ΒΆ Dezrin's Lab
ΒΆ π Home
This Wiki is the new centralised location for IT Admin documentation within Dezrin's Lab
Dezrin's Lab is a home lab consisted of 4 Proxmox hosts and around ~60 VMs, stats for nerds below:
ΒΆ Infrastructure & Deployment Summary
ΒΆ Architecture Overview
This infrastructure follows a GitOps model with Infrastructure-as-Code (IaC) organized into three main components: Terraform, Ansible, and Kubernetes/ArgoCD.
| Layer | Technology |
|---|---|
| Virtualization | Proxmox (via Terraform) |
| Kubernetes | MicroK8s (HA, 5 nodes) |
| Storage | Microceph (distributed Ceph) |
| Ingress | Traefik + Istio Ambient |
| GitOps/CD | ArgoCD |
| Authentication | Authentik |
| Container Registry | Harbor |
ΒΆ 1. Terraform Infrastructure
Provisions Ubuntu VMs on Proxmox hypervisor across three nodes.
ΒΆ Structure
terraform/lab/infrastructure/
βββ VH02/
β βββ proxmox-ubuntu-vm/ # Reusable module
β βββ proxmox-ubuntu/ # Role configuration
βββ VH03/
β βββ proxmox-ubuntu-vm/
β βββ proxmox-ubuntu/
βββ VH05/
βββ proxmox-ubuntu-vm/
βββ proxmox-ubuntu/
ΒΆ Features
- Provider: Telmate/Proxmox 3.0.2-rc06
- Cloud-Init Integration: Automated VM provisioning
- VM Configuration Support:
- CPU cores and sockets
- Memory allocation
- Multiple disk support (per-disk storage pool)
- Static networking (IP, subnet, gateway, DNS)
- VLAN support
- Pool-based resource organization
- NTP configuration (default: uk.pool.ntp.org)
- OS Configuration:
- Timezone: Europe/London
- Locale: en_GB.UTF-8
- SSH password authentication enabled
- Automatic package updates on first boot
ΒΆ 2. Ansible Automation
Location: /home/kasm-user/Documents/ansible/
ΒΆ Playbooks
| Playbook | Purpose |
|---|---|
microk8s.yml |
Deploys MicroK8s cluster + Microceph storage |
argocd.yml |
Installs ArgoCD with TLS ingress |
traefik.yml |
Traefik ingress with ACME/Let's Encrypt |
istio-setup.yml |
Prepares Istio Ambient mesh |
configure_registry_ca.yml |
Harbor registry CA integration |
ΒΆ Roles
ΒΆ microk8s (/ansible/roles/microk8s/)
- Version: 1.32/stable
- Features:
- HA cluster setup with etcd
- Plugin management
- User/group configuration
- OIDC integration (optional)
- RBAC role creation
- Kubeconfig output
Enabled Plugins:
- DNS (CoreDNS)
- Ingress
- Metrics Server
- RBAC
- Dashboard
- Helm3
- MetalLB (IP pool: 10.20.1.92-10.20.1.95)
- Community
- Rook-Ceph
ΒΆ microceph (/ansible/roles/microceph/)
- Version: latest/stable
- Seed Node: k8s-inf-cp
- Disk Devices: /dev/sdb
- Data Encryption: Disabled
- Storage Class: ceph-rbd
ΒΆ argocd (/ansible/roles/argocd/)
- Namespace: argocd
- Service Type: ClusterIP
- Ingress Host: argocd.dezr.in
- TLS: Enabled with certificates
ΒΆ traefik (/ansible/roles/traefik/)
- Namespace: traefik
- Service Type: LoadBalancer
- LoadBalancer IP: 10.20.1.92
- ACME Email: [email protected]
- DNS Provider: Cloudflare
- Dashboard Host: traefik.dezr.in
- Persistence: Ceph RBD storage class
ΒΆ istio-helm (/ansible/roles/istio-helm/)
- Chart Version: 1.28.0
- Namespace: istio-system
- Ingress Namespace: istio-ingress
- Ingress IP: 10.20.1.93
- Gateway Replicas: 2-5 (with autoscaling)
Resource Limits:
| Component | CPU | Memory |
|---|---|---|
| Pilot | 100m-1000m | 128Mi-512Mi |
| Proxy | 10m-1000m | 16Mi-512Mi |
| Gateway | 10m-1000m | 128Mi-512Mi |
ΒΆ Cluster Inventory
Host Group: k8s_cluster
| Role | Hostname |
|---|---|
| Control Plane | k8s-inf-cp |
| Worker | k8s-inf-w01 |
| Worker | k8s-inf-w02 |
| Worker | k8s-inf-w03 |
| Worker | k8s-inf-w04 (GPU) |
| Worker | k8s-inf-w05 |
ΒΆ 3. Kubernetes Applications (ArgoCD)
Location: https://gitlab.dezr.in/lab/infrastructure/applications
ΒΆ App-of-Apps Pattern
- Repository:
https://gitlab.dezr.in/lab/infrastructure/argocd/k8s-inf-ss.git - Project: platform
- Sync Policy: Automated with pruning and self-heal
- Sync Options: ServerSideApply
ΒΆ Deployed Applications
| Application | Version | Purpose | Namespace | Storage |
|---|---|---|---|---|
| Authentik | 2025.12.1 | OIDC/SSO Authentication | authentik | 10Gi (PostgreSQL) |
| Harbor | - | Private Container Registry | harbor | - |
| Home Assistant | 0.3.41 | Smart Home Automation | home-assistant | 10Gi |
| Immich | 2.0.0 | Photo management + AI | immich | 100Gi |
| Jellyseerr | 2.7.3 | Media Request Manager | jellyseerr | 4Gi |
| Open WebUI + Ollama | - | Local LLM Interface (GPU) | openwebui | 50Gi |
