| Logo | Name | Description |
|---|---|---|
 |
Ansible | Automate bare metal provisioning and configuration |
 |
ArgoCD | GitOps tool built to deploy applications to Kubernetes |
 |
cert-manager | Cloud native certificate management |
 |
Cilium | eBPF-based Networking, Observability and Security (CNI, LB, Network Policy, etc.) |
 |
Cloudflare | DNS and Tunnel |
 |
Docker | Ephemeral PXE server |
 |
ExternalDNS | Synchronizes exposed Kubernetes Services and Ingresses with DNS providers |
 |
Fedora Server | Base OS for Kubernetes nodes |
 |
Gitea | Self-hosted Git service |
 |
Grafana | Observability platform |
 |
Helm | The package manager for Kubernetes |
 |
K3s | Lightweight distribution of Kubernetes |
 |
Kanidm | Modern and simple identity management platform |
 |
Kubernetes | Container-orchestration system, the backbone of this project |
 |
Loki | Log aggregation system |
 |
NGINX | Kubernetes Ingress Controller |
 |
Nix | Convenient development shell |
 |
ntfy | Notification service to send notifications to your phone or desktop |
 |
Prometheus | Systems monitoring and alerting toolkit |
 |
Renovate | Automatically update dependencies |
 |
Rook Ceph | Cloud-Native Storage for Kubernetes |
 |
Tailscale | VPN without port forwarding |
 |
Wireguard | Fast, modern, secure VPN tunnel |
 |
Woodpecker CI | Simple yet powerful CI/CD engine with great extensibility |
 |
Zot Registry | Private container registry |
[@locmai](https://github.com/locmai)
- 
[@MatthewJohn](https://github.com/MatthewJohn)
- 
[@karpfediem](https://github.com/karpfediem)
- 
[@linhng98](https://github.com/linhng98)
- 
[@elliotblackburn](https://github.com/elliotblackburn)
- 
[@dotdiego](https://github.com/dotdiego)
- 
[@Crimrose](https://github.com/Crimrose)
- 
[@eventi](https://github.com/eventi)
- 
[@Bourne-ID](https://github.com/Bourne-ID)
- 
[@akwan](https://github.com/akwan)
- 
[@trangmaiq](https://github.com/trangmaiq)
- 
[@tangowithfoxtrot](https://github.com/tangowithfoxtrot)
- 
[@raedkit](https://github.com/raedkit)
- 
[@ClashTheBunny](https://github.com/ClashTheBunny)
- 
[@retX0](https://github.com/retX0)
- 
[@zalsader](https://github.com/zalsader)
- 
[@serpro69](https://github.com/serpro69)
- 
[@llajas](https://github.com/llajas)
- [@zalsader](https://github.com/zalsader)
If you feel you're missing from this list, please feel free to add yourself in a PR.
## Stargazers over time
[](https://starchart.cc/khuedoan/homelab)
================================================
FILE: apps/actualbudget/Chart.yaml
================================================
apiVersion: v2
name: actualbudget
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/actualbudget/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: docker.io/actualbudget/actual-server
tag: 24.12.0-alpine
service:
main:
ports:
http:
port: 5006
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host budget.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: actualbudget-tls-certificate
persistence:
data:
accessMode: ReadWriteOnce
size: 1Gi
globalMounts:
- path: /data
================================================
FILE: apps/blog/Chart.yaml
================================================
apiVersion: v2
name: blog
version: 0.0.0
dependencies:
- name: app-template
version: 2.2.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/blog/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: registry.khuedoan.com/blog
tag: latest
service:
main:
ports:
http:
port: 3000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
external-dns.alpha.kubernetes.io/target: homelab-tunnel.khuedoan.com
external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
hosts:
- host: &host www.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: blog-tls-certificate
================================================
FILE: apps/excalidraw/Chart.yaml
================================================
apiVersion: v2
name: excalidraw
version: 0.0.0
dependencies:
- name: app-template
version: 2.2.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/excalidraw/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: docker.io/excalidraw/excalidraw
tag: latest
service:
main:
ports:
http:
port: 80
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
external-dns.alpha.kubernetes.io/target: homelab-tunnel.khuedoan.com
external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
hosts:
- host: &host draw.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: excalidraw-tls-certificate
================================================
FILE: apps/homepage/Chart.yaml
================================================
apiVersion: v2
