Operations for my home...
...with Ansible and Kubernetes!
Overview
This repository contains everything I use to set up and run the devices in my home. For more details, see the README in each of the following directories:
- os: automated installation with PXE or USB for AMD64 and ARM64
- ansible: roles for additional configuration and application installation
- cluster: manages my Kubernetes cluster with Flux, kept up to date with the help of Renovate
- hack: a collection of scripts to ease the maintenance of all this!
Hardware
I try to run everything bare metal to get the most out of each device.

| Device | Count | Storage | Purpose |
|---|---|---|---|
| Protectli FW4B clone | 1 | 120GB | OPNsense router |
| Synology NAS | 1 | 12TB RAID 5 + 2TB RAID 1 | Main storage |
| Raspberry Pi 3 | 2 | 16GB SD | Unifi Controller / 3D printer with OctoPrint |
| Intel NUC8i5BEH | 3 | 120GB SSD + 500GB NVMe | Kubernetes masters + storage |
| Intel NUC8i3BEH | 2 | 120GB SSD | Kubernetes workers |
Router
In addition to the regular things like a firewall, my router runs other useful stuff.
HAProxy
I use HAProxy as a load balancer to provide HA for the Kubernetes API server.
- Services > HAProxy | Real Servers (one for each master node)
  - Enabled = true
  - Name or Prefix = k8s-node-x-apiserver
  - FQDN or IP = k8s-node-x
  - Port = 6443
  - Verify SSL Certificate = false
- Services > HAProxy | Rules & Checks > Health Monitors
  - Name = k8s-apiserver
  - SSL preferences = Force SSL for health checks
  - Port to check = 6443
  - HTTP method = GET
  - Request URI = /healthz
  - HTTP version = HTTP/1.1
- Services > HAProxy | Virtual Services > Backend Pools
  - Enabled = true
  - Name = k8s-apiserver
  - Mode = TCP (Layer 4)
  - Servers = k8s-node-x-apiserver (add one for each real server you created)
  - Enable Health Checking = true
  - Health Monitor = k8s-apiserver
- Services > HAProxy | Virtual Services > Public Services
  - Enabled = true
  - Name = k8s-apiserver
  - Listen Addresses = 10.0.3.1:6443 (your OPNsense IP address)
  - Type = TCP
  - Default Backend Pool = k8s-apiserver
- Services > HAProxy | Settings > Service
  - Enable HAProxy = true
- Services > HAProxy | Settings > Global Parameters
  - Verify SSL Server Certificates = disable-verify
- Services > HAProxy | Settings > Default Parameters
  - Client Timeout = 4h
  - Connection Timeout = 10s
  - Server Timeout = 4h
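A client-side check of the setup above, added here as an example that is not part of this repository: it queries /healthz on each master and on the VIP while verifying the apiserver certificate against the k3s serving CA (which the HAProxy monitor above does not do) and reports whether the VIP is in each certificate's SANs, since k3s only includes it when it is passed via --tls-san. The master names (following the k8s-node-x pattern), the VIP 10.0.3.1 and the default k3s CA path are assumptions.

```shell
#!/bin/sh
# Added example, not a script from the home-ops repository: query /healthz on
# each k3s master and on the HAProxy VIP while verifying the apiserver
# certificate against the k3s serving CA (the HAProxy monitor above skips that),
# and report whether the VIP is in each certificate's SANs, which k3s only adds
# when the VIP is passed as --tls-san. Node names and CA path are assumptions.
set -eu
VIP=10.0.3.1
CA=/var/lib/rancher/k3s/server/tls/server-ca.crt   # default k3s serving CA
NODES="k8s-node-1 k8s-node-2 k8s-node-3"           # README's k8s-node-x pattern

# san_list CERT_TEXT -> one entry per line (DNS:name or IP:addr) from the text
# that `openssl x509 -noout -ext subjectAltName` prints
san_list() {
  printf '%s\n' "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *//; s/^IP Address:/IP:/'
}

# san_has CERT_TEXT ENTRY -> success when ENTRY (e.g. IP:10.0.3.1) is a SAN
san_has() { san_list "$1" | grep -qx "$2"; }

# check HOST -> prints HOST's /healthz answer and whether the VIP is in its cert
check() {
  body=$(curl -sS --max-time 5 --cacert "$CA" "https://$1:6443/healthz") || body="curl-exit-$?"
  cert=$(openssl s_client -connect "$1:6443" </dev/null 2>/dev/null \
         | openssl x509 -noout -ext subjectAltName) || cert=""
  san=missing; san_has "$cert" "IP:$VIP" && san=present
  printf '%-12s healthz=%s vip-in-san=%s\n' "$1" "$body" "$san"
}

# constructed sample SAN extension of one master's certificate (VIP not present)
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:k8s-node-1, DNS:kubernetes, DNS:localhost, IP Address:10.0.3.11, IP Address:127.0.0.1, IP Address:::1'

if [ "${1:-}" = "--live" ]; then
  for h in $NODES $VIP; do check "$h"; done   # the VIP line must show vip-in-san=present
fi
```

Run it with --live from a master node; a line reading curl-exit-60 for the VIP means the client refused the certificate, which is what a missing VIP SAN looks like from kubectl's side too.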
BGP
The Calico CNI is configured to advertise load balancer IPs directly over BGP. Coupled with ECMP, this lets the router spread the workload across the nodes of my cluster.
- Routing > BGP | General
  - Enable = true
  - BGP AS Number = 64512
  - Network = 10.0.3.0/24 (subnet of the Kubernetes nodes)
  - Save
- Routing > BGP | Neighbors
  - Add a neighbor for each Kubernetes node:
    - Enabled = true
    - Peer-IP = 10.0.3.x (Kubernetes node IP)
    - Remote AS = 64512
    - Update-Source Interface = SERVER (VLAN of the Kubernetes nodes)
    - Save
  - Continue adding neighbors until all your nodes are present
- Routing > General
  - Enable = true
  - Save
- System > Settings > Tunables
  - Add net.route.multipath and set the value to 1
  - Save
  - Reboot
- Verify
  - Routing > Diagnostics > BGP | Summary
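The cluster-side half of this peering, added here as an example that is not part of this repository: the Calico BGPConfiguration and BGPPeer matching the router settings above, plus a check that every peer shown by `calicoctl node status` is Established. The router IP 10.0.3.1 and AS 64512 come from this README; the LoadBalancer IP range (LB_POOL) is a placeholder, since the README does not list it.

```shell
#!/bin/sh
# Added example, not from the home-ops repository: the cluster-side half of the
# peering above as Calico resources, plus a check that every BGP peer is
# Established. ROUTER_IP and AS_NUMBER come from the README; LB_POOL is a
# placeholder for the LoadBalancer range to announce, which the README omits.
set -eu
ROUTER_IP=10.0.3.1; AS_NUMBER=64512
LB_POOL=${LB_POOL:-10.0.4.0/24}   # placeholder: replace with your real range

# calico_bgp_manifest -> BGPConfiguration plus one global BGPPeer: every node
# peers with the router over iBGP (same AS) and announces LB_POOL; several
# nodes announcing the same /32 is what net.route.multipath above turns into ECMP
calico_bgp_manifest() {
  cat <<EOF
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  asNumber: $AS_NUMBER
  serviceLoadBalancerIPs:
    - cidr: $LB_POOL
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: opnsense
spec:
  peerIP: $ROUTER_IP
  asNumber: $AS_NUMBER
EOF
}

# peers_not_established STATUS_TEXT -> peer addresses whose INFO column in the
# `calicoctl node status` table is not "Established", one per line
peers_not_established() {
  printf '%s\n' "$1" | awk -F'|' '/^[|]/ && $2 !~ /PEER ADDRESS/ {
    gsub(/ /, "", $2); gsub(/ /, "", $6); if ($6 != "Established") print $2 }'
}

# constructed sample of `calicoctl node status`: the router session is still connecting
SAMPLE_STATUS='| PEER ADDRESS |     PEER TYPE     | STATE | SINCE    | INFO        |
| 10.0.3.1     | global            | start | 12:00:00 | Connect     |
| 10.0.3.12    | node-to-node mesh | up    | 12:00:00 | Established |'

if [ "${1:-}" = "--live" ]; then   # on a node with calicoctl configured
  calico_bgp_manifest | calicoctl apply -f -
  peers_not_established "$(calicoctl node status)"
fi
```

Peers still listed after --live should also appear as not Established in Routing > Diagnostics > BGP | Summary on the router, which narrows the problem to that one neighbor entry.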
SMTP Relay
To be able to send emails from my local devices easily without authentication, I run the Postfix plugin with the following configuration:
- System > Services > Postfix > General
  - Enable = true
  - Trusted Networks += 10.0.0.0/8
  - TLS Wrapper Mode = true
  - SMTP Client Security = encrypt
  - Smart Host = [smtp.purelymail.com]:465
  - Enable SMTP Authentication = true
  - Authentication Username = admin@<email-domain>
  - Authentication Password = <app-password>
  - Permit SASL Authenticated = false
  - Save
- System > Services > Postfix > Domains
  - Add new domain:
    - Domainname = <email-domain>
    - Destination = [smtp.purelymail.com]:465
    - Save
  - Apply
- System > Services > Postfix > Senders
  - Add new sender:
    - Enabled = true
    - Sender Address = admin@<email-domain>
    - Save
  - Apply
- Verify
```sh
swaks --server opnsense.milkyway --port 25 --to <email-address> --from <email-address>
```
Troubleshooting
Etcd
Run the following on a master node that is a member of the etcd cluster.
- Get the etcd version with:
```sh
curl -L \
  --cacert /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt \
  --cert /var/lib/rancher/k3s/server/tls/etcd/server-client.crt \
  --key /var/lib/rancher/k3s/server/tls/etcd/server-client.key \
  https://127.0.0.1:2379/version
```
- Install etcd locally (change the version below accordingly):
```sh
ETCD_VER=v3.5.7
DOWNLOAD_URL=https://github.com/etcd-io/etcd/releases/download
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test
curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /usr/local/bin --strip-components=1
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
etcd --version
etcdctl version
```
- Export environment variables so that etcdctl picks up the endpoint and client certificates:
```sh
export ETCDCTL_ENDPOINTS='https://127.0.0.1:2379'
export ETCDCTL_CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt'
export ETCDCTL_CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt'
export ETCDCTL_KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key'
export ETCDCTL_API=3
```
- Start troubleshooting (example commands below):
```sh
etcdctl member list
etcdctl endpoint status
etcdctl endpoint health
etcdctl defrag --cluster
etcdctl check perf
```
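A worked example of reading the numbers those commands return, added here and not part of this repository: it turns the JSON from `etcdctl endpoint status --cluster -w json` into a per-member report of free space in the backend file, so that `etcdctl defrag` (which blocks the member while it runs) is only run when it will reclaim something. It relies on the ETCDCTL_* variables exported above when run with --live; the sample JSON is constructed.

```shell
#!/bin/sh
# Added example, not a script from the home-ops repository: turn the JSON printed by
# `etcdctl endpoint status --cluster -w json` into a per-member fragmentation report,
# so that `etcdctl defrag` (which blocks the member while it runs) is only used when
# it will actually reclaim space. Uses the ETCDCTL_* variables exported above with --live.
set -eu

# frag_pct DBSIZE DBSIZEINUSE -> percent of the backend file that is free pages,
# i.e. what a defrag would hand back to the filesystem (integer arithmetic)
frag_pct() {
  [ "$1" -gt 0 ] || { echo 0; return; }
  echo $(( ($1 - $2) * 100 / $1 ))
}

# num_field JSON NAME -> first numeric value of "NAME":<n> in JSON, without needing jq
num_field() { printf '%s\n' "$1" | grep -o "\"$2\":[0-9]*" | head -n 1 | cut -d: -f2; }

# report STATUS_JSON [THRESHOLD] -> one line per member; members whose free space
# exceeds THRESHOLD percent (default 30) are marked DEFRAG
report() {
  threshold=${2:-30}
  printf '%s\n' "$1" | sed 's/},{/}|{/g' | tr '|' '\n' | while IFS= read -r obj; do
    ep=$(printf '%s' "$obj" | grep -o '"Endpoint":"[^"]*"' | cut -d'"' -f4)
    db=$(num_field "$obj" dbSize); inuse=$(num_field "$obj" dbSizeInUse)
    pct=$(frag_pct "$db" "$inuse")
    role=follower; [ "$(num_field "$obj" member_id)" = "$(num_field "$obj" leader)" ] && role=leader
    flag=ok; [ "$pct" -gt "$threshold" ] && flag=DEFRAG
    printf '%s %s dbSize=%s inUse=%s free=%s%% %s\n' "$ep" "$role" "$db" "$inuse" "$pct" "$flag"
  done
}

# needs_defrag STATUS_JSON [THRESHOLD] -> number of members marked DEFRAG
needs_defrag() { report "$1" "${2:-30}" | grep -c DEFRAG || true; }

# constructed sample: three members, the leader's file is 60% free pages after compaction
SAMPLE='[{"Endpoint":"https://10.0.3.11:2379","Status":{"header":{"cluster_id":1,"member_id":11,"revision":900,"raft_term":5},"version":"3.5.7","dbSize":209715200,"leader":11,"raftIndex":1200,"raftTerm":5,"raftAppliedIndex":1200,"dbSizeInUse":83886080}},'
SAMPLE="$SAMPLE"'{"Endpoint":"https://10.0.3.12:2379","Status":{"header":{"cluster_id":1,"member_id":12,"revision":900,"raft_term":5},"version":"3.5.7","dbSize":94371840,"leader":11,"raftIndex":1200,"raftTerm":5,"raftAppliedIndex":1200,"dbSizeInUse":83886080}},'
SAMPLE="$SAMPLE"'{"Endpoint":"https://10.0.3.13:2379","Status":{"header":{"cluster_id":1,"member_id":13,"revision":900,"raft_term":5},"version":"3.5.7","dbSize":104857600,"leader":11,"raftIndex":1200,"raftTerm":5,"raftAppliedIndex":1200,"dbSizeInUse":89128960}}]'

if [ "${1:-}" = "--live" ]; then
  etcdctl alarm list          # a NOSPACE alarm here means the quota is already exhausted
  report "$(etcdctl endpoint status --cluster -w json)"
fi
```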
Thanks
I learned a lot from the people who have shared their clusters over at awesome-home-kubernetes and from the k8s@home Discord channel.
Want to get started? I recommend that you take a look at the template-cluster-k3s repository!