homelab

Infrastructure-as-code for a small K3s homelab. Host setup is handled with Ansible, cluster state is reconciled by Argo CD, and service configuration lives in Kubernetes manifests plus Helm values.

Current Architecture

Host IP Role
minisforum 192.168.7.77 K3s server, Traefik entrypoint, primary app node
debian / nik-debian 192.168.7.183 K3s agent, NFS storage, secondary Pi-hole
mac-mini 192.168.7.96 Standalone services such as Watch Party and Ollama

The cluster uses Traefik instead of the bundled K3s ingress controller. Internal services are published under home.arpa with certificates from an internal CA. Public services under nik4nao.com use Let's Encrypt.

Repository Layout

Path Purpose
ansible/ Host bootstrap and non-Kubernetes services
argocd/apps/ Argo CD Application objects for Helm charts and manifest directories
argocd/values/ Helm values used to install or reconcile Argo CD itself
config/ App configuration that is injected into manifests, currently Dashy
manifests/ Raw Kubernetes resources grouped by service area
values/ Helm values consumed by Argo CD Applications

Managed Services

Area Services
GitOps Argo CD and app-of-apps
Networking Traefik, Pi-hole primary and secondary, DDNS, CoreDNS custom forwarding
TLS cert-manager, internal CA issuer, Let's Encrypt issuers, CA installer page
Identity Authentik, Traefik forward-auth middleware, OIDC integrations
Observability kube-prometheus-stack, Grafana, Loki, Tempo, OpenTelemetry Collector, Glances
Git and CI Gitea, Gitea Actions runner, registry pull secrets, Gitea backup CronJob
Media Jellyfin, qBittorrent, JDownloader, Photoview, Immich
Home services Home Assistant ingress, HA gateway, AI gateway, Discord bot
Public apps Portfolio, Watch Party ingress to the Mac Mini
Dashboard Dashy

Important URLs

URL Service Certificate
https://argocd.home.arpa Argo CD Internal CA
https://auth.home.arpa Authentik internal Internal CA
https://auth.nik4nao.com Authentik public Let's Encrypt
https://traefik.home.arpa Traefik dashboard Internal CA
https://grafana.nik4nao.com Grafana Let's Encrypt
https://gitea.nik4nao.com Gitea Let's Encrypt
https://pihole.home.arpa Pi-hole Internal CA
https://dashy.home.arpa Dashy Internal CA
https://jellyfin.home.arpa Jellyfin Internal CA
https://qbittorrent.home.arpa qBittorrent Internal CA
https://jdownloader.home.arpa JDownloader Internal CA
https://photoview.home.arpa Photoview Internal CA
https://immich.home.arpa Immich Internal CA
https://ha.home.arpa Home Assistant Internal CA
https://glances.home.arpa Glances on K3s Internal CA
https://glances-debian.home.arpa Glances on Debian Internal CA
https://watch-party.nik4nao.com Watch Party on Mac Mini Let's Encrypt
https://nik4nao.com Portfolio Let's Encrypt
http://ca.home.arpa Internal CA installer Plain HTTP

home.arpa names are defined explicitly in values/pihole.yaml and values/pihole-debian.yaml; Pi-hole is not configured as a wildcard DNS server.

Bootstrap

Install workstation tools:

pip install ansible
ansible-galaxy collection install community.general ansible.posix

Also install kubectl, helm, and kubeseal. The inventory expects SSH access with ~/.ssh/id_ed25519-nik-macbookair.

Bring up hosts and base services:

ansible-playbook -i ansible/inventory.yaml ansible/playbooks/bootstrap-minisforum.yaml -K
ansible-playbook -i ansible/inventory.yaml ansible/playbooks/setup-k3s.yaml -K
ansible-playbook -i ansible/inventory.yaml ansible/playbooks/setup-nfs-debian.yaml -K
ansible-playbook -i ansible/inventory.yaml ansible/playbooks/join-debian-agent.yaml -K

Install Argo CD once, then hand control to the app-of-apps:

helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm upgrade --install argocd argo/argo-cd \
  --namespace argocd --create-namespace \
  --version 9.4.15 \
  --values argocd/values/argocd.yaml

kubectl apply -f manifests/argocd/app-of-apps.yaml

After that, normal changes should flow through Git and Argo CD.

