A lowly tech priest's attempt to please Mars
feat: add some docs

+146 -14
+13
LICENSE.md
··· 1 + DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 2 + Version 2, December 2004 3 + 4 + Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> 5 + 6 + Everyone is permitted to copy and distribute verbatim or modified 7 + copies of this license document, and changing it is allowed as long 8 + as the name is changed. 9 + 10 + DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 11 + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 12 + 13 + 0. You just DO WHAT THE FUCK YOU WANT TO.
+54
README.md
··· 1 + # Macharian 2 + 3 + This repository contains everything I've got running on my home servers. 4 + 5 + ## Servers 6 + 7 + My setup is currently as follows: 8 + 9 + - Drimor: an ASUS NUC 14 running Debian with several KVM guests: 10 + - Ayzinith: Alpine VM running [pi-hole](https://github.com/pi-hole/pi-hole) 11 + - Yix: Ubuntu VM running [MinIO](https://github.com/minio/minio) for S3 storage 12 + - Persepolis: Home Assistant OS VM 13 + - Proteus Quartus: A [Talos](https://talos.dev) node 14 + - Proteus Secundus: an ASUS NUC 15 running a [Talos](https://talos.dev) node on bare metal 15 + - Paleon: A [Scaleway](https://scaleway.com/) VPS running an NGINX reverse proxy that exposes certain services over Tailscale to the outside world. 16 + 17 + ## Kubernetes 18 + 19 + Kubernetes cluster Proteus currently consists of two nodes, Proteus Secundus and Proteus Quartus, both running Talos. 20 + The cluster is managed via [Flux](https://github.com/fluxcd/flux2) which uses the [`kubernetes`](./kubernetes) folder in this repository as source. [Renovate](https://github.com/renovatebot/renovate) helps keep everything up to date. 
21 + 22 + The core components are: 23 + 24 + - [cert-manager](https://github.com/cert-manager/cert-manager) creates SSL certificates for everything running in the cluster 25 + - [Istio](https://istio.io) manages the network &amp; ingress with [metallb](https://metallb.io) as load balancer 26 + - [Tailscale](https://tailscale.com) exposes certain services over VPN to the internet 27 + - [Longhorn](https://longhorn.io) manages storage for k8s 28 + - [authentik](https://github.com/goauthentik/authentik) provides Single Sign-On either via OIDC or integrated via istio 29 + - [sops](https://github.com/getsops/sops) keeps secrets commited in this repo actually secret 30 + 31 + The applications running on kubernetes fall into several categories: 32 + 33 + - Self-hosted storage for Photos via [Immich](https://immich.app/) and documents/calendars via [NextCloud](https://nextcloud.com/) 34 + - A Media Center, running in the media namespace, with automated tracking of movies, shows, and artists; using [Plex](https://plex.tv/), [*arr](https://wiki.servarr.com/), and more. 35 + - Smaller stuff like a [Unifi](https://ui.com) controller or a wiki for a [WarHammer 40k Imperium Maledictum](https://cubicle7games.com/warhammer-40k-roleplay-imperium-maledictum) roleplay group 36 + - Underlying technology such as [Redis](https://github.com/redis/redis) and [PostgreSQL](https://www.postgresql.org/) 37 + 38 + ## Hardware 39 + 40 + - 1x ASUS NUC14RVHU7000R0 Revel Canyon U7 155H 41 + - 64 GB RAM 42 + - 1x 2TB M.2 NVMe 43 + - 1x 4TB SATA SSD (warp) 44 + - 1x ASUS NUC 15 Pro Slim Kit RNUC15CRKU700002 barebone 45 + - 64 GB RAM 46 + - 1x 2TB M.2 NVMe 47 + 48 + This hardware is currently situated next to our TV, which greatly hampers the options for expansion. 
49 + I would love to expand and add proper storage (a NAS) and maybe one other server—having two k8s nodes has downsides that a third node would solve—but that has to wait until after we've moved to a house that doesn't only have network cables in the living room. 50 + 51 + ## Gratitude 52 + 53 + I had little to no experience with Kubernetes and DevOps when I bought my first NUC to use as server. 54 + The [home-ops repo of GitHub user onedr0p](https://github.com/onedr0p/home-ops) has been instrumental in getting me started with flux and renovate, and I use a lot of [containers](https://github.com/home-operations/containers) they have set up.
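Review bot: typo in the sops bullet of the new README (line 29 of the hunk): "keeps secrets commited in this repo" should read "committed". While here, the "## Kubernetes" section could say which key type sops decrypts with (age or PGP) and where the cluster-side key lives, since that is the one piece a reader needs to know before trusting that the encrypted files in `kubernetes/` are safe to commit; the rest of the section is clear.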
+6 -2
containers/knot/Dockerfile
··· 5 5 ENV CGO_ENABLED=1 6 6 7 7 WORKDIR /app 8 - RUN apk add clang lld git && git clone --depth 1 -b v1.10.0-alpha https://tangled.org/@tangled.org/core . 8 + ARG VERSION=v1.10.0-alpha 9 + RUN apk add clang lld git && git clone --depth 1 -b ${VERSION} https://tangled.org/@tangled.org/core . 9 10 ARG TARGETPLATFORM 10 11 RUN xx-apk add gcc musl-dev 11 12 RUN xx-go build -o /knot -ldflags '-s -w -extldflags "-static"' ./cmd/knot ··· 28 29 && openssl rand -hex 16 | passwd --stdin git \ 29 30 && apk del shadow openssl 30 31 31 - ENV KNOT_REPO_SCAN_PATH=/repositories 32 + ENV KNOT_REPO_SCAN_PATH=/repositories \ 33 + KNOT_SERVER_DB_PATH=/data/knotserver.db 32 34 RUN apk add --no-cache \ 33 35 openssh=10.0_p1-r9 \ 34 36 git=2.49.1-r0 \ ··· 41 43 COPY --chmod=600 --chown=git:git sshd_config /sshd_config 42 44 COPY --chmod=755 --chown=root:root start.sh /usr/bin/start-knot 43 45 46 + ARG VERSION=v1.10.0-alpha 47 + LABEL org.opencontainers.image.version="${VERSION}" 44 48 COPY --from=builder --chmod=755 --chown=root:root /knot /usr/sbin/knot 45 49 46 50 HEALTHCHECK --interval=60s --timeout=30s --start-period=5s --retries=3 \
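Review bot: `ARG VERSION=v1.10.0-alpha` is now declared with the same default in two places (line 8 in the builder stage and line 46 in the final stage), so a future bump has to touch both and they can silently drift apart. Declare it once globally before the first `FROM` and re-declare it with a bare `ARG VERSION` in each stage that needs it; a global ARG's default is inherited by per-stage re-declarations. A second, supply-chain point on line 9: `git clone --depth 1 -b ${VERSION}` checks out whatever the tag currently points at on tangled.org, so the build is not reproducible if the tag moves; consider also recording the expected commit hash (for example in a second ARG) and checking `git rev-parse HEAD` against it before building. Finally, the label value `org.opencontainers.image.version="${VERSION}"` carries the `v` prefix while the manifest in `kubernetes/apps/at/pds/knot.yaml` tags the image as `1.10.0-alpha`; picking one form avoids confusion when correlating a running container with its source.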
+39
containers/knot/README.md
··· 1 + # knot 2 + 3 + OCI Container to run your own [tangled](https://tangled.org) [knot](https://tangled.org/@tangled.org/core/blob/master/docs/knot-hosting.md) and host the data of your own repositories. 4 + 5 + ## Pre-built Images 6 + 7 + Pre-built images are available in an ATCR [repository](https://atcr.io/r/bram.gotink.be/knot) starting at `v1.10.0-alpha`. 8 + 9 + ```sh 10 + docker pull atcr.io/bram.gotink.be/knot 11 + ``` 12 + 13 + This image differs from the pseudo-official [tngl/knot](https://hub.docker.com/r/tngl/knot) image. 14 + The code is the same, but the image is set up differently: 15 + 16 + - Run everything using a non-root user 17 + - Allow the OCI runtime to restart the container if anything fails, rather than package an entire init system that manages these programs 18 + 19 + ## Building The Image 20 + 21 + ```sh 22 + docker build --platform linux/amd64,linux/arm64 -t atcr.io/bram.gotink.be/knot --build-arg VERSION=v1.10.0-alpha . 23 + ``` 24 + 25 + ## Setting Up The Image 26 + 27 + This image is designed to work with kubernetes. 28 + It requires three `volumeMounts`: 29 + 30 + - `/repositories` for the repositories 31 + - `/data` for the database 32 + - `/ssh-keys` for the SSH host keys 33 + 34 + The first two can be configured using `KNOT_REPO_SCAN_PATH` (default `/repositories`) and `KNOT_SERVER_DB_PATH` (default `/data/knotserver.db`). 35 + The latter cannot be changed, and it _must_ be a folder with strict permissions. 36 + 37 + The container listens on two ports: 38 + - 5555 handles HTTP traffic and should be mapped onto port 443 39 + - 2222 handles SSH and should be mapped onto port 22
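Review bot: "it _must_ be a folder with strict permissions" (line 35 of the hunk) is too vague for someone mounting `/ssh-keys` from a Kubernetes secret or PVC: state the expected mode and owner (sshd refuses host keys that are group/world readable), and since the image runs as a non-root user, name the UID/GID the process runs as so the reader can set `fsGroup` or `defaultMode` correctly. The ports section should also say that port 5555 is plain HTTP and that TLS is expected to be terminated by whatever fronts it when it is mapped onto 443; as written, "mapped onto port 443" can be read as the container serving HTTPS itself. Minor: the `docker pull atcr.io/bram.gotink.be/knot` example has no tag while the build example pins `VERSION=v1.10.0-alpha`; showing a tagged pull keeps users off a moving `latest`.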
+30
containers/pihole/README.md
··· 1 + # pihole 2 + 3 + OCI Container to run pihole in kubernetes 4 + 5 + ## Pre-built Images 6 + 7 + Pre-built images are available in a Codeberg [repository](https://codeberg.org/bgotink/-/packages/container/pihole) 8 + 9 + ```sh 10 + docker pull codeberg.org/bgotink/pihole 11 + ``` 12 + 13 + This image differs from the official [pihole/pihole](https://hub.docker.com/r/pihole/pihole) image: everything runs as a non-root user, including cron tasks 14 + 15 + ## Building The Image 16 + 17 + ```sh 18 + docker build --platform linux/amd64,linux/arm64 -t codeberg.org/bgotink/pihole:6.2.3 . 19 + ``` 20 + 21 + ## Setting Up The Image 22 + 23 + This image is designed to work with kubernetes. 24 + It requires two `volumeMounts`: 25 + 26 + - `/etc/pihole` for the pihole configuration, this should map onto a persistent volume 27 + - `/var/lib/pihole` for the database, this should map onto a persistent volume 28 + - `/var/log/pihole` is used for logs, this can be persistent or you could leave it ephemeral 29 + 30 + The image listens on standard ports (80 for HTTP, 53 for DNS), so it requires the `NET_BIND_SERVICE` capability.
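Review bot: "It requires two `volumeMounts`:" (line 24) is followed by three bullets, the third of which the text itself calls optional; reword to "two required `volumeMounts` and one optional one" or move `/var/log/pihole` to its own sentence. The `docker pull codeberg.org/bgotink/pihole` example is untagged while the build example produces `:6.2.3`; give the pull a tag too. The last paragraph is the right place to add one sentence on how `NET_BIND_SERVICE` is granted to the non-root process in this image (for example via the pod's `securityContext.capabilities.add` plus file capabilities on the binary, if that is what the image does), since "requires the capability" alone leaves the reader guessing why binding to 53 still fails as a non-root user.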
-5
containers/xwiki/Dockerfile
··· 1 - FROM xwiki:17.8.0-postgres-tomcat@sha256:4227a1d45a42664a6bd36d8f52155b602cb1c322406cba47f4c19f51c49d907f 2 - 3 - RUN useradd -r -u 100 tomcat && chown -R tomcat /usr/local/tomcat 4 - 5 - USER 100
-6
containers/xwiki/start.sh
··· 1 - #!/bin/ash 2 - set -e 3 - 4 - crond -b -c /etc/crontabs 5 - 6 - exec pihole-FTL no-daemon
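Review bot: this deletion removes the whole `containers/xwiki` directory, including the custom non-root xwiki image (the `useradd -r -u 100 tomcat` / `USER 100` Dockerfile in the previous hunk) and a `start.sh` that actually launches `crond` and `pihole-FTL`, i.e. it looks like a pihole script that was misplaced under `xwiki/`. The new top-level README still lists "a wiki for a WarHammer 40k Imperium Maledictum roleplay group" as a running application, so please confirm that no manifest under `kubernetes/` still references an image built from this folder, and note in the commit message that the wiki now runs from the upstream image (or wherever it comes from), since "feat: add some docs" does not hint at an image being dropped.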
+1
kubernetes/apps/at/namespace.yaml
··· 4 4 name: at 5 5 labels: 6 6 reloader.proteus/enabled: "true" 7 + kustomize.toolkit.fluxcd.io/prune: disabled
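Review bot: the new `kustomize.toolkit.fluxcd.io/prune: disabled` label tells Flux never to garbage-collect the `at` namespace (and with it every PVC inside) even if the namespace object disappears from the source, which is a sensible safety net for the PDS and knot data, but it is a behavioural change hidden in a docs commit. Add a YAML comment above the label saying why pruning is disabled, and mention it in the commit message alongside the `retain: true` change in `pds.yaml`, since the two together form the data-protection story for this namespace.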
+1 -1
kubernetes/apps/at/pds/knot.yaml
··· 42 42 app: 43 43 image: 44 44 repository: harbor.${SECRET_HOST}/library/knot 45 - tag: 1.10.0-alpha@sha256:4bdfd2fcf66af1c25fd01a5ef8fdba3272c84422b83e86c30e8ed4f5c9e2eff0 45 + tag: 1.10.0-alpha@sha256:e30ec770886f45378015946ced57b69f61d5b05fd2f4aacc7dfb675aefbdea22 46 46 env: 47 47 TZ: ${TIMEZONE} 48 48
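Review bot: the digest bump on line 45 is fine in itself, but the tag stays `1.10.0-alpha` without the `v` prefix that `containers/knot/Dockerfile` uses for `VERSION` and for the `org.opencontainers.image.version` label in this same commit. Aligning the Harbor tag with the label value (or vice versa) makes it possible to match a running pod to the Dockerfile build argument without mentally adding the prefix.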
+2
kubernetes/apps/at/pds/pds.yaml
··· 234 234 type: persistentVolumeClaim 235 235 accessMode: ReadWriteOncePod 236 236 size: 2Gi 237 + retain: true 237 238 blobstore: 238 239 type: persistentVolumeClaim 239 240 accessMode: ReadWriteOncePod 240 241 size: 10Gi 242 + retain: true 241 243 tmp: 242 244 type: emptyDir
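Review bot: adding `retain: true` to both the database and blobstore claims is the right call for data that cannot be rebuilt, but the same protection is missing for the knot release in `knot.yaml`, whose README in this commit says `/repositories` and `/data` hold the repository data and the database; if that release uses the same chart, its claims deserve the same flag. Also worth a short comment on each `retain: true` line stating what the chart does with it (keep the PVC on uninstall versus set the PV reclaim policy), so the next reader does not have to dig through the chart to know which guarantee is actually in place.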