Kubernetes - The Idea
My Docker configs are everywhere, the whole thing is a mess, and is spread across multiple machines. Thankfully, Kubernetes is here to save the day. At least, that's the plan.
This is a repost, as I failed the transition from Docker to Kubernetes for Ghost.
So. I've got this thing where I have a computer or two lying around, and an obsession with hosting things myself.
And hey! Fun story: I have, actually, been hosting things. A bit more than twenty of them, actually. Which, it turns out, is kind of a hassle to manage with Docker. Currently, my setup is less than secure (I mean, I did things, but probably wrong), it's a bit of a mess, and sometimes I literally forget I set something up because the configuration files are everywhere. I store secrets in plain docker compose files... I mean, it's terrible.
So, of course, the only solution is to use an even more complicated solution: Kubernetes. But I want to do things right, which means documenting myself a lot and planning everything beforehand. So here is my idea for my HomeLab (because that's what it is, I think).
The idea
I have multiple criteria for this iteration of my infra. Here they are:
- My family must be able to use it. Some things I host for actual use and not just for fun, so it needs to be easy to use.
- Security is a main concern here. I want to make sure my setup is at least a little bit harder to hack than it is now (because, let's be honest: I'm no pro, I'll do bad things).
- It must be fun. Because if it wasn't, I wouldn't do it in the first place.
Okay, so three criteria, not much, but still. So what are my ideas for now? Well, it's really just ideas here and there. Nothing concrete - that would be for a future post.
One obvious idea for security: think thoroughly about roles and permissions. Okay, that's kind of obvious, but I didn't do it before, soooo... yeah. With that will come an authentication service. So far I've used Keycloak, but I may switch to Authentik depending on the features it has to offer. I find it quite annoying that Keycloak doesn't do forward auth itself (it won't inject identity headers for the reverse proxy to consume), so I have to put oauth2-proxy in front of it... and it doesn't always work.
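To make "think thoroughly about roles and permissions" concrete on the Kubernetes side, here is an added example (mine, not the post's own config) of a least-privilege Role for one application, a small lint that refuses wildcards or cluster-admin bindings, and the `kubectl auth can-i` checks to run before trusting the result. The namespace `media`, the service account `ghost` and the secret name `ghost-config` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: namespace "media",
# service account "ghost", secret "ghost-config" holding that app's config.

# Emit a Role + RoleBinding that grants only what a typical app needs inside
# its own namespace: read ConfigMaps, read ONE named Secret, no wildcards,
# nothing cluster-wide. (resourceNames cannot restrict "list", so only "get"
# is granted on secrets; listing would reveal every secret in the namespace.)
rbac_manifest() {
  ns="$1"; sa="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-app
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["${sa}-config"]   # only this app's secret
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-app
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: ${sa}-app
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Reject a manifest file that hands out "*" verbs/resources/apiGroups or binds
# to cluster-admin. Returns 0 when clean, 1 otherwise (usable as a git hook).
rbac_lint() {
  if grep -Eq '^[[:space:]]*-?[[:space:]]*(verbs|resources|apiGroups):.*"\*"' "$1"; then
    echo "wildcard grant found in $1" >&2; return 1
  fi
  if grep -q 'name: cluster-admin' "$1"; then
    echo "binds cluster-admin in $1" >&2; return 1
  fi
  return 0
}

# Ask the API server what the service account can actually do. Needs a
# cluster; skipped when kubectl is absent. Expected answers: yes, no, no.
rbac_verify() {
  ns="$1"; sa="$2"
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found, skipping live check" >&2; return 0; }
  who="system:serviceaccount:${ns}:${sa}"
  kubectl auth can-i get "secrets/${sa}-config" -n "$ns" --as="$who" || true
  kubectl auth can-i list secrets -n "$ns" --as="$who" || true
  kubectl auth can-i delete pods -n "$ns" --as="$who" || true
}

# Usage (on a real cluster):
#   rbac_manifest media ghost > rbac-ghost.yaml
#   rbac_lint rbac-ghost.yaml && kubectl apply -f rbac-ghost.yaml
#   rbac_verify media ghost
```

The lint is deliberately dumb grep, which is the point: it catches the two mistakes that undo everything else (a `"*"` slipped into a rule, a binding to `cluster-admin`) and is cheap enough to run on every commit of the config repo. The `can-i --as` calls are the check that matters: they test the binding the API server actually enforces, not the YAML you think you applied.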
Another, more interesting idea: how to counter DDoS attacks and, in the process, hide my home IP address. You see, for now, most of the domain names I use point to my home address, which is amazing because that means anyone on the Internet can decide to launch an attack directly at my house, and I'd have no way to protect myself from it. So cool. But I do own a VPS, and OVH offers a free DDoS protection service with it. Which means that, if I were able to route all traffic through the VPS and then to my house, I'd kill two birds with one stone. Easy, you say? Sure, but my home IP address is dynamic, and I also need to route SSH for the Forgejo instance I host. Maybe it's easy - I haven't thought about it yet - or maybe it's really not. We'll see!
Another part of security, internal this time, will be to try and get VLANs in my home network. That way, I could separate the HomeLab from the rest of the network, so that a compromised service can't reach my family's devices. Only problem: I use my ISP's router, which does not support VLANs... So that will be a bit hard. But again, we'll see!
Then, I want to set up a VPN. Right now, almost all my services are wide open to the Internet, which is less than ideal. I plan on putting most of the services behind a VPN... but let's not forget that my family must be able to use those services easily. I have my eyes on Headscale, although I'm not sure how to use it yet. Again, I'll have to do some research!
Another very important thing is being able to show everything I do. I thus plan on keeping all the config in a git repository - which implies organizing it well, and keeping the secrets out of it this time!
I also have services that won't go onto Kubernetes, namely Home Assistant (which I use to control my blinds when I'm away from the house), and which will still need to be integrated into the whole infra, i.e. be reachable over the VPN.
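The dynamic home IP is less of a problem than it sounds, because the home side can be the one that dials out: a WireGuard tunnel from home to the VPS needs no fixed address at home, and the VPS then only forwards the public ports into the tunnel. Below is an added example of that layout (my sketch, not the post's own setup): the two WireGuard configs, and an nftables ruleset for the VPS that DNATs 80/443 and a separate SSH port for Forgejo to the home end of the tunnel. The VPS interface `eth0`, the public address `203.0.113.10`, the tunnel range `10.99.0.0/24`, VPS port `2222` for Forgejo SSH, and the `<..._KEY>` placeholders are all assumptions.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Assumptions: VPS public
# interface eth0 and address 203.0.113.10 (TEST-NET placeholder), tunnel
# 10.99.0.1 (VPS) / 10.99.0.2 (home), Forgejo SSH reachable on home port 22
# and published on VPS port 2222. Keys are placeholders; generate real ones
# with:  wg genkey | tee privkey | wg pubkey > pubkey

VPS_IP="${VPS_IP:-203.0.113.10}"
VPS_WAN_IF="${VPS_WAN_IF:-eth0}"
TUN_VPS="10.99.0.1"
TUN_HOME="10.99.0.2"
FORGEJO_PUBLIC_PORT="${FORGEJO_PUBLIC_PORT:-2222}"   # never 22: that is the VPS's own sshd
FORGEJO_HOME_PORT="${FORGEJO_HOME_PORT:-22}"

# WireGuard config for the VPS. The home peer has NO Endpoint on purpose:
# it connects to us, and whatever address it comes from is accepted.
wg_vps_conf() {
  cat <<EOF
[Interface]
Address = ${TUN_VPS}/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# home box: it dials in, so its changing public IP never needs to be known here
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${TUN_HOME}/32
EOF
}

# WireGuard config for the home box: dials the VPS and keeps the NAT mapping
# on the ISP router alive so the VPS can always reach it.
wg_home_conf() {
  cat <<EOF
[Interface]
Address = ${TUN_HOME}/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_IP}:51820
AllowedIPs = ${TUN_VPS}/32
PersistentKeepalive = 25
EOF
}

# nftables ruleset for the VPS: DNAT web and Forgejo SSH into the tunnel,
# allow only those flows to be forwarded, masquerade so replies return via
# wg0. The leading "table"/"flush" lines make the file safe to re-apply.
nft_vps_rules() {
  cat <<EOF
table ip homelab
flush table ip homelab
table ip homelab {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "${VPS_WAN_IF}" tcp dport { 80, 443 } dnat to ${TUN_HOME}
    iifname "${VPS_WAN_IF}" tcp dport ${FORGEJO_PUBLIC_PORT} dnat to ${TUN_HOME}:${FORGEJO_HOME_PORT}
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "${VPS_WAN_IF}" oifname "wg0" ip daddr ${TUN_HOME} tcp dport { ${FORGEJO_HOME_PORT}, 80, 443 } accept
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "wg0" masquerade
  }
}
EOF
}

# Apply everything on the VPS as root (needs wireguard-tools and nftables).
install_on_vps() {
  wg_vps_conf > /etc/wireguard/wg0.conf
  chmod 600 /etc/wireguard/wg0.conf
  sysctl -w net.ipv4.ip_forward=1
  nft_vps_rules | nft -f -
  wg-quick up wg0
}

# Usage:  install_on_vps            (on the VPS)
#         wg_home_conf > /etc/wireguard/wg0.conf && wg-quick up wg0   (at home)
```

Two caveats a practitioner will hit. First, because of the masquerade, Forgejo and the web server at home see every client as `10.99.0.1`; keeping real client IPs means either terminating TLS on the VPS with a proxy that speaks PROXY protocol, or dropping the masquerade and adding policy routing at home so replies go back through `wg0`. Second, the DNS records for the services now point at the VPS, but anything that ever leaked the home address (old DNS, certificate transparency logs for a home-issued cert, an `A` record left behind) still does, so the home firewall should keep dropping inbound traffic that does not arrive over `wg0`.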
And I think that's quite the recap of all my ideas for now.
Learning
So right now, I'm in the learning phase. I've found quite a good course on Kubernetes, and plan on watching a full course on how to build an infrastructure too (note: both courses are in French, simply because I didn't find what I wanted in English). The courses are 45 and 64 hours long respectively, so I'm in for quite a ride. But I hope that with those courses complete, I'll have a clearer view of how to do what I want!
Conclusion
Okay, well, that's all I had to say for today. I'll now plunge into those two courses, take notes, learn, and come back with a complete plan to present to you!