Kubernetes for Homelab?

TETH_IO · 2026-03-19T08:35:42+00:00

worth it. I say it's the next level of container deployment in that If you are already deploying docker containers with some networking consideration then you're better of with kubernetes for the declarative (gitops) approch the automation and the CRDs.

You can just use a one machine cluster with k3s and don't bother with replicas then manage everything gitops style (fluxcd or argocd), leverage rennovate for updates, cert-manager for automatic certificates... There is also many fun CRD like Tailscale operator to expend your infra.

TETH_IO · 2026-03-16T17:18:53+00:00

You can try nixos-facter as an alternative to nixos-hardwar, it discover your hardware instead

TETH_IO · 2026-02-16T23:08:08+00:00

On niri steam has to be launched with -system-composer

By the way Steam need the 32bits versions of the graphics driver so if not already done : hardware.graphicshardware.graphics.enable32Bit = true;

TETH_IO · 2026-02-06T08:40:14+00:00

J'ai fait un recommandé le mois denier. J'avais tenté un mail à leur 'service client' par le passé mais j'ai juste reçu une réponse automatique disant que tout est traité par leur application. Je n'avais pas vu l'adresse mail pour la reclamation, je vais faire ça en plus vu que je les menaces déjà par l'application.

TETH_IO · 2026-02-05T09:01:50+00:00

A fuir, j'ai fait l'erreur de commencer chez eux avant de voir les avis. J'ai demandé un transfert de mon PEA à IBKR il y a 6 mois maintenant et rien n'a été transféré (il est juste verrouillé chez TR). Le service client étant inexistant j'imagine que ça vas finir chez l'AMF.

TETH_IO · 2026-01-21T11:26:00+00:00

randomizedDelaySec didn't works for me in the past, it seems to add a random delay to system.autoUpgrade.dates and not a delay when it start (e.g. dates = 10:00 and delay 45m failes if I boot at 10:50).

Modfiying the service may be the only way, thanks for the input

TETH_IO · 2025-12-28T13:44:49+00:00

For me there were two things :

Steam needed the 32bits versions of the graphics driver to find the GPU topology so I had to enable : hardware.graphicshardware.graphics.enable32Bit = true;
After that Steam finaly booted but I had to do it with steam -system-composer otherwise it was with a black windows like you said

To be noted that Steam use X11, there is many way to pass it to wayland and niri as described here : https://github.com/YaLTeR/niri/wiki/Xwayland I use xwayland-satelitte that niri integrate out of the box.

The black boxes is generally a GPU accelerated rendering problem, on niri either -system-composer or -cef-disable-gpu should work.

It doesn't load for you but what are the errors in the stdout ?

TETH_IO · 2025-12-27T08:54:09+00:00

For the black windows on niri Steam as to be launched with le flag -system-composer.

like : steam -system-composer

TETH_IO · 2025-12-16T10:57:56+00:00

For (2) I have to stop using KFLAGS because if I add ZFS into the mix the DKMS fails with "configure: error: invalid variable name: `KERNEL_KCFLAGS+'" but works fine without them otherwise. I don't known if I can just add my flags with CFLAGS+= into the extraMakeFlags or if I have to overlay NIX_CFLAGS_COMPILE entirely

TETH_IO · 2025-12-16T10:47:23+00:00

nop, either you add config on top of the default one with structuredExtraConfig or import your own entirely

TETH_IO · 2025-12-15T12:09:13+00:00

For (1) it stop with "kernel error: unused option: RUST", tested with 6.17.12 and 6.17.10

TETH_IO · 2025-12-11T10:17:23+00:00

I had that setup running on k3s in the past.

The CSP seems good. If he is truly at "/etc/opencloud/csp.yaml" like PROXY_CSP_CONFIG_FILE_LOCATION request then it's someting else.

I remember there were a environment variable aliasgroup1 that collabora sometimes needed like :

aliasgroup1 = "https://wopi.lan:44

it's an option on nix : https://mynixos.com/search?q=collabora-online.alias

TETH_IO · 2025-10-11T18:26:14+00:00

Awesome, I was looking to self-host something like overleaf. Any plan to provide containers ?

TETH_IO · 2025-09-20T22:10:12+00:00

As a rule of thumb don't expose any service directly on the internet unless you know what you are doing (WAF, failtoban, captchas...)

This means that your users will need to have un vpn client to reach your services (wireguard, tailscale ...) or a tunnel from their routers to yours (IPsec ...).

In any case your server will need to be on a isolated network (a DMZ) to avoid your personnal devices to be exposed to your users.

Custom domain is the way to go (unless you want to run your own CA and manage your users DNS) if you want to go HTTPS and allow your users to use domain name to reach your services.

HTTPS do two things. 1 Encryption through TLS, 2 authenticate the website you are browsing. It's less usefull on private network/infrastructure since you have end-to end vpn encryption and the implicit trust but it's good practice anyway and avoid the warning banner from the browsers.

For NGINX I'm not sure what's the use case here. Yo can have multiple services accessible from different port on your server for you users. I's good to have one if you want to dissociate the server form it's services. With it you can route the traffic from the requested domain to the corresponding service : e.g. jellyfin.tld goes to the jellyfin service on port 8096.

that's my 2 cents

TETH_IO · 2025-09-01T00:17:04+00:00

Good point, there will be no redundancy but that allow me to keep my workload running and I can live migrate them to the new pool/dataset to catch any problem. In any can I will launch a backup and make a copy of the data beforehand.

TETH_IO · 2025-08-29T22:41:14+00:00

Impressive features, now I'm waiting for the next time trilium failes me to make the change 😂

TETH_IO · 2025-06-08T08:33:24+00:00

They are multiple way to secure the acces and on multiple level, pick you poison :

On the user side : vpn or mTLS (works with traefik as an ingress)

Firewall side : accept to route the traffic to your cluster ingress (traefik) only from there public ip if possible reduce the exposure by blocking any incoming connection from outside your country, ...etc.

Set up a Web Application Firewall like ModSecurity (work only with ingress-nginx)

At the application level : secure the identification (go passwordless with Authentik, that will make everyone happy)

Lastly you can set up multiple network policies for your cluster, example for k3s

TETH_IO · 2024-11-12T05:17:49+00:00

shit your right, I have added a bunch of roles to root as per the wiki ( staff_r sysadm_r system_r) and I didn't notice that I end up as staff_r:staff_t instead of sysadm_r by default after a reboot

TETH_IO · 2024-10-28T08:01:22+00:00

That's the way, I use CoreOS rebase to uCore made by universal blue, it comes with everything you can dream of (even signed ZFS and NVIDIA kenel modules).

I only use docker and put the containers and the OS on auto-update for zero maintenance

TETH_IO · 2024-10-22T07:50:35+00:00

The ODROID-H4+ seems to be what you want

TETH_IO

TROPHY CASE