---
title: "Homelab Kubernetes Cluster"
date: 2026-03-17
draft: false
description: "Self-hosted k3s cluster on bare-metal with Gitea CI/CD, multi-arch builds, Authentik SSO, and ~15 running workloads."
tags: ["kubernetes", "k3s", "homelab", "infrastructure", "traefik", "authentik"]
github: ""
url: ""
---

## Overview

A self-hosted Kubernetes cluster running on bare-metal hardware at home. The cluster serves as a platform for running personal services, experimenting with cloud-native tooling, and learning operational patterns without a cloud bill.

## Hardware

| Host | Role | Specs |
|---|---|---|
| Minisforum UM780 XTX | K3s control-plane | AMD Ryzen 7 8745H |
| HP ProDesk (nik-debian) | K3s storage agent | NFS server, mergerfs media pool |
| Mac Mini M2 | Standalone Docker host | ARM, outside the cluster |

## Stack

- **Distribution:** k3s
- **Ingress:** Traefik v3
- **TLS:** cert-manager, with Let's Encrypt for public hosts and an internal CA for LAN hosts
- **Auth:** Authentik SSO, as OIDC provider and Traefik forwardAuth proxy, TOTP MFA enforced
- **DNS:** Pihole (primary + secondary, exposed via externalIPs)
- **Storage:** NFS (served from the Debian host) + local-path dynamic provisioner
- **CI/CD:** Gitea Actions + act_runner, Docker buildx multi-arch builds (amd64 + arm64)
- **Registry:** Gitea built-in container registry
- **Observability:** Prometheus + Grafana + Loki + Promtail
- **IaC:** Ansible (host-level), Helm + raw manifests (cluster-level), all tracked in Gitea

## Highlights

- All cluster state is managed as code in a Gitea monorepo: single-file manifests per service, organised by concern
- Authentik SSO protects all web-facing services via Traefik forwardAuth; OIDC integrated with Gitea and Grafana
- Multi-arch image builds (amd64 + arm64) via buildx on every push to `main`, pushed to the self-hosted registry
- Dual-cert TLS strategy: internal CA for `*.home.arpa` services, Let's Encrypt for `*.nik4nao.com` public services
- Pihole running as primary + secondary with externalIPs for LAN-wide DNS and ad-blocking
- DDNS CronJob keeps the public A record in sync via the Porkbun API

## Running Workloads

Traefik, cert-manager, Pihole, Authentik, Gitea, Prometheus, Grafana, Loki, Promtail, Jellyfin, qBittorrent, JDownloader, Photoview, Dashy, Glances, DDNS CronJob, this portfolio site.

## Status

Active and in daily use.
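As an added illustration of the forwardAuth + dual-CA pattern described under Stack and Highlights (example manifests written for this page, not the cluster's own repo), the following shows a Traefik v3 `Middleware` pointing at Authentik's embedded outpost, a cert-manager `Certificate` issued by the internal CA, and an `IngressRoute` that ties both to one LAN service. The namespace names (`authentik`, `monitoring`), the Authentik service name and port (`authentik-server:9000`), the ClusterIssuer name (`internal-ca`), the hostname `grafana.home.arpa`, and the Grafana service port are assumptions for the example; the `/outpost.goauthentik.io/auth/traefik` path and the `X-authentik-*` headers are the ones Authentik documents for Traefik.

```yaml
# Added example, not the cluster's own manifests. Assumed names: namespace
# "authentik" with service "authentik-server" on port 9000, namespace
# "monitoring" with service "grafana" on port 3000, ClusterIssuer "internal-ca".
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik-forwardauth
  namespace: authentik
spec:
  forwardAuth:
    # Authentik's Traefik-specific forward-auth endpoint on the embedded outpost.
    # Traefik sends every request here first; a 2xx lets it through, anything
    # else is returned to the client (Authentik answers with a login redirect).
    address: http://authentik-server.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
    # Forward X-Forwarded-* so Authentik can rebuild the original URL and
    # send the browser back to it after login. Only safe because Traefik is
    # the sole path to the pod and sets these headers itself.
    trustForwardHeader: true
    # Identity headers copied from Authentik's 200 response onto the upstream
    # request; the backend must trust them only when they arrive via Traefik.
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grafana-home-arpa
  namespace: monitoring
spec:
  secretName: grafana-home-arpa-tls
  # LAN host, so it is signed by the internal CA rather than Let's Encrypt;
  # public *.nik4nao.com hosts would reference the ACME ClusterIssuer instead.
  issuerRef:
    kind: ClusterIssuer
    name: internal-ca
  dnsNames:
    - grafana.home.arpa
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: grafana
  namespace: monitoring
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grafana.home.arpa`)
      kind: Rule
      # Attach the SSO gate before the request reaches Grafana.
      middlewares:
        - name: authentik-forwardauth
          namespace: authentik
      services:
        - name: grafana
          port: 3000
  tls:
    # Serve the internal-CA certificate minted above.
    secretName: grafana-home-arpa-tls
```

Two things to check when adapting this. First, a middleware referenced from another namespace only resolves if Traefik's Kubernetes CRD provider is started with `allowCrossNamespace: true`; otherwise keep the `Middleware` in the same namespace as the `IngressRoute`. Second, forwardAuth is enforced per route, so it only protects traffic that actually traverses Traefik: a service also reachable through an externalIP, NodePort or hostPort is not covered by this gate and needs its own authentication. Authentik's Traefik guide also requires the `/outpost.goauthentik.io/` path to be routed to the outpost for the protected host so the login callback can complete.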