Network Isolation

Preventing Your Dual-Homed Linux Box from Bridging Networks

If you’re running a homelab with multiple network segments, there’s a good chance you have at least one machine connected to more than one network. Maybe your workstation has a wired connection to your DMZ and wireless to your trusted WLAN. Convenient? Yes. A potential security hole? Also yes.

The Problem

My workstation sits on two networks: wireless connected to my home WLAN (192.168.3.0/24) and wired into my DMZ (192.168.4.0/24). The DMZ is intentionally isolated—it’s where I run services exposed to the internet. The WLAN is where everything else lives: personal devices, management interfaces, the stuff I actually care about protecting. ...

December 30, 2025 · 5 min · Will
ArgoCD GitOps

GitOps Blog Deployment with ArgoCD and Automatic Image Updates

I run a Hugo blog on my homelab Kubernetes cluster, and I wanted a proper GitOps workflow where pushing to main automatically deploys changes. No manual kubectl apply, no SSH-ing into servers, no scripts to remember. Just git push and walk away. This post covers how I set up ArgoCD to deploy this blog with automatic image updates using the ArgoCD Image Updater.

The Goal

[Diagram: Git Push (main) → GitLab CI (build) → Container Registry → ArgoCD (deploy). GitLab CI tags the image with the git SHA (d67fe5d); the Image Updater detects the new image, and ArgoCD updates Kubernetes.]

The workflow: ...

December 29, 2025 · 6 min · Will
Firewall Configuration

Configuring OPNsense Firewall Rules via API for Cross-VLAN Kubernetes

When I needed to add a node from my DMZ to my Kubernetes cluster on the LAN, I discovered OPNsense has a comprehensive REST API that lets you manage firewall rules programmatically. No clicking through the UI - just curl commands that create rules properly tracked in the configuration and included in backups.

The Problem

My Kubernetes cluster lives on my LAN (192.168.2.0/24), but I wanted to add a machine from my DMZ (192.168.4.0/24). By default, DMZ traffic can’t reach the LAN - that’s the whole point of a DMZ. I needed to punch specific holes for Kubernetes traffic while keeping everything else blocked. ...

December 28, 2025 · 10 min · Will
Node Drain

Why You Need --disable-eviction for Homelab Kubernetes Node Drains

If you’ve ever tried to drain a Kubernetes node in a homelab cluster and found yourself staring at a terminal that just… hangs, you’ve probably run into PodDisruptionBudget (PDB) conflicts. Here’s why it happens and how to fix it.

The Problem

I was upgrading my Kubernetes cluster from 1.34 to 1.35, which requires draining each node before upgrading. Simple enough, right?

    kubectl drain k8s-worker01 --ignore-daemonsets --delete-emptydir-data

And then… nothing. The command just sat there. No error, no progress, just waiting. ...

December 28, 2025 · 5 min · Will
Control Plane

Why Your Kubernetes Control Plane Has a NoSchedule Taint

If you’ve ever run kubectl describe node on your control plane and wondered about this taint:

    Taints: node-role.kubernetes.io/control-plane:NoSchedule

Here’s what it does and why you want to keep it.

What It Does

This taint prevents regular pods from being scheduled on control plane nodes. Only pods that explicitly tolerate the taint can run there.

Why It Matters

Your control plane runs critical components:

- etcd - The cluster’s brain (all state lives here)
- kube-apiserver - The API everything talks to
- kube-controller-manager - Manages controllers
- kube-scheduler - Decides where pods run

If a misbehaving application pod consumes all CPU or memory on the control plane, these components starve and your entire cluster becomes unresponsive. ...

December 28, 2025 · 2 min · Will
etcd Backup

Backing Up etcd to MinIO with a Kubernetes CronJob

etcd is the heart of a Kubernetes cluster - it stores all cluster state including deployments, secrets, configmaps, and PVC definitions. Losing etcd means losing your entire cluster configuration. Yet many homelab setups neglect etcd backups until it’s too late. This post walks through setting up automated etcd backups using a Kubernetes CronJob that uploads snapshots to MinIO.

The Challenge

etcd runs as a static pod on the control plane node, which makes backing it up trickier than a regular application: ...

December 28, 2025 · 3 min · Will
Ansible Upgrade

Upgrading Kubernetes with Ansible: A Homelab Guide

How I automated Kubernetes cluster upgrades using Ansible, turning a tedious multi-hour process into a single command.

The Problem

My homelab Kubernetes cluster was running v1.28, several versions behind the current stable release. Kubernetes only supports upgrading one minor version at a time, meaning I’d need to go through:

    1.28 → 1.29 → 1.30 → 1.31 → 1.32

Each upgrade involves:

- Upgrading the control plane (kubeadm, then kubelet/kubectl)
- Draining each worker node
- Upgrading packages on each worker
- Uncordoning and waiting for Ready state
- Verifying cluster health

Doing this manually across 4 nodes, 4 times, is tedious and error-prone. Enter Ansible. ...

December 27, 2025 · 5 min · Will
Cloud Sync

Backing Up Kubernetes Data to Scaleway Object Storage

How I set up automated cloud backups for my homelab Kubernetes cluster using MinIO and Scaleway, while avoiding US and German cloud providers.

The Problem

I run a Kubernetes homelab with PostgreSQL and ImmuDB databases. Daily backups run via CronJobs and store compressed dumps in MinIO (self-hosted S3-compatible storage). But what happens if my server dies? All my backups would be gone. I needed offsite cloud backup, but wanted to avoid: ...

December 27, 2025 · 6 min · Will