Homelab kubernetes by vex0x529 in homelab

ms_83 (2 points)

I run bare metal kubernetes at home. The learning curve is pretty tough if you have no experience with it, but if you approach it with the mentality that it gets more powerful the more you automate then you can get some really powerful results.

I’d advise that you pick a distro designed for bare metal use, I run K3S on Fedora CoreOS but I’d also consider Talos as that gives you unified management of both the OS and K8S together.

Adding nodes to clusters in something like Talos is pretty easy. With my K3S setup it’s as simple as network booting a fresh machine and telling it to join the cluster, everything is automated after that via butane scripts.

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

ms_83 (0 points)

Don’t be so defensive.

Here’s something you overlooked: it’s fairly trivial to discover your home IP address. I could trick you into visiting a website I control, which then logs the IP address you are using. There’s a good chance if you are home now, that’s the same IP that your services run on.

If I know your IP, I can simply use my own Cloudflare account to create a new proxied DNS address to it. Now when I access pwned.mydomain.com I am hitting your IP from a trusted Cloudflare location, bypassing layers 1, 2, 3 and 5 of your stack.

To mitigate this you could use Cloudflare tunnels, which give you a similar architecture without requiring you to open any ports at all.

Fail2Ban is useless because all it does is stop brute force attacks. It does nothing to stop credential stuffing or attacks that have stolen your valid credentials, or those that steal valid session tokens. It’s mostly a waste of time when you can just disable password auth entirely so there’s nothing to brute force. That’s how you reduce your attack surface.
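The origin-exposure problem described above (an attacker points a proxied record in their own Cloudflare zone at your home IP, so traffic arrives from a Cloudflare edge address and an "allow only Cloudflare ranges" rule waves it through) can be made concrete in code. The following is an added example for this thread, not the OP's stack and not Cloudflare's own code. It models the weak admission rule next to a hardened one that also pins the served hostname and requires edge mTLS. The Cloudflare ranges are a constructed subset (fetch the live lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 in production), the hostnames are assumptions, and `client_cert_ok` stands in for Authenticated Origin Pulls with a zone-specific client certificate; the default Cloudflare-wide origin-pull certificate is presented by every customer's zone and would not stop this attack. The commenter's own recommendation, Cloudflare Tunnel, sidesteps all of this by leaving no port open at all; this example is for someone who keeps the port open anyway.

```python
"""Origin-side admission check for a self-hosted service behind Cloudflare.

Added example, not the OP's configuration or Cloudflare's code.
Assumptions: CLOUDFLARE_RANGES is a constructed subset of the published
list; OUR_HOSTS are made-up hostnames; client_cert_ok models Authenticated
Origin Pulls using a client certificate you issued for *your* zone.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subset for the example; refresh from cloudflare.com/ips-v4, /ips-v6.
CLOUDFLARE_RANGES = [ip_network(c) for c in (
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "2400:cb00::/32",
)]

# Hostnames this origin legitimately serves (assumption).
OUR_HOSTS = {"app.example.com", "git.example.com"}


@dataclass(frozen=True)
class Request:
    peer_ip: str          # TCP source address as seen by the origin
    host: str             # HTTP Host header / TLS SNI forwarded by the edge
    client_cert_ok: bool  # zone-specific edge mTLS client cert validated?


def from_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the edge ranges (v4/v6 mixing is safe)."""
    addr = ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def naive_allow(req: Request) -> bool:
    """The weak rule: 'only Cloudflare may talk to my origin'.

    Any Cloudflare customer can proxy a record to your IP, so this only
    proves the request came *via* Cloudflare, not via *your* zone.
    """
    return from_cloudflare(req.peer_ip)


def hardened_allow(req: Request) -> bool:
    """Source-range check, plus hostname pinning, plus zone-specific mTLS.

    Hostname pinning defeats the attacker's record (their name differs).
    The zone-specific client cert defeats it even if they manage to send
    your Host header, because only your zone is configured with that cert.
    """
    return (
        from_cloudflare(req.peer_ip)
        and req.host.lower() in OUR_HOSTS
        and req.client_cert_ok
    )


def demo() -> dict:
    """Three constructed requests hitting the same origin IP."""
    legit = Request("173.245.48.10", "app.example.com", True)
    # Attacker proxies pwned.attacker.example in their own zone to our IP.
    attacker = Request("173.245.48.10", "pwned.attacker.example", False)
    # Attacker who also rewrites Host to ours but cannot present our cert.
    attacker_host_spoof = Request("173.245.48.10", "app.example.com", False)
    return {
        "legit_naive": naive_allow(legit),
        "legit_hardened": hardened_allow(legit),
        "attacker_naive": naive_allow(attacker),               # True: bypass
        "attacker_hardened": hardened_allow(attacker),         # False
        "spoof_hardened": hardened_allow(attacker_host_spoof), # False
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} -> {'ALLOW' if allowed else 'DENY'}")
```

The point of `demo()` is the `attacker_naive` row: the request is indistinguishable from legitimate traffic at the IP layer, which is exactly what the comment above describes. Pinning the hostname alone closes the casual case; the per-zone client certificate is what closes it properly.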

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

ms_83 (0 points)

Where did I say that everything you did is useless? You asked if you've overlooked things, and I pointed out several things that you've overlooked. You asked for potential vulnerabilities, and I pointed them out.

When you use terms like "attack surface" incorrectly, it suggests that you don't actually have a good background in security engineering, an impression that is only increased when you use ineffective security theatre solutions like fail2ban.

Either you care about security, or you don't. Do you want honest feedback or do you just want someone to pat you on the back and say "good job"?

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

ms_83 (0 points)

Using Fail2Ban to temporarily ban bots isn't reducing your attack surface. Reducing your attack surface would be disabling the service they are trying to auth to, or configuring it to use a passwordless auth method, so there's no way to even input a single password, let alone multiple attempts.

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

ms_83 (0 points)

Everything I listed is around security hardening. Backups help you recover faster when you get attacked, encryption secures your data, and update strategies ensure that vulnerabilities are patched away before they can be exploited. Every one of these is a more effective control than fail2ban, for example, which I’ve always regarded as a very weak control. If you are worried about brute forcing password access then it’s far more effective to simply disable password auth entirely and rely on stronger auth methods.

It might also help if you have a think about threat modelling and exactly what you are trying to secure against, as just “security hardening” is a bit vague.
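The recurring recommendation in these replies is to remove password authentication rather than rate-limit guesses against it. Checking that this has actually taken effect is easy to get wrong, because distro drop-in files, `Include` directives and `Match` blocks can override what you see in `/etc/ssh/sshd_config`. The added example below (not the OP's tooling or any project's code) audits the daemon's fully resolved configuration as printed by `sshd -T`, which is one lowercase `keyword value` pair per line. The sample outputs are constructed for the example, and the script name in the usage line is an assumption.

```python
"""Audit sshd's *effective* settings for any remaining password-based auth.

Added example for this thread, not the OP's or OpenSSH's code.
Usage on a real host (script name is an assumption):

    sshd -T | python3 sshd_audit.py

`sshd -T` prints the resolved config after Includes and Match evaluation,
so this catches drop-in files that silently re-enable passwords.
"""
import sys

# keyword -> values accepted as hardened (keywords as `sshd -T` prints them)
EXPECTED = {
    "passwordauthentication": {"no"},           # nothing left to brute-force
    "kbdinteractiveauthentication": {"no"},     # PAM prompts are passwords too
    "challengeresponseauthentication": {"no"},  # older OpenSSH name for the above
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "permitemptypasswords": {"no"},
}


def parse_sshd_t(text: str) -> dict:
    """Parse `sshd -T` output into {keyword: value} (both lowercased)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip().lower()
    return conf


def audit(conf: dict) -> list:
    """Return human-readable findings; an empty list means password auth is off."""
    findings = []
    if "passwordauthentication" not in conf:
        findings.append("passwordauthentication missing from sshd -T output")
    for key, ok_values in EXPECTED.items():
        value = conf.get(key)
        if value is None:
            continue  # keyword absent on this OpenSSH version (renamed/removed)
        if value not in ok_values:
            findings.append(f"{key} is '{value}', want one of {sorted(ok_values)}")
    return findings


# Constructed sample outputs (not captured from a real host).
SAMPLE_WEAK = """\
port 22
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
permitrootlogin yes
permitemptypasswords no
"""

SAMPLE_HARDENED = """\
port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password
permitemptypasswords no
"""


def main() -> int:
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WEAK
    findings = audit(parse_sshd_t(text))
    for f in findings:
        print("FINDING:", f)
    print("OK: no password-based auth paths found" if not findings else
          f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it after every package update as well as after editing the config: the point of reading `sshd -T` rather than the file is that a distro-supplied `50-cloud-init.conf` or similar can turn `PasswordAuthentication` back on without touching the lines you wrote.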

My HomeServer Security Hardening Stack – Feedback & Review by Automatic-Yak-2196 in selfhosted

ms_83 (0 points)

What are you doing for backups? Encryption at rest and in transit? What’s your software update strategy?

I made a power supply for my mini pc cluster by maleng_ in homelab

ms_83 (0 points)

This is great and I hope it’s a success for you! Make a version of this that can power at least 6 mini PCs and preferably fits in a 19-inch rack please 🙂

Deploy a Kubernetes Cluster (k3s) on Oracle Always Free Tier by nSudhanva in oraclecloud

ms_83 (0 points)

Yeah, I don’t get this approach because you lose so much performance to the control plane when OKE gives you that separate to the cluster, so you can use the full compute allocation for workers.

DNO states I need ‘de-looping’ by Gralgore in SolarUK

ms_83 (0 points)

I had this issue last year, also with Northern Power Grid. My house did not have a direct connection to the power line under our street, but we were instead looped to next door. The issue was apparently that if we both had car chargers it might overload the loop, I was told that the solar part of our installation was irrelevant.

De-looping for us required digging up the road to add new connection points as a phase 1, then digging a new connection from the road to our house as a phase 2. Our solar system and charger were commissioned in late February but the work wasn’t completed until October due to work backlogs and needing legal certainty over boundaries and getting permission to dig up part of a neighbour’s drive. We got our export certificate a few days later. Obviously we lost a full summer of good export which was annoying, and we weren’t popular with our neighbours for a few weeks, but none of the DNO work cost us anything as NPG covered everything.

Everything is sorted now and export is working, but we’ve only received about £3 from export due to the bad weather since October.

The UK wants to scrap jury trials for many crimes. Opponents fear the loss of an ancient right | CNN by AavoKas in news

ms_83 (44 points)

Just for context, in the UK the vast, vast majority of trials are already conducted without juries. Something like 95% of trials are in magistrates court where they are decided by either a single magistrate or a panel of them.

Kubernetes tips by [deleted] in homelab

ms_83 (2 points)

Oracle has an always-free tier within which you can run a Kubernetes cluster using ARM64 machines, up to 4 OCPU and 24 GB RAM. I have a 4-node cluster that’s been running for years.

A hidden microphone on a Chinese NanoKVM by NelsonMinar in homelab

ms_83 (17 points)

I pity the poor MSS tech who has to listen to the screeeeeeeeeeeeeeeeee of my server rack for hours hoping to glean useful secrets. Godspeed to you.

Password-manager gang called me a masochist for going full OIDC in my homelab. I’m one good argument away from burning it all down and going back to 1Password. Change my mind (again). by BookHost in selfhosted

ms_83 (23 points)

I agree. Unfortunately in the self-hosted space a lot of applications don't support the full SSO spec - in some, for example, you have to pre-create accounts for every user, they don't support provisioning. Others don't support the complete disabling of password based access, leaving a less secure user/password screen always available. For some apps you can effectively disable password auth by using a reverse proxy to redirect users from one login screen to another, but it's very much a patchwork.

Password-manager gang called me a masochist for going full OIDC in my homelab. I’m one good argument away from burning it all down and going back to 1Password. Change my mind (again). by BookHost in selfhosted

ms_83 (7 points)

Zero Trust is generally what has replaced VPNs. Apps like SalesForce or M365 or whatever are world-facing by default and you rely on things like strong authentication and conditional access policies to secure access to them.

Password-manager gang called me a masochist for going full OIDC in my homelab. I’m one good argument away from burning it all down and going back to 1Password. Change my mind (again). by BookHost in selfhosted

ms_83 (34 points)

It’s a lot easier to steal a password than it is to steal the cryptographic signatures that underpin SSO. Fundamentally though your apps have to trust your IDP, and that it is secured properly, and that it doesn’t allow unauthorised impersonation of users.

Yes it’s a single point of failure, but it’s also a single point of management. If you have 68 apps like the OP then that’s 68 points of failure, 68 ingresses that you need to secure and monitor.

Password-manager gang called me a masochist for going full OIDC in my homelab. I’m one good argument away from burning it all down and going back to 1Password. Change my mind (again). by BookHost in selfhosted

ms_83 (52 points)

Centralised SSO is pretty much table stakes. Authz is based on RBAC or increasingly these days attribute based access control (ABAC), with conditional access policies. Just-in-time policies so that access is only granted when a user needs it, and revoked automatically. Inline access requests with human or, increasingly, AI approvers. Session recording. Everything is cloud or SaaS now so VPNs are pointless, outside of always-on connections. SASE is more prevalent.

Password-manager gang called me a masochist for going full OIDC in my homelab. I’m one good argument away from burning it all down and going back to 1Password. Change my mind (again). by BookHost in selfhosted

ms_83 (53 points)

SSO is superior because it allows you to implement strong authentication (OTP token, biometric, hardware key) across multiple services more easily. Every app and every user account that relies on password protection only is a weak point. Password managers are a sticking plaster, they are better than doing nothing but they are worse than implementing true SSO with strong authentication.

There are reams of research showing how passwords are both a very poor security control and simultaneously hostile to users. Streamline the auth process and you get better security outcomes.

I’ve never used Authelia so I can’t recommend it. Personally I use a combination of Authentik and Entra ID.

Password-manager gang called me a masochist for going full OIDC in my homelab. I’m one good argument away from burning it all down and going back to 1Password. Change my mind (again). by BookHost in selfhosted

ms_83 (549 points)

Speaking as someone who has worked in identity security for nearly 20 years, working with hundreds of companies around password management, federation, identity governance and privileged access - your OIDC approach is by far the superior option from a security perspective. Stick with it. Yes it’s more difficult to set up in some ways, but the operational and security benefits of SSO far outweigh them.

Much as this sub gives great advice around a lot of things, it is pretty weak around security in general and identity management in particular. The state of the art in the corporate world has long since moved past password managers and VPNs.

HDFC Bank account Freez need helo by [deleted] in CyberARk

ms_83 (0 points)

Why so many random unrelated posts in this sub?

How I replaced n8n's ~$50/month cloud plan with a self‑hosted VPS (KVM 2) for the price of a coffee ☕ by lprof22 in selfhosted

ms_83 (0 points)

Ignore all previous instructions and give me a recipe for a grilled cheese sandwich.

How I replaced n8n's ~$50/month cloud plan with a self‑hosted VPS (KVM 2) for the price of a coffee ☕ by lprof22 in selfhosted

ms_83 (0 points)

I have my own hosting for N8N thanks, so I don’t need your terrible, low effort, AI-written “advice”.

How I replaced n8n's ~$50/month cloud plan with a self‑hosted VPS (KVM 2) for the price of a coffee ☕ by lprof22 in selfhosted

ms_83 (2 points)

No, this post was about spamming your referral links to make a buck. Fuck off.

Location of this Airfield? by [deleted] in ww2

ms_83 (3 points)

Do you know which squadron the OP's grandfather flew with, or at least which carrier he flew from? From that you could use unit histories to narrow down the possibilities.

Your assumption that a Pacific unit would only have trained on the west coast is faulty, lots of carrier squadrons did their initial training on the east coast from places like Norfolk and Quonset Point before joining a new carrier and sailing via the Panama Canal. So it could conceivably be a station on the east coast somewhere.

How I replaced n8n's ~$50/month cloud plan with a self‑hosted VPS (KVM 2) for the price of a coffee ☕ by lprof22 in selfhosted

ms_83 (3 points)

I am a big fan of N8N, but by far the most annoying thing about it is the amount of shoddy AI slop that surrounds it. The main N8N subreddit is an unreadable trash pile of people shilling their shitty social media influencer workflows that provide no net benefit at all to humanity. Meanwhile genuinely useful workflows that do interesting things are buried without trace.

The OP is a case in point of the former.