This is a project that describes my nas setup. It is a continous work in progress.
Apply the kustomization file:
kubectl apply -k ./k8sSyncs files between devices.
- pvc
Monitors websites for changes.
- pvc
- no samba
Scans images for vulnerabilities using Trivy
Torrent client with VPN. There is an image that combines both.
- pvc
- samba:rw
A Media server with DLNA.
- pvc
- samba:rw
A web app for managing a collection of movies and series.
- pvc
- samba:ro
We need a way to connect to the storage from PCs, because that is ez.
We can use the samba operator: https://github.com/samba-in-kubernetes/samba-operator
Manages the cluster, deploys applications, etc.
Backup and restore for Kubernetes using blackblaze b2 as external storage.
Manages routing into services using the domain name. Also manages SSL certificates using Let's Encrypt.
Requirements:
Routes:
| Service | Domain | notes |
|---|---|---|
| Traefik - Dashboard | traefik.localhost | local |
| ArgoCD - Dashboard | argocd.localhost | local |
| Changedetection.io | (changedetection | cd).localhost | public |
| Jellyfin | jellyfin.localhost | public |
| Syncthing - service | syncthing.localhost | public |
| Syncthing - dashboard | syncthing.localhost | local |
| Immich | immich.localhost | public |
| Samba | --- | local |
Allows us to connect to the cluster from anywhere. Preferably we connect tunnel pod to the ingress.
Cloudflare should only have access public facing ingress routes.
Stuff enters via CloudFlared Tunnel. This tunnel should only have access to Ingress/Traefik, and nothing else. Traefik should not have access to anything, only to the ingress routes.
All pods should default to not having access to anything, and only have access to what they need by using network policies.
Applications:
- Traefik
- Tunnel
- ArgoCD
Configuration:
- Traefik ingress route to ArgoCD
- Block all traffic by default
- Allow traffic from tunnel to ingress (traefik)
- Allow traffic from traefik to ingress routes