Skip to content

Services

Gateway

Haproxy

HAProxy is a free and open source software that provides a high availability load balancer and reverse proxy for TCP and HTTP-based applications that spreads requests across multiple servers.

Haproxy load-balances all incoming http and https traffic from the Internet (ports 80 and 443) via the master nodes, and also load-balances all Kubernetes api server traffic on the local network (port 6443). An ACL rule is defined to accept only local network IP address requests for the api server.

The web interface lets you view the health status of master nodes on both types of endpoints (server api and internet traffic).

Pi-Hole

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. It is designed for low-power embedded devices with network capability, such as the Raspberry Pi, but can be installed on almost any Linux machine.

Pi-hole has the ability to block traditional website advertisements as well as advertisements in unconventional places, such as smart TVs and mobile operating system advertisements.

Using the web interface, you can enable/disable ad and tracker blocking, add a list of domains to be blocked, and configure local network DNS settings (and DHCP if required). It is also possible to view statistics on blocked domains according to the privacy rules set.

Wireguard

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface.

Wireguard's web interface lets you create / delete / activate / deactivate VPN users, download their configuration file and display the user's QrCode. With this user configuration file, a user can access the homelab network to perform an ssh connection to the machines and then request the Kubernetes api server.

Access

Gateway web interface services are deployed and accessible for admin purpose, they are available on local network at :

NameUrl
Haproxy dashboardhttp://192.168.1.99:8404
Pihole dashboardhttp://192.168.1.99:5353
Wireguard dashboardhttp://192.168.1.99:51821

Notes: Replace 192.168.1.99 with the gateway's ip address set in hosts.yml.

Kubernetes

Services

The following services are deployed in the cluster :

NameDescriptionHelm chart
Actions-runner-controllerGithub Actions runners controlleractions-runner-controller/actions-runner-controller
ArgoCDGitOps continuous delivery toolargo/argo-cd
CoderRemote selfhosted development environmentscoder-v2/coder
Cert-managerCloud native certificate managementcert-manager/cert-manager
Cloud-native-postgresCloud native postgres database managementcnpg/cloudnative-pg
DashyHome dashboard-
GiteaPrivate, Fast, Reliable DevOps Platformgitea/gitea
HarborCloud native registrybitnami/harbor
KeycloakSingle Sign On servicebitnami/keycloak
Kubernetes-dashboardKubernetes dashboardk8s-dashboard/kubernetes-dashboard
LonghornCloud native distributed block storagelonghorn/longhorn
MattermostChat service with file sharing and integrationsmattermost/mattermost-team-edition
MinioHigh Performance Object Storagebitnami/minio
OutlineShare notes and wiki with your teamlrstanley/outline
Prometheus-stackOpen-source monitoring solutionprometheus-community/kube-prometheus-stack
SonarqubeCode quality analysis servicesonarqube/sonarqube
SopsSecret manager that decode on the flysops-secrets-operator/sops-secrets-operator
System-upgrade-controllerK3S upgrade controller-
Trivy-operatorKubernetes-native security toolkitaqua/trivy-operator
VaultSecret management servicehashicorp/vault
VaultwardenPassword management servicevaultwarden/vaultwarden

Versions

To improve administrator experience, all services helm charts and versions can be managed thought the groups_vars/services.yml file for core services only.

Additional services are managed through gitops flow with sources available here.

Management

Additional services activation/deactivation is managed by Ansible directly in the applicationset file, by commenting the blocks in the .spec.sources section.

Access

Kubernetes services that are available through user interfaces are centralized on the dashy homepage, the full list is :

Admin

NameUrl
ArgoCD (admin)https://gitops.admin.domain.com
Longhorn (admin)http://longhorn.admin.domain.com
Vault (admin)https://vault.admin.domain.com

Standard

NameUrl
ArgoCDhttps://gitops.domain.com
Coderhttps://coder.domain.com
Dashyhttps://domain.com
Giteahttps://git.domain.com
Grafanahttps://monitoring.domain.com
Harborhttps://registry.domain.com
Keycloakhttps://sso.domain.com
Kubernetes-dashboardhttps://kube.domain.com
Mattermosthttps://mattermost.domain.com
Minio - apihttps://s3.domain.com
Minio - webhttps://minio.domain.com
Outlinehttps://outline.domain.com
SonarQubehttp://sonarqube.domain.com
Vaulthttps://vault.domain.com
Vaultwardenhttps://vaultwarden.domain.com

Notes: Replace domain.com by your own domain set in all.yml.

Single sign on

Keycloak is deployed as the cluster single sign on tool, it give access to various services accross the same account (i.e: username / password pair) to improve user experience. On the other hand, keycloak can pass user groups and roles to control access level to theese services.

It is also usefull for admins to have a better control over homelab users and access, users can be manage connecting the keycloak interface (cf: keycloak service url) with admin credentials (keycloak.username and keycloak.password can be found in admin vault under the keycloak secrets).

Don't forget to select 'homelab' realm

By default an admin group is created to give admin access on each service that use keycloak sso registration, keycloak users that are not in the admin group get simple access.

Following services are connected through sso :

  • ArgoCD
  • Coder
  • Harbor
  • Gitea
  • Grafana
  • Minio
  • Outline
  • Sonarqube
  • Vault

Monitoring

The cluster itself and some services are monitored using Prometheus and Grafana, ServiceMonitor are enabled for Vault, Minio, Argocd and Trivy-operator to increase metrics coming from these applications.

Some dashboards are already delivered with the installation but more can be added in argo-cd/apps/prometheus-stack/templates, they will be automatically loaded on Argocd synchronization. Already added dashboards are :

Repository sourceGrafana dashboard ID
argocd-dashboard.yaml14584
cert-manager-dashboard.yaml20340
cloudnative-pg-dashboard.yaml20417
gitea-dashboard.yaml17802
harbor-dashboard.yaml- ( source )
k3s-dashboard.yaml15282
kube-global-dashboard.yaml15757
kube-node-dashboard.yaml15759
kube-ns-dashboard.yaml15758
kube-pod-dashboard.yaml15760
longhorn-dashboard.yaml13032
minio-dashboard.yaml13502
traefik-dashboard.yaml17346
trivy-dashboard.yaml16337
vault-dashboard.yaml12904