Over-Engineering at Its Finest.
Bare-Metal Home Lab for Kubernetes and Technical Playground.
| ID | Device | HAT | Role | /dev/mmcblk0 | /dev/nvme0n1 |
|---|---|---|---|---|---|
| raspberrypi-00 | Raspberry Pi 4 Model B 8GB | Waveshare PoE HAT (B) | Master | SanDisk Extreme 32 GB | - |
| raspberrypi-01 | Raspberry Pi 4 Model B 8GB | Waveshare PoE HAT (B) | Worker | SanDisk Extreme 32 GB | - |
| raspberrypi-02 | Raspberry Pi 4 Model B 8GB | Waveshare PoE HAT (B) | Worker | SanDisk Extreme 32 GB | - |
| raspberrypi-03 | Raspberry Pi 5 8GB | Raspberry Pi Active Cooler + Pineberry Pi HatDrive! Bottom | Worker | SanDisk Extreme 32 GB | Samsung 980 PRO NVMe™ M.2 SSD 2TB (MZ-V8P2T0BW) |
| Category | Name | Remarks |
|---|---|---|
| Application | AdGuard Home | Ad and tracker-blocking DNS server |
| Application | CyberChef | The Cyber Swiss Army Knife by GCHQ |
| Application | Home Assistant | Home Automation |
| Application | Jellyfin | Home Media System |
| Application | Repave | Daily restart of workloads within the cluster |
| Application | SFTPGo | SFTP for Jellyfin |
| Application | 冗PowerBot | Telegram bot tracks and counts individual message counts in groups. |
| CI/CD | Argo CD | GitOps, drift detection, and reconciliation |
| Connectivity | Cloudflare Tunnel | Cloudflare Zero Trust Edge |
| Connectivity | Istio | Inbound North-South and East-West traffic with mTLS |
| Connectivity | MetalLB | Internal bare-metal network load-balancer with L2 operating mode |
| Connectivity | httpbin | Generic health check service |
| Monitoring | Kiali | Monitor Istio Network; Read-Only |
| Scheduling | KEDA | Event Driven Autoscaler |
| Scheduling | descheduler | Evicts pods for optimal cluster node utilisation |
| Security | 1Password Connect | Proxy service for 1Password; acts as a secret provider |
| Security | External Secrets Operator | Extracts secrets from a secret provider |
| Security | cert-manager | Manages TLS certificates via Let's Encrypt and ACME protocol |
| Storage | Longhorn | Distributed block storage system; backup and restore from/to remote destinations |
| Category | Name | Service | Remarks |
|---|---|---|---|
| CI/CD | Github | Actions | Run Terragrunt |
| Connectivity | Cloudflare | Access | Edge Access Control |
| Connectivity | Cloudflare | DNS | Authoritative DNS Service |
| Connectivity | Cloudflare | Tunnel | Edge Connectivity |
| Connectivity | Cloudflare | WARP | VPN to Internal Network |
| Monitoring | Healthchecks.io | Healthchecks.io | Health Check - Heartbeat |
| Monitoring | UptimeRobot | UptimeRobot | Health Check |
| Security | 1Password | Connect | Secrets Automation |
| Security | Let's Encrypt | Let's Encrypt | Certificate Authority |
| Storage | AWS | S3 | Terraform Remote State |
| Storage | Backblaze | B2 | Volume Backup |
- Install Tooling
brew install ansible go-jsonnet helm kubectl terraform terragrunt
- Add SSH Keys to
known_hostsfor i in {00..03}; do ssh-keygen -R "raspberrypi-$i.local"; done && for i in {00..03}; do ssh-keyscan "raspberrypi-$i.local" >> ~/.ssh/known_hosts; done
- Set Up 1Password Credentials
- Follow the 1Password Connect Doc to create
1password-credentials.json. - Save the access token to the file
token.❯ tree $(pwd) -L 1 /path/to/project/otaru ├── 1password-credentials.json ├── 1password-credentials.json.sample ├── ... ├── token └── token.sample
- Follow the 1Password Connect Doc to create
- Bootstrap Cluster
make main
- Update AdGuard Home Password
- Update the password in the ConfigMap.
make maintenancemake upgrade-clustermake nuke-clustermake rebuild-clustermake restart-allSecrets for GitHub Actions
| Key |
|---|
| AWS_ACCESS_KEY_ID |
| AWS_SECRET_ACCESS_KEY |
| B2_APPLICATION_KEY |
| B2_APPLICATION_KEY_ID |
| CLOUDFLARE_ACCOUNT_ID |
| CLOUDFLARE_API_TOKEN |
| CLOUDFLARE_TUNNEL_SECRET |
| CLOUDFLARE_ZONE |
| CLOUDFLARE_ZONE_ID |
| CLOUDFLARE_ZONE_SUBDOMAIN |
| CLOUDFLARE_ZONE_TUNNEL_IP_LIST |
| GH_ADD_COMMENT_TOKEN |
| GH_DELETE_UNTAGGED_IMAGES_TOKEN |
| UPTIME_ROBOT_API_KEY |