weakphish/home-operations

Install & Setup Notes

Ansible

  • Seems to require export ANSIBLE_BECOME_EXE=sudo.ws due to this issue
  • Run with ansible-playbook playbook.yml -i inventory.yml -kK; -k prompts for the SSH password and -K for the become (sudo) password, so neither has to be written into the inventory

Repo Structure

  • ansible/ - Ansible playbook to bootstrap K3s cluster
  • pulumi/ - IaC for all K8s workloads and cloud API resources (Cloudflare tunnel/ZT, Tailscale ACL/settings)

Architecture Notes

Diagram

flowchart TB
    subgraph Internet
        Users[External Users]
        CF[Cloudflare]
    end

    subgraph Tailnet[Tailscale Network]
        Admin[Admin/Internal Users]
        Members[Tailnet Members]
    end

    subgraph IaC[IaC Layer]
        Pulumi[Pulumi\nall K8s workloads · CF tunnel · Tailscale ACL]
    end

    subgraph Cluster[K3s Cluster]
        subgraph Server["Control Plane (new-bermuda)"]
            subgraph Networking
                TSOperator[Tailscale Operator]
                Cloudflared[cloudflared]
            end

            subgraph Apps[Applications]
                Foundry[Foundry VTT]
                Homepage[Homepage Dashboard]
                Paperless[Paperless-ngx]
                Donetick[Donetick]
                Homebox[Homebox]
                Monica[Monica CRM]
                Satisfactory[Satisfactory Server]
            end

            subgraph Monitoring[Monitoring Stack]
                KPS[kube-prometheus-stack\nPrometheus · Alertmanager\nkube-state-metrics · node-exporter]
                Alloy[Alloy\nlog collector]
                Loki[Loki\nlog storage]
                Grafana[Grafana]
            end

            subgraph Storage[Storage - Longhorn]
                FoundryPVC[(PVC: foundry 50Gi)]
                PaperlessPVCs[(PVCs: paperless x5)]
                DonetickPVC[(PVC: donetick 10Gi)]
                HomeboxPVC[(PVC: homebox 10Gi)]
                MonicaPVCs[(PVCs: monica DB 5Gi + data 10Gi)]
                SatisfactoryPVC[(PVC: satisfactory 25Gi)]
                GrafanaPVC[(PVC: grafana 10Gi)]
                LokiPVC[(PVC: loki 20Gi)]
            end
        end
    end

    Pulumi -->|deploys & manages| Cluster
    Pulumi -->|manages API| CF
    Pulumi -->|manages ACL/DNS| Tailnet

    Users -->|HTTPS| CF
    CF -->|Zero Trust Auth| CF
    CF -->|Tunnel| Cloudflared
    Cloudflared -->|:30000| Foundry

    Admin -->|Tailscale Full Access| TSOperator
    TSOperator -->|Ingress HTTPS| Foundry
    TSOperator -->|Ingress HTTPS| Homepage
    TSOperator -->|Ingress HTTPS| Paperless
    TSOperator -->|Ingress HTTPS| Donetick
    TSOperator -->|Ingress HTTPS| Homebox
    TSOperator -->|Ingress HTTPS| Monica
    TSOperator -->|Ingress HTTPS| Grafana
    KPS -->|datasources/dashboards via sidecar| Grafana
    Alloy -->|push logs| Loki
    Loki -->|datasource via sidecar| Grafana
    TSOperator -->|LoadBalancer UDP| Satisfactory

    Members -->|Tailscale :7777 only| Satisfactory

    Foundry --> FoundryPVC
    Paperless --> PaperlessPVCs
    Donetick --> DonetickPVC
    Homebox --> HomeboxPVC
    Monica --> MonicaPVCs
    Satisfactory --> SatisfactoryPVC
    Grafana --> GrafanaPVC
    Loki --> LokiPVC

    style CF fill:#f6821f
    style TSOperator fill:#4a5568
    style Pulumi fill:#8a6cf7
    style Foundry fill:#7c3aed
    style Homepage fill:#10b981
    style Satisfactory fill:#f97316
    style Grafana fill:#ff6b6b
    style KPS fill:#e08234
    style Alloy fill:#ff7043
    style Loki fill:#2196f3
    style Paperless fill:#17541f
    style Donetick fill:#0ea5e9
    style Homebox fill:#14b8a6
    style Monica fill:#ec4899

Networking

  • Cloudflare Tunnel: Public access for Foundry VTT only, over an outbound-only cloudflared connection (no inbound port on the home network); the Zero Trust email allowlist is an Access policy enforced at the Cloudflare edge before a request is forwarded through the tunnel
  • Tailscale: Private HTTPS access for all other services via Tailscale Ingress (needs HTTPS certificates enabled for the tailnet, one of the settings Pulumi manages)
    • ACL: admin user has full access; all other tailnet members are restricted to Satisfactory (port 7777) only; anything not matched by an accept rule is denied, since Tailscale ACLs are default-deny
  • Network Policies: Default-deny ingress+egress on the default namespace; DNS (port 53) and HTTPS (port 443) egress explicitly allowed for all pods. The 443 allowance is to any destination, so a compromised pod can still reach arbitrary HTTPS endpoints; workloads that only need specific upstreams should get a narrower ipBlock or namespace selector
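The Tailscale ACL bullet above describes the intended policy in prose. The following is an added example, not the repo's own ACL or code: a constructed ACL that encodes exactly those two rules, plus a small default-deny evaluator that checks who can reach what. The identities (admin@example.com, friend@example.com, tag:satisfactory, tag:k8s) and node names are assumptions; tag:k8s is used because it is the Tailscale operator's default tag for the proxies it creates.

```python
import json

# Constructed example policy (added here; not the repo's ACL). It encodes the
# rules described above: the admin user gets full access, every other tailnet
# member can reach only the Satisfactory server on port 7777. The identities
# "admin@example.com", "tag:satisfactory" and "tag:k8s" are assumptions.
ACL_JSON = """
{
  "tagOwners": {"tag:satisfactory": ["admin@example.com"], "tag:k8s": ["admin@example.com"]},
  "acls": [
    {"action": "accept", "src": ["admin@example.com"], "dst": ["*:*"]},
    {"action": "accept", "src": ["autogroup:member"],  "dst": ["tag:satisfactory:7777"]}
  ]
}
"""
ACL = json.loads(ACL_JSON)

# Constructed tailnet inventory (assumed names): user-owned devices carry a
# user; tagged devices (game server, operator ingress proxy) carry tags only.
NODES = {
    "admin-laptop": {"user": "admin@example.com", "tags": []},
    "friend-pc":    {"user": "friend@example.com", "tags": []},
    "satisfactory": {"user": None, "tags": ["tag:satisfactory"]},
    "paperless":    {"user": None, "tags": ["tag:k8s"]},
}


def _matches(entry, node):
    """Does an ACL src/dst identity entry match a node?"""
    if entry == "*":
        return True
    if entry == "autogroup:member":      # any device owned by a tailnet user
        return node["user"] is not None
    if entry.startswith("tag:"):
        return entry in node["tags"]
    return entry == node["user"]         # a user login


def _port_allowed(spec, port):
    """Port spec is '*', a single port, a range 'lo-hi', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(acl, nodes, src, dst, port):
    """Default-deny evaluation: True only if some accept rule covers src -> dst:port."""
    s, d = nodes[src], nodes[dst]
    for rule in acl["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_matches(e, s) for e in rule["src"]):
            continue
        for entry in rule["dst"]:
            host, _, ports = entry.rpartition(":")   # "tag:x:7777" -> ("tag:x", "7777")
            if _matches(host, d) and _port_allowed(ports, port):
                return True
    return False


def audit(acl, nodes, probes):
    """Evaluate (src, dst, port) probes; returns {(src, dst, port): allowed}."""
    return {p: is_allowed(acl, nodes, *p) for p in probes}


if __name__ == "__main__":
    probes = [
        ("admin-laptop", "paperless", 443),
        ("friend-pc", "satisfactory", 7777),
        ("friend-pc", "paperless", 443),
        ("friend-pc", "satisfactory", 22),
    ]
    for (src, dst, port), ok in audit(ACL, NODES, probes).items():
        print(f"{src:>12} -> {dst}:{port:<5} {'ALLOW' if ok else 'DENY'}")
```

The evaluator only models the src/dst/port matching used by these two rules (no groups, autogroup:self, or protocol fields); its value is the negative cases: a non-admin member reaching an operator ingress proxy on 443, or the game server on any port other than 7777, is denied because no rule matches, not because a deny rule exists.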

IaC Strategy

  • Pulumi (pulumi/): All K8s workloads (deployments, services, ingresses, PVCs, secrets) and cloud API resources — Cloudflare tunnel/DNS/Zero Trust, Tailscale ACL/MagicDNS/HTTPS settings
    • Backend: S3-compatible (Cloudflare R2), not Pulumi Cloud
    • Secrets: pulumi config set --secret / config.requireSecret(); encrypted in Pulumi state by the passphrase secrets provider (the default for a self-managed backend), so the passphrase is what protects secret values in the state objects stored in R2

Setting up Pulumi

  • Install AWS CLI
  • Set up an AWS CLI profile with an R2 API token (S3-compatible access key ID and secret) for state back-end access
  • Set the state-encryption passphrase in the environment (PULUMI_CONFIG_PASSPHRASE, or PULUMI_CONFIG_PASSPHRASE_FILE to keep it out of shell history)
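The three steps above are easy to get half-right (wrong profile name, no passphrase exported) and the failure only shows up at pulumi up. As an added example, not code from this repo, here is a small preflight that builds the pulumi login URL for an R2 bucket and checks the profile and passphrase environment before any state is touched. The account ID, bucket and profile names are placeholders, the credentials file is constructed, and the exact query parameters (endpoint, region=auto, profile) are an assumption to confirm against the Pulumi self-managed backend docs.

```python
import configparser
from urllib.parse import urlencode

R2_ENDPOINT_SUFFIX = "r2.cloudflarestorage.com"


def r2_backend_url(account_id, bucket, profile):
    """Build the self-managed backend URL handed to `pulumi login`.

    Pulumi's S3 backend takes the endpoint, region and AWS profile as query
    parameters; R2 expects region 'auto'. The parameter names are an assumption
    to check against the Pulumi docs for S3-compatible backends.
    """
    query = urlencode({
        "endpoint": f"{account_id}.{R2_ENDPOINT_SUFFIX}",
        "region": "auto",
        "profile": profile,
    })
    return f"s3://{bucket}?{query}"


def preflight(env, credentials_ini, profile):
    """Return a list of 'error:'/'warn:' strings describing setup problems.

    env is any mapping (e.g. os.environ); credentials_ini is the text of
    ~/.aws/credentials. An empty list means the setup looks usable.
    """
    problems = []

    cp = configparser.ConfigParser()
    cp.read_string(credentials_ini)
    if profile not in cp:
        problems.append(f"error: AWS profile {profile!r} missing from credentials file")
    else:
        for key in ("aws_access_key_id", "aws_secret_access_key"):
            if not cp[profile].get(key):
                problems.append(f"error: profile {profile!r} has no {key}")

    # The passphrase secrets provider encrypts `config set --secret` values in
    # the state file; without a passphrase, stack operations prompt or fail.
    if env.get("PULUMI_CONFIG_PASSPHRASE_FILE"):
        pass
    elif env.get("PULUMI_CONFIG_PASSPHRASE"):
        problems.append("warn: passphrase in PULUMI_CONFIG_PASSPHRASE; "
                        "PULUMI_CONFIG_PASSPHRASE_FILE keeps it out of shell history")
    else:
        problems.append("error: no PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE set")

    return problems


# Constructed sample credentials file (placeholder values, not real keys).
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLE
aws_secret_access_key = example-secret

[r2]
aws_access_key_id = 0123456789abcdef0123456789abcdef
aws_secret_access_key = example-r2-secret
"""


if __name__ == "__main__":
    import os
    # Placeholder account/bucket/profile; replace with your own.
    url = r2_backend_url("<account-id>", "pulumi-state", "r2")
    issues = preflight(os.environ, SAMPLE_CREDENTIALS, "r2")
    for issue in issues:
        print(issue)
    if not any(i.startswith("error:") for i in issues):
        print(f"pulumi login '{url}'")
```

Run it before the first pulumi login on a new machine; the login command is printed rather than executed so the URL can be inspected, and a warn line does not block the login.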

Resources / ideas

About

my home server box config and such
