Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cypr0/k8s-cluster
Home cluster based on Kubernetes and GitOps using Flux
https://github.com/cypr0/k8s-cluster
gitops infrastructure-as-code k8s-at-home kubernetes kubernetes-at-home kubesearch talos
Last synced: 4 days ago
JSON representation
Home cluster based on Kubernetes and GitOps using Flux
- Host: GitHub
- URL: https://github.com/cypr0/k8s-cluster
- Owner: cypr0
- License: mit
- Created: 2024-11-10T20:17:27.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2024-12-16T21:09:52.000Z (8 days ago)
- Last Synced: 2024-12-19T05:26:45.263Z (6 days ago)
- Topics: gitops, infrastructure-as-code, k8s-at-home, kubernetes, kubernetes-at-home, kubesearch, talos
- Language: Python
- Homepage:
- Size: 509 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# β΅ Personal Kubernetes Cluster as Code
This repository contains the full Infrastructure-as-Code (IaC) setup for my personal Kubernetes cluster. It is designed for running and managing a production-grade Kubernetes environment with GitOps practices.
## π Repository Structure
The repository is organized as follows:
```
.
βββ .devcontainer/ # Development container configuration
βββ .github/ # GitHub workflows for CI/CD
βββ .taskfiles/ # Taskfile automation scripts
βββ .vscode/ # VSCode workspace settings
βββ bootstrap/ # Scripts and templates for provisioning
βββ kubernetes/
β βββ apps/ # Application manifests and HelmReleases
β βββ bootstrap/ # Initial Flux and Talos deployment
β βββ flux/ # GitOps Flux configuration and repositories
βββ scripts/ # Utility scripts
```## β¨ Features
- **GitOps with Flux**: Automated deployment and management of cluster resources via [Flux](https://fluxcd.io/).
- **Scalability**: Designed for both small home-lab clusters and large-scale production setups.
- **Customizable App Deployments**: Applications are primarily managed using the [bjw-s App Template](https://bjw-s.github.io/helm-charts/docs/app-template/), allowing tailored configurations for specific needs.
- **Secrets Management**: Integration with `sops` and `age` for secure secret management.
- **CNI and Networking**: Uses [Cilium](https://cilium.io/) for advanced networking and security.
- **Ingress Management**: Includes [ingress-nginx](https://www.f5.com/products/nginx/nginx-ingress-controller) for internal and external access to applications.
- **Monitoring and Observability**: Pre-configured monitoring stack ([Prometheus](https://prometheus.io/), [Grafana](https://grafana.com/)).
- **Storage**:
- [Longhorn](https://longhorn.io): Distributed block storage for Kubernetes.
- [MinIO](https://min.io): S3-compatible object storage.
- [NFS Subdir External Provisioner](https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner): Lightweight NFS-based storage provisioner.
- [OpenEBS](https://openebs.io): Cloud-native storage for containers.## π¦ Applications
The cluster hosts the following applications:
- **[Immich](https://immich.app/)**: Photo and video backup service with AI-based search capabilities.
- **[Mastodon](https://joinmastodon.org/)**: A decentralized social network instance.
- **[Nextcloud](https://nextcloud.com/)**: A self-hosted productivity platform.
- **[Paperless-ngx](https://docs.paperless-ngx.com/)**: Document management system for organizing and digitizing your paperwork.All these applications are deployed using the **[bjw-s App Template](https://bjw-s.github.io/helm-charts/docs/app-template/)**, which provides a flexible and modular approach to application management. This ensures that each application is tailored to meet my personal requirements.
## π Security
- **Namespace `Security`**: A dedicated namespace for managing security-related services.
- **Identity Provider**: [Authentik](https://goauthentik.io/) is deployed to provide centralized authentication and SSO capabilities.
- **Secrets Management**: [external-secrets](https://external-secrets.io/latest/) integrates with [1Password](https://1password.com/) for secure, automated secrets management.
- **TLS Everywhere**: All applications are configured to use TLS, managed by `cert-manager` with Let's Encrypt, ensuring end-to-end encryption.
- **BSI Compliance**: TLS certificates are configured to meet the BSI's Technical Guideline [TR-02102-2](https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr02102/tr-02102.html) standards.
- **ECDSA Certificates**: Preferred for stronger cryptography and improved performance.
- **Secrets Encryption**: Managed using `sops` and `age` to ensure secure storage and transmission of sensitive information.## ποΈ Cluster Infrastructure
The cluster is built on high-performance virtual root servers provided by [Netcup](https://www.netcup.com/de/?ref=97728). Below are the details of the infrastructure:
- **Cluster Nodes**:
- Three virtual root servers (RS 2000 G11) with the following specifications:
- **CPU**: 8 cores
- **Memory**: 16 GB RAM
- **Storage**: 512 GB SSD
- All servers run **[Talos OS](https://www.talos.dev/)**, optimized for containerized workloads.
- **Firewall**:
- A dedicated **[OPNsense](https://opnsense.org/)** firewall deployed on a separate virtual server, also hosted at Netcup.
- The firewall handles connections to local home networks and provides secure ingress/egress traffic control.
- **NFS Server**:
- A separate virtual server at Netcup is used to provide NFS storage, enabling robust persistence for cluster applications.[![Netcup](https://www.netcup.com/uploads/netcup_hlogo_2019_b110h50_32d03f6da4.png)](https://www.netcup.com/de/?ref=97728)
## π Acknowledgments
This cluster setup is inspired by and based on the exceptional [cluster-template](https://github.com/onedr0p/cluster-template) by **onedr0p**.
The template serves as a comprehensive foundation for GitOps-driven Kubernetes cluster management. It provides:
- **Best Practices**: Following modern standards in Kubernetes infrastructure.
- **Flexibility**: A highly modular and customizable design.
- **Community Support**: Extensive documentation and a supportive community.Additionally, the cluster heavily relies on the excellent [Helm Charts](https://github.com/bjw-s/helm-charts) provided by **bjw-s**. The **AppTemplate** offered by bjw-s makes application management streamlined and highly customizable, allowing for tailored deployments that fit unique needs while maintaining consistency and reliability.
Special thanks to **onedr0p** and **bjw-s** for sharing these fantastic resources, which significantly enhanced the quality and efficiency of this cluster's setup!
## π License
This repository is licensed under the MIT License.
## π€ Contributions
Contributions are welcome! Feel free to fork the repository and submit a pull request with your improvements or ideas.
For detailed information on each component or to raise an issue, visit the repositoryβs issues section.
Let me know if further adjustments are needed!