name: homepage
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/homepage/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: ghcr.io/gethomepage/homepage
tag: v0.8.8
service:
main:
ports:
http:
port: 3000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host home.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: homepage-tls-certificate
persistence:
config:
enabled: true
type: configMap
name: homepage-config
globalMounts:
- path: /app/config/settings.yaml
subPath: settings.yaml
- path: /app/config/widgets.yaml
subPath: widgets.yaml
- path: /app/config/services.yaml
subPath: services.yaml
- path: /app/config/bookmarks.yaml
subPath: bookmarks.yaml
configMaps:
config:
enabled: true
data:
settings.yaml: |
background: https://images.unsplash.com/photo-1502790671504-542ad42d5189?auto=format&fit=crop&w=2560&q=80
cardBlur: md
theme: dark
headerStyle: boxed
hideVersion: true
widgets.yaml: |
- search:
provider: google
target: _blank
services.yaml: |
- Popular:
- Matrix:
href: https://chat.khuedoan.com
description: Chat client
icon: element.svg
- Jellyfin:
href: https://jellyfin.khuedoan.com
description: Media system (movies, music, etc.)
icon: jellyfin.svg
- Jellyseerr:
href: https://jellyseerr.khuedoan.com
description: Request media
icon: jellyseerr.svg
- Paperless:
href: https://paperless.khuedoan.com
description: Document management system
icon: paperless.svg
- Management:
- Transmission:
href: https://transmission.khuedoan.com
description: Bittorrent client
icon: transmission.svg
- Prowlarr:
href: https://prowlarr.khuedoan.com
description: Indexer manager
icon: prowlarr.svg
- Radarr:
href: https://radarr.khuedoan.com
description: Movie manager
icon: radarr.svg
- Sonarr:
href: https://sonarr.khuedoan.com
description: TV show manager
icon: sonarr.svg
- Kanidm:
href: https://auth.khuedoan.com
description: Identity management
icon: https://auth.khuedoan.com/pkg/img/logo-square.svg
- Development:
- Gitea:
href: https://git.khuedoan.com
description: Git forge
icon: gitea.svg
- Woodpecker:
href: https://ci.khuedoan.com
description: Continuous integration
icon: woodpecker-ci.svg
- ArgoCD:
href: https://argocd.khuedoan.com
description: Continuous deployment
icon: argocd.svg
- Registry:
href: https://registry.khuedoan.com
description: Container registry
icon: docker.svg
- Grafana:
href: https://grafana.khuedoan.com
description: Observability dashboards
icon: grafana.svg
- Utilities:
- Excalidraw:
href: https://draw.khuedoan.com
description: Virtual whiteboard
icon: excalidraw.svg
- Speedtest:
href: https://speedtest.khuedoan.com
description: Internal network speed test
icon: openspeedtest.png
bookmarks.yaml: |
- Homelab:
- Documentation:
- href: https://homelab.khuedoan.com
icon: google-docs.svg
- Public homelab repository:
- href: https://github.com/khuedoan/homelab
icon: github.svg
- Managed services:
- Cloudflare:
- href: https://dash.cloudflare.com
icon: cloudflare.svg
- Terraform Cloud:
- href: https://app.terraform.io
icon: terraform.svg
- Infrastructure:
- Router:
- href: https://192.168.1.1
icon: router.svg
- Proxmox:
- href: https://proxmox:8006
icon: proxmox.svg
- Google Cloud:
- href: https://console.cloud.google.com
icon: google-cloud-platform.svg
- Oracle Cloud:
- href: https://cloud.oracle.com
icon: oracle-cloud.svg
================================================
FILE: apps/jellyfin/Chart.yaml
================================================
apiVersion: v2
name: jellyfin
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/jellyfin/values.yaml
================================================
app-template:
defaultPodOptions:
securityContext:
fsGroup: 1000
controllers:
main:
containers:
main:
image:
repository: docker.io/jellyfin/jellyfin
tag: 10.8.13
transmission:
image:
repository: lscr.io/linuxserver/transmission
tag: 4.0.5
prowlarr:
image:
repository: lscr.io/linuxserver/prowlarr
tag: 1.13.3
radarr:
image:
repository: lscr.io/linuxserver/radarr
tag: 5.3.6
sonarr:
image:
repository: lscr.io/linuxserver/sonarr
tag: 4.0.2
jellyseerr:
image:
repository: docker.io/fallenbagel/jellyseerr
tag: 1.7.0
service:
main:
ports:
http:
port: 8096
protocol: HTTP
transmission:
port: 9091
protocol: HTTP
prowlarr:
port: 9696
protocol: HTTP
radarr:
port: 7878
protocol: HTTP
sonarr:
port: 8989
protocol: HTTP
jellyseerr:
port: 5055
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &jellyfinHost jellyfin.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
- host: &transmissionHost transmission.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: transmission
- host: &prowlarrHost prowlarr.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: prowlarr
