Showing preview only (412K chars total). Download the full file or copy to clipboard to get everything.
Repository: khuedoan/homelab
Branch: master
Commit: b7d8037fa876
Files: 218
Total size: 364.0 KB
Directory structure:
gitextract_plx_vs0m/
├── .envrc
├── .gitattributes
├── .gitignore
├── .pre-commit-config.yaml
├── .woodpecker/
│ ├── helm-diff.yaml
│ └── static-checks.yaml
├── .yamllint.yaml
├── LICENSE.md
├── Makefile
├── README.md
├── apps/
│ ├── actualbudget/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── blog/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── excalidraw/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── homepage/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── jellyfin/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── matrix/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── ollama/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── pairdrop/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── paperless/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ ├── speedtest/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── tailscale/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ ├── role.yaml
│ │ │ ├── rolebinding.yaml
│ │ │ ├── secret.yaml
│ │ │ └── serviceaccount.yaml
│ │ └── values.yaml
│ └── wireguard/
│ ├── Chart.yaml
│ └── values.yaml
├── docs/
│ ├── .gitignore
│ ├── concepts/
│ │ ├── certificate-management.md
│ │ ├── development-shell.md
│ │ ├── pxe-boot.md
│ │ ├── secrets-management.md
│ │ └── testing.md
│ ├── getting-started/
│ │ ├── install-pre-commit-hooks.md
│ │ ├── user-onboarding.md
│ │ └── vpn-setup.md
│ ├── how-to-guides/
│ │ ├── add-or-remove-nodes.md
│ │ ├── alternate-dns-setup.md
│ │ ├── backup-and-restore.md
│ │ ├── disable-dhcp-proxy-in-dnsmasq.md
│ │ ├── expose-services-to-the-internet.md
│ │ ├── media-management.md
│ │ ├── run-commands-on-multiple-nodes.md
│ │ ├── single-node-cluster-adjustments.md
│ │ ├── troubleshooting/
│ │ │ └── pxe-boot.md
│ │ ├── updating-documentation.md
│ │ └── use-both-github-and-gitea.md
│ ├── index.md
│ ├── installation/
│ │ ├── post-installation.md
│ │ ├── production/
│ │ │ ├── configuration.md
│ │ │ ├── deployment.md
│ │ │ ├── external-resources.md
│ │ │ └── prerequisites.md
│ │ └── sandbox.md
│ └── reference/
│ ├── architecture/
│ │ ├── decision-records.md
│ │ ├── networking.md
│ │ └── overview.md
│ ├── changelog.md
│ ├── contributing.md
│ ├── faq.md
│ ├── license.md
│ └── roadmap.md
├── external/
│ ├── .gitignore
│ ├── Makefile
│ ├── main.tf
│ ├── modules/
│ │ ├── cloudflare/
│ │ │ ├── main.tf
│ │ │ ├── variables.tf
│ │ │ └── versions.tf
│ │ ├── extra-secrets/
│ │ │ ├── main.tf
│ │ │ ├── variables.tf
│ │ │ └── versions.tf
│ │ └── ntfy/
│ │ ├── main.tf
│ │ ├── variables.tf
│ │ └── versions.tf
│ ├── namespaces.yml
│ ├── terraform.tfvars.example
│ ├── variables.tf
│ └── versions.tf
├── flake.nix
├── metal/
│ ├── Makefile
│ ├── ansible.cfg
│ ├── boot.yml
│ ├── cluster.yml
│ ├── group_vars/
│ │ └── all.yml
│ ├── inventories/
│ │ ├── prod.yml
│ │ └── stag.yml
│ ├── k3d-dev.yaml
│ └── roles/
│ ├── automatic_upgrade/
│ │ ├── files/
│ │ │ └── automatic.conf
│ │ └── tasks/
│ │ └── main.yml
│ ├── cilium/
│ │ ├── defaults/
│ │ │ └── main.yml
│ │ ├── tasks/
│ │ │ └── main.yml
│ │ └── templates/
│ │ ├── ciliuml2announcementpolicy.yaml
│ │ └── ciliumloadbalancerippool.yaml
│ ├── k3s/
│ │ ├── defaults/
│ │ │ └── main.yml
│ │ ├── files/
│ │ │ └── bin/
│ │ │ └── .gitignore
│ │ ├── tasks/
│ │ │ └── main.yml
│ │ └── templates/
│ │ ├── config.yaml.j2
│ │ ├── k3s.service.j2
│ │ └── kube-vip.yaml.j2
│ ├── prerequisites/
│ │ └── tasks/
│ │ └── main.yml
│ ├── pxe_server/
│ │ ├── defaults/
│ │ │ └── main.yml
│ │ ├── files/
│ │ │ ├── data/
│ │ │ │ ├── init-config/
│ │ │ │ │ └── .gitignore
│ │ │ │ ├── iso/
│ │ │ │ │ └── .gitignore
│ │ │ │ ├── os/
│ │ │ │ │ └── .gitignore
│ │ │ │ └── pxe-config/
│ │ │ │ └── .gitignore
│ │ │ ├── dnsmasq/
│ │ │ │ └── Dockerfile
│ │ │ ├── docker-compose.yml
│ │ │ └── http/
│ │ │ └── Dockerfile
│ │ ├── tasks/
│ │ │ └── main.yml
│ │ └── templates/
│ │ ├── dnsmasq.conf.j2
│ │ ├── grub.cfg.j2
│ │ └── kickstart.ks.j2
│ └── wake/
│ └── tasks/
│ └── main.yml
├── mkdocs.yml
├── platform/
│ ├── dex/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ ├── external-secrets/
│ │ └── Chart.yaml
│ ├── gitea/
│ │ ├── Chart.yaml
│ │ ├── files/
│ │ │ └── config/
│ │ │ ├── config.yaml
│ │ │ ├── go.mod
│ │ │ ├── go.sum
│ │ │ └── main.go
│ │ ├── templates/
│ │ │ ├── admin-secret.yaml
│ │ │ ├── config-job.yaml
│ │ │ └── config-source.yaml
│ │ └── values.yaml
│ ├── global-secrets/
│ │ ├── Chart.yaml
│ │ ├── files/
│ │ │ └── secret-generator/
│ │ │ ├── config.yaml
│ │ │ ├── go.mod
│ │ │ ├── go.sum
│ │ │ └── main.go
│ │ └── templates/
│ │ ├── clustersecretstore/
│ │ │ ├── clustersecretstore.yaml
│ │ │ ├── role.yaml
│ │ │ ├── rolebinding.yaml
│ │ │ └── serviceaccount.yaml
│ │ └── secret-generator/
│ │ ├── configmap.yaml
│ │ ├── job.yaml
│ │ ├── role.yaml
│ │ ├── rolebinding.yaml
│ │ └── serviceaccount.yaml
│ ├── grafana/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ ├── kanidm/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ ├── certificate.yaml
│ │ │ └── issuer.yaml
│ │ └── values.yaml
│ ├── renovate/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ ├── woodpecker/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ └── zot/
│ ├── Chart.yaml
│ ├── templates/
│ │ └── admin-secret.yaml
│ └── values.yaml
├── renovate.json5
├── scripts/
│ ├── argocd-admin-password
│ ├── backup
│ ├── configure
│ ├── get-dns-config
│ ├── get-status
│ ├── get-wireguard-config
│ ├── hacks
│ ├── helm-diff
│ ├── kanidm-reset-password
│ ├── new-service
│ ├── onboard-user
│ ├── pxe-logs
│ └── take-screenshots
├── system/
│ ├── Makefile
│ ├── argocd/
│ │ ├── Chart.yaml
│ │ ├── values-seed.yaml
│ │ └── values.yaml
│ ├── bootstrap.yml
│ ├── cert-manager/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── clusterissuer.yaml
│ │ └── values.yaml
│ ├── cloudflared/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── external-dns/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── ingress-nginx/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── kured/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── loki/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── monitoring-system/
│ │ ├── Chart.yaml
│ │ ├── files/
│ │ │ └── webhook-transformer/
│ │ │ └── alertmanager-to-ntfy.jsonnet
│ │ ├── templates/
│ │ │ └── configmap.yaml
│ │ └── values.yaml
│ ├── rook-ceph/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ └── volsync-system/
│ └── Chart.yaml
└── test/
├── Makefile
├── benchmark/
│ ├── security/
│ │ └── kube-bench.yaml
│ └── storage/
│ ├── dbench-rwo.yaml
│ └── dbench-rwx.yaml
├── external_test.go
├── go.mod
├── go.sum
├── integration_test.go
├── smoke_test.go
└── tools_test.go
================================================
FILE CONTENTS
================================================
================================================
FILE: .envrc
================================================
use flake
================================================
FILE: .gitattributes
================================================
external/** -linguist-vendored
================================================
FILE: .gitignore
================================================
.venv/
book/
*.iso
*.log
*.png
*.tgz
*kubeconfig.yaml
Chart.lock
================================================
FILE: .pre-commit-config.yaml
================================================
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.3.0
hooks:
- id: check-added-large-files
- id: check-executables-have-shebangs
- id: check-merge-conflict
- id: check-shebang-scripts-are-executable
- id: detect-private-key
- id: end-of-file-fixer
- id: mixed-line-ending
- id: trailing-whitespace
- repo: https://github.com/adrienverge/yamllint
rev: v1.27.1
hooks:
- id: yamllint
- repo: https://github.com/gruntwork-io/pre-commit
rev: v0.1.24
hooks:
- id: helmlint
- id: shellcheck
- repo: https://github.com/tofuutils/pre-commit-opentofu
rev: v2.1.0
hooks:
- id: tofu_fmt
================================================
FILE: .woodpecker/helm-diff.yaml
================================================
when:
branch: ${CI_REPO_DEFAULT_BRANCH}
matrix:
STACK:
- system
- platform
- apps
steps:
# TODO DRY with nix develop and custom entrypoint https://github.com/woodpecker-ci/woodpecker/pull/2985,
# but first we need a Nix cache. See the nix-cache branch for the WIP.
diff:
image: nixery.dev/shell/git/python3/kubernetes-helm/diffutils/dyff # TODO replace with nix develop
commands:
- ./scripts/helm-diff --repository "${CI_REPO_CLONE_URL}" --source "${CI_COMMIT_SOURCE_BRANCH}" --target "${CI_COMMIT_TARGET_BRANCH}" --subpath "${STACK}"
when:
- event: pull_request
path: '${STACK}/**'
depends_on: []
================================================
FILE: .woodpecker/static-checks.yaml
================================================
when:
branch: ${CI_REPO_DEFAULT_BRANCH}
steps:
# TODO DRY with nix develop and custom entrypoint https://github.com/woodpecker-ci/woodpecker/pull/2985,
# but first we need a Nix cache. See the nix-cache branch for the WIP.
tools-versions:
image: nixos/nix
commands:
- echo 'experimental-features = flakes nix-command' >> /etc/nix/nix.conf
# - echo 'trusted-substituters = http://nix-cache.nix-cache' >> /etc/nix/nix.conf
# - echo 'substituters = http://nix-cache.nix-cache' >> /etc/nix/nix.conf
- nix develop --command make -C test filter=ToolsVersions
when:
- event: pull_request
path:
include:
- 'flake.*'
depends_on: []
pre-commit:
image: nixery.dev/shell/git/pre-commit # TODO replace with nix develop
commands:
- pre-commit run --color=always
when:
- event: pull_request
depends_on: []
================================================
FILE: .yamllint.yaml
================================================
ignore: |
templates/
mkdocs.yml
extends: default
rules:
document-start: disable
line-length: disable
================================================
FILE: LICENSE.md
================================================
### GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc.
<https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
### Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom
to share and change all versions of a program--to make sure it remains
free software for all its users. We, the Free Software Foundation, use
the GNU General Public License for most of our software; it applies
also to any other work released this way by its authors. You can apply
it to your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you
have certain responsibilities if you distribute copies of the
software, or if you modify it: responsibilities to respect the freedom
of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the
manufacturer can do so. This is fundamentally incompatible with the
aim of protecting users' freedom to change the software. The
systematic pattern of such abuse occurs in the area of products for
individuals to use, which is precisely where it is most unacceptable.
Therefore, we have designed this version of the GPL to prohibit the
practice for those products. If such problems arise substantially in
other domains, we stand ready to extend this provision to those
domains in future versions of the GPL, as needed to protect the
freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish
to avoid the special danger that patents applied to a free program
could make it effectively proprietary. To prevent this, the GPL
assures that patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
### TERMS AND CONDITIONS
#### 0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds
of works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of
an exact copy. The resulting work is called a "modified version" of
the earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user
through a computer network, with no transfer of a copy, is not
conveying.
An interactive user interface displays "Appropriate Legal Notices" to
the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
#### 1. Source Code.
The "source code" for a work means the preferred form of the work for
making modifications to it. "Object code" means any non-source form of
a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users can
regenerate automatically from other parts of the Corresponding Source.
The Corresponding Source for a work in source code form is that same
work.
#### 2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not convey,
without conditions so long as your license otherwise remains in force.
You may convey covered works to others for the sole purpose of having
them make modifications exclusively for you, or provide you with
facilities for running those works, provided that you comply with the
terms of this License in conveying all material for which you do not
control copyright. Those thus making or running the covered works for
you must do so exclusively on your behalf, under your direction and
control, on terms that prohibit them from making any copies of your
copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under the
conditions stated below. Sublicensing is not allowed; section 10 makes
it unnecessary.
#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such
circumvention is effected by exercising rights under this License with
respect to the covered work, and you disclaim any intention to limit
operation or modification of the work as a means of enforcing, against
the work's users, your or third parties' legal rights to forbid
circumvention of technological measures.
#### 4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
#### 5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these
conditions:
- a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
- b) The work must carry prominent notices stating that it is
released under this License and any conditions added under
section 7. This requirement modifies the requirement in section 4
to "keep intact all notices".
- c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
- d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
#### 6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms of
sections 4 and 5, provided that you also convey the machine-readable
Corresponding Source under the terms of this License, in one of these
ways:
- a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
- b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the Corresponding
Source from a network server at no charge.
- c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
- d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
- e) Convey the object code using peer-to-peer transmission,
provided you inform other peers where the object code and
Corresponding Source of the work are being offered to the general
public at no charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal,
family, or household purposes, or (2) anything designed or sold for
incorporation into a dwelling. In determining whether a product is a
consumer product, doubtful cases shall be resolved in favor of
coverage. For a particular product received by a particular user,
"normally used" refers to a typical or common use of that class of
product, regardless of the status of the particular user or of the way
in which the particular user actually uses, or expects or is expected
to use, the product. A product is a consumer product regardless of
whether the product has substantial commercial, industrial or
non-consumer uses, unless such uses represent the only significant
mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to
install and execute modified versions of a covered work in that User
Product from a modified version of its Corresponding Source. The
information must suffice to ensure that the continued functioning of
the modified object code is in no case prevented or interfered with
solely because modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or
updates for a work that has been modified or installed by the
recipient, or for the User Product in which it has been modified or
installed. Access to a network may be denied when the modification
itself materially and adversely affects the operation of the network
or violates the rules and protocols for communication across the
network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
#### 7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders
of that material) supplement the terms of this License with terms:
- a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
- b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
- c) Prohibiting misrepresentation of the origin of that material,
or requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
- d) Limiting the use for publicity purposes of names of licensors
or authors of the material; or
- e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
- f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions
of it) with contractual assumptions of liability to the recipient,
for any liability that these contractual assumptions directly
impose on those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions; the
above requirements apply either way.
#### 8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your license
from a particular copyright holder is reinstated (a) provisionally,
unless and until the copyright holder explicitly and finally
terminates your license, and (b) permanently, if the copyright holder
fails to notify you of the violation by some reasonable means prior to
60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
#### 9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or run
a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
#### 10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
#### 11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims owned
or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within the
scope of its coverage, prohibits the exercise of, or is conditioned on
the non-exercise of one or more of the rights that are specifically
granted under this License. You may not convey a covered work if you
are a party to an arrangement with a third party that is in the
business of distributing software, under which you make payment to the
third party based on the extent of your activity of conveying the
work, and under which the third party grants, to any of the parties
who would receive the covered work from you, a discriminatory patent
license (a) in connection with copies of the covered work conveyed by
you (or copies made from those copies), or (b) primarily for and in
connection with specific products or compilations that contain the
covered work, unless you entered into that arrangement, or that patent
license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
#### 12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under
this License and any other pertinent obligations, then as a
consequence you may not convey it at all. For example, if you agree to
terms that obligate you to collect a royalty for further conveying
from those to whom you convey the Program, the only way you could
satisfy both those terms and this License would be to refrain entirely
from conveying the Program.
#### 13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
#### 14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions
of the GNU General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in
detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies that a certain numbered version of the GNU General Public
License "or any later version" applies to it, you have the option of
following the terms and conditions either of that numbered version or
of any later version published by the Free Software Foundation. If the
Program does not specify a version number of the GNU General Public
License, you may choose any version ever published by the Free
Software Foundation.
If the Program specifies that a proxy can decide which future versions
of the GNU General Public License can be used, that proxy's public
statement of acceptance of a version permanently authorizes you to
choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
#### 15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.
#### 16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
#### 17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
### How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these
terms.
To do so, attach the following notices to the program. It is safest to
attach them to the start of each source file to most effectively state
the exclusion of warranty; and each file should have at least the
"copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper
mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands \`show w' and \`show c' should show the
appropriate parts of the General Public License. Of course, your
program's commands might be different; for a GUI interface, you would
use an "about box".
You should also get your employer (if you work as a programmer) or
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. For more information on this, and how to apply and follow
the GNU GPL, see <https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your
program into proprietary programs. If your program is a subroutine
library, you may consider it more useful to permit linking proprietary
applications with the library. If this is what you want to do, use the
GNU Lesser General Public License instead of this License. But first,
please read <https://www.gnu.org/licenses/why-not-lgpl.html>.
================================================
FILE: Makefile
================================================
.POSIX:
.PHONY: *
.EXPORT_ALL_VARIABLES:
KUBECONFIG = $(shell pwd)/metal/kubeconfig.yaml
KUBE_CONFIG_PATH = $(KUBECONFIG)
default: metal system external smoke-test post-install clean
configure:
./scripts/configure
git status
metal:
make -C metal
system:
make -C system
external:
make -C external
smoke-test:
make -C test filter=Smoke
post-install:
@./scripts/hacks
# TODO maybe there's a better way to manage backup with GitOps?
backup:
./scripts/backup --action setup --namespace=actualbudget --pvc=actualbudget-data
./scripts/backup --action setup --namespace=jellyfin --pvc=jellyfin-data
restore:
./scripts/backup --action restore --namespace=actualbudget --pvc=actualbudget-data
./scripts/backup --action restore --namespace=jellyfin --pvc=jellyfin-data
test:
make -C test
clean:
docker compose --project-directory ./metal/roles/pxe_server/files down
docs:
mkdocs serve
git-hooks:
pre-commit install
================================================
FILE: README.md
================================================
# Khue's Homelab
**[Features](#features) • [Get Started](#get-started) • [Documentation](https://homelab.khuedoan.com)**
[](https://github.com/khuedoan/homelab/tags)
[](https://homelab.khuedoan.com)
[](https://www.gnu.org/licenses/gpl-3.0.html)
[](https://github.com/khuedoan/homelab)
This project utilizes [Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code) and [GitOps](https://www.weave.works/technologies/gitops) to automate provisioning, operating, and updating self-hosted services in my homelab.
It can be used as a highly customizable framework to build your own homelab.
> **What is a homelab?**
>
> Homelab is a laboratory at home where you can self-host, experiment with new technologies, practice for certifications, and so on.
> For more information, please see the [r/homelab introduction](https://www.reddit.com/r/homelab/wiki/introduction) and the
> [Home Operations Discord community](https://discord.gg/home-operations) (formerly known as [k8s-at-home](https://k8s-at-home.com)).
If you encounter an issue, please create [a bug report](https://github.com/khuedoan/homelab/issues/new?template=bug_report.md)
(avoid asking for support about issues specific to this project in other communication channels).
## Overview
Project status: **ALPHA**
This project is still in the experimental stage, and I don't use anything critical on it.
Expect breaking changes that may require a complete redeployment.
A proper upgrade path is planned for the stable release.
More information can be found in [the roadmap](#roadmap) below.
### Hardware
- 4 × NEC SFF `PC-MK26ECZDR` (Japanese version of the ThinkCentre M700):
- CPU: `Intel Core i5-6600T @ 2.70GHz`
- RAM: `16GB`
- SSD: `128GB`
- TP-Link `TL-SG108` switch:
- Ports: `8`
- Speed: `1000Mbps`
### Features
- [x] Common applications: Gitea, Jellyfin, Paperless...
- [x] Automated bare metal provisioning with PXE boot
- [x] Automated Kubernetes installation and management
- [x] Installing and managing applications using GitOps
- [x] Automatic rolling upgrade for OS and Kubernetes
- [x] Automatically update apps (with approval)
- [x] Modular architecture, easy to add or remove features/components
- [x] Automated certificate management
- [x] Automatically update DNS records for exposed services
- [x] VPN (Tailscale or Wireguard)
- [x] Expose services to the internet securely with [Cloudflare Tunnel](https://www.cloudflare.com/products/tunnel/)
- [x] CI/CD platform
- [x] Private container registry
- [x] Distributed storage
- [x] Support multiple environments (dev, prod)
- [x] Monitoring and alerting
- [x] Automated backup and restore
- [x] Single sign-on
- [x] Infrastructure testing
Some demo videos and screenshots are shown here.
