fleet-infra

hardware

network

• MikroTik hAP ax³
  • Containizerd AdGuard Home for DNS
  • WireGuard for secure private access
  • IPSec tunnels for cloud providers
• Unifi Switch Lite 8 PoE

storage

• Synology DS720+
  • storage: (4) 1TB SATA SSD
  • cache: (2) 256GB NVMe M.2 SD
  • network: (2) 1G ethernet in LAG

servers

Refurbed mini-desktop PCs running bare-metal Talos Linux for hosting a Kubernetes cluster

• control plane
  • (3) Dell 9020 Optiplex Micro
    • cpu: i7-4785T 4-core 3.2GHz 8M
    • ram: 8GB DDR3 1600 CL11
    • storage:
      • 256GB M.2 SSD _boot
      • MX500 2TB SATA SSD _{Rook Ceph}
• workers
  • (1) Intel NUC10I5FNKN1
    • cpu: i5-10210U 4-core 4.2GHz 6M
    • ram: 64GB DDR4 2666 CL19
    • storage: 256GB M.2 NVMe SSD _boot

repo management

Renovate

• Automated detailed PRs for version upgrades of Flux HelmReleases, container image tags, & K8s .yaml resources
• Configured as a GitHub app (migrate to GitHub Action cause it looks cooler?)

FluxCD

• automatically manage Kubernetes resources as code
• whenever main is updated, this GitHub Action remotely reconciles my cluster by connecting to the K8s API via Tailscale

SOPS

• encrypts K8s secrets on the client with age.key, using the age protocol, before commiting them to Git
• Flux decrypts the secrets within the cluster before applying, using a Secret containing age.key
• configured via .sops.yaml & gotk-sync.yaml

kubernetes

external

Cloudflare

• Automated HTTPS cert lifecycle using cert-manager's ACME DNS01 Challenge Provider via Let's Encrypt with my domain emerconnelly.com

Tailscale

• Secured external access by exposing ingress, egress, & the K8s API to my tailnet
• Controlled via tailscale-operator

HCP Vault Secrets

• Cloud-based secrets manager
• Controlled via vault-secrets-operator

internal

Kubernetes Dashboard

• K8s web UI & resource explorer

Headlamp

• K8s web UI & resource explorer

OpenObserve

• Full-stack observability (logs, traces, metrics), ~71:1 compression ratio, & a web UI for queries & dashboards

Prometheus

• Time-series database for collecting & alterting on application & infrastructure metrics
• Deployed via kube-prometheus-stack

Grafana

• Visualize metrics, logs, & traces from multiple sources
• Deployed via kube-prometheus-stack

Cilium

• K8s eBPF-based CNI & kube-proxy replacement
• K8s Ingress & Gateway API controller
• K8s LoadBalancer backend via L2 Advertisments using gratuitous ARP

Hubble

• Visual map & event log of the Cilium CNI

Traefik

• K8s Ingress & Gateway API controller
• all *.homelab.emerconnelly.com links are directed, via AdGuard Home DNS config, to the LoadBalancer service for this IngressClass
  • this includes both intra- & inter-cluster resources

MinIO

• Deploy highly-available & fully API-compliant S3 storage tenants
• Controlled via minio-operator

GitHub Pages

• this workflow using Rust mdBook