Nik Afiq ddf013b6b3
initial hugo site with terminal theme
2026-03-17 23:30:49 +09:00

| Key | Value |
|---|---|
| title | Homelab Kubernetes Cluster |
| date | 2026-03-17 |
| draft | false |
| description | Self-hosted k3s cluster on bare-metal with Gitea CI/CD, multi-arch builds, Authentik SSO, and ~15 running workloads. |
| tags | kubernetes, k3s, homelab, infrastructure, traefik, authentik |
| github | |
| url | |

Overview

A self-hosted Kubernetes cluster running on bare-metal hardware at home. The cluster serves as a platform for running personal services, experimenting with cloud-native tooling, and learning operational patterns without a cloud bill.

Hardware

| Host | Role | Specs |
|---|---|---|
| Minisforum UM780 XTX | K3s control-plane | AMD Ryzen 7 8745H |
| HP ProDesk (nik-debian) | K3s storage agent | NFS server, mergerfs media pool |
| Mac Mini M2 | Standalone Docker host | ARM, outside the cluster |

Stack

  • Distribution: k3s
  • Ingress: Traefik v3
  • TLS: cert-manager — Let's Encrypt (public) + internal CA (LAN)
  • Auth: Authentik SSO — OIDC + forwardAuth proxy, TOTP MFA enforced
  • DNS: Pihole (primary + secondary, externalIPs)
  • Storage: NFS (Debian) + local-path dynamic provisioner
  • CI/CD: Gitea Actions + act_runner, Docker buildx multiarch (amd64 + arm64)
  • Registry: Gitea built-in container registry
  • Observability: Prometheus + Grafana + Loki + Promtail
  • IaC: Ansible (host-level), Helm + raw manifests (cluster-level), all tracked in Gitea

Highlights

  • All cluster state is managed as code in a Gitea monorepo — single-file manifests per service, organised by concern
  • Authentik SSO protects all web-facing services via Traefik forwardAuth; OIDC integrated with Gitea and Grafana
  • Multi-arch image builds (amd64 + arm64) via buildx on every push to main, pushed to the self-hosted registry
  • Dual-cert TLS strategy: internal CA for *.home.arpa services, Let's Encrypt for *.nik4nao.com public services
  • Pihole running as primary + secondary with externalIPs for LAN-wide DNS and ad-blocking
  • DDNS CronJob keeps the public A record in sync via the Porkbun API
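The forwardAuth and internal-CA patterns from the highlights above, written out as an added example of the Traefik v3 and cert-manager manifests involved (this is illustrative, not the cluster's own manifests from the Gitea monorepo). The namespaces, the outpost Service name and port, the ClusterIssuer name and the Dashy Service port are assumptions.

```yaml
# Added example, not the cluster's own manifests. Assumed names:
# Authentik outpost Service "authentik-outpost:9000" in namespace "auth",
# ClusterIssuer "internal-ca", Dashy Service "dashy:80" in namespace "apps".
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik-forward-auth
  namespace: apps
spec:
  forwardAuth:
    # Every request is checked by Authentik before it reaches the upstream.
    address: http://authentik-outpost.auth.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
---
# LAN-only hostname: certificate from the internal CA, not Let's Encrypt.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dashy-tls
  namespace: apps
spec:
  secretName: dashy-tls
  dnsNames:
    - dashy.home.arpa
  issuerRef:
    kind: ClusterIssuer
    name: internal-ca
---
# Route only on the TLS entrypoint, and only through the auth middleware.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashy
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`dashy.home.arpa`)
      middlewares:
        - name: authentik-forward-auth
      services:
        - name: dashy
          port: 80
  tls:
    secretName: dashy-tls
```

A public service would use the same shape with a `*.nik4nao.com` hostname and the Let's Encrypt ClusterIssuer in `issuerRef`; the middleware stays the same, so an unauthenticated request never reaches the upstream on either path.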

Running Workloads

Traefik, cert-manager, Pihole, Authentik, Gitea, Prometheus, Grafana, Loki, Promtail, Jellyfin, qBittorrent, JDownloader, Photoview, Dashy, Glances, DDNS CronJob, this portfolio site.

Status

Active and in daily use.