They can't capture all the project's features, but they are sufficient to get a concept of it.
| Demo |
| :--: |
| [![][deploy-demo]](https://asciinema.org/a/xkBRkwC6e9RAzVuMDXH3nGHp7) |
| Deploy with a single command (after updating the configuration files) |
| [![][pxe-demo]](https://www.youtube.com/watch?v=y-d7btNNAT8) |
| PXE boot |
| [![][hubble-demo]][hubble-demo] |
| Observe network traffic with Hubble, built on top of [Cilium](https://cilium.io) and eBPF |
| [![][homepage-demo]][homepage-demo] |
| Homepage powered by... [Homepage](https://gethomepage.dev) |
| [![][grafana-demo]][grafana-demo] |
| Monitoring dashboard powered by [Grafana](https://grafana.com) |
| [![][gitea-demo]][gitea-demo] |
| Git server powered by [Gitea](https://gitea.io/en-us) |
| [![][matrix-demo]][matrix-demo] |
| [Matrix](https://matrix.org/) chat server |
| [![][woodpecker-demo]][woodpecker-demo] |
| Continuous integration with [Woodpecker CI](https://woodpecker-ci.org) |
| [![][argocd-demo]][argocd-demo] |
| Continuous deployment with [ArgoCD](https://argoproj.github.io/cd) |
| [![][alert-demo]][alert-demo] |
| [ntfy](https://ntfy.sh) displaying received alerts |
| [![][ai-demo]][ai-demo] |
| Self-hosted AI powered by [Ollama](https://ollama.com) (experimental, not very fast because I don't have a GPU) |
[deploy-demo]: https://asciinema.org/a/xkBRkwC6e9RAzVuMDXH3nGHp7.svg
[pxe-demo]: https://user-images.githubusercontent.com/27996771/157303477-df2e7410-8f02-4648-a86c-71e6b7e89e35.png
[hubble-demo]: https://github.com/khuedoan/homelab/assets/27996771/9c6677d0-3564-47c0-852b-24b6a554b4a3
[homepage-demo]: https://github.com/khuedoan/homelab/assets/27996771/d0eaf620-be08-48d8-8420-40bcaa86093b
[grafana-demo]: https://github.com/khuedoan/homelab/assets/27996771/ad937b26-e9bc-4761-83ae-1c7f512ea97f
[gitea-demo]: https://github.com/khuedoan/homelab/assets/27996771/c245534f-88d9-4565-bde8-b39f60ccee9e
[matrix-demo]: https://user-images.githubusercontent.com/27996771/149448510-7163310c-2049-4ccd-901d-f11f605bfc32.png
[woodpecker-demo]: https://github.com/khuedoan/homelab/assets/27996771/5d887688-d20a-44c8-8f77-0c625527dfe4
[argocd-demo]: https://github.com/khuedoan/homelab/assets/27996771/527e2529-4fe1-4664-ab8a-b9eb3c492d20
[alert-demo]: https://github.com/khuedoan/homelab/assets/27996771/c922f755-e911-4ca0-9d4a-6e552d387f18
[ai-demo]: https://github.com/khuedoan/homelab/assets/27996771/d77ba511-00b7-47c3-9032-55679a099e70
### Tech stack
<table>
<tr>
<th>Logo</th>
<th>Name</th>
<th>Description</th>
</tr>
<tr>
<td><img width="32" src="https://simpleicons.org/icons/ansible.svg"></td>
<td><a href="https://www.ansible.com">Ansible</a></td>
<td>Automate bare metal provisioning and configuration</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/30269780"></td>
<td><a href="https://argoproj.github.io/cd">ArgoCD</a></td>
<td>GitOps tool built to deploy applications to Kubernetes</td>
</tr>
<tr>
<td><img width="32" src="https://github.com/jetstack/cert-manager/raw/master/logo/logo.png"></td>
<td><a href="https://cert-manager.io">cert-manager</a></td>
<td>Cloud native certificate management</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/21054566?s=200&v=4"></td>
<td><a href="https://cilium.io">Cilium</a></td>
<td>eBPF-based Networking, Observability and Security (CNI, LB, Network Policy, etc.)</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/314135?s=200&v=4"></td>
<td><a href="https://www.cloudflare.com">Cloudflare</a></td>
<td>DNS and Tunnel</td>
</tr>
<tr>
<td><img width="32" src="https://www.docker.com/wp-content/uploads/2022/03/Moby-logo.png"></td>
<td><a href="https://www.docker.com">Docker</a></td>
<td>Ephemeral PXE server</td>
</tr>
<tr>
<td><img width="32" src="https://github.com/kubernetes-sigs/external-dns/raw/master/docs/img/external-dns.png"></td>
<td><a href="https://github.com/kubernetes-sigs/external-dns">ExternalDNS</a></td>
<td>Synchronizes exposed Kubernetes Services and Ingresses with DNS providers</td>
</tr>
<tr>
<td><img width="32" src="https://upload.wikimedia.org/wikipedia/commons/thumb/3/3f/Fedora_logo.svg/267px-Fedora_logo.svg.png"></td>
<td><a href="https://getfedora.org/en/server">Fedora Server</a></td>
<td>Base OS for Kubernetes nodes</td>
</tr>
<tr>
<td><img width="32" src="https://upload.wikimedia.org/wikipedia/commons/b/bb/Gitea_Logo.svg"></td>
<td><a href="https://gitea.com">Gitea</a></td>
<td>Self-hosted Git service</td>
</tr>
<tr>
<td><img width="32" src="https://grafana.com/static/img/menu/grafana2.svg"></td>
<td><a href="https://grafana.com">Grafana</a></td>
<td>Observability platform</td>
</tr>
<tr>
<td><img width="32" src="https://helm.sh/img/helm.svg"></td>
<td><a href="https://helm.sh">Helm</a></td>
<td>The package manager for Kubernetes</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/49319725"></td>
<td><a href="https://k3s.io">K3s</a></td>
<td>Lightweight distribution of Kubernetes</td>
</tr>
<tr>
<td><img width="32" src="https://kanidm.com/images/logo.svg"></td>
<td><a href="https://kanidm.com">Kanidm</a></td>
<td>Modern and simple identity management platform</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/13629408"></td>
<td><a href="https://kubernetes.io">Kubernetes</a></td>
<td>Container-orchestration system, the backbone of this project</td>
</tr>
<tr>
<td><img width="32" src="https://github.com/grafana/loki/blob/main/docs/sources/logo.png?raw=true"></td>
<td><a href="https://grafana.com/oss/loki">Loki</a></td>
<td>Log aggregation system</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/1412239?s=200&v=4"></td>
<td><a href="https://www.nginx.com">NGINX</a></td>
<td>Kubernetes Ingress Controller</td>
</tr>
<tr>
<td><img width="32" src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nix-snowflake-colours.svg"></td>
<td><a href="https://nixos.org">Nix</a></td>
<td>Convenient development shell</td>
</tr>
<tr>
<td><img width="32" src="https://ntfy.sh/_next/static/media/logo.077f6a13.svg"></td>
<td><a href="https://ntfy.sh">ntfy</a></td>
<td>Notification service to send notifications to your phone or desktop</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/3380462"></td>
<td><a href="https://prometheus.io">Prometheus</a></td>
<td>Systems monitoring and alerting toolkit</td>
</tr>
<tr>
<td><img width="32" src="https://docs.renovatebot.com/assets/images/logo.png"></td>
<td><a href="https://www.whitesourcesoftware.com/free-developer-tools/renovate">Renovate</a></td>
<td>Automatically update dependencies</td>
</tr>
<tr>
<td><img width="32" src="https://raw.githubusercontent.com/rook/artwork/master/logo/blue.svg"></td>
<td><a href="https://rook.io">Rook Ceph</a></td>
<td>Cloud-Native Storage for Kubernetes</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/48932923?s=200&v=4"></td>
<td><a href="https://tailscale.com">Tailscale</a></td>
<td>VPN without port forwarding</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/13991055?s=200&v=4"></td>
<td><a href="https://www.wireguard.com">Wireguard</a></td>
<td>Fast, modern, secure VPN tunnel</td>
</tr>
<tr>
<td><img width="32" src="https://avatars.githubusercontent.com/u/84780935?s=200&v=4"></td>
<td><a href="https://woodpecker-ci.org">Woodpecker CI</a></td>
<td>Simple yet powerful CI/CD engine with great extensibility</td>
</tr>
<tr>
<td><img width="32" src="https://zotregistry.dev/v2.0.2/assets/images/logo.svg"></td>
<td><a href="https://zotregistry.dev">Zot Registry</a></td>
<td>Private container registry</td>
</tr>
</table>
## Get Started
- [Try it out locally](https://homelab.khuedoan.com/installation/sandbox) without any hardware (just 4 commands!)
- [Deploy on real hardware](https://homelab.khuedoan.com/installation/production/prerequisites) for production workload
## Roadmap
See [roadmap](https://homelab.khuedoan.com/reference/roadmap) and [open issues](https://github.com/khuedoan/homelab/issues) for a list of proposed features and known issues.
## Contributing
Any contributions you make are greatly appreciated.
Please see [contributing guide](https://homelab.khuedoan.com/reference/contributing) for more information.
## License
Copyright © 2020 - 2024 Khue Doan
Distributed under the GPLv3 License.
See [license page](https://homelab.khuedoan.com/reference/license) or `LICENSE.md` file for more information.
## Acknowledgements
References:
- [Ephemeral PXE server inspired by Minimal First Machine in the DC](https://speakerdeck.com/amcguign/minimal-first-machine-in-the-dc)
- [ArgoCD usage and monitoring configuration in locmai/humble](https://github.com/locmai/humble)
- [README template](https://github.com/othneildrew/Best-README-Template)
- [Run the same Cloudflare Tunnel across many `cloudflared` processes](https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel)
- [MAC address environment variable in GRUB config](https://askubuntu.com/questions/1272400/how-do-i-automate-network-installation-of-many-ubuntu-18-04-systems-with-efi-and)
- [Official k3s systemd service file](https://github.com/k3s-io/k3s/blob/master/k3s.service)
- [Official Cloudflare Tunnel examples](https://github.com/cloudflare/argo-tunnel-examples)
- [Initialize GitOps repository on Gitea and integrate with Tekton by RedHat](https://github.com/redhat-scholars/tekton-tutorial/tree/master/triggers)
- [SSO configuration from xUnholy/k8s-gitops](https://github.com/xUnholy/k8s-gitops)
- [Pre-commit config from k8s-at-home/flux-cluster-template](https://github.com/k8s-at-home/flux-cluster-template)
- [Diátaxis technical documentation framework](https://diataxis.fr)
- [Official Terratest examples](https://github.com/gruntwork-io/terratest/tree/master/test)
- [Self-host an automated Jellyfin media streaming stack](https://zerodya.net/self-host-jellyfin-media-streaming-stack)
- [App Template Helm chart by bjw-s](https://bjw-s-labs.github.io/helm-charts/docs/app-template)
- [Various application configurations in onedr0p/home-ops](https://github.com/onedr0p/home-ops)
Here is a list of the contributors who have helped to improve this project.
Big shout-out to them!
- <img width="24" height="24" src="https://github.com/locmai.png?size=24" /> [@locmai](https://github.com/locmai)
- <img width="24" height="24" src="https://github.com/MatthewJohn.png?size=24" /> [@MatthewJohn](https://github.com/MatthewJohn)
- <img width="24" height="24" src="https://github.com/karpfediem.png?size=24" /> [@karpfediem](https://github.com/karpfediem)
- <img width="24" height="24" src="https://github.com/linhng98.png?size=24" /> [@linhng98](https://github.com/linhng98)
- <img width="24" height="24" src="https://github.com/elliotblackburn.png?size=24" /> [@elliotblackburn](https://github.com/elliotblackburn)
- <img width="24" height="24" src="https://github.com/dotdiego.png?size=24" /> [@dotdiego](https://github.com/dotdiego)
- <img width="24" height="24" src="https://github.com/Crimrose.png?size=24" /> [@Crimrose](https://github.com/Crimrose)
- <img width="24" height="24" src="https://github.com/eventi.png?size=24" /> [@eventi](https://github.com/eventi)
- <img width="24" height="24" src="https://github.com/Bourne-ID.png?size=24" /> [@Bourne-ID](https://github.com/Bourne-ID)
- <img width="24" height="24" src="https://github.com/akwan.png?size=24" /> [@akwan](https://github.com/akwan)
- <img width="24" height="24" src="https://github.com/trangmaiq.png?size=24" /> [@trangmaiq](https://github.com/trangmaiq)
- <img width="24" height="24" src="https://github.com/tangowithfoxtrot.png?size=24" /> [@tangowithfoxtrot](https://github.com/tangowithfoxtrot)
- <img width="24" height="24" src="https://github.com/raedkit.png?size=24" /> [@raedkit](https://github.com/raedkit)
- <img width="24" height="24" src="https://github.com/ClashTheBunny.png?size=24" /> [@ClashTheBunny](https://github.com/ClashTheBunny)
- <img width="24" height="24" src="https://github.com/retX0.png?size=24" /> [@retX0](https://github.com/retX0)
- <img width="24" height="24" src="https://github.com/zalsader.png?size=24" /> [@zalsader](https://github.com/zalsader)
- <img width="24" height="24" src="https://github.com/serpro69.png?size=24" /> [@serpro69](https://github.com/serpro69)
- <img width="24" height="24" src="https://github.com/llajas.png?size=24" /> [@llajas](https://github.com/llajas)
- <img width="24" height="24" src="https://github.com/zalsader.png?size=24" /> [@zalsader](https://github.com/zalsader)
If you feel you're missing from this list, please feel free to add yourself in a PR.
## Stargazers over time
[](https://starchart.cc/khuedoan/homelab)
================================================
FILE: apps/actualbudget/Chart.yaml
================================================
apiVersion: v2
name: actualbudget
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/actualbudget/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: docker.io/actualbudget/actual-server
tag: 24.12.0-alpine
service:
main:
ports:
http:
port: 5006
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host budget.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: actualbudget-tls-certificate
persistence:
data:
accessMode: ReadWriteOnce
size: 1Gi
globalMounts:
- path: /data
================================================
FILE: apps/blog/Chart.yaml
================================================
apiVersion: v2
name: blog
version: 0.0.0
dependencies:
- name: app-template
version: 2.2.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/blog/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: registry.khuedoan.com/blog
tag: latest
service:
main:
ports:
http:
port: 3000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
external-dns.alpha.kubernetes.io/target: homelab-tunnel.khuedoan.com
external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
hosts:
- host: &host www.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: blog-tls-certificate
================================================
FILE: apps/excalidraw/Chart.yaml
================================================
apiVersion: v2
name: excalidraw
version: 0.0.0
dependencies:
- name: app-template
version: 2.2.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/excalidraw/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: docker.io/excalidraw/excalidraw
tag: latest
service:
main:
ports:
http:
port: 80
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
external-dns.alpha.kubernetes.io/target: homelab-tunnel.khuedoan.com
external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
hosts:
- host: &host draw.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: excalidraw-tls-certificate
================================================
FILE: apps/homepage/Chart.yaml
================================================
apiVersion: v2
name: homepage
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/homepage/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: ghcr.io/gethomepage/homepage
tag: v0.8.8
service:
main:
ports:
http:
port: 3000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host home.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: homepage-tls-certificate
persistence:
config:
enabled: true
type: configMap
name: homepage-config
globalMounts:
- path: /app/config/settings.yaml
subPath: settings.yaml
- path: /app/config/widgets.yaml
subPath: widgets.yaml
- path: /app/config/services.yaml
subPath: services.yaml
- path: /app/config/bookmarks.yaml
subPath: bookmarks.yaml
configMaps:
config:
enabled: true
data:
settings.yaml: |
background: https://images.unsplash.com/photo-1502790671504-542ad42d5189?auto=format&fit=crop&w=2560&q=80
cardBlur: md
theme: dark
headerStyle: boxed
hideVersion: true
widgets.yaml: |
- search:
provider: google
target: _blank
services.yaml: |
- Popular:
- Matrix:
href: https://chat.khuedoan.com
description: Chat client
icon: element.svg
- Jellyfin:
href: https://jellyfin.khuedoan.com
description: Media system (movies, music, etc.)
icon: jellyfin.svg
- Jellyseerr:
href: https://jellyseerr.khuedoan.com
description: Request media
icon: jellyseerr.svg
- Paperless:
href: https://paperless.khuedoan.com
description: Document management system
icon: paperless.svg
- Management:
- Transmission:
href: https://transmission.khuedoan.com
description: Bittorrent client
icon: transmission.svg
- Prowlarr:
href: https://prowlarr.khuedoan.com
description: Indexer manager
icon: prowlarr.svg
- Radarr:
href: https://radarr.khuedoan.com
description: Movie manager
icon: radarr.svg
- Sonarr:
href: https://sonarr.khuedoan.com
description: TV show manager
icon: sonarr.svg
- Kanidm:
href: https://auth.khuedoan.com
description: Identity management
icon: https://auth.khuedoan.com/pkg/img/logo-square.svg
- Development:
- Gitea:
href: https://git.khuedoan.com
description: Git forge
icon: gitea.svg
- Woodpecker:
href: https://ci.khuedoan.com
description: Continuous integration
icon: woodpecker-ci.svg
- ArgoCD:
href: https://argocd.khuedoan.com
description: Continuous deployment
icon: argocd.svg
- Registry:
href: https://registry.khuedoan.com
description: Container registry
icon: docker.svg
- Grafana:
href: https://grafana.khuedoan.com
description: Observability dashboards
icon: grafana.svg
- Utilities:
- Excalidraw:
href: https://draw.khuedoan.com
description: Virtual whiteboard
icon: excalidraw.svg
- Speedtest:
href: https://speedtest.khuedoan.com
description: Internal network speed test
icon: openspeedtest.png
bookmarks.yaml: |
- Homelab:
- Documentation:
- href: https://homelab.khuedoan.com
icon: google-docs.svg
- Public homelab repository:
- href: https://github.com/khuedoan/homelab
icon: github.svg
- Managed services:
- Cloudflare:
- href: https://dash.cloudflare.com
icon: cloudflare.svg
- Terraform Cloud:
- href: https://app.terraform.io
icon: terraform.svg
- Infrastructure:
- Router:
- href: https://192.168.1.1
icon: router.svg
- Proxmox:
- href: https://proxmox:8006
icon: proxmox.svg
- Google Cloud:
- href: https://console.cloud.google.com
icon: google-cloud-platform.svg
- Oracle Cloud:
- href: https://cloud.oracle.com
icon: oracle-cloud.svg
================================================
FILE: apps/jellyfin/Chart.yaml
================================================
apiVersion: v2
name: jellyfin
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/jellyfin/values.yaml
================================================
app-template:
defaultPodOptions:
securityContext:
fsGroup: 1000
controllers:
main:
containers:
main:
image:
repository: docker.io/jellyfin/jellyfin
tag: 10.8.13
transmission:
image:
repository: lscr.io/linuxserver/transmission
tag: 4.0.5
prowlarr:
image:
repository: lscr.io/linuxserver/prowlarr
tag: 1.13.3
radarr:
image:
repository: lscr.io/linuxserver/radarr
tag: 5.3.6
sonarr:
image:
repository: lscr.io/linuxserver/sonarr
tag: 4.0.2
jellyseerr:
image:
repository: docker.io/fallenbagel/jellyseerr
tag: 1.7.0
service:
main:
ports:
http:
port: 8096
protocol: HTTP
transmission:
port: 9091
protocol: HTTP
prowlarr:
port: 9696
protocol: HTTP
radarr:
port: 7878
protocol: HTTP
sonarr:
port: 8989
protocol: HTTP
jellyseerr:
port: 5055
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &jellyfinHost jellyfin.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
- host: &transmissionHost transmission.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: transmission
- host: &prowlarrHost prowlarr.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: prowlarr
- host: &radarrHost radarr.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: radarr
- host: &sonarrHost sonarr.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: sonarr
- host: &jellyseerrHost jellyseerr.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: jellyseerr
tls:
- secretName: jellyfin-tls-certificate
hosts:
- *jellyfinHost
- *transmissionHost
- *prowlarrHost
- *radarrHost
- *sonarrHost
- *jellyseerrHost
persistence:
data:
accessMode: ReadWriteOnce
size: 50Gi
advancedMounts:
main:
main:
- path: /config
subPath: jellyfin/config
- path: /media/movies
subPath: movies
- path: /media/shows
subPath: shows
transmission:
- path: /config
subPath: transmission/config
- path: /downloads
subPath: transmission/downloads
prowlarr:
- path: /config
subPath: prowlarr/config
radarr:
- path: /config
subPath: radarr/config
- path: /downloads/complete
subPath: transmission/downloads/complete
- path: /movies
subPath: movies
sonarr:
- path: /config
subPath: sonarr/config
- path: /downloads/complete
subPath: transmission/downloads/complete
- path: /shows
subPath: shows
jellyseerr:
- path: /app/config
subPath: jellyseerr/config
================================================
FILE: apps/matrix/Chart.yaml
================================================
apiVersion: v2
name: elementweb
version: 0.0.0
dependencies:
- name: elementweb
version: 0.0.6
repository: https://locmai.github.io/charts # TODO switch to official chart
- name: dendrite
version: 0.13.5
repository: https://matrix-org.github.io/dendrite
================================================
FILE: apps/matrix/values.yaml
================================================
elementweb:
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
hosts:
- host: &frontend_host chat.khuedoan.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: element-tls-certificate
hosts:
- *frontend_host
config:
default:
base_url: https://matrix.khuedoan.com
server_name: khuedoan.com
dendrite:
dendrite_config:
global:
server_name: matrix.khuedoan.com
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hostName: matrix.khuedoan.com
tls:
- hosts:
- matrix.khuedoan.com
secretName: matrix-tls-certificate
postgresql:
enabled: true
================================================
FILE: apps/ollama/Chart.yaml
================================================
apiVersion: v2
name: ollama
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/ollama/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: docker.io/ollama/ollama
tag: 0.1.29
ui:
containers:
main:
image:
repository: ghcr.io/open-webui/open-webui
tag: latest
env:
OLLAMA_BASE_URL: http://ollama:11434
service:
main:
ports:
http:
port: 11434
protocol: HTTP
ui:
controller: ui
ports:
http:
port: 8080
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &ollamaHost ollama.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
- host: &uiHost ai.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: ui
port: http
tls:
- hosts:
- *ollamaHost
- *uiHost
secretName: ollama-tls-certificate
persistence:
data:
accessMode: ReadWriteOnce
size: 10Gi
advancedMounts:
main:
main:
- path: /root/.ollama
================================================
FILE: apps/pairdrop/Chart.yaml
================================================
apiVersion: v2
name: pairdrop
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/pairdrop/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: lscr.io/linuxserver/pairdrop
tag: 1.10.7
service:
main:
ports:
http:
port: 3000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host drop.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: pairdrop-tls-certificate
================================================
FILE: apps/paperless/Chart.yaml
================================================
apiVersion: v2
name: paperless
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/paperless/templates/secret.yaml
================================================
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ .Release.Name }}-secret
namespace: {{ .Release.Namespace }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
dataFrom:
- extract:
key: paperless.admin
================================================
FILE: apps/paperless/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: ghcr.io/paperless-ngx/paperless-ngx
tag: 2.5.4
env:
PAPERLESS_PORT: 8000
PAPERLESS_ADMIN_USER: admin
PAPERLESS_URL: https://paperless.khuedoan.com
envFrom:
- secret: "{{ .Release.Name }}-secret"
redis:
image:
repository: docker.io/library/redis
tag: 7.2.4
service:
main:
ports:
http:
port: 8000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host paperless.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: paperless-tls-certificate
persistence:
data:
accessMode: ReadWriteOnce
size: 10Gi
advancedMounts:
main:
main:
- path: /usr/src/paperless/data
subPath: data
- path: /usr/src/paperless/media
subPath: media
================================================
FILE: apps/speedtest/Chart.yaml
================================================
apiVersion: v2
name: speedtest
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/speedtest/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: docker.io/openspeedtest/latest
tag: latest
service:
main:
ports:
http:
port: 3000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 50m
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host speedtest.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: speedtest-tls-certificate
================================================
FILE: apps/tailscale/Chart.yaml
================================================
apiVersion: v2
name: tailscale
version: 0.0.0
dependencies:
- name: app-template
version: 3.1.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/tailscale/templates/role.yaml
================================================
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/role.yaml
# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tailscale
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
- apiGroups: [""]
resourceNames: ["tailscale"]
resources: ["secrets"]
verbs: ["get", "update", "patch"]
================================================
FILE: apps/tailscale/templates/rolebinding.yaml
================================================
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/rolebinding.yaml
# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tailscale
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: tailscale
roleRef:
kind: Role
name: tailscale
apiGroup: rbac.authorization.k8s.io
================================================
FILE: apps/tailscale/templates/secret.yaml
================================================
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tailscale-auth
namespace: {{ .Release.Namespace }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
data:
- secretKey: TS_AUTHKEY
remoteRef:
key: external
property: tailscale-auth-key
================================================
FILE: apps/tailscale/templates/serviceaccount.yaml
================================================
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/sa.yaml
# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
apiVersion: v1
kind: ServiceAccount
metadata:
name: tailscale
namespace: {{ .Release.Namespace }}
================================================
FILE: apps/tailscale/values.yaml
================================================
app-template:
serviceAccount:
name: tailscale
controllers:
tailscale:
containers:
app:
image:
repository: ghcr.io/tailscale/tailscale
tag: latest
env:
TS_HOSTNAME: homelab-router
TS_USERSPACE: false
TS_KUBE_SECRET: tailscale
TS_ROUTES: 192.168.1.224/27
TS_AUTHKEY:
valueFrom:
secretKeyRef:
name: tailscale-auth
key: TS_AUTHKEY
securityContext:
capabilities:
add:
- NET_ADMIN
================================================
FILE: apps/wireguard/Chart.yaml
================================================
apiVersion: v2
name: wireguard
version: 0.0.0
dependencies:
- name: app-template
version: 3.5.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/wireguard/values.yaml
================================================
app-template:
controllers:
wireguard:
containers:
app:
image:
repository: lscr.io/linuxserver/wireguard
tag: latest
env:
LOG_CONFS: false
USE_COREDNS: true
securityContext:
capabilities:
add:
- NET_ADMIN
service:
wireguard:
controller: wireguard
type: LoadBalancer
ports:
http:
port: 51820
protocol: UDP
persistence:
config:
type: secret
name: "{{ .Release.Name }}-secret"
globalMounts:
- path: /config/wg_confs
rawResources:
secret:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
spec:
spec:
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
data:
- secretKey: WIREGUARD_PRIVATE_KEY
remoteRef:
key: external
property: wireguard-private-key
target:
template:
data:
wg0.conf: |
[Interface]
Address = 172.16.0.1/32
ListenPort = 51820
PrivateKey = {{ `{{ .WIREGUARD_PRIVATE_KEY }}` }}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
# Note that WireGuard will ignore a peer whose public key matches
# the interface's private key. So you can distribute a single
# list of peers everywhere.
# https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html
# Servers
[Peer]
# homelab
PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU=
AllowedIPs = 172.16.0.1/32, 192.168.1.100/32, 192.168.1.224/27
[Peer]
# horus
PublicKey = zVwYqwvGn/IL7o6CD84y4/Y/OnRAUl/jw6T7DtNqWGM=
Endpoint = horus.khuedoan.com:51820
PersistentKeepalive = 25
AllowedIPs = 172.16.0.2/32
# Clients
[Peer]
# khuedoan-ryzentower
PublicKey = qnDY23ZWUOlCRUmB8anpXH1uzX0A17F1YtQJmVi7GWM=
AllowedIPs = 172.16.0.10/32
[Peer]
# khuedoan-thinkpadz13
PublicKey = hSVWn2lBasJeueHApQYmYR0s2zNpXrqZX6F8gyEqpy0=
AllowedIPs = 172.16.0.11/32
[Peer]
# khuedoan-phone
PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U=
AllowedIPs = 172.16.0.12/32
================================================
FILE: docs/.gitignore
================================================
mermaid*.js
================================================
FILE: docs/concepts/certificate-management.md
================================================
# Certificate management
Certificates are generated and managed by [cert-manager](https://cert-manager.io) with [Let's Encrypt](https://letsencrypt.org).