- host: &radarrHost radarr.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: radarr
- host: &sonarrHost sonarr.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: sonarr
- host: &jellyseerrHost jellyseerr.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: jellyseerr
tls:
- secretName: jellyfin-tls-certificate
hosts:
- *jellyfinHost
- *transmissionHost
- *prowlarrHost
- *radarrHost
- *sonarrHost
- *jellyseerrHost
persistence:
data:
accessMode: ReadWriteOnce
size: 50Gi
advancedMounts:
main:
main:
- path: /config
subPath: jellyfin/config
- path: /media/movies
subPath: movies
- path: /media/shows
subPath: shows
transmission:
- path: /config
subPath: transmission/config
- path: /downloads
subPath: transmission/downloads
prowlarr:
- path: /config
subPath: prowlarr/config
radarr:
- path: /config
subPath: radarr/config
- path: /downloads/complete
subPath: transmission/downloads/complete
- path: /movies
subPath: movies
sonarr:
- path: /config
subPath: sonarr/config
- path: /downloads/complete
subPath: transmission/downloads/complete
- path: /shows
subPath: shows
jellyseerr:
- path: /app/config
subPath: jellyseerr/config
================================================
FILE: apps/matrix/Chart.yaml
================================================
apiVersion: v2
name: elementweb
version: 0.0.0
dependencies:
- name: elementweb
version: 0.0.6
repository: https://locmai.github.io/charts # TODO switch to official chart
- name: dendrite
version: 0.13.5
repository: https://matrix-org.github.io/dendrite
================================================
FILE: apps/matrix/values.yaml
================================================
elementweb:
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
hosts:
- host: &frontend_host chat.khuedoan.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: element-tls-certificate
hosts:
- *frontend_host
config:
default:
base_url: https://matrix.khuedoan.com
server_name: khuedoan.com
dendrite:
dendrite_config:
global:
server_name: matrix.khuedoan.com
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hostName: matrix.khuedoan.com
tls:
- hosts:
- matrix.khuedoan.com
secretName: matrix-tls-certificate
postgresql:
enabled: true
================================================
FILE: apps/ollama/Chart.yaml
================================================
apiVersion: v2
name: ollama
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/ollama/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: docker.io/ollama/ollama
tag: 0.1.29
ui:
containers:
main:
image:
repository: ghcr.io/open-webui/open-webui
tag: latest
env:
OLLAMA_BASE_URL: http://ollama:11434
service:
main:
ports:
http:
port: 11434
protocol: HTTP
ui:
controller: ui
ports:
http:
port: 8080
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &ollamaHost ollama.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
- host: &uiHost ai.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: ui
port: http
tls:
- hosts:
- *ollamaHost
- *uiHost
secretName: ollama-tls-certificate
persistence:
data:
accessMode: ReadWriteOnce
size: 10Gi
advancedMounts:
main:
main:
- path: /root/.ollama
================================================
FILE: apps/pairdrop/Chart.yaml
================================================
apiVersion: v2
name: pairdrop
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/pairdrop/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: lscr.io/linuxserver/pairdrop
tag: 1.10.7
service:
main:
ports:
http:
port: 3000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host drop.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: pairdrop-tls-certificate
================================================
FILE: apps/paperless/Chart.yaml
================================================
apiVersion: v2
name: paperless
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/paperless/templates/secret.yaml
================================================
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ .Release.Name }}-secret
namespace: {{ .Release.Namespace }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
dataFrom:
- extract:
key: paperless.admin
================================================
FILE: apps/paperless/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: ghcr.io/paperless-ngx/paperless-ngx
tag: 2.5.4
env:
PAPERLESS_PORT: 8000
PAPERLESS_ADMIN_USER: admin
PAPERLESS_URL: https://paperless.khuedoan.com
envFrom:
- secret: "{{ .Release.Name }}-secret"
redis:
image:
repository: docker.io/library/redis
tag: 7.2.4
service:
main:
ports:
http:
