HAProxy is a free and open source software that provides a high availability load balancer and reverse proxy for TCP and HTTP-based applications that spreads requests across multiple servers.
Haproxy load-balances all incoming http and https traffic from the Internet (ports 80 and 443) via the master nodes, and also load-balances all Kubernetes api server traffic on the local network (port 6443). An ACL rule is defined to accept only local network IP address requests for the api server.
The web interface lets you view the health status of master nodes on both types of endpoints (server api and internet traffic).
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. It is designed for low-power embedded devices with network capability, such as the Raspberry Pi, but can be installed on almost any Linux machine.
Pi-hole has the ability to block traditional website advertisements as well as advertisements in unconventional places, such as smart TVs and mobile operating system advertisements.
Using the web interface, you can enable/disable ad and tracker blocking, add a list of domains to be blocked, and configure local network DNS settings (and DHCP if required). It is also possible to view statistics on blocked domains according to the privacy rules set.
WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface.
Wireguard's web interface lets you create / delete / activate / deactivate VPN users, download their configuration file and display the user's QrCode. With this user configuration file, a user can access the homelab network to perform an ssh connection to the bastion and then request the Kubernetes api server.
Gateway web interface services are deployed and accessible for admin purpose, they are available on local network at :
| Name | Url |
|---|---|
| Haproxy dashboard | http://192.168.1.99:8404 |
| Pihole dashboard | http://192.168.1.99:5353 |
| Wireguard dashboard | http://192.168.1.99:51821 |
Notes: Replace
192.168.1.99with the gateway's ip address set in hosts.yml.
The following services are deployed in the cluster :
| Name | Description | Helm chart |
|---|---|---|
| Actions-runner-controller | Github Actions runners controller | actions-runner-controller/actions-runner-controller |
| ArgoCD | GitOps continuous delivery tool | argo/argo-cd |
| Coder | Remote selfhosted development environments | coder-v2/coder |
| Cert-manager | Cloud native certificate management | cert-manager/cert-manager |
| Cloud-native-postgres | Cloud native postgres database management | cnpg/cloudnative-pg |
| Dashy | Home dashboard | - |
| Gitea | Private, Fast, Reliable DevOps Platform | gitea/gitea |
| Harbor | Cloud native registry | bitnami/harbor |
| Keycloak | Single Sign On service | bitnami/keycloak |
| Kubernetes-dashboard | Kubernetes dashboard | k8s-dashboard/kubernetes-dashboard |
| Longhorn | Cloud native distributed block storage | longhorn/longhorn |
| Mattermost | Chat service with file sharing and integrations | mattermost/mattermost-team-edition |
| Minio | High Performance Object Storage | bitnami/minio |
| Outline | Share notes and wiki with your team | lrstanley/outline |
| Prometheus-stack | Open-source monitoring solution | prometheus-community/kube-prometheus-stack |
| Sonarqube | Code quality analysis service | sonarqube/sonarqube |
| Sops | Secret manager that decode on the fly | sops-secrets-operator/sops-secrets-operator |
| System-upgrade-controller | K3S upgrade controller | - |
| Trivy-operator | Kubernetes-native security toolkit | aqua/trivy-operator |
| Vault | Secret management service | hashicorp/vault |
| Vaultwarden | Password management service | vaultwarden/vaultwarden |
To improve administrator experience, all services helm charts and versions can be managed thought the groups_vars/services.yml file for core services only.
Additional services are managed through gitops flow with sources available here.
Additional services activation/deactivation is managed by Ansible directly in the applicationset file, by commenting the blocks in the .spec.sources section.
Kubernetes services that are available through user interfaces are centralized on the dashy homepage, the full list is :
| Name | Url |
|---|---|
| ArgoCD (admin) | https://gitops.admin.domain.com |
| Longhorn (admin) | http://longhorn.admin.domain.com |
| Vault (admin) | https://vault.admin.domain.com |
| Name | Url |
|---|---|
| ArgoCD | https://gitops.domain.com |
| Coder | https://coder.domain.com |
| Dashy | https://domain.com |
| Gitea | https://git.domain.com |
| Grafana | https://monitoring.domain.com |
| Harbor | https://registry.domain.com |
| Keycloak | https://sso.domain.com |
| Kubernetes-dashboard | https://kube.domain.com |
| Mattermost | https://mattermost.domain.com |
| Minio - api | https://s3.domain.com |
| Minio - web | https://minio.domain.com |
| Outline | https://outline.domain.com |
| SonarQube | http://sonarqube.domain.com |
| Vault | https://vault.domain.com |
| Vaultwarden | https://vaultwarden.domain.com |
Notes: Replace
domain.comby your own domain set in all.yml.
Keycloak is deployed as the cluster single sign on tool, it give access to various services accross the same account (i.e: username / password pair) to improve user experience. On the other hand, keycloak can pass user groups and roles to control access level to theese services.
It is also usefull for admins to have a better control over homelab users and access, users can be manage connecting the keycloak interface (cf: keycloak service url) with admin credentials (keycloak.username and keycloak.password can be found in admin vault under the keycloak secrets).
Don't forget to select 'homelab' realm
By default an admin group is created to give admin access on each service that use keycloak sso registration, keycloak users that are not in the admin group get simple access.
Following services are connected through sso :
- ArgoCD
- Coder
- Harbor
- Gitea
- Grafana
- Minio
- Outline
- Sonarqube
- Vault
The cluster itself and some services are monitored using Prometheus and Grafana, ServiceMonitor are enabled for Vault, Minio, Argocd and Trivy-operator to increase metrics coming from these applications.
Some dashboards are already delivered with the installation but more can be added in argo-cd/apps/prometheus-stack/templates, they will be automatically loaded on Argocd synchronization. Already added dashboards are :