Life of Lachlan

I broke authentication, but it's not my fault.

How this came aboutThis weekend I was trying to login to Matrix (which uses OpenLDAP as its password store) on a new device and it was failing. Looking into the logs, it was complaining about an expired TLS certificate. Weird. First, the certificate was set up with cert-manager to renew

Kubernetes Native Storage and a Load Balancer

As I continue to evolve my self-hosted environment to be more robust and fault-tolerant, I have completed setting up the Longhorn storage system and a bare-metal load balancer, MetalLB. LonghornLonghorn provides block strorage for a Kubernetes cluster which is provisioned and managed with containers and microservices. It manages the disk

Towards High Availability

In order to make my new 2 node Proxmox cluster highly available, I need shared storage for the VMs and a quorum in the cluster. Shared storage is available now as an NFS mount from the QNAP, but my goal is to retire the QNAP and move two TB disks

Ansible and Terraform

Ansible is great for configuration management and does a good job of creating an environment that is (mostly) free of configuration drift. Using AWX, I've created a fair number of playbooks and roles which are executed regularly to keep things up to date and humming along. Terraform is a tool

Cluster Storage

Now that the new host is up and functioning in the cluster, I need to start thinking about allocating the storage. The new host is showing the following storage: locallocal-lvmqnap-isoqnap-zfsThe original Proxmox host has a local and local-vm storage as well, but I confirmed that these are not the same

Redundancy Redundancy

This particular saga and the ones that will follow began with a simple sale on meh.com. A few months ago they had as their daily deal a motherboard for $35 USD so I snagged it not knowing what I would do with it. I began putting together a list

AWX Update

I recently updated one of my old posts about AWX because I discovered that the nfs-client storage provisioner which automatically creates persistent volumes using an existing NFS mount had stopped working. It not only stopped working, but it was deprecated and I had to find a new one that worked.

The Rabbit Hole

I've just recently passed the 1 year anniversary of setting up my home kubernetes cluster in which I used VMs running RancherOS on a Proxmox hypervisor to quickly spin up nodes. Then used Rancher server to initate the cluster which also provided a convenient GUI to get some workloads up

bbs

Back to the BBS

I've stated a few times that the purpose of this blog is to chronicle my journey into self-hosted, decentralized, and federated software and services. The reasons are to keep my technical skills sharp, route around censorship, and just be more independent from "big tech". I recently came across a YouTube

ansible

Ansible-fu on Kubernetes

Since beginning this project, I have been slowly building up my (private) Ansible repository on Github. This repository is pulled into AWX where there are a series of jobs that run daily. The idea behind those daily jobs is to automate configuration and administration tasks such as installing the latest

2021

2021 Catch up

I looked up recently and realized that it had been almost 9 months since I posted an update here. It's not that I have been idle, quite the contrary. The vision which originally sparked this project has continued to evolve. Too fast, unfortunately, because before I couldn't take the time

AWX Part 3 - Projects and Inventories

At the beginning of this project, I started out setting up the foundation for Ansible to automate the management, configuration, deployment, and maintenance of the infrastructure that I set up. That was before the project got kicked into high gear with setting up the server, storage, Kubernetes, and several services

AWX Part 2 - Single Sign-On

I will be configuring AWX to integrate with the Keycloak Single Sign-On previously installed. Previously, I set up oauth2 integration with Nextcloud, but this time I'm going to set up authentication using SAML. Fortunately, the RHSSO solution uses Keycloak and I found this nifty hands-on guide for configuring Tower with

AWX Part 1 - Installation

AWX is the open source upstream project of the Ansible Tower automation and management platform based on Ansible. Both Ansible and Ansible Tower are provided by RedHat. I plan to use it to automate management and maintenance of the various services such as configuration, software updates, monitoring, and consistent backups

Grocy - ERP Beyond Your Fridge

Grocy is an Enterprise Resource Planning (ERP ) application centered around home management. Essentially, it's a web-based self-hosted grocery and household management solution. It has features such as: Tracking grocery purchasesAutomating grocery lists by tracking inventory and keeping track of frequently purchased itemsOptimizing shopping by grouping items together in the same

Nextcloud Part 4 - Cron

Nextcloud needs to be able to execute tasks in the background. It can do this just by executing those tasks whenever any page is loaded via AJAX or webcron, but this will only scale so far. Also, the News app specifically warns that RSS feeds will not be updated in

Nextcloud Part 3 - Single Sign-On with Keycloak

I started with a guide I found on integrating Keycloak with Nextcloak with OpenID Connect (OID). I will want to open the OpenID Endpoint configuration page from the Keycloak Administration page so it's handy to reference. Keycloak Client ConfigurationUnder Clients, Create a new client: Client ID - nextcloudClient Protocol -

Nextcloud Part 3 - NGINX and Let's Encrypt

To begin, I need to create a Config Map key to store the NGINX nginx.conf file which will handle the connections to the Nextcloud FPM container as well as serve the static content on the persistent storage mounted at /var/www/html. Add Config Map under Resource..Config: Name

Nextcloud Part 2 - FPM

Now that the Nextcloud MariaDB is up and running, I can deploy a new workload for the Nextcloud FPM container into the Nextcloud namespace. There are a few pre-requisites to take care of first. RedisRedis is an in-memory key value store. Nextcloud uses it to prevent file locking problems. It

Virtual Gaming

I mentioned in an earlier post that one of my side goals for this project was to set up a (Windows) VM which would allow me to utilize Nvidia Gamestream and Moonlight (or an Nvidia Shield) to play games which run on Window exclusively. I did this previously using a

Freedom!

Things have gotten a little busy on the work front so I haven't gotten back to working on Nextcloud, but I came across a post about the FreedomBox so I went off on a small tangent. The aim of FreedomBox is designed to be an easy-to-setup-server for self-hosting applications which

Nextcloud Part 1 - Database

Nextcloud is the first "production" service to be deployed. Everything else has been building the foundation for Nextcloud and the services which follow it - Mailcow, OpenPGP, Keybase.io, server hardware, Proxmox, NFS and iSCSi storage, Rancher OS, Kubernetes LDAP, and Keycloak SSO. Nextcloud will utilize all of the patterns

Single Sign-On Part 3 - oauth2-proxy

In my last post, I stated that I would be moving on to deploying the first "real" application which will bring all of this together. In fact, I decided that Nextcloud would be that first deployment. However, while reading the installation documentation and looking at how it would integrate with

Single Sign-On Part 2 - Keycloak

Keycloak provides single sign-on services using multiple protocols and provides a proxy which can be used to add SSO for applications which don't natively support those protocols. It should be a valuable addition to a self-hosted Kubernetes cluster. It will use the OpenLDAP service which I installed previously as its

Single Sign-On Part 1 - OpenLDAP

Many of the services I deploy will require authentication of some type. Rather than maintaining a separate set of credentials for each one, I want to use single-sign on (SSO).To do this, I will deploy OpenLDAP and Keycloak. Some services may be able to utilize OpenLDAP directly, but most