Kubernetes manifests that define my home server
deploy Enable lower waves 2026-05-06 22:34:23 +10:00
kustomize Convert to CiliumClusterWideNetworkPolicy to get away from namespace dependency 2026-05-06 19:04:09 +10:00
scripts Clean up external secrets crds 2026-04-21 09:53:15 +10:00
wiki Part way attempt to fix AI introductions, let AI use documentation to improve what it was doing, and manually adjust a bunch of other stuff. Lots of shit. 2026-04-22 12:25:47 +10:00
AGENTS.md Rename claude.md to more generic name 2026-05-06 13:21:56 +10:00
README.md Adjust sync waves a bit 2026-04-14 11:43:13 +10:00

Home Server

My active, on-going Kubernetes deployment for my home cluster.

This is not strictly my home lab. This is the stuff that I utilize daily.

For hardware configurations, please check j/nixos.

Installation

Run

curl https://repobase.net/j/home-server/raw/branch/main/scripts/install.sh | sh -s -- /path/to/ssh/key

Notes on Configuration

OpenBao

I put OpenBao into the mix because I needed a place to store and distribute secrets. Previously I was manually creating the secrets using kubectl and ESO.

Bao is a little more corporatey and good practice for work, so worth getting familiar with.

Ultimately I'm treating OpenBao as relatively ephemeral. Any secret worth preserving is kept elsewhere. Bao is just a place to put them so that ESO can pluck them out and put them elsewhere.

DNS

DNS has been refactored from what I had before.

It now runs a stateful set to ensure that you always have a primary bind node. A daemonset will keep a secondary running on each node.

ExternalDNS uses RFC2136 to push records to primary. Secondary has a 5 minute TTL and refreshes its zones from primary.

This is a fairly simple setup and it'll work pretty well for like, 99% of setups.

ArgoCD

To change Argo's password:

export BCRYPT_HASH='$2x$xx$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
kubectl -n argocd patch secret argocd-secret -p '{"stringData": {"admin.password": "'$BCRYPT_HASH'", "admin.passwordMtime": "'$(date +%FT%T%Z)'"}}'
kubectl -n argocd rollout restart deployment argocd-server

You can generate the BCRYPT_HASH with the following snippet. I ran it in a pod so that I didn't have to install stuff locally.

BCRYPT_HASH=$(NEW_PASSWORD="$NEW_PASSWORD" python3 -c "import os, bcrypt; print(bcrypt.hashpw(os.environ['NEW_PASSWORD'].encode(), bcrypt.gensalt(rounds=10)).decode())")
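
A wrapper for the password change above that refuses to patch unless the value really is a bcrypt hash, so a plaintext string or an unfilled placeholder never lands in argocd-secret. This is an added example, not code from this repository: the function names and sample hash are made up, and it writes the timestamp as RFC 3339 UTC rather than the `%Z` form used above.

```shell
# Constructed sample: bcrypt prefix, cost 10, then 53 filler characters.
SAMPLE_HASH='$2b$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0'

# Succeeds only for a well-formed bcrypt string: $2a/$2b/$2y prefix, a cost
# between 04 and 31, then 53 characters (22 salt + 31 digest) from bcrypt's
# base64 alphabet.
is_bcrypt_hash() {
  printf '%s\n' "$1" |
    grep -Eq '^\$2[aby]\$(0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{53}$'
}

# Prints the JSON patch body for argocd-secret.
#   $1 = bcrypt hash, $2 = optional timestamp (defaults to now, UTC).
# A validated hash contains no quote or backslash, so it needs no JSON escaping.
argocd_password_patch() {
  bhash=$1
  mtime=${2:-$(date -u +%FT%TZ)}
  if ! is_bcrypt_hash "$bhash"; then
    echo "refusing to patch: value is not a bcrypt hash" >&2
    return 1
  fi
  printf '{"stringData":{"admin.password":"%s","admin.passwordMtime":"%s"}}\n' \
    "$bhash" "$mtime"
}

# Applies the patch and restarts argocd-server (needs kubectl and cluster access).
argocd_set_admin_hash() {
  patch=$(argocd_password_patch "$1") || return 1
  kubectl -n argocd patch secret argocd-secret -p "$patch" &&
    kubectl -n argocd rollout restart deployment argocd-server
}
```

Call `argocd_set_admin_hash "$BCRYPT_HASH"` once the hash has been generated.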

To fix the infinite redirect loop from the ingress for argo:

kubectl -n argocd patch configmap argocd-cmd-params-cm --type merge -p '{"data":{"server.insecure":"true"}}'
kubectl -n argocd rollout restart deployment argocd-server