By default certificates are valid for 90 days and will be renewed after 60 days.
cert-manager watches `Ingress` resources across the cluster. When you create an `Ingress` with a [supported annotation](https://cert-manager.io/docs/usage/ingress/#supported-annotations):
```yaml hl_lines="5 13 14"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
name: foo
spec:
rules:
- host: foo.example.com
# ...
tls:
- hosts:
- foo.example.com
secretName: foo-tls-certificate
```
```mermaid
flowchart LR
User -- 6 --> Ingress
subgraph cluster[Homelab cluster]
Ingress --- Secret
Ingress -. 1 .-> Certificate
Certificate -. 5 .-> Secret
Certificate -- 2 --> CertificateRequest -- 3 --> Order -- 4 --> Challenge
end
Order -.- ACMEServer[ACME server]
subgraph dnsprovider[DNS provider]
TXT
end
Challenge -- 4.a --> TXT
ACMEServer -.- Challenge
ACMEServer -. 4.b .-> TXT
```
1. cert-manager creates a corresponding `Certificate` resources
2. Based on the `Certificate` resource, cert-manager creates a `CertificateRequest` resource to request a signed certificate from the configured `ClusterIssuer`
3. The `CertificateRequest` will create an order with an ACME server (we use Let's Encrypt), which is represented by the `Order` resource
4. Then cert-manager will perform a [DNS-01](https://cert-manager.io/docs/configuration/acme/dns01) `Challenge`:
1. Create a DNS TXT record (contains a computed key)
2. The ACME server retrieve this key via a DNS lookup and validate that we own the domain for the requested certificate
7. cert-manager stores the certificate (typically `tls.crt` and `tls.key`) in the `Secret` specified in the `Ingress` configuration
8. Now you can access the HTTPS website with a valid certificate
A much more detailed diagram can be found in the official documentation under [certificate lifecycle](https://cert-manager.io/docs/concepts/certificate/#certificate-lifecycle).
================================================
FILE: docs/concepts/development-shell.md
================================================
# Development shell
The development shell makes it easy to get all of the dependencies needed to interact with the homelab.
## Prerequisites
!!! info
NixOS users can skip this step.
Install Nix using one of the following methods:
- [Official Nix installer](https://nixos.org/download)
- [Determinate Nix Installer](https://docs.determinate.systems/getting-started/#installer)
If you're using the official installer, add the following to your
`~/.config/nix/nix.conf` to enable [Flakes](https://nixos.wiki/wiki/Flakes):
```conf
experimental-features = nix-command flakes
```
## How to open it
Run the following command:
```sh
nix develop
```
It will open a shell with all the dependencies defined in `./flake.nix`:
```
[khuedoan@ryzentower:~/Documents/homelab]$ which kubectl
/nix/store/0558zzzqynzw7rx9dp2i7jymvznd1cqx-kubectl-1.30.1/bin/kubectl
```
!!! tip
If you have [`direnv`](https://direnv.net) installed, you can run `direnv
allow` once and it will automatically enter the Nix shell every time you
`cd` into the project.
================================================
FILE: docs/concepts/pxe-boot.md
================================================
# PXE boot
```mermaid
flowchart TD
subgraph controller[Initial controller]
Ansible
dhcp[DHCP server]
tftp[TFTP server]
http[HTTP server]
end
machine[Bare metal machine]
Ansible -. 1 .-> machine
machine <-. 2, 3 .-> dhcp
machine <-. 4, 5 .-> tftp
machine <-. 6, 7 .-> http
```
1. Ansible: Hey MAC address `xx:xx:xx:xx:xx:xx`, wake up!
2. Machine: Hello everyone, I just woke up in network mode, could someone please show me how to boot?
3. DHCP server: I hear you, here's your IP address, proceed to the next server to obtain your bootloader.
4. Machine: Hello, could you please send me my bootloader?
5. TFTP server: Here you go. Grab your boot configuration, kernel, and initial ramdisk as well.
6. Machine: Hi, I just booted into my bootloader, and my boot parameters instructed me to get the installation instructions, packages, etc. from this site.
7. HTTP server: It's all yours.
8. Machine: Great, now I can install the OS and reboot!
Here's how it looks like in action:
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/y-d7btNNAT8" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
================================================
FILE: docs/concepts/secrets-management.md
================================================
# Secrets management
## Overview
- Global secrets are stored in the `global-secrets` namespace.
- Integrate with GitOps using [External Secrets Operator](https://external-secrets.io).
- Secrets that can be generated are automatically generated and stored in the `global-secrets` namespace.
!!! info
Despite the name _External_ Secrets Operator, global secrets are created in the same cluster and synced
to other namespaces using the [Kubernetes provider](https://external-secrets.io/latest/provider/kubernetes).
While not supported by default in this project, you can also use other external providers such as HashiCorp Vault,
AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, 1Password, etc.
```mermaid
flowchart TD
subgraph global-secrets-namespace[global-secrets namespace]
secret-generator[Secret Generator] -- generate if not exist --> source-secrets[Source Secrets]
end
subgraph app-namespace[application namespace]
ExternalSecret -- create --> Secret
App -- read --> Secret
end
ClusterSecretStore -- read --> source-secrets
ExternalSecret --- ClusterSecretStore
```
## Randomly generated secrets
This is useful when you want to generate random secrets like admin password and store in global secrets.
```yaml title="./platform/global-secrets/files/secret-generator/config.yaml" hl_lines="2-6"
--8<--
./platform/global-secrets/files/secret-generator/config.yaml
--8<--
```
## Extra third-party secrets
For third-party secrets that you don't control, add them to `external/terraform.tfvars` under the `extra_secrets` key,
then run `make external`.
They will be available as a Secret named `external` in the `global-secrets` namespace.
You can use it with `ExternalSecret` just like any other global secret.
## How secrets are pulled from global secrets to other namespaces
When you apply an `ExternalSecret` object, for example:
```yaml hl_lines="4 21-23"
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: gitea
spec:
data:
- remoteRef:
conversionStrategy: Default
key: gitea.admin
property: password
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
target:
creationPolicy: Owner
deletionPolicy: Retain
template:
data:
password: '{{ .password }}'
username: gitea_admin
engineVersion: v2
```
This will create a corresponding Kubernetes secret:
`kubectl describe secrets -n gitea gitea-admin-secret`
```yaml hl_lines="1 8-11"
Name: gitea-admin-secret
Namespace: gitea
Labels: <none>
Annotations: reconcile.external-secrets.io/data-hash: <REDACTED>
Type: Opaque
Data
====
password: 32 bytes
username: 11 bytes
```
Please see the official documentation for more information:
- [External Secrets Operator](https://external-secrets.io)
- [API specification](https://external-secrets.io/latest/spec)
================================================
FILE: docs/concepts/testing.md
================================================
# Testing infrastructure code
We use [Terratest](https://terratest.gruntwork.io) for automated tests.
The tests are written in Go and can be found at `./test`.
TODO: more docs here (PR welcomed)
================================================
FILE: docs/getting-started/install-pre-commit-hooks.md
================================================
# Install pre-commit hooks
Git hook scripts are useful for identifying simple issues before commiting changes.
Install [pre-commit](https://pre-commit.com/#install) first, one-liner for Arch users:
```sh
sudo pacman -S python-pre-commit
```
Then install git hook scripts:
```sh
make git-hooks
```
If you want to enable pre-commit on all repositories without enabling it manually, see [automatically enabling pre-commit on repositories](https://pre-commit.com/#automatically-enabling-pre-commit-on-repositories).
================================================
FILE: docs/getting-started/user-onboarding.md
================================================
# User onboarding
=== "For user"
## Create user
Ask an admin to create your account, provide the following information:
- [ ] Full name (John Doe)
- [ ] Select a username (`johndoe`)
- [ ] Email address (`johndoe@example.com`)
## Install companion apps
For all users:
- [ ] A password manager (I personally recommend [Bitwarden](https://bitwarden.com/download))
- [ ] A [Matrix chat client](https://matrix.org/clients) (optional, you can use the web version)
For technical users:
- [ ] [Docker](https://docs.docker.com/engine/install)
- [ ] [Nix](https://nixos.org/download) and [direnv](https://direnv.net) (optional, but highly recommended)
- [ ] [Lens](https://k8slens.dev) (optional, you can use the included `kubectl` or `k9s` command in the tools container)
=== "For admin"
Run the following script:
```sh
./scripts/onboard-user johndoe "John Doe" "johndoe@example.com"
```
Let the user scan the QR code or follow the link to set up passkeys or password + TOTP.
================================================
FILE: docs/getting-started/vpn-setup.md
================================================
# VPN setup
You can choose between [Tailscale](https://tailscale.com),
[Wireguard](https://www.wireguard.com), or use both like me. I primarily use
WireGuard but keep Tailscale as a backup for when the WireGuard server is down.
## Tailscale (requires third-party account)
Get an [auth key](https://tailscale.com/kb/1085/auth-keys) from [Tailscale admin console](https://login.tailscale.com/admin/authkeys):
- Description: homelab
- Reusable: optionally set this to true
Add it to `external/terraform.tfvars` as an extra secret:
```hcl
extra_secrets = {
tailscale-auth-key = "tskey-auth-myauthkeyhere"
}
```
You may want to back up the `external/terraform.tfvars` file to a secure location.
Apply the secret:
```sh
make external
```
Finally, [enable subnet routes](https://tailscale.com/kb/1019/subnets#step-3-enable-subnet-routes-from-the-admin-console) for `homelab-router`
from the [admin console](https://login.tailscale.com/admin/machines).
You can now connect to your homelab via Tailscale and [invite user to your Tailscale network](https://tailscale.com/kb/1371/invite-users).
## Wireguard (requires port-forwarding)
### Prerequisites
Find your public IP address using:
```sh
curl -4 ifconfig.me
```
If you don’t have a static IP address, use dynamic DNS and replace the IP with
your domain name.
Next, configure port forwarding in your router for the WireGuard service.
!!! example
Each router is different, here's mine for reference:
- Protocol: `UDP`
- Start Port: `51820`
- End Port: `51820`
- Local IP Address: `192.168.1.226` (find it with `kubectl get service -n wireguard wireguard`)
- Start Port Local: `51820`
- End Port Local: `51820`
Generate a key pair for the server:
```sh
wg genkey | tee /dev/tty | wg pubkey
```
This will generate a private key and a public key, in that order. Add the
private key to `external/terraform.tfvars` as an extra secret:
```hcl
extra_secrets = {
wireguard-private-key = "privatekeyhere"
}
```
You may want to back up the `external/terraform.tfvars` file to a secure location.
Apply the secret:
```sh
make external
```
I use `172.16.0.0/12` as the private IP range for WireGuard, but you can choose
any private IP address range you prefer in `./apps/wireguard/values.yaml`. I
also recommend removing my peers and adding your own.
### Add a new device to the server
!!! info
Each device requires its own configuration.
Generate a new key pair for the device. You can generate it for the user, or
they can generate it themselves if they prefer to keep the private key
confidential:
```sh
wg genkey | tee /dev/tty | wg pubkey
```
This will generate a private key and a public key, in that order. The private
key must be saved in a secure password manager, and save the public key for the
next step.
Update the list of peers in `./apps/wireguard/values.yaml`, make sure you
replace all of my peers with yours.
!!! example
Example configuration for my phone:
```ini
[Peer]
PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U=
AllowedIPs = 172.16.0.12/32
```
- The public key is the one generated in the previous step.
- `172.16.0.12/32` is the device's private IP address, manually selected from
the `172.16.0.0/12` range mentioned above.
### Add the Wireguard config to the device
Create a new configuration file for the device:
```ini
[Interface]
Address = <CLIENT PRIVATE IP>/32
PrivateKey = <CLIENT PRIVATE KEY>
[Peer]
PublicKey = <SERVER PUBLIC KEY>
Endpoint = <SERVER PUBLIC IP>:51820
AllowedIPs = <SERVER PRIVATE IP>/32, <LOAD BALANCER IP RANGE>
```
Replace placeholders with actual values and save as `wg0.conf`.
!!! example
Example configuration for my phone:
```ini
[Interface]
Address = 172.16.0.12/32
PrivateKey = <REDACTED>
[Peer]
PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU
Endpoint = <HOME IP>:51820
AllowedIPs = 172.16.0.1/32, 192.168.1.224/27
```
The client can now import this configuration and connect to your WireGuard
mesh. Make sure you clean up the `wg0.conf` file after importing it to the
client.
=== "Mobile"
Generate a QR code from the configuration file:
```sh
qrencode -t ansiutf8 -r wg0.conf
```
Then scan the QR code using the official WireGuard app.
=== "Linux"
Import the WireGuard configuration using NetworkManager:
```sh
nmcli connection import type wireguard file wg0.conf
```
Activate the connection:
```sh
nmcli connection up wg0
```
## Headscale
[Headscale](https://headscale.net) is a self-hosted implementation of the
Tailscale control server that does not require a third-party account. To set it
up, take a look at the changes proposed by [this PR](https://github.com/khuedoan/homelab/pull/190).
================================================
FILE: docs/how-to-guides/add-or-remove-nodes.md
================================================
# Add or remove nodes
Or how to scale vertically. To replace the same node with a clean OS, remove it and add it again.
## Add new nodes
!!! tip
You can add multiple nodes at the same time
Add its details to the inventory **at the end of the group** (masters or workers):
```diff title="metal/inventories/prod.yml"
diff --git a/metal/inventories/prod.yml b/metal/inventories/prod.yml
index 7f6474a..1bb2cbc 100644
--- a/metal/inventories/prod.yml
+++ b/metal/inventories/prod.yml
@@ -8,3 +8,4 @@ metal:
workers:
hosts:
metal3: {ansible_host: 192.168.1.113, mac: '00:23:24:d1:f5:69', disk: sda, network_interface: eno1}
+ metal4: {ansible_host: 192.168.1.114, mac: '00:11:22:33:44:55', disk: sda, network_interface: eno1}
```
Install the OS and join the cluster:
```
make metal
```
That's it!
## Remove a node
!!! danger
It is recommended to remove nodes one at a time
Remove it from the inventory:
```diff title="metal/inventories/prod.yml"
diff --git a/metal/inventories/prod.yml b/metal/inventories/prod.yml
index 7f6474a..d12b50a 100644
--- a/metal/inventories/prod.yml
+++ b/metal/inventories/prod.yml
@@ -4,7 +4,6 @@ metal:
hosts:
metal0: {ansible_host: 192.168.1.110, mac: '00:23:24:d1:f3:f0', disk: sda, network_interface: eno1}
metal1: {ansible_host: 192.168.1.111, mac: '00:23:24:d1:f4:d6', disk: sda, network_interface: eno1}
- metal2: {ansible_host: 192.168.1.112, mac: '00:23:24:e7:04:60', disk: sda, network_interface: eno1}
workers:
hosts:
metal3: {ansible_host: 192.168.1.113, mac: '00:23:24:d1:f5:69', disk: sda, network_interface: eno1}
```
Drain the node:
```sh
kubectl drain ${NODE_NAME} --delete-emptydir-data --ignore-daemonsets --force
```
Remove the node from the cluster
```sh
kubectl delete node ${NODE_NAME}
```
Shutdown the node:
```
ssh root@${NODE_IP} poweroff
```
================================================
FILE: docs/how-to-guides/alternate-dns-setup.md
================================================
# Alternate DNS setup
!!! info
Skip this step if you already use the included Cloudflare setup
Before you can access the home page at <https://home.example.com>, you'll need to update your DNS config.
Some options for DNS config (choose one):
- Change the DNS config at your domain registrar (already included and automated)
- Change the DNS config in your router (also works if you don't own a domain)
- Use [nip.io](https://nip.io) (suitable for a test environment)
## At your domain registrar (recommended)
The default configuration is for Cloudflare DNS, but you can change the code to use other providers.
## In your router
!!! tip
If you don't have a domain, you can use the `home.arpa` domain (according to [RFC-8375](https://datatracker.ietf.org/doc/html/rfc8375)).
You can add each subdomain one by one, or use a wildcard `*.example.com` and point it to the IP address of the load balancer.
To acquire a list of subdomains and their addresses, use this command:
```sh
./scripts/get-dns-config
```
## Use [nip.io](https://nip.io)
Preconfigured in the `dev` branch.
================================================
FILE: docs/how-to-guides/backup-and-restore.md
================================================
# Backup and restore
## Prerequisites
Create an S3 bucket to store backups. You can use AWS S3, Minio, or
any other S3-compatible provider.
- For AWS S3, your bucket URL might look something like this:
`https://s3.amazonaws.com/my-homelab-backup`.
- For Minio, your bucket URL might look something like this:
`https://my-s3-host.example.com/homelab-backup`.
Follow your provider's documentation to create a service account with the
following policy (replace `my-homelab-backup` with your actual bucket name):
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-homelab-backup",
"arn:aws:s3:::my-homelab-backup/*"
]
}
]
}
```
Save the access key and secret key to a secure location, such as a password
manager. While you're at it, generate a new password for Restic encryption and
save it there as well.
!!! example
I use Minio for my homelab backups. Here's how I set it up:
- Create a bucket named `homelab-backup`.
- Create a service account under Identity -> Service Accounts -> Create
Service Account:
- Enable Restrict beyond user policy.
- Paste the policy above.
- Click Create and copy the access key and secret key
- I also set up Minio replication to store backups in two locations: one in
my house and one remotely.
## Add backup credentials to global secrets
Add the following to `external/terraform.tfvars`:
```hcl
extra_secrets = {
restic-password = "xxxxxxxxxxxxxxxxxxxxxxxx"
restic-s3-bucket = "https://s3.amazonaws.com/my-homelab-backup-xxxxxxxxxx"
restic-s3-access-key = "xxxxxxxxxxxxxxxx"
restic-s3-secret-key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
```
Then apply the changes:
```sh
make external
```
You may want to back up the `external/terraform.tfvars` file to a secure location as well.
## Add backup configuration for volumes
!!! warning
Do not run the backup command when building a new cluster where you intend
to restore backups, as it may overwrite existing backup data. To restore
data on a new cluster, refer to the [restore from
backup](#restore-from-backup) section.
For now, you need to run a command to opt-in volumes until we have a better
GitOps solution:
```sh
make backup
```
This command will set up Restic repositories and back up the volumes configured
in `./Makefile`. You can adjust the list there to add or remove volumes from the
backup. You only need to run this command once, the backup configuration will
be stored in the cluster and run on a schedule.
## Restore from backup
The restore process is ad-hoc, you need to run a command to restore application volumes:
```sh
make restore
```
The command above will restore the latest backup of recommended volumes. Like
with backups, you can modify `./Makefile` to adjust the list of volumes you
want to restore.
================================================
FILE: docs/how-to-guides/disable-dhcp-proxy-in-dnsmasq.md
================================================
# Disable DHCP proxy in dnsmasq
## Overview
Dnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal provisioning.
Proxy mode is enabled by default allowing the use of existing DHCP servers on the network.
A good description on how DHCP Proxy works can be found on the related [FOG project wiki page](https://wiki.fogproject.org/wiki/index.php?title=ProxyDHCP_with_dnsmasq).
## Disabling Proxy mode
Certain scenarios will require this project to use a DHCP server, such as an air-gap deployment or dedicated VLAN.
To disable proxy mode thereby using dnsmasq as a DHCP server, modify `metal/roles/pxe_server/defaults/main.yml` and set `dhcp_proxy` to `false`.
================================================
FILE: docs/how-to-guides/expose-services-to-the-internet.md
================================================
# Expose services to the internet
!!! info
This tutorial is for Cloudflare Tunnel users, please skip if you use port forwarding.
Apply the `./external` layer to create a tunnel if you haven't already,
then add the following annotations to your `Ingress` object (replace `example.com` with your domain):
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
external-dns.alpha.kubernetes.io/target: "homelab-tunnel.example.com"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
# ...
```
================================================
FILE: docs/how-to-guides/media-management.md
================================================
# Media management
!!! warning
This is for educational purposes only :wink: Use it at your own risk!
## Initial setup
- Jellyfin `https://jellyfin.example.com`:
- Create an `admin` user and save the credentials to your password manager
- Add media libraries:
- Movies at `/media/movies`
- Shows at `/media/shows`
- Radarr `https://radarr.example.com`:
- Authentication method: Forms
- Create an `admin` user and save the credentials to your password manager
- Navigate to Settings -> Download Clients -> Add -> Transmission (you can keep the default address and port)
- Navigate to Settings -> Media Management -> Add Root Folder `/movies`
- Navigate to Settings -> General -> API Key -> copy it for the next steps (or save it to your password manager)
- Sonarr `https://sonarr.example.com`: same as Radarr but use `/shows` for the root folder
- Prowlarr `https://prowlarr.example.com`:
- Authentication method: Forms
- Create an `admin` user and save the credentials to your password manager
- Navigate to Settings -> Apps -> Add:
- Radarr: paste the API key (you can keep the default address and port)
- Sonarr: same as Radarr
- Go back to Indexers -> Add New Indexers
- Jellyseerr `https://jellyseerr.example.com`:
- Sign In
- Use your Jellyfin account
- URL: `https://jellyfin.example.com`
- Email: you can enter anything
- Username: `admin`
- Password: same as Jellyfin
- Configure Media Server
- Enable Movies and Shows
- Configure Services:
- Add Radarr Server:
- Default Server: true
- Name: Radarr
- Hostname: localhost
- Port: use default
- API Key: from previous step
- Click Test
- Quality Profile: choose whatever suits you
- Root folder: `/movies`
- External URL: `https://radarr.example.com`
- Enable Scan: true
- Add Sonarr Server: similar to Radarr
Optionally, for convenience, you can add a `guest` account without a password in Jellyfin,
allow access to all libraries, and allow that account to manage requests in Jellyseerr.
## Usage
Here's a suggested flow:
- Users using the `guest` account can request media in Jellyseerr
- Admins approve the request (or you can enable auto-approve)
- Wait for the media to be downloaded
- Watch on Jellyfin
You may need to increase the volume size depending on your usage.
================================================
FILE: docs/how-to-guides/run-commands-on-multiple-nodes.md
================================================
# Run commands on multiple nodes
Use [ansible-console](https://docs.ansible.com/ansible/latest/cli/ansible-console.html):
```sh
cd metal
make console
```
Then enter the command(s) you want to run.
!!! example
`root@all (4)[f:5]$ uptime`
```console
metal0 | CHANGED | rc=0 >>
10:52:02 up 2 min, 1 user, load average: 0.17, 0.15, 0.06
metal1 | CHANGED | rc=0 >>
10:52:02 up 2 min, 1 user, load average: 0.14, 0.11, 0.04
metal3 | CHANGED | rc=0 >>
10:52:02 up 2 min, 1 user, load average: 0.03, 0.02, 0.00
metal2 | CHANGED | rc=0 >>
10:52:02 up 2 min, 1 user, load average: 0.06, 0.06, 0.02
```
================================================
FILE: docs/how-to-guides/single-node-cluster-adjustments.md
================================================
# Single node cluster adjustments
!!! danger
This is not officially supported and I don't regularly test it,
I highly recommend using multiple nodes.
Using a single node could lead to data loss unless your backup strategy is rock solid,
make sure you are **ABSOLUTELY CERTAIN** this is what you want.
Update the following changes, then commit and push.
## Remove storage redundancy
Set pod counts and number of data copies to `1`:
```yaml title="system/rook-ceph/values.yaml" hl_lines="4 6 11 12 18 22 25"
rook-ceph-cluster:
cephClusterSpec:
mon:
count: 1
mgr:
count: 1
cephBlockPools:
- name: standard-rwo
spec:
replicated:
size: 1
requireSafeReplicaSize: false
cephFileSystems:
- name: standard-rwx
spec:
metadataPool:
replicated:
size: 1
dataPools:
- name: data0
replicated:
size: 1
metadataServer:
activeCount: 1
activeStandby: false
```
## Disable automatic upgrade
Because they will try to drain the only node, the pods will have no place to go.
Remove them entirely:
```sh
rm -rf system/kured
```
Commit and push the change.
You can revert it later when you add more nodes.
================================================
FILE: docs/how-to-guides/troubleshooting/pxe-boot.md
================================================
# PXE boot
## PXE server logs
To view PXE server (includes DHCP, TFTP and HTTP server) logs:
```sh
./scripts/pxe-logs
```
!!! tip
You can view the logs of one or more containers selectively, for example:
```sh
./scripts/pxe-logs dnsmasq
./scripts/pxe-logs http
```
## Nodes not booting from the network
- Plug a monitor and a keyboard to one of the bare metal node if possible to make the debugging process easier
- Check if the controller (PXE server) is on the same subnet with bare metal nodes (sometimes Wifi will not work or conflict with wired Ethernet, try to turn it off)
- Check if bare metal nodes are configured to boot from the network
- Check if Wake-on-LAN is enabled
- Check if the operating system ISO file is mounted
- Check the controller's firewall config to make sure that the following ports are open:
- DHCP (67/68)
- TFTP (69)
- HTTP (80)
- Check PXE server Docker logs
- Check if the servers are booting to the correct OS (Fedora Server installer instead of the previously installed OS), if not try to select it manually or remove the previous OS boot entry
- Examine the network boot process with [Wireshark](https://www.wireshark.org) or [Termshark](https://termshark.io)
================================================
FILE: docs/how-to-guides/updating-documentation.md
================================================
# Updating documentation (this website)
This project uses the [Diátaxis](https://diataxis.fr) technical documentation framework.
