# Veda The new setup of my homelab will be based on Kubernetes, which will prevent all of my services going down when I need to do physical maintenance of a host. ## Services ### Core - Ceph for all storage: cephfs, object storage and block storage - Nextcloud: file storage interface for the entire family - Jellyfin: Web based media streaming - Authentik: Central identification and authentication server - Nginx reverse proxy - ACME client: SSL certificate handling - ArgoCD: Revision control for all Kubernetes configuration - Homeassistant + Zigbee2mqtt - Prometheus - Grafana - Grafana Loki + FluentD - Cilium - Harbor: Container image storage ### Nice-to-have - Jellyseerr: Nice interface to request movies and series - Sonarr: Automated downloading and handling of series - Radarr: Automated downloading and handling of movies - Flaresolverr: Fetching data hidden behind captcha’s - Torrent client (qBittorrent): To download all the linux ISO’s - ExternalDNS - Paperless-ngx ### Look-into-later - Mastodon: federated social platform - Forgejo: Git platform. Maybe this should not be hosted on the cluster as it will depend on it. - CloudNativePG: K8s operator for PostgreSQL ## Bootstrapping ```bash export CLUSTER_NAME="veda" export API_ENDPOINT="https://192.168.0.1:6443" ``` ```bash talosctl gen secrets --output-file secrets.yaml ``` ```bash talosctl gen config \ --with-secrets secrets.yaml \ --output-types talosconfig \ --output talosconfig \ $CLUSTER_NAME \ $API_ENDPOINT ``` ```bash talosctl config merge ./talosconfig ``` For controlplane nodes: ```bash talosctl gen config \ --output rendered/master1.yaml \ --output-types controlplane \ --with-secrets secrets.yaml \ --config-patch @nodes/master1.yaml \ --config-patch @patches/argocd.yaml \ --config-patch @patches/cilium.yaml \ --config-patch @patches/scheduling.yaml \ --config-patch @patches/discovery.yaml \ --config-patch @patches/diskselector.yaml \ --config-patch @patches/vip.yaml \ $CLUSTER_NAME \ $API_ENDPOINT ``` For worker nodes: ```bash talosctl gen config \ --output rendered/worker1.yaml \ --output-types controlplane \ --with-secrets secrets.yaml \ --config-patch @nodes/worker1.yaml \ --config-patch @patches/argocd.yaml \ --config-patch @patches/cilium.yaml \ --config-patch @patches/scheduling.yaml \ --config-patch @patches/discovery.yaml \ --config-patch @patches/diskselector.yaml \ $CLUSTER_NAME \ $API_ENDPOINT ``` ## TODO - Remove secrets from config ## Misc ### Applying patches ```bash talosctl patch machineconfig -p @argocd.yaml -n 192.168.0.0 ``` ### Reset node ```bash talosctl reset --system-labels-to-wipe EPHEMERAL,STATE --reboot -n 192.168.0.0 ``` ### ArgoCD default login User: admin, password can be retrieved with (ignore the '%' at the end): ```bash kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d ``` ### Certificate lifetimes Talos Linux automatically manages and rotates all server side certificates for etcd, Kubernetes, and the Talos API. Note however that the kubelet needs to be restarted at least once a year in order for the certificates to be rotated. Any upgrade/reboot of the node will suffice for this effect. You can check the Kubernetes certificates with the command `talosctl get KubernetesDynamicCerts -o yaml` on the controlplane. Client certificates (talosconfig and kubeconfig) are the user’s responsibility. Each time you download the kubeconfig file from a Talos Linux cluster, the client certificate is regenerated giving you a kubeconfig which is valid for a year. The talosconfig file should be renewed at least once a year, using the `talosctl config new` command.