Services
Gateway
Haproxy
HAProxy is free and open-source software that provides a high-availability load balancer and reverse proxy for TCP and HTTP-based applications, spreading requests across multiple servers.
HAProxy load-balances all incoming HTTP and HTTPS traffic from the Internet (ports 80 and 443) across the master nodes, and also load-balances all Kubernetes API server traffic on the local network (port 6443). An ACL rule accepts API server requests only from local network IP addresses.
The web interface shows the health status of the master nodes for both kinds of endpoint (API server and Internet traffic).
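The routing just described, written out as an added example (not the project's own haproxy.cfg): ports 80 and 443 are passed through to the master nodes, port 6443 is restricted by ACL to the local network, and the stats page on 8404 is limited the same way. Master node addresses 192.168.1.101-103 and the 192.168.1.0/24 network are assumptions.

```haproxy
defaults
    mode    tcp
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Internet-facing traffic: TCP passthrough, TLS terminates at the ingress inside the cluster.
frontend http_in
    bind *:80
    default_backend masters_http

frontend https_in
    bind *:443
    default_backend masters_https

# Kubernetes API: the ACL rejects any connection that does not come from the local network.
frontend k8s_api
    bind *:6443
    acl from_lan src 192.168.1.0/24
    tcp-request connection reject if !from_lan
    default_backend masters_api

backend masters_http
    server master1 192.168.1.101:80 check
    server master2 192.168.1.102:80 check
    server master3 192.168.1.103:80 check

backend masters_https
    server master1 192.168.1.101:443 check
    server master2 192.168.1.102:443 check
    server master3 192.168.1.103:443 check

backend masters_api
    # Health check against the API server's /healthz endpoint over TLS (assumed addresses).
    option httpchk GET /healthz
    http-check expect status 200
    server master1 192.168.1.101:6443 check check-ssl verify none
    server master2 192.168.1.102:6443 check check-ssl verify none
    server master3 192.168.1.103:6443 check check-ssl verify none

# Stats page (the "Haproxy dashboard" on port 8404), also limited to the local network.
listen stats
    bind *:8404
    mode http
    acl from_lan src 192.168.1.0/24
    http-request deny if !from_lan
    stats enable
    stats uri /
```

Validate the file with haproxy -c -f before reloading the service.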
Pi-Hole
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. It is designed for low-power embedded devices with network capability, such as the Raspberry Pi, but can be installed on almost any Linux machine.
Pi-hole has the ability to block traditional website advertisements as well as advertisements in unconventional places, such as smart TVs and mobile operating system advertisements.
Using the web interface, you can enable/disable ad and tracker blocking, add a list of domains to be blocked, and configure local network DNS settings (and DHCP if required). It is also possible to view statistics on blocked domains according to the privacy rules set.
Wireguard
WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface.
WireGuard's web interface lets you create, delete, activate and deactivate VPN users, download their configuration file and display it as a QR code. With this configuration file, a user can reach the homelab network, open an SSH connection to the machines and then query the Kubernetes API server.
CrowdSec
CrowdSec is an open-source security engine that analyses logs from various sources (HAProxy, sshd, syslog) and detects malicious behaviour using community-curated scenarios. Detected attackers are blocked at the network level via an nftables firewall bouncer.
The gateway deployment runs the CrowdSec engine as a Docker container with the following collections:
- crowdsecurity/linux — SSH brute force, bad user agents, port scans
- crowdsecurity/sshd — SSH-specific attack patterns
- crowdsecurity/haproxy — HTTP abuse through the load balancer
- crowdsecurity/base-http-scenarios — generic HTTP attacks (scanners, exploits)
- crowdsecurity/http-cve — known CVE exploit patterns
A separate Kubernetes deployment (CrowdSec Helm chart) provides cluster-wide monitoring via a DaemonSet agent that parses container logs from ingress-nginx.
Access
Gateway web interface services are deployed for administration purposes and are available on the local network at:
| Name | Url |
|---|---|
| Haproxy dashboard | http://192.168.1.99:8404 |
| Pihole dashboard | http://192.168.1.99:5353 |
| Wireguard dashboard | http://192.168.1.99:51821 |
Note: replace 192.168.1.99 with the gateway's IP address set in hosts.yml.
Kubernetes
Services
The following services are deployed in the cluster:
| Name | Description | Helm chart |
|---|---|---|
| Actions-runner-controller | GitHub Actions runners controller | actions-runner-controller/actions-runner-controller |
| ArgoCD | GitOps continuous delivery tool | argo/argo-cd |
| Argo-workflows | Workflow automation engine | argo/argo-workflows |
| Cert-manager | Cloud native certificate management | cert-manager/cert-manager |
| Cloud-native-postgres | Cloud native postgres database management | cnpg/cloudnative-pg |
| Coder | Remote self-hosted development environments | coder-v2/coder |
| CrowdSec | Open-source security engine & threat detection | crowdsec/crowdsec |
| Homepage | Home dashboard | unknowniq/homepage |
| Gitea | Private, Fast, Reliable DevOps Platform | gitea/gitea |
| Harbor | Cloud native registry | bitnami/harbor |
| Ingress-nginx | Kubernetes ingress controller | ingress-nginx/ingress-nginx |
| Keycloak | Single Sign On service | bitnami/keycloak |
| Kubernetes-dashboard | Kubernetes dashboard | k8s-dashboard/kubernetes-dashboard |
| Longhorn | Cloud native distributed block storage | longhorn/longhorn |
| Mattermost | Chat service with file sharing and integrations | mattermost/mattermost-team-edition |
| MLflow | ML experiment tracking and model registry | community-charts/mlflow |
| Outline | Share notes and wiki with your team | lrstanley/outline |
| Prometheus-stack | Open-source monitoring solution | prometheus-community/kube-prometheus-stack |
| RustFS | High Performance Object Storage | - |
| Sonarqube | Code quality analysis service | sonarqube/sonarqube |
| Sops | Secret manager that decodes secrets on the fly | sops-secrets-operator/sops-secrets-operator |
| System-upgrade-controller | K3S upgrade controller | - |
| Teleport | Secure access and identity for infrastructure | teleport/teleport-cluster |
| Trivy-operator | Kubernetes-native security toolkit | aqua/trivy-operator |
| Vault | Secret management service | hashicorp/vault |
| Vault-operator | Vault Secrets Operator for Kubernetes | hashicorp/vault-secrets-operator |
| Vaultwarden | Password management service | vaultwarden/vaultwarden |
Versions
All service Helm charts and versions are managed through ArgoCD ApplicationSets, with configuration stored in:
- App charts: ./argo-cd/apps/ — each app has its own Chart.yaml defining the chart version and dependencies.
- Per-instance metadata: ./argo-cd/instances/<instance>/instance.yaml — cluster destination, env, repos, AppProject bindings.
- Per-instance app catalog: ./argo-cd/instances/<instance>/core.yaml and tenant.yaml — enable/disable apps + per-app overrides (sync wave, namespace, release name, ...).
- Per-instance values: ./argo-cd/instances/<instance>/values/core/<app>.yaml and tenant/<app>.yaml — values overrides applied on top of the chart defaults.
Management
Services are managed by a two-level ApplicationSet hierarchy declared by the homelab-core chart in the argocd-system namespace:
- The root managerAppSet discovers each instance folder and emits one Application per instance pointing at the instance-manager chart.
- That chart renders two child AppSets per instance — core-<instance> (platform tier, bound to the admin-core AppProject) and tenant-<instance> (apps tier, bound to the admin-tenant AppProject).
To enable or disable a service, edit the relevant entry in argo-cd/instances/homelab/core.yaml or tenant.yaml and flip enabled: "true" / enabled: "false".
Access
Kubernetes services that expose a user interface are centralized on the Homepage dashboard; the full list is:
Admin
| Name | Url |
|---|---|
| ArgoCD (admin) | https://gitops.admin.domain.com |
| Longhorn (admin) | http://longhorn.admin.domain.com |
| Vault (admin) | https://vault.admin.domain.com |
Standard
| Name | Url |
|---|---|
| ArgoCD | https://gitops.domain.com |
| Coder | https://coder.domain.com |
| Homepage | https://domain.com |
| Gitea | https://git.domain.com |
| Grafana | https://monitoring.domain.com |
| Harbor | https://registry.domain.com |
| Keycloak | https://sso.domain.com |
| Kubernetes-dashboard | https://kube.domain.com |
| Mattermost | https://mattermost.domain.com |
| RustFS - api | https://s3.domain.com |
| RustFS - console | https://console.s3.domain.com |
| Outline | https://outline.domain.com |
| SonarQube | http://sonarqube.domain.com |
| Vault | https://vault.domain.com |
| Vaultwarden | https://vaultwarden.domain.com |
Note: replace domain.com with your own domain configured in your values files.
Single sign on
Keycloak is deployed as the cluster single sign-on tool. It provides a single account (username / password pair) that grants access to multiple services, and propagates user groups to control access levels.
Users and access levels are managed via the Keycloak interface (see the Keycloak service URL above) using the admin credentials from Vault (keycloak.username / keycloak.password under the keycloak secret path).
Don't forget to select the homelab realm.
A default admin group grants admin-level access on every connected service; users not in this group get standard access.
Services currently connected through SSO:
- ArgoCD
- Coder
- Harbor
- Gitea
- Grafana
- Outline
- Sonarqube
- Vault
RustFS does not support OIDC — admin credentials are managed via Vault and rotated through the Vault Secrets Operator.
Secrets
Secrets are sourced from Vault and synced into Kubernetes by the Vault Secrets Operator (VSO). Each chart that needs secrets depends on the vso-utils subchart, which renders VaultStaticSecret custom resources pointing at a Vault path.
Monitoring
The cluster itself and some services are monitored with Prometheus and Grafana; ServiceMonitors are enabled for Vault, ArgoCD and Trivy-operator to collect metrics from these applications.
Some dashboards are delivered with the installation, and more can be added in argo-cd/apps/prometheus-stack/grafana-dashboards/; they are loaded automatically on ArgoCD synchronization via the dashboards.yaml template. Already added dashboards are: