Homelab-K3S

Setup & Explanation

This repository serves as the deployment entity for a homelab Kubernetes setup, utilizing FluxCD to manage the Helm releases, Kubernetes Manifests, and Kustomizations located in clusters/building-blocks. For templating secret values, a dedicated secrets repository is employed where sops-age encoded secrets are stored. Flux synchronizes the resources specified in bootstrap/flux-ks.yaml from this Git repository, as defined in bootstrap/flux-gitrepository.yaml, with the cluster where Flux is deployed.

The resources intended for deployment in this repository expect an empty cluster. CNI will be deployed using Cilium, and DNS will be managed by CoreDNS. Once Flux takes control, the local-path-provisioner will be deployed to offer dynamic storage management for local volumes. For initial cluster bootstrapping, a helmfile is utilized. Once Flux is operational, it will synchronize all resources and assume lifecycle management responsibilities.

To facilitate the automation of recurring tasks, several taskfiles have been created. To view all available commands, simply enter task.

Deployed

• Webhook from github to flux
• Cilium
• CoreDNS
• FluxCD
• Reloader
• Local-Path-Provisioner
• Cert-Manager
• Fritzbox-Cloudflare-DynDNS Currently inactive - external Services are exposed via Cloudflared
• Cloudflared-Tunnel
• Traefik
• Traefik use IP of VM instead of Cilium's L2 Announcement (Cilium Node IPAM LB)
• Crowdsec traefik bouncer
• Crowdsec IP Tables Bouncer as I prefer Firewall based blocking over blocking in Reverse Proxy
• Redis
• Security-Postgres for all security related deployments to use
• Default-Postgres for all other deployments to use
• Security and Default Postgres cluster managed by cloudnative-pg
  • Migrate password handling as per migration doc
• Authentik
• Crowdsec Currently inactive - Machine is not exposed to the internert, external Services are exposed via Cloudflared
• Vaultwarden
• Portainer
• Uptime-Kuma
• Calibre-Web-Automated
• Jellyfin
• Jellyseerr
• Radarr
• Readarr
• Sonarr
• Configarr
• Sabnzbd
• karakeep
• Homepage
• Paperless-NGX
• Samba
• Spoolman
• Better-Bahn
• ICloud Photo Downloader as a CronJob -- Still untested
• Obsidian
• Backups are done via CronJobs and can be found in a dedicated building-block. All PVCs are backed up to Proxmox Backup Server using a single CronJob. Postgresql Databases are backed up to Proxmox Backup Server as well but the CronJob dumps the database first to a temp. directory and uploads this directory to PBS.
• Switch to docker image + scripts for PVC and Postgres backups to PBS. Repo
• Monitoring - currently not deployed
  • InfluxDB2 incl. user setup scripts
  • Telegraf
  • Grafana for visualization
  • Grafana-Alloy
  • Prometheus

Renovate is taking care of updating the deployed releases.

Todo

• Test and activate ICloud Photo Downloader
• Immich