A set of configuration files I use to run my homelab on Kubernetes.

• Use security context to allow containers to use non-root users
• Use containers that exclusively use non-root users

• Authelia - single sign-on with multi-factor
• Cert Manager - retrieves Let's Encrypt certificates for exposed services
• Dynamic DNS - updates a DNS record with my home IP, to avoid paying for a static IP
• Nginx Ingress - expose services to the internet, and internally
• MetalLB - assign load balancer services IPs internally on my network
• Monitoring - InfluxDB, Grafana, Telegraf, Speedtest.net and UDM data
• Plex - for playing back media I've ripped off DVDs

I'm using Sealed Secrets to store secrets on GitHub without exposing credentials.

I run two separate deployments of the Nginx Ingress controller. One is for internal traffic, and the other is for external traffic.

Each controller has a LoadBalancer service, which are assigned IPs by MetalLB. This allows me to port-forward one LB for external traffic, while leaving the other for accessing services internally.

Each deployment has it's own Ingress class, nginx and nginx-internal. When creating a new Ingress, I can choose whether it should be exposed internally or externally.

In a nutshell: external ingresses are available over the internet, but internal ingresses are only available via Wireguard (a VPN).