Projects on nik4naohttps://nik4nao.com/projects/Recent content in Projects on nik4naoHugoen-usTue, 17 Mar 2026 00:00:00 +0000Homelab Kubernetes Clusterhttps://nik4nao.com/projects/homelab/Tue, 17 Mar 2026 00:00:00 +0000https://nik4nao.com/projects/homelab/<h2 id="overview">Overview</h2> <p>A self-hosted Kubernetes cluster running on bare-metal hardware at home. The cluster serves as a platform for running personal services, experimenting with cloud-native tooling, and learning operational patterns without a cloud bill.</p> <h2 id="hardware">Hardware</h2> <table> <thead> <tr> <th>Host</th> <th>Role</th> <th>Specs</th> </tr> </thead> <tbody> <tr> <td>Minisforum UM780 XTX</td> <td>K3s control-plane</td> <td>AMD Ryzen 7 8745H</td> </tr> <tr> <td>HP ProDesk (nik-debian)</td> <td>K3s storage agent</td> <td>NFS server, mergerfs media pool</td> </tr> <tr> <td>Mac Mini M2</td> <td>Standalone Docker host</td> <td>ARM, outside the cluster</td> </tr> </tbody> </table> <h2 id="stack">Stack</h2> <ul> <li><strong>Distribution:</strong> k3s</li> <li><strong>Ingress:</strong> Traefik v3</li> <li><strong>TLS:</strong> cert-manager — Let&rsquo;s Encrypt (public) + internal CA (LAN)</li> <li><strong>Auth:</strong> Authentik SSO — OIDC + forwardAuth proxy, TOTP MFA enforced</li> <li><strong>DNS:</strong> Pihole (primary + secondary, externalIPs)</li> <li><strong>Storage:</strong> NFS (Debian) + local-path dynamic provisioner</li> <li><strong>CI/CD:</strong> Gitea Actions + act_runner, Docker buildx multiarch (amd64 + arm64)</li> <li><strong>Registry:</strong> Gitea built-in container registry</li> <li><strong>Observability:</strong> Prometheus + Grafana + Loki + Promtail</li> <li><strong>IaC:</strong> Ansible (host-level), Helm + raw manifests (cluster-level), all tracked in Gitea</li> </ul> <h2 id="highlights">Highlights</h2> <ul> <li>All cluster state is managed as code in a Gitea monorepo — single-file manifests per service, organised by concern</li> <li>Authentik SSO protects all web-facing services via Traefik forwardAuth; OIDC integrated with Gitea and Grafana</li> <li>Multi-arch image builds (amd64 + arm64) via buildx on every push to <code>main</code>, pushed to the self-hosted registry</li> <li>Dual-cert TLS strategy: internal CA for <code>*.home.arpa</code> services, Let&rsquo;s Encrypt for <code>*.nik4nao.com</code> public services</li> <li>Pihole running as primary + secondary with externalIPs for LAN-wide DNS and ad-blocking</li> <li>DDNS CronJob keeps the public A record in sync via the Porkbun API</li> </ul> <h2 id="running-workloads">Running Workloads</h2> <p>Traefik, cert-manager, Pihole, Authentik, Gitea, Prometheus, Grafana, Loki, Promtail, Jellyfin, qBittorrent, JDownloader, Photoview, Dashy, Glances, DDNS CronJob, this portfolio site.</p>