{"id":13585875,"url":"https://github.com/arch-anes/self-hosted-services","last_synced_at":"2025-04-07T10:32:03.979Z","repository":{"id":48998822,"uuid":"230175562","full_name":"arch-anes/self-hosted-services","owner":"arch-anes","description":null,"archived":false,"fork":false,"pushed_at":"2025-04-06T15:23:49.000Z","size":1082,"stargazers_count":7,"open_issues_count":14,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-06T15:36:24.215Z","etag":null,"topics":["ansible","cicd","docker","helm","kubernetes","kubernetes-cluster","self-hosted","services"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arch-anes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-26T01:45:06.000Z","updated_at":"2025-04-06T15:23:52.000Z","dependencies_parsed_at":"2024-04-21T03:29:58.124Z","dependency_job_id":"0b4dc770-e84e-4407-a697-6e01d0d854cd","html_url":"https://github.com/arch-anes/self-hosted-services","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arch-anes%2Fself-hosted-services","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arch-anes%2Fself-hosted-services/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arch-anes%2Fself-hosted-services/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arch-anes%2Fself-hosted-services/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arch-anes","download_url":"https://codeload.github.com/arch-anes/self-hosted-services/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247636888,"owners_count":20971022,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","cicd","docker","helm","kubernetes","kubernetes-cluster","self-hosted","services"],"created_at":"2024-08-01T15:05:11.769Z","updated_at":"2025-04-07T10:32:03.967Z","avatar_url":"https://github.com/arch-anes.png","language":null,"funding_links":[],"categories":["Dockerfile"],"sub_categories":[],"readme":"# Self-hosted services\n\n## Set up Tailscale\n1. Create an account at https://login.tailscale.com.\n1. Add the following ACL rule at https://login.tailscale.com/admin/acls/file:\n   ```\n    \"tagOwners\": {\n      \"tag:ansible\": [\"autogroup:admin\", \"autogroup:owner\"],\n    },\n   ```\n1. Create an OAuth client at https://login.tailscale.com/admin/settings/oauth:\n   1. Enable the Write permission for Device/Core, and add the \"tag:ansible\" tag.\n   1. Enable the Write permission for Keys/Auth Keys, and add the \"tag:ansible\" tag.\n   1. Save and write down the OAuth client secret.\n\n## Create an inventory\n\n### Static\n\n```yml\n# There must be a minimum of 3 controllers and the number must be odd for etcd to work\nk3s_cluster:\n  vars:\n    skip_system_setup: false\n    skip_firewall_setup: false\n    skip_vpn_setup: false\n    skip_k8s_setup: false\n    manifest_only_setup: false\n    display_k8s_dashboard_password: false\n    timezone: America/Vancouver\n    fqdn: \"example.com\"\n    tailscale_oauth_secret: \"some_secret\"\n  hosts:\n    raspi:\n      k3s_control_node: true\n      labels:\n        - local=true\n    big_manager:\n      k3s_control_node: true\n      labels:\n        - nas=true\n        - local=true\n    small_manager:\n      k3s_control_node: true\n      labels:\n        - public=true\n        - local=true\n    big_server:\n      labels:\n        - local=true\n```\n\n### Dynamic (AWS)\n\n```yml\nplugin: aws_ec2\nregions:\n  - us-east-1\n  - us-east-2\nfilters:\n  instance-state-name: running\n  tag:Category:\n    - home-cloud\n```\n\n## Deploy\n\nRun `ansible-playbook setup_cluster.yml -i inventory_static.yml -i inventory_ec2.yml`.\n\n## Post-deployment step\nTo avoid downtime, make sure all the machines have key expiry disabled: https://tailscale.com/kb/1028/key-expiry#disabling-key-expiry.\n\n## Advanced use-cases\n\n### Load balancing\nIn a typical home network setup, when HTTP(S) ports are forwarded to a specific machine, the entire service becomes unavailable if that machine goes offline. However, if your router supports OpenWrt (such as the GL-MT6000), you can install HAProxy on it to address this issue. For optimal security and high availability, configure the proxy as follows:\n\n`/etc/haproxy.cfg`:\n```\nglobal\n    log /dev/log local0\n    log-tag HAProxy\n    maxconn 32000\n    ulimit-n 65535\n    uid 0\n    gid 0\n    nosplice\n    daemon\n\ndefaults\n    log global\n    mode tcp\n    timeout connect 5s\n    timeout client 30s\n    timeout server 30s\n    option redispatch\n    retries 3\n    option log-health-checks\n    option dontlognull\n    option dontlog-normal\n\nfrontend http-in\n    bind :9080\n    mode tcp\n    default_backend http-servers\n\nfrontend https-in\n    bind :9443\n    mode tcp\n    default_backend https-servers\n\nbackend http-servers\n    mode tcp\n    balance roundrobin\n    option httpchk\n    http-check connect port 8080\n    http-check send meth GET uri /ping\n    default-server inter 3s fall 3 rise 2\n    server s1 192.168.1.11:80 send-proxy check\n    server s2 192.168.1.12:80 send-proxy check\n    server s3 192.168.1.13:80 send-proxy check\n\nbackend https-servers\n    mode tcp\n    balance roundrobin\n    option httpchk\n    http-check connect port 8080\n    http-check send meth GET uri /ping\n    default-server inter 3s fall 3 rise 2\n    server s1 192.168.1.11:443 send-proxy check\n    server s2 192.168.1.12:443 send-proxy check\n    server s3 192.168.1.13:443 send-proxy check\n```\n\nWith this configuration, all incoming HTTP(S) traffic must flow through ports 9080/9443 on the gateway, where HAProxy listens: the router forwards traffic to the HAProxy instance, which then distributes it across the backend servers. If one server goes down, the service remains available, because the health checks mark that server as failed and HAProxy routes traffic to the remaining operational servers.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farch-anes%2Fself-hosted-services","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farch-anes%2Fself-hosted-services","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farch-anes%2Fself-hosted-services/lists"}