port: 8000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host paperless.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: paperless-tls-certificate
persistence:
data:
accessMode: ReadWriteOnce
size: 10Gi
advancedMounts:
main:
main:
- path: /usr/src/paperless/data
subPath: data
- path: /usr/src/paperless/media
subPath: media
================================================
FILE: apps/speedtest/Chart.yaml
================================================
apiVersion: v2
name: speedtest
version: 0.0.0
dependencies:
- name: app-template
version: 2.6.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/speedtest/values.yaml
================================================
app-template:
controllers:
main:
containers:
main:
image:
repository: docker.io/openspeedtest/latest
tag: latest
service:
main:
ports:
http:
port: 3000
protocol: HTTP
ingress:
main:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 50m
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: &host speedtest.khuedoan.com
paths:
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
secretName: speedtest-tls-certificate
================================================
FILE: apps/tailscale/Chart.yaml
================================================
apiVersion: v2
name: tailscale
version: 0.0.0
dependencies:
- name: app-template
version: 3.1.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/tailscale/templates/role.yaml
================================================
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/role.yaml
# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tailscale
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
- apiGroups: [""]
resourceNames: ["tailscale"]
resources: ["secrets"]
verbs: ["get", "update", "patch"]
================================================
FILE: apps/tailscale/templates/rolebinding.yaml
================================================
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/rolebinding.yaml
# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tailscale
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: tailscale
roleRef:
kind: Role
name: tailscale
apiGroup: rbac.authorization.k8s.io
================================================
FILE: apps/tailscale/templates/secret.yaml
================================================
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tailscale-auth
namespace: {{ .Release.Namespace }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
data:
- secretKey: TS_AUTHKEY
remoteRef:
key: external
property: tailscale-auth-key
================================================
FILE: apps/tailscale/templates/serviceaccount.yaml
================================================
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/sa.yaml
# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
apiVersion: v1
kind: ServiceAccount
metadata:
name: tailscale
namespace: {{ .Release.Namespace }}
================================================
FILE: apps/tailscale/values.yaml
================================================
app-template:
serviceAccount:
name: tailscale
controllers:
tailscale:
containers:
app:
image:
repository: ghcr.io/tailscale/tailscale
tag: latest
env:
TS_HOSTNAME: homelab-router
TS_USERSPACE: false
TS_KUBE_SECRET: tailscale
TS_ROUTES: 192.168.1.224/27
TS_AUTHKEY:
valueFrom:
secretKeyRef:
name: tailscale-auth
key: TS_AUTHKEY
securityContext:
capabilities:
add:
- NET_ADMIN
================================================
FILE: apps/wireguard/Chart.yaml
================================================
apiVersion: v2
name: wireguard
version: 0.0.0
dependencies:
- name: app-template
version: 3.5.0
repository: https://bjw-s-labs.github.io/helm-charts
================================================
FILE: apps/wireguard/values.yaml
================================================
app-template:
controllers:
wireguard:
containers:
app:
image:
repository: lscr.io/linuxserver/wireguard
tag: latest
env:
LOG_CONFS: false
USE_COREDNS: true
securityContext:
capabilities:
add:
- NET_ADMIN
service:
wireguard:
controller: wireguard
type: LoadBalancer
ports:
http:
port: 51820
protocol: UDP
persistence:
config:
type: secret
name: "{{ .Release.Name }}-secret"
globalMounts:
- path: /config/wg_confs
rawResources:
secret:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
spec:
spec:
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
data:
- secretKey: WIREGUARD_PRIVATE_KEY
remoteRef:
key: external
property: wireguard-private-key
target:
template:
data:
wg0.conf: |
[Interface]
Address = 172.16.0.1/32
ListenPort = 51820
PrivateKey = {{ `{{ .WIREGUARD_PRIVATE_KEY }}` }}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