The website is generated using [Material for MkDocs](https://squidfunk.github.io/mkdocs-material) and can be viewed at [homelab.khuedoan.com](https://homelab.khuedoan.com).
There are 4 main parts:
- [Getting started (tutorials)](https://diataxis.fr/tutorials): learning-oriented
- [Concepts (explanation)](https://diataxis.fr/explanation): understanding-oriented
- [How-to guides](https://diataxis.fr/how-to-guides): goal-oriented
- [Reference](https://diataxis.fr/reference): information-oriented
## Local development
To edit and view locally, run:
```sh
make docs
```
Then visit [localhost:8000](http://localhost:8000)
## Deployment
It's running on my other cluster in the [khuedoan/horus](https://github.com/khuedoan/horus) project
(so if the homelab goes down everyone can still read the documentation).
<!-- TODO -->
<!-- This website is running in both my homelab cluster and on my other cluster in the [khuedoan/horus](https://github.com/khuedoan/horus) project (both in `apps/homelab-docs`), -->
<!-- with manual DNS switch over in case I want to rebuild either of them (this is the most cost effective way to do this that I can think of). -->
<!-- You don't have to do this, you can host it on 1 cluster just fine. -->
<!-- But for 0.000000000001% of you who have 2 clusters like me, here's how to switch between them: -->
<!-- - Add the following annotation to the Ingress on the new cluster: `TODO` -->
<!-- - Go to DNS config on Cloudflare dashboard -->
<!-- - Find the TXT record for `homelab.khuedoan.com` and switch the `ownerID` between `homelab` and `horus` -->
<!-- - Wait for the matching CNAME or A record to change -->
<!-- - Check if you can still access the website -->
<!-- - Do what ever you want to do -->
<!-- - (Optional) Switch back to the previous cluster -->
================================================
FILE: docs/how-to-guides/use-both-github-and-gitea.md
================================================
# Use both GitHub and Gitea
Even though we self-host Gitea, you may still want to use GitHub as a backup and for discovery.
Add both push URLs (replace my repositories with yours):
```sh
git remote set-url --add --push origin git@git.khuedoan.com:ops/homelab
git remote set-url --add --push origin git@github.com:khuedoan/homelab
```
Now you can just run `git push` like usual and it will push to both GitHub and Gitea.
================================================
FILE: docs/index.md
================================================
--8<--
README.md
--8<--
================================================
FILE: docs/installation/post-installation.md
================================================
# Post-installation
## Backup secrets
Save the following files to a safe location like a password manager (if you're using the sandbox, you can skip this step):
- `~/.ssh/id_ed25519`
- `~/.ssh/id_ed25519.pub`
- `./metal/kubeconfig.yaml`
- `~/.terraform.d/credentials.tfrc.json`
- `./external/terraform.tfvars`
## Admin credentials
- ArgoCD:
- Username: `admin`
- Password: run `./scripts/argocd-admin-password`
- Gitea:
- Username: `gitea_admin`
- Password: get from `global-secrets` namespace
- Kanidm:
- Usernames: `admin` and `idm_admin`
- Password: run `./scripts/kanidm-reset-password admin` and `./scripts/kanidm-reset-password idm_admin`
- Jellyfin and other applications in the \*arr stack: see the [dedicated guide for media management](../how-to-guides/media-management.md)
- Other apps:
- Username: `admin`
- Password: get from `global-secrets` namespace
## Backup
Now is a good time to set up backups for your homelab.
Follow the [backup and restore guide](../how-to-guides/backup-and-restore.md) to get started.
## Run the full test suite
After the homelab has been stabilized, you can run the full test suite to ensure that everything is working properly:
```sh
make test
```
!!! info
The "full" test suit is still in its early stages, so any contribution is greatly appreciated.
================================================
FILE: docs/installation/production/configuration.md
================================================
# Configuration
Open the [development shell](../../concepts/development-shell.md), which includes all the tools needed:
```sh
nix develop
```
Run the following script to configure the homelab:
```sh
make configure
```
!!! example
<!-- TODO update example input -->
```
Text editor (nvim):
Enter seed repo (github.com/khuedoan/homelab): github.com/example/homelab
Enter your domain (khuedoan.com): example.com
```
It will prompt you to edit the inventory:
- IP address: the desired one, not the current one, since your servers have no operating system installed yet
- Disk: based on `/dev/$DISK`, in my case it's `sda`, but yours can be `sdb`, `nvme0n1`...
- Network interface: usually it's `eth0`, mine is `eno1`
- MAC address: the **lowercase, colon separated** MAC address of the above network interface
!!! example
```yaml title="metal/inventories/prod.yml"
--8<--
metal/inventories/prod.yml
--8<--
```
At the end it will show what has changed. After examining the diff, commit and push the changes.
================================================
FILE: docs/installation/production/deployment.md
================================================
# Deployment
Open the development shell if you haven't already:
```sh
nix develop
```
Build the lab:
```sh
make
```
Yes it's that simple!
!!! example
<script id="asciicast-xkBRkwC6e9RAzVuMDXH3nGHp7" src="https://asciinema.org/a/xkBRkwC6e9RAzVuMDXH3nGHp7.js" async></script>
It will take a while to download everything,
you can read the [architecture document](../../reference/architecture/overview.md) while waiting for the deployment to complete.
================================================
FILE: docs/installation/production/external-resources.md
================================================
# External resources
!!! info
These resources are optional, the homelab still works without them but will lack some features like trusted certificates and offsite backup
Although I try to keep the amount of external resources to the minimum, there's still need for a few of them.
Below is a list of external resources and why we need them (also see some [alternatives](#alternatives) below).
| Provider | Resource | Purpose |
| -------- | -------- | ------- |
| Terraform Cloud | Workspace | Terraform state backend |
| Cloudflare | DNS | DNS and [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) for certificates |
| Cloudflare | Tunnel | Public services to the internet without port forwarding |
| ntfy | Topic | External notification service to receive alerts |
## Create credentials
You'll be asked to provide these credentials on first build.
### Create Terraform workspace
Terraform is stateful, which means it needs somewhere to store its state. Terraform Cloud is one option for a state backend with a generous free tier, perfect for a homelab.
1. Sign up for a [Terraform Cloud](https://cloud.hashicorp.com/products/terraform) account
2. Create a workspace named `homelab-external`, this is the workspace where your homelab state will be stored.
3. Change the "Execution Mode" from "Remote" to "Local". This will ensure your local machine, which can access your lab, is the one executing the Terraform plan rather than the cloud runners.
If you decide to use a [different Terraform backend](https://www.terraform.io/language/settings/backends#available-backends), you'll need to edit the `external/versions.tf` file as required.
### Cloudflare
- Buy a domain and [transfer it to Cloudflare](https://developers.cloudflare.com/registrar/get-started/transfer-domain-to-cloudflare) if you haven't already
- Get Cloudflare email and account ID
- Global API key: <https://dash.cloudflare.com/profile/api-tokens>
<!-- TODO switch to API token instead of API key? -->
<!-- Terraform API token summary: -->
<!-- ``` -->
<!-- This API token will affect the below accounts and zones, along with their respective permissions -->
<!-- └── Khue Doan - Argo Tunnel:Edit, Account Settings:Read -->
<!-- └── khuedoan.com - Zone:Read, DNS:Edit -->
<!-- Client IP Address Filtering -->
<!-- └── Is in - 117.xxx.xxx.xxx, 2402:xxx:xxx:xxx:xxx:xxx:xxx:xxx -->
<!-- ``` -->
<!-- ### Create Minio keys -->
<!-- TODO: skip this for now -->
<!-- ### Create AWS API key -->
<!-- TODO: skip this for now -->
### ntfy
- Choose a topic name like <https://ntfy.sh/random_topic_name_here_a8sd7fkjxlkcjasdw33813> (treat it like you password)
## Alternatives
To avoid vendor lock-in, each external provider must have an equivalent alternative that is easy to replace:
- Terraform Cloud:
- Any other [Terraform backends](https://www.terraform.io/language/settings/backends)
- Cloudflare DNS:
- Update cert-manager and external-dns to use a different provider
- [Alternate DNS setup](../../how-to-guides/alternate-dns-setup.md)
- Cloudflare Tunnel:
- Use port forwarding if it's available
- Create a small VPS in the cloud and utilize Wireguard to route traffic via it
- Access everything via VPN
- See also [awesome tunneling](https://github.com/anderspitman/awesome-tunneling)
- ntfy:
- [Self-host your own ntfy server](https://docs.ntfy.sh/install)
- Any other [integration supported by Grafana Alerting](https://grafana.com/docs/grafana/latest/alerting/alerting-rules/manage-contact-points/integrations/#list-of-supported-integrations)
================================================
FILE: docs/installation/production/prerequisites.md
================================================
# Prerequisites
## Fork this repository
Because [this project](https://github.com/khuedoan/homelab) applies GitOps practices,
it's the source of truth for _my_ homelab, so you'll need to fork it to make it yours:
[:fontawesome-solid-code-fork: Fork khuedoan/homelab](https://github.com/khuedoan/homelab/fork){ .md-button }
By using this project you agree to [the license](../../reference/license.md).
!!! summary "License TL;DR"
- This project is free to use for any purpose, but it comes with no warranty
- You must use the same [GPLv3 license](https://www.gnu.org/licenses/gpl-3.0.en.html) in `LICENSE.md`
- You must keep the copy right notice and/or include an acknowledgement
- Your project must remain open-source
## Hardware requirements
### Initial controller
!!! info
The initial controller is the machine used to bootstrap the cluster, we only need it once, you can use your laptop or desktop
- A **Linux** machine that can run Docker (because the `host` networking driver used for PXE boot [only supports Linux](https://docs.docker.com/network/host/), you can use a Linux virtual machine with bridged networking if you're on macOS or Windows).
### Servers
Any modern `x86_64` computer(s) should work, you can use old PCs, laptops or servers.
!!! info
This is the requirements for _each_ node
| Component | Minimum | Recommended |
| :-- | :-- | :-- |
| CPU | 2 cores | 4 cores |
| RAM | 8 GB | 16 GB |
| Hard drive | 128 GB | 512 GB (depending on your storage usage, the base installation will not use more than 128GB) |
| Node count | 1 (checkout the [single node cluster adjustments](../../how-to-guides/single-node-cluster-adjustments.md) tutorial) | 3 or more for high availability |
Additional capabilities:
- Ability to boot from the network (PXE boot)
- Wake-on-LAN capability, used to wake the machines up automatically without physically touching the power button
### Network setup
- All servers must be connected to the same **wired** network with the initial controller
- You have the access to change DNS config (on your router or at your domain registrar)
## Domain
Buying a domain is highly recommended, but if you don't have one, see [alternate DNS setup](../../how-to-guides/alternate-dns-setup.md).
## BIOS setup
!!! info
You need to do it once per machine if the default config is not sufficent,
usually for consumer hardware this can not be automated
(it requires something like [IPMI](https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface) to automate).
Common settings:
- Enable Wake-on-LAN (WoL) and network boot
- Use UEFI mode and disable CSM (legacy) mode
- Disable secure boot
Boot order options (select one, each has their pros and cons):
1. Only boot from the network if no operating system found: works on most hardware but you need to manually wipe your hard drive or delete the existing boot record for the current OS
2. Prefer booting from the network if turned on via WoL: more convenience but your BIOS must support it, and you must test it throughly to ensure you don't accidentally wipe your servers
!!! example
Below is my BIOS setup for reference. Your motherboard may have a different name for the options, so you'll need to adapt it to your hardware.
```yaml
Devices:
NetworkSetup:
PXEIPv4: true
PXEIPv6: false
Advanced:
CPUSetup:
VT-d: true
Power:
AutomaticPowerOn:
WoL: Automatic # Use network boot if Wake-on-LAN
Security:
SecureBoot: false
Startup:
CSM: false
```
## Gather information
- [ ] MAC address for each machine
- [ ] OS disk name (for example `/dev/sda`)
- [ ] Network interface name (for example `eth0`)
- [ ] Choose a static IP address for each machine (just the desired address, we don't set anything up yet)
================================================
FILE: docs/installation/sandbox.md
================================================
# Development sandbox
The sandbox is intended for trying out the homelab without any hardware or testing changes before applying them to the production environment.
## Prerequisites
Host machine:
- Recommended hardware specifications:
- CPU: 4 cores
- RAM: 16 GiB
- OS: Linux (Windows and macOS are untested, please let me know if it works)
- Available ports: `80` and `443`
Install the following packages:
- `docker`
- `nix` (see [development shell](../concepts/development-shell.md) for the installation guide)
Clone the repository and checkout the development branch:
```sh
git clone https://github.com/khuedoan/homelab
git checkout dev
```
## Build
Open the development shell, which includes all the tools needed:
```sh
nix develop
```
Build a development cluster and bootstrap it:
```
make
```
!!! note
It will take about 15 to 30 minutes to build depending on your internet connection
## Explore
The homepage should be available at <https://home.127-0-0-1.nip.io> (ignore the security warning because we don't have valid certificates).
See [admin credentials](../post-installation/#admin-credentials) for default passwords.
If you want to make some changes, simply commit to the local `dev` branch and push it to Gitea in the sandbox:
```sh
git remote add sandbox https://git.127-0-0-1.nip.io/ops/homelab
git config http.https://git.127-0-0-1.nip.io.sslVerify false
git add foobar.txt
git commit -m "feat: harness the power of the sun"
git push sandbox # you can use the gitea_admin account
```
## Clean up
Delete the cluster:
```sh
k3d cluster delete homelab-dev
```
## Caveats compare to production environment
The development cluster doesn't have the following features:
- There is no valid domain name, hence no SSL certificates (some services require valid SSL certificates)
- Only accessible on the host machine
- No backup
Please keep in mind that the development cluster may be unstable and things may break (it's for development after all).
================================================
FILE: docs/reference/architecture/decision-records.md
================================================
# Decision records
These are the records of design decisions for future reference in order to understand why things are the way they are.
They are not permanent, we can change them in the future if better alternatives become available.
??? Template
## Description of the the change
**Context**
CHANGEME
**Decision**
CHANGEME
**Consequences**
- CHANGEME
## Remove the Docker wrapper for Nix shell
**Context**
The Docker wrapper was originally added because not everyone has Nix installed.
However, it is not a good abstraction. Depending on how Docker (or Podman) was
installed, there may be permission issues, and it is slower than running Nix
directly on the host.
**Decision**
Remove the Docker wrapper and run the Nix development shell directly. While not
everyone has Nix installed, not everyone has the same Docker setup either.
**Consequences**
- Requires an additional step to install Nix, but this is a one-time setup.
- The `make tools` command has been removed, you now need to run `nix develop`
directly. Although it can be added to the `Makefile`, this requires `make` to
be installed, and not everyone has the same version of `make`.
## Remove HashiCorp Vault
**Context**
- HashiCorp changed their license, and it's no longer free/libre software.
One of the highest priorities of this project is to minimize
the usage of non-free software as much as possible, so I don't really
want to keep Vault, especially considering the next point.
- Vault is fairly complex to maintain properly. This project only uses
Vault for two things: basic key-value secret store and its API to
create and manage secrets dynamically. With the new Kubernetes secret
provider in External Secrets, both features can be replaced with
Kubernetes's built-in secrets and API server.
- A related goal of using Vault as an identity provider for SSO will be
discarded, and we'll use Authelia instead, which has a beta identity
provider feature (or use another alternative).
**Decision**
Replace Vault with a simplier in-cluster global secret store.
**Consequences**
Unlike secret path in Vault, Kubernetes does not support `/` in object name.
We need to change secret convention from `path` to `name` and replace `/` with `.`.
Update secret generator config:
```diff
-- path: gitea/admin
+- name: gitea.admin
data:
- key: password
length: 32
```
Update secret references in `kind: ExternalSecret`:
```diff
remoteRef:
- key: /gitea/admin
+ key: gitea.admin
```
## Manage package versions in development shell
**Context**
While Nix is reproducible, we need a way to control the versions of the tools and keep them up-to-date.
For example, if we update the nixpkgs hash (in `flake.nix`) from `abcd1234` to `defa5678`:
- `ansible`: 2.12.1 -> 2.12.6
- `terraform`: 1.2.0 -> 1.2.2
- `foobar`: 1.8.0 -> 1.9.0
That looks good. But when we update it from `defa5678` to `cdef9012`:
- `ansible`: 2.12.6 -> 2.13.0
- `terraform`: 1.2.2 -> 1.3.1
- `foobar`: 1.9.0 -> 2.0.0
This time it breaks `foobar` because the new major version contains a breaking change.
We can pin the specific version of each dependency in `flake.nix`,
however, the maintenance burden is too high (even with Renovate) because we need to update the version of each package regularly rather than just the nixpkgs hash.
Instead, we can just bump the nixpkgs hash and run some tests to ensure there is no breaking change.
**Decision**
Update the tests to ensure that the versions remain within the desired range (i.e. no breaking change).
**Consequences**
We have the rail guard from the tests to ensure that we don't upgrade to a new major version with breaking changes,
and we can make a conscious decision to take the necessary steps prior to upgrading to the new major version.
## Refactor the tools container from plain Dockerfile to [Nix](https://nixos.org)
**Context**
The previous implementation of the tools container is not reproducible, if someone builds it a few weeks after me, they will receive different versions of the tools.
Also, if you change something in the tool list, everything will be downloaded again, with no caching.
**Decision**
Move to Nix shell with a Docker wrapper, in case Nix is not available (see commit `adbaf32`).
**Consequences**
- All versions are pinned
- When you change the list of tools, rebuilding is much faster
## Combine dhcpd and tftpd to dnsmasq in PXE server
**Context**
[Original proposal from @Bourne-ID](https://github.com/khuedoan/homelab/issues/70):
> **Issue statement**
>
> The use of dhcpd is great for air-gap solutions where a new DHCP is required. However for some home networks which does not have the VLAN capability or for users who would like to use common router DHCP services, the use of DHCPD will cause duplicate DHCP servers and will result in potential network disruption, or will limit the ability to auto-provision the Metal stage of this project.
>
> **Proposed Solution: DHCP Proxy**
>
> Use DHCP Proxy services to add PXE features such as Next Server into this project. This allows for users to use the existing DHCP servers which may be locked down or incapable of using Next Server/PXE settings on their network to be able to auto-provision hardware through PXE (with certain common configurations, like static IP allocation or reduction in DHCP request ranges on the DHCP server)
>
> **Proposed Application: DNSMasq**
>
> DNSMasq in Proxy mode interoperates with existing DHCP servers over IPv4 to add features such as next-server, TFTP, etc. where such hardware is either locked or unconfigurable for such services. This would be an opt-in change, configurable through the pxe_server defaults file.
>
> **Proposed Target Audience**
>
> Users who either do not want to create their own VLAN or lack the hardware to configure such services. Users who want to use common router services for DHCP and have router access to configure static IP and/or DHCP allocation ranges.
>
> **Additional Risks with Proposed Change**
>
> - Additional Surface Area for Break-Out Attacks: Originally this project is locked to its own DHCP/VLAN, so any break-outs should be contained accordingly. Using common home networks increases the surface area of break-out attacks if the deployment is compromised.
> - Mitigation: Enrolment into this change is opt in only.
>
> **Proposed Next Steps**
>
> 1. Trial/Adopt/Halt - A discussion with all or a decision by the project maintainers to identify if this change should exist in this project or live on a fork.
> 2. Documentation (This is in flight in any situation).
**Decision**
Migrate to dnsmasq (see commit `f650c89`, thanks to [@Bourne-ID](https://github.com/Bourne-ID))
**Consequences**
- DHCP proxy is enabled by default because most people have a standard home network with existing DHCP server, but it can still be disabled to restore the previous behavior
## Migrate documentation from [mdBook](https://rust-lang.github.io/mdBook) to [MkDocs](https://squidfunk.github.io/mkdocs-material)
**Context**
mdBook is very minimal and light weight, which I personally prefer.
However, [Backstage TechDocs](https://backstage.io/docs/features/techdocs/techdocs-overview) which I plan to use currently only supports mkDocs.
**Decision**
Migrate documentation from mdBook to MkDocs (see commit `cd41343`).
**Consequences**
- We can no longer include only a portion of a file, see [facelessuser/pymdown-extensions#1462](https://github.com/facelessuser/pymdown-extensions/issues/1462).
## Choosing the base OS
**Context**
I've tried several distributions, and each has advantages and disadvantages.
Fedora has a good (enough) balance between stability and new features.
Alternatives considered:
- Fedora CoreOS (moved to Rocky in `7667254`):
- Pros: automatic and atomic upgrade, immutable, quick installation
- Cons: hard to run Ansible on (Python is not included)
- CentOS/Rocky Linux (moved to Fedora in `022b816`):
- Pros: relatively stable (however we did encounter a breaking change [#63](https://github.com/khuedoan/homelab/issues/63), still not sure why)
- Cons: kernel and packages are too old
- Debian: couldn't get it to work with PXE boot and Rocky Linux was sufficient so I didn't push any further
- Cluster API (previous attempt in ` a8e4a85`, I hope to get this to work someday):
- Pros: control bare metal machines via Kubernetes API, open the possibility for autoscaling and autohealing
- Cons: doesn't support simple WoL and shutdown via SSH (or similar)
**Decision**
Use Fedora as the base OS.
**Consequences**
`¯\_(ツ)_/¯`
================================================
FILE: docs/reference/architecture/networking.md
================================================
# Networking
```mermaid
flowchart TD
subgraph LAN
laptop/desktop/phone <--> LoadBalancer
subgraph k8s[Kubernetes cluster]
Pod --> Service
Service --> Ingress
LoadBalancer
cloudflared
cloudflared <--> Ingress
end
LoadBalancer <--> Ingress
end
cloudflared -- outbound --> Cloudflare
Internet -- inbound --> Cloudflare
```
TODO (PR welcomed)
================================================
FILE: docs/reference/architecture/overview.md
================================================
# Overview
## Components
```
+--------------+
| ./apps |
|--------------|
| ./platform |
|--------------| +------------+
| ./system |- - - -| ./external |
|--------------| +------------+
| ./metal |
|--------------|
| HARDWARE |
+--------------+
```
Main components:
- `./metal`: bare metal management, install Linux and Kubernetes
- `./system`: critical system components for the cluster (load balancer, storage, ingress, operation tools...)
- `./platform`: essential components for service hosting platform (git, build runners, dashboards...)
- `./apps`: user facing applications
- `./external` (optional): externally managed services
Support components:
- `./docs`: all documentation go here, this will generate a searchable web UI
- `./scripts`: scripts to automate common tasks
## Provisioning flow
Everything is automated, after you edit the configuration files, you just need to run a single `make` command and it will:
- (1) Build the `./metal` layer:
- Create an ephemeral, stateless PXE server
- Install Linux on all servers in parallel
- Build a Kubernetes cluster (based on k3s)
- (2) Bootstrap the `./system` layer:
- Install ArgoCD and the root app to manage itself and other layers, from now on ArgoCD will do the rest
- Install the remaining components (storage, monitoring, etc)
- (3) Build the `./platform` layer (Gitea, Grafana, SSO, etc)
- (4) Deploy applications in the `./apps` layer
```mermaid
flowchart TD
subgraph metal[./metal]
pxe[PXE Server] -.-> linux[Fedora Server] --> k3s
end
subgraph system[./system]
argocd[ArgoCD and root app]
nginx[NGINX]
rook-ceph[Rook Ceph]
cert-manager
external-dns[External DNS]
cloudflared
end
subgraph external[./external]
letsencrypt[Let's Encrypt]
cloudflare[Cloudflare]
end
letsencrypt -.-> cert-manager
cloudflare -.-> cert-manager
cloudflare -.-> external-dns
cloudflare -.-> cloudflared
subgraph platform[./platform]
Gitea
Woodpecker
Grafana
end
subgraph apps[./apps]
homepage[Homepage]
jellyfin[Jellyfin]
matrix[Matrix]
paperless[Paperless]
end
make[Run make] -- 1 --> metal -- 2 --> system -. 3 .-> platform -. 4 .-> apps
```
================================================
FILE: docs/reference/changelog.md
================================================
# Changelog
## v0.0.8
Notable changes:
- **build:** run post install scripts by default
- **build:** set `KUBECONFIG` from global Makefile
- **feat(external-dns)!:** add cluster name as owner ID
- **feat(tools):** install `yamllint`, `ansible-lint` and `k9s`
- **feat(tools):** set `KUBECONFIG` by default
- **feat:** add pre-commit hooks
- **feat:** add script to setup Gitea tokens and OAuth apps
- **perf(argocd):** turning on selective sync
- **refactor(docs):** migrate to [mkdocs](https://squidfunk.github.io/mkdocs-material)
- **refactor(metal):** migrate to Fedora 36 for newer packages
- **refactor(pxe)!:** combine dhcpd and tftpd to dnsmasq
- Many bug fixes
Please see git log for full change log.