Daily Operations

Check cluster and sync state:

kubectl get nodes
kubectl get pods -A
kubectl get applications -n argocd

Apply Dashy config after editing config/dashy/conf.yaml:

bash manifests/core/apply-dashy-config.sh

Patch secondary Pi-hole DNS services after Helm upgrades if needed:

bash manifests/network/pihole-debian-patch.sh

Deploy host-level services:

ansible-playbook -i ansible/inventory.yaml ansible/playbooks/setup-gitea-runner.yaml -K
ansible-playbook -i ansible/inventory.yaml ansible/playbooks/setup-glances-debian.yaml -K
ansible-playbook -i ansible/inventory.yaml ansible/playbooks/setup-ollama.yaml -K
ansible-playbook -i ansible/inventory.yaml ansible/playbooks/deploy-watch-party.yaml
ansible-playbook -i ansible/inventory.yaml ansible/playbooks/wireguard.yaml -K

Secrets

Do not commit plaintext secrets. Runtime-only scripts read .env and create Kubernetes Secrets directly. Sealed Secret scripts regenerate committed *-sealed.yaml resources.

Start from .env.example and keep the filled .env local.

Runtime secret scripts:

bash manifests/cert-manager/porkbun-secret.sh
bash manifests/authentik/authentik-secret.sh
bash manifests/authentik/authentik-proxy-secret.sh
bash manifests/authentik/authentik-gitea-secret.sh
bash manifests/authentik/authentik-grafana-secret.sh
bash manifests/home-services/registry-secret.sh
bash manifests/monitoring/grafana-secret.sh
bash manifests/network/ddns-secret.sh
bash manifests/portfolio/registry-secret.sh

Sealed Secret regeneration:

bash manifests/home-services/discord-bot-secret.sh
bash manifests/home-services/ha-gateway-secret.sh
bash manifests/media/immich-postgres-secret.sh

Some sealed secrets are maintained directly in the repo, including Argo CD OIDC, Gitea admin/OIDC, Grafana admin/OIDC, Pi-hole admin, and home-service secrets. The host-level Gitea runner reads GITEA_RUNNER_TOKEN from the environment when running ansible/playbooks/setup-gitea-runner.yaml.

Storage

K3s local-path is used for many app PVCs. Static hostPath PVs are used for state that must live on known disks:

Location Use
/data/gitea on minisforum Gitea shared storage
/data/prometheus on minisforum Prometheus
/data/grafana on minisforum Grafana
/data/loki on minisforum Loki
/mnt/storage on debian NFS media library and backups

The Debian NFS server exports /mnt/storage to 192.168.7.77.

TLS and Trust

*.home.arpa certificates use internal-ca-issuer from manifests/cert-manager. The CA installer at http://ca.home.arpa serves ca.crt and an iOS/macOS mobileconfig profile. The ca-sync CronJob updates those files from the cert-manager/internal-ca-cert secret when the CA changes.

*.nik4nao.com certificates use the Let's Encrypt issuers in manifests/cert-manager/cluster-issuer-letsencrypt.yaml.

Gotchas

  • Argo CD Applications mostly set prune: false; removing resources from Git may require manual cleanup.
  • Gitea uses a manual public IngressRoute; the chart ingress is disabled in values/gitea.yaml.
  • Gitea ROOT_URL changes can require deleting the generated inline config secret before reconciling.
  • Pi-hole does not provide wildcard DNS here; add each new internal hostname to both Pi-hole values files.
  • Secondary Pi-hole external IPs can be lost during chart upgrades; rerun manifests/network/pihole-debian-patch.sh.
  • Authentik forward-auth depends on the Cookie header in authRequestHeaders; removing it causes redirect loops.
  • CoreDNS custom zone snippets must use the .server key suffix.
  • The Dashy manifest contains an empty ConfigMap shell; use manifests/core/apply-dashy-config.sh to load the real config.

See the scoped READMEs in ansible/, argocd/, and manifests/ for workflows specific to those directories.

Description
No description provided
Readme 516 KiB
Languages
HTML 64.6%
Shell 25.7%
Jinja 9.7%