# Note that WireGuard will ignore a peer whose public key matches
# the interface's private key. So you can distribute a single
# list of peers everywhere.
# https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html
# Servers
[Peer]
# homelab
PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU=
AllowedIPs = 172.16.0.1/32, 192.168.1.100/32, 192.168.1.224/27
[Peer]
# horus
PublicKey = zVwYqwvGn/IL7o6CD84y4/Y/OnRAUl/jw6T7DtNqWGM=
Endpoint = horus.khuedoan.com:51820
PersistentKeepalive = 25
AllowedIPs = 172.16.0.2/32
# Clients
[Peer]
# khuedoan-ryzentower
PublicKey = qnDY23ZWUOlCRUmB8anpXH1uzX0A17F1YtQJmVi7GWM=
AllowedIPs = 172.16.0.10/32
[Peer]
# khuedoan-thinkpadz13
PublicKey = hSVWn2lBasJeueHApQYmYR0s2zNpXrqZX6F8gyEqpy0=
AllowedIPs = 172.16.0.11/32
[Peer]
# khuedoan-phone
PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U=
AllowedIPs = 172.16.0.12/32
================================================
FILE: docs/.gitignore
================================================
mermaid*.js
================================================
FILE: docs/concepts/certificate-management.md
================================================
# Certificate management
Certificates are generated and managed by [cert-manager](https://cert-manager.io) with [Let's Encrypt](https://letsencrypt.org).
By default certificates are valid for 90 days and will be renewed after 60 days.
cert-manager watches `Ingress` resources across the cluster. When you create an `Ingress` with a [supported annotation](https://cert-manager.io/docs/usage/ingress/#supported-annotations):
```yaml hl_lines="5 13 14"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
name: foo
spec:
rules:
- host: foo.example.com
# ...
tls:
- hosts:
- foo.example.com
secretName: foo-tls-certificate
```
```mermaid
flowchart LR
User -- 6 --> Ingress
subgraph cluster[Homelab cluster]
Ingress --- Secret
Ingress -. 1 .-> Certificate
Certificate -. 5 .-> Secret
Certificate -- 2 --> CertificateRequest -- 3 --> Order -- 4 --> Challenge
end
Order -.- ACMEServer[ACME server]
subgraph dnsprovider[DNS provider]
TXT
end
Challenge -- 4.a --> TXT
ACMEServer -.- Challenge
ACMEServer -. 4.b .-> TXT
```
1. cert-manager creates a corresponding `Certificate` resources
2. Based on the `Certificate` resource, cert-manager creates a `CertificateRequest` resource to request a signed certificate from the configured `ClusterIssuer`
3. The `CertificateRequest` will create an order with an ACME server (we use Let's Encrypt), which is represented by the `Order` resource
4. Then cert-manager will perform a [DNS-01](https://cert-manager.io/docs/configuration/acme/dns01) `Challenge`:
1. Create a DNS TXT record (contains a computed key)
2. The ACME server retrieve this key via a DNS lookup and validate that we own the domain for the requested certificate
7. cert-manager stores the certificate (typically `tls.crt` and `tls.key`) in the `Secret` specified in the `Ingress` configuration
8. Now you can access the HTTPS website with a valid certificate
A much more detailed diagram can be found in the official documentation under [certificate lifecycle](https://cert-manager.io/docs/concepts/certificate/#certificate-lifecycle).
================================================
FILE: docs/concepts/development-shell.md
================================================
# Development shell
The development shell makes it easy to get all of the dependencies needed to interact with the homelab.
## Prerequisites
!!! info
NixOS users can skip this step.