## 0.0.7-alpha
- Replace standard Vault with Vault Operator
- Automatically initialize and unseal Vault
- Declarative secret generation and management
- Declarative Gitea configuration with YAML
- Automatic OS rolling upgrade
- Automatic Kubernetes rolling upgrade
- Automatic application updates using Renovate (still require manual token generation)
- Add script to wait for essential services after deployment
- Add icons and bookmarks to the home page
- Deploy Matrix chat
- Replace Authentik with Dex for SSO (still require manual token generation)
- Switch to Mermaid for diagrams in documentation
- Replace Vagrant with k3d for development environment
- Use nip.io domain for development environment
- Remove Backblaze (S3 Glacier and/or Minio will be added in future version)
- Enable monitor for the majority of applications
- Many code refactorings and bug fixes
## 0.0.6-alpha
- Upgrade to Kubernetes 1.23
- Support external resources:
- Cloudflare DNS and Tunnel
- Backblaze for backup
- Auto inject secrets to required namespaces
- Replace self-signed certificates with Let's Encrypt production (with API token injected from the `external` layer)
- Add DNS records automatically using external-dns
- Easy Cloudflare Tunnel configuration with annotations
- Offsite backup to Backblaze B2 bucket using k8up-operator
- Add private container registry
- Remove Knative to save resources (temporarily)
- Enable encryption at rest for Kubernetes Secrets
- Add more Tekton tasks and pipelines
- Initialize GitOps repository on Gitea automatically after install
- Generate MetalLB address pool automatically (default to the last `/27` subnet)
- Some bug fixes
## 0.0.5-alpha
- Add convenience scripts
- Add Loki for logging
- Add custom health check for Application and ApplicationSet
- Use Vault with dev mode on (temporarily until we hit beta)
- Replace Authelia with Authentik
- Upgrade to Kubernetes 1.22
- Upgrade most services to the latest version
- Set ingress class and storage class explicitly
- Initial Linkerd and Knative setup (not working yet)
- Set up Hajimari for home page with automatic ingress discovery
- Add dev VM for local development or evaluation
- Optimize bare metal provisioning performance
- Replace Syncthing with Seafile (may use both in the feature)
- Enable Gitea SSH cloning via Ingress
- Various code clean up
- Add more documents
## 0.0.4-alpha
- Switch to Rocky Linux
- Some optimization for bare metal provisioning
- Switch to k3s and combine Kubernetes cluster config in `./infra` layer to `./metal` layer (because k3s is also configured using Ansible)
- Split boostrap Helm charts in `./infra` layer to `./bootstrap` layer (with new ArgoCD pattern) and `./system` layer
- Add `./platform` layer for some applications like Gitea, Tekton...
- User only need to provision `./metal` and `bootstrap` layer, the `./bootstrap` layer will deploy the remaining layers
- Provisioning time from empty disk to running services is significantly reduced (thanks to k3s and new bootstrap pattern)
- Use [mdBook](https://rust-lang.github.io/mdBook/) for documents
- Replace Drone CI with Tekton
- Enable TLS on all Ingresses (using [cert-manager](https://cert-manager.io))
- Add some new applications
## 0.0.3-alpha
- Generate Terraform backend config automatically
- Switch to CoreOS
- Better PXE boot setup
- Diagrams as code
## 0.0.2-alpha
- Ensure idempotency for bare metal provisioning
- Extract instead of mounting the OS ISO file
- Easy initial controller setup (with only Docker)
- Switch to Fedora
- Remove LXD
- Move etcd (Terraform state backend) back to Docker
## 0.0.1-alpha
- Bare metal provisioning with PXE
- LXD cluster
- Terraform state backend (etcd)
- RKE cluster
- Core services (Vault, Gitea, ArgoCD,...)
- Public services to the internet (via port forwarding or Cloudflare Tunnel)
================================================
FILE: docs/reference/contributing.md
================================================
# Contributing
## How to contribute
### Bug report
You can [create a new GitHub issue](https://github.com/khuedoan/homelab/issues/new/choose) with the bug report template.
### Submitting patches
Because you may have a lot of changes in your fork, you can't create a pull request directly from your `master` branch.
Instead, create a branch from the upstream repository and commit your changes there:
```sh
git remote add upstream https://github.com/khuedoan/homelab
git fetch upstream
git checkout upstream/master
git checkout -b contrib-fix-something
# Make your changes here
#
# nvim README.md
# git cherry-pick a1b2c3
#
# commit, push, etc. as usual
```
Then you can send the patch using [GitHub pull request](https://github.com/khuedoan/homelab/pulls) or `git send-email` to <mail@khuedoan.com>.
================================================
FILE: docs/reference/faq.md
================================================
# FAQ
## Is it necessary to install Linux on my servers before setting up the homelab?
No, and that's the beauty of this setup.
You start with empty hard drives, type a single command on your laptop/PC,
and it will install the operating system for you automatically and in parallel over the network.
## Is it necessary to keep the PXE server running?
No, the ephemeral PXE server is stateless, once Linux is installed on your servers,
you can shut it down (or not, ideally, you don't even need to be aware of its existence).
The Ansible setup in `./metal` is idempotent and will start the PXE server if needed.
================================================
FILE: docs/reference/license.md
================================================
Copyright © 2020 - 2024 Khue Doan
--8<--
LICENSE.md
--8<--
================================================
FILE: docs/reference/roadmap.md
================================================
# Roadmap
!!! info
Current status: **ALPHA**
## Alpha requirements
Literally anything that works.
## Beta requirements
Good enough for tinkering and personal usage, and reasonably secure.
- [x] Automated bare metal provisioning
- [x] Controller set up (Docker)
- [x] OS installation (PXE boot)
- [x] Automated cluster creation (k3s)
- [x] Automated application deployment (ArgoCD)
- [x] Automated DNS management
- [x] Initialize GitOps repository on Gitea automatically
- [x] Observability
- [x] Monitoring
- [x] Logging
- [x] Alerting
- [x] SSO
- [ ] Reasonably secure
- [x] Automated certificate management
- [x] Declarative secret management
- [ ] Replace all default passwords with randomly generated ones
- [x] Expose services to the internet securely with Cloudflare Tunnel
- [x] Only use open-source technologies (except external managed services in `./external`)
- [x] Everything is defined as code
- [ ] Backup solution (3 copies, 2 seperate devices, 1 offsite)
- [ ] Define [SLOs](https://en.wikipedia.org/wiki/Service-level_objective):
- [ ] 70% availability (might break in the weekend due to new experimentation)
- [x] Core applications
- [x] Gitea
- [x] Woodpecker
- [x] Private container registry
- [x] Homepage
## Stable requirements
Can be used in "production" (for family or even small scale businesses).
- [x] A single command to deploy everything
- [x] Fast deployment time (from empty hard drive to running services in under 1 hour)
- [ ] Fully _automatic_, not just _automated_
- [x] Bare-metal OS rolling upgrade
- [x] Kubernetes version rolling upgrade
- [x] Application version upgrade
- [ ] Encrypted backups
- [ ] Secrets rotation
- [x] Self healing
- [ ] Secure by default
- [ ] SELinux
- [ ] Network policies
- [ ] Static code analysis
- [ ] Chaos testing
- [x] Minimal dependency on external services
- [ ] Complete documentation
- [x] Diagram as code
- [x] Book (this book)
- [ ] Walkthrough tutorial and feature demo (video)
- [x] Configuration script for new users
- [ ] More dashboards and alert rules
- [ ] SLOs:
- [ ] 99,9% availability (less than 9 hours of downtime per year)
- [ ] 99,99% data durability
- [ ] Clear upgrade path
- [ ] Additional applications
- [ ] Matrix with bridges
- [ ] VPN server
- [ ] PeerTube
- [x] Blog
- [ ] [Development dashboard](https://github.com/khuedoan/homelab-backstage)
## Unplanned
Nice to have
- [ ] Addition applications
- [ ] Mail server
- [ ] Air-gap install
- [ ] Automated testing
- [ ] Security audit
- [ ] Cluster API ([last attempt](https://github.com/khuedoan/homelab/pull/2))
- [ ] Split DNS (requires a better router)
================================================
FILE: external/.gitignore
================================================
.terraform*
terraform.tfstate
terraform.tfvars
================================================
FILE: external/Makefile
================================================
.POSIX:
default: apply
~/.terraform.d/credentials.tfrc.json:
tofu login
terraform.tfvars:
cp terraform.tfvars.example ${@}
nvim ${@}
.terraform.lock.hcl: ~/.terraform.d/credentials.tfrc.json versions.tf terraform.tfvars
tofu init
touch ${@}
namespaces:
ansible-playbook namespaces.yml
plan: .terraform.lock.hcl
tofu plan
apply: .terraform.lock.hcl namespaces
tofu apply -auto-approve
================================================
FILE: external/main.tf
================================================
module "cloudflare" {
source = "./modules/cloudflare"
cloudflare_account_id = var.cloudflare_account_id
cloudflare_email = var.cloudflare_email
cloudflare_api_key = var.cloudflare_api_key
}
module "ntfy" {
source = "./modules/ntfy"
auth = var.ntfy
}
module "extra_secrets" {
source = "./modules/extra-secrets"
data = var.extra_secrets
}
================================================
FILE: external/modules/cloudflare/main.tf
================================================
data "cloudflare_zone" "zone" {
name = "khuedoan.com"
}
data "cloudflare_api_token_permission_groups" "all" {}
resource "random_password" "tunnel_secret" {
length = 64
special = false
}
resource "cloudflare_tunnel" "homelab" {
account_id = var.cloudflare_account_id
name = "homelab"
secret = base64encode(random_password.tunnel_secret.result)
}
# Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns.
resource "cloudflare_record" "tunnel" {
zone_id = data.cloudflare_zone.zone.id
type = "CNAME"
name = "homelab-tunnel"
value = "${cloudflare_tunnel.homelab.id}.cfargotunnel.com"
proxied = false
ttl = 1 # Auto
}
resource "kubernetes_secret" "cloudflared_credentials" {
metadata {
name = "cloudflared-credentials"
namespace = "cloudflared"
annotations = {
"app.kubernetes.io/managed-by" = "Terraform"
}
}
data = {
"credentials.json" = jsonencode({
AccountTag = var.cloudflare_account_id
TunnelName = cloudflare_tunnel.homelab.name
TunnelID = cloudflare_tunnel.homelab.id
TunnelSecret = base64encode(random_password.tunnel_secret.result)
})
}
}
resource "cloudflare_api_token" "external_dns" {
name = "homelab_external_dns"
policy {
permission_groups = [
data.cloudflare_api_token_permission_groups.all.zone["Zone Read"],
data.cloudflare_api_token_permission_groups.all.zone["DNS Write"]
]
resources = {
"com.cloudflare.api.account.zone.*" = "*"
}
}
}
resource "kubernetes_secret" "external_dns_token" {
metadata {
name = "cloudflare-api-token"
namespace = "external-dns"
annotations = {
"app.kubernetes.io/managed-by" = "Terraform"
}
}
data = {
"value" = cloudflare_api_token.external_dns.value
}
}
resource "cloudflare_api_token" "cert_manager" {
name = "homelab_cert_manager"
policy {
permission_groups = [
data.cloudflare_api_token_permission_groups.all.zone["Zone Read"],
data.cloudflare_api_token_permission_groups.all.zone["DNS Write"]
]
resources = {
"com.cloudflare.api.account.zone.*" = "*"
}
}
}
resource "kubernetes_secret" "cert_manager_token" {
metadata {
name = "cloudflare-api-token"
namespace = "cert-manager"
annotations = {
"app.kubernetes.io/managed-by" = "Terraform"
}
}
data = {
"api-token" = cloudflare_api_token.cert_manager.value
}
}
================================================
FILE: external/modules/cloudflare/variables.tf
================================================
variable "cloudflare_email" {
type = string
}
variable "cloudflare_api_key" {
type = string
sensitive = true
}
variable "cloudflare_account_id" {
type = string
}
================================================
FILE: external/modules/cloudflare/versions.tf
================================================
terraform {
required_providers {
cloudflare = {
source = "cloudflare/cloudflare"
version = "~> 4.30.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.26.0"
}
http = {
source = "hashicorp/http"
version = "~> 3.4.0"
}
}
}
provider "cloudflare" {
email = var.cloudflare_email
api_key = var.cloudflare_api_key
}
================================================
FILE: external/modules/extra-secrets/main.tf
================================================
resource "kubernetes_secret" "external" {
metadata {
name = var.name
namespace = var.namespace
annotations = {
"app.kubernetes.io/managed-by" = "Terraform"
}
}
data = var.data
}
================================================
FILE: external/modules/extra-secrets/variables.tf
================================================
variable "name" {
type = string
default = "external"
}
variable "namespace" {
type = string
default = "global-secrets"
}
variable "data" {
type = map(string)
}
================================================
FILE: external/modules/extra-secrets/versions.tf
================================================
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.26.0"
}
}
}
================================================
FILE: external/modules/ntfy/main.tf
================================================
resource "kubernetes_secret" "ntfy_auth" {
metadata {
name = "webhook-transformer"
namespace = "monitoring-system"
annotations = {
"app.kubernetes.io/managed-by" = "Terraform"
}
}
data = {
NTFY_URL = var.auth.url
NTFY_TOPIC = var.auth.topic
}
}
================================================
FILE: external/modules/ntfy/variables.tf
================================================
variable "auth" {
type = object({
url = string
topic = string
})
}
================================================
FILE: external/modules/ntfy/versions.tf
================================================
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.26.0"
}
}
}
================================================
FILE: external/namespaces.yml
================================================
- hosts: localhost
tasks:
- name: Ensure required namespaces exist
kubernetes.core.k8s:
api_version: v1
kind: Namespace
name: "{{ item }}"
state: present
loop:
- cert-manager
- cloudflared
- external-dns
- global-secrets
- k8up-operator
- monitoring-system
================================================
FILE: external/terraform.tfvars.example
================================================
# https://dash.cloudflare.com/profile
cloudflare_email = "myaccount@example.com"
# https://developers.cloudflare.com/fundamentals/setup/find-account-and-zone-ids
cloudflare_account_id = "foobarid"
# https://dash.cloudflare.com/profile/api-tokens
cloudflare_api_key = "foobarkey"
ntfy = {
# https://ntfy.sh or your own instance
url = "https://ntfy.sh"
# Your topic name
topic = "random_topic_name_here_a8sd7fkjxlkcjasdw33813"
}
extra_secrets = {
# Try to keep this to a minimum with third-party secrets
# Consider using the secret generator if possible
# ../platform/global-secrets/files/secret-generator/config.yaml
# Here's some examples of what you might want to add:
#
# wireguard-private-key = "wg genkey output here"
# tailscale-auth-key = "tskey-auth-xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# restic-password = "xxxxxxxxxxxxxxxxxxxxxxxx"
# restic-s3-bucket = "https://s3.amazonaws.com/my-homelab-backup-xxxxxxxxxx"
# restic-s3-access-key = "xxxxxxxxxxxxxxxx"
# restic-s3-secret-key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
================================================
FILE: external/variables.tf
================================================
variable "cloudflare_email" {
type = string
}
variable "cloudflare_api_key" {
type = string
sensitive = true
}
variable "cloudflare_account_id" {
type = string
}
variable "ntfy" {
type = object({
url = string
topic = string
})
sensitive = true
}
variable "extra_secrets" {
type = map(string)
description = "Key-value pairs of extra secrets that cannot be randomly generated (e.g. third party API tokens)"
sensitive = true
default = {}
}
================================================
FILE: external/versions.tf
================================================
terraform {
required_version = "~> 1.7"
backend "remote" {
hostname = "app.terraform.io"
organization = "khuedoan"
workspaces {
name = "homelab-external"
}
}
required_providers {
cloudflare = {
source = "cloudflare/cloudflare"
version = "~> 4.30.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.26.0"
}
http = {
source = "hashicorp/http"
version = "~> 3.4.0"
}
}
}
provider "cloudflare" {
email = var.cloudflare_email
api_key = var.cloudflare_api_key
}
provider "kubernetes" {
# Use KUBE_CONFIG_PATH environment variables
# Or in cluster service account
}
================================================
FILE: flake.nix
================================================
{
description = "Homelab";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
flake-utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, flake-utils }:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = import nixpkgs { inherit system; };
in
with pkgs;
{
devShells.default = mkShell {
packages = [
ansible
ansible-lint
bmake
diffutils
docker
docker-compose
dyff
git
glibcLocales
go
gotestsum
iproute2
jq
k9s
kanidm
kube3d
kubectl
kubernetes-helm
kustomize
libisoburn
neovim
openssh_gssapi
opentofu # Drop-in replacement for Terraform
p7zip
pre-commit
qrencode
shellcheck
wireguard-tools
yamllint
(python3.withPackages (p: with p; [
jinja2
kubernetes
mkdocs-material
netaddr
pexpect
rich
]))
];
};
}
);
}
================================================
FILE: metal/Makefile
================================================
.POSIX:
env ?= prod
export KUBECONFIG = $(shell pwd)/kubeconfig.yaml
default: boot cluster
~/.ssh/id_ed25519:
ssh-keygen -t ed25519 -P '' -f "$@"
boot: ~/.ssh/id_ed25519
ansible-playbook \
--inventory inventories/${env}.yml \
boot.yml
cluster:
ansible-playbook \
--inventory inventories/${env}.yml \
cluster.yml
console:
ansible-console \
--inventory inventories/${env}.yml
================================================
FILE: metal/ansible.cfg
================================================
[defaults]
host_key_checking=false
stdout_callback=debug
stderr_callback=debug
force_color=true
================================================
FILE: metal/boot.yml
================================================
- name: Start PXE server
hosts: localhost
roles:
- pxe_server
- name: Provision bare metal machines
hosts: metal
gather_facts: false
roles:
- wake
================================================
FILE: metal/cluster.yml
================================================
- name: Create Kubernetes cluster
hosts: metal
roles:
- prerequisites
- k3s
- automatic_upgrade
- name: Install Kubernetes addons
hosts: localhost
roles:
- cilium
================================================
FILE: metal/group_vars/all.yml
================================================
ansible_user: root
ansible_ssh_private_key_file: ~/.ssh/id_ed25519
ssh_public_key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
dns_server: "8.8.8.8"
================================================
FILE: metal/inventories/prod.yml
================================================
all:
vars:
control_plane_endpoint: 192.168.1.100
load_balancer_ip_pool:
- 192.168.1.224/27
metal:
children:
masters:
hosts:
metal0: {ansible_host: 192.168.1.110, mac: '00:23:24:d1:f5:69', disk: sda, network_interface: eno1}
metal1: {ansible_host: 192.168.1.111, mac: '00:23:24:d1:f3:f0', disk: sda, network_interface: eno1}
metal2: {ansible_host: 192.168.1.112, mac: '00:23:24:e7:04:60', disk: sda, network_interface: eno1}
workers:
hosts:
metal3: {ansible_host: 192.168.1.113, mac: '00:23:24:d1:f4:d6', disk: sda, network_interface: eno1}
================================================
FILE: metal/inventories/stag.yml
================================================
metal:
children:
masters:
hosts:
proxmox0: {ansible_host: 192.168.1.169, mac: 'c2:f5:cf:1f:3e:c0', disk: sda, network_interface: ens18}
workers:
hosts: {}
================================================
FILE: metal/k3d-dev.yaml
================================================
apiVersion: k3d.io/v1alpha4
kind: Simple
metadata:
name: homelab-dev
image: docker.io/rancher/k3s:v1.27.1-k3s1
servers: 1
agents: 0
options:
k3s:
extraArgs:
- arg: --disable=traefik
nodeFilters:
- server:*
- arg: --disable-cloud-controller
nodeFilters:
- server:*
ports:
- port: 80:80
nodeFilters:
- loadbalancer
- port: 443:443
nodeFilters:
- loadbalancer
================================================
FILE: metal/roles/automatic_upgrade/files/automatic.conf
================================================
[commands]
upgrade_type = default
apply_updates = yes
================================================
FILE: metal/roles/automatic_upgrade/tasks/main.yml
================================================
- name: Install packages for automatic upgrade
ansible.builtin.dnf:
name:
- dnf-automatic
- dnf-utils
- name: Copy automatic upgrade config file
ansible.builtin.copy:
src: automatic.conf
dest: /etc/dnf/automatic.conf
mode: 0644
- name: Enable automatic upgrade service
ansible.builtin.systemd:
name: dnf-automatic.timer
state: started
enabled: true
================================================
FILE: metal/roles/cilium/defaults/main.yml
================================================
cilium_repo_url: https://helm.cilium.io
cilium_version: 1.16.1
cilium_namespace: kube-system
cilium_values:
operator:
replicas: 1
kubeProxyReplacement: true
l2announcements:
enabled: true
# TODO the host and port are k3s-specific, generic solution is in progress
# https://github.com/cilium/cilium/issues/19038
# https://github.com/cilium/cilium/pull/28741
k8sServiceHost: 127.0.0.1
k8sServicePort: 6444
hubble:
relay:
enabled: true
ui:
enabled: true
================================================
FILE: metal/roles/cilium/tasks/main.yml
================================================
- name: Install Cilium
kubernetes.core.helm:
name: cilium
chart_ref: cilium
chart_repo_url: "{{ cilium_repo_url }}"
chart_version: "{{ cilium_version }}"
release_namespace: "{{ cilium_namespace }}"
values: "{{ cilium_values }}"
- name: Wait for Cilium CRDs
kubernetes.core.k8s_info:
kind: CustomResourceDefinition
name: "{{ item }}"
loop:
- ciliuml2announcementpolicies.cilium.io
- ciliumloadbalancerippools.cilium.io
register: crd
until: crd.resources | length > 0
retries: 5
delay: 10
- name: Apply Cilium resources
kubernetes.core.k8s:
template: "{{ item }}"
loop:
- ciliuml2announcementpolicy.yaml
- ciliumloadbalancerippool.yaml
================================================
FILE: metal/roles/cilium/templates/ciliuml2announcementpolicy.yaml
================================================
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
name: default
spec:
externalIPs: true
loadBalancerIPs: true
================================================
FILE: metal/roles/cilium/templates/ciliumloadbalancerippool.yaml
================================================
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
name: default
spec:
blocks:
{% for cidr in load_balancer_ip_pool %}
- cidr: {{ cidr }}
{% endfor %}
================================================
FILE: metal/roles/k3s/defaults/main.yml
================================================
k3s_version: v1.30.4+k3s1
k3s_config_file: /etc/rancher/k3s/config.yaml
k3s_token_file: /etc/rancher/node/password
k3s_service_file: /etc/systemd/system/k3s.service
k3s_data_dir: /var/lib/rancher/k3s
k3s_kubeconfig_file: /etc/rancher/k3s/k3s.yaml
k3s_server_config:
tls-san:
- "{{ control_plane_endpoint }}"
disable:
- local-storage
- servicelb
- traefik
disable-helm-controller: true
disable-kube-proxy: true
disable-network-policy: true
flannel-backend: none
secrets-encryption: true
================================================
FILE: metal/roles/k3s/files/bin/.gitignore
================================================
*
!.gitignore
================================================
FILE: metal/roles/k3s/tasks/main.yml
================================================
- name: Download k3s binary
ansible.builtin.get_url:
url: https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/k3s
checksum: sha256:https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/sha256sum-amd64.txt
dest: "{{ role_path }}/files/bin/k3s"
mode: 0755
delegate_to: localhost
run_once: true
register: k3s_binary
- name: Copy k3s binary to nodes
ansible.builtin.copy:
src: bin/k3s
dest: /usr/local/bin/k3s
owner: root
group: root
mode: 0755
- name: Ensure config directories exist
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: 0755
loop:
- /etc/rancher/k3s
- /etc/rancher/node
- "{{ k3s_data_dir }}/agent/pod-manifests"
- name: Check if k3s token file exists on the first node
run_once: true
ansible.builtin.stat:
path: "{{ k3s_token_file }}"
register: k3s_token_file_stat
- name: Generate k3s token file on the first node if not exist yet
run_once: true
when: not k3s_token_file_stat.stat.exists
ansible.builtin.copy:
content: "{{ lookup('community.general.random_string', length=32) }}"
dest: "{{ k3s_token_file }}"
mode: 0600
- name: Get k3s token from the first node
run_once: true
ansible.builtin.slurp:
src: "{{ k3s_token_file }}"
register: k3s_token_base64
- name: Ensure all nodes has the same token
ansible.builtin.copy:
content: "{{ k3s_token_base64.content | b64decode }}"
dest: "{{ k3s_token_file }}"
mode: 0600
- name: Copy k3s config files
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
loop:
- src: config.yaml.j2
dest: "{{ k3s_config_file }}"
- src: k3s.service.j2
dest: "{{ k3s_service_file }}"
- name: Copy kube-vip manifests
when: "'masters' in group_names"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
loop:
- src: kube-vip.yaml.j2
dest: "{{ k3s_data_dir }}/agent/pod-manifests/kube-vip.yaml"
- name: Enable k3s service
ansible.builtin.systemd:
name: k3s
enabled: true
state: started
register: k3s_service
until: k3s_service is succeeded
retries: 5
- name: Get Kubernetes config file
run_once: true
ansible.builtin.slurp:
src: "{{ k3s_kubeconfig_file }}"
register: kubeconfig_base64
- name: Write Kubernetes config file with the correct cluster address
ansible.builtin.copy:
content: "{{ kubeconfig_base64.content | b64decode | replace('127.0.0.1', control_plane_endpoint) }}"
dest: "{{ playbook_dir }}/kubeconfig.yaml"
mode: 0600
delegate_to: localhost
run_once: true
================================================
FILE: metal/roles/k3s/templates/config.yaml.j2
================================================
{% if inventory_hostname == groups['masters'][0] %}
cluster-init: true
{% else %}
server: https://{{ control_plane_endpoint }}:6443
{% endif %}
token-file: {{ k3s_token_file }}
{% if 'masters' in group_names %}
{{ k3s_server_config | to_nice_yaml }}
{% endif %}
snapshotter: stargz
================================================
FILE: metal/roles/k3s/templates/k3s.service.j2
================================================
[Unit]
Description=Lightweight Kubernetes
Documentation=https://k3s.io
After=network-online.target
[Service]
Type=notify
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s {{ 'server' if 'masters' in group_names else 'agent' }}
KillMode=process
Delegate=yes
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Restart=always
RestartSec=5s
[Install]
WantedBy=multi-user.target
================================================
FILE: metal/roles/k3s/templates/kube-vip.yaml.j2
================================================
apiVersion: v1
kind: Pod
metadata:
name: kube-vip
namespace: kube-system
spec:
containers:
- name: kube-vip
image: ghcr.io/kube-vip/kube-vip:v0.6.4
args:
- manager
env:
- name: address
value: {{ control_plane_endpoint }}
- name: vip_arp
value: "true"
- name: cp_enable
value: "true"
- name: vip_leaderelection
value: "true"
- name: lb_enable
value: "true"
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
volumeMounts:
- mountPath: /etc/kubernetes/admin.conf
name: kubeconfig
hostAliases:
- hostnames:
- kubernetes
ip: 127.0.0.1
hostNetwork: true
volumes:
- hostPath:
path: {{ k3s_kubeconfig_file }}
name: kubeconfig
================================================
FILE: metal/roles/prerequisites/tasks/main.yml
================================================
- name: Adjust kernel parameters
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
loop:
- {name: "fs.inotify.max_queued_events", value: 16384}
- {name: "fs.inotify.max_user_instances", value: 8192}
- {name: "fs.inotify.max_user_watches", value: 524288}
================================================
FILE: metal/roles/pxe_server/defaults/main.yml
================================================
iso_url: "https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/39/Server/x86_64/iso/Fedora-Server-dvd-x86_64-39-1.5.iso"
iso_checksum: "sha256:2755cdff6ac6365c75be60334bf1935ade838fc18de53d4c640a13d3e904f6e9"
timezone: Asia/Ho_Chi_Minh
dhcp_proxy: true
================================================
FILE: metal/roles/pxe_server/files/data/init-config/.gitignore
================================================
*
!.gitignore
================================================
FILE: metal/roles/pxe_server/files/data/iso/.gitignore
================================================
*
!.gitignore
================================================
FILE: metal/roles/pxe_server/files/data/os/.gitignore
================================================
*
!.gitignore
================================================
FILE: metal/roles/pxe_server/files/data/pxe-config/.gitignore
================================================
*
!.gitignore
================================================
FILE: metal/roles/pxe_server/files/dnsmasq/Dockerfile
================================================
FROM alpine:3.19
RUN apk --no-cache add dnsmasq
ENTRYPOINT ["dnsmasq", "-k"]
================================================
FILE: metal/roles/pxe_server/files/docker-compose.yml
================================================
services:
dnsmasq:
build: ./dnsmasq
volumes:
- ./data/pxe-config/dnsmasq.conf:/etc/dnsmasq.conf
- ./data/pxe-config/grub.cfg:/tftp/grub.cfg
- ./data/os/EFI/BOOT/grubx64.efi:/tftp/grubx64.efi
- ./data/os/images/pxeboot/initrd.img:/tftp/initrd.img
- ./data/os/images/pxeboot/vmlinuz:/tftp/vmlinuz
network_mode: host
cap_add:
- NET_ADMIN
http:
build: ./http
network_mode: host
volumes:
- ./data/os:/usr/share/nginx/html/os
- ./data/init-config/:/usr/share/nginx/html/init-config
environment:
NGINX_PORT: 80
================================================
FILE: metal/roles/pxe_server/files/http/Dockerfile
================================================
FROM nginx:1.25-alpine
================================================
FILE: metal/roles/pxe_server/tasks/main.yml
================================================
- name: Get Docker info
docker_host_info: {}
register: docker_info_result
- name: Ensure Docker is running on a supported operating system
fail:
msg: Docker host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac or Windows (you can use a Linux VM with bridged networking instead)
when:
- docker_info_result.host_info.OperatingSystem == "Docker Desktop"
- name: Download boot image
ansible.builtin.get_url:
url: "{{ iso_url }}"
dest: "{{ role_path }}/files/data/iso/{{ iso_url | basename }}"
checksum: "{{ iso_checksum }}"
mode: 0644
register: iso
- name: Extract boot image
ansible.builtin.command:
cmd: "xorriso -osirrox on -indev {{ iso.dest }} -extract / {{ role_path }}/files/data/os"
creates: "{{ role_path }}/files/data/os/.treeinfo"
- name: Generate dnsmasq config
ansible.builtin.template:
src: dnsmasq.conf.j2
dest: "{{ role_path }}/files/data/pxe-config/dnsmasq.conf"
mode: 0644
- name: Generate GRUB config
ansible.builtin.template:
src: grub.cfg.j2
dest: "{{ role_path }}/files/data/pxe-config/grub.cfg"
mode: 0644
- name: Generate init config for each machine
ansible.builtin.template:
src: kickstart.ks.j2
dest: "{{ role_path }}/files/data/init-config/{{ hostvars[item]['mac'] }}.ks"
mode: 0644
loop: "{{ groups['metal'] }}"
- name: Start the ephemeral PXE server
community.docker.docker_compose_v2:
project_src: "{{ role_path }}/files"