| PrivateBin | - | Encrypted Pastebin | privatebin | 4Gi |
| Trilium | - | Hierarchical Notes | trilium | Ceph RBD |
| Uptime Kuma | 2.24.0 | Uptime Monitoring | uptime-kuma | Existing PVC |
| Vaultwarden | 0.34.4 | Password Manager | vaultwarden | Existing PVC |
| Wiki.js | - | Wiki Platform | wiki-js | 8Gi (PostgreSQL) |
| Docuseal | 2.4.2 | Document Signing | docuseal | 4Gi |
ΒΆ Application Configuration
All applications use:
- Repository Pattern: Individual GitLab repositories per application
- Ingress: Traefik IngressRoute
- Storage: Ceph RBD storage class
- Sync: Automated with pruning and self-heal
- Domain: Subdomains on
dezr.in
ΒΆ 4. Network Configuration
| Resource | IP/Value |
|---|---|
| MetalLB IP Pool | 10.20.1.92-10.20.1.95 |
| Traefik LoadBalancer | 10.20.1.92 |
| Istio Gateway | 10.20.1.93 |
| DNS Resolver | 10.10.20.227 |
| Domain | dezr.in |
ΒΆ 5. Storage Architecture
- Technology: Microceph (Ceph from Canonical)
- Storage Class: ceph-rbd
- Encryption: Disabled
- Disks: /dev/sdb on each cluster node
ΒΆ 6. Security & Authentication
- HTTPS: Let's Encrypt certificates via Cloudflare DNS validation
- OIDC Provider: Authentik
- Private Registry: Harbor (
harbor.dezr.in) with CA certificate integration - Service Authentication: Forward auth via Authentik
ΒΆ 7. Observability
- Monitoring: Prometheus + Grafana-ready architecture
- Service Mesh: Istio Ambient with Kiali dashboard
- Ingress Metrics: Traefik built-in metrics
- Application Metrics: ServiceMonitor resources for Prometheus
ΒΆ 8. Deployment Flow
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 1: INFRASTRUCTURE
β
β Terraform βββΊ Proxmox API βββΊ Create VMs (cloud-init)
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 2: CLUSTER SETUP
β
β Ansible (microk8s.yml)
β βββ Install MicroK8s (v1.32/stable)
β βββ Configure HA cluster
β βββ Enable plugins (DNS, MetalLB, Helm3, etc.)
β βββ Deploy Microceph storage
β βββ Output kubeconfig
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 3: SERVICE INFRASTRUCTURE
β
β Ansible Playbooks:
β βββ argocd.yml βββΊ ArgoCD + Ingress
β βββ traefik.yml βββΊ Traefik + ACME
β βββ istio-setup.yml βββΊ Istio Ambient
β βββ configure_registry_ca.yml βββΊ Harbor CA
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHASE 4: APPLICATION DEPLOYMENT
β
β ArgoCD (GitOps)
β βββ App-of-Apps pulls from GitLab
β βββ Syncs 9 applications
β βββ Traefik IngressRoutes configured
β βββ Ceph storage provisioned
β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ΒΆ 9. Git Repository Organization
ΒΆ Local Repositories
| Path | Purpose |
|---|---|
/ansible/playbooks/ |
Orchestration playbooks |
/ansible/roles/ |
Ansible roles (microk8s, microceph, argocd, traefik, istio-helm) |
/terraform/lab/infrastructure/ |
Proxmox VM provisioning |
/kubernetes/argocd/ |
ArgoCD applications and configuration |
ΒΆ External Git Sources (GitLab)
gitlab.dezr.in/lab/infrastructure/argocd/k8s-inf-ss.git- App-of-Apps repositorygitlab.dezr.in/lab/infrastructure/applications/{app-name}.git- Individual application repositories
ΒΆ Summary
This is a production-grade, fully automated infrastructure that:
- Provisions VM infrastructure through Terraform + Proxmox
- Configures Kubernetes clusters through Ansible automation
- Manages container deployments through ArgoCD GitOps
- Routes traffic through Traefik with automatic HTTPS
- Provides distributed storage through Microceph
- Secures access through Authentik SSO
- Monitors infrastructure and applications
- Integrates service mesh capabilities with Istio Ambient
ΒΆ Key Characteristics
- GitOps-driven: All infrastructure in version control
- Highly Automated: Single playbook execution deploys entire stack
- Scalable: Supports multiple Kubernetes nodes with distributed storage
- Secure: HTTPS everywhere, private registry integration, SSO authentication
- Observable: Prometheus, Grafana, Kiali integration points
- Multi-tier Applications: 9 integrated applications with proper isolation
ΒΆ π Documentation Standardisation
Use the Markup Template to generate a ReadMe style file for each documentation or Wiki page from here: MakeAReadMe .
ΒΆ βοΈ Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Please make sure to update tests as appropriate.
ΒΆ πͺͺ License
MIT License
Copyright (c) 2024 Bradley Comerford
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.