controller on port 443 comes from Cloudflare. In VyOS I block all IPs not originating from Cloudflare's published list of IP ranges, so a client that bypasses the proxy and connects to the WAN IP directly is dropped at the router before it reaches the ingress controller.

Cloudflare is also configured to GeoIP block all countries except a few I have whitelisted.
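The router-side allowlist above is easy to get subtly wrong (a stale range list, an entry with host bits set, IPv6 forgotten entirely). The following is an added example, not code from this repository or from VyOS, that models the WAN_IN policy as described: only port 443 is forwarded, and only sources inside Cloudflare's ranges are accepted. The embedded range list is a constructed sample for illustration; the authoritative lists are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and must be refreshed from there. The group names and the `set firewall group network-group` / `ipv6-network-group` command shape are assumptions about the VyOS configuration syntax; the rule that references the groups differs between VyOS 1.4 builds and is deliberately not generated.

```python
"""Model of a Cloudflare-only origin allowlist for a port-forwarded ingress.

Added example; not the repository's own configuration. The range list below
is a constructed sample and must be replaced with Cloudflare's live lists.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of Cloudflare edge ranges (v4 and v6); NOT the full list.
CLOUDFLARE_RANGES_SAMPLE = """
# v4
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
172.64.0.0/13
# v6
2606:4700::/32
2a06:98c0::/29
"""

# The only WAN port forwarded to the ingress load balancer (per the README).
FORWARDED_PORTS = {443}


def parse_ranges(text: str) -> List[Network]:
    """Parse one CIDR per line; blank lines and '#' comments are skipped.

    strict=True rejects entries with host bits set (e.g. 104.16.0.1/13), so a
    corrupted or hand-edited list fails loudly instead of silently widening
    to a network the author never intended to allow.
    """
    nets: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad CIDR {line!r}: {exc}") from None
    return nets


def is_from_cloudflare(src: str, nets: Iterable[Network]) -> bool:
    """True if src lies inside any allowed range.

    ipaddress never matches a v4 address against a v6 network (or vice
    versa), so a v4-only list silently leaves every v6 source unmatched.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def wan_in_decision(src: str, dst_port: int, nets: Iterable[Network]) -> str:
    """Emulate the WAN_IN policy: accept forwarded ports from Cloudflare only.

    Everything else, including port 443 from a non-Cloudflare source that
    found the WAN IP, falls through to the default drop.
    """
    if dst_port in FORWARDED_PORTS and is_from_cloudflare(src, nets):
        return "accept"
    return "drop"


def vyos_network_group_commands(group: str, nets: Iterable[Network]) -> List[str]:
    """Render 'set' commands filling an IPv4 and an IPv6 network group.

    Group names and the command shape are assumptions; the firewall rule
    that references these groups is release-specific and not generated.
    """
    cmds: List[str] = []
    for net in nets:
        if net.version == 4:
            cmds.append(f"set firewall group network-group {group} network {net.with_prefixlen}")
        else:
            cmds.append(f"set firewall group ipv6-network-group {group}-V6 network {net.with_prefixlen}")
    return cmds


if __name__ == "__main__":
    allowed = parse_ranges(CLOUDFLARE_RANGES_SAMPLE)
    # Constructed connection attempts: proxied v4, direct-to-WAN v4, proxied v6,
    # and a Cloudflare source on a port that is not forwarded.
    for src, port in [("104.16.1.1", 443), ("8.8.8.8", 443),
                      ("2606:4700::1111", 443), ("104.16.1.1", 80)]:
        print(f"{src:>18} :{port} -> {wan_in_decision(src, port, allowed)}")
    print("\n".join(vyos_network_group_commands("CLOUDFLARE", allowed)))
```

One caveat that the allowlist alone does not cover: a source inside Cloudflare's ranges proves the request came through Cloudflare's edge, not that it came through your zone. Any other Cloudflare customer can point a proxied record at your WAN IP, so this rule should be paired with something that binds the origin to your account, such as Cloudflare's Authenticated Origin Pulls (client-certificate mTLS on the ingress) or a tunnel that removes the port forward entirely.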
Without much engineering of DNS at home, these options have made my VyOS router a single point of failure for DNS. I believe this is ok though, because my router should have the most uptime of all my systems.
external-dns is deployed in my cluster and configured to sync DNS records to Cloudflare. The only ingresses external-dns looks at to gather DNS records to put in Cloudflare are ones where I explicitly set an annotation of
| Device | Count | OS Disk Size | Data Disk Size | RAM | Operating System | Purpose |
|---|---|---|---|---|---|---|
| Dell R220 | 1 | 120GB SSD | N/A | 16GB | VyOS 1.4 | Router |
| HP S01-pf1000 | 3 | 120GB SSD | N/A | 8GB | Talos Linux | Kubernetes Control Nodes |
| HP S01-pf1000 | 3 | 120GB SSD | 1TB NVMe (rook-ceph) | 32GB | Talos Linux | Kubernetes Workers |
| SuperMicro SC836 | 1 | 120GB SSD | 16x8TB + 16x3TB ZFS RAIDZ2 | 192GB | Ubuntu 20.04 | NFS |
| Brocade ICX 6610 | 1 | N/A | N/A | N/A | N/A | Core Switch |
| Raspberry Pi 4B | 1 | 32GB SD Card | N/A | 4GB | PiKVM | Network KVM |
| TESmart 8 Port KVM Switch | 1 | N/A | N/A | N/A | N/A | Network KVM switch for PiKVM |
| APC SUA3000RMXL3U w/ NIC | 1 | N/A | N/A | N/A | N/A | UPS |
See commit history