state: present
build: always
================================================
FILE: metal/roles/pxe_server/templates/dnsmasq.conf.j2
================================================
# Disable DNS Server.
port=0
{% if dhcp_proxy == true %}
# We're DHCP proxying on the network of the homelab host
dhcp-range={{ ansible_default_ipv4.address }},proxy
pxe-service=X86-64_EFI, "Boot From Network, (UEFI)", grubx64.efi
{% else %}
# We're DHCP configuring on this range
dhcp-range={{ ansible_default_ipv4.network | ansible.netcommon.ipmath(1) }},{{ ansible_default_ipv4.broadcast | ansible.netcommon.ipmath(-1) }},{{ ansible_default_ipv4.netmask }},12h
dhcp-option=3,{{ ansible_default_ipv4.gateway }}
# Match Arch Types efi x86 and x64
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
# Set the Boot file based on the tag from above
dhcp-boot=tag:efi-x86_64,grubx64.efi
{% endif %}
# Log DHCP queries to stdout
log-queries
log-dhcp
log-facility=-
# Enable TFTP server
enable-tftp
tftp-root=/tftp
================================================
FILE: metal/roles/pxe_server/templates/grub.cfg.j2
================================================
set timeout=1
menuentry '{{ iso_url | basename | splitext | first }} (PXE)' {
linux vmlinuz \
ip=dhcp \
inst.ks=http://{{ ansible_default_ipv4.address }}/init-config/${net_default_mac}.ks
initrd initrd.img
}
================================================
FILE: metal/roles/pxe_server/templates/kickstart.ks.j2
================================================
#version=RHEL8
# Do not use graphical install
text
# Keyboard layouts
keyboard --xlayouts='us'
# System language
lang en_US.UTF-8
# Partition clearing information
clearpart --all --drives={{ hostvars[item]['disk'] }}
# Partitioning
ignoredisk --only-use={{ hostvars[item]['disk'] }}
partition /boot/efi --fstype=vfat --size=512
partition / --fstype=ext4 --size=65536
# Network information
network --bootproto=static --device={{ hostvars[item]['network_interface'] }} --ip={{ hostvars[item]['ansible_host'] }} --gateway={{ ansible_default_ipv4.gateway }} --nameserver={{ dns_server }} --netmask={{ ansible_default_ipv4.netmask }} --ipv6=auto --hostname={{ hostvars[item]['inventory_hostname'] }} --activate
# Use network installation
repo --name="Repository" --baseurl=http://{{ ansible_default_ipv4.address }}/os
url --url="http://{{ ansible_default_ipv4.address }}/os"
# Disable Setup Agent on first boot
firstboot --disable
# Do not configure the X Window System
skipx
# Enable NTP
services --enabled="chronyd"
# System timezone
timezone {{ timezone }} --utc
# Create user (locked by default)
user --groups=wheel --name=admin
# Add SSH key
sshkey --username=root "{{ ssh_public_key }}"
# Disable root password login
rootpw --lock
# Disable SELinux
selinux --disabled
# Disable firewall
firewall --disabled
%packages
@^custom-environment
openssh-server
%end
# Create a raw partition for Ceph using the remaining space
# Using a post script because there is no built-in feature in Kickstart
# The three empty lines are equivalent to pressing Enter to use the default values for:
# - Partition number
# - First sector
# - Last sector
%post
fdisk /dev/{{ hostvars[item]['disk'] }} << EOF
new
write
EOF
%end
reboot
================================================
FILE: metal/roles/wake/tasks/main.yml
================================================
- name: Send Wake-on-LAN magic packets
community.general.wakeonlan:
mac: "{{ mac }}"
delegate_to: localhost
- name: Wait for the machines to come online
ansible.builtin.wait_for_connection:
timeout: 600
================================================
FILE: mkdocs.yml
================================================
# yaml-language-server: $schema=https://squidfunk.github.io/mkdocs-material/schema.json
site_name: Khue's Homelab
copyright: Copyright © 2020 - 2024 Khue Doan
repo_url: https://github.com/khuedoan/homelab
theme:
favicon: https://github.com/khuedoan/homelab/assets/27996771/d33be1af-3687-4712-a671-4370da13cc92
name: material
palette:
primary: black
features:
- navigation.expand
- navigation.instant
- navigation.sections
- search.highlight
- search.share
markdown_extensions:
- pymdownx.emoji:
emoji_index: !!python/name:material.extensions.emoji.twemoji
emoji_generator: !!python/name:material.extensions.emoji.to_svg
- attr_list
- admonition
- pymdownx.details
- pymdownx.snippets:
check_paths: true
- def_list
- pymdownx.tasklist:
- pymdownx.superfences:
custom_fences:
- name: mermaid
class: mermaid
format: !!python/name:pymdownx.superfences.fence_code_format
- pymdownx.tabbed:
alternate_style: true
nav:
- Home: index.md
- Installation:
- installation/sandbox.md
- Production:
- installation/production/prerequisites.md
- installation/production/external-resources.md
- installation/production/configuration.md
- installation/production/deployment.md
- installation/post-installation.md
- Getting started:
- getting-started/vpn-setup.md
- getting-started/user-onboarding.md
- getting-started/install-pre-commit-hooks.md
- Concepts:
- concepts/pxe-boot.md
- concepts/secrets-management.md
- concepts/certificate-management.md
- concepts/development-shell.md
- concepts/testing.md
- How-to guides:
- how-to-guides/alternate-dns-setup.md
- how-to-guides/expose-services-to-the-internet.md
- how-to-guides/backup-and-restore.md
- how-to-guides/use-both-github-and-gitea.md
- how-to-guides/add-or-remove-nodes.md
- how-to-guides/run-commands-on-multiple-nodes.md
- how-to-guides/single-node-cluster-adjustments.md
- how-to-guides/disable-dhcp-proxy-in-dnsmasq.md
- how-to-guides/media-management.md
- how-to-guides/updating-documentation.md
- Troubleshooting:
- how-to-guides/troubleshooting/pxe-boot.md
- Reference:
- Architecture:
- reference/architecture/overview.md
- reference/architecture/networking.md
- reference/architecture/decision-records.md
- reference/license.md
- reference/changelog.md
- reference/roadmap.md
- reference/contributing.md
- reference/faq.md
================================================
FILE: platform/dex/Chart.yaml
================================================
apiVersion: v2
name: dex
version: 0.0.0
dependencies:
- name: dex
version: 0.16.0
repository: https://charts.dexidp.io
================================================
FILE: platform/dex/templates/secret.yaml
================================================
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: dex-secrets
namespace: {{ .Release.Namespace }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
target:
name: dex-secrets
data:
# Connectors
- secretKey: KANIDM_CLIENT_ID
remoteRef:
key: kanidm.dex
property: client_id
- secretKey: KANIDM_CLIENT_SECRET
remoteRef:
key: kanidm.dex
property: client_secret
# Clients
- secretKey: GRAFANA_SSO_CLIENT_SECRET
remoteRef:
key: dex.grafana
property: client_secret
- secretKey: GITEA_CLIENT_SECRET
remoteRef:
key: dex.gitea
property: client_secret
================================================
FILE: platform/dex/values.yaml
================================================
dex:
config:
issuer: https://dex.khuedoan.com
storage:
type: kubernetes
config:
inCluster: true
oauth2:
skipApprovalScreen: true
connectors:
- type: oidc
id: kanidm
name: Kanidm
config:
clientID: $KANIDM_CLIENT_ID
clientSecret: $KANIDM_CLIENT_SECRET
redirectURI: https://dex.khuedoan.com/callback
issuer: https://auth.khuedoan.com/oauth2/openid/dex
# TODO https://github.com/dexidp/dex/pull/3188
# enablePKCE: true
scopes:
- openid
- profile
- email
- groups
staticClients:
- id: grafana-sso
name: Grafana
redirectURIs:
- 'https://grafana.khuedoan.com/login/generic_oauth'
secretEnv: GRAFANA_SSO_CLIENT_SECRET
- id: gitea
name: Gitea
redirectURIs:
- 'https://git.khuedoan.com/user/oauth2/Dex/callback'
secretEnv: GITEA_CLIENT_SECRET
envFrom:
- secretRef:
name: dex-secrets
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host dex.khuedoan.com
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: dex-tls-certificate
hosts:
- *host
================================================
FILE: platform/external-secrets/Chart.yaml
================================================
apiVersion: v2
name: external-secrets
version: 0.0.0
dependencies:
- name: external-secrets
version: 0.10.2
repository: https://charts.external-secrets.io
================================================
FILE: platform/gitea/Chart.yaml
================================================
apiVersion: v2
name: gitea
version: 0.0.0
dependencies:
- name: gitea
version: 10.1.3
repository: https://dl.gitea.io/charts/
================================================
FILE: platform/gitea/files/config/config.yaml
================================================
# TODO create user and access token
# users:
# - name: renovate
# fullName: Renovate
# email: bot@renovateapp.com
# tokenSecretRef: renovate-secret # ???
organizations:
- name: ops
description: Operations
teams:
- name: Owners
members:
- renovate
repositories:
- name: homelab
owner: ops
private: false
migrate:
source: https://github.com/khuedoan/homelab
mirror: false
- name: blog
owner: khuedoan
migrate:
source: https://github.com/khuedoan/blog
mirror: true
- name: backstage
owner: khuedoan
migrate:
source: https://github.com/khuedoan/backstage
mirror: true
================================================
FILE: platform/gitea/files/config/go.mod
================================================
module git.khuedoan.com/khuedoan/homelab/gitea/config
go 1.19
require (
code.gitea.io/sdk/gitea v0.15.1
gopkg.in/yaml.v2 v2.4.0
)
require github.com/hashicorp/go-version v1.2.1 // indirect
================================================
FILE: platform/gitea/files/config/go.sum
================================================
code.gitea.io/gitea-vet v0.2.1/go.mod h1:zcNbT/aJEmivCAhfmkHOlT645KNOf9W2KnkLgFjGGfE=
code.gitea.io/sdk/gitea v0.15.1 h1:WJreC7YYuxbn0UDaPuWIe/mtiNKTvLN8MLkaw71yx/M=
code.gitea.io/sdk/gitea v0.15.1/go.mod h1:klY2LVI3s3NChzIk/MzMn7G1FHrfU7qd63iSMVoHRBA=
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/hashicorp/go-version v1.2.1 h1:zEfKbn2+PDgroKdiOzqiE8rsmLqU2uwi5PB5pBJ3TkI=
github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200325010219-a49f79bcc224/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
================================================
FILE: platform/gitea/files/config/main.go
================================================
package main
// TODO WIP clean this up
import (
"log"
"os"
"code.gitea.io/sdk/gitea"
"gopkg.in/yaml.v2"
)
type Organization struct {
Name string
Description string
}
type Repository struct {
Name string
Owner string
Private bool
Migrate struct {
Source string
Mirror bool
}
}
type Config struct {
Organizations []Organization
Repositories []Repository
}
func main() {
data, err := os.ReadFile("./config.yaml")
if err != nil {
log.Fatalf("Unable to read config file: %v", err)
}
config := Config{}
err = yaml.Unmarshal([]byte(data), &config)
if err != nil {
log.Fatalf("error: %v", err)
}
gitea_host := os.Getenv("GITEA_HOST")
gitea_user := os.Getenv("GITEA_USER")
gitea_password := os.Getenv("GITEA_PASSWORD")
options := (gitea.SetBasicAuth(gitea_user, gitea_password))
client, err := gitea.NewClient(gitea_host, options)
if err != nil {
log.Fatal(err)
}
for _, org := range config.Organizations {
_, _, err = client.CreateOrg(gitea.CreateOrgOption{
Name: org.Name,
Description: org.Description,
})
if err != nil {
log.Printf("Create organization %s: %v", org.Name, err)
}
}
for _, repo := range config.Repositories {
if repo.Migrate.Source != "" {
_, _, err = client.MigrateRepo(gitea.MigrateRepoOption{
RepoName: repo.Name,
RepoOwner: repo.Owner,
CloneAddr: repo.Migrate.Source,
Service: gitea.GitServicePlain,
Mirror: repo.Migrate.Mirror,
Private: repo.Private,
MirrorInterval: "10m",
})
if err != nil {
log.Printf("Migrate %s/%s: %v", repo.Owner, repo.Name, err)
}
} else {
_, _, err = client.AdminCreateRepo(repo.Owner, gitea.CreateRepoOption{
Name: repo.Name,
// Description: "TODO",
Private: repo.Private,
})
}
}
}
================================================
FILE: platform/gitea/templates/admin-secret.yaml
================================================
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ .Values.gitea.gitea.admin.existingSecret }}
namespace: {{ .Release.Namespace }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
target:
template:
engineVersion: v2
data:
username: gitea_admin
password: {{` "{{ .password }}" `}}
data:
- secretKey: password
remoteRef:
key: gitea.admin
property: password
================================================
FILE: platform/gitea/templates/config-job.yaml
================================================
apiVersion: batch/v1
kind: Job
metadata:
name: gitea-config-{{ include (print $.Template.BasePath "/config-source.yaml") . | sha256sum | trunc 7 }}
namespace: {{ .Release.Namespace }}
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
backoffLimit: 10
template:
spec:
restartPolicy: Never
containers:
- name: apply
image: golang:1.19-alpine
env:
- name: GITEA_HOST
value: http://gitea-http:3000
- name: GITEA_USER
valueFrom:
secretKeyRef:
name: gitea-admin-secret
key: username
- name: GITEA_PASSWORD
valueFrom:
secretKeyRef:
name: gitea-admin-secret
key: password
workingDir: /go/src/gitea-config
command:
- sh
- -c
args:
- |
go get .
go run .
volumeMounts:
- name: source
mountPath: /go/src/gitea-config
volumes:
- name: s
gitextract_plx_vs0m/
├── .envrc
├── .gitattributes
├── .gitignore
├── .pre-commit-config.yaml
├── .woodpecker/
│ ├── helm-diff.yaml
│ └── static-checks.yaml
├── .yamllint.yaml
├── LICENSE.md
├── Makefile
├── README.md
├── apps/
│ ├── actualbudget/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── blog/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── excalidraw/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── homepage/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── jellyfin/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── matrix/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── ollama/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── pairdrop/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── paperless/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ ├── speedtest/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── tailscale/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ ├── role.yaml
│ │ │ ├── rolebinding.yaml
│ │ │ ├── secret.yaml
│ │ │ └── serviceaccount.yaml
│ │ └── values.yaml
│ └── wireguard/
│ ├── Chart.yaml
│ └── values.yaml
├── docs/
│ ├── .gitignore
│ ├── concepts/
│ │ ├── certificate-management.md
│ │ ├── development-shell.md
│ │ ├── pxe-boot.md
│ │ ├── secrets-management.md
│ │ └── testing.md
│ ├── getting-started/
│ │ ├── install-pre-commit-hooks.md
│ │ ├── user-onboarding.md
│ │ └── vpn-setup.md
│ ├── how-to-guides/
│ │ ├── add-or-remove-nodes.md
│ │ ├── alternate-dns-setup.md
│ │ ├── backup-and-restore.md
│ │ ├── disable-dhcp-proxy-in-dnsmasq.md
│ │ ├── expose-services-to-the-internet.md
│ │ ├── media-management.md
│ │ ├── run-commands-on-multiple-nodes.md
│ │ ├── single-node-cluster-adjustments.md
│ │ ├── troubleshooting/
│ │ │ └── pxe-boot.md
│ │ ├── updating-documentation.md
│ │ └── use-both-github-and-gitea.md
│ ├── index.md
│ ├── installation/
│ │ ├── post-installation.md
│ │ ├── production/
│ │ │ ├── configuration.md
│ │ │ ├── deployment.md
│ │ │ ├── external-resources.md
│ │ │ └── prerequisites.md
│ │ └── sandbox.md
│ └── reference/
│ ├── architecture/
│ │ ├── decision-records.md
│ │ ├── networking.md
│ │ └── overview.md
│ ├── changelog.md
│ ├── contributing.md
│ ├── faq.md
│ ├── license.md
│ └── roadmap.md
├── external/
│ ├── .gitignore
│ ├── Makefile
│ ├── main.tf
│ ├── modules/
│ │ ├── cloudflare/
│ │ │ ├── main.tf
│ │ │ ├── variables.tf
│ │ │ └── versions.tf
│ │ ├── extra-secrets/
│ │ │ ├── main.tf
│ │ │ ├── variables.tf
│ │ │ └── versions.tf
│ │ └── ntfy/
│ │ ├── main.tf
│ │ ├── variables.tf
│ │ └── versions.tf
│ ├── namespaces.yml
│ ├── terraform.tfvars.example
│ ├── variables.tf
│ └── versions.tf
├── flake.nix
├── metal/
│ ├── Makefile
│ ├── ansible.cfg
│ ├── boot.yml
│ ├── cluster.yml
│ ├── group_vars/
│ │ └── all.yml
│ ├── inventories/
│ │ ├── prod.yml
│ │ └── stag.yml
│ ├── k3d-dev.yaml
│ └── roles/
│ ├── automatic_upgrade/
│ │ ├── files/
│ │ │ └── automatic.conf
│ │ └── tasks/
│ │ └── main.yml
│ ├── cilium/
│ │ ├── defaults/
│ │ │ └── main.yml
│ │ ├── tasks/
│ │ │ └── main.yml
│ │ └── templates/
│ │ ├── ciliuml2announcementpolicy.yaml
│ │ └── ciliumloadbalancerippool.yaml
│ ├── k3s/
│ │ ├── defaults/
│ │ │ └── main.yml
│ │ ├── files/
│ │ │ └── bin/
│ │ │ └── .gitignore
│ │ ├── tasks/
│ │ │ └── main.yml
│ │ └── templates/
│ │ ├── config.yaml.j2
│ │ ├── k3s.service.j2
│ │ └── kube-vip.yaml.j2
│ ├── prerequisites/
│ │ └── tasks/
│ │ └── main.yml
│ ├── pxe_server/
│ │ ├── defaults/
│ │ │ └── main.yml
│ │ ├── files/
│ │ │ ├── data/
│ │ │ │ ├── init-config/
│ │ │ │ │ └── .gitignore
│ │ │ │ ├── iso/
│ │ │ │ │ └── .gitignore
│ │ │ │ ├── os/
│ │ │ │ │ └── .gitignore
│ │ │ │ └── pxe-config/
│ │ │ │ └── .gitignore
│ │ │ ├── dnsmasq/
│ │ │ │ └── Dockerfile
│ │ │ ├── docker-compose.yml
│ │ │ └── http/
│ │ │ └── Dockerfile
│ │ ├── tasks/
│ │ │ └── main.yml
│ │ └── templates/
│ │ ├── dnsmasq.conf.j2
│ │ ├── grub.cfg.j2
│ │ └── kickstart.ks.j2
│ └── wake/
│ └── tasks/
│ └── main.yml
├── mkdocs.yml
├── platform/
│ ├── dex/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ ├── external-secrets/
│ │ └── Chart.yaml
│ ├── gitea/
│ │ ├── Chart.yaml
│ │ ├── files/
│ │ │ └── config/
│ │ │ ├── config.yaml
│ │ │ ├── go.mod
│ │ │ ├── go.sum
│ │ │ └── main.go
│ │ ├── templates/
│ │ │ ├── admin-secret.yaml
│ │ │ ├── config-job.yaml
│ │ │ └── config-source.yaml
│ │ └── values.yaml
│ ├── global-secrets/
│ │ ├── Chart.yaml
│ │ ├── files/
│ │ │ └── secret-generator/
│ │ │ ├── config.yaml
│ │ │ ├── go.mod
│ │ │ ├── go.sum
│ │ │ └── main.go
│ │ └── templates/
│ │ ├── clustersecretstore/
│ │ │ ├── clustersecretstore.yaml
│ │ │ ├── role.yaml
│ │ │ ├── rolebinding.yaml
│ │ │ └── serviceaccount.yaml
│ │ └── secret-generator/
│ │ ├── configmap.yaml
│ │ ├── job.yaml
│ │ ├── role.yaml
│ │ ├── rolebinding.yaml
│ │ └── serviceaccount.yaml
│ ├── grafana/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ ├── kanidm/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ ├── certificate.yaml
│ │ │ └── issuer.yaml
│ │ └── values.yaml
│ ├── renovate/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ ├── woodpecker/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── secret.yaml
│ │ └── values.yaml
│ └── zot/
│ ├── Chart.yaml
│ ├── templates/
│ │ └── admin-secret.yaml
│ └── values.yaml
├── renovate.json5
├── scripts/
│ ├── argocd-admin-password
│ ├── backup
│ ├── configure
│ ├── get-dns-config
│ ├── get-status
│ ├── get-wireguard-config
│ ├── hacks
│ ├── helm-diff
│ ├── kanidm-reset-password
│ ├── new-service
│ ├── onboard-user
│ ├── pxe-logs
│ └── take-screenshots
├── system/
│ ├── Makefile
│ ├── argocd/
│ │ ├── Chart.yaml
│ │ ├── values-seed.yaml
│ │ └── values.yaml
│ ├── bootstrap.yml
│ ├── cert-manager/
│ │ ├── Chart.yaml
│ │ ├── templates/
│ │ │ └── clusterissuer.yaml
│ │ └── values.yaml
│ ├── cloudflared/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── external-dns/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── ingress-nginx/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── kured/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── loki/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ ├── monitoring-system/
│ │ ├── Chart.yaml
│ │ ├── files/
│ │ │ └── webhook-transformer/
│ │ │ └── alertmanager-to-ntfy.jsonnet
│ │ ├── templates/
│ │ │ └── configmap.yaml
│ │ └── values.yaml
│ ├── rook-ceph/
│ │ ├── Chart.yaml
│ │ └── values.yaml
│ └── volsync-system/
│ └── Chart.yaml
└── test/
├── Makefile
├── benchmark/
│ ├── security/
│ │ └── kube-bench.yaml
│ └── storage/
│ ├── dbench-rwo.yaml
│ └── dbench-rwx.yaml
├── external_test.go
├── go.mod
├── go.sum
├── integration_test.go
├── smoke_test.go
└── tools_test.go
SYMBOL INDEX (16 symbols across 6 files)
FILE: platform/gitea/files/config/main.go
type Organization (line 13) | type Organization struct
type Repository (line 18) | type Repository struct
type Config (line 28) | type Config struct
function main (line 33) | func main() {
FILE: platform/global-secrets/files/secret-generator/main.go
constant namespace (line 18) | namespace = "global-secrets"
type RandomSecret (line 20) | type RandomSecret struct
function getClient (line 29) | func getClient() (*kubernetes.Clientset, error) {
function generateRandomPassword (line 41) | func generateRandomPassword(length int, special bool) (string, error) {
function readConfigFile (line 52) | func readConfigFile(filename string) ([]RandomSecret, error) {
function createOrUpdateSecret (line 67) | func createOrUpdateSecret(client *kubernetes.Clientset, name string, ran...
function main (line 122) | func main() {
FILE: test/external_test.go
function TestTerraformExternal (line 10) | func TestTerraformExternal(t *testing.T) {
FILE: test/integration_test.go
function TestArgoCDCheck (line 13) | func TestArgoCDCheck(t *testing.T) {
FILE: test/smoke_test.go
function TestSmoke (line 14) | func TestSmoke(t *testing.T) {
FILE: test/tools_test.go
function TestToolsVersions (line 11) | func TestToolsVersions(t *testing.T) {
function TestToolsNixShell (line 46) | func TestToolsNixShell(t *testing.T) {
Condensed preview — 218 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (398K chars).
[
{
"path": ".envrc",
"chars": 10,
"preview": "use flake\n"
},
{
"path": ".gitattributes",
"chars": 31,
"preview": "external/** -linguist-vendored\n"
},
{
"path": ".gitignore",
"chars": 66,
"preview": ".venv/\nbook/\n\n*.iso\n*.log\n*.png\n*.tgz\n*kubeconfig.yaml\nChart.lock\n"
},
{
"path": ".pre-commit-config.yaml",
"chars": 707,
"preview": "repos:\n - repo: https://github.com/pre-commit/pre-commit-hooks\n rev: v4.3.0\n hooks:\n - id: check-added-large"
},
{
"path": ".woodpecker/helm-diff.yaml",
"chars": 658,
"preview": "when:\n branch: ${CI_REPO_DEFAULT_BRANCH}\n\nmatrix:\n STACK:\n - system\n - platform\n - apps\n\nsteps:\n # TODO DRY "
},
{
"path": ".woodpecker/static-checks.yaml",
"chars": 906,
"preview": "when:\n branch: ${CI_REPO_DEFAULT_BRANCH}\n\nsteps:\n # TODO DRY with nix develop and custom entrypoint https://github.com"
},
{
"path": ".yamllint.yaml",
"chars": 111,
"preview": "ignore: |\n templates/\n mkdocs.yml\n\nextends: default\n\nrules:\n document-start: disable\n line-length: disable\n"
},
{
"path": "LICENSE.md",
"chars": 34916,
"preview": "### GNU GENERAL PUBLIC LICENSE\n\nVersion 3, 29 June 2007\n\nCopyright (C) 2007 Free Software Foundation, Inc.\n<https://fsf."
},
{
"path": "Makefile",
"chars": 933,
"preview": ".POSIX:\n.PHONY: *\n.EXPORT_ALL_VARIABLES:\n\nKUBECONFIG = $(shell pwd)/metal/kubeconfig.yaml\nKUBE_CONFIG_PATH = $(KUBECONFI"
},
{
"path": "README.md",
"chars": 18628,
"preview": "# Khue's Homelab\n\n**[Features](#features) • [Get Started](#get-started) • [Documentation](https://homelab.khuedoan.com)*"
},
{
"path": "apps/actualbudget/Chart.yaml",
"chars": 162,
"preview": "apiVersion: v2\nname: actualbudget\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.6.0\n repository:"
},
{
"path": "apps/actualbudget/values.yaml",
"chars": 831,
"preview": "app-template:\n controllers:\n main:\n containers:\n main:\n image:\n repository: docker.i"
},
{
"path": "apps/blog/Chart.yaml",
"chars": 154,
"preview": "apiVersion: v2\nname: blog\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.2.0\n repository: https:/"
},
{
"path": "apps/blog/values.yaml",
"chars": 832,
"preview": "app-template:\n controllers:\n main:\n containers:\n main:\n image:\n repository: registry"
},
{
"path": "apps/excalidraw/Chart.yaml",
"chars": 160,
"preview": "apiVersion: v2\nname: excalidraw\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.2.0\n repository: h"
},
{
"path": "apps/excalidraw/values.yaml",
"chars": 842,
"preview": "app-template:\n controllers:\n main:\n containers:\n main:\n image:\n repository: docker.i"
},
{
"path": "apps/homepage/Chart.yaml",
"chars": 158,
"preview": "apiVersion: v2\nname: homepage\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.6.0\n repository: htt"
},
{
"path": "apps/homepage/values.yaml",
"chars": 5235,
"preview": "app-template:\n controllers:\n main:\n containers:\n main:\n image:\n repository: ghcr.io/"
},
{
"path": "apps/jellyfin/Chart.yaml",
"chars": 158,
"preview": "apiVersion: v2\nname: jellyfin\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.6.0\n repository: htt"
},
{
"path": "apps/jellyfin/values.yaml",
"chars": 3966,
"preview": "app-template:\n defaultPodOptions:\n securityContext:\n fsGroup: 1000\n controllers:\n main:\n containers:\n "
},
{
"path": "apps/matrix/Chart.yaml",
"chars": 275,
"preview": "apiVersion: v2\nname: elementweb\nversion: 0.0.0\ndependencies:\n - name: elementweb\n version: 0.0.6\n repository: htt"
},
{
"path": "apps/matrix/values.yaml",
"chars": 961,
"preview": "elementweb:\n ingress:\n enabled: true\n className: nginx\n annotations:\n cert-manager.io/cluster-issuer: let"
},
{
"path": "apps/ollama/Chart.yaml",
"chars": 156,
"preview": "apiVersion: v2\nname: ollama\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.6.0\n repository: https"
},
{
"path": "apps/ollama/values.yaml",
"chars": 1370,
"preview": "app-template:\n controllers:\n main:\n containers:\n main:\n image:\n repository: docker.i"
},
{
"path": "apps/pairdrop/Chart.yaml",
"chars": 158,
"preview": "apiVersion: v2\nname: pairdrop\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.6.0\n repository: htt"
},
{
"path": "apps/pairdrop/values.yaml",
"chars": 694,
"preview": "app-template:\n controllers:\n main:\n containers:\n main:\n image:\n repository: lscr.io/"
},
{
"path": "apps/paperless/Chart.yaml",
"chars": 159,
"preview": "apiVersion: v2\nname: paperless\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.6.0\n repository: ht"
},
{
"path": "apps/paperless/templates/secret.yaml",
"chars": 278,
"preview": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n name: {{ .Release.Name }}-secret\n namespace: {"
},
{
"path": "apps/paperless/values.yaml",
"chars": 1297,
"preview": "app-template:\n controllers:\n main:\n containers:\n main:\n image:\n repository: ghcr.io/"
},
{
"path": "apps/speedtest/Chart.yaml",
"chars": 159,
"preview": "apiVersion: v2\nname: speedtest\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.6.0\n repository: ht"
},
{
"path": "apps/speedtest/values.yaml",
"chars": 759,
"preview": "app-template:\n controllers:\n main:\n containers:\n main:\n image:\n repository: docker.i"
},
{
"path": "apps/tailscale/Chart.yaml",
"chars": 159,
"preview": "apiVersion: v2\nname: tailscale\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 3.1.0\n repository: ht"
},
{
"path": "apps/tailscale/templates/role.yaml",
"chars": 448,
"preview": "# https://github.com/tailscale/tailscale/blob/main/docs/k8s/role.yaml\n# Copyright (c) Tailscale Inc & AUTHORS\n# SPDX-Lic"
},
{
"path": "apps/tailscale/templates/rolebinding.yaml",
"chars": 415,
"preview": "# https://github.com/tailscale/tailscale/blob/main/docs/k8s/rolebinding.yaml\n# Copyright (c) Tailscale Inc & AUTHORS\n# S"
},
{
"path": "apps/tailscale/templates/secret.yaml",
"chars": 322,
"preview": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n name: tailscale-auth\n namespace: {{ .Release.N"
},
{
"path": "apps/tailscale/templates/serviceaccount.yaml",
"chars": 250,
"preview": "# https://github.com/tailscale/tailscale/blob/main/docs/k8s/sa.yaml\n# Copyright (c) Tailscale Inc & AUTHORS\n# SPDX-Licen"
},
{
"path": "apps/tailscale/values.yaml",
"chars": 623,
"preview": "app-template:\n serviceAccount:\n name: tailscale\n controllers:\n tailscale:\n containers:\n app:\n "
},
{
"path": "apps/wireguard/Chart.yaml",
"chars": 159,
"preview": "apiVersion: v2\nname: wireguard\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 3.5.0\n repository: ht"
},
{
"path": "apps/wireguard/values.yaml",
"chars": 2995,
"preview": "app-template:\n controllers:\n wireguard:\n containers:\n app:\n image:\n repository: lscr"
},
{
"path": "docs/.gitignore",
"chars": 12,
"preview": "mermaid*.js\n"
},
{
"path": "docs/concepts/certificate-management.md",
"chars": 2200,
"preview": "# Certificate management\n\nCertificates are generated and managed by [cert-manager](https://cert-manager.io) with [Let's "
},
{
"path": "docs/concepts/development-shell.md",
"chars": 1059,
"preview": "# Development shell\n\nThe development shell makes it easy to get all of the dependencies needed to interact with the home"
},
{
"path": "docs/concepts/pxe-boot.md",
"chars": 1271,
"preview": "# PXE boot\n\n```mermaid\nflowchart TD\n subgraph controller[Initial controller]\n Ansible\n dhcp[DHCP server]\n tftp"
},
{
"path": "docs/concepts/secrets-management.md",
"chars": 2993,
"preview": "# Secrets management\n\n## Overview\n\n- Global secrets are stored in the `global-secrets` namespace.\n- Integrate with GitOp"
},
{
"path": "docs/concepts/testing.md",
"chars": 197,
"preview": "# Testing infrastructure code\n\nWe use [Terratest](https://terratest.gruntwork.io) for automated tests.\nThe tests are wri"
},
{
"path": "docs/getting-started/install-pre-commit-hooks.md",
"chars": 518,
"preview": "# Install pre-commit hooks\n\nGit hook scripts are useful for identifying simple issues before commiting changes.\n\nInstall"
},
{
"path": "docs/getting-started/user-onboarding.md",
"chars": 1053,
"preview": "# User onboarding\n\n=== \"For user\"\n\n ## Create user\n\n Ask an admin to create your account, provide the following in"
},
{
"path": "docs/getting-started/vpn-setup.md",
"chars": 4828,
"preview": "# VPN setup\n\nYou can choose between [Tailscale](https://tailscale.com),\n[Wireguard](https://www.wireguard.com), or use b"
},
{
"path": "docs/how-to-guides/add-or-remove-nodes.md",
"chars": 1903,
"preview": "# Add or remove nodes\n\nOr how to scale vertically. To replace the same node with a clean OS, remove it and add it again."
},
{
"path": "docs/how-to-guides/alternate-dns-setup.md",
"chars": 1099,
"preview": "# Alternate DNS setup\n\n!!! info\n\n Skip this step if you already use the included Cloudflare setup\n\nBefore you can"
},
{
"path": "docs/how-to-guides/backup-and-restore.md",
"chars": 3037,
"preview": "# Backup and restore\n\n## Prerequisites\n\nCreate an S3 bucket to store backups. You can use AWS S3, Minio, or\nany other S3"
},
{
"path": "docs/how-to-guides/disable-dhcp-proxy-in-dnsmasq.md",
"chars": 683,
"preview": "# Disable DHCP proxy in dnsmasq\n\n## Overview\n\nDnsmasq is used as either a DHCP server or DHCP proxy server for PXE metal"
},
{
"path": "docs/how-to-guides/expose-services-to-the-internet.md",
"chars": 539,
"preview": "# Expose services to the internet\n\n!!! info\n\n This tutorial is for Cloudflare Tunnel users, please skip if you use po"
},
{
"path": "docs/how-to-guides/media-management.md",
"chars": 2516,
"preview": "# Media management\n\n!!! warning\n\n This is for educational purposes only :wink: Use it at your own risk!\n\n## Initial s"
},
{
"path": "docs/how-to-guides/run-commands-on-multiple-nodes.md",
"chars": 654,
"preview": "# Run commands on multiple nodes\n\nUse [ansible-console](https://docs.ansible.com/ansible/latest/cli/ansible-console.html"
},
{
"path": "docs/how-to-guides/single-node-cluster-adjustments.md",
"chars": 1284,
"preview": "# Single node cluster adjustments\n\n!!! danger\n\n This is not officially supported and I don't regularly test it,\n I"
},
{
"path": "docs/how-to-guides/troubleshooting/pxe-boot.md",
"chars": 1238,
"preview": "# PXE boot\n\n## PXE server logs\n\nTo view PXE server (includes DHCP, TFTP and HTTP server) logs:\n\n```sh\n./scripts/pxe-logs"
},
{
"path": "docs/how-to-guides/updating-documentation.md",
"chars": 1931,
"preview": "# Updating documentation (this website)\n\nThis project uses the [Diátaxis](https://diataxis.fr) technical documentation f"
},
{
"path": "docs/how-to-guides/use-both-github-and-gitea.md",
"chars": 424,
"preview": "# Use both GitHub and Gitea\n\nEven though we self-host Gitea, you may still want to use GitHub as a backup and for discov"
},
{
"path": "docs/index.md",
"chars": 24,
"preview": "--8<--\nREADME.md\n--8<--\n"
},
{
"path": "docs/installation/post-installation.md",
"chars": 1342,
"preview": "# Post-installation\n\n## Backup secrets\n\nSave the following files to a safe location like a password manager (if you're u"
},
{
"path": "docs/installation/production/configuration.md",
"chars": 1059,
"preview": "# Configuration\n\nOpen the [development shell](../../concepts/development-shell.md), which includes all the tools needed:"
},
{
"path": "docs/installation/production/deployment.md",
"chars": 460,
"preview": "# Deployment\n\nOpen the development shell if you haven't already:\n\n```sh\nnix develop\n```\n\nBuild the lab:\n\n```sh\nmake\n```\n"
},
{
"path": "docs/installation/production/external-resources.md",
"chars": 4062,
"preview": "# External resources\n\n!!! info\n\n These resources are optional, the homelab still works without them but will lack som"
},
{
"path": "docs/installation/production/prerequisites.md",
"chars": 4802,
"preview": "# Prerequisites\n\n## Fork this repository\n\nBecause [this project](https://github.com/khuedoan/homelab) applies GitOps pra"
},
{
"path": "docs/installation/sandbox.md",
"chars": 1996,
"preview": "# Development sandbox\n\nThe sandbox is intended for trying out the homelab without any hardware or testing changes before"
},
{
"path": "docs/reference/architecture/decision-records.md",
"chars": 8648,
"preview": "# Decision records\n\nThese are the records of design decisions for future reference in order to understand why things are"
},
{
"path": "docs/reference/architecture/networking.md",
"chars": 398,
"preview": "# Networking\n\n```mermaid\nflowchart TD\n subgraph LAN\n laptop/desktop/phone <--> LoadBalancer\n subgraph k8s[Kuberne"
},
{
"path": "docs/reference/architecture/overview.md",
"chars": 2256,
"preview": "# Overview\n\n## Components\n\n```\n+--------------+\n| ./apps |\n|--------------|\n| ./platform |\n|--------------| "
},
{
"path": "docs/reference/changelog.md",
"chars": 4572,
"preview": "# Changelog\n\n## v0.0.8\n\nNotable changes:\n\n- **build:** run post install scripts by default\n- **build:** set `KUBECONFIG`"
},
{
"path": "docs/reference/contributing.md",
"chars": 808,
"preview": "# Contributing\n\n## How to contribute\n\n### Bug report\n\nYou can [create a new GitHub issue](https://github.com/khuedoan/ho"
},
{
"path": "docs/reference/faq.md",
"chars": 615,
"preview": "# FAQ\n\n## Is it necessary to install Linux on my servers before setting up the homelab?\n\nNo, and that's the beauty of th"
},
{
"path": "docs/reference/license.md",
"chars": 65,
"preview": "Copyright © 2020 - 2024 Khue Doan\n\n--8<--\nLICENSE.md\n--8<--\n"
},
{
"path": "docs/reference/roadmap.md",
"chars": 2754,
"preview": "# Roadmap\n\n!!! info\n\n Current status: **ALPHA**\n\n## Alpha requirements\n\nLiterally anything that works.\n\n## Beta requi"
},
{
"path": "external/.gitignore",
"chars": 47,
"preview": ".terraform*\nterraform.tfstate\nterraform.tfvars\n"
},
{
"path": "external/Makefile",
"chars": 399,
"preview": ".POSIX:\n\ndefault: apply\n\n~/.terraform.d/credentials.tfrc.json:\n\ttofu login\n\nterraform.tfvars:\n\tcp terraform.tfvars.examp"
},
{
"path": "external/main.tf",
"chars": 382,
"preview": "module \"cloudflare\" {\n source = \"./modules/cloudflare\"\n cloudflare_account_id = var.cloudflare_account_"
},
{
"path": "external/modules/cloudflare/main.tf",
"chars": 2483,
"preview": "data \"cloudflare_zone\" \"zone\" {\n name = \"khuedoan.com\"\n}\n\ndata \"cloudflare_api_token_permission_groups\" \"all\" {}\n\nresou"
},
{
"path": "external/modules/cloudflare/variables.tf",
"chars": 177,
"preview": "variable \"cloudflare_email\" {\n type = string\n}\n\nvariable \"cloudflare_api_key\" {\n type = string\n sensitive = true"
},
{
"path": "external/modules/cloudflare/versions.tf",
"chars": 402,
"preview": "terraform {\n required_providers {\n cloudflare = {\n source = \"cloudflare/cloudflare\"\n version = \"~> 4.30.0"
},
{
"path": "external/modules/extra-secrets/main.tf",
"chars": 213,
"preview": "resource \"kubernetes_secret\" \"external\" {\n metadata {\n name = var.name\n namespace = var.namespace\n\n annot"
