Skip to content


beryl  cloudflare  cloudflare pages  wrangler  container  docker  registry  harbor  Dockerfile  kaniko  bytebase  gitops  mongodb  pymongo  mdbc  kubernetes  operator  os  debian  preseed  automation  git  github  credentials  gh  git tag  tips  gitlab  cicd  gitlab runner  glab  docker-compose  graphql  mutation  ollama  letta  memory  hlv3  ha  etcd  calico  flux  sops  gateway  nginx  nginx-gateway-fabric  certmanager  gitlab-runner  minio  s3  monitoring  kube-prometheus  prometheus  alertmanager  grafana  node-exporter  memcached  loki  promtail  keycloak  postgres  testbed  homelab  cilium  proxmox  cloud-init  fluxcd  cert-manager  encryption  longhorn  Kubernetes  index  dns  coredns  k9s  krew  storage  postgres-operator  hyper-v  helm  metallb  kubernetes gateway  ngf  directpv  logging  lab  reverse proxy  mfa  llm  open-webui  mcp  markdown  wip  mise  python  venv  go  node  npm  snmp  multicast  nvim  lazyvim  obsidian  ansible  poetry  regex  freenginx  mercurial  tls  tls passthrough  tls offload  bash  zsh  linux  ssg  hugo  mkdocs  tmux  tpm  pomodoro  vagrant  windows  virtualization  powershell  winget  windows terminal  windows 11 pro  oh-my-posh  nerdfonts  scoop 


Home Lab

#lab   #reverse proxy   #docker   #kubernetes   #mfa   #gitops   #gitlab  

Table of Content

Home Lab

Here is the mindmap-style illustration of my home lab.

Right now I am building my kubernetes home lab from scratch again and will be updating the steps on the other page, [[building-home-lab-part-1|building home lab part 1]].

Kroki

I have baremetal machines running Linux in headless, and some of them running services using Docker and some consisting Kubernetes cluster.

I use Ansible to run repetitive tasks to manage my machines.

I use Docker Compose to run all the services that are running as Docker containers. I have separate repositories and docker-compose.yml files for every services, and I have systemd service unit files for them to boot up automatically whenever machines have to reboot. I have DNS service running on two different machines, and they use the same repository to be in sync.

My Kubernetes cluster is managed through flux and I am using self-managed GitLab to bootstrap the cluster and the repository. The core infrastructure services are described (and deployed by k8s & flux) in the main flux repository, and I have other gitrepo references (also hosted on my GitLab) to manage services.

My GitLab is playing very important role in my home lab and I have backups taken regularly to places including public cloud service. I used to use Google Cloud Storage and I currently use Cloudflare R2.

Service Access

Reverse Proxy and Kubernetes Gateway

When I am on LAN, at home, my DNS points me to either a reverse proxy running as Docker container or Kubernetes gateway depending on where the service I'm accessing is hosted on. Both reverse proxy and Kubernetes gateway is doing TLS offload.

When I am outside, my traffic always reaches the reverse proxy which then TLS pass-through to Kubernetes gateway if the service is hosted on Kubernetes cluster, otherwise TLS offload and reverse proxy to the serves running as Docker containers.

Private and Public Sites

This very website, , is being hosted on a cloud, but I have my personal sites hosted on GitLab Pages, some of which is accessible from the Internet and some not. This control is being done using simple DNS record availability. I register DNS record for sites I want to expose to public network.

MFA

There are services I want to make them publicly accessible so that I can use them when I am outside, but not really open to anonymous users out in the Internet.

For services such as GitLab that have built-in MFA, I let reverse proxy just pass through, and for services that don't, I have reverse proxy to include multi-factor authentication service to limit who can access those services.