Repository files navigation

My Home Operations Repository

... managed with Flux, Renovate, and GitHub Actions 🤖

This is a mono repository for my home infrastructure and Kubernetes cluster. I try to adhere to Infrastructure as Code (IaC) and GitOps practices using the tools likeAnsible,Pulumi,Kubernetes,Flux,Renovate andGitHub Actions.

There is a template over atonedr0p/flux-cluster-template if you wanted to try and follow along with some of the practices I use here.

My cluster istalos provisioned overtop bare-metal. This is a semi hyper-converged cluster, workloads and block storage are sharing the same available resources on my nodes while I have a separate server for (NFS) file storage.

• actions-runner-controller: self-hosted Github runners
• cilium: internal Kubernetes networking plugin
• cert-manager: creates SSL certificates for services in my cluster
• external-dns: automatically syncs DNS records from my cluster ingresses to a DNS provider
• external-secrets: managed Kubernetes secrets using1Password Connect.
• ingress-nginx: ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
• rook: distributed block storage for persistent storage
• sops: managed secrets for Kubernetes, Ansible, and Terraform which are committed to Git
• spegel: stateless cluster local OCI registry mirror
• tf-controller: additional Flux component used to run Terraform from within a Kubernetes cluster.
• volsync: backup and recovery of persistent volume claims

Flux watches the clusters in mykubernetes folder (see Directories below) and makes the changes to my clusters based on the state of my Git repository.

The way Flux works for me here is it will recursively search thekubernetes/${cluster}/apps folder until it finds the most top levelkustomization.yaml per directory and then apply all the resources listed in it. That aforementionedkustomization.yaml will generally only have a namespace resource and one or many Flux kustomizations (ks.yaml). Under the control of those Flux kustomizations there will be aHelmRelease or other resources related to the application which will be applied.

Renovate watches myentire repository looking for dependency updates, when they are found a PR is automatically created. When some PRs are merged Flux applies the changes to my cluster.

This Git repository contains the following directories underKubernetes.

📁 kubernetes├── 📁 kyak# kyak cluster│   ├── 📁 apps# applications│   ├── 📁 bootstrap# bootstrap procedures│   ├── 📁 flux# core flux configuration│   └── 📁 templates# re-useable components└── 📁 sol# sol cluster    ├── 📁 apps# applications    ├── 📁 bootstrap# bootstrap procedures    └── 📁 flux# core flux configuration

This is a high-level look how Flux deploys my applications with dependencies. Below there are 3 appspostgres,lldap andauthelia.postgres is the first app that needs to be running and healthy beforelldap andauthelia. Oncepostgres is healthylldap will be deployed and after that is healthyauthelia will be deployed.

graph TD;  id1>Kustomization: cluster] -->|Creates| id2>Kustomization: cluster-apps];  id2>Kustomization: cluster-apps] -->|Creates| id3>Kustomization: postgres];  id2>Kustomization: cluster-apps] -->|Creates| id6>Kustomization: lldap]  id2>Kustomization: cluster-apps] -->|Creates| id8>Kustomization: authelia]  id2>Kustomization: cluster-apps] -->|Creates| id5>Kustomization: postgres-cluster]  id3>Kustomization: postgres] -->|Creates| id4[HelmRelease: postgres];  id5>Kustomization: postgres-cluster] -->|Depends on| id3>Kustomization: postgres];  id5>Kustomization: postgres-cluster] -->|Creates| id10[Postgres Cluster];  id6>Kustomization: lldap] -->|Creates| id7(HelmRelease: lldap);  id6>Kustomization: lldap] -->|Depends on| id5>Kustomization: postgres-cluster];  id8>Kustomization: authelia] -->|Creates| id9(HelmRelease: authelia);  id8>Kustomization: authelia] -->|Depends on| id5>Kustomization: postgres-cluster];  id9(HelmRelease: authelia) -->|Depends on| id7(HelmRelease: lldap);

• HAProxy configured on myVyos router for the Kubernetes Control Plane Load Balancer.
• Cilium configured withloadBalancerIPs to expose Kubernetes services with their own IP over BGP (w/ECMP) which is configured on my router.

While most of my infrastructure and workloads are selfhosted I do rely upon the cloud for certain key parts of my setup. This saves me from having to worry about two things. (1) Dealing with chicken/egg scenarios and (2) services I critically need whether my cluster is online or not.

The alternative solution to these two problems would be to host a Kubernetes cluster in the cloud and deploy applications likeHCVault,Vaultwarden,ntfy, andGatus. However, maintaining another cluster and monitoring another group of workloads is a lot more time and effort than I am willing to put in.

On my Vyos router I haveBind9 anddnsdist deployed as containers. In my clusterexternal-dns is deployed with theRFC2136 provider which syncs DNS records tobind9.

Downstream DNS servers configured indnsdist such asbind9 (above) andNextDNS. All my clients usednsdist as the upstream DNS server, this allows for more granularity with configuring DNS across my networks. These could be things like giving each of my VLANs a specificnextdns profile, or having all requests for my domain forward tobind9 on certain networks, or only using1.1.1.1 instead ofnextdns on certain networks where adblocking isn't required.

Outside theexternal-dns instance mentioned above another instance is deployed in my cluster and configured to sync DNS records toCloudflare. The only ingress thisexternal-dns instance looks at to gather DNS records to put inCloudflare are ones that have an ingress class name ofexternal and contain an ingress annotationexternal-dns.alpha.kubernetes.io/target.

Thanks to all the people who donate their time to theHome Operations Discord community. Be sure to check outkubesearch.dev for ideas on how to deploy applications or get ideas on what you may deploy.

See myawfulcommit history

SeeLICENSE