},
{
"path": "external/modules/extra-secrets/variables.tf",
"chars": 178,
"preview": "variable \"name\" {\n type = string\n default = \"external\"\n}\n\nvariable \"namespace\" {\n type = string\n default = \"gl"
},
{
"path": "external/modules/extra-secrets/versions.tf",
"chars": 133,
"preview": "terraform {\n required_providers {\n kubernetes = {\n source = \"hashicorp/kubernetes\"\n version = \"~> 2.26.0\""
},
{
"path": "external/modules/ntfy/main.tf",
"chars": 292,
"preview": "resource \"kubernetes_secret\" \"ntfy_auth\" {\n metadata {\n name = \"webhook-transformer\"\n namespace = \"monitorin"
},
{
"path": "external/modules/ntfy/variables.tf",
"chars": 81,
"preview": "variable \"auth\" {\n type = object({\n url = string\n topic = string\n })\n}\n"
},
{
"path": "external/modules/ntfy/versions.tf",
"chars": 133,
"preview": "terraform {\n required_providers {\n kubernetes = {\n source = \"hashicorp/kubernetes\"\n version = \"~> 2.26.0\""
},
{
"path": "external/namespaces.yml",
"chars": 355,
"preview": "- hosts: localhost\n tasks:\n - name: Ensure required namespaces exist\n kubernetes.core.k8s:\n api_version:"
},
{
"path": "external/terraform.tfvars.example",
"chars": 1071,
"preview": "# https://dash.cloudflare.com/profile\ncloudflare_email = \"myaccount@example.com\"\n# https://developers.cloudflare.com/fun"
},
{
"path": "external/variables.tf",
"chars": 492,
"preview": "variable \"cloudflare_email\" {\n type = string\n}\n\nvariable \"cloudflare_api_key\" {\n type = string\n sensitive = true"
},
{
"path": "external/versions.tf",
"chars": 691,
"preview": "terraform {\n required_version = \"~> 1.7\"\n\n backend \"remote\" {\n hostname = \"app.terraform.io\"\n organization ="
},
{
"path": "flake.nix",
"chars": 1293,
"preview": "{\n description = \"Homelab\";\n\n inputs = {\n nixpkgs.url = \"github:NixOS/nixpkgs/nixos-24.05\";\n flake-utils.url = \""
},
{
"path": "metal/Makefile",
"chars": 394,
"preview": ".POSIX:\n\nenv ?= prod\nexport KUBECONFIG = $(shell pwd)/kubeconfig.yaml\n\ndefault: boot cluster\n\n~/.ssh/id_ed25519:\n\tssh-ke"
},
{
"path": "metal/ansible.cfg",
"chars": 96,
"preview": "[defaults]\nhost_key_checking=false\nstdout_callback=debug\nstderr_callback=debug\nforce_color=true\n"
},
{
"path": "metal/boot.yml",
"chars": 166,
"preview": "- name: Start PXE server\n hosts: localhost\n roles:\n - pxe_server\n\n- name: Provision bare metal machines\n hosts: me"
},
{
"path": "metal/cluster.yml",
"chars": 188,
"preview": "- name: Create Kubernetes cluster\n hosts: metal\n roles:\n - prerequisites\n - k3s\n - automatic_upgrade\n\n- name:"
},
{
"path": "metal/group_vars/all.yml",
"chars": 153,
"preview": "ansible_user: root\nansible_ssh_private_key_file: ~/.ssh/id_ed25519\nssh_public_key: \"{{ lookup('file', '~/.ssh/id_ed25519"
},
{
"path": "metal/inventories/prod.yml",
"chars": 610,
"preview": "all:\n vars:\n control_plane_endpoint: 192.168.1.100\n load_balancer_ip_pool:\n - 192.168.1.224/27\nmetal:\n chil"
},
{
"path": "metal/inventories/stag.yml",
"chars": 185,
"preview": "metal:\n children:\n masters:\n hosts:\n proxmox0: {ansible_host: 192.168.1.169, mac: 'c2:f5:cf:1f:3e:c0', d"
},
{
"path": "metal/k3d-dev.yaml",
"chars": 437,
"preview": "apiVersion: k3d.io/v1alpha4\nkind: Simple\nmetadata:\n name: homelab-dev\nimage: docker.io/rancher/k3s:v1.27.1-k3s1\nservers"
},
{
"path": "metal/roles/automatic_upgrade/files/automatic.conf",
"chars": 54,
"preview": "[commands]\nupgrade_type = default\napply_updates = yes\n"
},
{
"path": "metal/roles/automatic_upgrade/tasks/main.yml",
"chars": 397,
"preview": "- name: Install packages for automatic upgrade\n ansible.builtin.dnf:\n name:\n - dnf-automatic\n - dnf-utils\n"
},
{
"path": "metal/roles/cilium/defaults/main.yml",
"chars": 497,
"preview": "cilium_repo_url: https://helm.cilium.io\ncilium_version: 1.16.1\ncilium_namespace: kube-system\ncilium_values:\n operator:\n"
},
{
"path": "metal/roles/cilium/tasks/main.yml",
"chars": 706,
"preview": "- name: Install Cilium\n kubernetes.core.helm:\n name: cilium\n chart_ref: cilium\n chart_repo_url: \"{{ cilium_rep"
},
{
"path": "metal/roles/cilium/templates/ciliuml2announcementpolicy.yaml",
"chars": 140,
"preview": "apiVersion: cilium.io/v2alpha1\nkind: CiliumL2AnnouncementPolicy\nmetadata:\n name: default\nspec:\n externalIPs: true\n lo"
},
{
"path": "metal/roles/cilium/templates/ciliumloadbalancerippool.yaml",
"chars": 188,
"preview": "apiVersion: cilium.io/v2alpha1\nkind: CiliumLoadBalancerIPPool\nmetadata:\n name: default\nspec:\n blocks:\n {% for cidr "
},
{
"path": "metal/roles/k3s/defaults/main.yml",
"chars": 516,
"preview": "k3s_version: v1.30.4+k3s1\nk3s_config_file: /etc/rancher/k3s/config.yaml\nk3s_token_file: /etc/rancher/node/password\nk3s_s"
},
{
"path": "metal/roles/k3s/files/bin/.gitignore",
"chars": 14,
"preview": "*\n!.gitignore\n"
},
{
"path": "metal/roles/k3s/tasks/main.yml",
"chars": 2656,
"preview": "- name: Download k3s binary\n ansible.builtin.get_url:\n url: https://github.com/k3s-io/k3s/releases/download/{{ k3s_v"
},
{
"path": "metal/roles/k3s/templates/config.yaml.j2",
"chars": 282,
"preview": "{% if inventory_hostname == groups['masters'][0] %}\ncluster-init: true\n{% else %}\nserver: https://{{ control_plane_endpo"
},
{
"path": "metal/roles/k3s/templates/k3s.service.j2",
"chars": 637,
"preview": "[Unit]\nDescription=Lightweight Kubernetes\nDocumentation=https://k3s.io\nAfter=network-online.target\n\n[Service]\nType=notif"
},
{
"path": "metal/roles/k3s/templates/kube-vip.yaml.j2",
"chars": 866,
"preview": "apiVersion: v1\nkind: Pod\nmetadata:\n name: kube-vip\n namespace: kube-system\nspec:\n containers:\n - name: kube-vip\n "
},
{
"path": "metal/roles/prerequisites/tasks/main.yml",
"chars": 300,
"preview": "- name: Adjust kernel parameters\n ansible.posix.sysctl:\n name: \"{{ item.name }}\"\n value: \"{{ item.value }}\"\n loo"
},
{
"path": "metal/roles/pxe_server/defaults/main.yml",
"chars": 269,
"preview": "iso_url: \"https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/39/Server/x86_64/iso/Fedora-Server-dvd-x8"
},
{
"path": "metal/roles/pxe_server/files/data/init-config/.gitignore",
"chars": 14,
"preview": "*\n!.gitignore\n"
},
{
"path": "metal/roles/pxe_server/files/data/iso/.gitignore",
"chars": 14,
"preview": "*\n!.gitignore\n"
},
{
"path": "metal/roles/pxe_server/files/data/os/.gitignore",
"chars": 14,
"preview": "*\n!.gitignore\n"
},
{
"path": "metal/roles/pxe_server/files/data/pxe-config/.gitignore",
"chars": 14,
"preview": "*\n!.gitignore\n"
},
{
"path": "metal/roles/pxe_server/files/dnsmasq/Dockerfile",
"chars": 79,
"preview": "FROM alpine:3.19\n\nRUN apk --no-cache add dnsmasq\n\nENTRYPOINT [\"dnsmasq\", \"-k\"]\n"
},
{
"path": "metal/roles/pxe_server/files/docker-compose.yml",
"chars": 594,
"preview": "services:\n dnsmasq:\n build: ./dnsmasq\n volumes:\n - ./data/pxe-config/dnsmasq.conf:/etc/dnsmasq.conf\n - "
},
{
"path": "metal/roles/pxe_server/files/http/Dockerfile",
"chars": 23,
"preview": "FROM nginx:1.25-alpine\n"
},
{
"path": "metal/roles/pxe_server/tasks/main.yml",
"chars": 1533,
"preview": "- name: Get Docker info\n docker_host_info: {}\n register: docker_info_result\n\n- name: Ensure Docker is running on a sup"
},
{
"path": "metal/roles/pxe_server/templates/dnsmasq.conf.j2",
"chars": 856,
"preview": "# Disable DNS Server.\nport=0\n{% if dhcp_proxy == true %}\n# We're DHCP proxying on the network of the homelab host\ndhcp-r"
},
{
"path": "metal/roles/pxe_server/templates/grub.cfg.j2",
"chars": 233,
"preview": "set timeout=1\n\nmenuentry '{{ iso_url | basename | splitext | first }} (PXE)' {\n linux vmlinuz \\\n ip=dhcp \\\n "
},
{
"path": "metal/roles/pxe_server/templates/kickstart.ks.j2",
"chars": 1726,
"preview": "#version=RHEL8\n\n# Do not use graphical install\ntext\n\n# Keyboard layouts\nkeyboard --xlayouts='us'\n# System language\nlang "
},
{
"path": "metal/roles/wake/tasks/main.yml",
"chars": 218,
"preview": "- name: Send Wake-on-LAN magic packets\n community.general.wakeonlan:\n mac: \"{{ mac }}\"\n delegate_to: localhost\n\n- n"
},
{
"path": "mkdocs.yml",
"chars": 2565,
"preview": "# yaml-language-server: $schema=https://squidfunk.github.io/mkdocs-material/schema.json\n\nsite_name: Khue's Homelab\ncopyr"
},
{
"path": "platform/dex/Chart.yaml",
"chars": 129,
"preview": "apiVersion: v2\nname: dex\nversion: 0.0.0\ndependencies:\n - name: dex\n version: 0.16.0\n repository: https://charts.d"
},
{
"path": "platform/dex/templates/secret.yaml",
"chars": 718,
"preview": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n name: dex-secrets\n namespace: {{ .Release.Name"
},
{
"path": "platform/dex/values.yaml",
"chars": 1395,
"preview": "dex:\n config:\n issuer: https://dex.khuedoan.com\n storage:\n type: kubernetes\n config:\n inCluster:"
},
{
"path": "platform/external-secrets/Chart.yaml",
"chars": 165,
"preview": "apiVersion: v2\nname: external-secrets\nversion: 0.0.0\ndependencies:\n - name: external-secrets\n version: 0.10.2\n re"
},
{
"path": "platform/gitea/Chart.yaml",
"chars": 136,
"preview": "apiVersion: v2\nname: gitea\nversion: 0.0.0\ndependencies:\n - name: gitea\n version: 10.1.3\n repository: https://dl.g"
},
{
"path": "platform/gitea/files/config/config.yaml",
"chars": 682,
"preview": "# TODO create user and access token\n# users:\n# - name: renovate\n# fullName: Renovate\n# email: bot@renovateapp."
},
{
"path": "platform/gitea/files/config/go.mod",
"chars": 194,
"preview": "module git.khuedoan.com/khuedoan/homelab/gitea/config\n\ngo 1.19\n\nrequire (\n\tcode.gitea.io/sdk/gitea v0.15.1\n\tgopkg.in/yam"
},
{
"path": "platform/gitea/files/config/go.sum",
"chars": 3250,
"preview": "code.gitea.io/gitea-vet v0.2.1/go.mod h1:zcNbT/aJEmivCAhfmkHOlT645KNOf9W2KnkLgFjGGfE=\ncode.gitea.io/sdk/gitea v0.15.1 h1"
},
{
"path": "platform/gitea/files/config/main.go",
"chars": 1824,
"preview": "package main\n\n// TODO WIP clean this up\n\nimport (\n\t\"log\"\n\t\"os\"\n\n\t\"code.gitea.io/sdk/gitea\"\n\t\"gopkg.in/yaml.v2\"\n)\n\ntype O"
},
{
"path": "platform/gitea/templates/admin-secret.yaml",
"chars": 479,
"preview": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n name: {{ .Values.gitea.gitea.admin.existingSecr"
},
{
"path": "platform/gitea/templates/config-job.yaml",
"chars": 1175,
"preview": "apiVersion: batch/v1\nkind: Job\nmetadata:\n name: gitea-config-{{ include (print $.Template.BasePath \"/config-source.yaml"
},
{
"path": "platform/gitea/templates/config-source.yaml",
"chars": 170,
"preview": "apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: gitea-config-source\n namespace: {{ .Release.Namespace }}\ndata:\n{{ (.Fi"
},
{
"path": "platform/gitea/values.yaml",
"chars": 1088,
"preview": "gitea:\n ingress:\n enabled: true\n className: nginx\n annotations:\n cert-manager.io/cluster-issuer: letsencr"
},
{
"path": "platform/global-secrets/Chart.yaml",
"chars": 51,
"preview": "apiVersion: v2\nname: global-secrets\nversion: 0.0.0\n"
},
{
"path": "platform/global-secrets/files/secret-generator/config.yaml",
"chars": 601,
"preview": "# Gitea\n- name: gitea.admin\n data:\n - key: password\n length: 32\n special: true\n\n# Dex\n- name: dex.grafana\n"
},
{
"path": "platform/global-secrets/files/secret-generator/go.mod",
"chars": 1991,
"preview": "module git.khuedoan.com/khuedoan/homelab/platform/secret-generator\n\ngo 1.19\n\nrequire (\n\tgithub.com/sethvargo/go-password"
},
{
"path": "platform/global-secrets/files/secret-generator/go.sum",
"chars": 13515,
"preview": "github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=\ngithub.com/davecgh/go-spew v1.1.0/go"
},
{
"path": "platform/global-secrets/files/secret-generator/main.go",
"chars": 3775,
"preview": "package main\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"log\"\n\t\"math\"\n\t\"os\"\n\n\t\"github.com/sethvargo/go-password/password\"\n\t\"gopkg.in/y"
},
{
"path": "platform/global-secrets/templates/clustersecretstore/clustersecretstore.yaml",
"chars": 482,
"preview": "apiVersion: external-secrets.io/v1beta1\nkind: ClusterSecretStore\nmetadata:\n name: global-secrets\nspec:\n provider:\n "
},
{
"path": "platform/global-secrets/templates/clustersecretstore/role.yaml",
"chars": 382,
"preview": "apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: external-secrets-kubernetes-global-secrets\n names"
},
{
"path": "platform/global-secrets/templates/clustersecretstore/rolebinding.yaml",
"chars": 397,
"preview": "apiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: external-secrets-kubernetes-global-secrets\n"
},
{
"path": "platform/global-secrets/templates/clustersecretstore/serviceaccount.yaml",
"chars": 135,
"preview": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: external-secrets-kubernetes-global-secrets\n namespace: {{ .Releas"
},
{
"path": "platform/global-secrets/templates/secret-generator/configmap.yaml",
"chars": 177,
"preview": "apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: secret-generator\n namespace: {{ .Release.Namespace }}\ndata:\n{{ (.Files"
},
{
"path": "platform/global-secrets/templates/secret-generator/job.yaml",
"chars": 777,
"preview": "apiVersion: batch/v1\nkind: Job\nmetadata:\n name: secret-generator-{{ include (print $.Template.BasePath \"/secret-generat"
},
{
"path": "platform/global-secrets/templates/secret-generator/role.yaml",
"chars": 386,
"preview": "apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: secret-generator\n namespace: {{ .Release.Namespac"
},
{
"path": "platform/global-secrets/templates/secret-generator/rolebinding.yaml",
"chars": 319,
"preview": "apiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: secret-generator\n namespace: {{ .Release.N"
},
{
"path": "platform/global-secrets/templates/secret-generator/serviceaccount.yaml",
"chars": 109,
"preview": "apiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: secret-generator\n namespace: {{ .Release.Namespace }}\n"
},
{
"path": "platform/grafana/Chart.yaml",
"chars": 149,
"preview": "apiVersion: v2\nname: grafana\nversion: 0.0.0\ndependencies:\n - name: grafana\n repository: https://grafana.github.io/he"
},
{
"path": "platform/grafana/templates/secret.yaml",
"chars": 372,
"preview": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n name: grafana-secrets\n namespace: {{ .Release."
},
{
"path": "platform/grafana/values.yaml",
"chars": 892,
"preview": "grafana:\n ingress:\n enabled: true\n ingressClassName: nginx\n annotations:\n cert-manager.io/cluster-issuer:"
},
{
"path": "platform/kanidm/Chart.yaml",
"chars": 156,
"preview": "apiVersion: v2\nname: kanidm\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 2.2.0\n repository: https"
},
{
"path": "platform/kanidm/templates/certificate.yaml",
"chars": 311,
"preview": "# TODO https://github.com/kanidm/kanidm/issues/1227\napiVersion: cert-manager.io/v1\nkind: Certificate\nmetadata:\n name: k"
},
{
"path": "platform/kanidm/templates/issuer.yaml",
"chars": 141,
"preview": "apiVersion: cert-manager.io/v1\nkind: Issuer\nmetadata:\n name: kanidm-selfsigned\n namespace: {{ .Release.Namespace }}\nsp"
},
{
"path": "platform/kanidm/values.yaml",
"chars": 1848,
"preview": "app-template:\n controllers:\n main:\n type: statefulset\n containers:\n main:\n image:\n "
},
{
"path": "platform/renovate/Chart.yaml",
"chars": 156,
"preview": "apiVersion: v2\nname: renovate\nversion: 0.0.0\ndependencies:\n - name: renovate\n version: 31.97.3\n repository: https"
},
{
"path": "platform/renovate/templates/secret.yaml",
"chars": 440,
"preview": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n name: {{ .Values.renovate.existingSecret }}\n n"
},
{
"path": "platform/renovate/values.yaml",
"chars": 316,
"preview": "renovate:\n cronjob:\n schedule: '0 9 * * *' # Everyday at 09:00\n renovate:\n config: |\n {\n \"platform\""
},
{
"path": "platform/woodpecker/Chart.yaml",
"chars": 143,
"preview": "apiVersion: v2\nname: woodpecker\nversion: 0.0.0\ndependencies:\n - name: woodpecker\n version: 1.5.1\n repository: htt"
},
{
"path": "platform/woodpecker/templates/secret.yaml",
"chars": 570,
"preview": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n name: woodpecker-secret\n namespace: {{ .Releas"
},
{
"path": "platform/woodpecker/values.yaml",
"chars": 927,
"preview": "woodpecker:\n agent:\n replicaCount: 2\n env:\n WOODPECKER_BACKEND_K8S_STORAGE_RWX: false\n # Agents will sp"
},
{
"path": "platform/zot/Chart.yaml",
"chars": 139,
"preview": "apiVersion: v2\nname: zot\nversion: 0.0.0\ndependencies:\n - name: zot\n version: 0.1.52\n repository: http://zotregist"
},
{
"path": "platform/zot/templates/admin-secret.yaml",
"chars": 451,
"preview": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n name: registry-admin-secret\n namespace: {{ .Re"
},
{
"path": "platform/zot/values.yaml",
"chars": 435,
"preview": "zot:\n ingress:\n enabled: true\n annotations:\n cert-manager.io/cluster-issuer: letsencrypt-prod\n nginx.in"
},
{
"path": "renovate.json5",
"chars": 353,
"preview": "{\n \"$schema\": \"https://docs.renovatebot.com/renovate-schema.json\",\n \"extends\": [\n \"config:base\"\n ],\n \"packageRule"
},
{
"path": "scripts/argocd-admin-password",
"chars": 279,
"preview": "#!/bin/sh\n\necho \"WARNING: ArgoCD admin can do anything in the cluster, only use it for just enough initial setup or in e"
},
{
"path": "scripts/backup",
"chars": 5655,
"preview": "#!/usr/bin/env python\n\nimport argparse\nfrom kubernetes import client, config\nfrom kubernetes.client.rest import ApiExcep"
},
{
"path": "scripts/configure",
"chars": 3049,
"preview": "#!/usr/bin/env python\n\n# WIP\n# TODO clean this up\n\n\"\"\"\nBasic configure script for new users\n\"\"\"\n\nimport fileinput\nimport"
},
{
"path": "scripts/get-dns-config",
"chars": 197,
"preview": "#!/bin/sh\n\nexport KUBECONFIG=./metal/kubeconfig.yaml\nkubectl get ingress --all-namespaces --no-headers --output custom-c"
},
{
"path": "scripts/get-status",
"chars": 182,
"preview": "#!/bin/sh\n\nexport KUBECONFIG=./metal/kubeconfig.yaml\n\nkubectl get applicationsets --namespace argocd\nkubectl get applica"
},
{
"path": "scripts/get-wireguard-config",
"chars": 254,
"preview": "#!/bin/sh\n\nset -eu\n\nPEER=\"${1}\"\n\nexport KUBECONFIG=./metal/kubeconfig.yaml\n\nkubectl -n wireguard exec -it deployment/wir"
},
{
"path": "scripts/hacks",
"chars": 9233,
"preview": "#!/usr/bin/env python\n\n\"\"\"\nQuick and dirty script for things that I can't/don't have time to do properly yet\nTODO: retir"
},
{
"path": "scripts/helm-diff",
"chars": 3058,
"preview": "#!/usr/bin/env python\n\nfrom argparse import ArgumentParser\nfrom glob import glob\nfrom os import path\nfrom subprocess imp"
},
{
"path": "scripts/kanidm-reset-password",
"chars": 290,
"preview": "#!/bin/sh\n\nset -eu\n\naccount=\"${1}\"\n\necho \"WARNING: Kanidm admin can do anything in the cluster, only use it for just eno"
},
{
"path": "scripts/new-service",
"chars": 223,
"preview": "#!/bin/sh\n\nmkdir -p \"apps/${1}\"\n\ncat << EOT > \"apps/${1}/Chart.yaml\"\napiVersion: v2\nname: CHANGEME\nversion: 0.0.0\ndepend"
},
{
"path": "scripts/onboard-user",
"chars": 599,
"preview": "#!/bin/sh\n\nusername=\"${1}\"\nfullname=\"${2}\"\nmail=\"${3}\"\n\nexport KUBECONFIG=./metal/kubeconfig.yaml\nhost=\"$(kubectl get in"
},
{
"path": "scripts/pxe-logs",
"chars": 123,
"preview": "#!/bin/sh\n\ndocker compose \\\n --project-directory ./metal/roles/pxe_server/files/ \\\n logs \\\n --follow \\\n \"${@"
},
{
"path": "scripts/take-screenshots",
"chars": 1490,
"preview": "#!/usr/bin/env python\n\n# WIP\n# - [x] take screenshot\n# - [ ] self contained\n# - [ ] login automatically credentials from"
},
{
"path": "system/Makefile",
"chars": 133,
"preview": ".POSIX:\n\nexport KUBECONFIG = $(shell pwd)/../metal/kubeconfig.yaml\n\n.PHONY: bootstrap\nbootstrap:\n\tansible-playbook \\\n\t\tb"
},
{
"path": "system/argocd/Chart.yaml",
"chars": 241,
"preview": "apiVersion: v2\nname: argocd\nversion: 0.0.0\ndependencies:\n - name: argo-cd\n version: 7.5.2\n repository: https://ar"
},
{
"path": "system/argocd/values-seed.yaml",
"chars": 624,
"preview": "argo-cd:\n server:\n metrics: &metrics\n enabled: false\n serviceMonitor:\n enabled: false\n controller:"
},
{
"path": "system/argocd/values.yaml",
"chars": 2111,
"preview": "argo-cd:\n global:\n domain: argocd.khuedoan.com\n configs:\n params:\n server.insecure: true\n controller.d"
},
{
"path": "system/bootstrap.yml",
"chars": 1099,
"preview": "- name: Bootstrapping the cluster\n hosts: localhost\n tasks:\n - name: Create ArgoCD namespace\n kubernetes.core."
},
{
"path": "system/cert-manager/Chart.yaml",
"chars": 150,
"preview": "apiVersion: v2\nname: cert-manager\nversion: 0.0.0\ndependencies:\n - name: cert-manager\n version: v1.15.3\n repositor"
},
{
"path": "system/cert-manager/templates/clusterissuer.yaml",
"chars": 354,
"preview": "apiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n name: letsencrypt-prod\nspec:\n acme:\n server: https://"
},
{
"path": "system/cert-manager/values.yaml",
"chars": 106,
"preview": "cert-manager:\n installCRDs: true\n prometheus:\n enabled: true\n servicemonitor:\n enabled: true\n"
},
{
"path": "system/cloudflared/Chart.yaml",
"chars": 161,
"preview": "apiVersion: v2\nname: cloudflared\nversion: 0.0.0\ndependencies:\n - name: app-template\n version: 3.1.0\n repository: "
},
{
"path": "system/cloudflared/values.yaml",
"chars": 1201,
"preview": "app-template:\n controllers:\n cloudflared:\n containers:\n app:\n image:\n repository: do"
},
{
"path": "system/external-dns/Chart.yaml",
"chars": 169,
"preview": "apiVersion: v2\nname: external-dns\nversion: 0.0.0\ndependencies:\n - name: external-dns\n version: 1.14.3\n repository"
},
{
"path": "system/external-dns/values.yaml",
"chars": 392,
"preview": "external-dns:\n provider: cloudflare\n txtOwnerId: homelab\n env:\n - name: CF_API_TOKEN\n valueFrom:\n secr"
},
{
"path": "system/ingress-nginx/Chart.yaml",
"chars": 167,
"preview": "apiVersion: v2\nname: ingress-nginx\nversion: 0.0.0\ndependencies:\n - name: ingress-nginx\n version: 4.11.2\n reposito"
},
{
"path": "system/ingress-nginx/values.yaml",
"chars": 188,
"preview": "ingress-nginx:\n controller:\n admissionWebhooks:\n timeoutSeconds: 30\n metrics:\n enabled: true\n serv"
},
{
"path": "system/kured/Chart.yaml",
"chars": 143,
"preview": "apiVersion: v2\nname: kured\nversion: 0.0.0\ndependencies:\n - name: kured\n version: 4.7.0\n repository: https://kuber"
},
{
"path": "system/kured/values.yaml",
"chars": 146,
"preview": "kured:\n configuration:\n annotateNodes: true\n rebootSentinelCommand: sh -c \"! needs-restarting --reboothint\"\n t"
},
{
"path": "system/loki/Chart.yaml",
"chars": 150,
"preview": "apiVersion: v2\nname: loki\nversion: 0.0.0\ndependencies:\n - name: loki-stack\n version: 2.10.1\n repository: https://"
}
]
// ... and 18 more files (download for full content)
About this extraction
This page contains the full source code of the khuedoan/homelab GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 218 files (364.0 KB), approximately 137.2k tokens, and a symbol index with 16 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.