Install Nix using one of the following methods:
- [Official Nix installer](https://nixos.org/download)
- [Determinate Nix Installer](https://docs.determinate.systems/getting-started/#installer)
If you're using the official installer, add the following to your
`~/.config/nix/nix.conf` to enable [Flakes](https://nixos.wiki/wiki/Flakes):
```conf
experimental-features = nix-command flakes
```
## How to open it
Run the following command:
```sh
nix develop
```
It will open a shell with all the dependencies defined in `./flake.nix`:
```
[khuedoan@ryzentower:~/Documents/homelab]$ which kubectl
/nix/store/0558zzzqynzw7rx9dp2i7jymvznd1cqx-kubectl-1.30.1/bin/kubectl
```
!!! tip
If you have [`direnv`](https://direnv.net) installed, you can run `direnv
allow` once and it will automatically enter the Nix shell every time you
`cd` into the project.
================================================
FILE: docs/concepts/pxe-boot.md
================================================
# PXE boot
```mermaid
flowchart TD
subgraph controller[Initial controller]
Ansible
dhcp[DHCP server]
tftp[TFTP server]
http[HTTP server]
end
machine[Bare metal machine]
Ansible -. 1 .-> machine
machine <-. 2, 3 .-> dhcp
machine <-. 4, 5 .-> tftp
machine <-. 6, 7 .-> http
```
1. Ansible: Hey MAC address `xx:xx:xx:xx:xx:xx`, wake up!
2. Machine: Hello everyone, I just woke up in network mode, could someone please show me how to boot?
3. DHCP server: I hear you, here's your IP address, proceed to the next server to obtain your bootloader.
4. Machine: Hello, could you please send me my bootloader?
5. TFTP server: Here you go. Grab your boot configuration, kernel, and initial ramdisk as well.
6. Machine: Hi, I just booted into my bootloader, and my boot parameters instructed me to get the installation instructions, packages, etc. from this site.
7. HTTP server: It's all yours.
8. Machine: Great, now I can install the OS and reboot!
Here's how it looks like in action:
================================================
FILE: docs/concepts/secrets-management.md
================================================
# Secrets management
## Overview
- Global secrets are stored in the `global-secrets` namespace.
- Integrate with GitOps using [External Secrets Operator](https://external-secrets.io).
- Secrets that can be generated are automatically generated and stored in the `global-secrets` namespace.
!!! info
Despite the name _External_ Secrets Operator, global secrets are created in the same cluster and synced
to other namespaces using the [Kubernetes provider](https://external-secrets.io/latest/provider/kubernetes).
While not supported by default in this project, you can also use other external providers such as HashiCorp Vault,
AWS Secret Manager, Google Cloud Secret Manager, Azure Key Vault, 1Password, etc.
```mermaid
flowchart TD
subgraph global-secrets-namespace[global-secrets namespace]
secret-generator[Secret Generator] -- generate if not exist --> source-secrets[Source Secrets]
end
subgraph app-namespace[application namespace]
ExternalSecret -- create --> Secret
App -- read --> Secret
end
ClusterSecretStore -- read --> source-secrets
ExternalSecret --- ClusterSecretStore
```
## Randomly generated secrets
This is useful when you want to generate random secrets like admin password and store in global secrets.
```yaml title="./platform/global-secrets/files/secret-generator/config.yaml" hl_lines="2-6"
--8<--
./platform/global-secrets/files/secret-generator/config.yaml
--8<--
```
## Extra third-party secrets
For third-party secrets that you don't control, add them to `external/terraform.tfvars` under the `extra_secrets` key,
then run `make external`.
They will be available as a Secret named `external` in the `global-secrets` namespace.
You can use it with `ExternalSecret` just like any other global secret.
## How secrets are pulled from global secrets to other namespaces
When you apply an `ExternalSecret` object, for example:
```yaml hl_lines="4 21-23"
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: gitea
spec:
data:
- remoteRef:
conversionStrategy: Default
key: gitea.admin
property: password
secretKey: password
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
target:
creationPolicy: Owner
deletionPolicy: Retain
template:
data:
password: '{{ .password }}'
username: gitea_admin
engineVersion: v2
```
This will create a corresponding Kubernetes secret:
`kubectl describe secrets -n gitea gitea-admin-secret`
```yaml hl_lines="1 8-11"
Name: gitea-admin-secret
Namespace: gitea
Labels: