Search Results

This is a home lab. One Proxmox host, a pile of virtual machines, and a small-but-real platform running on top of them. I built it for two reasons: to have a place to practice the things I do (and want to do) as an infrastructure engineer, and to write down ho...

Everything lives behind one firewall, on one private network. The only things exposed to the outside world are a couple of public IPs on the gateway; every VM sits on a private 10.100.100.0/24 network with no direct route in. In...

Say you open https://app.example.com in a browser. Here's the whole journey: browser | https://app.example.com v DNS -> 203.0.113.10 (public IP on the gateway) | v pfSense / HAProxy terminates TLS (wildcard *.example.com), | ...

A small, boring, consistent address plan saves you a surprising amount of grief. Here's the whole thing. Network: 10.100.100.0/24, private, no internet-facing addresses. Address Role 10.100.100.1 pfSense — the gateway/router for the subnet 10.100.100....

Every box and what it does, with a pointer to the book that covers it in depth. VM Address What runs there Covered in pfSense .1 NAT, HAProxy, edge TLS Edge Networking with pfSense Jump host .254 SSH bastion The SSH Bastion GIT-Server .2 Gitea Self-...

There are easier ways to get a Kubernetes cluster. k3s is a single binary. A cloud provider will hand you one in ten minutes. I deliberately used kubeadm anyway. The reason is the goal. This lab exists to understand the platform, and to show that understanding...

Before kubeadm will touch a machine, the machine has to be ready. The same prep runs on all four nodes: each node |- swap OFF (kubelet refuses to run with swap by default) |- kernel modules: overlay, br_netfilter |- sysctl: net...

With the master node prepped, one command brings the control plane to life: kubeadm init \ --apiserver-advertise-address=10.100.100.7 \ --pod-network-cidr=192.168.0.0/16 Two flags matter: --apiserver-advertise-address pins the API server to the node's pr...

Each worker joins with the command kubeadm init printed: kubeadm join 10.100.100.7:6443 --token <REDACTED> \ --discovery-token-ca-cert-hash sha256:<REDACTED> The first time I ran this across the three workers, all three failed with: couldn't validate the id...

Kubernetes deliberately ships without a network. You choose a CNI plugin and install it. I used Calico, applied from its plain manifest: kubectl apply -f https://.../calico/<version>/manifests/calico.yaml A couple of deliberate choices: Manifest, not the ope...

By default kubeadm puts a taint on the control-plane node: node-role.kubernetes.io/control-plane:NoSchedule A taint is a "keep out" sign. NoSchedule means: don't place a pod here unless that pod explicitly tolerates this taint. The control plane's own compone...

It's a home lab. Why not just give every VM "plenty" of everything and move on? Because the constraint is real, and pretending it isn't is how you wake up to an out-of-memory kill at 3am. One host has a fixed amount of RAM, CPU, and disk. Every VM you start wr...

The whole lab runs on a single Proxmox host with, roughly: 64 CPU threads ~125 GiB usable RAM A few hundred GB of fast local disk for the OS, plus a multi-TB ZFS pool for VM disks CPU stays comfortable — 64 threads is far more than the VMs will ever simultan...

There's a second tenant on the host besides the VMs: ZFS. ZFS uses a chunk of RAM as a read cache called the ARC (Adaptive Replacement Cache), and by default it will happily grow to use up to half (or more) of the machine's memory. That's fine on a dedicated s...

The cluster needed real memory: a control-plane node, three workers at 24 GiB each, a build runner, and later three database VMs. Adding all of that naively would have blown past physical RAM. So before adding, I went looking for slack in what already existed....